Module 1: The Windows Operating System

1.0 Introduction

1.1. Windows History

1.1.1 Disk Operating System
1.1.2 Windows Versions
1.1.3 Windows GUI
1.1.4 Operating System Vulnerabilities

1.2 Windows Architecture and Operations

1.2.1 Hardware Abstraction Layers
1.2.2 User Mode and Kernel Mode
1.2.3 Windows File Systems
1.2.4 Alternate Data Streams
1.2.5 Windows Boot Process
1.2.6 Windows Startup
1.2.7 Windows Shutdown
1.2.8 Processes, Threads, and Services
1.2.9 Memory Allocation and Handles
1.2.10 The Windows Registry
1.2.11 Lab – Exploring Processes, Threads, Handles, and Windows Registry

1.3 Windows Configuration and Monitoring

1.3.1 Run as Administrator
1.3.2 Local Users and Domains
1.3.3 CLI and PowerShell
1.3.4 Windows Management Instrumentation
1.3.5 The net Command
1.3.6 Task Manager and Resource Monitor
1.3.7 Networking
1.3.8 Accessing Network Resources
1.3.9 Windows Server
1.3.10 Lab – Create User Accounts
1.3.11 Lab – Using Windows PowerShell
1.3.12 Lab – Windows Task Manager
1.3.13 Lab – Monitor and Manage System Resources in Windows

1.4 Windows Security

1.4.1 The netstat Command
1.4.2 Event Viewer
1.4.3 Windows Update Management
1.4.4 Local Security Policy
1.4.5 Windows Defender
1.4.6 Windows Defender Firewall
1.4.7 Check Your Understanding – Identify the Windows Tool

1.5 The Windows Operating System Summary

1.5.1 What Did I Learn in this Module?
1.5.2 Quiz: The Windows Operating System

Module 2: Linux Overview

2.0 Introduction

2.0.1 Why Should I Take this Module?
2.0.2 What Will I Learn in this Module?
2.0.3 Lab Video – Install a Virtual Machine on a Personal Computer
2.0.4 Lab – Install a Virtual Machine on a Personal Computer

2.1 Linux Basics

2.1.1 What is Linux?
2.1.2 The Value of Linux
2.1.3 Linux in the SOC
2.1.4 Linux Tools

2.2 Working in the Linux Shell

2.2.1 The Linux Shell
2.2.2 Basic Commands
2.2.3 File and Directory Commands
2.2.4 Working with Text Files
2.2.5 The Importance of Text Files in Linux
2.2.6 Lab – Working with Text Files in the CLI
2.2.7 Lab – Getting Familiar with the Linux Shell

2.3 Linux Servers and Clients

2.3.1 An Introduction to Client-Server Communications
2.3.2 Servers, Services, and Their Ports
2.3.3 Clients
2.3.4 Lab Video – Use a Port Scanner to Detect Open Ports
2.3.5 Lab – Use a Port Scanner to Detect Open Ports
2.3.6 Lab – Linux Servers

2.4 Basic Server Administration

2.4.1 Service Configuration Files
2.4.2 Hardening Devices
2.4.3 Monitoring Service Logs
2.4.4 Lab – Locating Log Files

2.5 The Linux File System

2.5.1 The File System Types in Linux
2.5.2 Linux Roles and File Permissions
2.5.3 Hard Links and Symbolic Links
2.5.4 Lab – Navigating the Linux Filesystem and Permission Settings

2.6 Working with the Linux GUI

2.6.1 X Window System
2.6.2 The Linux GUI

2.7 Working on a Linux Host

2.7.1 Installing and Running Applications on a Linux Host
2.7.2 Keeping the System Up to Date
2.7.3 Processes and Forks
2.7.4 Malware on a Linux Host
2.7.5 Rootkit Check
2.7.6 Piping Commands
2.7.7 Video – Applications, Rootkits, and Piping Commands
2.7.8 Lab – Configure Security Features in Windows and Linux

2.8 Linux Overview Summary

2.8.1 What Did I Learn in this Module?
2.8.2 Quiz: Linux Overview

Module 3: Mobile Device Connectivity

3.0 Introduction

3.0.1 Why Should I Take This Module?
3.0.2 What Will I Learn in This Module?

3.1 Wireless and Cellular Data Network

3.1.1 Wireless Data Networks
3.1.2 Wi-Fi Manual Configuration
3.1.3 Lab – Mobile Wi-Fi
3.1.4 Cellular Communications Standards
3.1.5 Airplane Mode
3.1.6 Hotspot
3.1.7 Check Your Understanding – Wireless Technology

3.2 Bluetooth

3.2.1 Bluetooth for Mobile Devices
3.2.2 Bluetooth Pairing

3.3 Email Configuration

3.3.1 Introduction to Email
3.3.2 Check your understanding – Email Protocols
3.3.3 Android Email Configuration
3.3.4 iOS Email Configuration
3.3.5 Internet Email

3.4 Mobile Device Synchronization

3.4.1 Types of Data to Synchronize
3.4.2 Enabling Synchronization
3.4.3 Synchronization Connection Types

3.5 Mobile Device Connectivity Summary

3.5.1 What Did I Learn in this Module?
3.5.2 Quiz – Mobile Device Connectivity

Module 4: Mobile Operating Systems and Security

4.0 Introduction

4.0.1 Why Should I Take This Module?
4.0.2 What Will I Learn in This Module?

The first computers did not have modern storage devices such as hard drives, optical drives, or flash storage. The first storage methods used punch cards, paper tape, magnetic tape, and even audio cassettes.

Floppy disk and hard disk storage require software to read from, write to, and manage the data that they store. The Disk Operating System (DOS) is an operating system that the computer uses to enable these data storage devices to read and write files. DOS provides a file system which organizes the files in a specific way on the disk. Microsoft bought DOS and developed MS-DOS.

MS-DOS used a command line as the interface for people to create programs and manipulate data files, as shown in the command output. DOS commands are shown in bold text.

Starting MS-DOS…
HIMEM is testing extended memory… done.
C:∖> C:∖DOS∖SMARTDRV.EXE /X
C:∖> dir
Volume in drive C is MS-DOS_6
Volume Serial Number is 4006-6939
Directory of C:∖
DOS  <DIR>  05-06-17 1:09p
COMMAND  COM   54,645 05-31-94  6:22a
WINA20   386   9,349  05-31-94  6:22a
CONFIG   SYS   71 05-06-17      1:10p
AUTOEXEC   BAT   78 05-06-17    1:10p
     5 file(s)     64,143 bytes
              517,021,696 bytes free
C:∖>

With MS-DOS, the computer had a basic working knowledge of how to access the disk drive and load the operating system files directly from disk as part of the boot process. When it was loaded, MS-DOS could easily access the disk because it was built into the operating system.

Early versions of Windows consisted of a Graphical User Interface (GUI) that ran over MS-DOS, starting with Windows 1.0 in 1985. The disk operating system still controlled the computer and its hardware. A modern operating system like Windows 10 is not considered a disk operating system. It is built on Windows NT, which stands for “New Technologies”. The operating system itself is in direct control of the computer and its hardware. NT is an OS with support for multiple user processes. This is much different than the single-process, single-user MS-DOS.

Today, many things that used to be accomplished through the command line interface of MS-DOS can be accomplished in the Windows GUI. You can still experience what it was like to use MS-DOS by opening a command window, but what you see is no longer MS-DOS, it is a function of Windows. To experience a little of what it was like to work in MS-DOS, open a command window by typing cmd in Windows Search and pressing Enter. The table lists some commands that you can use. Enter help followed by the command to learn more about the command.

MS-DOS Command	Description
dir	Shows a listing of all the files in the current directory (folder)
cd directory	Changes the directory to the indicated directory
cd ..	Changes the directory to the directory above the current directory
cd∖	Changes the directory to the root directory (often C:)
copy source destination	Copies files to another location
del filename	Deletes one or more files
find	Searches for text in files
mkdir directory	Creates a new directory
ren oldname newname	Renames a file
help	Displays all the commands that can be used, with a brief description
help command	Displays extensive help for the indicated command

1.1.2 Windows Versions

Since 1993, there have been more than 20 releases of Windows that are based on the NT operating system. Most of these versions were for use by the general public and businesses because of the file security offered by the file system that was used by the NT OS. Businesses also adopted NT OS-based Windows operating systems. This is because many editions were built specifically for workstation, professional, server, advanced server, and datacenter server, to name just a few of the many purpose-built versions.

Beginning with Windows XP, a 64-bit edition was available. The 64-bit operating system was an entirely new architecture. It had a 64-bit address space instead of a 32-bit address space. This is not simply twice the amount of space because these bits are binary numbers. While 32-bit Windows can address a little less than 4 GB of RAM, 64-bit Windows can theoretically address 16.8 million terabytes. When the OS and the hardware all support 64-bit operation, extremely large data sets can be used. These large data sets include very large databases, scientific computing, and manipulation of high definition digital video with special effects. In general, 64-bit computers and operating systems are backward-compatible with older, 32-bit programs, but 64-bit programs cannot be run on older, 32-bit hardware.

With each subsequent release of Windows, the operating system has become more refined by incorporating more features. Windows 7 was offered with six different editions, Windows 8 with as many as five, and Windows 10 with eight different editions! Each edition not only offers different capabilities, but also different price points. Microsoft has said that Windows 10 is the last version of Windows, and that Windows has become a service rather than just an OS. They say that rather than purchasing new operating systems, users will just update Windows 10 instead.

OS	Versions
Windows 7	Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate
Windows Server 2008 R2	Foundation, Standard, Enterprise, Datacenter, Web Server, HPC Server, Itanium-Based Systems
Windows Home Server 2011	None
Windows 8	Windows 8, Windows 8 Pro, Windows 8 Enterprise, Windows RT
Windows Server 2012	Foundation, Essentials, Standard, Datacenter
Windows 8.1	Windows 8.1, Windows 8.1 Pro, Windows 8.1 Enterprise, Windows RT 8.1
Windows Server 2012 R2	Foundation, Essentials, Standard, Datacenter
Windows 10	Home, Pro, Pro Education, Enterprise, Education, loT Core, Mobile, Mobile Enterprise
Windows Server 2016	Essentials, Standard, Datacenter, Multipoint Premium Server, Storage Server, Hyper-V Server

1.1.3 Windows GUI

The Desktop can be customized with various colors and background images. Windows supports multiple users, so each user can customize the Desktop to their liking. The Desktop can store files, folders, shortcuts to locations and programs, and applications. The Desktop also has a recycle bin icon, where files are stored when the user deletes them. Files can be restored from the recycle bin or the recycle bin can be emptied of files, which truly deletes them.

At the bottom of the desktop is the Task Bar. The Task Bar has three areas that are used for different purposes. At the left is the Start menu. It is used to access all of the installed programs, configuration options, and the search feature. At the center of the Task Bar, users place quick launch icons that run specific programs or open specific folders when they are clicked. Finally, on the right of the Task Bar is the notification area. The notification area shows, at a glance, the functionality of many different programs and features. For example, a blinking envelope icon may indicate new email, or a network icon with a red “x” may indicate a problem with the network.

Often, right-clicking an icon will bring up additional functions that can be used. This list is known as a Context Menu, shown in the figure.

There are Context Menus for the icons in the notification area, for quick launch icons, system configuration icons, and for files and folders. The Context Menu provides many of the most commonly used functions by just clicking. For example, the Context Menu for a file will contain such items as copy, delete, share, and print. To open folders and manipulate files, Windows uses the Windows File Explorer.

1.1.4 Operating System Vulnerabilities

Operating systems consist of millions of lines of code. Installed software can also contain millions of lines of code. With all this code comes vulnerabilities. A vulnerability is some flaw or weakness that can be exploited by an attacker to reduce the viability of a computer’s information. To take advantage of an operating system vulnerability, the attacker must use a technique or a tool to exploit the vulnerability. The attacker can then use the vulnerability to get the computer to act in a fashion outside of its intended design. In general, the goal is to gain unauthorized control of the computer, change permissions, or to manipulate or steal data.

Click each of the headings below to see some common Windows OS security recommendations.

virus or malware protection

By default, Windows uses Windows Defender for malware protection.
Windows Defender provides a suite of protection tools built into the system.
If Windows Defender is turned off, the system becomes more vulnerable to attacks and malware.

Unknown or unmanaged services

There are many services that run behind the scenes.
It is important to make sure that each service is identifiable and safe.
With an unknown service running in the background, the computer can be vulnerable to attack.

Encryption

When data is not encrypted, it can easily be gathered and exploited.
This is not only important for desktop computers, but especially mobile devices.

Security policy

A good security policy must be configured and followed.
Many settings in the Windows Security Policy control can prevent attacks.

Firewall

By default, Windows uses Windows Firewall to limit communication with devices on the network.
Over time, rules may no longer apply.
For example, a port may be left open that should no longer be readily available.
It is important to review firewall settings periodically to ensure that the rules are still applicable and remove any that no longer apply

File and share permission

These permissions must be set correctly.
It is easy to just give the “Everyone” group Full Control, but this allows all people to do what they want to all files.
It is best to provide each user or group with the minimum necessary permissions for all files and folders.

weak or no password

Many people choose weak passwords or do not use a password at all.
It is especially important to make sure that all accounts, especially the Administrator account, have a very strong password.

When a user logs in as an administrator, any program that they run will have the privileges of that account.
It is best to log in as a Standard User and only use the administrator password to accomplish certain tasks.

1.2.1 Hardware Abstraction Layers

Windows computers use many different types of hardware. The operating system can be installed on a purchased computer or a on computer that is assembled by the user. When the operating system is installed, it must be isolated from differences in hardware. The basic Windows architecture is shown in the figure.

A hardware abstraction layer (HAL) is software that handles all of the communication between the hardware and the kernel. The kernel is the core of the operating system and has control over the entire computer. It handles all of the input and output requests, memory, and all of the peripherals connected to the computer.

In some instances, the kernel still communicates with the hardware directly, so it is not completely independent of the HAL. The HAL also needs the kernel to perform some functions.

1.2.2 User Mode and Kernel Mode

As identified in the figure, there are two different modes in which a CPU operates when the computer has Windows installed: the user mode and the kernel mode.

Installed applications run in user mode, and operating system code runs in kernel mode. Code that is executing in kernel mode has unrestricted access to the underlying hardware and is capable of executing any CPU instruction. Kernel mode code also can reference any memory address directly. Generally reserved for the most trusted functions of the OS, crashes in code running in kernel mode stop the operation of the entire computer. Conversely, programs such as user applications, run in user mode and have no direct access to hardware or memory locations. User mode code must go through the operating system to access hardware resources. Because of the isolation provided by user mode, crashes in user mode are restricted to the application only and are recoverable. Most of the programs in Windows run in user mode. Device drivers, pieces of software that allow the operating system and a device to communicate, may run in either kernel or user mode, depending on the driver.

All of the code that runs in kernel mode uses the same address space. Kernel-mode drivers have no isolation from the operating system. If an error occurs with the driver running in kernel mode, and it writes to the wrong address space, the operating system or another kernel-mode driver could be adversely affected. In this respect, the driver might crash, causing the entire operating system to crash.

When user mode code runs, it is granted its own restricted address space by the kernel, along with a process created specifically for the application. The reason for this functionality is mainly to prevent applications from changing operating system code that is running at the same time. By having its own process, that application has its own private address space, rendering other applications unable to modify the data in it. This also helps to prevent the operating system and other applications from crashing if that application crashes.

1.2.3 Windows File Systems

Click each heading to learn more about Windows file systems.

exFAT

This is a simple file system supported by many different operating systems.
FAT has limitations to the number of partitions, partition sizes, and file sizes that it can address, so it is not usually used for hard drives (HDs) or solid-state drives (SSDs) anymore.
Both FAT16 and FAT32 are available to use, with FAT32 being the most common because it has many fewer restrictions than FAT16.

Hierarchical File System Plus (HFS+)

This file system is used on MAC OS X computers and allows much longer filenames, file sizes, and partition sizes than previous file systems.
Although it is not supported by Windows without special software, Windows is able to read data from HFS+ partitions.

Extended File System (EXT)

This file system is used with Linux-based computers.
Although it is not supported by Windows, Windows is able to read data from EXT partitions with special software.

New Technology File System (NTFS)

This is the most commonly used file system when installing Windows. All versions of Windows and Linux support NTFS.
Mac-OS X computers can only read an NTFS partition. They are able to write to an NTFS partition after installing special drivers.

NTFS is the most widely used file system for Windows for many reasons. NTFS supports very large files and partitions and it is very compatible with other operating systems. NTFS is also very reliable and supports recovery features. Most importantly, it supports many security features. Data access control is achieved through security descriptors. These security descriptors contain file ownership and permissions all the way down to the file level. NTFS also tracks many time stamps to track file activity. Sometimes referred to as MACE, the timestamps Modify, Access, Create, and Entry Modified are often used in forensic investigations to determine the history of a file or folder. NTFS also supports file system encryption to secure the entire storage media.

Before a storage device such as a disk can be used, it must be formatted with a file system. In turn, before a file system can be put into place on a storage device, the device needs to be partitioned. A hard drive is divided into areas called partitions. Each partition is a logical storage unit that can be formatted to store information, such as data files or applications. During the installation process, most operating systems automatically partition and format the available drive space with a file system such as NTFS.

NTFS formatting creates important structures on the disk for file storage, and tables for recording the locations of files:

Partition Boot Sector – This is the first 16 sectors of the drive. It contains the location of the Master File Table (MFT). The last 16 sectors contain a copy of the boot sector.
Master File Table (MFT) – This table contains the locations of all the files and directories on the partition, including file attributes such as security information and timestamps.
System Files – These are hidden files that store information about other volumes and file attributes.
File Area – The main area of the partition where files and directories are stored.

Note: When formatting a partition, the previous data may still be recoverable because not all the data is completely removed. The free space can be examined, and files can be retrieved which can compromise security. It is recommended to perform a secure wipe on a drive that is being reused. The secure wipe will write data to the entire drive multiple times to ensure there is no remaining data.

1.2.4 Alternate Data Streams

NTFS stores files as a series of attributes, such as the name of the file, or a timestamp. The data which the file contains is stored in the attribute $DATA, and is known as a data stream. By using NTFS, you can connect Alternate Data Streams (ADSs) to the file. This is sometimes used by applications that are storing additional information about the file. The ADS is an important factor when discussing malware. This is because it is easy to hide data in an ADS. An attacker could store malicious code within an ADS that can then be called from a different file.

In the NTFS file system, a file with an ADS is identified after the filename and a colon, for example, Testfile.txt:ADS. This filename indicates an ADS called ADS is associated with the file called Testfile.txt. An example of ADS is shown in the command output.

In the output:

The first command places the text “Alternate Data Here” into an ADS of the file Testfile.txt called “ADS”.
After that, dir, shows that the file was created, but the ADS is not visible.
The next command shows that there is data in the Testfile.txt:ADS data stream.
The last command shows the ADS of the Testfile.txt file because the r switch was used with the dir command.

1.2.5 Windows Boot Process

Many actions occur between the time that the computer power button is pressed and Windows is fully loaded, as shown in the figure. This is known as the Windows Boot process.

Two types of computer firmware exist:

Basic Input-Output System (BIOS)

BIOS firmware was created in the early 1980s and works in the same way it did when it was created. As computers evolved, it became difficult for BIOS firmware to support all the new features requested by users.

Unified Extensible Fireware Interface (UEFI)
UEFI was designed to replace BIOS and support the new features.

In BIOS firmware, the process begins with the BIOS initialization phase. This is when hardware devices are initialized and a power on self-test (POST) is performed to make sure all of these devices are communicating. When the system disk is discovered, the POST ends. The last instruction in the POST is to look for the master boot record (MBR).

The MBR contains a small program that is responsible for locating and loading the operating system. The BIOS executes this code and the operating system starts to load.

In contrast to BIOS firmware, UEFI firmware has a lot of visibility into the boot process. UEFI boots by loading EFI program files, stored as .efi files in a special disk partition, known as the EFI System Partition (ESP).

Note: A computer that uses UEFI stores boot code in the firmware. This helps to increase the security of the computer at boot time because the computer goes directly into protected mode.

Whether the firmware is BIOS or UEFI, after a valid Windows installation is located, the Bootmgr.exe file is run. Bootmgr.exe switches the system from real mode to protected mode so that all of the system memory can be used.

Bootmgr.exe reads the Boot Configuration Database (BCD). The BCD contains any additional code needed to start the computer, along with an indication of whether the computer is coming out of hibernation, or if this is a cold start. If the computer is coming out of hibernation, the boot process continues with Winresume.exe. This allows the computer to read the Hiberfil.sys file which contains the state of the computer when it was put into hibernation.

If the computer is being booted from a cold start, then the Winload.exe file is loaded. The Winload.exe file creates a record of the hardware configuration in the registry. The registry is a record of all of the settings, options, hardware, and software the computer has. The registry will be explored in depth later in this chapter. Winload.exe also uses Kernel Mode Code Signing (KMCS) to make sure that all drivers are digitally signed. This ensures that the drivers are safe to load as the computer starts.

After the drivers have been examined, Winload.exe runs Ntoskrnl.exe which starts the Windows kernel and sets up the HAL. Finally, the Session Manager Subsystem (SMSS) reads the registry to create the user environment, start the Winlogon service, and prepare each user’s desktop as they log on.

1.2.6 Windows Startup

There are two important registry items that are used to automatically start applications and services:

HKEY_LOCAL_MACHINE – Several aspects of Windows configuration are stored in this key, including information about services that start with each boot.
HKEY_CURRENT_USER – Several aspects related to the logged in user are stored in this key, including information about services that start only when the user logs on to the computer.

The registry will be discussed later in this topic.

Different entries in these registry locations define which services and applications will start, as indicated by their entry type. These types include Run, RunOnce, RunServices, RunServicesOnce, and Userinit. These entries can be manually entered into the registry, but it is much safer to use the Msconfig.exe tool. This tool is used to view and change all of the start-up options for the computer. Use the search box to find and open the Msconfig tool.

The Msconfig tool opens the System Configuration window. There are five tabs which contain the configuration options.

General

Three different startup types can be chosen here. Normal loads all drivers and services. Diagnostic loads only basic drivers and services. Selective allows the user to choose what to load on startup.

Boot

Any installed operating system can be chosen here to start. There are also options for Safe boot, which is used to troubleshoot startup.

Services

All the installed services are listed here so that they can be chosen to start at startup.

Startup

All the applications and services that are configured to automatically begin at startup can be enabled or disabled by opening the task manager from this tab.

Tools

Many common operating system tools can be launched directly from this tab.

1.2.7 Windows Shutdown

It is always best to perform a proper shutdown to turn off the computer. Files that are left open, services that are closed out of order, and applications that hang can all be damaged if the power is turned off without first informing the operating system. The computer needs time to close each application, shut down each service, and record any configuration changes before power is lost.

During shutdown, the computer will close user mode applications first, followed by kernel mode processes. If a user mode process does not respond within a certain amount of time, the OS will display notification and allow the user to wait for the application to respond, or forcibly end the process. If a kernel mode process does not respond, the shutdown will appear to hang, and it may be necessary to shut down the computer with the power button.

There are several ways to shut down a Windows computer: Start menu power options, the command line command shutdown, and using Ctrl+Alt+Delete and clicking the power icon. There are three different options from which to choose when shutting down the computer:

Shutdown – Turns the computer off (power off).
Restart – Re-boots the computer (power off and power on).
Hibernate – Records the current state of the computer and user environment and stores it in a file. Hibernation allows users to pick up right where they left off very quickly with all their files and programs still open.

1.2.8 Processes, Threads, and Services

A Windows application is made up of processes. The application can have one or many processes dedicated to it. A process is any program that is currently executing. Each process that runs is made up of at least one thread. A thread is a part of the process that can be executed. The processor performs calculations on the thread. To configure Windows processes, search for Task Manager. The Processes tab of the Task Manager is shown in the figure.

All of the threads dedicated to a process are contained within the same address space. This means that these threads may not access the address space of any other process. This prevents corruption of other processes. Because Windows multitasks, multiple threads can be executed at the same time. The amount of threads that can be executed at the same time is dependent on the number of the computer’s processors.

Some of the processes that Windows runs are services. These are programs that run in the background to support the operating system and applications. They can be set to start automatically when Windows boots or they can be started manually. They can also be stopped, restarted, or disabled.

Services provide long-running functionality, such as wireless or access to an FTP server. To configure Windows Services, search for services. The Windows Services control panel applet is shown in the figure.

Be very careful when manipulating the settings of these services. Some programs rely on one or more services to operate properly. Shutting down a service may adversely affect applications or other services.

1.2.9 Memory Allocation and Handles

A computer works by storing instructions in RAM until the CPU processes them. The virtual address space for a process is the set of virtual addresses that the process can use. The virtual address is not the actual physical location in memory, but an entry in a page table that is used to translate the virtual address into the physical address.

Each process in a 32-bit Windows computer supports a virtual address space that enables addressing up to 4 gigabytes. Each process in a 64-bit Windows computer supports a virtual address space of 8 terabytes.

Each user space process runs in a private address space, separate from other user space processes. When the user space process needs to access kernel resources, it must use a process handle. This is because the user space process is not allowed to directly access these kernel resources. The process handle provides the access needed by the user space process without a direct connection to it.

A powerful tool for viewing memory allocation is RAMMap, which is shown in the figure. RAMMap is part of the Windows Sysinternals Suite of tools. It can be downloaded from Microsoft. RAMMap provides a wealth of information regarding how Windows has allocated system memory to the kernel, processes, drivers, and applications.

1.2.10 The Windows Registry

Windows stores all of the information about hardware, applications, users, and system settings in a large database known as the registry. The ways that these objects interact are also recorded, such as what files an application opens and all of the property details of folders and applications. The registry is a hierarchical database where the highest level is known as a hive, below that there are keys, followed by subkeys. Values store data and are stored in the keys and subkeys. A registry key can be up to 512 levels deep.

Select the headings to find out more about five hives of the Windows registry.

HKEY_CURRENT_USER (HKCU)

Holds information concerning the currently logged in user.

HKEY_USERS (HKU)

Holds information concerning all the user accounts on the host.

HKEY_CLASSES_ROOT (HKCR)

Holds information about object linking and embedding (OLE) registrations. OLE allows users to embed objects from other applications (like a spreadsheet) into a single document (like a Word document).

HKEY_LOCAL_MACHINE (HKLM)

Holds system-related information.

HKEY_CURRENT_CONFIG (HKCC)

Holds information about the current hardware profile.

New hives cannot be created. The registry keys and values in the hives can be created, modified, or deleted by an account with administrative privileges. As shown in the figure, the tool regedit.exe is used to modify the registry. Be very careful when using this tool. Minor changes to the registry can have massive or even catastrophic effects.

Navigation in the registry is very similar to Windows file explorer. Use the left panel to navigate the hives and the structure below it and use the right panel to see the contents of the highlighted item in the left panel. With so many keys and subkeys, the key path can become very long. The path is displayed at the bottom of the window for reference. Because each key and subkey is essentially a container, the path is represented much like a folder in a file system. The backslash (∖) is used to differentiate the hierarchy of the database.

Registry keys can contain either a subkey or a value. The different values that keys can contain are as follows:

- REG_BINARY – Numbers or Boolean values
- REG_DWORD – Numbers greater than 32 bits or raw data
- REG_SZ – String values

Because the registry holds almost all the operating system and user information, it is critical to make sure that it does not become compromised. Potentially malicious applications can add registry keys so that they start when the computer is started. During a normal boot, the user will not see the program start because the entry is in the registry and the application displays no windows or indication of starting when the computer boots. A keylogger, for example, would be devastating to the security of a computer if it were to start at boot without the user’s knowledge or consent. When performing normal security audits, or remediating an infected system, review the application startup locations within the registry to ensure that each item is known and safe to run.

The registry also contains the activity that a user performs during normal day-to-day computer use. This includes the history of hardware devices, including all devices that have been connected to the computer including the name, manufacturer and serial number. Other information, such as what documents a user and program have opened, where they are located, and when they were accessed is stored in the registry. This is all very useful information when a forensics investigation needs to be performed.

1.2.11 Lab – Exploring Processes, Threads, Handles, and Windows Registry

1.3.1 Run as Administrator

As a security best practice, it is not advisable to log on to Windows using the Administrator account or an account with administrative privileges. This is because any program that is executed while logged on with those privileges will inherit administrative privileges. Malware that has administrative privileges has full access to all the files and folders on the computer.

Sometimes, it is necessary to run or install software that requires the privileges of the Administrator. To accomplish this, there are two different ways to install it.

Administrator

Right-click the command in the Windows File Explorer and choose Run as Administrator from the Context Menu.

Administrator Command Prompt

Search for command, right-click the executable file, and choose Run as Administrator from the Context Menu. Every command that is executed from this command line will be carried out with the Administrator privileges, including installation of software.

1.3.2 Local Users and Domains

When you start a new computer for the first time, or you install Windows, you will be prompted to create a user account. This is known as a local user. This account will contain all of your customization settings, access permissions, file locations, and many other user-specific data. There are also two other accounts that are present, the guest, and the administrator. Both of these accounts are disabled by default.

As a security best practice, do not enable the Administrator account and do not give standard users administrative privileges. If a user needs to perform any function that requires administrative privileges, the system will ask for the Administrator password and allow only that task to be performed as an administrator. Requiring the administrator password protects the computer by preventing any software that is not authorized from installing, executing, or accessing files.

The Guests account should not be enabled. The guest account does not have a password associated with it because it is created when a computer is going to be used by many different people who do not have accounts on the computer. Each time the guest account logs on, a default environment is provided to them with limited privileges.

To make administration of users easier, Windows uses groups. A group will have a name and a specific set of permissions associated with it. When a user is placed into a group, the permissions of that group are given to that user. A user can be placed into multiple groups to be provided with many different permissions. When the permissions overlap, certain permissions, like “explicitly deny” will override the permission provided by a different group. There are many different user groups built into Windows that are used for specific tasks. For example, the Performance Log Users group allows members to schedule logging of performance counters and collect logs either locally or remotely. Local users and groups are managed with the lusrmgr.msc control panel applet, as shown in the figure.

In addition to groups, Windows can also use domains to set permissions. A domain is a type of network service where all of the users, groups, computers, peripherals, and security settings are stored on and controlled by a database. This database is stored on special computers or groups of computers called domain controllers (DCs). Each user and computer on the domain must authenticate against the DC to logon and access network resources. The security settings for each user and each computer are set by the DC for each session. Any setting supplied by the DC defaults to the local computer or user account setting.

1.3.3 CLI and PowerShell

The Windows command line interface (CLI) can be used to run programs, navigate the file system, and manage files and folders. In addition, files called batch files can be created to execute multiple commands in succession, much like a basic script.

To open the Windows CLI, search for cmd.exe and click the program. Remember that right-clicking the program provides the option to Run as administrator, giving much more power to the commands that will be used.

The prompt displays the current location within the file system. These are a few things to remember when using the CLI:

The file names and paths are not case-sensitive, by default.
Storage devices are assigned a letter for reference. The drive letter is followed by a colon and backslash (∖). This indicates the root, or highest level, of the device. Folder and file hierarchy on the device is indicated by separating them with the backslash. For example, the path C:∖Users∖Jim∖Desktop∖file.txt refers to a file called file.txt that is in the Desktop folder within the Jim folder within the Users folder at the root of drive C:.
Commands that have optional switches use the forward slash (/) to delineate between the command and the switch option.
You can use the Tab key to auto-complete commands when directories or files are referenced.
Windows keeps a history of the commands that were entered during a CLI session. Access previously entered commands by using the up and down arrow keys.
To switch between storage devices, type the letter of the device, followed by a colon, and then press Enter.

Even though the CLI has many commands and features, it cannot work together with the core of Windows or the GUI. Another environment, called the Windows PowerShell, can be used to create scripts to automate tasks that the regular CLI is unable to create. PowerShell also provides a CLI for initiating commands. PowerShell is an integrated program within Windows and can be opened by searching for “powershell” and clicking the program. Like the CLI, PowerShell can also be run with administrative privileges.

These are the types of commands that PowerShell can execute:

cmdlets – These commands perform an action and return an output or object to the next command that will be executed.
PowerShell scripts – These are files with a .ps1 extension that contain PowerShell commands that are executed.
PowerShell functions – These are pieces of code that can be referenced in a script.

To see more information about Windows PowerShell and get started using it, type help in PowerShell, as shown in the command output.

There are four levels of help in Windows PowerShell:

get-help PS command – Displays basic help for a command
get-help PS command [-examples] – Displays basic help for a command with examples
get-help PS command [-detailed] – Displays detailed help for a command with examples
get-help PS command [-full] – Displays all help information for a command with examples in greater depth

1.3.4 Windows Management Instrumentation

Windows Management Instrumentation (WMI) is used to manage remote computers. It can retrieve information about computer components, hardware and software statistics, and monitor the health of remote computers. To open the WMI control from the Control Panel, double-click Administrative Tools > Computer Management to open the Computer Management window, expand the Services and Applications tree and right-click the WMI Control icon > Properties.

The WMI Control Properties window is shown in the figure.

These are the four tabs in the WMI Control Properties window:

General – Summary information about the local computer and WMI
Backup/Restore – Allows manual backup of statistics gathered by WMI
Security – Settings to configure who has access to different WMI statistics
Advanced – Settings to configure the default namespace for WMI

Some attacks today use WMI to connect to remote systems, modify the registry, and run commands. WMI helps them to avoid detection because it is common traffic, most often trusted by the network security devices and the remote WMI commands do not usually leave evidence on the remote host. Because of this, WMI access should be strictly limited.

1.3.5 The net Command

Windows has many commands that can be entered at the command line. One important command is the net command, which is used in the administration and maintenance of the OS. The net command supports many subcommands that follow the net command and can be combined with switches to focus on specific output.

To see a list of the many net commands, type net help at the command prompt. The command output shows the commands that the net command can use. To see verbose help about any of the net commands, type C:∖> net help ,as shown below.

net accounts

Sets password and logon requirements for users

net session

Lists or disconnects sessions between a computer and other computers on the network

net share

Creates, removes, or manages shared resources

net start

Starts a network service or lists running network services

net stop

Stops a network service

net use

Connects, disconnects, and displays information about shared network resources

net view

Shows a list of computers and network devices on the network

1.3.6 Task Manager and Resource Monitor

There are two very important and useful tools to help an administrator to understand the many different applications, services, and processes that are running on a Windows computer. These tools also provide insight into the performance of the computer, such as CPU, memory, and network usage. These tools are especially useful when investigating a problem where malware is suspected. When a component is not performing the way that it should be, these tools can be used to determine what the problem might be.

Task Manager

The Task Manager, which is shown in the figure, provides a lot of information about the software that is running and the general performance of the computer.

Processes

Lists all of the programs and processes that are currently running.
Displays the CPU, memory, disk, and network utilization of each process.
The properties of a process can be examined or ended if it is not behaving properly or has stalled.

Performance

A view of all the performance statistics provides a useful overview of the CPU, memory, disk, and network performance.
Clicking each item in the left pane will show detailed statistics of that item in the right pane.

App history

The use of resources by application over time provides insight into applications that are consuming more resources than they should.
Click Options and Show history for all processes to see the history of every process that has run since the computer was started.

Startup

All of the applications and services that start when the computer is booted are shown in this tab.
To disable a program from starting at startup, right-click the item and choose Disable.

Users

All of the users that are logged on to the computer are shown in this tab.
Also shown are all the resources that each user’s applications and processes are using.
From this tab, an administrator can disconnect a user from the computer.

Details

Similar to the Processes tab, this tab provides additional management options for processes such as setting a priority to make the processor devote more or less time to a process.
CPU affinity can also be set which determines which core or CPU a program will use.
Also, a useful feature called Analyze wait chain shows any process for which another process is waiting.
This feature helps to determine if a process is simply waiting or is stalled.

Services

All the services that are loaded are shown in this tab.
The process ID (PID) and a short description are also shown along with the status of either Running or Stopped.
At the bottom, there is a button to open the Services console which provides additional management of services.

Overview

The tab displays the general usage for each resource.
If you select a single process, it will be filtered across all of the tabs to show only that process’s statistics.

CPU

The PID, number of threads, which CPU the process is using, and the average CPU usage of each process is shown.
Additional information about any services that the process relies on, and the associated handles and modules can be seen by expanding the lower rows.

Memory

All of the statistical information about how each process uses memory is shown in this tab.
Also, an overview of usage of all the RAM is shown below the Processes row.

Disk

All of the processes that are using a disk are shown in this tab, with read/write statistics and an overview of each storage device.

Network

All of the processes that are using the network are shown in this tab, with read/write statistics.
Most importantly, the current TCP connections are shown, along with all of the ports that are listening.
This tab is very useful when trying to determine which applications and processes are communicating over the network.
It makes it possible to tell if an unauthorized process is accessing the network, listening for a communication, and the address with which it is communicating.

1.3.7 Networking

One of the most important features of any operating system is the ability for the computer to connect to a network. Without this feature, there is no access to network resources or the internet. To configure Windows networking properties and test networking settings, the Network and Sharing Center is used. The easiest way to run this tool is to search for it and click it. Use the Network and Sharing Center to verify or create network connections, configure network sharing, and change network adapter settings.

Network and Sharing Center

The initial view shows an overview of the active network. This view shows whether there is internet access and if the network is private, public, or guest. The type of network, either wired or wireless, is also shown. From this window, you can see the HomeGroup the computer belongs to, or create one if it is not already part of a HomeGroup. This tool can also be used to change adapter settings, change advance sharing settings, set up a new connection, or troubleshoot problems. Note that HomeGroup was removed from Windows 10 in version 1803.

Change Adapter Settings

To configure a network adapter, choose Change adapter settings in the Networking and Sharing Center to show all of the network connections that are available. Select the adapter that you want to configure. In this case, we change an Ethernet adapter to acquire its IPv4 address automatically from the network.

Acess Adapter Properties

Right-click the adapter you wish to configure and choose Properties, as shown in the figure.

Acess TCP/IPV4 Properties

This connection uses the following items: Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6) depending on which version you wish to use. In the figure, IPv4 is being selected.

Change Settings

Click Properties to configure the adapter. In the Properties dialogue box, shown in the figure, you can choose to Obtain an address automatically if there is a DHCP server available on the network. If you wish to configure addressing manually, you can fill in the address, subnet, default gateway, and DNS servers to configure the adapter. Click OK to accept the changes. You can also use the netsh.exe tool to configure networking parameters from a command prompt. This program can display and modify the network configuration. Type netsh /? at the command prompt to see a list of all the switches that can be used with this command.

nslookup and netstat

Domain Name System (DNS) should also be tested because it is essential to finding the address of hosts by translating it from a name, such as a URL. Use the nslookup command to test DNS. Type nslookup cisco.com at the command prompt to find the address of the Cisco webserver. When the address is returned, you know that DNS is functioning correctly. You can also check to see what ports are open, where they are connected, and what their current status is. Type netstat at the command line to see details of active network connections, as shown in the command output. The netstat command will be examined further later in this module.

1.3.8 Accessing Network Resources

Like other operating systems, Windows uses networking for many different applications such as web, email, and file services. Originally developed by IBM, Microsoft aided in the development of the Server Message Block (SMB) protocol to share network resources. SMB is mostly used for accessing files on remote hosts. The Universal Naming Convention (UNC) format is used to connect to resources, for example:

∖∖servername∖sharename∖file

In the UNC, servername is the server that is hosting the resource. This can be a DNS name, a NetBIOS name, or simply an IP address. The sharename is the root of the folder in the file system on the remote host, while the file is the resource that the local host is trying to find. The file may be deeper within the file system and this hierarchy will need to be indicated.

When sharing resources on the network, the area of the file system that will be shared will need to be identified. Access control can be applied to the folders and files to restrict users and groups to specific functions such as read, write, or deny. There are also special shares that are automatically created by Windows. These shares are called administrative shares. An administrative share is identified by the dollar sign ($) that comes after the share name. Each disk volume has an administrative share, represented by the volume letter and the $ such as C$, D$, or E$. The Windows installation folder is shared as admin$, the printers’ folder is shared as print$, and there are other administrative shares that can be connected. Only users with administrative privileges can access these shares.

The easiest way to connect to a share is to type the UNC of the share into the Windows File Explorer, in the box at the top of the screen which shows the breadcrumb listing of the current file system location. When Windows tries to connect to the share, you will be asked to provide credentials for accessing the resource. Remember that because the resource is on a remote computer, the credentials need to be for the remote computer, not the local computer.

Besides accessing shares on remote hosts, you can also log in to a remote host and manipulate that computer, as if it were local, to make configuration changes, install software, or troubleshoot an issue. In Windows, this feature uses the Remote Desktop Protocol (RDP). When investigating security incidents, a security analyst uses RDP often to access remote computers. To start RDP and connect to a remote computer, search for remote desktop and click the application. The Remote Desktop Connection window is shown in the figure.

Because RDP is designed to permit remote users to control individual hosts, it is a natural target for threat actors. Care should be taken when activating RDP, especially on unpatched legacy versions of Windows such as those that are still found in industrial control systems. Care should be taken to limit the exposure of RDP to the internet, and security approaches and access control policies, such as Zero Trust, should be used to limit access to internal hosts.

1.3.9 Windows Server

Note: Although there is a Windows Server 2000, it is considered a client version of Windows NT 5.0. Windows Server 2003 is a server based on NT 5.2 and begins a new family of Windows Server versions.

These are some of the services that Windows Server provides:

Network Services – DNS, DHCP, Terminal services, Network Controller, and Hyper-V Network virtualization
File Services – SMB, NFS, and DFS
Web Services – FTP, HTTP, and HTTPS
Management – Group policy and Active Directory domain services control

1.3.10 Lab – Create User Accounts

1.3.11 Lab – Using Windows PowerShell

1.3.12 Lab – Windows Task Manager

1.3.13 Lab – Monitor and Manage System Resources in Windows

1.4.1 The netstat Command

When malware is present in a computer, it will often open communication ports on the host to send and receive data. The netstat command can be used to look for inbound or outbound connections that are not authorized. When used on its own, the netstat command will display all of the active TCP connections.

By examining these connections, it is possible to determine which of the programs are listening for connections that are not authorized. When a program is suspected of being malware, a little research can be performed to determine its legitimacy. From there, the process can be shut down with Task Manager, and malware removal software can be used to clean the computer.

To make this process easier, you can link the connections to the running processes that created them in Task Manager. To do this, open a command prompt with administrative privileges and enter the netstat -abno command, as shown in the command output.

Note: If you are not in administrator mode, a “The requested operation requires elevation” message will appear. Search for Command Prompt. Right-click on Command Prompt and chose Run as administrator.

By examining the active TCP connections, an analyst should be able to determine if there are any suspicious programs that are listening for incoming connections on the host. You can also trace that process to the Windows Task Manager and cancel the process. There may be more than one process listed with the same name. If this is the case, use the PID to find the correct process. Each process running on the computer has a unique PID. To display the PIDs for the processes in the Task Manager, open the Task Manager, right-click the table heading and select PID.

1.4.2 Event Viewer

Windows Event Viewer logs the history of application, security, and system events. These log files are a valuable troubleshooting tool because they provide information necessary to identify a problem. To open the Event Viewer, search for it and click the program icon, as shown in the figure.

Windows includes two categories of event logs: Windows Logs, and Application and Services Logs. Each of these categories has multiple log types. Events that are displayed in these logs have a level: information, warning, error, or critical. They also have the date and time that the event occurred, along with the source of the event and an ID which relates to that type of event.

It is also possible to create a custom view. This is useful when looking for certain types of events, finding events that happened during a certain time period, displaying events of a certain level, and many other criteria. There is a built-in custom view called Administrative Events that shows all critical, error, and warning events from all of the administrative logs. This is a good view to start with when trying to troubleshoot a problem.

Security event logs are found under Windows Logs. They use event IDs to identify the type of event.

1.4.3 Windows Update Management

No software is perfect, and the Windows operating system is no exception. Attackers are constantly coming up with new ways to compromise computers and exploit bad code. Some of these attacks come so quickly that defenses against them have not yet been devised and distributed. These are called zero-day exploits. Microsoft and security software developers are always trying to stay ahead of the attackers, but they are not always successful. To ensure the highest level of protection against these attacks, always make sure Windows is up to date with the latest service packs and security patches.

Patches are code updates that manufacturers provide to prevent a newly discovered virus or worm from making a successful attack. From time to time, manufacturers combine patches and upgrades into a comprehensive update application called a service pack. Many devastating virus attacks could have been much less severe if more users had downloaded and installed the latest service pack. It is highly desirable that enterprises utilize systems that automatically distribute, install, and track security updates.

Windows routinely checks the Windows Update website for high-priority updates that can help protect a computer from the latest security threats. These updates include security updates, critical updates, and service packs. Depending on the setting you choose, Windows automatically downloads and installs any high-priority updates that your computer needs or notifies you as these updates become available. To configure the settings for Windows update, search for Windows Update and click the application.

Update status, shown in the figure, allows you to check for updates manually and see the update history of the computer.

There are also settings for the hours where the computer will not automatically restart, for example during regular business hours. You can also choose when to restart the computer after an update, if necessary, with the Restart options. Advanced options are also available to choose how updates are installed how other Microsoft products are updated.

1.4.4 Local Security Policy

A security policy is a set of objectives that ensures the security of a network, the data, and the computer systems in an organization. The security policy is a constantly evolving document based on changes in technology, business, and employee requirements.

In most networks that use Windows computers, Active Directory is configured with Domains on a Windows Server. Windows computers join the domain. The administrator configures a Domain Security Policy that applies to all computers that join the domain. Account policies are automatically set when a user logs in to a computer that is a member of a domain. Windows Local Security Policy, shown in the figure, can be used for stand-alone computers that are not part of an Active Directory domain. To open the Local Security Policy applet, search for Local Security Policy and click the program.

Password guidelines are an important component of a security policy. Any user that must log on to a computer or connect to a network resource should be required to have a password. Passwords help prevent theft of data and malicious acts. Passwords also help to confirm that the logging of events is valid by ensuring that the user is the person that they say they are. In the Local Security Policy, Password Policy is found under Account Policies and defines the criteria for the passwords for all of the users on the local computer.

Use the Account Lockout Policy in Account Policies to prevent brute-force login attempts. For example, you can set the policy to allow the user to enter a wrong username and/or password five times. After five attempts, the account is locked for 30 minutes. After 30 minutes, the number of attempts is reset to zero and the user can attempt to login again.

It is important to make sure that computers are secure when users are away. A security policy should contain a rule about requiring a computer to lock when the screensaver starts. This will ensure that after a short time away from the computer, the screen saver will start and then the computer cannot be used until the user logs in.

If the Local Security Policy on every stand-alone computer is the same, then use the Export Policy feature. Save the policy with a name, such as workstation.inf. Copy the policy file to an external media or network drive to use on other stand-alone computers. This is particularly helpful if the administrator needs to configure extensive local policies for user rights and security options.

The Local Security Policy applet contains many other security settings that apply specifically to the local computer. You can configure User Rights, Firewall Rules, and even the ability to restrict the files that users or groups are allowed to run with the AppLocker.

1.4.5 Windows Defender

Antivirus protection

This program continuously monitors for viruses. When a virus is detected, the user is warned, and the program attempts to quarantine or delete the virus.

Adware protection

This program continuously looks for programs that display advertising on your computer.

Phishing protection

This program blocks the IP addresses of known phishing websites and warns the user about suspicious sites.

Spyware protection

This program scans for keyloggers and other spyware.

Trusted / untrusted sources

This program warns you about unsafe programs about to be installed or unsafe websites before they are visited.

To open Windows Defender, search for it and click the program. Although Windows Defender works in the background, you can perform manual scans of the computer and storage devices. You can also manually update the virus and spyware definitions in the Update tab. Also, to see all of the items that were found during previous scans, click the History tab.

1.4.6 Windows Defender Firewall

A firewall selectively denies traffic to a computer or network segment. Firewalls generally work by opening and closing the ports used by various applications. By opening only the required ports on a firewall, you are implementing a restrictive security policy. Any packet not explicitly permitted is denied. In contrast, a permissive security policy permits access through all ports, except those explicitly denied. In the past, software and hardware were shipped with permissive settings. As users neglected to configure their equipment, the default permissive settings left many devices exposed to attackers. Most devices now ship with settings as restrictive as possible, while still allowing easy setup.

To allow program access through the Windows Defender Firewall, search for Control Panels. Under Systems and Security, locate Windows Defender Firewall. Click Allow an app or feature through Windows Defender Firewall, as shown in the figure.

If you wish to use a different software firewall, you will need to disable Windows Firewall. To disable the Windows Firewall, click Turn Windows Firewall on or off.

Many additional settings can be found under Advanced settings. Here you can create inbound or outbound traffic rules based on different criteria. You can also import and export policies or monitor different aspects of the firewall.

1.5.1 What Did I Learn in this Module?

Windows History

The first computers required a Disk Operating System (DOS) to create and manage files. Microsoft developed MS-DOS as a command line interface (CLI) to access the disk drive and load the operating system files. Early versions of Windows consisted of a Graphical User Interface (GUI) that ran over MS-DOS. However, modern Windows versions are in direct control of the computer and its hardware and support multiple user processes. This is much different than the single process, single user MS-DOS. Since 1993, there have been more than 20 releases of Windows that are based on the NT operating system. Users use a Windows GUI to work with data files and software. The GUI has a main area that is known as the Desktop and a Task Bar situated below the desktop. The Task Bar includes the Start menu, quick launch icons, and a notification area. Windows has many vulnerabilities. Recommendations to secure the Windows OS include use of virus or malware protection, use of strong passwords, use of firewall, and limited use of the administrator account, among others.

Windows Architecture and Operations

Windows consists of a hardware abstraction layer (HAL) that is software that handles all of the communication between the hardware and the kernel. The kernel has control over the entire computer and handles input and output requests, memory, and all of the peripherals connected to the computer. Windows operates in two different modes. The first is user mode. Most Windows programs run in user mode. The second is kernel mode. It allows operating system code direct access to the computer hardware. Windows supports several different file systems, but NTFS is the most widely used. NTFS volumes include the partition boot sector, master file table, system files and the file area. When a computer boots, it first accesses system information and code that is stored in BIOS hardware. The BIOS boot code performs a system self-test called POST, locates and loads the Windows OS, and loads other associated programs to start the operating system. Windows should always be shutdown properly.

A computer works by storing instructions in RAM until the CPU processes them. Each process in a 32-bit Windows computer supports a virtual address space that enables addressing up to 4 gigabytes. Each process in a 64-bit Windows computer supports a virtual address space of up to 8 terabytes. Windows stores all of the information about hardware, applications, users, and system settings in a large database known as the registry. The registry is a hierarchical database where the highest level is known as a hive, below that there are keys, followed by subkeys. There are five registry hives that contain data regarding the configuration and operation of Windows. There are hundreds of keys and subkeys.

Windows Configuration and Monitoring

For security reasons, it is not advisable to log on to Windows using the Administrator account or an account with administrative privileges. Do not give standard users administrative privileges. Do not enable the Guests account unless the computer is going to be used by many different people who do not have accounts. Use Windows groups to make administration of users easier. Local users and groups are managed with the lusrmgr.msc control panel applet.

You can use the CLI or the Windows PowerShell to execute commands. PowerShell can be used to create scripts to automate tasks that the regular CLI is unable to automate. Windows Management Instrumentation (WMI) is used to manage remote computers. The net command can be combined with switches to focus on specific output. Task Manager provides a lot of information about what is running, and the general performance of the computer. The Resource Monitor provides more detailed information about resource usage. The Network and Sharing Center is used to configure Windows networking properties and test networking settings. The Server Message Block (SMB) protocol is used to share network resources such as files on remote hosts. The Universal Naming Convention (UNC) format is used to connect to resources. Windows Server is an edition of Windows that is mainly used in data centers. It provides network, file, web, and management services to a Windows network or domain.

Windows Security

Malware can open communication ports to communicate and spread. The Windows netstat command displays all open communication ports on a computer and can also display the software processes that are associated with the ports. This enables unknown potentially malicious software to be identified and shutdown. Windows Event Viewer provides access to numerous logged events regarding the operation of a computer. Windows logs Windows events and applications and services events. Logged event severity levels range through the information, warning, error, or critical levels. It is very important to keep Windows up to date to guard against new security threats. Software patches, updates, and service packs address security vulnerabilities as they are discovered. Windows should be configured to automatically download and install updates as they become available. Windows can be configured to only install and restart a computer at specified times of day.

2.0.1 Why Should I Take this Module?

Linux is an open-source operating system that is fast, powerful, and highly customizable. It is built for network use as either a client or server. Linux is well-loved by a large community of users, including cybersecurity personnel.

Study this module to learn some basic information about the Linux operating system and learn some Linux skills. Linux skills are highly desirable in the cybersecurity operations profession.#whyshoulditakemodule

2.0.2 What Will I Learn in this Module?

his module contains the following:

2 Videos
7 Labs
1 Module Quiz

Module Title: Linux Overview

Module Objective: Implement basic Linux security.

2.0.3 Lab Video – Install a Virtual Machine on a Personal Computer

2.0.4 Lab – Install a Virtual Machine on a Personal Computer

2.1.1 What is Linux?

Linux is an operating system that was created in 1991. Linux is open source, fast, reliable, and small. It requires very little hardware resources to run and is highly customizable. Unlike other operating systems such as Windows and Mac OS X, Linux was created, and is currently maintained by, a community of programmers. Linux is part of several platforms and can be found on devices anywhere from “wristwatches to supercomputers”.

Another important aspect of Linux is that it is designed to be connected to the network, which makes it much simpler to write and use network-based applications. Because Linux is open source, any person or company can get the kernel’s source code, inspect it, modify it, and re-compile it at will. They are also allowed to redistribute the program with or without charges.

A Linux distribution is the term used to describe packages created by different organizations. Linux distributions (or distros) include the Linux kernel with customized tools and software packages. While some of these organizations may charge for their Linux distribution support (geared towards Linux-based businesses), the majority of them also offer their distribution for free without support. Debian, Red Hat, Ubuntu, CentOS, and SUSE are just a few examples of Linux distributions.

2.1.2 The Value of Linux

Linux is often the operating system of choice in the Security Operations Center (SOC). These are some of the reasons to choose Linux:

Linux is open source – Any person can acquire Linux at no charge and modify it to fit specific needs. This flexibility allows analysts and administrators to tailor-build an operating system specifically for security analysis.
The Linux CLI is very powerful – While a GUI makes many tasks easier to perform, it adds complexity and requires more computer resources to run. The Linux Command Line Interface (CLI) is extremely powerful and enables analysts to perform tasks not only directly on a terminal, but also remotely.
The user has more control over the OS – The administrator user in Linux, known as the root user, or superuser, has absolute power over the computer. Unlike other operating systems, the root user can modify any aspect of the computer with a few keystrokes. This ability is especially valuable when working with low level functions such as the network stack. It allows the root user to have precise control over the way network packets are handled by the operating system.
It allows for better network communication control – Control is an inherent part of Linux. Because the OS can be adjusted in practically every aspect, it is a great platform for creating network applications. This is the same reason that many great network-based software tools are available for Linux only.

2.1.3 Linux in the SOC

The flexibility provided by Linux is a great feature for the SOC. The entire operating system can be tailored to become the perfect security analysis platform. For example, administrators can add only the necessary packages to the OS, making it lean and efficient. Specific software tools can be installed and configured to work in conjunction, allowing administrators to build a customized computer that fits perfectly in the workflow of a SOC.

The figure shows Sguil, which is the cybersecurity analyst console in a special version of Linux called Security Onion. Security Onion is an open source suite of tools that work together for network security analysis.

Select the headings to find out more about tools that are often found in a SOC.

Network packet capture software

A crucial tool for a SOC analyst as it makes it possible to observe and understand every detail of a network transaction.
Wireshark is a popular packet capture tool.

Malware analysis tools

These tools allow analysts to safely run and observe malware execution without the risk of compromising the underlying system.

Intrusions detection systems (IDSs)

These tools are used for real-time traffic monitoring and inspection.
If any aspect of the currently flowing traffic matches any of the established rules, a pre-defined action is taken.

Firewalls

This software is used to specify, based on pre-defined rules, whether traffic is allowed to enter or leave a network or device.

Log managers

Log files are used to record events.
Because a network can generate a very large number of log entries, log manager software is employed to facilitate log monitoring.

Security information and event management (SIEM)

SIEMs provide real-time analysis of alerts and log entries generated by network appliances such as IDSs and firewalls.

Ticketing systems

Task ticket assignment, editing, and recording is done through a ticket management system. Security alerts are often assigned to analysts through a ticketing system.

2.2.1 The Linux Shell

In Linux, the user communicates with the OS by using the CLI or the GUI. Linux often starts in the GUI by default. This hides the CLI from the user. One way to access the CLI from the GUI is through a terminal emulator application. These applications provide user access to the CLI and are often named as some variation of the word “terminal”. In Linux, popular terminal emulators are Terminator, eterm, xterm, konsole, and gnome-terminal.

Fabrice Bellard has created JSLinux which allows an emulated version of Linux to run in a browser. Search for it on the internet. Open a Linux console in JSLinux and type the ls command to list the current directory content. Keep the tab open if you would like to try out some of the other commands discussed in this chapter.

The figure shows gnome-terminal, a popular Linux terminal emulator.

Note: The terms shell, console, console window, CLI terminal, and terminal window are often used interchangeably.

2.2.2 Basic Commands

Linux commands are programs created to perform a specific task. Use the man command (short for manual) to obtain documentation about commands. As an example, man ls provides documentation about the ls command from the user manual.

Because commands are programs stored on the disk, when a user types a command, the shell must find it on the disk before it can be executed. The shell will look for user-typed commands in specific directories and attempt to execute them. The list of directories checked by the shell is called the path. The path contains many directories commonly used to store commands. If a command is not in the path, the user must specify its location, or the shell will not be able to find it. Users can easily add directories to the path, if necessary.

To invoke a command via the shell, simply type its name. The shell will try to find it in the system path and execute it.

The table lists basic Linux commands and their functions.

Note: It is assumed that the user has the proper permissions to execute the command. File permissions in Linux are covered later in this module.

2.2.3 File and Directory Commands

2.2.4 Working with Text Files

Linux has many different text editors, with various features and functions. Some text editors include graphical interfaces while others are command-line only tools. Each text editor includes a feature set designed to support a specific type of task. Some text editors focus on the programmer and include features such as syntax highlighting, brackets and parenthesis check, and other programming-focused features.

While graphical text editors are convenient and easy to use, command line-based text editors are very important for Linux users. The main benefit of command-line-based text editors is that they allow for text file editing from a remote computer.

Consider the following scenario: a user must perform administrative tasks on a Linux computer but is not sitting in front of that computer. Using SSH, the user starts a remote shell to the remote computer. Under the text-based remote shell, the graphical interface is not available, which makes it impossible to rely on tools such as graphical text editors. In this type of situation, text-based programs are crucial.

The figure shows nano, a popular command-line text editor. The administrator is editing firewall rules. Text editors are often used for system configuration and maintenance in Linux.

Due to the lack of graphical support, nano (or GNU nano) can only be controlled with the keyboard. For example, CTRL+O saves the current file; CTRL+W opens the search menu. GNU nano uses a two-line shortcut bar at the bottom of the screen, where commands for the current context are listed. Press CTRL+G for the help screen and a complete list of commands.

2.2.5 The Importance of Text Files in Linux

In Linux, everything is treated as a file. This includes the memory, the disks, the monitor, and the directories. For example, from the operating system standpoint, showing information on the display means to write to the file that represents the display device. It should be no surprise that the computer itself is configured through files. Known as configuration files, they are usually text files used to store adjustments and settings for specific applications or services. Practically everything in Linux relies on configuration files to work. Some services have not one, but several configuration files.

Users with proper permission levels can use text editors to change the contents of configuration files. After the changes are made, the file is saved and can be used by the related service or application. Users are able to specify exactly how they want any given application or service to behave. When launched, services and applications check the contents of specific configuration files to adjust their behavior accordingly.

In the figure, the administrator opened the host configuration file in nano for editing. The host file contains static mappings of host IP addresses to names. The names serve as shortcuts that allow connecting to other devices by using a name instead of an IP address. Only the superuser can change the host file.

Note: The administrator used the command sudo nano /etc/hosts to open the file. The command sudo (short for “superuser do”) invokes the superuser privilege to use the nano text editor to open the host file.

2.2.6 Lab – Working with Text Files in the CLI

2.2.7 Lab – Getting Familiar with the Linux Shell

2.3.1 An Introduction to Client-Server Communications

Servers are computers with software installed that enables them to provide services to clients across the network. There are many types of services. Some provide external resources such as files, email messages, or web pages to clients upon request. Other services run maintenance tasks such as log management, memory management, disk scanning, and more. Each service requires separate server software. For example, the server in the figure uses file server software to provide clients with the ability to retrieve and submit files.

2.3.2 Servers, Services, and Their Ports

In order that a computer can be the server for multiple services, ports are used. A port is a reserved network resource used by a service. A server is said to be “listening” on a port when it has associated itself to that port.

While the administrator can decide which port to use with any given service, many clients are configured to use a specific port by default. It is common practice to leave the service running in its default port. The table lists a few commonly used ports and their services. These are also called “well-known ports”.

2.3.3 Clients

2.3.4 Lab Video – Use a Port Scanner to Detect Open Ports

2.3.5 Lab – Use a Port Scanner to Detect Open Ports

2.3.6 Lab – Linux Servers

2.4.1 Service Configuration Files

In Linux, services are managed using configuration files. Common options in configuration files are port number, location of the hosted resources, and client authorization details. When the service starts, it looks for its configuration files, loads them into memory, and adjusts itself according to the settings in the files. Configuration file modifications often require restarting the service before the changes take effect.

Because services often require superuser privileges to run, service configuration files often require superuser privileges to edit.

The command output shows a portion of the configuration file for Nginx, which is a lightweight web server for Linux.

The next command output shows the configuration file for the network time protocol (NTP).

The last command output shows the configuration file for Snort, a Linux-based intrusion detection system (IDS).

There is no rule for a configuration file format; it is the choice of the service’s developer. However, the option = value format is often used. For example, in the last command output, the variable ipvar is configured with several options. The first option, HOME_NET, has the value 209.165.200.224/27. The hash character (#) is used to indicate comments.

2.4.2 Hardening Devices

Device hardening involves implementing proven methods of securing the device and protecting its administrative access. Some of these methods involve maintaining passwords, configuring enhanced remote login features, and implementing secure login with SSH. Defining administrative roles in terms of access is another important aspect of securing infrastructure devices because not all information technology personnel should have the same level of access to the infrastructure devices.

Depending on the Linux distribution, many services are enabled by default. Some of these features are enabled for historical reasons but are no longer required. Stopping such services and ensuring they do not automatically start at boot time is another device hardening technique.

OS updates are also extremely important to maintaining a hardened device. New vulnerabilities are discovered every day. OS developers create and issue fixes and patches regularly. An up-to-date computer is less likely to be compromised.

The following are basic best practices for device hardening.

Ensure physical security
Minimize installed packages
Disable unused services
Use SSH and disable the root account login over SSH
Keep the system updated
Disable USB auto-detection
Enforce strong passwords
Force periodic password changes
Keep users from re-using old passwords

Many other steps exist and are often service or application-dependent.

2.4.3 Monitoring Service Logs

Log files are the records that a computer stores to keep track of important events. Kernel, services, and application events are all recorded in log files. It is very important for an administrator to periodically review the logs of a computer to keep it healthy. By monitoring Linux log files, an administrator gains a clear picture of the computer’s performance, security status, and any underlying issues. Log file analysis allows an administrator to guard against upcoming issues before they occur.

In Linux, log files can be categorized as:

Application logs
Event logs
Service logs
System logs

Some logs contain information about daemons that are running in the Linux system. A daemon is a background process that runs without the need for user interaction. For example, the System Security Services Daemon (SSSD) manages remote access and authentication for single sign-on capabilities.

The table lists a few popular Linux log files and their functions.

The command output shows a portion of /var/log/messages log file. Each line represents a logged event. The timestamps at the beginning of the lines mark the moment the event took place.

2.4.4 Lab – Locating Log Files

2.5.1 The File System Types in Linux

ext2 (second extended file system)

ext2 was the default file system in several major Linux distributions until supplanted by ext3.
Almost fully compatible with ext2, ext3 also supports journaling (see below).
ext2 is still the file system of choice for flash-based storage media because its lack of a journal increases performance and minimizes the number of writes.
Because flash memory devices have a limited number of write operations, minimizing write operations increases the device’s lifetime.
However, contemporary Linux kernels also support ext4, an even more modern file system, with better performance and which can also operate in a journal-less mode.

ext3 (third extended file system)

ext3 is a journaled file system designed to improve the existing ext2 file system.
A journal, the main feature added to ext3, is a technique used to minimize the risk of file system corruption in the event of sudden power loss.
The file systems keeps a log (or journal) of all the file system changes about to be made.
If the computer crashes before the change is complete, the journal can be used to restore or correct any eventual issues created by the crash.
The maximum file size in ext3 file systems is 32 TB.

ext4 (fourth extended file system)

Designed as a successor of ext3, ext4 was created based on a series of extensions to ext3.
While the extensions improve the performance of ext3 and increase supported file sizes, Linux kernel developers were concerned about stability issues and were opposed to adding the extensions to the stable ext3.
The ext3 project was split in two; one kept as ext3 and its normal development and the other, named ext4, incorporated the mentioned extensions.

NFS (Network File System)

NFS is a network-based file system, allowing file access over the network.
From the user standpoint, there is no difference between accessing a file stored locally or on another computer on the network.
NFS is an open standard which allows anyone to implement it.

CDFS (Compact Disc File System)

CDFS was created specifically for optical disk media.

Swap File System

The swap file system is used by Linux when it runs out of RAM.
Technically, it is a swap partition that does not have a specific file system, but it is relevant to the file system discussion.
When this happens, the kernel moves inactive RAM content to the swap partition on the disk.
While swap partitions (also known as swap space) can be useful to Linux computers with a limited amount of memory, they should not be considered as a primary solution.
Swap partition is stored on disk which has much lower access speeds than RAM.

HFS Plus or HFS+ (Hierarchical File System Plus)

A file system used by Apple in its Macintosh computers.
The Linux kernel includes a module for mounting HFS+ for read-write operations.

APFS (Apple File System)

An updated file system that is used by Apple devices. It provides strong encryption and is optimized for flash and solid-state drives.

Master Boot Record (MBR)

Located in the first sector of a partitioned computer, the MBR stores all the information about the way in which the file system is organized.
The MBR quickly hands over control to a loading function, which loads the OS.

Mounting is the term used for the process of assigning a directory to a partition. After a successful mount operation, the file system contained on the partition is accessible through the specified directory. In this context, the directory is called the mounting point for that file system. Windows users may be familiar with a similar concept: the drive letter.

The command output shows the output of

the mount command issued in the Cisco CyberOPS VM.

When issued with no options, mount returns the list of file systems currently mounted in a Linux computer. While many of the file systems shown are out of the scope of this course, notice the root file system (highlighted). The root file system is represented by the “/” symbol and holds all files in the computer by default. It is also shown in the output that the root file system was formatted as ext4 and occupies the first partition of the first drive (/dev/sda1).

2.5.2 Linux Roles and File Permissions

In Linux, most system entities are treated as files. In order to organize the system and enforce boundaries within the computer, Linux uses file permissions. File permissions are built into the file system structure and provide a mechanism to define permissions on every file. Every file in Linux carries its file permissions, which define the actions that the owner, the group, and others can perform with the file. The possible permission rights are Read, Write and Execute. The ls command with the -l parameter lists additional information about the file.

Consider the output of the ls -l command in the command output.

The output provides a lot of information about the file space.txt.

The first field of the output displays the permissions that are associated with space.txt (-rwxrw-r–). File permissions are always displayed in the User, Group, and Other order.

The file space.txt in has the following permissions:

The dash (-) means that this is a file. For directories, the first dash would be a “d”.
The first set of characters is for user permission (rwx ). The user, analyst, who owns the file can Read, Write and eXecute the file.
The second set of characters is for group permissions (rw-). The group, staff, who owns the file can Read and Write to the file.
The third set of characters is for any other user or group permissions (r–). Any other user or group on the computer can only Read the file.

The second field defines the number of hard links to the file (the number 1 after the permissions). A hard link creates another file with a different name linked to the same place in the file system (called an inode). This is in contrast to a symbolic link, which is discussed on the next page.

The third and fourth field display the user (analyst) and group (staff) who own the file, respectively.

The fifth field displays the file size in bytes. The space.txt file has 253 bytes.

The sixth field displays the date and time of the last modification.

The seventh field displays the file name.

The figure shows a breakdown of file permissions in Linux.

Binary	Octal	Permission	Description
000	0	—	No access
001	1	–x	Execute only
010	2	-w-	Write only
011	3	-wx	Write and Execute
100	4	r–	Read only
101	5	r-x	Read and Execute
110	6	rw-	Read and Write
111	7	rwx	Read, Write and Execute

File permissions are a fundamental part of Linux and cannot be broken. A user has only the rights to a file that the file permissions allow. The only user that can override file permission on a Linux computer is the root user. Because the root user has the power to override file permissions, the root user can write to any file. Because everything is treated as a file, the root user has full control over a Linux computer. Root access is often required before performing maintenance and administrative tasks. Because of the power of the root user, root credentials should use strong passwords and not be shared with anyone other than system administrators and other high-level users.

2.5.3 Hard Links and Symbolic Links

A hard link is another file that points to the same location as the original file. Use the command ln to create a hard link. The first argument is the existing file and the second argument is the new file. As shown in the command output, the file space.txt is linked to space.hard.txt and the link field now shows 2.

Both files point to the same location in the file system. If you change one file, the other is changed, as well. The echo command is used to add some text to space.txt. Notice that the file size for both space.txt and space.hard.txt increased to 257 bytes. If you delete the space.hard.txt with the rm command (remove), the space.txt file still exists, as verified with the more space.txt command.

A symbolic link, also called a symlink or soft link, is similar to a hard link in that applying changes to the symbolic link will also change the original file. As shown in the command output below, use the ln command option -s to create symbolic link.

Notice that adding a line of text to test.txt also adds the line to mytest.txt. However, unlike a hard link, deleting the original text.txt file means that mytext.txt is now linked to a file that no longer exists, as shown with the more mytest.txt and ls -l mytest.txt commands.

Although symbolic links have a single point of failure (the underlying file), symbolic links have several benefits over hard links:

Locating hard links is more difficult. Symbolic links show the location of the original file in the ls -l command, as shown in the last line of output in the previous command output (mytest.txt -> test.txt).
Hard links are limited to the file system in which they are created. Symbolic links can link to a file in another file system.
Hard links cannot link to a directory because the system itself uses hard links to define the hierarchy of the directory structure. However, symbolic links can link to directories.

2.5.4 Lab – Navigating the Linux Filesystem and Permission Settings

2.6.1 X Window System

The graphical interface present in most Linux computers is based on the X Window System. Also known as X or X11, X Window is a windowing system designed to provide the basic framework for a GUI. X includes functions for drawing and moving windows on the display device and interacting with a mouse and keyboard.

X works as a server which allows a remote user to use the network to connect, start a graphical application, and have the graphical window open on the remote terminal. While the application itself runs on the server, the graphical aspect of it is sent by X over the network and displayed on the remote computer.

Notice that X does not specify the user interface, leaving it to other programs, such as window managers, to define all the graphical components. This abstraction allows for great flexibility and customization as graphical components such as buttons, fonts, icons, window borders, and color schemes are all defined by the user application. Because of this separation, the Linux GUI varies greatly from distribution to distribution. Examples of window managers are Gnome and KDE. While the look and feel of window managers vary, the main components are still present.

The figure displays the Gnome Window Manager.

This figure displays the KDE Windows Manager.

2.6.2 The Linux GUI

Although an operating system does not require a GUI to function, GUIs are considered more user-friendly than the CLI. The Linux GUI as a whole can be easily replaced by the user. As a result of the large number of Linux distributions, this module focuses on Ubuntu when covering Linux because it is a very popular and user-friendly distribution.

Ubuntu Linux uses Gnome 3 as its default GUI. The goal of Gnome 3 is to make Ubuntu even more user-friendly. The table lists the main UI components of Unity.

The figure shows the location of some of the features of the Ubuntu Gnome 3 Desktop.

2.7.1 Installing and Running Applications on a Linux Host

Many end-user applications are complex programs written in compiled languages. To aid in the installation process, Linux often includes programs called package managers. A package is the term used to refer to a program and all its supporting files. By using a package manager to install a package, all the necessary files are placed in the correct file system location.

Package managers vary depending on Linux distributions. For example, pacman is used by Arch Linux while dpkg (Debian package) and apt (Advanced Packaging Tool) are used in Debian and Ubuntu Linux distributions.

The command output shows the output of a few apt-get commands used in Debian distributions.

The apt-get update command is used to get the package list from the package repository and update the local package database. The apt-get upgrade command is used to update all currently installed packages to their latest versions.

2.7.2 Keeping the System Up to Date

Also known as patches, OS updates are released periodically by OS companies to address any known vulnerabilities in their operating systems. While companies have update schedules, the release of unscheduled OS updates can happen when a major vulnerability is found in the OS code. Modern operating systems will alert the user when updates are available for download and installation, but the user can check for updates at any time.

The following table compares Arch Linux and Debian / Ubuntu Linux distribution commands to perform package system basic operations.

A Linux GUI can also be used to manually check and install updates. In Ubuntu for example, to install updates you would click Dash Search Box , type software updater , and then click the Software Updater icon, as shown in the figure.

2.7.3 Processes and Forks

A process is a running instance of a computer program. Multitasking operating systems can execute many processes at the same time.

Forking is a method that the kernel uses to allow a process to create a copy of itself. Processes need a way to create new processes in multitasking operating systems. The fork operation is the only way of doing so in Linux.

Forking is important for many reasons. One of them relates to process scalability. Apache, a popular web server, is a good example. By forking itself, Apache is able to serve a large number of requests with fewer system resources than a single-process-based server.

When a process calls a fork, the caller process becomes the parent process, with the newly created process referred to as its child. After the fork, the processes are, to some extent, independent processes; they have different process IDs but run the same program code.

The table lists three commands that are used to manage processes.

The command output shows the output of the top command on a Linux computer.

2.7.4 Malware on a Linux Host

Linux malware includes viruses, Trojan horses, worms, and other types of malware that can affect the operating system. Due to a number of design components such as file system structure, file permissions, and user account restrictions, Linux operating systems are generally regarded as better protected against malware.

While arguably better protected, Linux is not immune to malware. Many vulnerabilities have been found and exploited in Linux. These range from server software to kernel vulnerabilities. Attackers are able to exploit these vulnerabilities and compromise the target. Because Linux is open source, fixes and patches are often made available within hours of the discovery of such problems.

If a malicious program is executed, it will cause damage, regardless of the platform. A common Linux attack vector is its services and processes. Vulnerabilities are frequently found in server and process code running on computers connected to the network. An outdated version of the Apache web server could contain an unpatched vulnerability which can be exploited by an attacker, for example. Attackers often probe open ports to assess the version and nature of the server running on that port. With that knowledge, attackers can research if there are any known issues with that particular version of that particular server to support the attack. As with most vulnerabilities, keeping the computer updated and closing any unused services and ports is a good way to reduce the opportunities for attack in a Linux computer.

The command output shows an attacker using the Telnet command to probe the nature and version of a web server (port 80).

The attacker has learned that the server in question is running nginx version 1.12.0. The next step would be to research known vulnerabilities in the nginx 1.12.0 code.

2.7.5 Rootkit Check

A rootkit is a type of malware that is designed to increase an unauthorized user’s privileges or grant access to portions of the software that should not normally be allowed. Rootkits are also often used to secure a backdoor to a compromised computer.

The installation of a rootkit can be automated (done as part of an infection) or an attacker can manually install it after compromising a computer. A rootkit is destructive because it changes kernel code and its modules, changing the most fundamental operations of the OS itself. With such a deep level of compromise, rootkits can hide the intrusion, remove any installation tracks, and even tamper with troubleshooting and diagnostic tools so that their output now hides the presence of the rootkit. While a few Linux vulnerabilities through history have allowed rootkit installation via regular user accounts, the vast majority of rootkit compromises require root or administrator access.

Because the very nature of the computer is compromised, rootkit detection can be very difficult. Typical detection methods often include booting the computer from trusted media such as a diagnostics operating system live CD. The compromised drive is mounted and, from the trusted system toolset, trusted diagnostic tools can be launched to inspect the compromised file system. Inspection methods include behavioral-based methods, signature scanning, difference scanning, and memory dump analysis.

Rootkit removal can be complicated and often impossible, especially in cases where the rootkit resides in the kernel; re-installation of the operating system is usually the only real solution to the problem. Firmware rootkits usually require hardware replacement.

chkrootkit is a popular Linux-based program designed to check the computer for known rootkits. It is a shell script that uses common Linux tools such as strings and grep to compare the signatures of core programs. It also looks for discrepancies as it traverses the /proc file system comparing the signatures found there with the output of ps.

While helpful, keep in mind that programs to check for rootkits are not 100% reliable.

The command output shows the output of chkrootkit on an Ubuntu Linux.

2.7.6 Piping Commands

Although command line tools are usually designed to perform a specific, well-defined task, many commands can be combined to perform more complex tasks by a technique known as piping. Named after its defining character, the pipe (|), piping consists of chaining commands together, feeding the output of one command into the input of another.

For example, the ls command is used to display all the files and directories of a given directory. The grep command compares searches through a file or text looking for the specified string. If found, grep displays the entire contents of the folder where the string was found.

The two commands, ls and grep, can be piped together to filter out the output of ls. This is shown in the output of the ls -l | grep host command and the ls -l | grep file command.

2.7.7 Video – Applications, Rootkits, and Piping Commands

2.7.8 Lab – Configure Security Features in Windows and Linux

2.8.1 What Did I Learn in this Module?

Linux Basics

Linux is a fast, reliable, and small open-source operating system. It requires few hardware resources to run and is highly customizable. It is designed to be used on networks. The Linux kernel is distributed by different organizations with different tools and software packages. A customized version of Linux that is called Security Onion contains software and tools that are designed for use in network security monitoring by cybersecurity analysts. Kali Linux is another customized Linux distribution that has numerous tools that are designed for network security penetration testing.

Working in the Linux Shell

In Linux, the user communicates with the operating system through a GUI or a command-line interface (CLI), or shell. If a GUI is running, the shell is accessed through at terminal application such as xterm or gnome terminal. Linux commands are programs that perform a specific task. The man command, followed by a specific command, provides documentation for that command. It is important to know at least basic Linux commands, file and directory commands, and commands for working with text files. In Linux everything is treated is if it were a file, including the memory, disks, monitor, and directories.

Linux Servers and Clients

Servers are computers that have software installed that enables them to provide services to client computers across the network. Some services provide access to external resources such as files, email, and web pages, to clients upon request. Other services run internally and perform tasks such as log management, memory management, or disk scanning. To enable a computer to provide multiple services, ports are used. A port is a reserved network resource that “listens” for requests by clients. While the port number that is used by a service can be configured, most services listen on default “well-known” ports. Client software applications are designed to communicate with specific types of servers. Web browsers are designed to communicate with web servers by using the HTTP protocol on port 80. FTP clients communicate with FTP servers to transfer files.

Basic Server Administration

In Linux, servers are managed by using configuration files. Various settings can be modified and saved in configuration files. When a service is started, it looks at its configuration file(s) to know how it should run. There is no rule for the way configuration files are written. Configuration file formatting depends on the creator of the server software. Linux devices should be secured by using proven methods to protect the device and administrative access. This is known as hardening devices. One way to harden a device is to maintain passwords, configure enhanced login features, and implement secure remote login with SSH. It is also very important to keep the operating system up to date. Other ways to harden a device are to force periodic password changes, enforce strong passwords, and to prevent reuse of passwords. Finally, Linux clients and servers use logfiles to record the operation of the system and important events. A number of different logfiles are maintained including application logs, event logs, service logs, and system logs. Server logs record activities that are conducted by remote users who access system services. It is important to know the location of different logs in the Linux file system so that they can be accessed and monitored for problems.

The Linux File System

Linux supports a number of different file systems that vary by speed, flexibility, security, size, structure, logic, and more. Some of the file systems that are supported by Linux are ext2, ext3, ext4, NFS, and CDFS. File systems are mounted on partitions and accessed through mounting points, or directories. Windows drive letters are examples of mounting points. The mount command can be used to display details of the file systems that are currently mounted on a Linux computer. The root file system is represented by the “/” symbol. It contains all of the files in the computer by default. Linux uses file permissions to control who is permitted to have different types of access to files and directories. Permissions include read (r), write (w), and execute (x). Files and directories have permissions that are assigned for users, groups, and others. The permissions for files and folders are displayed with the ls -l command. This command also displays the links for a file. Hard links create another file with a different name that is linked to the same place in the file system. The owner of the file and the group for the file are also displayed along with the date and time of the last modification to the file. File permissions are powerful features of the Linux file system and can’t be violated. Only the root user can override file permissions. Because of the power of the root user, root access should be carefully controlled. Hard links are created with the ln command. Changes to one of the hard-linked files are also made to the original file. Symbolic links, or symlinks, are similar to hard links in that a change to the linked file is reflected in the original file. Symbolic links have several advantages over hard links.

Working with Linux GUI

The X Windows, or X11, system is a basic software framework that includes functions for creating, controlling, and configuring a windows GUI in a point-and-click interface. Different vendors use the X Windows system to create different windows manager GUIs for Linux. Examples of windows managers are Gnome and KDE. The Ubuntu Linux distribution uses Gnome 3 by default. The Gnome 3 desktop consists of the Apps Menu, Ubuntu Dock, Top Bar, Calendar and System Message tray, the Activities area, and the Status Menu.

Working on a Linux Host

In order to install applications on Linux hosts, programs called package managers are used. Packages are software applications and all of their supporting files. Package managers are extremely helpful for installing complex software applications from centralized package repositories that are accessible over the internet. Different Linux distributions use different package managers. For example, Arch Linux uses pacman, Debian uses dpkg as the base package manager and apt to communicate with dpkg. Ubuntu also uses apt. Package manager CLI commands are used to install, remove, and update software packages. Upgrade commands upgrade all currently installed packages. Package management can also be performed in a GUI. Software processes are instances of computer programs that are running. Multitasking operating systems can run many processes at the same time. Forking is a method that the kernel uses to allow a running process to copy itself. The ps command lists the running processes, top displays information about running processes dynamically, and kill is used to remove, restart, or pause running processes. While Linux is considered to be better protected against malicious software (malware) than other operating systems, it is still susceptible to Trojan horses, worms, and other types of malware. Linux is usually attacked through its services and processes. Out of date software is often vulnerable to attack. Threat actors can probe a device for open ports that are linked to out of date server processes. With this knowledge, attacks can be launched. It is important to keep the operating system and its components and applications up to date. The chkrootkit program is designed to detect rootkit malware. Rootkits are deep level malware programs that are very difficult to detect and remove. They can change the fundamental operation of the operating system itself and can be used to create unauthorized access to systems. Piping commands uses the “|” symbol to chain different commands together by using the output of one command as the input for another.

3.0.1 Why Should I Take This Module?

A mobile device is any device that is hand-held, lightweight, and typically has a touchscreen for input. Like a desktop or laptop computer, mobile devices use an operating system to run applications (apps), games, and play movies and music. Mobile devices also have a different CPU architecture, designed to have a reduced instruction set when compared to laptop and desktop processors. With the increase in demand for mobility, the popularity of laptops and other mobile devices continues to grow. This chapter focuses on many features and capabilities of mobile devices.

3.0.2 What Will I Learn in This Module?

3.1.1 Wireless Data Networks

The ability of a laptop, tablet, or cell phone to wirelessly connect to the internet has provided people with the freedom to work, learn, communicate, and play wherever they want.

Mobile devices typically have two wireless internet connectivity options:

Wi-Fi – Wireless network connections use local Wi-Fi settings.
Cellular – Wireless network connections are fee-provided using cellular data. Cellular networks require cellular towers and satellites to create a mesh of global coverage. A cellular data network connection can become expensive without an appropriate service plan.

You may need to register a device with a carrier or provide some unique identifier. Every mobile device has a unique 15-digit number called an International Mobile Equipment Identity (IMEI). This number identifies the device to a carrier’s network. The numbers come from a family of devices called the Global System for Mobile Communications (GSM). The number is found in the device’s configuration settings or a battery compartment if the battery is removable.

A unique number called the International Mobile Subscriber Identity (IMSI) identifies the device user. The IMSI is often programmed on the subscriber identity module (SIM) card or can be programmed on the mobile device itself, depending on the network type.

Wi-Fi is usually preferred over a cellular connection because it is typically free. Wi-Fi radios use less battery power than cellular radios, so the device battery should last longer using Wi-Fi.

Many businesses, organizations, and locations also offer free Wi-Fi connections to attract customers. For example, coffee shops, restaurants, libraries, and even public transportation may offer free Wi-Fi access to users. Educational institutions have also adopted Wi-Fi connectivity. For instance, college campuses enable students to connect their mobile devices to the college network, sign up for classes, watch lectures, and submit assignments.

3.1.2 Wi-Fi Manual Configuration

It is essential to secure home Wi-Fi networks. Precautions should be taken to protect Wi-Fi communications on mobile devices:

Enable security on home networks. Always enable the highest Wi-Fi security framework possible. Currently, WPA2 security is the most secure.
Never send login or password information using clear, unencrypted text.
Use a secure VPN connection when possible.

Devices can connect automatically or manually to Wi-Fi networks.

Select each tab to view the steps to take when manually connecting to a Wi-Fi network using an Android or an iOS mobile device.

3.1.3 Lab – Mobile Wi-Fi

3.1.4 Cellular Communications Standards

Cell phones were introduced in the mid-1980s. Back then, cell phones were bigger and bulkier. It was also difficult and expensive to call people on another cellular network because there were few industry standards for cellular technology. Without standards, interoperability between cell phone manufacturers was very difficult.

Industry standards have simplified interconnectivity between cell providers. These standards have also made it less expensive to use cellular technology. However, cellular standards have not been adopted uniformly around the world. Therefore, some cell phones may only work in one country and not operate in other countries. Other cell phones can use multiple standards and operate in

many

countries.

3.1.5 Airplane Mode

It may be required for you to disable your cellular access. For instance, airlines typically ask their passengers to disable cellular access. Most mobile devices have a setting called Airplane Mode to simplify this process. This setting turns off all cellular, Wi-Fi, and Bluetooth radios.

Airplane Mode is useful when traveling on an airplane or when located where accessing data is prohibited or expensive. Most mobile device functions are still usable, but communication is not possible. Once airplane mode can be turned on, Wi-Fi, Bluetooth, and other wireless functionality can be turned on except for cellular. You can also enable or disable cellular access. The two figures display the screens to turn Airplane Mode on or off on an iOS device and the screen to enable or disable cellular access on an iOS.

Enabling Disabling Cellular Data on Android and iOS

You can also enable or disable cellular access. Select each tab to view the steps to change cellular access settings on an Android and an iOS device.

3.1.6 Hotspot

Another useful cellular feature is using a cellular device as a hotspot. A hotspot is when a cellular device provides an internet connection to other devices. The Wi-Fi devices could select the cellular device at its Wi-Fi connection. For instance, a user may need to connect a computer to the internet, but no Wi-Fi or wired connection is available. A cell phone can bridge the internet through the cellular carrier’s network.

To enable an iOS device to become a personal hotspot, touch Personal Hotspot as shown below in the figure on the left. This opens the Personal Hotspot shown in the figure on the right. Notice how the iOS Personal Hotspot feature can connect Bluetooth or USB-connected devices to the internet.

Note: A hotspot is sometimes referred to as tethering.

Finally, there are apps available for mobile devices that can be useful tools when diagnosing mobile device radio problems. For instance, a Wi-Fi analyzer can display information about wireless networks, while a cell tower analyzer can be used on cellular networks.

3.1.7 Check Your Understanding – Wireless Technology

Standard enables speeds of 100 Mb/s and up to 1Gb/s, supports gaming services, and is often implemented using LTE.

Wireless connection option is preferred because it is typically free.

This setting enables a cellular device to be used as a bridge to the Internet using the cellular carrier’s network.

Introduced in 2019, it enabled speeds up to 20 Gb/s.

This setting turns off all cellular, as well as Wi-Fi and Bluetooth radios.

3.2.1 Bluetooth for Mobile Devices

3.2.2 Bluetooth Pairing

Bluetooth is a networking standard consisting of the physical and protocol levels. The physical level for Bluetooth is a radio frequency standard. Devices connect to other Bluetooth-enabled devices at the protocol level, called Bluetooth pairing. At the protocol level, devices agree on the timing, method, and comparison of sent bits.

Specifically, Bluetooth pairing is when two Bluetooth devices establish a connection to share resources. Bluetooth radios must be turned on for the devices to pair, and one device begins searching for other devices. Other devices must be set to discoverable mode, also called visible, so that they can detect them.

When a Bluetooth device is in discoverable mode, it transmits Bluetooth and device information such as device name, services that the device can use, Bluetooth class, and device name.

A PIN may be requested to authenticate the pairing process during the pairing process, as shown in the figure. The PIN is often a number but can also be a numeric code or passkey. The PIN is stored using pairing services, so it does not have to be entered the next time the device tries to connect. This is convenient when using a smartphone headset because it is paired when turned on within range.

Select each tab to view the steps required to pair a Bluetooth device with an Android and an iOS device.

3.3.1 Introduction to Email

We all use email but never really think about how email actually works. The email structure relies on email servers and email clients. Select each for more information.

Note: This section focuses on email clients for mobile devices.

Email clients and servers use various protocols and standards to exchange emails.

Select each email protocol or standard for more information.

3.3.2 Check your understanding – Email Protocols

3.3.3 Android Email Configuration

3.3.4 iOS Email Configuration

3.3.5 Internet Email

3.4.1 Types of Data to Synchronize

3.4.2 Enabling Synchronization

Sync typically means data synchronization. However, the meaning of sync varies slightly between an Android and an iOS device.

Android devices can synchronize your contacts and other data from Facebook, Google, and Twitter. As a result, all devices using the same Google account will have access to the same data. This makes it easier to replace a damaged device without data loss. Android Sync also allows the user to choose the data types to synchronize.

Android devices also support automatic synchronization with a feature called Auto Sync. This synchronizes the device with the service provider’s servers automatically, without user intervention. To save on battery life, you can disable automatic synchronization for all or just some of the data.

The following are the various steps to synchronize an Android device.

To review what data to synchronize on an Android device.

Step 1. Open your device’s Settings app.
Step 2. Tap Accounts and backup > Manage accounts.
Step 3. If you have more than one account on your device, tap the one you want.
Step 4. Tap Sync account.
Step 5. Review the data to be synchronized and when they last synced. You can enable or disable which apps to sync.

To disable auto-sync on an Android device.

Step 1. Open your device’s Settings app.
Step 2. Tap Accounts and backup > Manage accounts.
Step 3. Disable Auto-sync data

iOS devices support two types of synchronizing:

Backup – Copies your data from your phone to your computer or iCloud. That includes application settings, text messages, voicemails, and other data types. Backup saves a copy of all data created by the user and by apps.
Sync – Copies new apps, music, video, or books from iTunes to your phone and from your phone to iTunes, resulting in full synchronization on both devices. Sync copies only media downloaded via the iTunes Store mobile app, respecting what was specified through iTunes’ Sync definitions. For example, a user can keep movies from syncing to the phone if the user does not watch movies on the phone.

As a general rule, when connecting an iOS device to iTunes, always perform a Backup first and then Sync. The order can be changed in iTunes’ Preferences.

A few more useful options are available when performing Sync or Backup on iOS:

Backup storage location – iTunes stores backups on the local computer hard drive or the iCloud online service.
Backup straight from an iOS device – In addition to backing up data from an iOS device to the local hard drive or iCloud through iTunes, users can configure the iOS device to upload a copy of its data directly to iCloud. Backups can perform automatically, eliminating the need to connect to iTunes. Similar to Android, the user can also specify the type of data sent to the iCloud backup, as shown in the figure.
Sync over Wi-Fi – iTunes can scan and connect to iOS on the same Wi-Fi network. When connected, the Backup process can be initiated automatically between iOS devices and iTunes. Backups happen automatically every time iTunes and the iOS device are on the same Wi-Fi, eliminating the need for a wired USB connection.

When a new iPhone connects to the computer, iTunes will offer to restore it using the most recent backup of data from other iOS devices, if available. The figure below shows the iTunes window on a computer.

1.0.1 Why Should I Take this Module?

1.0.2 What Will I Learn in this Module?

1.1.1 Disk Operating System