Operating systems


CIN: A-531-1900 Ver. 2018-10

Module 5 Operating Systems

Student Guide

Name: _________________________ Class #: ____________

JCAC Student Guide Module 5 Operating Systems

2 A-531-1900 – 2018-10

Prepared for the U.S. Government by:


Table of Contents

1 Overview of Operating Systems ... 9
  1.1 OS Functions ... 10
  1.2 OS Categories ... 11
  1.3 OS Safeguards ... 12
    Authentication ... 13
    Privileged vs. Non-Privileged ... 13
    Access Control ... 13
    Logging ... 14
    Backups ... 14
2 Boot Process ... 15
  2.1 Disk Preparation ... 15
  2.2 Legacy Systems ... 16
    Basic Input Output System (BIOS) ... 16
    Master Boot Record (MBR) ... 18
    Reading the MBR Partition Table ... 19
  2.3 Modern Systems ... 22
    Unified Extensible Firmware Interface (UEFI) ... 22
    Globally Unique Identifier (GUID) Partition Table (GPT) ... 23
    UEFI Boot Sequence ... 25
3 Windows ... 27
  3.1 Windows Authentication ... 27
    Local User Accounts ... 28
    Local Group Accounts ... 30
  3.2 Windows File and Directory Structure ... 32
    Users Folder ... 32
    Program Files Folder ... 33
    Windows Folder ... 33
    File/Directory Attributes and Properties ... 35
  3.3 File and Directory Permissions ... 37
    Shares ... 39
  3.4 Windows Command Line ... 41
    Syntax ... 42
    Working Directory and Paths ... 44
    Environment Variables ... 47
  3.5 Windows Commands ... 50
  3.6 PowerShell (PS) ... 60
    Versions ... 60
    Using Help ... 61
    Cmdlets ... 61
    Aliases ... 63
    PS Cmdlets vs. Windows/UNIX commands ... 63
  3.7 PS ISE ... 64


  3.8 Backup and Recovery Procedures ... 65
    System Restore ... 66
  3.9 Logs ... 66
4 UNIX ... 69
  4.1 Accessing a Linux System ... 69
  4.2 Anatomy of a UNIX Command ... 70
  4.3 System Command Manual ... 71
  4.4 Introductory Commands ... 72
    Pagers ... 73
  4.5 UNIX File and Directory Structure ... 74
    Common System Directories ... 75
    File System Navigation ... 76
  4.6 Visual Editor (vi) ... 78
5 Advanced UNIX Commands ... 81
  5.1 File and Directory Commands ... 81
  5.2 Process Related Commands ... 83
  5.3 Forensics Commands ... 84
  5.4 File Compression ... 86
  5.5 Archiving ... 87
  5.6 Scheduling Jobs ... 88
  5.7 User Management ... 89
    User Account Related Commands ... 89
    User and System Profiles ... 90
    User Authentication and Authorization ... 91
6 File and Directory Permissions ... 96
  6.1 Syntax of Permissions ... 96
  6.2 Permission Definitions ... 97
  6.3 Setting Permissions ... 97
7 Mobile OSs ... 99
  7.1 Android ... 99
    Device Hardware ... 99
    Android OS Security ... 100
    Android Runtime (ART) ... 100
    Rooting Android OS ... 101
  7.2 iOS ... 102
    iOS Secure Boot Chain ... 102
    iOS Software Updates ... 103
    iOS Secure Enclave ... 104
    Jailbreaking iOS ... 105
8 File Systems ... 105
  8.1 Physical Layer ... 105
  8.2 File System Layer ... 105
  8.3 Data Layer ... 106
    File Allocation ... 106
  8.4 Metadata Layer ... 108


  8.5 Filename Layer ... 108
9 OS Processes ... 109
  9.1 Kernel Designs ... 110
    Linux Design ... 111
    Windows Design ... 112
    Android Design ... 113
    iOS Design ... 114
  9.2 Concepts of APIs ... 115
10 Processes ... 117
  10.1 Threads ... 117
  10.2 Process Control Block (PCB) Structure ... 118
  10.3 Process States ... 119
11 Scheduling and Dispatch ... 121
  11.1 Preemptive and Non-preemptive Scheduling ... 121
12 Concurrency ... 123
  12.1 Interrupts, Exceptions, and Trap Handling ... 124
    Interrupts ... 124
    Exceptions ... 124
    Trap Handling ... 124
13 Memory Management ... 125
  13.1 Virtual Memory ... 127
14 Device Drivers ... 131
  14.1 Windows Device Drivers ... 131
  14.2 Linux Device Drivers ... 132
15 System Virtualization ... 134
  15.1 Types of Virtual Machine Monitors ... 134
  15.2 Virtualization Technologies ... 135
    Guest OS Virtualization ... 135


Introduction
Computers perform tasks by carrying out specific instructions using machine code. Users interact with these instructions by means of operating systems (OSs). An OS acts as the interface between the computer, its devices, and the user. Understanding the functionality of an OS is important for manipulating and controlling a computer system and can provide valuable insight about local and targeted systems. This insight is the foundation for understanding, preventing, and exploiting system vulnerabilities within the CNO mission.

Safety
All personnel involved in operation and maintenance of electronic equipment must be thoroughly familiar with safety precautions as covered in Module 1.

Module Overview
OS fundamentals address the relationship between a user and a computer and the core elements involved. Over the next few days, this module will introduce the designs, functions, and implementation of various OSs. The skills and knowledge provided are an invaluable foundation upon which future understanding and skills are built.

Module Testing Practices
This module consists of the following graded events requiring a 75% or better score:
• One knowledge test

This module will also utilize a minimum of one quiz to reinforce concepts required for obtaining a passing score in the above test.


Module Objectives Upon successful completion of this module, students will be able to:

5.1 Describe key OS components and their interaction with users, software, and hardware.

5.2 Identify relationships between software and the roles an OS performs.

5.3 Describe the interrelation of Information Assurance and access controls.

5.4 State the general principles of a bootstrap process using legacy and modern firmware.

5.5 Identify facts about Windows user account assignments and password management.

5.6 Determine a Windows OS version.

5.7 Modify Windows file and directory attributes and permissions.

5.8 View and modify the local Windows environment and path.

5.9 Recall common Windows files, directories, and their structures.

5.10 Identify and execute Windows CLI commands.

5.11 Describe types of backup and recovery techniques and implications for CNO missions.

5.12 Identify logging capabilities and available logs contained in various OSs.

5.13 Recall basic PowerShell command structure and the PowerShell ISE environment.

5.14 Recall common UNIX files, directories, and their structures.

5.15 Identify and execute UNIX CLI commands.

5.16 Demonstrate proficiency in compression, decompression, and archiving UNIX files and directories.

5.17 Identify the major OSs used by mobile devices.

5.18 State general principles of user and system-level security privileges used by mobile OSs.

5.19 Describe basic facts of logical and physical structures of file systems.

5.20 State basic principles of OS interactions including OS layers, kernel design, and APIs.

5.21 Compare and contrast Linux, Windows, Android, and iOS kernel designs.

5.22 Identify general principles of a process’ lifecycle, task scheduling, and concurrency.

5.23 Evaluate a running process’ state and identify its PPID, location, and ownership.

5.24 Identify memory types, memory management roles, and cost-performance trade-offs.

5.25 Describe how an OS uses driver routines to interact with devices.

5.26 Describe basic concepts of system virtualization and methods to identify a virtual environment.


Day 1

Objectives
At the end of this training day, students will be able to:
• Identify and describe the layers and objectives of modern OSs.
• Cite and interpret the core functions of an OS.
• Explain the various roles of an OS and the applications they support.
• Define and apply measures necessary to ensure IA and system security.
• Differentiate between the access control mechanisms covered in lecture.
• Describe the stages of a system boot process.
• Define the BIOS and MBR associated with legacy computer architectures.
• Define the UEFI and GPT associated with modern computer architectures.
• Describe the phases of the UEFI boot sequence.

Exercises
This training day includes the following exercises:
• N/A

Homework
• Complete the day 1 homework assignment in the Student Workbook


1 Overview of Operating Systems An operating system (OS) controls nearly all functions of a computer. Computers rely on an OS to provide a means for interaction among users, software, and hardware. The most commonly used terms to identify these interactions are user, application, system software, and hardware.

User The person using a computer/device. User interaction with software and hardware is provided through OS interfaces. The most common are the graphical user interface (GUI) and the command-line interface (CLI).

Application Executable code designed to carry out specific tasks on the computer, also referred to as programs or software. Examples include anti-virus, office productivity, graphics, audio-visual, web browsers, and games.

System Software An OS consists of two parts:

OS Interface Allows a user to interface with applications, system software, and hardware.

OS Kernel The heart of an OS. Manages the interaction between a user, applications, and hardware.

Hardware The mechanical, magnetic, electronic, and electrical components of a computer.


1.1 OS Functions

Every OS performs at least three core functions. Based on the OS design and purpose, certain functions may receive higher priority, but all will be present to some extent. Core functions:

File System Management
The OS interfaces with data on the hard drive through a file system. A file system defines the way data is named, stored, organized, and accessed on a hard drive. It can be compared to a filing cabinet, where each drawer correlates to a disk volume, each folder correlates to a directory, and the papers within the folders correlate to files or data on the system. In this comparison, a directory is a container used to organize files and data for the benefit of usability and retrieval of data. A file is a singular named resource used to store information/data.

Figure 1. File system comparison.

Process Management
A process is an executing instance of an application. It is the OS's responsibility to allocate and protect resources for all processes on the system. For instance, when a user executes a word processing application installed on a computer, the OS creates the process and manages its resources, including all memory requirements. Protection means that one process cannot read or modify another process's memory unless the OS explicitly allows it. When the process is closed, the OS frees the previously allocated resources.

Device Management
A device is any hardware component or peripheral attached to a computer. The communications path between an OS and attached devices is made possible through special programs called device drivers. A device driver is a computer program that operates or controls a device attached to a computer. For instance, when adding a printer to a computer, a compatible device driver must be installed. The driver translates the OS's generic I/O requests into the device-specific commands the printer's hardware understands. Because most drivers run in kernel mode with the same privileges as the OS itself, a flawed or malicious driver can compromise the whole system, which is why 64-bit Windows requires kernel-mode drivers to be digitally signed.


1.2 OS Categories

OSs perform different roles depending on the type of computer(s) controlled and the applications supported. Depending upon the role performed, the OS may fall into one or more of the following categories:

Table 1. OS categories.

Single User
  Description:
  • Single-Tasking – Only one user can perform one task at any given time.
  • Multi-Tasking – One user can perform multiple tasks (programs) at a time. (Not all mobile devices allow this.)
  Example: Stand-alone PCs and mobile devices (smart phones, tablets, and wearables)

Multiuser
  Description: One or more users can perform one or more tasks at one time.
  Example: UNIX or Windows

Client
  Description: Operates in a networked environment, allowing a user to connect to another computer (server) to retrieve information.
  Example: UNIX or Windows

Server
  Description: Provides various services, including email, file sharing, and printer access, as well as ensuring security, to other computers (clients) across a network.
  Example: Email server, web server, print server

Distributed
  Description: One or more tasks are spread among two or more computers.
  Example: google.com

As mentioned above, client and server OSs function in a networked environment. A network is composed of two or more computers or devices that communicate with one another using a common language, or protocol. To reduce cost, heat, and power usage, mobile devices typically run OSs built for RISC-based computer architectures with ARM processors.

Table 2. Mobile device vs. PC.

Mobile Device
  Computer Architecture: RISC
  Processor Architecture: ARM
  Features: Embedded systems. Fewer transistors, low cost, less heat, and battery powered.

Personal Computer
  Computer Architecture: CISC
  Processor Architecture: x86
  Features: More transistors, higher cost, more power consumption, higher peak performance.


1.3 OS Safeguards

Every OS has inherent vulnerabilities posing risks that must be acknowledged and managed under what is known as Information Assurance (IA). It is very important to keep OSs up to date and to ensure vulnerabilities are patched as soon as possible. However, not all vulnerabilities can be removed. Some are present because of the nature of a service provided to users. Users, and even more so cybersecurity policy staff, must be aware of the vulnerabilities associated with required services and adjust configurations to secure them as well as they can, using risk management techniques.

Example:

Web server software on a system has an inherent attack surface. If that system is not meant to function as a web server, the obvious security solution is to remove the web server software. However, if the system is functioning as a web server, removing the software is not feasible. Other devices (e.g., a firewall in front of the server), software, and settings may be available to lessen the vulnerability and reduce the risk.

Keep in mind the old adage, "A chain is only as strong as its weakest link," and remember that an OS is not running by itself. Many other software packages (applications) are loaded onto a system, and each of them has its own vulnerabilities that require patches and updating. Computer Network Defense (CND) activities implement mandatory DoD IA measures to protect and defend computer systems. IA measures are taken to ensure the following:

Confidentiality
Assurance that information is not disclosed to unauthorized individuals, processes, or devices. This is more comparable to "need to know" than to a security level.

Integrity
Assurance that information has not been modified or destroyed in an unauthorized manner, whether in transit or at rest.

Availability
Assurance of timely, reliable access to data and services for authorized users.

Non-repudiation
Assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so that neither can later deny having sent or received the data.

Authentication
Assurance that a user's (or process's or device's) claimed identity has been properly verified.


Authentication

Authentication ensures users are properly identified before they are granted access. It requires a user to prove who they claim to be by providing credentials for a valid account on the system. Account credentials may be provided to an OS in the following forms:
• Username and password (something you know)
• Card or token (something you have)
• Biometrics (something you are)

Requiring two or more of these forms together is multi-factor authentication. Once a user is authenticated, OSs provide mechanisms to ensure data is only accessed by authorized users.

Privileged vs. Non-Privileged

OSs provide privileged user accounts with full system access and non-privileged user accounts with limited access. In general, the privileged account in Linux is root (user ID 0) and in Windows it is Administrator, together with any member of the local Administrators group. The principle of least privilege, which supports the IA confidentiality and integrity measures, holds that non-privileged user accounts are granted only the access their role requires. Note that on current Windows versions the built-in Administrator account is disabled by default, and members of the Administrators group run with a filtered standard-user token until User Account Control (UAC) elevates them.

Access Control

OSs provide mechanisms for controlling access to system resources. Mechanisms exist to separate users and user processes, and to restrict access to files and devices. Mechanisms that enforce this separation are called access controls and include user accounts, group membership, file ownership, and file permissions. The most common access control models are discretionary, mandatory, and role-based.

Discretionary Access Control (DAC)
Permissions are implemented by an Access Control List (ACL). An ACL details account permissions to a specific resource as determined by the owner of that resource. A side effect is that a user could grant any or all users of a system the same privileges to a resource they own, resulting in too much authority for a non-privileged user. Standard UNIX file permissions and Windows NTFS permissions are both DAC.

Mandatory Access Control (MAC)

MAC policies are set by an administrator using a policy tool. The OS enforces the system security policy using security labels (e.g., classification level and need-to-know categories) attached to subjects and objects. Users cannot change the policies or grant other users/processes additional permissions, even for files they own. Security is stronger, but configuration is more complex. SELinux and AppArmor on Linux are common MAC implementations.

Role-Based Access Control (RBAC)

Access decisions are based on each account’s role or functional position. For the JCAC enterprise, it is the ability of a user (e.g. instructor or student) to perform a task, such as viewing, modifying, or creating a file.
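The following Python model is an added example, not part of the JCAC guide, that contrasts the three models above by showing who is allowed to change an access decision: the object's owner under DAC (including the over-granting side effect), nobody but policy under MAC, and role membership under RBAC. The users, labels and roles are constructed, and the MAC part uses a Bell-LaPadula style "no read up, no write down" rule, which is one MAC policy among several and not something the guide specifies.

```python
# Added example (not from the JCAC guide): a toy model of DAC, MAC and RBAC
# decisions. Users, labels and roles below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class DacObject:
    """A resource under Discretionary Access Control: the owner edits the ACL."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions


def dac_grant(obj, actor, user, perm):
    """Only the owner may change the ACL. Nothing stops the owner from
    over-granting (e.g. giving every account write access), which is the
    side effect the text warns about."""
    if actor != obj.owner:
        return False
    obj.acl.setdefault(user, set()).add(perm)
    return True


def dac_allowed(obj, user, perm):
    return user == obj.owner or perm in obj.acl.get(user, set())


# Mandatory Access Control: labels are assigned by policy, not by users.
# Assumed policy: Bell-LaPadula style "no read up, no write down".
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


def mac_allowed(subject_label, object_label, perm):
    s, o = LEVELS[subject_label], LEVELS[object_label]
    if perm == "read":
        return s >= o          # may read at or below own level
    if perm == "write":
        return s <= o          # may write at or above own level
    return False


# Role-Based Access Control: permissions attach to roles, users to roles.
ROLE_PERMS = {
    "student": {"view"},
    "instructor": {"view", "modify", "create"},
}


def rbac_allowed(user_roles, perm):
    return any(perm in ROLE_PERMS.get(r, set()) for r in user_roles)


def demo():
    """Run the three models on constructed subjects; returns a dict of results."""
    notes = DacObject(owner="alice")
    r = {}
    r["dac_bob_before"] = dac_allowed(notes, "bob", "write")            # False
    r["dac_alice_grants"] = dac_grant(notes, "alice", "bob", "write")   # True
    r["dac_bob_after"] = dac_allowed(notes, "bob", "write")             # True
    r["dac_bob_grants_eve"] = dac_grant(notes, "bob", "eve", "write")   # False: not owner
    r["mac_read_down"] = mac_allowed("secret", "confidential", "read")    # True
    r["mac_read_up"] = mac_allowed("confidential", "secret", "read")      # False
    r["mac_write_down"] = mac_allowed("secret", "confidential", "write")  # False
    r["rbac_student_modify"] = rbac_allowed({"student"}, "modify")        # False
    r["rbac_instructor_modify"] = rbac_allowed({"instructor"}, "modify")  # True
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

The point to take from the DAC half is that nothing in `dac_grant` checks whether the grant is sensible; the owner's discretion is the whole policy. In the MAC half the subject's label is an input the subject cannot change, so even the owner of a "secret" file cannot hand it to a "confidential" reader.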


Logging

OSs provide logging capabilities that help make the confidentiality and integrity measures of IA verifiable. A log file is a record of system or user activities. Logs can contain events generated either locally or on a remote system. DoD requires various levels of logging depending on the type and/or classification of a system. Log files are typically stored locally; however, most OSs can also forward logs to a centralized repository. The centralized copy matters because an attacker who gains privileged access to a host can alter or delete its local logs. Analysts use logs to gain insight during incident investigations, such as unauthorized access attempts or spillage of classified information.
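As an added example (not from the guide), the following Python script parses a few constructed OpenSSH auth.log lines and flags the "unauthorized access attempt" pattern the paragraph mentions: repeated password failures from one source, and a successful login that follows such a run. The log lines, hostname and addresses are made up (documentation IP ranges), and the failure threshold is an arbitrary choice.

```python
# Added example (not from the JCAC guide): scan SSH authentication log lines
# for repeated failures and for a login that follows a run of failures.
# SAMPLE_LOG is constructed in OpenSSH auth.log format; the host and the
# addresses are documentation values, not real systems.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  4 10:15:01 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  4 10:15:03 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar  4 10:15:04 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  4 10:15:06 host1 sshd[2204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar  4 10:15:09 host1 sshd[2205]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Mar  4 10:16:00 host1 sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  4 10:16:30 host1 sshd[2212]: Failed password for alice from 198.51.100.7 port 40001 ssh2
"""

# One regex covers both outcomes; "invalid user" marks a username that does
# not exist on the host (a common sign of password guessing).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = ev["invalid"] is not None
            events.append(ev)
    return events


def find_suspicious(events, threshold=3):
    """Return (noisy_ips, hit_ips): sources with >= threshold failed logins,
    and sources whose login succeeded after reaching that count."""
    failures = defaultdict(int)
    succeeded_after_failures = set()
    for ev in events:           # events are in log order
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            succeeded_after_failures.add(ip)
    noisy = {ip for ip, n in failures.items() if n >= threshold}
    return noisy, succeeded_after_failures


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    noisy, hits = find_suspicious(evs)
    print("sources with repeated failures:", sorted(noisy))
    print("failures then success (investigate):", sorted(hits))
```

On a real Linux host the same logic would run over /var/log/auth.log or /var/log/secure (reading them requires root or membership of the log group); the value of a central log copy shows up exactly here, since a successful intruder on host1 could simply delete these lines.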

Backups

OSs provide backup mechanisms to ensure system restoration after data loss. A backup occurs when computer data is copied or archived, usually to a separate location, for the purpose of data recovery should data loss occur. Data loss can occur from human causes, either malicious or inadvertent, or from outside causes such as a power surge or natural disaster. Each OS discussed in this module has its own method of backing up and restoring data, and backup locations and devices vary with the OS. Backup devices include, but are not limited to, online storage sites, cloud storage, network drives, and removable media such as flash drives, micro-drives, CD/DVD-ROMs, and storage tapes. Regardless of where backups are stored, performing backups both locally and off site supports the IA integrity and availability measures. Two practical caveats: a backup holds the same sensitive data as the live system and needs the same access controls (and ideally encryption), and a backup that has never been test-restored cannot be relied on.


2 Boot Process The boot process is a sequence of events that begins when a system is powered on and ends once the OS kernel is loaded into memory space and begins executing. Boot processes vary between OS platforms depending on firmware and disk partitioning schemes in place. Firmware is a set of instructions embedded onto a ROM, PROM, or EEPROM that tells the device how to communicate with other hardware and software. The discussion below addresses some boot components and common steps leading to the loading of an OS.

2.1 Disk Preparation

Before an OS can accept input, it must first be installed on a medium such as a computer's hard drive. Recall that when a new hard drive leaves the manufacturer it has a low-level format, which creates cylinders, tracks, and sectors (commonly 512 bytes, or 4,096 bytes on Advanced Format drives) on the platters.

Partitioning makes a hard drive usable. A partitioning scheme groups consecutive sectors together and prepares the hard drive for storing a file system. Once the drive is partitioned, a high-level format installs a file system on a partition. The high-level format groups sectors into addressable clusters used by the file system for storing and retrieving disk data. An OS installation program then configures and copies OS files to the newly formatted partition. A formatted partition is referred to as a volume once it is assigned a drive letter or mount point (e.g., C: or /) and is then ready for use by the OS.

Figure 2. High-level format.


2.2 Legacy Systems

Most legacy computers use a Basic Input/Output System (BIOS) firmware interface to manage the boot process. BIOS directs the system to the storage location of the OS. The BIOS firmware in most legacy systems is limited in features such as firmware security (it loads and runs the boot sector without verifying it), maximum boot disk size (2 TiB with 512-byte sectors, because MBR uses 32-bit sector addresses), and the number of partitions (four primary partitions in the MBR partition table). The following introduces the legacy boot sequence using a BIOS firmware interface and a Master Boot Record (MBR) partitioning scheme.

Basic Input Output System (BIOS)

The boot process begins when the computer is powered on. When the power supply signals "power good," the CPU is released from reset and begins executing BIOS code from the reset vector in the firmware chip. BIOS firmware consists of software instructions stored on an EEPROM (flash) chip. BIOS provides the initial interface between major hardware components and the OS, with the primary goal of finding and loading the OS. BIOS performs the functions described below.

BIOS first reads configuration information stored in the Complementary Metal-Oxide Semiconductor (CMOS), a small block of low-power, battery-backed RAM. The CMOS data describes the computer hardware configuration and can be altered as the configuration changes by entering BIOS setup. Setup is accessed by pressing a hotkey (or key sequence) during system startup. If the CMOS battery dies or the CMOS is cleared with a jumper, the stored settings are lost and revert to defaults; on most desktops this also clears any BIOS setup password, which is why physical access to a machine defeats firmware-level passwords.

BIOS next determines whether a cold boot or a warm boot is taking place.

- A cold boot (hard boot) occurs when a computer is initially powered on. The BIOS executes a POST (Power-On Self-Test) to initialize and test hardware components. The POST uses beep codes and/or light indicators for error notification.

- A warm boot (soft boot) occurs when an OS is restarted without an interruption of power. A POST is not performed during a warm boot.

BIOS builds a device tree to locate bootable media and searches for a Volume Boot Sector (VBS, also called a volume boot record) on any removable devices listed in the CMOS boot order. If no VBS is found, BIOS checks the computer's hard drive(s), in sequence, for a valid master boot record. Once one is found, BIOS loads the MBR into memory and executes the first stage boot loader it contains. If BIOS is unable to find an MBR on any of the configured boot devices, the boot process may halt and display an error message, or reboot and continue looking for a device with a valid MBR.


A BIOS setup utility is available to modify basic hardware settings such as boot order preferences and enabling or disabling onboard devices (e.g., sound or network cards). Date and time can be modified, and the CMOS can be reverted to factory settings; however, this may have adverse effects on the system. Each manufacturer provides its own flavor of BIOS setup utility and settings. From a security standpoint the boot order and the setup password matter most: a system that boots from removable media without a setup password lets anyone with physical access boot their own OS and read the disk.

A Phoenix BIOS Setup Utility is presented below. To access this utility from a VM, open, but do not power on, one of the available VMs. From the top banner of the VMware window, click on VM and choose Power from the available list of menus. From the Power menu, choose Power On to Firmware. The VM's firmware is supplied by VMware and is independent of the host machine's firmware.

Figure 3. BIOS Setup Utility.


Master Boot Record (MBR)

The MBR is one of the most significant structures on a hard disk and is created when a hard disk is partitioned. MBR contains a partition table identifying the location of all created partitions. Creation of additional partitions updates the existing partition table. The MBR resides at the first physical sector of the drive (sector 0) and is not part of any partition. The MBR is the first sector read from the boot device and it contains the information to continue the boot process.

The MBR occupies the full 512-byte sector and contains the first stage boot loader (bytes 0 through 445), the partition table (bytes 446 through 509), and a two-byte boot signature (bytes 510 and 511). The boot signature, often referred to as the magic number, marks the end of the sector and serves as a validation check for the MBR. The signature bytes are always 0x55 followed by 0xAA; because x86 stores multi-byte values little-endian, a program that reads the two bytes as a 16-bit integer sees 0xAA55, which is why the value is quoted both ways. A missing or altered signature indicates a corrupt or absent MBR, and BIOS will not boot from the sector. The signature does not select a byte order: the partition table fields are always stored little-endian.

Figure 4. MBR disk layout.

Once an MBR is found, the BIOS loads the first stage boot loader into memory and transfers control. The first stage boot loader reads the partition table to locate the partition marked as active and then searches the active partition for data needed to locate and load a second stage boot loader. The OS begins to boot once the second stage boot loader is placed into memory. The second stage boot loader’s job is to locate and load the OS kernel.

Note: Windows (XP and earlier) second stage boot loader is NTLDR, while Windows (Vista and later) use BOOTMGR. Linux uses LILO/GRUB.


Reading the MBR Partition Table

The first stage boot loader reads the partition table to determine which partition is active. The MBR contains a 64-byte partition table located at byte offsets 446 through 509 (0x1BE to 0x1FD). The partition table has space for four 16-byte entries, one per partition. Each entry holds a status byte (0x80 marks the active, bootable partition), the CHS start address (3 bytes), the partition type byte, the CHS end address (3 bytes), the starting LBA (4 bytes) and the sector count (4 bytes); the last two are little-endian and are the fields modern loaders actually use. See the figures below.

Figure 5. MBR partition table entries.

Figure 6. MBR partition table entry fields.

Figure 7. MBR partition table entry fields - defined.


The MBR partition table has room for only four primary partitions. If more are needed, one of the four entries is designated an extended partition, and logical partitions are created within it. The disk space assigned to the extended partition is subdivided into logical volumes by a chain of Extended Boot Records (EBRs): each EBR is a sector with its own partition table, of which two entries are used, one describing a logical partition with a file system and the other pointing to the next EBR in the chain. The last EBR leaves the second entry empty.
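The following Python parser is added here as an example and is not part of the original guide. It applies the three points above to a constructed 40-sector disk image: it checks the 55 AA signature at bytes 510-511, decodes the four 16-byte entries at offset 0x1BE, and follows the EBR chain of an extended partition, applying the relative-addressing rules (entry 0 is relative to its own EBR, entry 1 to the start of the extended partition). The sample image, its partition placement and the partition type codes used (0x07 NTFS, 0x0F/0x05 extended, 0x83 Linux, 0x82 Linux swap) are assumptions for the demo.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511; read as a little-endian word this is 0xAA55
PT_OFFSET = 0x1BE              # 446: first byte of the 64-byte partition table
EXTENDED_TYPES = {0x05, 0x0F}  # CHS-addressed and LBA-addressed extended partition types


def sector_at(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def parse_partition_table(sector: bytes):
    """Decode the four 16-byte entries of an MBR or EBR sector. LBA values are
    returned exactly as stored (relative, in the case of an EBR)."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 55 AA boot signature: corrupt or absent MBR")
    entries = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:          # type 0x00 marks an unused entry
            continue
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def walk_extended(image: bytes, ext_lba: int):
    """Follow the EBR chain inside an extended partition. Entry 0 of each EBR
    describes a logical partition relative to that EBR; entry 1 links to the
    next EBR relative to the start of the extended partition."""
    logical, ebr_lba, seen = [], ext_lba, set()
    while ebr_lba not in seen:      # a looped chain on a hostile disk would otherwise spin forever
        seen.add(ebr_lba)
        entries = {e["index"]: e for e in parse_partition_table(sector_at(image, ebr_lba))}
        if 0 in entries:
            part = dict(entries[0])
            part["lba_start"] += ebr_lba
            logical.append(part)
        if 1 not in entries or entries[1]["type"] not in EXTENDED_TYPES:
            break
        ebr_lba = ext_lba + entries[1]["lba_start"]
    return logical


def parse_disk(image: bytes):
    """Return the primaries (from the MBR), the logicals (from the EBR chain)
    and the single active primary, or None if zero or several are flagged."""
    primaries = parse_partition_table(sector_at(image, 0))
    logicals = []
    for p in primaries:
        if p["type"] in EXTENDED_TYPES:
            logicals += walk_extended(image, p["lba_start"])
    active = [p for p in primaries if p["active"]]
    return {"primary": primaries, "logical": logicals,
            "active": active[0] if len(active) == 1 else None}


# --- constructed sample image (not a real disk): 40 sectors, zero except the tables ---
def _entry(active, ptype, lba_start, sectors):
    chs = b"\xfe\xff\xff"       # CHS fields are ignored by LBA-aware loaders; filled with FE FF FF
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, chs, ptype, chs, lba_start, sectors)


def _table_sector(*entries):
    table = b"".join(entries).ljust(64, b"\x00")
    return b"\x00" * PT_OFFSET + table + BOOT_SIGNATURE


def build_sample_image() -> bytes:
    img = bytearray(40 * SECTOR)
    img[0:SECTOR] = _table_sector(_entry(True, 0x07, 1, 9),       # active NTFS primary, LBA 1-9
                                  _entry(False, 0x0F, 10, 30))    # extended partition, LBA 10-39
    img[10 * SECTOR:11 * SECTOR] = _table_sector(_entry(False, 0x83, 1, 9),     # logical at LBA 11
                                                 _entry(False, 0x05, 15, 15))   # next EBR at LBA 25
    img[25 * SECTOR:26 * SECTOR] = _table_sector(_entry(False, 0x82, 1, 9))     # logical at LBA 26
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    layout = parse_disk(SAMPLE_IMAGE)
    for p in layout["primary"] + layout["logical"]:
        flag = "  (active)" if p["active"] else ""
        print(f"type 0x{p['type']:02X} start LBA {p['lba_start']:>3} sectors {p['sectors']:>3}{flag}")
```

To run the parser against a real disk, read the first sectors of the device (for example `/dev/sda` or `\\.\PhysicalDrive0`, with administrative rights) into `image` instead of `SAMPLE_IMAGE`; the `seen` set is what keeps a deliberately looped EBR chain from hanging the tool.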

Figure 8. Extended partitions under NTFS and Linux.


After the kernel has been loaded into memory, the processor is switched from real mode to protected mode; the boot loader performs the switch as it hands control to the kernel.

Figure 9. Boot process.

The boot process runs in two processor modes. In real mode, the mode an x86 CPU starts in, every instruction has full access to physical memory and there is no privilege separation. In protected mode, access to memory is controlled by the kernel through segmentation and paging. Because the BIOS performs no signature check on the MBR code it executes, and that code runs in real mode with full access to memory, malware that overwrites the MBR (a bootkit) gains control before the OS and any security software load. A bootkit is one of the most dangerous types of malware because it runs before the OS kernel, can patch the kernel as it loads, and survives reinstalling the OS unless the MBR is rewritten; it is among the most difficult infections to detect and remove. A separate disadvantage of the MBR scheme is size: its partition entries hold 32-bit starting-sector and sector-count fields, so with 512-byte sectors a partition (and the addressable area of a disk) cannot exceed 2 TiB. This inability to use today's larger disks creates problems on modern systems.


2.3 Modern Systems

Modern computer systems fully support the Unified Extensible Firmware Interface (UEFI), which has replaced BIOS as the standard firmware interface on most current platforms. The UEFI specification requires support for both MBR and Globally Unique Identifier (GUID) Partition Table (GPT) partitioned disks; GPT is preferred.

Unified Extensible Firmware Interface (UEFI)

UEFI is an improved method of booting because the firmware can verify the integrity and origin of the drivers and OS boot loaders it executes: with Secure Boot enabled, only digitally signed code that passes verification is initialized. Some systems allow these security features to be turned on and off, and offer the choice of booting in UEFI native mode or in a BIOS compatibility mode (the Compatibility Support Module, CSM) that emulates legacy BIOS behavior.

Booting a modern system begins when it is powered on and its CPU is initialized. Unlike BIOS, UEFI does not launch the boot code in the first 446 bytes of the MBR even if it exists; instead, each installed OS (or vendor) has its own boot loader application (e.g., grubx64.efi). A special partition called the EFI System Partition (ESP), formatted with a FAT file system, stores the OS boot loader files that the firmware launches.

The UEFI boot manager keeps a set of firmware (NVRAM) variables, the Boot#### entries and the BootOrder list, that record the paths of the different OS boot loaders. The boot manager reads this configuration and launches the selected OS boot loader, which in turn loads drivers and the kernel. Each OS loader is stored in the EFI directory within its own subdirectory on the ESP, for example:

/EFI/Boot/bootx64.efi (the fallback loader used for removable media)
/EFI/Microsoft/BOOT/bootmgfw.efi (Windows Boot Manager)
/EFI/redhat (Red Hat GRUB, seen from a running Linux system as /boot/efi/EFI/redhat)

Because the firmware looks for the fallback loader at \EFI\BOOT\BOOTX64.EFI on any ESP it finds, UEFI allows easy boot access from removable devices such as USB flash drives. UEFI implementations include a user interface to firmware resources allowing OS and boot preferences to be customized.

UEFI offers an optional Secure Boot protocol. During Secure Boot, unsigned OS boot loaders and firmware drivers cannot be loaded. The firmware holds a Platform Key (PK), the public half of a key pair enrolled by the platform owner (usually the manufacturer); the PK authorizes the Key Exchange Keys (KEK), which in turn authorize the signature database (db) of trusted certificates and hashes and the forbidden-signature database (dbx). Only boot loaders and drivers whose digital signatures chain to an entry in db, and that are not listed in dbx, are loadable by the firmware. The code is signed, not encrypted: Secure Boot provides authenticity and integrity, not confidentiality. This reduces the risk that malicious or faulty code runs before the OS, but it does not protect the firmware itself, and it depends on the firmware setup being protected from an attacker with physical access, who could otherwise simply disable Secure Boot.

A summary of the advantages of UEFI over BIOS:

- Secure Boot loads only digitally signed boot loaders and drivers

- Works with MBR and GPT partitioning schemes

- Boots larger GPT-partitioned disks

- CPU-independent architecture and drivers


Globally Unique Identifier (GUID) Partition Table (GPT)

The Globally Unique Identifier (GUID) Partition Table (GPT) is part of the UEFI standard and replaces the MBR structure. It is simply another disk-partitioning standard. Key limitations of the MBR are its 32-bit sector fields, the resulting maximum partition size of 2 TiB with 512-byte sectors, and its four primary partitions. Figure 10 describes the GPT disk layout. GPT addresses sectors only by 64-bit Logical Block Address (LBA) and drops the legacy Cylinder-Head-Sector (CHS) fields that MBR still carries. This allows, by default, 128 partitions with sizes of up to approximately 9.4 ZB (zettabytes), the capacity of 2^64 sectors of 512 bytes.

To maintain backward compatibility with older hardware and tools, GPT reserves the first sector of the disk (LBA 0) as a "protective MBR." It has the same layout as a conventional MBR but contains a single partition entry of type 0xEE spanning the whole disk (or the first 2 TiB of it), so MBR-only tools see the disk as fully allocated rather than empty and do not overwrite the GPT structures. A BIOS-based computer can boot from a GPT disk as long as the second stage boot loader and the OS are both GPT-aware.

The GPT header begins on the second logical sector of the device (LBA 1), and the partition entry array follows in LBA 2. 16,384 bytes (32 sectors of 512 bytes) are reserved for the partition entry array, leaving LBA 34 as the first usable sector on the disk for the OS. Disks with larger sectors use fewer LBAs to store the same array: in Figure 10 each LBA is 512 bytes and each partition array entry is 128 bytes, and the LBA values change with larger sector sizes (with 4,096-byte sectors the array fits in LBA 2-5 and the first usable sector is LBA 6).

Figure 10. Model GPT scheme.


The GPT header defines the usable blocks on a disk and the number and size of the partition entries that make up the partition table. The header contains a disk GUID and records its own size and location, as well as the location of a backup GPT header and partition table. The header structure itself is 92 bytes, but it occupies a full sector, with zeros filling the rest of the sector. GPT provides redundancy by writing a GPT header and partition table at both the beginning and the end of the disk, and both the header and the partition array carry CRC32 checksums, so firmware and OS tools can detect a corrupt copy and fall back to the other. The detailed GPT header format is described in Table 3.

Table 3. GPT header format.

Offset  Length  Contents
0       8       Signature ("EFI PART")
8       4       GPT revision
12      4       Header size (usually 92 bytes)
16      4       CRC32 (checksum) of the header, computed with this field set to zero
20      4       Reserved (zero)
24      8       Current LBA (location of this header; LBA 1 for the primary copy)
32      8       Backup LBA (location of the other header copy)
40      8       First usable LBA for partitions (primary partition array last LBA + 1)
48      8       Last usable LBA (backup partition array first LBA - 1)
56      16      Disk GUID
72      8       Starting LBA of the partition entry array (always 2 in the primary copy)
80      4       Number of partition entries in the array
84      4       Size of a single partition entry (usually 128)
88      4       CRC32 (checksum) of the partition entry array
92      *       Reserved; must be zeroes for the rest of the sector

A partition entry array normally ranges from LBA 2-33, with LBA 34 being the first usable sector on the disk. GPT reserves at least 128 partition entries, each 128 bytes in size, rather than four 16-byte partition table entries like MBR. Longer, or even additional entries, are possible when the disk sector size exceeds 512 bytes. The total amount of partition array entries and the length of each is defined in the GPT header. At a minimum, a single partition array entry consists of the following:

Table 4. GUID partition entry format.

Offset  Length  Contents
0       16      Partition type GUID
16      16      Unique partition GUID
32      8       First LBA
40      8       Last LBA (inclusive)
48      8       Attribute flags
56      72      Partition name (36 UTF-16LE characters)

A partition type GUID is a reference number that identifies the purpose of a partition; partition types exist for boot, swap, system data and other uses, and each OS defines several. For example, the partition type GUID C12A7328-F81F-11D2-BA4B-00A0C93EC93B identifies an EFI System Partition (ESP). Note that GUIDs are stored on disk in mixed byte order (the first three fields little-endian), so the bytes in a hex dump do not appear in the order the GUID is written.
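The Python parser below is an added example, not code from the guide, and pulls the GPT material above together: it checks the protective MBR for a 0xEE entry, decodes the Table 3 header from LBA 1 (or from the backup LBA), verifies both CRC32 fields the way the specification defines them (the header CRC is taken with its own field zeroed), decodes the Table 4 entries with Python's `bytes_le` GUID handling for the mixed byte order, and flags the ESP by its published type GUID. The 128-sector sample image is constructed inline; its partition layout, names and unique GUIDs are assumptions for the demo, while the ESP and Linux-filesystem type GUIDs are the published ones.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
HEADER_FMT = "<8sIIIIQQQQ16sQIII"      # the 92 bytes of Table 3, little-endian
ENTRY_FMT = "<16s16sQQQ72s"            # the 128-byte entry of Table 4
ENTRY_COUNT, ENTRY_SIZE = 128, 128     # 16,384 bytes = 32 sectors (LBA 2-33)
PROTECTIVE_TYPE = 0xEE
# published partition type GUIDs: EFI System Partition and Linux filesystem data
ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
LINUX_FS_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_gpt(image: bytes, header_lba: int = 1):
    """Validate the protective MBR, then the GPT header at header_lba (1 for the
    primary copy, the last LBA for the backup) and the partition array it points to."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa" or mbr[0x1BE + 4] != PROTECTIVE_TYPE:
        raise ValueError("LBA 0 is not a protective MBR (type 0xEE); not a GPT disk")
    hdr = image[header_lba * SECTOR:(header_lba + 1) * SECTOR]
    (sig, _rev, hsize, hcrc, _rsv, cur, backup, first_usable, last_usable,
     disk_guid, array_lba, n_entries, entry_size, array_crc) = struct.unpack_from(HEADER_FMT, hdr)
    if sig != GPT_SIGNATURE:
        raise ValueError("bad GPT signature")
    # the header CRC covers hsize bytes with its own CRC field (offset 16) zeroed
    if crc32(hdr[:16] + b"\x00\x00\x00\x00" + hdr[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    if cur != header_lba:
        raise ValueError("header claims LBA %d but was read from LBA %d" % (cur, header_lba))
    array = image[array_lba * SECTOR:array_lba * SECTOR + n_entries * entry_size]
    if crc32(array) != array_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        type_raw, uniq_raw, first, last, attrs, name_raw = struct.unpack_from(ENTRY_FMT, array, i * entry_size)
        type_guid = uuid.UUID(bytes_le=type_raw)      # bytes_le undoes the mixed-endian on-disk order
        if type_guid.int == 0:
            continue                                  # an all-zero type GUID marks an unused slot
        parts.append({"type": type_guid, "id": uuid.UUID(bytes_le=uniq_raw),
                      "first_lba": first, "last_lba": last, "attrs": attrs,
                      "name": name_raw.decode("utf-16-le").rstrip("\x00"),
                      "is_esp": type_guid == ESP_GUID})
    return {"disk_guid": uuid.UUID(bytes_le=disk_guid), "backup_lba": backup,
            "first_usable": first_usable, "last_usable": last_usable, "partitions": parts}


# --- constructed sample image (not a real disk): 128 sectors of 512 bytes ---
def _entry(type_guid, uniq, first, last, name):
    return struct.pack(ENTRY_FMT, type_guid.bytes_le, uniq.bytes_le, first, last, 0,
                       name.encode("utf-16-le").ljust(72, b"\x00"))


def _header(cur, backup, array_lba, first_usable, last_usable, disk_guid, array):
    fields = [GPT_SIGNATURE, 0x00010000, 92, 0, 0, cur, backup, first_usable, last_usable,
              disk_guid.bytes_le, array_lba, ENTRY_COUNT, ENTRY_SIZE, crc32(array)]
    fields[3] = crc32(struct.pack(HEADER_FMT, *fields))   # CRC computed while the field is zero
    return struct.pack(HEADER_FMT, *fields).ljust(SECTOR, b"\x00")


def build_sample_image(total=128) -> bytes:
    img = bytearray(total * SECTOR)
    # protective MBR: a single 0xEE entry covering LBA 1 to the end of the disk
    img[0x1BE:0x1BE + 16] = struct.pack("<B3sB3sII", 0, b"\x00\x02\x00", PROTECTIVE_TYPE,
                                        b"\xff\xff\xff", 1, total - 1)
    img[510:512] = b"\x55\xaa"
    first_usable, last_usable = 34, total - 34        # 33 sectors of GPT metadata at each end
    array = (_entry(ESP_GUID, uuid.UUID(int=1), 34, 65, "EFI system partition") +
             _entry(LINUX_FS_GUID, uuid.UUID(int=2), 66, last_usable, "root")
             ).ljust(ENTRY_COUNT * ENTRY_SIZE, b"\x00")
    disk_guid = uuid.UUID(int=0xABCD)
    backup_lba, backup_array_lba = total - 1, total - 33
    img[2 * SECTOR:34 * SECTOR] = array
    img[SECTOR:2 * SECTOR] = _header(1, backup_lba, 2, first_usable, last_usable, disk_guid, array)
    img[backup_array_lba * SECTOR:backup_lba * SECTOR] = array
    img[backup_lba * SECTOR:] = _header(backup_lba, 1, backup_array_lba, first_usable, last_usable, disk_guid, array)
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    gpt = parse_gpt(SAMPLE_IMAGE)
    for p in gpt["partitions"]:
        tag = "  <- ESP" if p["is_esp"] else ""
        print(f"{p['name']:22} LBA {p['first_lba']}-{p['last_lba']} type {p['type']}{tag}")
```

Parsing the backup copy with `parse_gpt(image, header_lba=backup_lba)` is the check a forensic tool performs when the primary header fails its CRC; a disk whose two copies disagree has been either damaged or deliberately edited.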


UEFI Boot Sequence

UEFI consists of data tables containing platform-related information, plus boot and runtime service calls available to the OS and its loader. Together these provide a standard environment for booting an OS and running pre-boot applications. The UEFI boot process is divided into six phases, each with specific guidelines:

Security (SEC) - Firmware is initialized; this phase is the root of trust for the rest of the boot.

Pre-EFI Initialization (PEI) - Low-level hardware (CPU, chipset, memory) is initialized.

Driver Execution Environment (DXE) - UEFI drivers are loaded and executed.

Boot Device Selection (BDS) - The UEFI boot manager runs here: a GPT or MBR determination is made based on the boot configuration and a boot option is chosen.

Transient System Load (TSL) - Depending on the boot device selected, the firmware boots an OS loader, the UEFI Shell, or a UEFI application.

Run Time (RT) - Boot services are cleared from memory and the system is released to the OS; only the UEFI runtime services remain available.

Figure 11. UEFI boot process phases.


Day 2

Objectives

At the end of this training day, students will be able to:

- Distinguish between Windows user account types and the authentication process.

- Manage Windows user and group accounts.

- Recognize and interpret a Windows file system and its architectural structure.

- Demonstrate the ability to modify Windows directory and file attributes and properties.

- Interpret basic Windows CLI command structure and proper syntax.

- Modify and navigate the Windows file system hierarchy.

Exercises

This training day includes the following exercises:

- Exercise 5-1, Windows User and Group Accounts

- Exercise 5-2, Investigating User Profiles and File Attributes

- Exercise 5-3, Setting NTFS and Share Permissions

- Exercise 5-4, Absolute and Relative Paths

Homework

- Complete day 2 homework assignment in Student Workbook


3 Windows

The Microsoft Windows family of OSs is a mainstay in both commercial and military organizations. Windows provides a consistent and reliable platform that is easy to use and that many popular programs are written for. The Windows OSs are the most widely used in the world today and are found in office and home environments alike.

3.1 Windows Authentication

To access a Windows System, a user must first be authenticated. Authentication is the process of determining whether someone is in fact who they declare to be. Since a computer does not have the ability to see, talk, or reason with its users, how does it validate identity? The answer is simple. Users must utilize an account. In order to use an account, a user must know the account’s credentials (e.g., account name, password, PIN). When a user provides proper account credentials, the computer accepts that the user is who they declare to be. Windows uses three main types of user accounts:

Built-In Accounts - Automatically created when an OS is installed. At a minimum, every Windows system has an Administrator and a Guest built-in account.

  Administrator - User account with the highest level of privileges and permissions. Users authenticated as Administrator can install software/devices, change system configuration settings, and manage other user accounts. This account cannot be deleted.

  Guest - Intended for temporary access when an individual user account does not exist. Guest account abilities are greatly limited, but a password is typically not required to access the system. This account cannot be deleted.

  Common protective measures are to rename the Administrator account and disable the Guest account.

Local Account - Authenticated by the local machine. Local account credentials are maintained in a local database called the Security Accounts Manager (SAM).

Domain Account - Authenticated by a domain controller. A domain controller is a centralized server in a Windows network that stores domain account credentials in a database called Active Directory.


System configuration determines how authentication is performed. A Windows system may be configured as a member of a workgroup or of a domain. In the workgroup model, each Windows system is standalone with regard to authentication: when a user attempts to log on with a local account, the computer checks the credentials against its local SAM. A domain is a collection of computers sharing common configuration, resources, and security policy. This information is maintained in a centralized database known as Active Directory, hosted on special servers called domain controllers that hold all domain accounts and other resource information for the domain. When a user attempts to log on with a domain account, the computer must communicate with a domain controller for authentication.

Notes:

(1) For a computer to communicate with a domain controller, the computer itself must have a computer account in Active Directory or in a trusted domain.

(2) As stated before, every Windows OS has built-in accounts. In a workgroup model, each system maintains a built-in Administrator and Guest account in its SAM as local accounts. In a domain environment, Active Directory also maintains built-in Administrator and Guest domain accounts.

Local User Accounts

Local user account management is performed using a Local Users and Groups utility within the Computer Management console. The utility contains two folders: a Users folder to manage user accounts and a Groups folder to manage group accounts. View the properties of an existing user by choosing a user’s icon in the right pane.

Figure 12. User management/icons.


The properties window for the account appears. Windows 7 and newer disable the Guest account by default.

The Guest Properties window, Figure 13, has the following options available:

User must change password at next logon - Used when a user is assigned an initial password by an Administrator. In this example the option is grayed out because the next option is selected.

User cannot change password - Does not allow a user to change the password. Since the Guest account is typically a shared account, password changes are not allowed by default.

Password never expires - The user is not required to change the password. For security purposes, most systems require periodic password changes.

Account is disabled - Accounts may be disabled because the account has expired or an Administrator has manually disabled it. When an account is disabled, this option is checked.

Account is locked out - Accounts may become locked, usually after too many invalid logon attempts. When an account is locked out, this option is checked.

Figure 13. User Properties Window.


To manage a user’s group membership, simply select the Member Of tab. Figure 14 shows the Guest user account is a member of the Guests group. Additional group memberships may be added by simply clicking the Add button.

Local Group Accounts

Groups are accounts that may contain user accounts, computer accounts, and even other group accounts. Groups, often referred to as security groups, are used to logically organize users. Groups of users are then given permissions to system resources such as files and directories.

It is more efficient to use groups for assigning permissions instead of individual user accounts. For instance, an organization has two departments, Accounting and Marketing. Obviously, the boss doesn’t want the Marketing folks accessing the contents of Accounting’s files. By adding user accounts to their respective groups, a logical separation of users now exists. Managing access to the payroll directory is now a simple matter of limiting access permissions to the Accounting group only. So, unless a user account is a member of the Accounting group, access is not granted. Considering an organization of thousands of employees, it is easy to see that using groups to organize and control access makes the most sense.

Figure 15. Group structure example.

Figure 14. Member of user property tab.


Local group account management may also be performed using the Local Users and Groups utility within the Computer Management console. The Groups folder manages group accounts. In Figure 16, notice that group accounts are identified with a double-profile icon. Figure 16 also shows a list of common built-in local groups. Each of these groups has default pre-assigned permissions and privileges to perform certain tasks. For instance, adding a user account to the Backup Operators group grants the account all of the privileges needed to perform system backups, which includes reading every file on the system regardless of its permissions. Now consider the Administrators group: adding a user account to the Administrators group gives that account the equivalent privileges of the built-in Administrator account, so membership of this group (and of Backup Operators) should be reviewed regularly.

Similar to adding groups to an individual user, group memberships may also be managed by opening the group properties and selecting the users to be added.

Complete Exercise 5-1 in Student Workbook

Windows User and Group Accounts

Figure 16. Common built-in user group listing.


3.2 Windows File and Directory Structure

Windows uses a hierarchical directory structure where all directories and files fall under a disk volume’s root directory (recall the filing cabinet comparison from earlier). Windows identifies the root directory with a backslash character. All files and directories stored in a file system are subordinate to the root directory ( \ ). Windows file systems also use a drive letter to specify which disk volume is being used (C:, D:, etc.). Default configurations install Windows OS onto the C: volume. When combined, the root of a particular volume’s file system is designated by the drive letter and the root symbol. So, “C:\” indicates the “root of C: volume”.

Figure 17 identifies important Windows directories and subdirectories.

Figure 17. Example of an abbreviated Windows 10 directory structure.

Users Folder

The Users folder contains a subdirectory for each user who has logged on to the system. These subdirectories contain profiles, which are collections of folders holding a user's personal data and preferences. Profiles enable each user to save individualized system preferences when logged on. Figure 18 shows the C:\Users directory and individual user profiles. Viewing the Users directory is a simple technique to identify users who have logged on to a system.

Note: Prior to Windows Vista, C:\Documents and Settings was used to store user profiles.

Default - When a user logs on to a system for the first time and/or does not have a profile, the settings contained in C:\Users\Default are used to create the user's profile. (C:\Documents and Settings\Default User prior to Windows Vista)

Public - The settings contained in C:\Users\Public are used to add settings and programs to existing accounts that affect all users that log on to the system. (C:\Documents and Settings\All Users prior to Windows Vista)

Figure 18. Users folder.


Program Files Folder

The Program Files folder contains folders and files of installed software, like Microsoft Office, Adobe Acrobat, Symantec Antivirus, or other optional third party and non-OS software. Although options exist to choose alternate installation locations, viewing C:\Program Files is a simple technique to possibly identify installed software on a system.

Windows Folder

The Windows folder contains folders and files of the specific Windows OS and is referred to as “system root”. The default folder name (Windows, in this case) may vary depending on the OS version installed. Some software installations may require a specific system root name for different Windows versions. To resolve differences, a variable %SystemRoot% is used to identify the Windows directory name value for where the OS is installed. Access to the Windows folder contents is not intended for the unprivileged or common user. An extremely important subdirectory of system root is the C:\WINDOWS\system32 directory. System32 contains most of the built-in Windows system files, programs, and commands.

Figure 20. C:\WINDOWS\system32 directory.

Figure 19. Program Files folder.


Although the contents of the system32 folder display, some system directories and files are hidden from the common user's view. Many of the files in C:\Windows\System32 ending in .dll have a lighter, ghost-like appearance. In Figure 21, the subdued appearance indicates the folder or file carries the hidden or system attribute.

Figure 21. Hidden and System attribute.

File Explorer provides several viewing options, including making hidden and protected system files visible. Access to these options varies by OS version. Perform the following:

Step 1: Open File Explorer, choose File from the top bar, and select Change folder and search options.

Step 2: Select the View tab in the Folder Options window to see the different viewing options available.

Step 3: Choose Show hidden files, folders, and drives.

Step 4: Uncheck Hide protected operating system files (Recommended).

Figure 22. View options for a directory.


Table 5. View option settings.

Option                                    Description
Show hidden files, folders, and drives    Makes files, folders, and drives with the hidden attribute visible
Hide extensions for known file types      When checked, hides known file extensions; when unchecked, displays them
Hide protected operating system files     When unchecked, files and folders with the system attribute become visible
Apply to All Folders / Reset All Folders  Configures all present and future File Explorer sessions with the same viewing options

Leaving extensions hidden is a common trap: a file named invoice.pdf.exe displays as invoice.pdf, so unchecking Hide extensions for known file types is a sensible default on any system used for analysis.

File/Directory Attributes and Properties

An attribute may be defined as any characteristic of a file or directory. In a general sense, attributes are considered the properties of a file or directory. From a Windows perspective, however, there is a distinct difference. Properties may have varying values (e.g., name, size, times, dates), whereas attributes are on/off flags. For example, if the read-only attribute is turned on for a file, applications will not modify it; they can only read it. Note that the attribute is advisory: it prevents accidental modification, but any user with write permission on the file can clear it, so it is not an access control.

The details view in File Explorer displays the attributes of files and directories. Right-click on the fields bar as shown at the top of Figure 23 and left-click Attributes. Notice the current viewable fields are identified with check marks.

Figure 23. Attributes.


Notice that files or folders may have multiple attributes. For instance, the Fonts folder has the Read-only, System, and Directory attributes. Examples of modifiable file/directory attributes used in Windows 7 and 10:

A  Archive     Lets backup programs know which files have changed since the last backup.
R  Read-only   Protects the file from being overwritten or modified.
C  Compressed  Compressed file or directory (NTFS only).
H  Hidden      Hidden from standard directory listings and common users.
E  Encrypted   Encrypted file or directory (NTFS only).
S  System      System file, generally protected from common user access.

Windows 10 may display other attributes, such as a D attribute indicating a directory; it differentiates entries describing files from those describing directories.

Complete Exercise 5-2 in Student Workbook

Investigating User Profiles and File Attributes


3.3 File and Directory Permissions

Authentication is the mechanism by which a system securely identifies a user. Authorization is the mechanism by which a system determines the level of access an authenticated user has to system resources (e.g., files and directories). Authentication and authorization are tightly coupled: once a system ensures a user is who they claim to be, it must then prevent that user from reaching resources they are not entitled to. Authorization is determined by checking file and directory permissions against each access attempt.

Performing these checks requires a file system that can store permissions. Most modern Windows OSs use the NT File System (NTFS), which attaches to every file and directory a Discretionary Access Control List (DACL): an ordered list of access control entries that allow or deny specific rights to specific users and groups.

To access file or directory permissions, right-click the file or directory in File Explorer and select Properties.

The Properties window appears with the General tab selected by default. Notice that some very useful properties and attributes are identified here.

Figure 24. Access file/directory properties.

Figure 25. File/Directory Properties Window.


Select the Security tab to manage permissions. Highlight a group or user name and choose Edit to modify the file or directory permissions.

Figure 26. User Management-> Security tab -> User permissions example.

Note: Comparing the lower pane Permissions windows in Figure 26, notice the Allow boxes.

The subdued (gray) checks in the Allow column in the picture on the left indicate the permissions are inherited. Inherited permissions are given to an object such as a file because it is a child of a parent object (the folder containing it), and they follow the parent's settings. Explicit permissions are those set directly on the object itself. The dark checks in the Allow column in the picture on the right indicate the permissions were explicitly set, meaning not inherited. Windows evaluates explicit entries before inherited ones and, within each group, Deny entries before Allow entries, so an explicit Deny overrides an inherited Allow.

As indicated in Figure 26, account permissions can be viewed by simply selecting the account icon in the top pane. The picture on the left identifies that the selected group has Full Control permissions. Therefore, any account that is a member of Administrators group would then conceivably have Full Control permissions to the Tools directory. The picture on the right identifies the selected user has Read & Execute, List Folder Contents, and Read permissions.


Basic NTFS permissions and their functions are detailed below:

Read
  Folders: Permits viewing and listing of files and subfolders
  Files: Permits viewing file contents

Write
  Folders: Permits adding of files and subfolders
  Files: Permits writing to a file

Read & Execute
  Folders: Permits viewing and listing of files and subfolders as well as file execution; inherited by files and folders
  Files: Permits viewing file contents and file execution

List Folder Contents
  Folders: Permits viewing a listing of files and subfolders; inherited by folders only
  Files: N/A

Modify
  Folders: Permits reading and writing of files and subfolders; allows deletion of the folder
  Files: Permits reading and writing of the file; allows deletion of the file

Full Control
  Folders: Permits reading, writing, changing of permissions, and deleting of files and subfolders
  Files: Permits reading, writing, changing of permissions, and deleting of the file

Note: A special identity group called Everyone exists on all Windows systems. Its membership cannot be edited because every account is considered a member. On Windows 2000 and earlier, the Everyone group has Full Control at the root of the disk or volume by default. For security, newer OSs no longer grant Everyone Full Control at the volume root by default. When Everyone does appear in an ACL, remember that it includes the Guest account, and on Windows 2000 it also included anonymous (null session) connections.

Shares

Windows OSs provide directory-sharing capabilities. When a directory is shared, valid users on other systems may access the share over the network.

To share a directory, open the Properties window of a directory and select the Sharing tab. Choose the Share… button and enter a name or use the down arrow to find someone. Add the user then click the Share button and click Done.

Figure 27. Directory Sharing set up.

After determining a directory to share and who will have access to the share, advanced settings such as folder permissions are established. From the Sharing tab choose the Advanced Sharing… tab to assign share permissions. Share permissions are different from NTFS permissions in that they only apply when the shared folder is accessed over the network. When accessed locally, share permissions are ignored.

To manage share permissions, highlight the group or user name and Allow or Deny them permissions. Adding or removing a group or user can also be accomplished in the permissions pane.

Notice in Figure 28 that, in the right pane, the only available share permissions are Full Control, Change, and Read.

Note: On Windows 2000 and prior OSs, the Everyone group is given Full Control share permissions by default. Newer OSs set the Everyone group to Read share permissions by default.
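The following PowerShell script is an added audit example; it is not part of the student guide. It reports the NTFS permissions of a folder, marking each entry as inherited or explicit (the subdued versus dark check marks described above), warns if Everyone is allowed Full Control, and then lists the share permissions if the same folder is shared, since those apply only to network access. The folder name C:\Tools is taken from the Tools directory example above; the Get-SmbShare and Get-SmbShareAccess cmdlets (SmbShare module, Windows 8 / Server 2012 and later) and an elevated Windows PowerShell 5.1 session are assumptions.

```powershell
# Added audit example; not part of the student guide. Read-only.
# Assumes the SmbShare module (Windows 8 / Server 2012 and later) and an
# elevated Windows PowerShell 5.1 session.
function Get-FolderExposure {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    "NTFS permissions for $Path (owner: $($acl.Owner))"
    foreach ($ace in $acl.Access) {
        # IsInherited corresponds to the subdued (inherited) check marks in the GUI
        $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        '{0,-5} {1,-32} {2,-9} {3}' -f $ace.AccessControlType, $ace.IdentityReference, $source, $ace.FileSystemRights
    }

    # The condition the note above warns about: Everyone allowed Full Control
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    } | ForEach-Object { Write-Warning "Everyone has Full Control on $Path" }

    # Share permissions apply only over the network; locally, NTFS alone decides
    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath.TrimEnd('\')
    $shares = Get-SmbShare | Where-Object { $_.Path -and $_.Path.TrimEnd('\') -ieq $resolved }
    if (-not $shares) { "$Path is not shared."; return }
    foreach ($share in $shares) {
        "Share permissions for \\$env:COMPUTERNAME\$($share.Name):"
        Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            '{0,-5} {1,-32} {2}' -f $_.AccessControlType, $_.AccountName, $_.AccessRight
        }
    }
}

Get-FolderExposure -Path 'C:\Tools'
```

Because the effective permission over the network is the more restrictive of the share permission and the NTFS permission, reading both lists side by side for the same folder is the quickest way to see what a remote user can actually do.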

Complete Exercise 5-3 in Student Workbook

Setting NTFS and Share Permissions

Figure 28. Directory sharing permissions.

3.4 Windows Command Line

Navigating the Windows directory structure is accomplished using File Explorer, My Computer, or the Command-Line Interface (CLI). The shell is a program that handles the user interface with the OS and is also a command language interpreter capable of running batch files or scripts. There are several methods to open a Windows CLI. The Start > Run window is probably the quickest and most commonly used. Once the Run window appears, type cmd and click OK.

Figure 29. Comparison of GUI and CLI.

On a Windows system, most functions performed with GUI tools and utilities may be performed via CLI as well. The CLI is a command interpreter that originated from MS-DOS and is still used on all prevalent Windows OSs today.

See Information Sheet 5-1 in Student Workbook

Command Line Study Sheet

Syntax

CLI skills are extremely important to CNO analysts. The CLI requires knowledge of a command’s functionality and syntax. Syntax is the set of grammatical rules and patterns that govern the ordered use of the words and symbols necessary for a command to execute. Syntax may require only the command, or the command with one or more options or arguments. Arguments are parameters that specify command features and options; options modify the operation of a command. Some commands require no arguments, such as cls, which clears the screen.

C:\>cls

Syntax varies, so it is imperative that help features are easily accessible. The Windows CLI has a built-in help feature that lists many built-in commands and may also be used to display detailed information for each command. At the command prompt type help followed by the ENTER key to display the most commonly used built-in commands along with a brief functionality description.

C:\>help
For more information on a specific command, type HELP command-name
ATTRIB      Displays or changes file attributes.
BREAK       Sets or clears extended CTRL+C checking.
BCDEDIT     Sets properties in boot database to control boot loading.
CACLS       Displays or modifies access control lists (ACLs) of files.
<output abbreviated>
TIME        Displays or sets the system time.
TITLE       Sets the window title for a CMD.EXE session.
TYPE        Displays the contents of a text file.
VER         Displays the Windows version.
XCOPY       Copies files and directory trees.

For more information on tools see the command-line reference in the online help.

To get detailed information for a specific command, at the command prompt enter:

C:\>help <name of command>

or

C:\><name of command> /?

To obtain help for the more command, enter:

C:\>help more

or

C:\>more /?
Displays output one screen at a time.

MORE [/E [/C] [/P] [/S] [/Tn] [+n]] < [drive:][path]filename
command-name | MORE [/E [/C] [/P] [/S] [/Tn] [+n]]
MORE /E [/C] [/P] [/S] [/Tn] [+n] [files]

    [drive:][path]filename  Specifies a file to display one screen at a time.
    command-name            Specifies a command whose output will be displayed.
<output truncated>

Making sense of a command’s help output requires an understanding of the following:

 Begins with a description of command function/use.

 Lists all available arguments and options.

 Details proper syntax required for use with each argument/option.

o Delimiters indicate a separation between the command and its associated arguments. The CLI commonly interprets spaces as delimiters. Other common delimiters used to identify command options are the forward slash ( / ), the hyphen ( - ), or the semi-colon ( ; ).

o Brackets [ ] are used to identify optional arguments.

o The pipe ( | ) character may be used in two ways: to pass the output of the first command to the second command as input, and to represent “or”. For example, [+R | -R] indicates that +R “or” -R may be used.

o Wildcard characters, like an asterisk ( * ), may also be used to denote anything and everything within a specific argument.

The help output for the more command indicates it is used to display output one screen at a time. Also, notice there are many optional arguments.

The following examples show proper syntax for more:

 Display readme.txt file contents one screen at a time

C:\Users\Administrator>more readme.txt

 Display help command’s output one screen at a time

C:\Users\Administrator>help | more

Improper syntax either causes the command to fail or produces an undesired result. For example:

 File name spelled incorrectly

C:\Users\Administrator>more readm.txt
Cannot access file C:\Users\Administrator\readm.txt

 Incorrect use of an option or delimiter

Consider the intention is to display built-in commands and pipe the output to more, so one screen is displayed at a time. Below, the user neglected to include the pipe ( | ).

C:\Users\Administrator>help more

<The command will work, but will produce an undesired result.>

Working Directory and Paths

When starting the Windows CLI, the C:\Users\Administrator> prompt identifies the current location in the system’s directory structure, known as the working directory or present working directory. All files and directories stored in a Windows file system are subordinate to the root ( \ ) directory. The root of a particular file system is designated by the drive letter and the root symbol ( C:\ ). So, the prompt C:\> indicates the working directory is “the root of the C: volume.”

Understanding the organization of files and directories in a file system is one means of recognizing an OS. Additionally, analysts must be able to navigate through a file system by using paths, either to move from one location to another or to identify the location of a particular file or directory. There are two kinds of paths: absolute and relative.

In Windows, an absolute path starts at the volume root and specifies each directory that must be opened to get to the desired file or directory. Path elements (directories and files) are separated by a backslash ( \ ). Since the absolute path starts with the volume root, it always navigates to the correct location, regardless of the present working directory. Consider the directory tree structure on a C: volume as shown in Figure 30. To get to folder3, use the absolute path C:\Folder1\folder2\folder3.

Figure 30. Hierarchical directory tree structure.

A relative path gives the location of the target file or directory from (relative to) the present working directory. Since this path is based on the present working directory, it only works from that one place. Because of this limitation, it can be misleading (or simply incorrect) to use a relative path in all cases. When using a relative path, it is possible to go up the directory tree by using the dot dot ( .. ) symbol. This special key combination is reserved to mean parent directory and is used in a relative path to indicate that the path goes up the tree. Now, consider the directory tree structure shown in Figure 30 with Folder1 as the present working directory. To get to CNA from Folder1 use the relative path of ..\CNO\CNA.

Changing working directories within the CLI is accomplished using the cd command. The help output for cd is shown below. Notice chdir and cd are both displayed as possibilities for changing or displaying the current directory. This is because chdir is a legacy command from MS-DOS that carried over to the modern OS. Both commands provide the same functionality. There are several other instances where legacy commands were carried over and appear in command help output.

C:\>cd /?
Displays the name of or changes the current directory.

CHDIR [/D] [drive:][path]
CHDIR [..]
CD [/D] [drive:][path]
CD [..]

  ..   Specifies that you want to change to the parent directory.

Type CD drive: to display the current directory in the specified drive.
Type CD without parameters to display the current drive and directory.

Use the /D switch to change current drive in addition to changing current directory for a drive.

If Command Extensions are enabled CHDIR changes as follows:

The current directory string is converted to use the same case as the on disk names. So CD C:\TEMP would actually set the current directory to C:\Temp if that is the case on disk.

CHDIR command does not treat spaces as delimiters, so it is possible to CD into a subdirectory name that contains a space without surrounding the name with quotes. For example:

    cd \winnt\profiles\username\programs\start menu

is the same as:

    cd "\winnt\profiles\username\programs\start menu"

which is what you would have to type if extensions were disabled.

As stated previously, the CLI commonly interprets spaces as delimiters. As the help syntax indicates, chdir and cd are exceptions.

Example:

C:\>cd test folder

C:\test folder>

Note: Most commands interpret “test” and “folder” as two separate directories or may try to interpret “folder” as an argument or option. Here, cd ignored the space and worked as intended.

Other commands may require quotation marks around file or directory names containing spaces to ensure correct interpretation:

C:\><command> “test folder”

cd Displays the name of or changes the current directory.

Options:
    /d   Switch current drive
    ..   Changes to the parent directory
    \    Changes to the root directory

Syntax:
    cd /d <drive:> <path>
    cd \<dir1>\<dir2>

Examples:
C:\>cd                  Displays current working directory
C:\dir1\dir2>cd \       Changes to the root directory C:\
C:\dir1\dir2>cd ..      Changes to parent directory C:\dir1
C:\>cd /d X:            Changes current drive from C: to X:
C:\>X:                  Changes current drive from C: to X:
C:\>cd tools            Changes current directory to C:\tools
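The following PowerShell function is an added example, not part of the student guide. It resolves an absolute or relative path against a stated working directory without touching the disk, using the .NET path normalizer, so you can see exactly where a path such as ..\CNO\CNA lands before using it. The folder names follow Figure 30 (C:\Folder1\folder2\folder3 and C:\CNO\CNA) and need not exist; the function and helper names are the author's own.

```powershell
# Added example; not part of the student guide. Nothing here needs to exist on disk.
function Resolve-RelativePath {
    param(
        [Parameter(Mandatory)][string]$WorkingDirectory,  # the "present working directory"
        [Parameter(Mandatory)][string]$Path               # absolute or relative path
    )
    # An absolute path already starts at a volume root and ignores the working
    # directory; a relative one is appended to it. GetFullPath then collapses
    # the . and .. elements the same way cd interprets them.
    if ([System.IO.Path]::IsPathRooted($Path)) {
        $combined = $Path
    } else {
        $combined = [System.IO.Path]::Combine($WorkingDirectory, $Path)
    }
    return [System.IO.Path]::GetFullPath($combined)
}

# The text's example: from Folder1, ..\CNO\CNA climbs to the root and descends into CNO\CNA
Resolve-RelativePath -WorkingDirectory 'C:\Folder1' -Path '..\CNO\CNA'

# An absolute path resolves to the same place from any working directory
Resolve-RelativePath -WorkingDirectory 'C:\CNO\CNA' -Path 'C:\Folder1\folder2\folder3'
Resolve-RelativePath -WorkingDirectory 'C:\Users\Administrator' -Path 'C:\Folder1\folder2\folder3'

# Because .. can leave a directory, normalize a path received from elsewhere
# before trusting it and compare the resolved form against the allowed base.
function Test-PathWithinBase {
    param([string]$Base, [string]$Candidate)
    $fullBase = [System.IO.Path]::GetFullPath($Base).TrimEnd('\') + '\'
    $full = Resolve-RelativePath -WorkingDirectory $Base -Path $Candidate
    return $full.StartsWith($fullBase, [System.StringComparison]::OrdinalIgnoreCase)
}
Test-PathWithinBase -Base 'C:\Users\Student' -Candidate 'Documents\notes.txt'        # a path inside the base
Test-PathWithinBase -Base 'C:\Users\Student' -Candidate '..\Administrator\readme.txt' # a path that climbs out of the base
```

The first call returns C:\CNO\CNA, matching the relative-path example in the text, and the two absolute-path calls return the same C:\Folder1\folder2\folder3 regardless of the working directory supplied.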

Complete Exercise 5-4 in Student Workbook

Absolute and Relative Paths

Environment Variables

The environment variable path statement is configured to allow commands and other programs to execute from any working directory. For instance, the absolute path of the Windows calculator is C:\Windows\system32\calc.exe. Suppose the present working directory in the CLI is C:\tools and calc.exe is entered. The system first tries to find calc.exe in the present working directory, C:\tools. If the file is not in C:\tools, the system then searches each directory listed in the path statement, in order, until the first instance of the file is found, and the calculator executes. If the file is found in neither the present working directory nor the path statement, the following error is displayed:

'filename' is not recognized as an internal or external command, operable program or batch file.

A typical path statement is:

PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\Program Files;C:\Program Files\Common Files

From the CLI, the path statement is viewed or changed using the path command.

Examples:

C:\>path Displays path statement

C:\>path=%path%;C:\tools Adds C:\tools directory to path statement

Note: %path% is an example of a variable. It expands to the current path statement, so the new setting is the old path with C:\tools appended. Notice that a semi-colon must separate each absolute path.

Changes made using path at the CLI are not saved once the CLI closes. Therefore, persistent changes for either an individual or all users require the following:

Step 1: Right-click the Computer icon and select Properties from the context menu. Click Advanced system settings and choose Environment Variables.

Figure 31. My Computer -> Properties.

Step 2: Under the Advanced tab of the System Properties window, select Environment Variables.

Figure 32. System Properties -> Advanced tab.

Step 3: In the Environment Variables window, select Path and then Edit. Non-privileged users do not have permissions to modify the Environment Variables Path statement. This is evident by the Edit button being grayed out or inaccessible at the System level.

Figure 33. Environment Variables window.
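The following PowerShell script is an added example, not part of the student guide. It reproduces the lookup order described above (working directory first, then each path statement entry in order), shows the Machine, User, and Process scopes in which Path is stored (the first two are the persistent ones edited in Steps 1 to 3; the third is what the path command shows and changes), and finishes with a read-only check for path entries that are missing or writable by standard users, which would let a stray file be found before the intended program. The function name and the simplification that the full file name (e.g. calc.exe) is supplied, rather than trying each PATHEXT extension, are the author's own.

```powershell
# Added example; not part of the student guide. Read-only; it changes nothing.
function Find-OnPath {
    param([Parameter(Mandatory)][string]$Name)   # e.g. calc.exe
    # cmd.exe looks in the working directory first, then in each PATH entry
    # left to right. Simplification (assumption): the full file name is given,
    # so PATHEXT extensions are not tried.
    $dirs = @((Get-Location).ProviderPath) + ($env:Path -split ';' | Where-Object { $_ })
    foreach ($dir in $dirs) {
        $candidate = Join-Path -Path $dir -ChildPath $Name
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            return $candidate      # first hit wins; later copies are never reached
        }
    }
    return $null                   # cmd.exe would print "'name' is not recognized ..."
}

Find-OnPath -Name 'calc.exe'

# Persistent Path lives in the Machine (System) and User scopes; the Process
# copy is what `path` in cmd.exe displays and what path=... modifies.
foreach ($scope in 'Machine', 'User', 'Process') {
    "--- Path ($scope scope) ---"
    [Environment]::GetEnvironmentVariable('Path', $scope) -split ';' | Where-Object { $_ }
}

# Defender check: a PATH entry that does not exist, or that standard users can
# write to, lets a planted file be found ahead of the intended program.
$env:Path -split ';' | Where-Object { $_ } | ForEach-Object {
    $dir = $_
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "PATH entry does not exist: $dir"
        return   # inside ForEach-Object, return moves on to the next entry
    }
    # Coarse match on the rights string; partial write rights such as
    # CreateFiles alone are not caught by this simple pattern.
    $loose = (Get-Acl -LiteralPath $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '\\Users$|^Everyone$|Authenticated Users' -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
    }
    if ($loose) { Write-Warning "Standard users can write to PATH entry: $dir" }
}
```

Running the scope loop as a non-privileged user shows the Machine value is readable even though the Edit button is grayed out: the restriction is on writing the System-level value, not on seeing it.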

Day 3

Objectives
At the end of this training day, students will be able to:

 Use Windows commands to reveal OS, directory, and file information.

 Create, modify, move, and copy files and directories using the CLI.

 Apply append (>>), redirect (>), and pipe (|) symbols to files as appropriate.

 Interpret basic Windows CLI commands related to user accounts.

 Recall basic PowerShell cmdlets, switches, and arguments.

 Understand how PowerShell ISE functions as a linear scripting language.

 Understand backup mechanisms and reasons for implementing them.

 Summarize the purpose of log files and their potential vulnerabilities.

Exercises
This training day includes the following exercises:

 Exercise 5-5, Windows CLI Commands (Part 1)

 Exercise 5-6, Windows CLI Commands (Part 2)

 Exercise 5-7, Windows CLI Commands (Part 3)

Homework

 Complete day 3 homework assignment in Student Workbook

 Study for quiz

3.5 Windows Commands

prompt Specifies a new command prompt.

Options:
    <text>   Specifies text for command prompt
    $P       Specifies working directory for command prompt
    $G       Specifies ‘>’ for command prompt

Examples:
C:\>prompt test
test
Text “test” is now the command prompt

C:\>prompt $G
>
The ‘>’ character is now the command prompt

C:\>prompt $P$G
C:\Users\Administrator>
Current working directory followed by the ‘>’ character is the command prompt

dir Displays a list of files and subdirectories in a directory.

A standard directory listing of the C:\dir1 directory using the dir command:

C:\dir1>dir
 Volume in drive C has no label.
 Volume Serial Number is 503C-9FBF

 Directory of C:\dir1

07/15/2013  15:34    <DIR>          .
07/15/2013  15:34    <DIR>          ..
07/15/2013  15:34    <DIR>          test
07/15/2013  15:34                14 test.txt
               1 File(s)             14 bytes
               3 Dir(s)  199,899,639,808 bytes free

A standard directory listing shows the last written timestamp. <DIR> indicates a directory. Note the difference between test directory and test.txt file. A dot ( . ) indicates the current directory and a dot dot ( .. ) indicates the parent directory.

Options:
    /T:   Controls which time field to display
          C   Created
          A   Last Access
          W   Last Written

Syntax: dir [drive:][path][filename] [/T[[:]timefield]]

Example to display the created time field:

C:\dir1>dir test.txt /T:C
 Volume in drive C is OS
 Volume Serial Number is 742E-8281

 Directory of C:\dir1

07/15/2013  15:34                14 test.txt
               1 File(s)             14 bytes

Option:
    /A:   Displays files with a specified attribute
          D   Directory
          A   Archive
          S   System file
          H   Hidden file
          R   Read only

Syntax: dir [drive:][path][filename] [/A[[:]attribute]]

Example to display files with the Hidden attribute:

C:\Users>dir /A:H
 Volume in drive C is OS
 Volume Serial Number is 742E-8281

 Directory of C:\Users

07/15/2013  15:34    <SYMLINKD>     All Users [C:\ProgramData]
07/15/2013  02:17    <DIR>          Default
07/15/2013  11:53    <JUNCTION>     Default User [C:\Users\Default]
07/15/2013  11:41               174 desktop.ini
               1 File(s)            174 bytes
               3 Dir(s)  54,042,333,184 bytes free

Option:
    /S   Displays files in directories and all subdirectories

Syntax: dir [/S] [drive:][path][filename]

Example:

C:\>dir /S C:\Users\Student
 Volume in drive C is OS
 Volume Serial Number is 742E-8281

 Directory of C:\Users\Student

07/08/2013  11:55    <DIR>          .
07/08/2013  11:55    <DIR>          ..
07/08/2013  11:55    <DIR>          Contacts
07/08/2013  11:55    <DIR>          Desktop
07/08/2013  11:55    <DIR>          Documents
07/08/2013  11:55    <DIR>          Downloads
07/08/2013  11:55    <DIR>          Favorites
<truncated>
     Total Files Listed:
             510 File(s)    155,010,714 bytes
             317 Dir(s)  54,042,112,000 bytes free

attrib Displays or changes file attributes.

Options:
    + or - R   Turns on/off read-only attribute
    + or - H   Turns on/off hidden attribute
    + or - S   Turns on/off system attribute
    + or - A   Turns on/off archive attribute

Syntax: attrib [+/- options] <filename>

Examples:
C:\>attrib                   Displays attributes for files contained in C:\
C:\>attrib file.txt          Displays attributes for C:\file.txt
C:\>attrib +H file.txt       Turns on hidden attribute for file.txt
C:\>attrib /S /D C:\dir1     Displays attributes for C:\dir1; /S processes matching files in the current folder and all subfolders, /D processes folders too
C:\>attrib C:\dir1 +S +H     Turns on hidden and system attributes for C:\dir1

The following example compares the results of using the dir and attrib commands with options.

C:\>dir
 Volume in drive C has no label
 Volume Serial Number is BA24-675F

 Directory of C:\

06/10/2009  04:42 PM                24 autoexec.bat
06/10/2009  04:42 PM                10 config.sys
05/29/2018  08:00 AM    <DIR>          Program Files
05/29/2018  08:00 AM    <DIR>          Users
<…truncated>
               2 File(s)             34 bytes
               8 Dir(s)  54,296,637,440 bytes free

C:\>attrib
A            C:\autoexec.bat
A    SHR     C:\bootmgr
A    SHR     C:\BOOTSECT.BAK
A            C:\config.sys
A    SH      C:\pagefile.sys

C:\>dir /a:SHR
 Volume in drive C has no label
 Volume Serial Number is BA24-675F

 Directory of C:\

11/20/2010  04:29 PM           383,786 bootmgr
07/08/2013  02:32 PM             8,192 BOOTSECT.BAK
               2 File(s)        391,978 bytes
               0 Dir(s)  54,296,637,440 bytes free
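The following PowerShell script is an added example, not part of the student guide. It is the PowerShell counterpart of the dir /A and attrib comparison above: it creates a throw-away folder under $env:TEMP containing one ordinary file and one file given the System, Hidden, and Read-only attributes (constructed sample data), then lists the folder the way plain dir, dir /a:SHR, and attrib would, so the effect of each attribute on what a listing shows is visible. The folder name, file names, and function name are the author's own.

```powershell
# Added example; not part of the student guide. Builds and removes its own
# sample folder under $env:TEMP (constructed data).
$root = Join-Path $env:TEMP 'attrib-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
'plain text'  | Set-Content -LiteralPath (Join-Path $root 'config.txt')
'hidden text' | Set-Content -LiteralPath (Join-Path $root 'secret.dat')
# Same effect as: attrib +S +H +R secret.dat (Archive is already set by the write)
$secret = Get-Item -LiteralPath (Join-Path $root 'secret.dat')
$secret.Attributes = 'System, Hidden, ReadOnly, Archive'

function Get-ItemsWithAttributes {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.IO.FileAttributes]$Required
    )
    # -Force is what makes hidden and system items visible at all; without it
    # Get-ChildItem skips them, just as dir does without /A.
    Get-ChildItem -LiteralPath $Path -Force |
        Where-Object { ($_.Attributes -band $Required) -eq $Required } |
        Select-Object Name, LastWriteTime, Length, Attributes
}

"--- plain listing (like dir): secret.dat is not shown ---"
Get-ChildItem -LiteralPath $root | Select-Object Name, Attributes

"--- like dir /a:SHR: only items carrying System, Hidden and Read-only ---"
Get-ItemsWithAttributes -Path $root -Required 'System, Hidden, ReadOnly'

"--- like attrib: every item with its attribute letters ---"
$map = [ordered]@{ A = 'Archive'; S = 'System'; H = 'Hidden'; R = 'ReadOnly' }
Get-ChildItem -LiteralPath $root -Force | ForEach-Object {
    $item = $_
    $letters = ($map.Keys | Where-Object { $item.Attributes.HasFlag([System.IO.FileAttributes]$map[$_]) }) -join ''
    '{0,-5} {1}' -f $letters, $item.FullName
}

# Clean up; -Force is needed because secret.dat is read-only
Remove-Item -LiteralPath $root -Recurse -Force
```

The point for an analyst is that a listing which omits hidden and system items is the default in both cmd and PowerShell; -Force (or /A) is required to see everything, which is why attribute-based hiding is worth checking during a review.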

date Displays or sets the system date.

Options: /t Does not prompt for date change

Examples: C:\>date /t Displays date without prompting for change

C:\>date        Prompts for date change

time Displays or sets the system time.

Options: /t Does not prompt for time change

Examples: C:\>time /t Displays time without prompting for change

C:\>time Prompts for time change

ver Displays OS version.

Example: C:\>ver Microsoft Windows [Version 6.1.7601]

In the example output, 6.1 is the base OS version and 7601 is the build number, which can help identify whether a service pack is installed.

title Sets the title for the CLI window.

Syntax: title <new window title>

Example: C:\>title bob’s window Title of CLI window is renamed to “bob’s window”

exit Quits the CLI window.

Example: C:\>exit Closes the CLI window

Complete Exercise 5-5 in Student Workbook

Windows CLI Commands (Part 1)

See Information Sheet 5-2 in Student Workbook

Windows Build Number Reference

mkdir Creates a directory.

Syntax:
    mkdir <dir1>\<dir2>\<dir3>
    mkdir <dir1> <dir2>
    mkdir <“directory name”>

Examples:
C:\>mkdir test\folder      Creates folder directory nested in test directory
C:\>mkdir test folder      Creates separate directories in current directory
C:\>mkdir “test folder”     Creates a single directory named test folder

rmdir Removes a directory.

Options:
    /s   Removes directory and all contents

Syntax:
    rmdir <directory name>
    rmdir <directory name> /s

Examples:
C:\>rmdir test             Removes test directory, if empty
C:\>rmdir test /s          Removes test directory and all contents

copy con “Copy console” is used to create a simple text file, but is not used to edit an existing file.

Syntax: copy con <filename>

Example: Use copy con to create a file named test.txt.

C:\dir1>copy con test.txt
This is the contents of my file.
^Z
        1 file(s) copied.
C:\dir1>

After entering the command and filename, type the contents of the file. Press CTRL + Z and ENTER to save the file. This sequence simply copies text entered from the console to a file.

notepad Create and edit text files.

Example:
C:\>notepad test.txt       Opens the test.txt file for editing if it exists. If it does not exist, an error message appears and will ask “Do you want to create the file?”.

copy Copies one or more files to another location. Can also name the copied file.

Syntax:
    copy <filename> <destination directory\new filename>
    copy <filename> <dir2>

Examples:
C:\>copy test.txt C:\dir1\file2.txt       Copies test.txt to C:\dir1 and names it file2.txt
C:\>copy test1.txt+test2.txt C:\dir1      Combines test1.txt and test2.txt as test1.txt in C:\dir1

move Moves and renames files and directories.

Syntax:
    move <filename> <destination directory\new filename>
    move <filename> <new filename>

Examples:
C:\>move test.txt C:\dir1\test1.txt       Moves test.txt to C:\dir1, renaming it to test1.txt
C:\>move test.txt newtest.txt             Renames test.txt to newtest.txt

ren Renames a file or directory.

Syntax: ren <source filename> <new filename>

Examples: C:\>ren test.txt file.txt Renames test.txt to file.txt

C:\>ren dir1 folder1 Renames directory dir1 to folder1

type Displays contents of a text file or files.

Example: C:\>type test.txt Displays contents of test.txt

| Called “pipe,” passes the output of one command to the input of another.

Syntax: <output_of_a_command> | <input_of_another_command>

Example:
C:\>type test.txt | more       Displays contents of test.txt one page at a time

find Searches for a text string in a text file or files.

Options: /n Displays line numbers of lines containing specified text string

/I Ignores case when searching for specified string

Syntax: find /n /I “<string>” <path\filename>

Examples:
C:\>find /n /I “fox” test.txt       Displays line number and line containing the text “fox”, ignoring case

C:\>tasklist | find “cmd” Passes the output of the tasklist command to the input of the find command and displays any lines containing the string “cmd”.

del Deletes one or more files.

Examples: C:\>del test.txt test2.txt Deletes test.txt and test2.txt

C:\>del *.txt                 Deletes all files with .txt extension

xcopy Copies directory trees and files.

Options: /e Copies directories and subdirectories, including empty ones

Syntax: xcopy <source> <destination> [options]

Examples:
C:\>xcopy /e dir1 f:\          Copies contents of dir1, files and subdirectories, to F:\

Note: Does not recreate dir1 directory in F:\, so contents of source, dir1, are in the root of F:\.

C:\>xcopy /e dir1 f:\dir1 Copies contents of dir1, files and subdirectories, to F:\

Note: Recreates dir1 directory in F:\.

doskey Recalls Windows commands.

Options: /history Displays all commands entered.

Example:
C:\>doskey /history            Displays all previously entered commands

> Redirects standard command output to a file instead of displaying results on the screen. If the file does not exist, it is created. If the file does exist, it is overwritten.

Syntax: C:\><command> > <textfile>

Example:
C:\>doskey /history > history.txt      Creates a text file named history.txt containing all entered commands

>> Appends standard output to the end of another file. If the file does not exist, it is created.

Syntax: more <filename1> >> <newfile>

Example:
C:\>more page1.txt >> Chapter1.txt

tree Graphically displays the folder structure of a drive or path.

Options: /f Displays the names of files in each folder /a Uses ASCII instead of extended characters

Examples: C:\>tree /f Graphically displays all files in all directories

The dir and tree commands can generate a significant amount of information, so it’s best to use a redirect or an append ( > or >> ) to send the command results to a file, instead of displaying results on the screen.

C:\>tree /f /a > information.txt Creates or overwrites the file, information.txt, with the entire root directory structure

C:\>tree /f /a >> information.txt Directory structure is appended to information.txt file contents, instead of overwriting them

Complete Exercise 5-6 in Student Workbook

Windows CLI Commands (Part 2)

cacls Displays or modifies access control lists (ACLs) for directories and files.

Options:
    /e   Edits ACL instead of replacing it
    /g   Grants specified user access (without /e overwrites ACL)
    /p   Replaces specified user access

Access permissions available:
    N – None (user permissions only)
    R – Read
    W – Write
    C – Change (read and write)
    F – Full

Syntax: cacls <filename> [options] <user:perm>

Examples:
C:\>cacls dir1                 Displays ACL for C:\dir1 directory
C:\>cacls dir1 /g sue:R        Replaces existing ACL with a single entry
C:\>cacls dir1 /p sue:N        Replaces existing user access with a single entry
C:\>cacls dir1 /e /g sue:R     Edits existing ACL by appending an entry granting sue Read permission only

net accounts

Manage policy settings, such as account and password policies, on a local computer.

Options: /minpwlen:<length> Set minimum length of password

/maxpwage:<days> Sets maximum days password is valid

Examples:
C:\>net accounts                    Displays current settings for password and logon limitations

C:\>net accounts /minpwlen:7 Sets minimum password length to seven characters

C:\>net accounts /maxpwage:30 Sets maximum password age to 30 days

net user Displays, modifies, or creates user accounts.

Options: /add Creates a user account /delete Deletes a user account

Syntax: net user <username> <password> /add

net user <username> /delete

Examples:
C:\>net user joe abcd /add          Creates a user account named joe with a password of abcd

C:\>net user sue /delete            Deletes the user account named sue

net localgroup

Displays, modifies, or creates group accounts.

Options: /add Creates a group account or adds a user account as a member

/delete Deletes a group account or removes a user account as a member

Examples:
C:\>net localgroup sales /add          Creates a group account named sales
C:\>net localgroup sales joe /add      Adds a user account named joe to the group named sales

runas Identifies a user account to execute a program.

Options: /user:<username> Identifies user account

Syntax: runas /user:<username> <program>

Example:

C:\>runas /user:administrator cmd.exe Launches a CLI running as the Administrator account. This is known as a secondary logon in Windows.

tasklist Displays a list of processes currently executing.

Example: C:\>tasklist Displays executing processes along with each

respective process identifier (PID).

taskkill Kills one or more processes.

Options:
    /pid   Specifies PID of process to be killed
    /IM    Specifies process by image name
    /f     Forcefully terminate the process

Syntax:
    taskkill /pid <PID>
    taskkill /IM <image name>

Examples:
C:\>taskkill /pid 1473             Kills process identified as PID 1473
C:\>taskkill /IM notepad.exe       Kills Notepad process
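The following PowerShell script is an added example, not part of the student guide. It shows the PowerShell counterparts of net localgroup, net user, and tasklist | find used read-only for review: who is in the local Administrators group, which enabled local accounts have not logged on recently, and which running processes match an image name (with the PID that taskkill /pid, or Stop-Process -Id in PowerShell, would need). Get-LocalUser and Get-LocalGroupMember come from the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), which is assumed; the function names and the 90-day threshold are the author's own.

```powershell
# Added example; not part of the student guide. Read-only.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).
function Get-LocalAdminReport {
    # net localgroup administrators: every member of this group has full control of the host
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-StaleLocalUsers {
    param([int]$Days = 90)   # threshold is an assumption
    # net user <name> prints "Last logon"; here it is a property to filter on.
    # Enabled accounts that never logged on, or not within $Days, deserve a look.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-LocalUser | Where-Object {
        $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff)
    } | Select-Object Name, Enabled, LastLogon, PasswordLastSet
}

function Find-ProcessByName {
    param([Parameter(Mandatory)][string]$Pattern)
    # tasklist | find "cmd": match on the image name and keep the PID, which is
    # what taskkill /pid (Stop-Process -Id in PS) would take as its argument.
    Get-Process | Where-Object { $_.ProcessName -like "*$Pattern*" } |
        Select-Object Id, ProcessName, SessionId
}

Get-LocalAdminReport   | Format-Table -AutoSize
Get-StaleLocalUsers -Days 90 | Format-Table -AutoSize
Find-ProcessByName -Pattern 'cmd' | Format-Table -AutoSize
```

Unlike the net commands, these cmdlets return objects, so the same data can be filtered, sorted, or exported with Export-Csv instead of being parsed out of screen text.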

Complete Exercise 5-7 in Student Workbook

Windows CLI Commands (Part 3)

3.6 PowerShell (PS)

Windows PowerShell (PS) is an object-oriented, interactive command environment with scripting language features. PS uses small programs called cmdlets to simplify configuration and administration of local and remote Windows systems. Developed by Microsoft, it also includes the capability of using some UNIX commands and is available for versions of Linux as PS Core. PS Core is also available for Windows and provides a common scripting environment for mixed networks. PS scripting is generally done in the Windows PS Integrated Scripting Environment (ISE). The ISE provides syntax coloring, tab completion, IntelliSense (a list of options to choose from while typing), visual debugging, and context-sensitive help. Commands used in scripts are also used in an interactive Windows PS session.

Versions

Knowing the PS version installed is important because each version has different capabilities and supports a different set of commands. Access PS by entering PowerShell in the search or Cortana box on the lower menu bar. If running a 64-bit OS, choose Windows PowerShell. Only use the (x86) version if running a 32-bit system. Once the terminal opens, run the cmdlet Get-Host or display the $PSVersionTable variable. Either will show the current PS version. Figure 34 shows the current PS version is 5.1.

Figure 34. How to obtain PS version.

Each version of PS is backwards compatible with previous versions. To use the latest features available with PS, Microsoft recommends running the most current version.

Using Help

Get-Command shows a list of available cmdlets. Each cmdlet has its own help page, similar to running the Windows help or /? command. After identifying a cmdlet to use, run Get-Help for that cmdlet to see the available help. Figure 35 shows help output for the Get-ChildItem cmdlet.

Figure 35. Getting help for Get-childitem.

For more specific examples of using a particular cmdlet add the –examples parameter. In Figure 36, Get-Help Get-Childitem –examples shows examples of the syntax:

Figure 36. Get-help with -examples parameter.

Cmdlets

Cmdlets are small PS commands not stand-alone executables. Cmdlets consist of a verb-noun compound phrase separated by a hyphen, making commands easy to remember and intuitive. In Table 6, the verb part of the command (Get) directs the action; to retrieve data. The noun part of the command (ChildItem) provides the focus for the verb; to obtain a directory listing.

Table 6. Cmdlet Structure.

Get is one of many available verbs PS recognizes. To see an entire list, run Get-Verb.

Figure 37. Get-Verb cmdlet partial results.

Most cmdlets can accept one or more optional parameters (e.g., switches) to identify additional object attributes. A hyphen (-) precedes the parameter name. Some common parameters include:

-name States the name of an object, (e.g., user, cmdlet, or path name).

-computername States the system name or IP to perform the action.

-path States the path for a directory.

Arguments define additional information associated with a parameter name but are not required. If an argument is omitted, PS uses the parameter’s default argument. Some common arguments associated with parameters are:

-name Student          Specifies Student as the argument of the -name parameter.

-computername Svr1     Specifies the computer named Svr1 as the system on which to perform the action.

-path C:\Windows       Specifies the path to traverse when navigating the file system.

Aliases

In addition to the cmdlets, Windows external commands still work from PS. Some examples of these external commands are date, tree, and ipconfig. However, most internal or built-in commands (e.g., dir, copy, move) are associated with a cmdlet that provides similar output; that mapping is known as an alias. The PS cmdlet Get-Alias gives a complete list of aliased commands and their associated PS cmdlets. To find the cmdlet associated with a specific command, simply type Get-Alias followed by the aliased command. As shown in Figure 38, use a comma separator to view the cmdlets for multiple aliases at one time, such as dir and ls.

Figure 38. Get-alias for the dir command.

In the above output, dir and ls are identified as aliases for Get-ChildItem. As shown here, PS has built-in aliases for many UNIX commands. In Linux (a version of UNIX), the ls command is used to view a directory listing and, similar to dir, additional options are available for functionality. Having an alias enables a user to type either dir or ls at a PS prompt and get a result. However, because dir and ls are now aliases, any options previously associated with those commands no longer work, as they are not part of the PS cmdlet. For example, dir /w or dir /a:h are no longer valid. Similarly, ls -l will not work.

PS Cmdlets vs. Windows/UNIX commands

Table 7 shows a list of commonly used cmdlets and their Windows/UNIX command counterparts.

Table 7. Windows and UNIX cmdlet comparison.

PS cmdlet       Windows/UNIX command   Function
Set-Location    cd                     Change working directory
Get-Location    cd / pwd               Displays working directory
Get-ChildItem   dir / ls               Displays directory listing
Copy-Item       copy / cp              Copy file(s), dir(s), registry key(s), ...
Clear-Host      cls / clear            Clear terminal window contents
Rename-Item     ren / mv               Renames a file or directory
Remove-Item     del / rm               Removes one or more files, dirs., ...

The PS cmdlet Get-Command provides an alphabetized list of all PS commands along with the command type (Cmdlet), Name, Version, and Source.


3.7 PS ISE

Access PS ISE in the same manner as previously described for Windows PS. Enter PowerShell in the search or Cortana box on the lower menu bar. If running a 64-bit OS, choose Windows PowerShell ISE.

The ISE allows commands to be executed in a console pane while simultaneously viewing the source code of scripts and other tools that can be inserted into the environment. ISE allows for visual debugging, syntax-coloring, tab completion, and the code editing features of IntelliSense. Figure 39 below is the default pane for Windows PowerShell ISE.

Figure 39. PowerShell ISE default Window.

The Menu Bar contains features needed to perform tasks related to writing and running scripts and commands. The Tool Bar has features for creating, opening, saving, and running scripts or portions of scripts. The PowerShell tab is the environment where a script runs. The Script Pane allows for creating and running scripts. The Command Pane is like a terminal window where commands are executed. When scripts run from the Script Pane, the results of those commands appear in the Command Pane. The Add-on Tools Pane provides additional functionality such as the Commands tool. Later JCAC Modules discuss these features further.

Figure 40 is an example of a script (Untitled.ps1). Review the cmdlets in the Script Pane to determine what commands the script is actually performing. Many of these were already discussed during the PS lesson.


Figure 40. PowerShell ISE Script Window.

3.8 Backup and Recovery Procedures

A crucial part of network defense is the implementation of a disaster recovery plan. Although most organizations have a plan in place to recover data after a man-made or natural catastrophe, backup procedures and recovery guidelines are often weak. In addition to data backup and recovery, a security recovery plan should also be implemented.

Data backup and recovery procedures are essential. If data was breached prior to performing a system backup, the backup itself may contain the vulnerability. When the system is restored from a full backup, the vulnerability or virus may also be restored. This is why patching is an integral part of the backup and recovery process and why the IA measures of confidentiality, integrity, and availability are so vital.

Most OSs come with backup and recovery software installed. Many are adequate, but there are hundreds of applications that can be purchased or downloaded for free that may offer more desirable options. When a file is created or modified, the archive attribute is turned on to identify that the file requires backup. Backup programs use the archive bit to identify what is new or changed since a previous backup. The type of backup performed affects the archive attribute's state. Basic backup types and their advantages and disadvantages are listed below:

Full Commonly used to backup an entire system by selecting an entire volume. All files selected are backed up. Archive attributes are cleared, or turned off, for files backed up during a full backup.

Pros: Backs up all files and directories.

Cons: Takes a long time since it backs up everything.

Incremental Backs up selected files with the archive attribute. Archive attributes are cleared, or turned off, for files backed up during an incremental backup.


Pros: Backup times are quicker. Only backs up files and directories that are new or changed since the last full or incremental backup.

Cons: System Restore is more difficult and time consuming as it requires every incremental backup tape or media set.

Differential Backs up selected files with the archive attribute. Archive attributes remain on for files backed up during a differential backup.

Pros: System Restore requires only the most recent full and differential tapes or media sets.

Cons: Backup times become progressively longer over time.

Storage management begins by deciding what data should be backed up. Options may include user files, applications, or the entire OS. After determining what to back up, decide where to back up. Backing up data to the same hard drive is normally a bad idea. Backing up to an external disk, flash drive, or a networked drive is a better option. Cloud storage services are an excellent means of backing up data. Microsoft provides its own cloud service, known as OneDrive, built into Windows 10, but others such as Dropbox, iCloud, and Google Drive are available depending on user preferences. File system interface and structure must also be taken into account. Although Windows' NTFS partition supports backing up and restoring files from multiple file system types (FAT, NTFS, EXT), not all are supported. For instance, Windows 7 does not allow backup to a FAT32 disk because of FAT32's 4 GB file size limit. Not all backup media is partitioned the same.
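The selection rule for each backup type, as an added example that is not from the guide: a bash script that models the archive bit with one marker file per data file (UNIX has no archive attribute) and shows which files a full, an incremental, and a differential backup pick up over a week and what each leaves set. The file names, the week schedule, and the temporary directories are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the guide): which files each backup type selects and
# how it leaves the archive bit. UNIX has no archive attribute, so the bit is
# modelled as a marker file per data file under $MARKERS (marker present =
# bit on = changed since the last backup that cleared it). All files are
# constructed in a temporary directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DATA="$WORK/data"; MARKERS="$WORK/markers"
mkdir -p "$DATA" "$MARKERS"

# touch_file NAME: create or modify a data file; the OS would turn the
# archive bit on, so the marker is (re)created.
touch_file() {
  echo "edit" >> "$DATA/$1"
  : > "$MARKERS/$1"
}

# files_with_bit: sorted, space-separated names whose archive bit is on.
files_with_bit() {
  ( cd "$MARKERS" && ls ) | sort | tr '\n' ' ' | sed 's/ $//'
}

# full_backup: every file is selected; all archive bits are cleared.
full_backup() {
  ( cd "$DATA" && ls ) | sort | tr '\n' ' ' | sed 's/ $//'
  rm -f "$MARKERS"/*
}

# incremental_backup: files changed since the last full OR incremental
# backup; their bits are cleared, so the next incremental starts from zero.
incremental_backup() {
  files_with_bit
  rm -f "$MARKERS"/*
}

# differential_backup: files changed since the last FULL backup; the bits
# stay on, so each differential grows until the next full backup.
differential_backup() {
  files_with_bit
}

# run_week MODE: Monday full backup of a, b, c; then one file edited per day
# followed by a MODE backup (incremental or differential). Prints
# "Day:selected files" entries separated by ";".
run_week() {
  local mode=$1 out day
  rm -f "$DATA"/* "$MARKERS"/*
  touch_file a; touch_file b; touch_file c
  out="Mon:$(full_backup)"
  for day in Tue:a Wed:b Thu:c; do
    touch_file "${day#*:}"
    out="$out;${day%:*}:$("${mode}_backup")"
  done
  echo "$out"
}

# A Friday restore needs the full set plus every incremental set, but only
# the full set plus the newest differential set.
echo "incremental:  $(run_week incremental)"
echo "differential: $(run_week differential)"
```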

System Restore

Modern Windows OSs include a System Restore feature to return the system to a workable state, should it become corrupt, without resorting to backups. This feature is disabled by default in Windows 10. Some events that trigger the creation of restore points are:

 Installing an Application

 Installing AutoUpdate

 Restoring from Backup

 Creating a Manual Restore Point

3.9 Logs

Windows implements logging through specialized event logs. The Event Viewer provides an interface to view the information captured in these logs. For information to be captured, auditing must be enabled. Logs are invaluable in determining successful and unsuccessful system or network events, including authentication and authorization. The log entries encompass security, system, and application events with a severity level, ID number, and general description of each event. An analyst can use this information to determine a fix if necessary or to track down unusual activity.


Available logs for Windows 7 and 10 are listed below:

Security Log Contains audit events that may affect the security of the system, user activities such as logon/logoff, and resource access attempts.

Application Log Contains events logged by non-OS and third-party applications.

Setup Log Contains actions that occur during Windows setup.

System Log Contains events logged by OS components.


Objectives At the end of this training day, students will be able to:

 Interpret UNIX command syntax and help features.

 Interpret and implement introductory UNIX commands.

 Recall and use various tools to view text-based files.

 Identify the UNIX file and directory structure.

 Demonstrate the ability to navigate the UNIX OS hierarchy using the CLI.

 Duplicate commands and features of the vi editor, as demonstrated.

Exercise This training day includes the following exercises:

 Exercise 5-8, UNIX Introductory Commands

 Exercise 5-9, UNIX File System Navigation

 Exercise 5-10, UNIX vi Editor

Homework  Complete Day 4 Homework assignment in Student Workbook

Day 4


4 UNIX

UNIX is an extremely versatile OS that is portable to a variety of hardware platforms. Originally developed by researchers at AT&T Bell Labs, there are several OSs that look and act very much like UNIX but were developed separately. The most popular non-certified "work-alike" version of UNIX is Linux. Although Linux is actually the kernel, the entire distribution including tools, utilities, and other software (the GNU tools) is commonly referred to as Linux. This module uses the Linux variant of UNIX for most terminology and references.

4.1 Accessing a Linux System

In Windows, students learned to open a Command Prompt window to enter commands via the CLI. In Linux, a terminal window is opened to access a shell where commands are entered. The terminal window is a text only window within a GUI that emulates a console. The terms console and terminal are used interchangeably, but a console actually refers to an instrument panel that contains the controls of a computer. From the terminal window, commands are entered in text form using a shell. A shell is a program that provides text only interface for Linux and other UNIX like OSs. The shell presents each user with a prompt, executes user commands, and supports a custom environment for each user. Shell prompt examples are:

[root@Linux ~]# # symbol indicates root user

[bob@localhost ~]$ $ or % symbol normally indicates a non-root user

The type of shell used varies depending on several factors such as default system values, user preferences, and program preferences. The login shell assigned is set when a user account is created. There are many different shells available, each with a different set of features and capabilities. Some available shells are:

 Bourne Shell (sh)

 Tenex C Shell (tcsh)

 C Shell (csh)

 Bourne-Again Shell (bash)

The default shell for Linux (CentOS) is bash. It provides command-line editing, history features, word completion, and a shell scripting language similar to PS. Shell scripts often contain multiple commands executed in linear fashion. Other common elements of a shell script are shell keywords (if, else, break), functions, and flow control (if-then-else, case, and loops). Shell scripts are used for automation and to avoid repetitive work. Throughout many JCAC modules, scripts are examined, edited, and created to facilitate analysis.


4.2 Anatomy of a UNIX Command

On a UNIX system, nearly all functions performed with GUI tools and utilities can also be performed via the shell. Knowledge of each command’s functionality and syntax is a necessity. Although UNIX and Windows have similar commands and formats, some things vary greatly. For instance, UNIX commands and files are case sensitive. A file named myfile.txt is not the same as Myfile.txt. Also, Windows paths use backslash ( \ ) while UNIX paths use forward slash ( / ) to separate directory and file names. Commands in UNIX all have the same structure. The number of commands is kept small by extending each command’s functionality using option switches. Options are preceded with a hyphen ( - ).

Figure 41. Command structure.

In Figure 41, the ls command (similar to dir in Windows) provides a directory listing. The option -l provides a long listing of all directories and files within the directory specified in the argument ( /home/bob ).

Example:

[root@localhost ~]# ls -l /home/bob
total 8
drwxr-xr-x 2 bob  bob  4096 Jul  9 11:45 Desktop/
-rw-r--r-- 1 root root   15 Jul 12 10:49 test.txt

… results truncated …

When more than one option is desired, often the options are combined together preceded by a single hyphen (-). For example, Windows and Linux have a tree command that uses the same switches; Windows precedes options with a forward slash ( / ) and Linux uses a hyphen ( - ). In addition, Linux can string multiple options together as shown in the comparison below.

Windows: C:\>tree /f /a

Linux: [root@localhost ~]# tree -f -a

or [root@localhost ~]# tree -fa

Figure 41 content, in text form:

    command      option switch   argument
    ls           -l              /home/bob
    list files   long listing    directory /home/bob


4.3 System Command Manual

It is virtually impossible to know every UNIX command, and it is even more difficult to remember the various options and switches for each command. UNIX commands, files, and directories are all case sensitive. Similar to the Windows help command, UNIX provides manual pages (man pages) for most commands, with examples of proper format and syntax. The man pages are helpful when running commands not often used and are generally divided into eight sections. Key sections are listed below; the section number is referenced next to the command in parentheses.

Table 8. man page sections.

Section 1 - User Commands

Section 2 - System Calls

Section 3 - C Library functions

Section 4 - Device and Special Files

Section 5 - File formats and conventions

Section 6 - Games

Section 7 - Miscellaneous

Section 8 - Sys Admin tools and daemons

man Displays the on-line manual page for a command. Note that (1) marks a user command.

Syntax: man <command>

Example: [root@localhost ~]# man ls

LS(1)                        User Commands                        LS(1)

NAME
       ls - List directory contents

SYNOPSIS
       ls [OPTION]... [FILE]...

DESCRIPTION
       List information about the FILEs (the current directory by
       default).

       -a, --all
              do not ignore entries starting with .

       -i, --inode
              print the index number of each file

fork is a system call, not a "command", used to create a new process. Note the (2).

Example: [root@localhost ~]# man fork

FORK(2)                 Linux Programmer's Manual                 FORK(2)

NAME
       fork - Create a child process

SYNOPSIS
       #include <unistd.h>

       pid_t fork(void);

DESCRIPTION
       fork() creates a new process by duplicating the calling
       process. The new process, referred to as the child, is an exact...


4.4 Introductory Commands

The following basic commands and options are used on a regular basis by most users.

clear Clears the current screen, providing an empty terminal window.

pwd Print working directory; displays the current working directory.

uname Displays the UNIX OS variant.

Options: -a Print all information

Example: [root@localhost ~]# uname -a
Linux Linux.jcac.local 2.6.18-92.el5 SMP Tue Aug 5 07:41 EDT 2008 i686 i386 ...

date Prints or sets the system date and/or time.

Options: -s <date/time> Sets date to date and time provided

Example: [root@localhost ~]# date
Fri Sep 2 13:17:00 PDT 2012
[root@localhost ~]# date -s "10/04/2013 15:26:00"
Fri Oct 4 15:26:00 PDT 2013

tree Lists directory contents in a tree-like format.

Options: -C Turn colorization on
-F Append a "/" for directories

Example: [root@localhost ~]# tree -CF /root
/root
|-- Desktop/
`-- test.txt
... results truncated ...

exit Exits the current shell (CLI console).

ls Lists contents of a directory.

Options: -l Long list; shows ownership, permissions, and links
-i Displays inode number in the first field
-s Displays number of file system blocks used by the file
-a Lists all files, including invisible (hidden) files

Example:

[root@localhost ~]# ls -lisa /home/bob
total 144
4161571 8 drwx------ 16 bob  root 4096 Jul 12 10:49 ./
4161537 8 drwxr-xr-x  3 root root 4096 May 16 08:48 ../
4161588 8 -rw-------  1 bob  bob   211 Jul 09 11:40 .bash_history


Pagers

Text files are viewed using text viewer utilities often called pagers. Pagers do not change file contents but do allow forward and backward navigation as well as search features.

less Displays text files one screen at a time.

Options: b Moves backwards one page at a time
/ Initiates a search for a string (word)
q Exits from less
SPACE BAR Advances one screen at a time
ENTER key Advances one line at a time

Example: [root@localhost ~]# less /etc/passwd

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

…results truncated …

more Works like the less command but with fewer options.

Examples: [root@localhost ~]# more /home/bob/Chapter1.txt

<displays file text>

head Prints the first 10 lines of a file to standard output by default. The tail command displays the last 10 lines. Using a "-" followed by the number of lines desired prints that number of lines of text to standard output.

Syntax: head <filename>

Example: [root@localhost ~]# head /home/bob/Chapter1.txt
<displays file text>
[root@localhost ~]# tail -4 /home/bob/Chapter1.txt
<displays file text>

cat Displays file(s) contents to the screen and can concatenate (combine) files.

Syntax: cat <filename> <other_filename>

cat <filename1> <filename2> > <bothfiles>

Examples: [root@localhost ~]# cat /tmp/test.txt
[root@localhost ~]# cat /tmp/test.txt /home/bob/myfile.txt
[root@localhost ~]# cat page1.txt page2.txt > Chapter1.txt

Complete Exercise 5-8 in Student Workbook

UNIX Introductory Commands


4.5 UNIX File and Directory Structure

Files in UNIX are treated as byte streams meaning they can contain any characters. However, having a space in a file name can cause problems. Therefore, it is recommended to use an underscore ( _ ) instead of a space to separate words in a file name.

Linux provides a standard hierarchy for UNIX-like OSs called the Linux Filesystem Hierarchy Standard. Under this directory structure, all directories and files fall under a root directory. Default configurations install Linux OSs into the / directory, where / indicates the root of the file system. All file systems in Linux are logical names that point to a partitioned area on a disk. Do not confuse /, the root of the file system, with /root. The /root directory is the system administrator's (root user's) home directory.

Figure 42. UNIX directory structure.

The cd command in UNIX works the same way as it does in Windows to navigate the file system.

cd Change Directory.

Syntax: cd /<directory>/<directory>

cd <directory>

Examples: [root@localhost ~]# cd /usr/local/bin

[root@localhost ~]# cd ../usr/local/bin


Common System Directories

System directories and their locations vary among different UNIX-like OSs. Some common directories, along with their purpose and content are explained below.

/boot Static files of the boot loader; required to boot the system.

/bin Essential command binaries (e.g., cp, mkdir, ls, less).

/sbin Essential system binaries; commands intended for use by privileged users (e.g., init, fdisk, ifconfig, lsmod).

/usr Second major hierarchy. User system resources such as user binaries and associated documentation, libraries, and header files.

/lib Shared libraries.

/dev Device files (block and character).

/etc System administration and configuration files.

/home User home directories.

/opt Optional third-party software.

/proc Process information used by the system.

/root Root user's home directory.

/tmp Temporary files used by the system.

/var Variable-size data such as log files.


File System Navigation

Working directory and path concepts are essential to file system navigation. In UNIX, the current working directory is displayed using the pwd (print working directory) command.

[root@localhost ~]# pwd

/root

UNIX prompts normally show username, hostname, and working directory. Similar to Windows, UNIX prompts are customizable but do not use a drive letter or display the full path of the working directory. Typical system prompts are compared below:

Windows C:\Users\Temp>

UNIX [root@localhost tmp]#

When a command is entered, the system searches each directory listed in the path statement until the first instance of the file is found. If not found, an error is displayed, just as in Windows. An absolute path in UNIX begins at the root ( / ) directory as shown below.

Changing to a directory:

[root@localhost ~]# cd /etc/sysconfig

Viewing the contents of a file:

[root@localhost ~]# less /etc/sysconfig/grub

Running a file:

[root@localhost ~]# /opt/zombie_process/zombie_example

The relative path is based on the present working directory. Therefore, it is important to know the current location when using relative paths. If the present working directory is /etc, a relative path can be used to access the sysconfig directory, a subdirectory of the /etc directory.

Example:

[root@localhost etc]# pwd

/etc

[root@localhost etc]# cd sysconfig

[root@localhost sysconfig]# pwd

/etc/sysconfig


To view the file access_log located in the /var/log/cups directory using a relative pathname, use ".." to cd to the parent directory as many times as necessary until arriving at the directory containing the file. In this example, the file access_log is located one level up and then nested three directories deep.

[root@localhost etc]# pwd

/etc

[root@localhost etc]# less ../var/log/cups/access_log

localhost - - [17/Dec/2013:05:08:52 -0800] "POST / HTTP/1.1...

… results truncated …

The OS keeps a list of common absolute paths to use when searching for commands or files. The list is referred to as the path statement and is denoted by the environmental variable PATH. This path statement can be configured to allow use of a command from any working directory.

For instance, the absolute path for the calendar command is /usr/bin/cal. Consider the present working directory is /home/bob and the cal command is entered. The system first tries to find cal in the present working directory, /home/bob. If the file is not found in the present working directory or the path statement, an error is displayed.

The path statement is viewed using the echo command and the environmental variable $PATH. Individual paths are separated by colons ( : ).

echo Display text to standard output.

Syntax: echo <standard output>

Examples:

[root@localhost etc]# echo Hello

Hello

[root@localhost etc]# echo $PATH

/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:

The path statement is modified by assigning a new value to the PATH variable.

Example:

[root@localhost etc]# PATH=$PATH:/usr/demo
[root@localhost ~]# echo $PATH
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/usr/demo

Now when the path is viewed, /usr/demo is seen at the end of the path statement.

Like Windows, changes made to the path statement via the shell are not saved once the shell closes. Persistent changes can be made and are explained in the Advanced UNIX module.
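How the path statement is searched, as an added example that is not from the guide: a bash function that resolves a command name through a PATH string the way the shell does (first directory holding an executable of that name wins), run against constructed stand-in directories for /usr/bin and /usr/demo. The directories, the DEMO_PATH variable, and the stand-in cal and demo commands are assumptions made for the demonstration.

```bash
#!/bin/bash
# Added example (not from the guide): resolve_in_path walks a PATH string from
# left to right the way the shell does for a command name containing no slash
# and prints the first executable found. The directories and the stand-in
# "cal" and "demo" commands below are constructed for the demonstration.

# resolve_in_path NAME [PATHSTRING]: print the first match, return 1 if none.
resolve_in_path() {
  local name=$1 pathstr=${2:-$PATH} dir
  case $name in
    */*) echo "$name"; return 0 ;;   # a name with a slash is not searched for
  esac
  local IFS=':'
  for dir in $pathstr; do
    [ -z "$dir" ] && dir=.          # an empty entry means the current directory
    if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
      echo "$dir/$name"
      return 0
    fi
  done
  return 1                          # the "command not found" case
}

# --- constructed lookup tree: stand-ins for /usr/bin, /usr/demo and a cwd ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_cmd() { printf '#!/bin/sh\necho "%s"\n' "$1" > "$2"; chmod +x "$2"; }
mkdir -p "$WORK/usr_bin" "$WORK/usr_demo" "$WORK/cwd"
make_cmd "system cal" "$WORK/usr_bin/cal"
make_cmd "demo cal"   "$WORK/usr_demo/cal"
make_cmd "demo tool"  "$WORK/usr_demo/demo"
make_cmd "local cal"  "$WORK/cwd/cal"

# Before and after the equivalent of PATH=$PATH:/usr/demo.
DEMO_PATH="$WORK/usr_bin"
echo "demo before: $(resolve_in_path demo "$DEMO_PATH" || echo 'not found')"
DEMO_PATH="$DEMO_PATH:$WORK/usr_demo"
echo "demo after:  $(resolve_in_path demo "$DEMO_PATH")"
# Order decides which "cal" runs: the first directory holding one wins, which
# is why an unexpected directory placed ahead of /usr/bin deserves scrutiny.
echo "cal (usr_bin first):  $(resolve_in_path cal "$DEMO_PATH")"
echo "cal (usr_demo first): $(resolve_in_path cal "$WORK/usr_demo:$WORK/usr_bin")"
```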

Complete Exercise 5-9 in Student Workbook

UNIX File System Navigation


4.6 Visual Editor (vi)

A text editor is a program used to create and modify text files. All UNIX variants come with the visual editor, vi (pronounced vee-eye, short for "visual"), pre-installed. Text editors often require memorizing commands to perform editing tasks. Three aspects of vi make it quite appealing:

 vi is normally supplied with all UNIX systems

 vi requires very little memory

 vi uses standard alphanumeric keys for commands

Starting vi

vi Creates or edits a text file

Syntax vi <filename>

Example: [root@localhost ~]# vi /tmp/test.txt

When editing a file with vi in Linux, an announcement line appears at the bottom of the screen indicating the filename and its status.

"test.txt" [New File]

When opening an existing file, the announcement line shows the file name, followed by the number of lines and number of characters in the file.

"test.txt" 1L, 15C

There are only two modes of operation in the vi editor:

Command Mode Characters typed perform actions like moving the cursor, cutting or copying text, or searching for a particular text string. vi opens in command mode.

Insert Mode Actual text is typed or overwritten.

To switch from command mode to insert mode, press the ‘i’ key (there is no need to press ENTER). Text is entered starting at the cursor. To exit from insert mode at any time, press the ESC key. The editor reverts to command mode. ESC is also used to cancel an unfinished command.

Note: Whenever the current mode is forgotten, press ESC to return to command mode, then switch to insert mode again if needed.


Listed below are some of the more common vi commands.

Insertion commands

i Insert before cursor
a Append after cursor
o Insert below current line
O Insert above current line
yy Copy line into memory (yank-yank)
p Works with yy to place the copied line onto the existing or next line
5p Places five copies of what was copied at the cursor

Deletion commands

x Delete current character
r Replace current character
dd Delete current line

Navigation commands

h Move cursor one place to the left
l (lower case L) Move cursor one place to the right
j Move cursor one place down
k Move cursor one place up
/ Searches within the document for a string

Additional commands

In command mode, type a colon (:) to access the ex editor command set.

:set nu Displays line numbers for each line of text
:<line number> Jumps to the given <line number>
:set nonu Removes line numbers from each line of text

Exit commands

:w Writes (saves) latest changes to the file
:q Quits, leaving vi open in command mode if there are unsaved changes
:q! Quits vi without saving changes
:wq! Saves the file and any changes, and quits vi

Complete Exercise 5-10 in Student Workbook

UNIX vi Editor

See Information Sheet 5-3 in Student Workbook

vi Reference Sheet


Objectives At the end of this training day, students will be able to:

 Recall and execute advanced UNIX file and directory related commands.

 Recall and execute advanced UNIX process related commands.

 Recall and execute advanced UNIX forensic related commands.

 Identify basic backup and recovery procedures.

 Interpret UNIX logging, compression, and archiving commands.

 Identify system and user profiles and their locations within an OS.

 Create and manage UNIX user accounts.

 Interpret UNIX authentication and authorization files and comprehend their fields.

Exercises This training day includes the following exercises:

 Exercise 5-11, UNIX File and Directory Commands

 Exercise 5-12, UNIX Process and Forensics Related Commands

 Exercise 5-13, UNIX Archiving, Compressing, and Scheduling Commands

 Exercise 5-14, UNIX User Management

 Exercise 5-15, UNIX Authentication and Authorization Files

Homework  Complete day 5 homework assignment in Student Workbook

Day 5


5 Advanced UNIX Commands

5.1 File and Directory Commands

The following are essential UNIX commands for creating and maintaining files and directories.

touch Creates an empty file and is also used to modify a file's timestamp.

Options: -t Manipulates the file's access date/time stamp

Syntax: touch <newemptyfile>
touch -t [[CC]YY]MMDDhhmm <filename>

Examples: [root@localhost ~]# touch /tmp/notes.txt
[root@localhost ~]# ls -l /tmp/notes.txt
-rw-r--r-- 1 root root 15 Jan 12 6:49 /tmp/notes.txt
[root@localhost ~]# touch -t 201307141003 /tmp/notes.txt
[root@localhost ~]# ls -l /tmp/notes.txt
-rw-r--r-- 1 root root 15 Jul 14 10:03 /tmp/notes.txt

mkdir Creates one or more directories.

Options: -p Creates a directory where no parent exists (nested)

Syntax: mkdir <directory>
mkdir -p <directory>/<subdirectory1>/<subdirectory2>

Examples: [root@localhost ~]# mkdir /homework
[root@localhost ~]# mkdir -p /folders/students/homework

cp Copies files and directories.

Options: -r Recursively copy directories.

Syntax: cp <source-filename> <destination-filename>
cp -r <source-directory> <destination-directory>

Examples: [root@localhost ~]# cp /tmp/notes.txt /home/bob/notes.txt
[root@localhost ~]# cp -r /tmp /newdir

mv Moves or renames files and directories.

Syntax: mv <original-filename> <new-filename>

Examples:
Rename notes.txt file: [root@localhost ~]# mv /tmp/notes.txt /tmp/test.txt
Move notes.txt to a new directory: [root@localhost ~]# mv /tmp/notes.txt /home/bob/notes.txt
Move and rename notes.txt file: [root@localhost ~]# mv /tmp/notes.txt /home/bob/test.txt


ln Creates a link between files or directories.

Options: -s Creates a symbolic link to another file.

Syntax: ln -s <filename> <linkname>

Example: [root@localhost tmp]# ln -s /tmp/notes.txt /home/file.txt

rm Removes a file or a directory with contents if using the -r option.

Options: -r Remove a directory and its contents recursively -f Ignore nonexistent files, never prompt (force).

Syntax: rm <filename>
rm -rf <directory_with_files>

Examples: [root@localhost ~]# rm /tmp/notes.txt
[root@localhost ~]# rm -rf /homework

grep Searches a file or files for lines that contain strings of a certain pattern.

Syntax: grep <pattern> <filename>

Examples: [root@localhost ~]# grep bin /etc/passwd
[root@localhost ~]# ps -elf | grep cupsd

find Locates files having certain specified characteristics.

Syntax: find <directory_to_start_from> -<options> <patterns>

Example: [root@localhost ~]# find / -name "pass*"

which Displays full path (location) of most (shell) commands.

Syntax: which <command>

Example: [root@localhost ~]# which passwd

/bin/passwd

file Determines file type.

Syntax: file <filename>

Example: [root@localhost ~]# file /home/bob/file.txt

/home/bob/file.txt: ASCII text

[root@localhost ~]# file /bin/ls

/bin/ls: ELF 32-bit LSB executable, Intel 80386, version Linux……

Complete Exercise 5-11 in Student Workbook

UNIX File and Directory Commands


5.2 Process Related Commands

Similar to Windows tasklist, UNIX provides commands to view system processes. The state of these processes may be running, stopped, suspended, or sleeping (waiting for some process to complete). These commands are invaluable in identifying who or what is running a particular process and the process’ state. Processes should be monitored on a regular basis to ensure only the services and processes desired are running.

ps Displays a snapshot status of active processes. A process running in the background is called a daemon.

Options: -e Lists information about every process running
-l Displays in a long format
-f Generates a list in full mode format

Syntax: ps -elf

Example: [root@localhost ~]# ps -elf
F S UID  PID  PPID C PRI NI ADDR SZ  ... CMD
4 S root 1    0    0 75  0  -    540 ... initd
1 S root 2    1    0 -40 -  -    0   ... [mig]
1 S root 2178 129  0 17  -  -    892 ... cupsd

kill Stops a process from running using its PID.

Options: -9 Used to kill a stubborn process that won’t die

Syntax: kill [option] <PID>

Example: [root@localhost ~]# kill -9 2178

pkill Stops a process from running using its process name.

Options: -9 Used to kill a stubborn process that won’t die.

-HUP Used to immediately re-spawn a process to effect configuration changes. After modifying a daemon’s configuration file, use pkill -HUP to hang up and restart the daemon with the new configuration.

Syntax: pkill [option] <process_name>

Examples: [root@localhost ~]# pkill -HUP xinetd

[root@localhost ~]# pkill cupsd
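Why pkill -HUP picks up a changed configuration, as an added example that is not from the guide: a bash toy daemon that installs a SIGHUP handler, has its config file edited, and is then hung up, after which it runs with the new setting under the same PID. The daemon, its config file, and its state file are constructed here, and kill -HUP on the known PID stands in for pkill -HUP by name.

```bash
#!/bin/bash
# Added example (not from the guide): why "pkill -HUP <daemon>" makes a daemon
# use an edited configuration file. A process only reloads on SIGHUP if it
# installed a handler for that signal; this toy daemon does, so a HUP makes it
# re-read its config while keeping the same PID (no restart). The daemon,
# config file and state file are constructed here; kill -HUP on the known PID
# is used instead of pkill so no other process with a similar name is touched.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/toy.conf"      # what an admin edits (stands in for /etc/<daemon>.conf)
STATE="$WORK/toy.state"   # the setting the daemon is currently running with

# toy_daemon: runs until killed; each SIGHUP copies CFG into STATE.
toy_daemon() {
  reload() { cp "$CFG" "$STATE"; }
  trap reload HUP
  reload                        # initial configuration load
  while :; do sleep 0.1; done   # the handler runs between sleeps
}

# wait_for_state VALUE: poll up to ~5 s until STATE holds VALUE; 1 on timeout.
wait_for_state() {
  local i=0
  while [ "$i" -lt 50 ]; do
    [ "$(cat "$STATE" 2>/dev/null || true)" = "$1" ] && return 0
    sleep 0.1
    i=$((i + 1))
  done
  return 1
}

# reload_demo: start the daemon with port=8080, change the file to port=9090,
# send SIGHUP and print "<before> <after> <same-pid|restarted>".
reload_demo() {
  local pid before after liveness
  echo "port=8080" > "$CFG"
  toy_daemon &
  pid=$!
  wait_for_state "port=8080" || { kill "$pid" 2>/dev/null || true; echo "daemon did not start"; return 1; }
  before=$(cat "$STATE")
  echo "port=9090" > "$CFG"    # edit the configuration ...
  kill -HUP "$pid"             # ... then hang up (what pkill -HUP does by name)
  wait_for_state "port=9090" || { kill "$pid" 2>/dev/null || true; echo "no reload"; return 1; }
  after=$(cat "$STATE")
  if kill -0 "$pid" 2>/dev/null; then liveness=same-pid; else liveness=restarted; fi
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  echo "$before $after $liveness"
}

reload_demo
```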


5.3 Forensics Commands

Many UNIX files and commands are useful in determining unwanted system occurrences. Not all of them are log files, but they may be used as sources of information about user behavior. The files and commands listed below aid in the initial phase of a system forensics investigation.

history Maintains a history file of all commands run by a particular user in that shell.

Syntax: history

Example: [root@localhost ~]# history

1 clear
2 ls -lisa
3 cp /etc/syslog.conf /tmp/newsyslog.conf

history is also used to run previous commands by using an exclamation point (!) followed by the corresponding line number in the history output.

Syntax: ! <line number from history command output>

Example:

To execute cp /etc/syslog.conf /tmp/newsyslog.conf (Line 3 above)

[root@localhost ~]# !3

strings Prints the sequences of printable characters found in a file, including files that are not plain ASCII text. Useful in determining the content of non-text files (executables).

Syntax: strings <filename>

Example: [root@localhost ~]# strings /bin/ls

<Prints all printable character sequences that exist in the file>

script Creates a typescript of the terminal session (everything printed on the terminal). CTRL+d ends the script session. View results using less.

Syntax: script <filename>

Example: [root@localhost ~]# script /home/bob/myscript.script

Script started, file is /home/bob/myscript.script

[root@localhost ~]# pwd

/root

[root@localhost ~]# <CTRL+d>

Script done, file is /home/bob/myscript.script

[root@localhost ~]# less /home/bob/myscript.script

Script started on Thu 10 Oct 2013 09:10:28 AM CDT

… results truncated …


su Used to switch from the current user account to another. It is often used to switch to root user to perform tasks requiring elevated privileges.

Syntax: su <username>

Example: [root@localhost ~]# su bob

[bob@CentOS6_A root]$

The following commands help determine who is logged on and when they logged on. This could be a local login or when a user has changed to a user account with escalated privileges.

whoami Displays who the user is logged in as at this moment (after switching user).

Syntax: whoami

Example: [root@localhost ~]# whoami

root

who Displays user login information including login name, time, terminal, and more.

Syntax: who

Example: [root@localhost ~]# who

root :0 2013-10-04 13:03
root pts/0 2013-10-04 13:03 (:0.0)

w Displays information about the user(s) logged in and what they are doing.

Syntax: w

Example: [root@localhost ~]# w

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root :0 - 13:03 ?xdm? 12.7s 0.24s /usr/bin/gnome-session
root pts/0 :0.0 13:03 0.00s 0.03s 0.01s w

Complete Exercise 5-12 in Student Workbook

UNIX Process and Forensic Related Commands


5.4 File Compression

File compression reduces a file's size on disk by using selected algorithms and mathematical calculations. The way files are formatted makes their structure predictable, even if file contents vary. A file's contents are often repeated, which provides an opportunity to employ compression methods. Two methods of compression are lossy and lossless, which were discussed in Computer Organization and Architecture. Lossy compression is used on data such as audio, where some portions of the data can be thrown away without major degradation of sound quality. Lossless compression simply creates a file smaller than the original that can later be reconstructed, maintaining all of its data and metadata.

File compression saves disk space and uses less bandwidth during network transfers such as FTP or installing programs across a network. Programs installed on a system are often compressed. During installation, the file "un-compresses" and files are placed into the necessary directories. Once setup is complete, the compressed file may be removed to save space. Although there are many compression utilities available, most Linux systems prefer the gzip and gunzip utilities for backing up data and programs. These utilities use the lossless method of compression and are discussed below.

gzip Compresses a file and appends a .gz file extension. The original file is replaced.

Syntax: gzip <sourcefile>

Example:

[root@localhost ~]# ls -l /etc | grep services

-rw-r--r--. 1 root root 641020 Sep 26 10:22 services

[root@localhost ~]# gzip /etc/services

[root@localhost ~]# ls -l /etc | grep services

-rw-r--r--. 1 root root 127223 Sep 26 10:22 services.gz

An optional -r flag is available to recursively compress an entire directory. It moves down through the directory and compresses each file individually. However, a better result is achieved by archiving an entire directory and compressing its contents into one file. This is demonstrated in the following archiving section.

gunzip Decompresses a file that was compressed with gzip.

Syntax: gunzip <filename>

Examples:

[root@localhost ~]# gunzip /etc/services.gz

[root@localhost ~]# ls -l /etc | grep services

-rw-r--r--. 1 root root 641020 Sep 26 10:22 services


5.5 Archiving

UNIX system backup tools have the same basic features of full, incremental, and differential backups as discussed earlier. A full backup has the disadvantages of time to restore and larger backups. Incremental backups only back up files that have changed since the last backup. A "meta file" is created that stores information about what has changed in the filesystem since the last backup. Differential backups are not supported as well from the command line in Linux. This topic focuses on archiving selected data rather than system backups.

The tape archive (tar) command is an archiving utility that has been around since the early days of UNIX and was designed to archive data to a tape drive. Rather than send multiple files to an archive, tar takes multiple files/directories and creates one single archive file that can be transferred to an archive location. The single archived file is normally compressed prior to being transferred. Compression can be done following the archive or simultaneously with the archiving using the z option. The compressed, archived file is referred to as a tarball. The commands below are used for archiving, restoring, and viewing the contents of archived data. The options and examples are only a small sample of the capabilities of the tar utility.

tar Tape archive utility used to archive files to tape or disk.

Options:
c Create an archive
t List table of contents of tar file
x Extract; must be in target directory to extract
z Compress the archived file using gzip (tarball)
v Verbose, list each file as tar reads/writes
f Read/write to or from a file
C Change to directory

Syntax: tar -[options] <destination-file> <source>

Examples: Create an archive named /root/tmp.tar of the /tmp directory.

[root@localhost ~]# tar -cvf /root/tmp.tar /tmp

List the contents of the archive created.

[root@localhost ~]# tar -tvf /root/tmp.tar

Restore (extract) the archive created.

[root@localhost ~]# tar -xvf /root/tmp.tar -C /

Create a tarball named /root/tmp.tar.gz of the /tmp directory.

[root@localhost ~]# tar -czvf /root/tmp.tar.gz /tmp

Restore and uncompress a tarball named /root/tmp.tar.gz

[root@localhost ~]# tar -xzvf /root/tmp.tar.gz


5.6 Scheduling Jobs

System related tasks, referred to as jobs, are scheduled to run once or at recurring intervals. The following commands are used to create and execute these scheduled jobs.

at Schedules a job/process for a one-time execution.

Syntax: at <scheduled time> ENTER
at> <Job/process to be performed at the scheduled time>
[CTRL+d] Places the job into the queue and exits

Examples: Redirect the contents of /etc/passwd to /tmp/test.txt, at 14:30:

[root@localhost ~]# at 14:30
at> cat /etc/passwd > /tmp/test.txt
[CTRL+d]

atq Lists the user's pending jobs.

atrm Deletes the user's jobs identified by job number.

crontab Schedules periodic jobs. The cron daemon (crond) checks the /etc/crontab every minute for any jobs that need to run. To create a cron job, the cron table (crontab) is created or modified.

Options:
-e Edit the crontab
-l List crontab entries

Example: [root@localhost ~]# crontab -e

<Results displayed in the vi editor.>

Below is a list of the crontab file's six fields with their allowable values.

Field 1: Minute of execution, 00 to 59
Field 2: Hour of execution, 0 to 23
Field 3: Day(s) of execution, 1 to 31
Field 4: Month(s) of execution, 1 to 12
Field 5: Day(s) of the week of execution, 0 to 6 (0 = Sunday)
Field 6: Action to take

Example: 30 19 1-31 1,3,5,7,9,11 1-5 rm -rf /home/usr1/tmp/*

Schedules a job (rm -rf /home/usr1/tmp/*) to run at 19:30 every day of odd-numbered months, Monday to Friday.
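As an added example (not part of the student guide), the following Python parses six-field crontab entries like the one above and decides whether an entry fires at a given minute. It also applies one rule a reviewer of scheduled jobs should know: Vixie cron runs a job when either day field matches whenever both field 3 and field 5 are restricted (do not start with *), so the sample entry's 1-31 in field 3 makes it run every day of those months; the constructed second entry uses * in field 3 so that field 5 really limits it to Monday through Friday. Function names such as fires_at are mine.

```python
"""Parse six-field crontab entries and decide when one fires."""
from datetime import datetime

# Allowed values for fields 1-5: minute, hour, day of month, month, day of week (0 = Sunday).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def expand_field(spec, low, high):
    """Expand one field ('*', '30', '1-5', '1,3,5', '*/15') into a set of integers."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        if start < low or end > high or start > end or step < 1:
            raise ValueError(f"field {spec!r} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def is_valid_field(spec, low, high):
    """True when expand_field accepts the field (quick sanity check of an entry)."""
    try:
        expand_field(spec, low, high)
    except ValueError:
        return False
    return True


def parse_entry(line):
    """Split one crontab line into its five expanded time fields and the command (field 6)."""
    parts = line.split(None, 5)
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, found {len(parts)}: {line!r}")
    specs = parts[:5]
    sets = [expand_field(s, lo, hi) for s, (lo, hi) in zip(specs, FIELD_RANGES)]
    return {
        "minute": sets[0], "hour": sets[1], "dom": sets[2], "month": sets[3], "dow": sets[4],
        # Vixie cron calls a day field 'restricted' when it does not start with '*'.
        "dom_restricted": not specs[2].startswith("*"),
        "dow_restricted": not specs[4].startswith("*"),
        "command": parts[5],
    }


def parse_crontab(text):
    """Parse a whole crontab, skipping blank lines and # comments."""
    return [parse_entry(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def fires_at(entry, when):
    """True if the entry runs at the given datetime (cron works at minute resolution)."""
    # Python: Monday == 0 ... Sunday == 6; crontab: Sunday == 0 ... Saturday == 6.
    cron_dow = (when.weekday() + 1) % 7
    dom_ok = when.day in entry["dom"]
    dow_ok = cron_dow in entry["dow"]
    # When both day fields are restricted, cron runs the job if EITHER matches.
    if entry["dom_restricted"] and entry["dow_restricted"]:
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return (when.minute in entry["minute"] and when.hour in entry["hour"]
            and when.month in entry["month"] and day_ok)


def fires_on(entry, year, month, day, hour, minute):
    """Convenience wrapper around fires_at for a time given as integers."""
    return fires_at(entry, datetime(year, month, day, hour, minute))


# Constructed sample crontab: the entry from the text, plus the same job written
# with '*' in field 3 so that field 5 actually restricts it to Monday-Friday.
SAMPLE_CRONTAB = """\
# constructed example crontab
30 19 1-31 1,3,5,7,9,11 1-5 rm -rf /home/usr1/tmp/*
30 19 * 1,3,5,7,9,11 1-5 rm -rf /home/usr1/tmp/*
"""

if __name__ == "__main__":
    for entry in parse_crontab(SAMPLE_CRONTAB):
        for when in (datetime(2013, 3, 13, 19, 30), datetime(2013, 3, 16, 19, 30)):
            state = "fires" if fires_at(entry, when) else "idle"
            print(when.strftime("%a %Y-%m-%d %H:%M"), state, entry["command"])
```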

Complete Exercise 5-13 in Student Workbook

UNIX Archiving, Compressing, and Scheduling Commands


5.7 User Management

System access requires a user account. Accounts are created when needed and deleted when no longer required. The only user account installed on the system during installation is root user. Nearly all security restrictions are bypassed for any program executed by user root.

User Account Related Commands

The following user-related commands and syntax are used to manage user accounts.

useradd Creates a new user or updates default new user information.

Options:
-d Specifies the path of the user's home directory; on Linux, users' home directories are in /home
-m Makes a home directory if it doesn't already exist
-n Assigns the default group instead of creating a private group for the user

Syntax: useradd -d /home/<users home> -m -n <username>

Examples: [root@localhost ~]# useradd -d /home/bob -m -n bob

[root@localhost ~]# useradd -d /home/billy -m billy

userdel Deletes a user account.

Options: -r <username> (Recursively) Removes the home directory for specified user

Syntax: userdel -r <username>

Example: [root@localhost ~]# userdel -r billy

passwd Enables a user to change their password (no user name given) or root to set and modify password settings.

Syntax: passwd <username>

Example: [student@localhost ~]$ passwd

(current) password: **********

New password: **********

Retype password: **********


User and System Profiles

The /home directory contains a subdirectory for each user who has logged on to the system. User bob maintains all of his files in the directory /home/bob. Only bob and root have access to bob’s directories and files, unless either grants permissions to others. These subdirectories contain profiles, a collection of files and folders containing user personal data and preferences. Profiles enable each user to save individualized system preferences when logged on.

/etc/profile Contains the system wide environment and startup programs. When a user logs on to a system for the first time and/or does not have a profile, the settings contained in the systems /etc/profile file are used to create the user’s profile.

~/.bashrc A tilde (~) references paths that start with a user's home directory. Depending upon the shell and type of login used, users customize their environment by modifying either ~/.bash_profile, ~/.bashrc, or ~/.profile.

The .bashrc file is a shell script that executes every time a user opens a new shell. Commands or other scripts can be placed into this file so the shell environment always starts off the same way. Often, users place their own personal aliases and functions inside of this script for automation or convenience.

For example:

1. User root opens a terminal window and edits student users .bashrc. (/home/student/.bashrc)

2. Root adds the following lines to the bottom of the .bashrc shell script:

echo "Good morning user $USER"

echo "Today's date and time is" `date`

alias cls='clear'

Note: The backticks surrounding the date command are on the top left key of the keyboard, below the ESC key. The alias is written with single quotes so that clear runs each time cls is typed; backticks would run clear once, when .bashrc is read, and store its output as the alias instead.

3. Root writes and quits out of the editor and switches user to student. Note the new shell reads the modified ~/.bashrc.

4. Run the alias, cls. The screen clears as expected.

5. Execute bash again. The .bashrc is read again; it is read every time a bash shell opens.

6. Exit the session.

Complete Exercise 5-14 in Student Workbook

UNIX User Management


User Authentication and Authorization

Similar to accessing Windows, users must first be authenticated within a UNIX system. Authentication methods in UNIX are very different when compared to Windows, but the concept is identical. Once a user is authenticated, verifications take place to see if the user is authorized to perform certain actions (e.g., logon, access files, execute applications). Authentication and authorization are determined mainly by three files whose functions are listed below.

• /etc/passwd Authentication and Authorization
• /etc/shadow Authentication
• /etc/group Authorization

Any user needing access to a computer should have a user account for security and accountability purposes. UNIX authentication is performed by looking up entries in the passwd and shadow files. The group file is used primarily to determine the level of access a user has within the operating system. Every user has an entry in the passwd file as well as a corresponding entry in the shadow file. These key files and their fields are described below.

/etc/passwd

The passwd file contains a line for each user and system account. This module focuses on regular user accounts. System accounts are discussed in the Advanced UNIX module. Information on the root account is normally the first entry within the passwd file. The root account, similar to the Administrator account in Windows, cannot be deleted and has full privileges by default. It is better to assign a user root privileges as opposed to logging on as root. Permissions for the /etc/passwd file are read for everyone, meaning anyone can see the contents of this file.

Example:

[root@localhost ~]# less /etc/passwd

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

bob:x:500:500:Jim Bob:/home/bob:/bin/bash

… results truncated …

To look for a specific user account entry, use grep to display only the lines of the file containing the user account.

Example:

[root@localhost ~]# grep bob /etc/passwd

bob:x:500:500:Jim Bob:/home/bob:/bin/bash


The seven fields for each entry in the passwd file are explained in Table 9. Notice the fields are separated by colons.

Table 9. Fields of /etc/passwd.

Field:   1         2         3    4    5        6          7
Name:    Username  Password  UID  GID  Comment  Home Dir   Default Shell
Example: bob       x         500  500  Jim Bob  /home/bob  /bin/bash

1. bob User account name.

2. x Placeholder for the hashed password stored in the /etc/shadow file.

3. 500 User Identification (UID). Number that identifies user to the system. User root UID is always 0.

4. 500 Group Identification (GID). Number that identifies user’s primary group.

5. Jim Bob Comment, normally the user's full name, office, or phone numbers.

6. /home/bob User’s home directory.

7. /bin/bash User’s default shell.

/etc/shadow

The shadow file contains password and account expiration information for all user accounts. Every line in the shadow file corresponds to a line in the passwd file. Each line contains nine fields separated by colons. These fields contain the user's name, hashed password, and password aging data. Unlike the passwd file, whose contents everyone can read, only root can read and write the contents of the shadow file.

Example:

[root@localhost ~]# less /etc/shadow

root:$1$ke8pz0Gw$Zz0kt3Odk43ReDio3HNh1/:12583:0:99999:7:::

bin:*:14126:0:99999:7:::

… results truncated …

bob:$1$ije79ldk$93bBnquwsSl0wke83kl21/:14932:0:99999:7:::

Again, use grep to look for a specific user account entry.

Example:

[root@localhost ~]# grep bob /etc/shadow

bob:$1$ije79ldk$93bBnquwsSl0wke83kl21/:11000:7:100:5:20:11500:


The nine fields for each entry in the shadow file are explained in Table 10.

Table 10. Fields of /etc/shadow.

Field:   1     2                                    3        4    5    6        7         8       9
Name:    User  Hashed Password                      Lastchg  Min  Max  Warning  Inactive  Expire  Reserved
Example: bob   $1$ije79ldk$93bBnquwsSl0wke83kl21/  11000    7    100  5        20        11500   (empty)

1. bob User account name.

2. $1$ije79ldk$93bBnquwsSl0wke83kl21/

Hashed password. NP stands for No Password, usually for system accounts, and LK, *, or !! often means the account is locked.

3. 11000 Number of days between 01JAN1970 and the date the password was last changed.

4. 7 Minimum number of days between password changes (i.e., a user cannot change their password again within this number of days).

5. 100 Maximum number of days a password is valid before the user is required to specify a new password.

6. 5 Number of warning days before a user is required to change their password.

7. 20 Number of days after the password expires before the account is disabled.

8. 11500 Number of days from 01JAN1970 until the account expires.

9. (empty) Reserved field; not currently used.

/etc/group

The group file is where group membership is established and user authorization is managed. Once authenticated, a user must be authorized to access the system and its resources. Remember, a user's primary group is established in the passwd file. Each /etc/group file entry contains four fields indicating the group's details.

Example:

[root@localhost ~]# less /etc/group

root::0:

other::1:

staff::10:

bin::2:root,bin,daemon

sys::3:root,bin,sys,adm

students::100:

… results truncated …

Use grep to find information about a specific group.


Example:

[root@localhost ~]# grep adm /etc/group

adm:x:4:root,daemon,bob,elrod

Table 11 describes each of the four fields for the adm group entry. As in the other files, these fields are also separated by colons.

Table 11. Fields of /etc/group.

Field:   1           2         3    4
Name:    Group name  Password  GID  Users having this supplementary group
Example: adm         x         4    root,daemon,bob,elrod

1. adm Group name.

2. x Placeholder for the encrypted password.

3. 4 GID.

4. root,daemon,bob,elrod

List of users who have this group as a supplementary group. The /etc/passwd file shows user root with a GID of 0. This is because the primary group for root is the root group. Root also belongs to bin, daemon, sys, and adm groups.
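As an added example (not from the student guide), the Python below reads passwd, shadow and group records laid out as in Tables 9, 10 and 11, converts the day counts in shadow fields 3 and 8 to calendar dates, derives each user's primary and supplementary groups, and flags the accounts a reviewer would want to see: a second UID 0 account, an empty password hash, and expired passwords or accounts. The sample lines are the ones shown in the text plus a constructed account named ops; the function names are mine.

```python
"""Cross-check constructed /etc/passwd, /etc/shadow and /etc/group records."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow day counts are days since 01JAN1970
NEVER = 99999             # the 'max' value meaning the password never ages out

PASSWD_FIELDS = ["name", "password", "uid", "gid", "comment", "home", "shell"]
SHADOW_FIELDS = ["name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved"]
GROUP_FIELDS = ["name", "password", "gid", "members"]

# Constructed samples built from the entries shown in the text, plus one
# deliberately suspicious account ('ops') so the audit has something to report.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
bob:x:500:500:Jim Bob:/home/bob:/bin/bash
ops:x:0:0:constructed second UID 0 account:/home/ops:/bin/bash
"""
SHADOW = """\
root:$1$ke8pz0Gw$Zz0kt3Odk43ReDio3HNh1/:12583:0:99999:7:::
bin:*:14126:0:99999:7:::
bob:$1$ije79ldk$93bBnquwsSl0wke83kl21/:11000:7:100:5:20:11500:
ops::15000:0:99999:7:::
"""
GROUP = """\
root:x:0:
bin:x:1:root,bin,daemon
sys:x:3:root,bin,sys,adm
adm:x:4:root,daemon,bob,elrod
students:x:100:
bob:x:500:
"""


def parse_records(text, names):
    """Split colon-separated lines into dicts keyed by field name; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(names):
            raise ValueError(f"expected {len(names)} fields: {line!r}")
        records.append(dict(zip(names, parts)))
    return records


def days_to_date(days):
    """Convert a shadow day count to a date; an empty field means 'not set'."""
    return EPOCH + timedelta(days=int(days)) if days else None


def groups_for(name, passwd, groups):
    """Primary group (passwd field 4) plus every group naming the user in group field 4."""
    acct = next(a for a in passwd if a["name"] == name)
    gid_to_name = {g["gid"]: g["name"] for g in groups}
    result = {gid_to_name.get(acct["gid"], acct["gid"])}
    result.update(g["name"] for g in groups if name in g["members"].split(","))
    return result


def audit_accounts(passwd, shadow, today):
    """Return {account: [finding, ...]} for accounts worth a second look."""
    by_name = {r["name"]: r for r in shadow}
    findings = {}
    for acct in passwd:
        name, notes = acct["name"], []
        if acct["uid"] == "0" and name != "root":
            notes.append("UID 0 account other than root")
        if acct["password"] != "x":
            notes.append("password field not deferred to /etc/shadow")
        sh = by_name.get(name)
        if sh is None:
            notes.append("no matching /etc/shadow entry")
        else:
            if sh["hash"] == "":
                notes.append("empty password hash (logs in without a password)")
            last = days_to_date(sh["lastchg"])
            if last and sh["max"] and int(sh["max"]) < NEVER:
                pw_expires = last + timedelta(days=int(sh["max"]))
                if today > pw_expires:
                    notes.append(f"password expired on {pw_expires}")
            acct_expires = days_to_date(sh["expire"])
            if acct_expires and today >= acct_expires:
                notes.append(f"account expired on {acct_expires}")
        if notes:
            findings[name] = notes
    return findings


def run_audit(today=date(2013, 10, 4)):
    """Parse the constructed files and audit them as of the given date."""
    passwd = parse_records(PASSWD, PASSWD_FIELDS)
    shadow = parse_records(SHADOW, SHADOW_FIELDS)
    groups = parse_records(GROUP, GROUP_FIELDS)
    memberships = {a["name"]: groups_for(a["name"], passwd, groups) for a in passwd}
    return audit_accounts(passwd, shadow, today), memberships


if __name__ == "__main__":
    findings, memberships = run_audit()
    for name, notes in findings.items():
        print(name, "->", "; ".join(notes))
    print("root groups:", sorted(memberships["root"]))
```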

Complete Exercise 5-15 in Student Workbook

UNIX Authentication and Authorization Files


Day 6

Objectives At the end of this training day, students will be able to:

• Identify file and directory classes and permissions.
• Modify UNIX directory and file permissions via the CLI.
• Identify OSs used on various mobile devices.
• Identify techniques to remove or bypass restrictions on an Android or iOS mobile device.
• Summarize how file systems are structured and describe the layers they contain.
• Differentiate between kernel mode and user mode functions.
• Compare and contrast the Linux, Windows, Android, and iOS kernel designs.

Exercises This training day includes the following exercises:

• Exercise 5-16, UNIX File Permissions
• Exercise 5-17, System Calls and DLLs

Homework • Complete day 6 homework assignment in Student Workbook


6 File and Directory Permissions

All files and directories in UNIX fall into a class with permissions assigned to it. Each user falls into at least one class:

Owner (u) Actual owner/user of the file or directory.

Group (g) Group ownership of the file or directory.

Other (o) All other users on the system. Anyone who is neither the owner nor a member of the group is considered other.

6.1 Syntax of Permissions

File and directory permissions for each class are displayed by performing a long listing of the directory or file. A long listing displays the name of the owner and group. User permissions apply to the owner of the file or directory. Group permissions apply to all users who belong to the group associated with the file. Other permissions apply to anyone who is not the owner and does not belong to the group. These permissions apply to any user who can log in to the system. Using ls -al, the permissions for /etc/passwd are explained below:

[root@localhost ~]# ls -al /etc/passwd

-rw-r--r-- 1 root root 1256 Jun 27 10:59 /etc/passwd

First character indicates file type.
- Regular or ordinary file
d Directory file
b Block device file
c Character device file
l Symbolic link (points to the location of another file)

Characters 2 through 4 indicate owner (user) permissions.
r Read permission for user
w Write permission for user
x Execute permission for user

Characters 5 through 7 indicate group permissions.
r Read permission for group
w Write permission for group
x Execute permission for group

Characters 8 through 10 indicate permissions of all others.
r Read permission for others
w Write permission for others
x Execute permission for others


6.2 Permission Definitions

The following permission sets are for files and directories.

Permission   Meaning for Directories                                 Meaning for Files
Read (r)     View directory contents                                 View file contents
Write (w)    Create/delete files or remove directories within it    Alter file contents
Execute (x)  Allows users to change into the directory using cd      Execute file as a program (e.g., script)

6.3 Setting Permissions

Permissions for files and directories are set with the chmod command. There are two methods for changing file permissions, numerical and symbolic. Earlier modules explained the octal numbering system, which is helpful as well as familiar.

Numerical Utilizes three octal digits: the first digit for the owner's permissions, the second digit for group permissions, and the third digit for others' permissions.

r read 4
w write 2
x execute 1

Example:

[root@localhost ~]# ls -l /etc/test

-rwx---r-- 1 root sys 689 Jun 27 10:59 test

[root@localhost ~]# chmod 745 /etc/test

[root@localhost ~]# ls -l /etc/test

-rwxr--r-x 1 root sys 689 Jun 27 11:02 test

Symbolic Utilizes alpha representations and symbols to assign read, write, and execute permissions for user/owner (u), group (g), and others (o).

r read
w write
x execute

u owner (user)
g group
o other

+ add to existing permissions
= set permissions exactly
- remove permissions


Example:

[root@localhost ~]# ls -l /etc/test

-rwx---r-- 1 root sys 689 Jun 27 11:05 test

[root@localhost ~]# chmod u=rx,g+r,o-r /etc/test

[root@localhost ~]# ls -l /etc/test

-r-xr----- 1 root sys 689 Jun 27 11:07 test
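As an added example, not part of the student guide, this Python reproduces both chmod forms on ls mode strings: it converts a string such as -rwx---r-- to its octal digits, applies a numerical mode such as 745, and applies symbolic clauses such as u=rx,g+r,o-r, giving the same results as the two listings above. The function names are mine, and a world_writable check is included as the kind of test a permissions review would run over a listing.

```python
"""Work the chmod examples: ls mode strings, octal digits and symbolic clauses."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}   # numerical weights: read 4, write 2, execute 1
CLASS_INDEX = {"u": 0, "g": 1, "o": 2}  # owner, group, others: position of each triplet
TYPE_CHARS = "-dbcl"                    # regular, directory, block, character, symlink


def split_mode(mode_string):
    """Validate a 10-character ls mode string and return (type_char, [u, g, o] triplets)."""
    if len(mode_string) != 10 or mode_string[0] not in TYPE_CHARS:
        raise ValueError(f"not an ls mode string: {mode_string!r}")
    triplets = [mode_string[1:4], mode_string[4:7], mode_string[7:10]]
    for trip in triplets:
        for ch, allowed in zip(trip, ("r-", "w-", "x-")):
            if ch not in allowed:
                raise ValueError(f"bad permission character {ch!r} in {mode_string!r}")
    return mode_string[0], triplets


def triplet_to_digit(trip):
    """'r-x' -> 5 (read 4 + execute 1)."""
    return sum(PERM_BITS[ch] for ch in trip if ch != "-")


def digit_to_triplet(digit):
    """5 -> 'r-x'."""
    if not 0 <= digit <= 7:
        raise ValueError(f"octal digit out of range: {digit}")
    return "".join(ch if digit & bit else "-" for ch, bit in PERM_BITS.items())


def mode_to_octal(mode_string):
    """'-rwx---r--' -> '704', the numerical form of the same permissions."""
    _, triplets = split_mode(mode_string)
    return "".join(str(triplet_to_digit(t)) for t in triplets)


def apply_numeric(mode_string, octal):
    """chmod 745 style: all nine permission characters are replaced by the three digits."""
    if len(octal) != 3 or any(d not in "01234567" for d in octal):
        raise ValueError(f"expected three octal digits: {octal!r}")
    type_char, _ = split_mode(mode_string)
    return type_char + "".join(digit_to_triplet(int(d)) for d in octal)


def apply_symbolic(mode_string, spec):
    """chmod u=rx,g+r,o-r style: apply each comma-separated clause to the classes it names.

    A clause with no class letter, or with 'a', applies to u, g and o (the umask that
    real chmod honours in the no-letter case is ignored here).
    """
    type_char, triplets = split_mode(mode_string)
    digits = [triplet_to_digit(t) for t in triplets]
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who, op, perms = clause[:i], clause[i:i + 1], clause[i + 1:]
        if op not in ("+", "-", "=") or any(p not in PERM_BITS for p in perms):
            raise ValueError(f"bad chmod clause: {clause!r}")
        if not who or "a" in who:
            classes = list(CLASS_INDEX.values())
        else:
            classes = [CLASS_INDEX[c] for c in who]
        bits = sum(PERM_BITS[p] for p in perms)
        for idx in classes:
            if op == "+":
                digits[idx] |= bits      # add to existing permissions
            elif op == "-":
                digits[idx] &= ~bits     # remove permissions
            else:
                digits[idx] = bits       # set permissions exactly
    return type_char + "".join(digit_to_triplet(d) for d in digits)


def world_writable(mode_string):
    """True when 'others' hold write permission, a common finding when reviewing system files."""
    _, triplets = split_mode(mode_string)
    return "w" in triplets[2]


if __name__ == "__main__":
    before = "-rwx---r--"
    print(before, "=", mode_to_octal(before))
    print("chmod 745          ->", apply_numeric(before, "745"))
    print("chmod u=rx,g+r,o-r ->", apply_symbolic(before, "u=rx,g+r,o-r"))
```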

Complete Exercise 5-16 in Student Workbook

UNIX File Permissions


7 Mobile OSs

Mobile devices have evolved from phones only capable of making voice calls to powerful handheld computers. With the convenience of technology and the evolution of mobile devices, more people use and store data on mobile devices than on desktop computers. Basic phones use a proprietary OS known as a Real-Time OS (RTOS), while smartphones, tablets, and wearables use a customized version of a desktop OS kernel known as a General-Purpose OS (GPOS). Older mobile phones are considered embedded devices in that they only do one thing, or a small, well-defined number of things. Today's mobile devices combine the two OS types to achieve "smart" functionality: a GPOS provides a software platform for the user to interface with, and a second, low-level proprietary RTOS operates the radio and other hardware required for cellular communications. An RTOS services data in real time as it arrives, without buffering delays, guaranteeing that a program runs with very consistent timing. This topic focuses on two primary user-facing software platforms: Google's Android OS and Apple's iOS.

OS authentication and authorization remain the same when referring to mobile devices or any other entity where a user or a server requests permission to perform a restricted operation. The OS, as the first step in authorization, normally performs local-user authentication. However, network host and remote user authentication by remote servers may also be required when using a mobile device. Sometimes, the complexity of two-factor user authentication methods is reduced due to the nature of a mobile device. Since keyboards are not the norm, passwords are rarely used unless employers enforce their use. When possible, multi-factor authentication is required, such as something you know (e.g., password), something you have (e.g., token), and something you are (e.g., fingerprints, voice recognition, or iris scans). Authorization details vary depending on the OS used.

7.1 Android

Android provides an open-source platform and application environment for mobile devices. Stringent architecture and security programs ensure the flexibility required of an open platform still protects users and applications.

Device Hardware

Although Android is not particular on which processor it runs, it does take advantage of hardware-specific capabilities when they exist. For example, ARM v6 eXecute-Never ensures a memory page cannot be writeable and executable at the same time to prevent adversary code injection attacks.


Android OS Security

The Android OS platform is built on top of the secure Linux kernel, as well as a secure inter-process communication facility enabling secure communications between applications running in different processes. Unlike other OSs, the Android system assigns a unique User Identification (UID) to each Android application and runs it as that user in a separate process.

Android boasts an Application Sandbox, a kernel-level feature where each application runs in its own sandbox, isolated from other applications and processes. An application (app) that is not sandboxed has the full rights and permissions of the user running the app and can access any user resources. If there is a security weakness in an app, an attacker may exploit it and take control. With control of an app, an attacker is able to do anything the user can. By limiting access to the resources used by each app, application sandboxing reduces the possibility of a hacker exploiting security holes in an app or the framework it is linked against. Sandboxing also prevents a rogue application from harming other applications, the Android OS, or the device itself. The Application Sandbox resides within the kernel, and therefore all software above the kernel also runs within the Application Sandbox.

Security-Enhanced Linux (SELinux) is used to further enhance security by enforcing MAC over all processes, even those running with escalated privileges such as root. As such, security is enhanced by confining privileged processes and automating security policy creation, whereby anything not explicitly allowed is denied.

Google Play Protect is Google's built-in malware protection for Android that continuously runs in real time. It automatically scans the device to ensure the latest in mobile security. The device can also be secured, even if it is lost, by signing into the Google account from a browser and locking or finding the device. Also, via the Google account, data can be remotely erased.

Android Runtime (ART)

ART is an application runtime environment used by the Android OS. Its primary purpose is to implement portions of an execution model. ART applications are fully compiled when installed, providing faster access time to a program. A fully compiled app takes longer to install and takes up more storage space, but most new devices have ample processing power and storage to mitigate any ART disadvantages. Once installed, the entire application resides on the device. The official language for Android development is the Java programming language. Software may be written using Java, C++, or others using Android’s Software Development Kit (SDK), which was specifically designed for Android. However, it is possible to develop C and C++ applications using the Android Native Development Kit (NDK) that runs on multiple platforms but can be somewhat complex. SDK provides platform specific libraries to manage native activities and access physical device components, such as sensors and touchpad input.


Android 9.0 (Pie) is the latest major update to the Android kernel, replacing Android 8.0 (Oreo) as the default standard. With today’s technological advances, updates to OSs, devices, and applications are ever changing. Therefore, features for specific kernel versions are generalized in this module. Security aspects remain the same across all mobile OSs. System software updates, security patches, and accessibility are key components in reducing vulnerabilities.

Rooting Android OS

Normally, Android device users do not have root access over much of the subsystems. Gaining root access, a technique called rooting, requires specialized software such as KingoRoot or TowelRoot to bypass this restriction. These tools are run on a PC to which a smartphone is attached via a USB cable. Once the phone is rooted using an available root app, a custom ROM may be installed, such as LineageOS, which is one of the latest and greatest Android builds. The device can then be rid of any "bloatware" (useless software) that handset makers and carriers put on the device. Overclocking the CPU, increasing performance, is obtained with software such as "SetCPU."

Android rarely implements strong security measures to prevent users from modifying or replacing the OS, allowing installation of apps not approved by a central authority such as Google Play. This user preference is known as "sideloading," where an installation package is installed onto an Android device from websites other than Google Play after the user has allowed unknown sources in the Security Settings.

Two downfalls of rooting are the possibility of bricking the device and exposing the device to malicious software, hackers, or bugs. Bricking the device simply means turning it into a useless device, a brick or a paperweight. Bricking may result from a bad ROM install, improperly overclocking the CPU, or simply not following proper steps while rooting. To avoid compromising the device, ensure a reputable app store is used when installing new apps.


7.2 iOS

Apple designed an OS specifically for the iPhone, iPod touch, and iPad and aptly named it iOS. At the heart of iOS is the XNU kernel. The kernel is trusted and enforces security measures such as code signing, sandboxing, entitlement checking, and memory protection. An Apple device combined with iOS is built around stringent security features, transparent to the user. iOS security protects a device and its data, including anything a user does locally, on a network, and with Internet services. Many security features of iOS are enabled by default, and key features such as device encryption are not configurable, to prevent users from accidentally disabling them. System security is designed so that hardware and software are secure across all core components of the iOS device. These core components, discussed below, are a secure boot chain, software updates, and a secure enclave coprocessor that uses its own security measures.

iOS Secure Boot Chain

To ensure integrity, each component of the startup process is cryptographically signed by Apple, and until the chain of trust is verified, the next step in the process will not begin. These steps in the boot chain include the bootloader, kernel, kernel extensions, and baseband firmware. When an iOS device is powered on, the application processor executes code from the boot ROM. Boot ROM code cannot be modified once created and is written onto the chip during fabrication. It is implicitly trusted and contains the Apple Root public key used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load. This is the first step in the chain of trust, where each step ensures the next step is signed by Apple before proceeding. Once the LLB finishes its tasks, it verifies and runs the next-stage bootloader, iBoot, which in turn verifies and runs the iOS kernel (XNU).

Once the boot sequence completes, a user may enter a passcode to access the device. A personal identification number (PIN) or an alphanumeric phrase of up to 37 characters are the passcode options. A PIN passcode is the default passcode type, and starting with iOS 10, a six-digit PIN is required rather than the four-digit PIN of older iOS versions. Once accessed, the device assumes the user of the device is authorized to use it. Also, each app is digitally signed and can be authenticated by the OS. Therefore, there are no user authentication or authorization Application Program Interfaces (APIs) or libraries in iOS. Figure 43 on the following page demonstrates the iOS Secure Boot Chain.

Figure 43. Secure boot chain.

iOS Software Updates

Software updates that address security concerns and provide new features are normally released for all supported devices at the same time. Users receive iOS update notifications on the device and through iTunes, and updates are delivered wirelessly, encouraging rapid adoption of the latest security fixes. The boot chain discussed earlier ensures only Apple-signed code is installed on a device, including updates. To prevent devices from being downgraded to older versions lacking the latest security updates, iOS uses a process called System Software Authorization. If downgrades were possible, an attacker who gains access to a device could install an older version of iOS and exploit a vulnerability that was fixed in the newer version.

Updates to iOS can be installed either using iTunes on a computer with the device attached or Over-the-Air (OTA) on the device itself. Updates can also be downloaded to a local network server running OS X Server so devices can be updated without each device connecting to Apple's update servers.

iTunes A full copy of iOS is downloaded and installed.

OTA Software updates download only the components required to update the device.

Updates are performed in the following manner. During an iOS upgrade, iTunes or the device itself connects to an Apple install server and sends a list of cryptographic measurements for each part of the installation bundle to be installed (LLB, iBoot, the kernel, and the OS image), together with a random anti-replay value (nonce) and the device’s unique Exclusive Chip ID (ECID). The server compares the measurements against the versions for which installation is allowed; if they match, the device ECID is added to the measurement and the result is signed. The server then passes the complete set of signed data back to the device as part of the upgrade. Authorizing and signing only known measurements ensures the update takes place exactly as provided by Apple.
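The two mechanisms described above, the chain of trust from boot ROM to kernel and the System Software Authorization exchange with Apple's install server, as one added simulation that is not Apple's code. It assumes a constructed HMAC key in place of Apple's asymmetric signing key, and constructed stage images, version numbers and ECID.

```python
"""Secure boot chain and System Software Authorization (SSA), simulated.

Added example, not Apple's code. Apple uses public-key signatures whose root
public key sits in the boot ROM; to run on the standard library alone, this
model stands in an HMAC-SHA256 over a constructed key for the signature.
Stage images, version numbers and the ECID are constructed sample values.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for Apple's signing key (assumption: a MAC key rather
# than a key pair, so verification uses the same key that signed).
APPLE_SIGNING_KEY = b"constructed-apple-signing-key"


def measure(image: bytes) -> str:
    """Cryptographic measurement (hash) of a boot stage or OS component."""
    return hashlib.sha256(image).hexdigest()


def sign(data: bytes) -> str:
    return hmac.new(APPLE_SIGNING_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(data), signature)


# --- Secure boot chain ------------------------------------------------------
# Order from the text: boot ROM verifies the LLB, the LLB verifies iBoot,
# iBoot verifies the XNU kernel.
BOOT_STAGES = ("LLB", "iBoot", "kernel")


def build_signed_stages(images: Dict[str, bytes]) -> Dict[str, Tuple[bytes, str]]:
    """What ships on the device: each stage image with Apple's signature over it."""
    return {name: (img, sign(img)) for name, img in images.items()}


def secure_boot(signed: Dict[str, Tuple[bytes, str]]) -> List[str]:
    """Walk the chain of trust and return the stages allowed to run. The walk
    halts at the first stage whose signature fails, because each link refuses
    to hand control to code that is not signed by Apple."""
    executed = []
    for name in BOOT_STAGES:
        image, signature = signed[name]
        if not verify(image, signature):
            break                                   # chain of trust broken
        executed.append(name)
    return executed


# --- System Software Authorization -----------------------------------------
# Constructed server-side table of builds Apple still signs. An older build
# (11.4 here) is absent: once retired, no device can be authorized to install
# it, which is what blocks downgrades to versions lacking the latest fixes.
AUTHORIZED_BUNDLES = {
    "12.0": {"LLB": measure(b"llb-12.0"), "iBoot": measure(b"iboot-12.0"),
             "kernel": measure(b"kernel-12.0"), "os_image": measure(b"os-12.0")},
}


def device_request(version: str, bundle: Dict[str, bytes], ecid: int) -> dict:
    """Device side: a measurement of every bundle part, a fresh anti-replay
    nonce, and the device's Exclusive Chip ID (ECID)."""
    return {"version": version,
            "measurements": {part: measure(img) for part, img in bundle.items()},
            "nonce": os.urandom(8).hex(),
            "ecid": ecid}


def _ticket_body(request: dict) -> bytes:
    """Canonical bytes the server signs: measurements, ECID and nonce together."""
    parts = sorted(request["measurements"].items())
    return repr((parts, request["ecid"], request["nonce"])).encode()


def install_server(request: dict) -> Optional[str]:
    """Apple install server side: sign only a known, still-authorized set of
    measurements, binding the result to this device's ECID and nonce."""
    allowed = AUTHORIZED_BUNDLES.get(request["version"])
    if allowed is None or allowed != request["measurements"]:
        return None                                 # unknown or retired build
    return sign(_ticket_body(request))


def device_accepts(request: dict, ticket: Optional[str], my_ecid: int) -> bool:
    """Device side: install only if the ticket names this device and verifies
    over exactly this request. A ticket issued for an earlier request fails
    because its nonce differs, so a captured ticket cannot be replayed."""
    if ticket is None or request["ecid"] != my_ecid:
        return False
    return verify(_ticket_body(request), ticket)
```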

iOS Secure Enclave

On devices using an A8 through A11 “Bionic” processor, the Secure Enclave coprocessor uses System Software Authorization (SSA) to ensure software integrity and prevent downgrade installations. The Secure Enclave has its own secure boot process and personalized software update, separate from those of the application processor. It provides the cryptographic operations for data protection key management and maintains data protection integrity, even if the kernel is compromised. Each Secure Enclave has a Unique ID (UID) that is not accessible to other parts of the system and is not known to Apple. When the device starts, an ephemeral (short-lived) key is created and combined with the UID; it is then used to encrypt the Secure Enclave’s portion of the device’s memory space. The Secure Enclave is also responsible for processing fingerprint data from Touch ID, a fingerprint recognition feature designed and released by Apple Inc. and available on the iPhone 5S and newer iOS devices. Touch ID enhances security by making access to the device faster and easier: it reduces reliance on long, complex passcodes by using a fingerprint scan to unlock the device.

Jailbreaking iOS

Jailbreaking is the process of removing or bypassing limitations placed by a manufacturer on an iOS mobile device by using software and hardware exploits. Similar to rooting an Android device, jailbreaking gives root access to the iOS file system, allowing a user to install additional applications, extensions, and themes not available through the Apple App Store. Jailbreaking also allows a user to change the iPhone’s default browser and mail client. The ability to jailbreak iOS after version 11.3 has not been confirmed. iOS has very strong security measures: a locked bootloader prevents users from modifying the OS, prevents installation of apps not authorized by Apple, and prevents user-installed apps from gaining root privileges. Although jailbreaking may expand and possibly even enhance some features limited by Apple and its App Store, it violates Apple’s end-user license agreement. Installing a package that contains malicious code could potentially brick the iPhone. Jailbreaking may also disable the ability to update the device or install new applications, because the chain of trust is broken.

8 File Systems

A file system defines the way data is named, stored, organized, and accessed on a disk volume. Each type of file system has unique properties and features, but they can all be organized into five layers: physical layer, file system layer, data layer, metadata layer, and filename layer.

8.1 Physical Layer

The physical layer pertains to the type of media containing the file system (e.g., hard drive, CD/DVD, thumb drive).

8.2 File System Layer

The file system layer contains data that describes the file system’s structural details, such as file allocation unit sizes, structure offsets, and mounting information. This data is usually located in the first sector of the file system, typically in a file system data structure called a superblock or boot sector. With this information, other file system details can be found, much like using a map in the lobby of a building. Allocation unit sizes are determined by the number of sectors grouped into blocks/clusters.

Figure 44. File Allocation Unit.

8.3 Data Layer

The data layer is where the actual file and directory data is stored. Each block/cluster is given a logical address used by the file system to locate and store data on the disk. Blocks/clusters are flagged in one of two states by the file system.

Allocated A file is actively using the block/cluster.

Unallocated The block/cluster is not being used by a file.

To allocate new blocks/clusters as required, each file system must keep track of the available free space on the disk volume. One method is to use a bitmap. A bitmap is a data structure that uses a bit for each block/cluster to flag it as either allocated or unallocated. If the bit is 1, the block/cluster is allocated, and if the bit is 0, it is unallocated. Figure 45 shows a small bitmap of used blocks.

Figure 45. Bitmap.

File Allocation

The data layer supports various storage methods. The simplest storage method is to allocate contiguous blocks/clusters sufficient to hold the file and is the first option used by most file systems. Contiguous file allocation occurs when files are stored in sequential block/cluster addresses. Figure 46 shows four files and how they are stored contiguously on a disk. Files stored contiguously are more efficient and can be read faster.

Figure 46. Contiguous file storage.

When enough contiguous blocks/clusters are not available to fit an entire file, the file system fragments it. This non-contiguous file allocation occurs when data is stored at non-sequential block/cluster addresses. There are two methods for keeping track of where all the parts of a file are addressed and stored: linked allocation and indexed allocation. Linked allocation locates data using pointers: each cluster containing data identifies the location of the next piece of data, if there is one. The starting cluster is listed in a data structure called a directory entry.

Figure 47. Linked file allocation.

With indexed allocation, each file has an index that contains location pointers for each piece of the file. Opening the file loads the index into memory, making the pointers available.
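The bitmap, contiguous, linked and indexed allocation described in this section, as an added toy implementation that is not from the guide. Volume size, block size, file names and contents are constructed.

```python
"""Added example (not from the guide): a toy data layer with a block bitmap
and the three allocation methods the text describes (contiguous, linked,
indexed). Volume size, block size, file names and contents are constructed."""
from typing import Dict, List, Optional


class ToyVolume:
    """Data layer of a tiny volume: a bitmap with one bit per block (1 =
    allocated, 0 = unallocated), the blocks themselves, per-block "next"
    pointers for linked allocation, and a directory of entries that record
    where each file starts."""

    def __init__(self, n_blocks: int, block_size: int = 4):
        self.block_size = block_size
        self.bitmap = [0] * n_blocks
        self.blocks: List[Optional[bytes]] = [None] * n_blocks
        self.next_ptr: List[Optional[int]] = [None] * n_blocks
        self.directory: Dict[str, dict] = {}

    def free_count(self) -> int:
        return self.bitmap.count(0)

    def find_contiguous(self, n: int) -> Optional[int]:
        """Start of the first run of n unallocated blocks, or None if the
        volume is too fragmented to hold the file at sequential addresses."""
        run = 0
        for addr, bit in enumerate(self.bitmap):
            run = run + 1 if bit == 0 else 0
            if run == n:
                return addr - n + 1
        return None

    def free_blocks(self, n: int) -> List[int]:
        """Any n unallocated blocks in address order (used when fragmenting)."""
        free = [addr for addr, bit in enumerate(self.bitmap) if bit == 0]
        if len(free) < n:
            raise OSError("volume full")
        return free[:n]

    def _store(self, addr: int, chunk: bytes) -> None:
        self.bitmap[addr] = 1                      # flag the block allocated
        self.blocks[addr] = chunk

    def write(self, name: str, data: bytes, method: str = "auto") -> dict:
        """Allocate blocks for data. "auto" tries contiguous allocation first
        and falls back to linked allocation when no run is large enough."""
        chunks = [data[i:i + self.block_size] for i in range(0, len(data), self.block_size)]
        n = len(chunks)
        if n == 0:
            raise ValueError("empty file")
        if method == "indexed":
            free = self.free_blocks(n + 1)         # one extra block for the index
            index, addrs = free[0], free[1:]
            self._store(index, ",".join(map(str, addrs)).encode())
            entry = {"method": "indexed", "index": index}
        else:
            start = self.find_contiguous(n)
            if start is not None:
                addrs = list(range(start, start + n))
                entry = {"method": "contiguous", "start": start, "length": n}
            elif method == "contiguous":
                raise OSError("no contiguous run of %d blocks" % n)
            else:                                  # fragment the file
                addrs = self.free_blocks(n)
                entry = {"method": "linked", "start": addrs[0]}
        for i, addr in enumerate(addrs):
            self._store(addr, chunks[i])
            if entry["method"] == "linked":        # each block points to the next
                self.next_ptr[addr] = addrs[i + 1] if i + 1 < n else None
        self.directory[name] = entry
        return entry

    def block_list(self, name: str) -> List[int]:
        """Data block addresses of a file, resolved from its directory entry."""
        e = self.directory[name]
        if e["method"] == "contiguous":
            return list(range(e["start"], e["start"] + e["length"]))
        if e["method"] == "linked":
            addrs, addr = [], e["start"]
            while addr is not None:                # follow the pointer chain
                addrs.append(addr)
                addr = self.next_ptr[addr]
            return addrs
        # indexed: one read of the index block yields every pointer
        return [int(p) for p in self.blocks[e["index"]].decode().split(",")]

    def read(self, name: str) -> bytes:
        return b"".join(self.blocks[a] for a in self.block_list(name))

    def delete(self, name: str) -> None:
        """Flip the file's blocks back to unallocated. The bytes stay on disk
        until reused, which is why unallocated space is examined in forensics."""
        addrs = self.block_list(name)
        e = self.directory.pop(name)
        if e["method"] == "indexed":
            addrs.append(e["index"])
        for addr in addrs:
            self.bitmap[addr] = 0
            self.next_ptr[addr] = None
```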

Figure 48. Indexed file allocation.

8.4 Metadata Layer

Metadata describes “data about data.” The metadata layer contains data that describes a file. A file’s metadata contains allocation pointers and other descriptive information such as:

Type Three particular types of metadata are: descriptive, structural, and administrative.

Size Size of the file in bytes, words, or blocks/clusters.

Maximum Allowable Size Maximum allowed file size.

Location Pointer to where file is stored on disk.

Protection Access control data limiting who has access to a file.

Name of Owner File owner’s user ID; used for protection.

Name of Group Name of group with privileges.

Timestamps When file was created, modified, or accessed.

8.5 Filename Layer

The filename layer is how a user interfaces with a file system and contains data that assigns a name to each file. Filename data are located in a directory and are used to map filenames with corresponding metadata. To the standard user, accessing a file by name is the only avenue into a file system. Once a user accesses a file by name, the file system uses the file’s metadata to locate and load the file’s contents.

Figure 49. Interaction between layers of the file system.

9 OS Processes

Once an OS successfully boots, it is responsible for controlling all user, application, system software, and hardware interactions. To do so, the OS kernel acts as the core component bridging the user and the data processing performed by the hardware. The kernel itself is a program and is known as the heart of the OS. There are several kernel implementations; however, each design serves a common purpose by acting as an intermediary between computer resources and user applications. The kernel runs in the most privileged ring of the CPU (Ring 0), known as kernel mode. Kernel mode provides an OS with access to the entire CPU instruction set. Depending on the implementation, an OS kernel may be responsible for the following:

• Process Management
• Memory Management
• Device Management
• File System Management
• System Call Control
• Thread Scheduling
• Interrupt and Exception Handling
• Synchronization with CPU(s)

An executing application (a process) typically runs in the least privileged ring (Ring 3), known as user mode. User mode actions that require a kernel service use system calls to make requests. Depending on the OS, system calls are requested directly from user mode or through callable functions in user mode that are mapped to a related system call in the kernel. More precise descriptions vary among programmers, engineers, and ordinary users; the JCAC Windows and UNIX modules delve deeper into system call specifics. No matter where the system call is requested, the kernel must verify authorization for the call before access is granted. If access is granted, the system call handler provides access to the requested kernel service by returning a handle. The handle allows continued access to the kernel service without the need for repeated verification.

Figure 50. System call.

9.1 Kernel Designs

The kernel is a core component of an OS; however, it does not act alone. The kernel is a software program responsible for running other programs and providing secure access to hardware attached to the machine or device. With limited resources such as memory, CPU speed, and disk space, the kernel is also responsible for determining which programs are allowed to run and for how long. The kernel’s scheduling feature is discussed in detail after an introduction to different kernel designs. Kernel designs differ in the way a kernel interacts with other OS components. This module focuses on the Linux, Windows, Android, and iOS kernel designs and the general design components common to all kernels.

Applications User mode programs providing the OS interface and functionality.

Application Programming Interface (API) Documented interface for requesting protected OS services. The API is the library of functions used to invoke system calls.

Kernel Program consisting of core OS functions designed specifically for interacting with various hardware components such as CPU scheduling, interrupt and exception handling, and CPU synchronization.

Hardware Abstraction Architecture dependent code used by the kernel to interact with different hardware architectures. Windows calls it Hardware Abstraction Layer (HAL), and Linux calls it architecture-dependent kernel code.

Linux Design

Figure 51. Linux OS layers.

Linux specific components:

GNU C Libraries (glibc) The Linux API; contains the callable functions used to invoke system calls.

System Call Interface Converts a system call to the requested kernel service. Allows a program to invoke protected kernel routines to perform system functions.

Architecture-dependent Code Known as the board support package (BSP). Serves as the processor- and platform-specific code for the given architecture.

Windows Design

Figure 52. Windows OS layers.

Windows specific components:

Subsystem The Windows API consists of functions implemented by the subsystem. These callable functions are contained in a suite of libraries called Dynamic Link Libraries (DLLs) and provide an exposed, documented interface for requesting protected OS services.

Native API When a subsystem function requires protected OS services, the Native API translates the request into the actual system call.

Executive The executive contains higher-level system capabilities, such as access control, process management, memory management, and I/O management.

HAL The hardware abstraction layer (HAL) is the layer of code that isolates the kernel and device drivers from hardware specifics. It is implemented in the system file HAL.DLL, a kernel-loadable module that provides an API-like interface for device drivers.

Android Design

Figure 53. Android design layers.

Android specific layers:

Applications Each application runs in its own process. Processes are started and stopped as needed to run an application’s components. Processes may be killed to reclaim resources.

Application Framework The framework for developing applications on the Android platform, written in Java using the tools and API libraries provided by the Android Software Development Kit (SDK).

Libraries Native libraries written in C or C++. This layer also includes the Android Runtime (ART); recall that ART replaced the Dalvik Virtual Machine in newer kernel versions.

Linux Kernel Android uses the Linux kernel for hardware abstraction since it provides a proven driver model and, often, existing drivers. It also provides memory management, process management, a security model, networking, and much of the core OS infrastructure.

iOS Design

Figure 54. iOS design layers.

iOS specific layers:

Applications Apple and third-party developed and approved applications.

Cocoa Touch Includes a technology framework for building an application’s user interface.

Media Incorporates technologies used to play, record, and edit audiovisual media and for rendering and animating 2D and 3D graphics.

Core Services A set of Mac OS X and iOS APIs.

Core OS Defines programming interfaces related to hardware and networking.

Device Drivers Consists of the Mach kernel environment, device drivers, BSD library functions, and other low-level components. It also includes support for file systems, networking, security, IPC, programming languages, and kernel extensions.

9.2 Concepts of APIs

APIs provide a set of clearly defined methods of communication between applications and the OS. An API specification can take many forms, but often includes specifications for routines, data structures, object classes, variables, or remote calls. An API is usually related to a software library, such as a predefined library function in programming. The API prescribes the expected behavior, while the library is an actual implementation of that set of rules. POSIX-based systems, such as Linux, specify a set of common APIs that aim to enable an application written for one POSIX-conformant operating system to be compiled for another POSIX-conformant operating system. Microsoft has a strong commitment to backward-compatible APIs, particularly within its Subsystem, so that older applications run on newer versions of Windows.

Examples of callable functions (Windows) and system calls (Linux):

Category              Windows                  Linux
Process Control       CreateProcess()          fork()
                      ExitProcess()            exit()
                      WaitForSingleObject()    wait()
Device Manipulation   SetConsoleMode()         ioctl()
                      ReadConsole()            read()
                      WriteConsole()           write()
File Manipulation     CreateFileW()            open()
                      ReadFile()               read()
                      WriteFile()              write()
                      CloseHandle()            close()

Exercise 5-17 in Student Workbook: System Calls and DLLs

Day 7

Objectives
At the end of this training day, students will be able to:

• Recognize and evaluate process states and the actions they perform.
• Understand the basics of preemptive and non-preemptive task scheduling.
• Understand conditions that may arise when running concurrent processes/threads.
• Differentiate between interrupts, exceptions, and traps.
• Generalize how memory allocation is performed.
• Explain memory hierarchy and cost-performance trade-offs.
• Identify system device drivers implemented as loadable kernel modules.
• Define system virtualization and the types of technologies it involves.

Exercises
This training day includes the following exercises:

• Exercise 5-18, Process Lifecycle
• Exercise 5-19, Concurrency

Homework
• Complete day 7 homework assignment in Student Workbook
• Study for Test

10 Processes

An application contains instructions compiled as executable code and is considered passive. When an application is executed, it becomes an active process. A process is a container of resources required by an application’s instructions. Some of these resources are:

Executable (Image File) An application’s compiled and executable code.

Process ID A unique, numerical identifier for a process.

Memory Allocated memory for an application’s executable code and process-specific data (e.g., input or output for the user).

Account Identifier Identifies the user or system account executing a process, known as the process’ security context.

Thread Component of a process scheduled to run on the CPU. Called a thread in Windows and a lightweight process (LWP) in UNIX.

Note: In the following sections, the term thread is considered synonymous with LWP.

10.1 Threads

Executing and managing a process is considered expensive, meaning it is OS and CPU intensive. Rather than executing processes as single units, a process uses threads, small segments of code, at a much lower cost than creating and managing an entirely new process. A thread simply shares its parent process’ resources, such as code, security context, and memory space. Threads are scheduled by the kernel to perform jobs for a process (the process’ worker bees). A system with a single processor (single core) can run only one thread at a time. The illusion of performing multiple jobs simultaneously is created by a component of the kernel called the schedule dispatcher. The dispatcher’s job is to schedule threads to run on the CPU. As various threads vie for CPU time, the dispatcher uses context switching to alternate between threads until all their work is done. On multiprocessor systems, multiple threads are able to perform different jobs simultaneously. For instance, a multi-threaded process may have one thread handle rapid-response jobs while another thread performs intensive calculations.

10.2 Process Control Block (PCB) Structure

The dispatcher uses a process control block (PCB) to keep track of the current state of each process. Different OSs maintain certain information native to a particular OS, but all will contain at least the following:

Process Name Application name.

Process ID Unique identifier for the current process.

Process State Information about the current state of the process.

Process Counter Identifies the location of the next command to execute for the same process.

CPU Registers Information on accumulators, index registers, stack pointers, and general-purpose registers. These are saved during interrupts to allow for continuity when the process resumes.

Memory Management Data on page tables, limit registers, or segment tables.

Accounting Information Data on CPU and real time used, time limits, account numbers, and process numbers.

I/O Status Information A listing of I/O devices allocated to the process.

Access Rights Security information for the process.

10.3 Process States

In this discussion, process states are used to describe the life-cycle of a process. State names vary between OSs, but the following generic terms may be applied across many platforms.

State   Function                                   Example
New     Creation of process                        Double-click program
Ready   Process waiting in line to run             In queue
Run     Process’ instructions being executed       Process running
Wait    Process waiting for an event to continue   Need a file off the HDD
End     Terminate process                          Completed

When an application is executed, a process is started. The process is assigned a priority and is admitted to the ready queue based on that priority. When the processor becomes available, the dispatcher schedules the highest-priority process to run for a set length of time (a quantum). If the process requires data from the hard drive, it is placed into an event wait state while the data is being retrieved, and the dispatcher schedules the next process in the queue. Once the data has been retrieved, the process is marked as event complete and placed back into the ready queue. If the scheduled process does not require any additional data, it continues to execute until its quantum expires. If the process completes its task, it exits; otherwise, it is interrupted and returned to the ready queue. Figure 55 depicts the states of a process lifecycle.

Figure 55. Process lifecycle flowchart.

Exercise 5-18 in Student Workbook: Process Lifecycle

11 Scheduling and Dispatch

The OS kernel is ultimately responsible for selecting which process gets time on the CPU. The criteria generally used for process scheduling are:

CPU Utilization Gainfully employing the processor.

Throughput Number of processes terminated in a set amount of time.

Turnaround Time Amount of time a process takes before being terminated.

Waiting Time Amount of time in the ready queue.

Response Time Amount of time the process takes to react to the user.

11.1 Preemptive and Non-preemptive Scheduling

The kernel’s schedule dispatcher uses scheduling algorithms to determine which process to run when the CPU becomes available. A preemptive scheduling algorithm schedules a process to run for a set quantum. This quantum is a length of time measured in milliseconds as designated by the CPU. If the process is still running at the end of the quantum, it is suspended, and another process is scheduled to run. This is known as context switching.

Algorithm Description

Round Robin Each process runs for a quantum and then the next process runs. No thread left behind; everyone gets a turn.

Multilevel Queue The ready queue is divided into several distinct sub-queues, each with its own quantum length. Processes are assigned to a sub-queue for execution. A priority is assigned.

Multilevel Feedback Queue Similar to multilevel queue, but processes can move between levels. Used by Windows and Linux. Priority may get raised.

A non-preemptive scheduling algorithm schedules a process to run until the process voluntarily releases the CPU.

Algorithm Description

First Come, First Served The first process runs on the CPU until it terminates, and then the next process runs.

Shortest Job First With some overhead on the CPU, processes (jobs) are assigned a rough order of magnitude and run on the processor from the least amount of time to the most, each running until terminated. Long jobs are continually bumped in the queue by shorter jobs, resulting in starvation for the long job.

Priority A priority is assigned to each process. The higher the priority, the sooner the process runs on the processor.
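An added simulation (not from the guide) of the dispatcher running the preemptive and non-preemptive algorithms described above over a constructed workload. It keeps a process control block per process and moves it through the New, Ready, Run and End states of sections 10.2 and 10.3, then reports the waiting and turnaround criteria from section 11, including the starvation case for shortest job first.

```python
"""Added example (not from the guide): a tick-by-tick simulation of the
dispatcher choosing among first come first served ("fcfs"), shortest job
first ("sjf") and round robin with a quantum ("rr"), reporting the criteria
from section 11. Process names, arrivals and bursts are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PCB:
    """Subset of a process control block: identity, state and accounting."""
    pid: int
    name: str
    arrival: int
    burst: int                       # total CPU time the process needs
    state: str = "New"
    counter: int = 0                 # next instruction to execute
    remaining: int = field(init=False, default=0)
    finish: Optional[int] = None

    def __post_init__(self) -> None:
        self.remaining = self.burst


def pick(ready: List[PCB], algorithm: str) -> PCB:
    """Dispatcher choice. FCFS and round robin take the head of the queue;
    SJF takes the shortest burst (ties by arrival), so a long job is bumped
    for as long as shorter jobs keep arriving, which is the starvation case."""
    if algorithm == "sjf":
        chosen = min(ready, key=lambda p: (p.burst, p.arrival))
        ready.remove(chosen)
        return chosen
    return ready.pop(0)


def simulate(workload: List[Tuple[str, int, int]], algorithm: str,
             quantum: Optional[int] = None) -> dict:
    """workload: (name, arrival_tick, burst_ticks). quantum applies to "rr"
    (preemptive); "fcfs" and "sjf" run each process until it exits."""
    pending = sorted((PCB(i + 1, n, a, b) for i, (n, a, b) in enumerate(workload)),
                     key=lambda p: p.arrival)
    ready: List[PCB] = []
    finished: List[PCB] = []
    running: Optional[PCB] = None
    clock = slice_left = dispatches = 0

    def admit() -> None:                      # New -> Ready on arrival
        while pending and pending[0].arrival <= clock:
            p = pending.pop(0)
            p.state = "Ready"
            ready.append(p)

    while pending or ready or running:
        admit()
        if running is None:
            if not ready:                     # CPU idle until the next arrival
                clock += 1
                continue
            running = pick(ready, algorithm)  # Ready -> Run (context switch)
            running.state = "Run"
            slice_left = quantum or 0
            dispatches += 1
        running.remaining -= 1                # one tick of execution
        running.counter += 1
        clock += 1
        slice_left -= 1
        if running.remaining == 0:            # Run -> End
            running.state, running.finish = "End", clock
            finished.append(running)
            running = None
        elif quantum is not None and slice_left == 0:
            admit()                           # newcomers queue ahead of it
            running.state = "Ready"           # quantum expired: Run -> Ready
            ready.append(running)
            running = None

    turnaround = {p.name: p.finish - p.arrival for p in finished}
    waiting = {p.name: turnaround[p.name] - p.burst for p in finished}
    return {"order": [p.name for p in finished],
            "turnaround": turnaround,
            "waiting": waiting,
            "avg_waiting": sum(waiting.values()) / len(waiting),
            "throughput": len(finished) / clock,   # processes finished per tick
            "dispatches": dispatches}
```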

12 Concurrency

As discussed previously, a single processor (single core) may only be scheduled to run one process at a time. Multi-tasking is the illusion of performing multiple jobs simultaneously by interleaving processes on the same CPU. Systems with multiple processors (multi-processing systems) schedule multiple processes simultaneously, which is known as concurrency. When running concurrent processes, certain contentions may arise.

Race Condition Occurs when a process depends on the timely output sequence of another process. If the dependent process receives the output out of sequence or in an untimely manner, unanticipated behavior results.

Deadlock Condition Occurs when a thread enters a wait state because a requested system resource is held by another waiting thread, which in turn may be waiting for another resource held by yet another waiting thread. If a process is unable to change its state indefinitely because the resources it requested are being used by another waiting process, the system is said to be in a deadlock.

There are many concurrency control mechanisms implemented in both programming and hardware to alleviate or mitigate contention issues.
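An added example (not from the guide) that reproduces both contentions deterministically: a lost update caused by interleaving the steps of a non-atomic increment, with and without a lock as the control mechanism, and a wait-for graph check that detects the deadlock cycle. Thread and lock names are constructed.

```python
"""Added example (not from the guide): the two contentions described above,
made reproducible. (1) A race condition shown as a lost update: two threads'
non-atomic "counter += 1" is split into load/add/store steps and run in a
chosen interleaving, with and without a lock. (2) Deadlock detection: hold
and wait facts become a wait-for graph that is searched for a cycle.
Thread and resource names are constructed."""
from typing import Dict, List, Optional, Set


def step(shared: dict, thread: dict) -> None:
    """Run one of a thread's three machine-level steps of `counter += 1`."""
    if thread["next"] == 0:
        thread["reg"] = shared["counter"]        # load into a register
    elif thread["next"] == 1:
        thread["reg"] += 1                       # add in the register
    else:
        shared["counter"] = thread["reg"]        # store back to memory
    thread["next"] += 1


def run_interleaving(schedule: str, use_lock: bool) -> int:
    """Execute threads A and B in the order the dispatcher picks them, given
    as a string such as "AABBAB" (each letter is one step of that thread).
    With use_lock, a thread that finds the lock held goes to the back of the
    queue and the holder's load/add/store completes first, which is what a
    threading.Lock around the increment achieves in real code."""
    if sorted(schedule) != list("AAABBB"):
        raise ValueError("schedule needs exactly three steps of A and of B")
    shared = {"counter": 0}
    threads = {"A": {"reg": 0, "next": 0}, "B": {"reg": 0, "next": 0}}
    holder: Optional[str] = None
    queue = list(schedule)
    while queue:
        name = queue.pop(0)
        t = threads[name]
        if use_lock:
            if holder not in (None, name):
                queue.append(name)               # blocked on the lock: retry later
                continue
            holder = name
        step(shared, t)
        if use_lock and t["next"] == 3:
            holder = None                        # release after the store
    return shared["counter"]


def find_deadlock(holds: Dict[str, Set[str]], waits: Dict[str, str]) -> Optional[List[str]]:
    """holds: thread -> resources it holds; waits: thread -> the resource it is
    blocked on. Edge T1 -> T2 means T1 waits for a resource T2 holds. Returns
    the threads on a cycle (a deadlock) or None if every wait can end."""
    owner = {res: t for t, resources in holds.items() for res in resources}
    wait_for = {t: owner.get(res) for t, res in waits.items()}
    for start in wait_for:
        path: List[str] = []
        t: Optional[str] = start
        while t is not None and t not in path:
            path.append(t)
            t = wait_for.get(t)                  # None: that thread is not waiting
        if t is not None:
            return path[path.index(t):]          # closed the loop: deadlock
    return None
```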

Exercise 5-19 in Student Workbook: Concurrency

12.1 Interrupts, Exceptions, and Trap Handling

The OS kernel is responsible for interrupt, exception, and trap handling. Interrupts and exceptions divert the processor to code outside the current flow of control. Traps are mechanisms used to capture the executing process/thread when an interrupt or exception occurs.

Interrupts

Interrupts are primarily generated by I/O devices and are commonly referred to as hardware interrupts. An interrupt is an asynchronous event unrelated to what the processor is executing and may occur at any time. Pointing devices, printers, keyboards, and disk drives are generally interrupt driven. Therefore, each device’s driver is coded with interrupt service routines (ISR) that allow the OS kernel to control interaction between interrupts and scheduling with the processor.

Exceptions

Exceptions, sometimes referred to as software interrupts, are synchronous conditions that result from the execution of a particular instruction. Examples of exceptions include memory access violations, debugging issues, and mathematical anomalies like division by zero. However, not all exceptions result from faults. System calls are treated as exceptions by the OS kernel.

Trap Handling

The OS kernel uses a trap handler to take control of interrupts and exceptions when they occur. When an interrupt occurs, the kernel traps the currently executing process/thread and changes its state to wait. The interrupting process/thread is then scheduled to run on the CPU if permitted by the kernel. Interrupts are typically scheduled with higher priority in the queue. When a user mode process initiates a system call, the kernel traps the call as an exception for transition into kernel mode. The trapped call is then verified and authorized before the requested service is granted. When an exception results from an instruction error, the kernel traps these occurrences to avoid corrupting data or the OS itself. For example, an instruction attempts to change protected data in memory and causes a memory access violation (exception). If the kernel fails to trap this exception, the result could end with the infamous Windows “Blue Screen of Death” or a Linux “Kernel Panic.”

13 Memory Management

To execute, a process has certain memory requirements. Process memory can be divided into five sections.

Figure 56. Process memory.

Stack Memory used by non-static, local variables that are explicitly declared in a program. The stack is efficiently managed by the CPU, allowing very fast access to variable data.

Free Space Part of the computer’s memory reserved for external libraries of code and shared memory.

Heap Memory used for dynamically allocated memory that is uninitialized at first. Access to the heap is slower than access to the stack; however, data may be allocated when needed and freed when no longer required.

Data Holds global and static variables, which exist throughout the life of the program.

Text Stores the compiled code of the currently running program.

Note: The stack and the heap start at opposite ends of a process’ free memory space and grow inward toward each other. If they ever meet, a stack- or heap-based buffer overflow occurs.

The evolution of process memory management provides insight on how a modern OS handles process memory requirements. Consider earlier memory management schemes. The first scheme of memory management was called single user contiguous, where a single process reserved the entire RAM space. Once the process ended, RAM was cleared so the next process could load. If a process required more memory than was available in RAM, it could not execute. This scheme is impractical for the demands of modern OSs.

Figure 57. Single user contiguous.

To handle multiple processes loading into RAM at the same time, a fixed-size partitioning scheme was developed. RAM was divided into contiguous sections of different sizes called partitions. If one of the partitions was 50KB in size, then a process < 50KB could be loaded into the partition. Partition sizes were static and could not be changed unless the system was rebooted. Therefore, if a process was only 10KB in size, 40KB of RAM was left unused.

Figure 58. Fixed-size partitioning.

To eliminate wasted RAM, dynamic partitioning was developed, to allocate partitions of the exact size needed. Therefore, a 10KB process was allocated a 10KB partition in RAM as shown in Figure 59.

Figure 59. Dynamic partitioning.

13.1 Virtual Memory

Each of the previous memory management schemes required an entire process to be loaded contiguously into RAM. Virtual memory management uses a concept known as paging to divide each process into small chunks or pages. Paging also requires RAM to be partitioned into equally sized chunks called page frames. Page frames are identified by the physical address locations in RAM and process pages are simply loaded into RAM as needed.

Figure 60. Memory mapping.

When a CPU is in protected mode, the OS is responsible for mapping all process memory requirements into RAM. Since process memory requirements typically exceed the amount of RAM available, OSs extend memory allocation with virtual memory. For instance, a 32-bit OS has the ability to address approximately 4 GB (2^32 bytes) of memory. The upper 2 GB is reserved for kernel space memory requirements, and the lower 2 GB is allotted for user space process memory requirements.

Figure 61. Upper and lower memory areas.

Virtual memory extends memory demands by providing a logical 2 GB of addressable space for every process. Virtual memory is commonly implemented using virtual addresses, page directories, page tables, and a swap/page file.

Virtual Addresses
Every process may have different memory requirements, so every process identifies all of its memory requirements as virtual addresses. These virtual addresses are usable by the process' resources in user mode.

Page Directories
Every process has a page directory. The page directory contains page directory entries that are used as pointers to a specific page table.

Page Tables
Page tables contain page table entries (PTEs). Each PTE contains a specific address, known as a page. These pages identify the page frame address of the data being sought.

Swap/Page File
The swap space (UNIX) or page file (Windows) uses physical disk space to store memory data that is not actively being used in RAM, to make room for something that is active. This is known as swapping.


Figure 62. Virtual Addressing.

The most frequently used data is stored in cache and tracked using the translation lookaside buffer (TLB). Figure 62 combines the TLB concept learned earlier in Computer Organization and Architecture with how the OS handles virtual memory. Virtual Addressing abbreviations:

- TLB: Translation Lookaside Buffer
- PD: Page Directory
- PDE: Page Directory Entry
- PT: Page Table
- PTE: Page Table Entry
- PF: Page Frame


When the system generates a virtual address, it is converted into a page frame address in one of two ways:

- Use the TLB to find the cached page frame address
- If the TLB misses, the OS uses the page table to identify the page frame address

Once the page frame address is found, it is combined with the offset to determine the exact location of the data within the frame. Page table searches by the OS are similar to TLB lookups in that the physical address may not always be valid. When the PTE references an invalid address, a page fault is generated. For instance, if a PTE references a page frame that has been swapped out to disk, a page fault is generated and the access cannot complete until the data has been retrieved from the disk. Excessive swapping is known as thrashing, which leads to slow disk access and overall poor system performance.
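As an added example (not from the student guide), the following Python simulation performs the two-way translation described above: a TLB lookup first, then a page directory and page table walk on a miss, with a page fault raised when the PTE is invalid. The 10/10/12-bit split of the virtual address mirrors 32-bit x86 paging, and the sample page directory, the MMU class and the helper names are assumptions constructed here.

```python
# Added example (not from the student guide): simulated virtual-to-physical
# translation with a TLB, page directory and page tables, modelled on 32-bit x86
# paging. The 10/10/12-bit address split and sample tables are assumptions.
PAGE_SHIFT = 12          # 4 KB pages -> 12-bit offset within a page frame
INDEX_BITS = 10          # 1024 PDEs per page directory, 1024 PTEs per page table

class PageFault(Exception):
    """Raised when the PDE or PTE for an address is not valid (e.g. swapped out)."""

def split_vaddr(vaddr):
    """Split a 32-bit virtual address into (PD index, PT index, page offset)."""
    pd_index = (vaddr >> (PAGE_SHIFT + INDEX_BITS)) & 0x3FF
    pt_index = (vaddr >> PAGE_SHIFT) & 0x3FF
    offset = vaddr & 0xFFF
    return pd_index, pt_index, offset

class MMU:
    def __init__(self, page_directory):
        # PD index -> page table; page table: PT index -> frame number or None
        self.pd = page_directory
        self.tlb = {}                 # virtual page number -> page frame number
        self.tlb_hits = self.tlb_misses = self.page_faults = 0

    def translate(self, vaddr):
        """TLB lookup first; on a miss walk PD -> PT -> PTE, faulting if invalid."""
        pd_index, pt_index, offset = split_vaddr(vaddr)
        vpn = (pd_index << INDEX_BITS) | pt_index    # 20-bit virtual page number
        frame = self.tlb.get(vpn)
        if frame is not None:
            self.tlb_hits += 1                        # cached page frame address
        else:
            self.tlb_misses += 1
            page_table = self.pd.get(pd_index)
            frame = page_table.get(pt_index) if page_table else None
            if frame is None:                         # PTE invalid: page fault
                self.page_faults += 1
                raise PageFault(f"invalid PTE for virtual address {vaddr:#010x}")
            self.tlb[vpn] = frame                     # cache the translation
        return (frame << PAGE_SHIFT) | offset         # frame address + offset

def try_translate(mmu, vaddr):
    """Return the physical address, or None when the access page-faults."""
    try:
        return mmu.translate(vaddr)
    except PageFault:
        return None

# Constructed sample: PD entry 0 -> a page table where page 1 is in frame 0x1A2
# and page 2 has been swapped out to disk (its PTE is invalid).
SAMPLE_PAGE_DIRECTORY = {0: {1: 0x1A2, 2: None}}
```

Translating 0x00001ABC twice shows one TLB miss followed by one hit, while 0x00002010 reaches the swapped-out page and faults.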


14 Device Drivers

Windows and Linux systems both implement device drivers as loadable kernel modules (LKMs). Drivers typically fall into one of the following categories:

Device Driver
Translates I/O related function calls into specific hardware device requests.

File System Driver
Accepts file oriented I/O requests and translates them into I/O operations destined for the disk.

Network Driver
Accepts network I/O requests and translates them into I/O communications destined for other network devices.

For the purpose of this module, focus is placed on device drivers.

14.1 Windows Device Drivers

The Windows kernel relies on the HAL to isolate the OS from the hardware. Windows device drivers are dynamically loaded to only deal with the HAL. Therefore, when the OS needs to perform some sort of I/O, it asks the HAL how to do it. If a device needs to communicate with the OS, it asks the HAL how to do it. Therefore, the HAL is the API for device drivers.

Windows device drivers typically end with a .sys file extension and are loaded by default in the %SystemRoot%\System32\drivers directory. The drivers consist of callable routines for the specific types of I/O requests.

Initialization Routine
Called when the LKM is loaded; used to register the rest of the driver's routines with the OS.

Add-device Routine
Drivers that support Plug and Play (PnP) implement an add-device routine to send a driver notification whenever a new device is detected.

Start I/O Routine
Used to initiate a data transfer to or from a device.

Dispatch Routines
Invoked by the OS when it is called upon to perform an I/O operation; the main function of a device driver.

Interrupt Service Routine (ISR)
Scheduled by the kernel upon a device interrupt to transfer control to the driver's ISR.

Deferred Procedure Call (DPC)
Used to control ISRs. For instance, once an ISR completes, the DPC ends the interrupt and returns to normal scheduling.


Figure 63. Windows device driver implementation.

14.2 Linux Device Drivers

Linux device drivers are pieces of code that are loaded and unloaded to and from the kernel on demand as LKMs. Similar to the Windows HAL, Linux uses architecture-dependent code or BSP to interface with hardware. Linux device names typically reside in the /dev directory or one of its subdirectories and consist of callable routines similar to Windows:

Initialization Routine

Called when the LKM is loaded, it is used to register the rest of the driver's routines with the OS.

Device Naming Routine

Device files are located in /dev and their associated LKMs are within /lib. Linux drivers use contextual names, but applications are not required to use them. Driver identification is accomplished using major-minor number pairings ranging from 0-255. These are referred to as device nodes.

Applications use file system nodes to access a device. When an application makes an I/O request (open, close, read, write) on a device node, the kernel does not handle the request as a regular I/O file, but passes the request to a device driver. The device driver handles the I/O operation and sends the results to the user. The device node provides the device abstraction.


File Operations

Routines that are similar to Windows dispatch routines. Linux treats all devices as files and uses standard system calls to communicate with them.

- open: Open handle
- close: Close handle
- read: Read request
- write: Write request
- llseek: Seek operation
- ioctl: Control request

Linux devices take on certain roles to determine I/O interactions. These roles determine how each device interprets file operation routines.

Block Device File
Expected to use system calls such as read() and write(), transferring data one block at a time. Block devices are also referred to as raw I/O because there is no interpretation of the data. This allows for random access. Blocks are normally 512 bytes in size.

Character Device File
Expected to use an interface that interprets the data when it is written to or read from the device. Characters are read sequentially in a stream of bytes. A keyboard is a character device because when the system call get() is called, the byte is interpreted as a character.
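As an added example (not from the student guide) covering both the device-node discussion above and the block/character distinction, the following Python code parses a constructed "ls -l /dev" listing into device nodes with their type and major/minor numbers, and flags block devices that are writable by everyone, since raw block access bypasses the file system's permission checks. The sample listing and the helper names are assumptions constructed here.

```python
import os
import re

# Added example (not from the student guide): inspect device nodes as "ls -l /dev"
# presents them. The listing below is constructed sample data, not captured
# from a real system; entries are in the same column layout as ls -l.
SAMPLE_LS_DEV = """\
crw-rw-rw- 1 root root    1,   3 Jan  1 00:00 null
crw-rw-rw- 1 root tty     5,   0 Jan  1 00:00 tty
brw-rw---- 1 root disk    8,   0 Jan  1 00:00 sda
brw-rw-rw- 1 root disk    8,   1 Jan  1 00:00 sdb1
-rw-r--r-- 1 root root      4096 Jan  1 00:00 notes.txt
"""

# Device-node lines carry "major, minor" where a regular file carries its size;
# the first character of the mode is 'b' (block) or 'c' (character).
_DEV_LINE = re.compile(
    r"^(?P<mode>[bc][rwx-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<major>\d+),\s*(?P<minor>\d+)\s+.+\s(?P<name>\S+)$"
)

def parse_dev_listing(text):
    """Return one dict per device node: name, type, major, minor, permissions."""
    nodes = []
    for line in text.splitlines():
        m = _DEV_LINE.match(line)
        if not m:
            continue                      # regular files, directories, symlinks
        mode = m.group("mode")
        major, minor = int(m.group("major")), int(m.group("minor"))
        nodes.append({
            "name": m.group("name"),
            "type": "block" if mode[0] == "b" else "char",
            "major": major,
            "minor": minor,
            "other_writable": mode[8] == "w",   # 'w' in the "others" triplet
            "dev_t": os.makedev(major, minor),  # packed value the kernel uses
        })
    return nodes

def world_writable_block_devices(nodes):
    """Block nodes writable by any user expose raw disk blocks to every local user."""
    return [n["name"] for n in nodes if n["type"] == "block" and n["other_writable"]]
```

On a live system the same parser can be fed the real output of "ls -l /dev" to audit node permissions.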

Figure 64. Linux device driver implementation.


15 System Virtualization

System virtualization is the act of creating a virtual version of something such as a hardware platform, OS, storage device, or something computer related. Virtualization allows for isolated duplication of software and physical hardware, thereby reducing IT environment expenses and increasing efficiency and agility. Virtualization is controlled by a virtual machine monitor (VMM), often referred to as a hypervisor. The VMM can be software, firmware, or hardware that runs virtual machines and presents a guest OS with a virtual representation of hardware. A virtual machine (VM) is an instance of an OS executing on a virtualized system. A virtual system contains a host machine and any number of guest machines. The student laptops and the classroom student positions are both host examples. A host machine holds the primary OS and contains the VMM running one or more VMs. The guest machine is any VM supported by the host machine.

15.1 Types of Virtual Machine Monitors

A Type 1 VMM sits directly above the hardware and virtualizes the complete hardware. Also known as a bare metal, embedded, or native hypervisor, a type 1 VMM works directly on the hardware of a host and is capable of monitoring OSs that run above the hypervisor. Completely independent of a host OS, this software-implemented VMM services a guest OS's requests.

Some common Type 1 VMMs are:

- VMware ESXi server
- Microsoft Hyper-V
- Citrix/Xen Server

A Type 2 VMM runs within an OS and relies on OS services to manage the hardware. Also known as a hosted hypervisor, a type 2 VMM is a software-implemented embedded kernel module within a host OS that services a guest OS's requests. Here, the hypervisor is installed on an OS and supports other OSs above it.

Some common Type 2 VMMs are:

- VMware Workstation
- VirtualBox
- VMware Fusion


15.2 Virtualization Technologies

There are four commonly used virtualization technologies, each having advantages and disadvantages when running multiple OSs on a single physical computer system. The four technologies are guest operating system, shared kernel, kernel level, and hypervisor virtualization. The focus for this module is on guest operating system virtualization.

Guest OS Virtualization

A virtualization program running on a host OS creates one or more virtual machines to run as guest OSs on the computer. The application starts, stops, and manages all VMs and controls access to physical hardware resources on behalf of those VMs. A virtualization application also scans the instruction stream of an executing guest system and replaces all privileged instructions with unprivileged emulations through a process known as binary rewriting. Rewriting or “encoding” gives the guest OS the impression it is running directly on system hardware, rather than in a VM within an application. Figure 65 provides an illustration of a guest OS operating within a virtualization application.

Figure 65. Virtualization layers.

A virtualization application runs on top of a host OS, in this case Windows XP. Because of the multiple abstraction layers, this produces weak performance. On the positive side, no changes are needed to the host or guest OSs, and special CPU hardware virtualization support is not needed.

From a security standpoint, a virtual machine escape can be used to break out of a VM environment and access the host’s operating system. Vulnerabilities in some virtualization applications (VMware Workstation) exist and should be addressed to reduce possible exploitation and prevent an intruder from taking over a host.


Working from a VM does not eliminate vulnerabilities to a host. Software patching and maintaining good security practices remain vital to reduce system weaknesses. Understanding the benefits of virtualized systems enables exploitation of target systems. Determining if a target system is a virtual machine or the actual host is accomplished with a variety of commands. Regardless of the OS used, there are a variety of system tools that help determine a system’s hardware components and other useful information such as serial numbers and BIOS or UEFI revisions. To view this information on most Windows OSs, the systeminfo command is used, and most Linux systems use the dmidecode command. Figure 66 displays an excerpt from the systeminfo command used on a Windows 7 VM. Notice the System Manufacturer and System Model information identify this as a virtual machine.

Figure 66. Windows 7 System Information (systeminfo)

In Figure 67 the same type of information is provided for a Linux system using the dmidecode command. Here the Manufacturer and Product Name identify the system as VMware.

Figure 67. CentOS 6 System Information (dmidecode)


Objectives
At the end of this training day, students will be able to:

- None

Exercises
This training day includes the following exercises:

- None

Homework

- None

Day 8