The boot process is an essential part of using a computer, and understanding how it works can provide valuable forensic information. As a forensic examiner, you can also control the boot process to use forensic booting tools. In this article, we will take a detailed look at how the boot process works.
When you turn on your computer, the power supply sends power to the motherboard, which activates the boot process. The power-on self-test (POST) runs through a series of checks to ensure that everything is working correctly. The instructions for the POST are stored in a read-only memory (ROM) chip as part of the BIOS (basic input/output system).
Most POST sequences will have a combination of audible and visual messages to let you know what is and isn't working. The POST checks your video card, and from that point on you will see information from the POST on the screen. It then checks to make sure it can find a CPU and that it is communicating. It then runs a very basic test of your RAM, checking only that it can communicate with the memory.
The POST then checks for the keyboard and mouse, and depending on the type of keyboard you have, you might see the keyboard light flash at this point. You would normally see an indication on the screen of how you can enter the BIOS setup program on your computer. Each BIOS software vendor will have a different keystroke, but it is often either F2, F10, or the Delete key.
The BIOS setup is where important forensic information is stored, including date and time information and the boot order. Your computer can be set to boot from your hard drive first or from your CD, USB drive, or even from the network. If you want to boot the computer with a forensic boot CD or forensic USB device, you may need to change the boot order.
Lights on each drive will flash as the POST checks them for booting instructions. Most computers are set up to check the optical drive first, as this makes it easier to install new operating systems. Then they check the very first hard drive (drive zero), where the POST looks for the Master Boot Record.
The Master Boot Record is always at cylinder zero, head zero, sector one (the very first sector of the disk), and its partition table points to the boot sector of the active partition. Finally, the POST is done, and the operating system takes over.
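As an added example, not code from the original article, here is a small Python parser for the Master Boot Record sector described above. It shows what an examiner can document from those first 512 bytes before booting a forensic tool: the 0x55AA boot signature, the four partition table entries with their packed cylinder/head/sector fields, which partition is flagged active (its first sector is the boot sector the MBR hands control to), and a hash of the sector so later changes to it can be detected. The 512-byte MBR it parses is constructed inline for the demonstration and does not come from any real disk; the 255-head / 63-sector geometry used for the CHS-to-LBA conversion is an assumption (it is the conventional value, but a real examination should take the geometry from the disk or the tool in use).

```python
"""Parse a Master Boot Record (the first 512-byte sector of a disk).

Example code written for this article, not the article's own tooling.
The sample MBR below is constructed for the demonstration, not captured
from a real system.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510-511 of a valid MBR
DISK_SIGNATURE_OFFSET = 440         # 4-byte disk signature used by Windows
PARTITION_TABLE_OFFSET = 446        # four 16-byte partition entries follow
ENTRY_FORMAT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def decode_chs(raw):
    """Unpack the 3-byte packed CHS field of a partition entry into (C, H, S)."""
    head = raw[0]
    sector = raw[1] & 0x3F                      # low 6 bits
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]  # top 2 bits of byte 1 + byte 2
    return cylinder, head, sector


def chs_to_lba(cylinder, head, sector, heads=255, sectors_per_track=63):
    """Convert CHS to a logical block address.

    The 255/63 geometry is an assumption for the example. CHS (0, 0, 1),
    where the MBR lives, maps to LBA 0 under any geometry.
    """
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def build_sample_mbr():
    """Constructed sample MBR: an active NTFS-type partition, then a Linux-type one."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xeb\x3c\x90"  # placeholder jump at the start of the boot code area
    mbr[DISK_SIGNATURE_OFFSET:DISK_SIGNATURE_OFFSET + 4] = struct.pack("<I", 0x12345678)
    entries = [
        # status 0x80 = active; CHS start 0/32/33 is LBA 2048 under 255/63 geometry
        struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800),
        struct.pack(ENTRY_FORMAT, 0x00, b"\xfe\xff\xff", 0x83, b"\xfe\xff\xff", 206848, 409600),
    ]
    for i, entry in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + i * 16
        mbr[off:off + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector0):
    """Describe an MBR sector; raise ValueError if it is not a well-formed MBR."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack(
            ENTRY_FORMAT, sector0[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte {status:#04x}")
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "chs_start": decode_chs(chs_start),
            "lba_start": lba_start,
            "sectors": count,
        })
    active = [p for p in partitions if p["active"]]
    if len(active) > 1:
        raise ValueError("more than one partition is flagged active")
    return {
        # Hash of the whole sector, and of the boot code alone, for later comparison
        "sha256": hashlib.sha256(sector0).hexdigest(),
        "boot_code_sha256": hashlib.sha256(sector0[:DISK_SIGNATURE_OFFSET]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector0, DISK_SIGNATURE_OFFSET)[0],
        "partitions": partitions,
        # First sector of the active partition: the boot sector the MBR points to
        "boot_sector_lba": active[0]["lba_start"] if active else None,
    }


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("MBR sha256:", info["sha256"])
    for p in info["partitions"]:
        print(f"entry {p['index']}: type {p['type']:#04x} active={p['active']} "
              f"CHS {p['chs_start']} LBA {p['lba_start']} sectors {p['sectors']}")
    print("boot sector LBA:", info["boot_sector_lba"])
```

On a real examination the sector would be read from a write-blocked image rather than built in memory, and the recorded hash gives a baseline to compare against after any boot from forensic media.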
In conclusion, understanding the boot process is essential for forensic examiners as it provides valuable information about the system. Controlling the boot process can also help in using forensic booting tools. Knowing how the POST works and what it checks during the booting process can also be helpful in detecting problems with the system.