Information System Security document (docx)


Information System Security
The Big Picture Approach to Computer Systems Security

Secure System Administration - SANS GIAC © 2000, 2001

Welcome to the second series of your KickStart courses. This course is part of a series of courses intended for system administrators who are new to the world of information assurance and system security. The next set of courses will be different from your first set. We will be focusing on computer systems and operating system commands, so this will be more pragmatic. The approach to the slides is also a bit different. We hope that you will try a number of these commands yourself. Finally, there is information both in the slides and in the notes that is testable. So, please pay close attention as we work through the material.

We are going to discuss Windows 98, Windows NT, Windows 2000, and UNIX/Linux. For each operating system, you will learn how it works; terminology; some basic commands; the fundamental security issues; and how to compensate for threats.

This course is intended for an audience that wants to build a solid foundation with basic concepts in information assurance, but needs to build experience. If you are a new system administrator, or perhaps you have been recently dubbed the security officer for your organization, this course is for you. Let's get started. We will first do a short section to cover general concepts. Please pay attention though – there is a quiz at the end. You are encouraged to try every tool and command that you learn – except the ones that are marked as dangerous!

Purpose and Goal

You are going to learn how to search for clues on computer systems. We will cover the foundational principles, terminology, threats and countermeasures for four widely deployed computer systems: Windows 98, Windows NT, Windows 2000 and Unix/Linux. The focus is to help you:
• Understand your system
• Perform basic forensics (find and preserve evidence)
Plan on getting access to Windows and Unix systems and following along with the exercises. You will need these systems as you progress in your training anyway.

This course will be pragmatic. We will learn how to do things. You will learn over 75 operating system commands and information gathering tools. We will also cover some essential theory and terminology, the concepts behind information systems, so we will be able to know how to interpret what the tool is telling us. The course structure is designed to build on the sections that go before. For instance, when we cover Windows 2000, we will not repeat information about the FAT file system or operating system commands that are the same on Windows 98 or NT. You will have already learned those.

When you learn about a tool, it is strongly recommended that you try the exercises yourself. To get the most out of this course, you need to have access to a Windows system and a Unix system. We intend for you to try the examples. Make a good backup of your computer, get someone to help you if need be, and go buy the latest Red Hat Linux and install it.

"Day 2" Agenda
• How Computers Work
• Backups, Hidden Data
• Windows 98
• Windows NT
• Windows 2000
• Unix/Linux Security
• Forensics and OS Commands

Well, let's get to work. On this slide you see the areas we will cover: some general information, and then into the operating system specifics. This is a great moment to let you know just how similar the Windows operating systems are. There are differences, but if you scan one of these
systems with the famous network scanner nmap, it has a really hard time telling them apart; the network stacks are just about the same, though it can distinguish Windows 2000. Most of the commands we use for Windows 98 will work fine on Windows 2000. Win2K is an advanced operating system and so there are differences, primarily the Active Directory. Even so, it is important to remember that Windows 2000 is a marketing term; it really was NT 5.0 and followed NT 4.0. One of the goals of this course is to help you to be familiar with both Windows and Unix. These are common operating systems and there is a really good chance you will need to have a basic understanding of both.

How Computers Work
• Boot Sequence
  – Operating System
• File System Device Driver
• Disk Partitions
• ScanDisk
• Sectors, Clusters, Cylinders, and Disk Geometry
• Dr Watson
• hdparm
• fdisk

In this first section of the course, we are going to get our feet wet and understand how computer systems work. Again, don't expect much theory; we will mention a concept and then try to equip you to see how the concept works on Windows and Unix systems. We can't cover everything of course; the boot sequence for Windows NT would take 10 – 12 slides alone. The important thing, though, is for you to actually try these exercises. Don't just be passive, get in the game: if the course talks about ls -l /dev or running Dr Watson, get to it. Learn how your system works.

My friend Mary Walker from Motorola was giving a presentation at a DARPA-funded meeting on intrusion detection once and someone asked a really hard question. She shrugged her shoulders and held out her hands palm up and said, "That one deserves the Motorola salute!" Bad things happen to perfectly nice operating systems. If you work to master these concepts and tools, perhaps you can be part of the solution instead of just giving the shrug salute!

The Beginning
• When you power a computer on:
  – The disk spins up
  – The system begins a boot sequence taking its directions from a read only memory chip with a simple basic input output system called a ROM BIOS
  – Most modern operating systems allow the ROM BIOS to be password protected
  – The system begins to read specific tailored operating system information from the disk

The more you understand the boot sequence of a system, the more of a miracle it seems that it is possible to boot at all. First, at power up, the computer uses an onboard ROM BIOS to find its disk drives, count and test memory, and search for hardware such as a mouse and keyboard. Then it will search for further boot instructions on a disk. The computer doesn't have much software loaded, so the expectation is to find a specially formatted disk area just for bootup support. On Windows systems, the first three bytes of the bootup part of the file system contain the address to jump to that contains the actual bootstrap code. We still jump to something simple, called a bootstrap loader, which teaches the system just enough to be ready for the secondary bootstrap loader. The secondary bootstrap loader is actually what does the heavy lifting. Windows 9x systems call this file IO.SYS, whereas NT and 2000 call it NTLDR. This is such a touchy operation that attack code which harms the boot area can cause a great deal of damage.

Bootstrap Illustrated
Graphic courtesy National White Collar Crime Center. Used by permission.

When you turn on the computer, the power supply "awakens", the CPU registers are cleared, and a special register called the program counter is set (on PCs) to F000 – the address of the system's BIOS (Basic Input Output System). Next, BIOS runs a system check called POST, or Power On Self Test.

Bootstrap Illustrated (2)
Graphic Courtesy National White Collar
Crime Center. Used by permission.

As part of POST's system checks, it probes for devices – network cards, parallel port devices including printers, etc. – by sending signals over the system bus to ensure it can communicate with the devices that are present. Then tests are done on the system timer and video devices. Next, RAM (Random Access Memory) and the keyboard are checked for and tested.

Bootstrap Illustrated (3)
Graphic courtesy National White Collar Crime Center. Used by permission.

Finally, disk drives are checked. The findings of the POST program are compared to settings saved in a special chip called the CMOS (Complementary Metal Oxide Semiconductor). Any changes to system configuration must be updated on the CMOS chip. Information stored by the CMOS chip includes the hard disk type, time and date, memory/cache preferences, power-on password and disk/CDROM boot-time search sequence. Although this is the process for a PC, the boot up sequence is similar for most computers. At this point we are finally ready to load information from the disk to boot the operating system.

Booting the OS
Graphic courtesy National White Collar Crime Center. Used by permission.

When booting the operating system, the CPU reads information in the Master Boot Record – this is always located at Cylinder Head Sector AKA the first sector. The Master Boot Record (or Master Boot Block, as it is sometimes referred to) contains the location of the boot record. The boot program, in turn, loads IO.SYS, CONFIG.SYS, MSDOS.SYS, COMMAND.COM, and AUTOEXEC.BAT. If you are able to pause your audio, please take a second and run your Windows Explorer and look at your C:\ drive; you should see many of these files there if your system boots from C. On UNIX platforms it would proceed
with loading the kernel.

Kernel
• All operating systems (OS) in this course support multiple privilege hardware levels
  – Privilege restricts the instruction set that can be run by a running program, called a process
  – User's programs should not be able to modify page tables used to support virtual memory management

The higher the privilege level a program runs at, the more harm it can potentially cause. In practice, programs have been able to up their priority level with alarming ease. Privilege in this case is hardware privilege, the ability to interface with processes at layer of the OSI Protocol stack or the kernel of a program. This is much different than the operating system privileges that allow one to perform tasks as Administrator or root. That said, attackers that succeed in getting access to system privileges also succeed in obtaining access to the hardware privilege levels through programs like device drivers.

In Unix, many networking applications, called daemons, run at the highest application privilege. If they are compromised by a buffer overflow, then the attacker is able to run her own software at this privilege level. What is a buffer overflow?
It is when the program expects to read in a fixed amount of data, but doesn't check to make sure that is all that is read in. The data is crafted by the attacker to be in two parts. Part one is the maximum length the program expected to read in; this is usually just throwaway data. Part two is the section that is longer than the maximum expected and is executable code, a program. This program will then run at the privilege level of the service that read in the data. If you are old enough to remember drive-in movies, this is a little like sneaking your friends in using the trunk of your car. The attendant doesn't usually check for extra passengers.

File Systems – Reliability vs Performance
• Partitions can be used to divide a physical disk into logical divisions
• Spanning volumes can create a logical entity across multiple physical disks
• Striped volumes increase performance and increase risk of data loss
• Mirrored volumes decrease performance and decrease risk of data loss

The slide above describes the four most important terms for discussing the logical abstractions used when dealing with disks. There are both hardware and software RAID (Redundant Array of Inexpensive Disks) array solutions. Striped RAID is an approach where the file is stored in chunks on multiple disks, which improves performance since multiple disk controllers can be run in parallel. However, the failure of a single disk that holds only 25% of the total information can cause the loss of all the files. In this case, backups are really important.

Of course there are a variety of compromise RAID schemes that attempt to balance fault tolerance and performance, such as the RAID scheme for Windows 2000 and Linux that is a major improvement over the earlier RAID scheme. RAID mode allows you to combine a number of physical disks, and still maintain some redundancy. RAID-5 can be used on three or more disks, with zero or more spare disks. The resulting RAID-5
device capacity will be (Number of devices in the array - 1) * Size of the smallest device in the array, or (N-1)*S. In this configuration, the parity information is distributed evenly among the participating drives. If one of the disks fails, data is recoverable with the parity information.

As a simple example, suppose we have four data disks and one parity disk. The bits on the data disks are: 1 for the four disks. The parity bit is the Exclusive Or (XOR) of these four data bits, which can be calculated by adding them up and writing a 0 if the sum is even and a 1 if it is odd. Here the sum of Disk through Disk is "3", so the parity is 1. If it was 0 1, which adds up to 2, the parity would be 0.

This scheme does work well in practice, but there are some caveats. First, it depends on the disk controller to identify an error. Second, if two disks fail simultaneously, all data are lost. RAID-5 can survive one disk failure, but not two or more. If you were to do a disk search on RAID you could find many a horror story; parity or not, RAID systems must be backed up on a regular basis.

Disk Sectors and Clusters
• Basic data storage containers on a disk
• Disks for US market tend to have 512-byte sectors
• Clusters are groups of sectors
• Clusters optimize speed over storage efficiency
• Large clusters present data hiding opportunity

As the data is written to a disk, it is stored in sectors; these tend to be 512 bytes. This means that a 20GB disk drive would have about forty million sectors. How do we know this? If you haven't looked at binary math in a while, hit Start -> Programs -> Accessories -> Calculator, View Scientific. A kilobyte is 2**10th power. Hit 2, on the left side select X^Y and enter 10. You should see 1024. A Megabyte is 2**20th, or 1,048,576. Any guesses on a Gigabyte?
Sure, 2**30th or 1,073,741,824. Multiply that by 20 and you get 21,474,836,480. How big was a sector? It was 512 bytes, and if we divide the 20GB number by 512 we get 41,943,040. Your turn: for a 5GB drive, how many million sectors are there if rounded to the nearest million? Did you get 10 million? (2**30, multiplied by 5, divided by 512 should yield 10,485,760.)

Who cares? Well, disks are getting bigger and bigger and disks work via a lookup table. A lookup table with that many entries is going to be S L O W. Therefore sectors are grouped together in clusters. The term "cluster size" tells us how many sectors are in a cluster. A cluster size of 2048 bytes holds 4 sectors. How many sectors are in a cluster size of 8192 bytes?

The problem is that if a disk cluster is not filled up because the file is smaller than the size of the cluster, then disk space is wasted. All file systems must compromise between disk utilization and file system efficiency.

There are a number of ways to take advantage of the disk layout to hide files. A truly cunning malicious user can hide data in the unused cluster space by selecting small files and writing the data directly to the disk after the end of file mark. Unix systems have been attacked with software that tries to hide itself. It may be necessary to determine the actual disk information and compare this with what the operating system reports. (A cluster size of 8192 bytes holds 16 sectors.)

Unallocated cluster

This slide shows a forensic tool examining an unallocated cluster, and we see that it indeed has data in it. The data should look familiar; it is from the beginning of this course. This situation can happen for any number of reasons, including temporary working files that are deleted, files that are deleted, files that are broken or lost, and of course intentionally. There are any number of disk utilities, including Norton Utilities, that have the ability to search a disk for data
that may be written outside the file boundaries.

We have introduced sectors and clusters, so now let's dig a bit deeper into the rest of the disk architecture. Disk geometry and the file system driver can affect performance and reliability. Performance is a complex mix that consists of rotation speed of the platter (10,000 RPM disks are available these days), sectors/track, seek time, rotational latency, cache size, data structure, transfer rates (including bus), and the disk interface.

Tools for Managing Disks
• SCANDISK – Scans disks for logical or physical errors. Can be used to repair corrupt portions of the disk
• CHKDSK – Functionally similar to SCANDISK but is DOS based
• fsck – Unix based disk maintenance tool

Now that we can picture what the disk looks like, let's look at some operating system tools that are used to keep the disks running reliably. Windows 9x and NT provide ScanDisk to enable the system to deal with disk drive errors, such as when a system is suddenly powered off and the drive has not been properly unmounted. In this event, ScanDisk is invoked automatically when the system is rebooted. The function that ScanDisk serves is so vital that similar tools exist for other platforms. CHKDSK is the equivalent on DOS and fsck (short for file system check) is used on UNIX systems. The next few slides will look at SCANDISK in detail, but although interface and presentation may differ, both chkdsk and fsck serve the same purpose.

Scandisk

To run ScanDisk on Windows 9x, the easiest thing to do is hit the Start button and then select the Run command, type scandisk, and it will come up. This screen shows both the primary window on the left, and also the options window. Please turn your attention to the options for the logfile: to append or to replace. The logfile is called scandisk.txt and can be found in the root directory of the disk you are testing. If you are
running scandisk on drive C:, the logfile will be c:\scandisk.txt. At the end of the run, scandisk will show you a report. An example of this is shown on the next slide.

SCANDISK Report

This is an example of a scandisk run on my laptop's hard drive. Let's read this from the bottom up. We see the term allocation units. These are clusters, or groups of sectors. How many sectors per cluster? Recall a sector is 512 bytes, so if there are 4,096 bytes in each cluster, then there must be 8 sectors per cluster. This is wasteful of disk space if you have small files, since a cluster must be allocated to a single file that might only fill it half full or even less. The next two entries show that this disk is about half full. The next line up is interesting. We have 484 hidden files. That seems to be quite a lot and might bear further investigation.

To summarize, we have learned a bit about disks. We have discussed reliability and have introduced a tool, ScanDisk, that will help us check the health of a Windows 9x drive.

Scandisk Report (2)
Viruses frequently overwrite boot area

Of course, we do not always get a clean bill of health. This actually happened on my primary computer shortly after I was moving all of my files to the Windows 2000 laptop. Since the FAT is a major vulnerability, I made the screenshot since I couldn't resist, and then immediately did a backup of all the important files. The good news is that since I have several copies of backups, this is a great opportunity to format the drive and reinstall whatever operating system I want to use. You would be amazed how much faster your system will be after a clean install. Say what you want about Windows, but keeping all my data in My Documents is a great convenience!
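
The RAID-5 parity arithmetic and its two caveats from the File Systems notes above, worked through in Python. This is an added example, not part of the original course material; the four 4-byte data blocks are constructed sample data and the function names are hypothetical.

```python
from functools import reduce
from operator import xor


def xor_blocks(blocks):
    """XOR equal-length byte blocks together, column by column."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("all blocks in a stripe must be the same length")
    return bytes(reduce(xor, column) for column in zip(*blocks))


def usable_capacity(device_sizes):
    """(N - 1) * S from the text: N devices, S = size of the smallest one."""
    if len(device_sizes) < 3:
        raise ValueError("RAID-5 needs three or more disks")
    return (len(device_sizes) - 1) * min(device_sizes)


def parity_ok(stripe):
    """A stripe (data blocks + parity block) is consistent if it XORs to zero."""
    return not any(xor_blocks(stripe))


def rebuild(stripe, failed):
    """Return a copy of the stripe with the one failed member recomputed.

    `failed` lists the member indexes the controller reported as unreadable.
    """
    if len(failed) != 1:
        raise RuntimeError("RAID-5 can rebuild exactly one failed member")
    lost = failed[0]
    survivors = [blk for i, blk in enumerate(stripe) if i != lost]
    repaired = list(stripe)
    repaired[lost] = xor_blocks(survivors)
    return repaired


# Constructed sample stripe: four data blocks plus one parity block.
DATA = [b"SANS", b"GIAC", b"boot", b"disk"]
STRIPE = DATA + [xor_blocks(DATA)]


def demo():
    results = {}
    # Normal case: the controller reports that member 2 is unreadable.
    damaged = list(STRIPE)
    damaged[2] = b"\x00" * 4
    results["rebuilt"] = rebuild(damaged, [2])[2]
    # Caveat 1: silent corruption. Parity shows that something is wrong,
    # not where. Rebuilding the wrong member gives a consistent stripe
    # that now holds bad data in two places.
    corrupt = list(STRIPE)
    corrupt[1] = b"GIAK"
    results["detected"] = not parity_ok(corrupt)
    wrong_fix = rebuild(corrupt, [0])
    results["wrong_fix_consistent"] = parity_ok(wrong_fix)
    results["wrong_fix_data_intact"] = wrong_fix[0] == DATA[0]
    # Caveat 2: two simultaneous failures cannot be rebuilt.
    try:
        rebuild(STRIPE, [0, 3])
        results["double_failure"] = "rebuilt"
    except RuntimeError:
        results["double_failure"] = "lost"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The wrong-member rebuild is why the notes say the scheme depends on the disk controller to identify the error, and why parity is no substitute for backups.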
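
The cluster slack and unallocated-cluster discussion above, as a small scanner in Python that reports data sitting after a file's end-of-file mark or in clusters no file owns. This is an added example, not part of the original course material; the disk image and file table are constructed in memory, contiguous allocation is assumed, and the layout is not a real FAT structure.

```python
SECTOR = 512  # bytes per sector, as in the text


def sectors_per_cluster(cluster_size):
    return cluster_size // SECTOR


def clusters_needed(size, cluster_size):
    """Whole clusters a file of `size` bytes occupies (ceiling division)."""
    return -(-size // cluster_size)


def slack_bytes(size, cluster_size):
    """Allocated-but-unused bytes after the end of the file."""
    return clusters_needed(size, cluster_size) * cluster_size - size


def scan_image(image, files, cluster_size):
    """Report non-zero data in file slack and in unallocated clusters.

    files: (name, first_cluster, size) tuples, contiguous allocation assumed.
    Returns (kind, label, byte_offset, nonzero_byte_count) tuples.
    """
    findings, allocated = [], set()
    for name, first, size in files:
        count = clusters_needed(size, cluster_size)
        allocated.update(range(first, first + count))
        start = first * cluster_size + size      # first byte past end of file
        end = (first + count) * cluster_size     # end of the last cluster
        nonzero = sum(1 for b in image[start:end] if b)
        if nonzero:
            findings.append(("slack", name, start, nonzero))
    for cluster in range(len(image) // cluster_size):
        if cluster in allocated:
            continue
        offset = cluster * cluster_size
        nonzero = sum(1 for b in image[offset:offset + cluster_size] if b)
        if nonzero:
            findings.append(("unallocated", f"cluster {cluster}", offset, nonzero))
    return findings


def build_sample(cluster_size=2048, clusters=8):
    """Constructed 16 KB image and file table for the demonstration."""
    image = bytearray(cluster_size * clusters)
    files = [("notes.txt", 0, 300), ("report.doc", 1, 3000)]
    for name, first, size in files:
        offset = first * cluster_size
        image[offset:offset + size] = b"x" * size
    # 15 bytes written after the end-of-file mark of notes.txt
    image[300:315] = b"hidden-in-slack"
    # 13 bytes left behind in a cluster that no file owns
    image[5 * cluster_size:5 * cluster_size + 13] = b"deleted draft"
    return bytes(image), files


if __name__ == "__main__":
    img, table = build_sample()
    for name, _, size in table:
        print(f"{name}: {size} bytes, {slack_bytes(size, 2048)} bytes of slack")
    for finding in scan_image(img, table, 2048):
        print(finding)
```

On a real disk, slack usually holds harmless leftovers from earlier files, so a hit is something to read and explain rather than proof that data was hidden on purpose.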

Now, let's explore the Unix file system a bit.

File Systems and Unix
• In Unix everything is a file, even hardware devices are represented as a file
  – Character devices – data is read in sequentially – keyboard
  – Block devices – data can be accessed in chunks in any order – disk
• hdparm -g /dev/hda

The Unix model is to treat everything, hardware included, as a file. To do this, we need a special designator called a file mode so that the operating system kernel can tell something is hardware or a device driver. Device drivers in Unix are almost always kept in a directory called /dev. There are two primary things to look for when investigating device drivers:
- Are they character mode, or block mode?
- Major and Minor device numbers
If you have access to a Unix system, type: ls -l /dev | more to start becoming familiar with this crucial directory. We can see the results of this on the next slide. Dir is used to list files in Windows and ls in Unix. It is well worth your time to become familiar with the options to these programs; try dir /? or ls --help (or ls /?)
and then take some time to find out what is possible.

Unix device drivers
# ls -l /dev
total 72
-rwxr-xr-x crw crw brw-rw -crw w wbrw brw-rw -brw-rw -brw-rw -brw-rw -brw-rw -brw-rw -brw-rw -brw-rw -brw-rw -brw-rw 1 1 1 1 1 1 1 1 root root root root root root root root root root root root root root root root root sys sys disk root floppy disk disk disk disk disk disk disk disk disk disk 26450 14, 14, 20 32, 5, 2, 16, 3, 3, 3, 10 3, 11 3, 12 3, 13 3, 14 3, 15 3, 16 Sep Apr Apr May May May May May May May May May May May May May 24 1999 MAKEDEV 17 1999 audio 17 1999 audio1 1998 cm206cd 26 15:17 console 1998 fd1 1998 gscd 1998 hda 1998 hda1 1998 hda10 1998 hda11 1998 hda12 1998 hda13 1998 hda14 1998 hda15 1998 hda16

On this slide we are continuing to discuss the Unix operating system; please note the column on the left. Generally this is used primarily to understand file permissions, but we are concerned with the mode. The entries that start with a "c" are character mode. This means the data is read in a serial fashion, one octet at a time. Audio: we listen to or create sound with a stream of information. Console: that would be me on the keyboard, pecking away a key at a time. The entries that start with a "b" in the left-hand column are block mode devices; we see fd1, the device driver for the floppy drive, and hda, the device driver for my hard disk.

Major device numbers help determine what type or flavor of hardware you have. Two common disk types are IDE (Integrated Drive Electronics) and SCSI (Small Computer System Interface). Both are block devices of course. The Major device number for IDE is and SCSI is. Note: for all the hda entries, there is a to the left of the device name. This is the major number. Of the hda values, they range from to 15 for the possible partitions for this disk; this is the minor number.

Exploring the Unix filesystem
[root@loco /tmp]# df
Filesystem   1k-blocks    Used  Available  Use%  Mounted on
/dev/hda5      6143236  788028    5043148   14%  /
/dev/hda1        23302    2647      19452   12%  /boot
[root@loco /tmp]# hdparm -g /dev/hda
/dev/hda:
 geometry = 789/255/63, sectors = 12685680, start =
WARNING: be careful trying options to hdparm

On this slide we are discussing Unix. Now we know that files that are in /dev are device drivers and disks are block devices, so that they can be accessed randomly instead of serially. Which ones really matter to us? How do we find our disk? Many commands give information about file systems. Two of the most useful are df and du. The df command displays the number of free i-nodes (determined by the system administrator) and 'blocks' on the mounted file system. Blocks on a system are units of disk space. The du (disk usage) command provides a list of each file directory in a file system and the number of blocks used by the file. I like to use du -b to list the files in bytes, if it is supported by the Unix system, in case I forget how many bytes are in a block, since it varies depending on the Unix operating system.

A really good command to see what is mounted on a Unix system is "df". The result of this is shown in the slide. The name of my disk is /dev/hda and there are two partitions mounted. Note the minor numbers, hda1 and hda5. When you are doing forensics or at-the-keyboard incident handling, df is one of the first commands you will type.

Knowing the name of our disk, we can continue to explore the file system and disk. Before you type anything though, be sure and note the warning. If you just loaded a copy of Red Hat Linux to experiment with, then go for it. However, if this machine is used in production at all, then be very careful. Check the command syntax before you type it by first consulting a "man" (manual) page. A man page is an online manual found on most Unix systems. For instance, "man hdparm" should tell you how it works on your system.

Exploring the Unix Filesystem (2)
[root@loco /tmp]# fdisk -l /dev/hda
Disk /dev/hda: 255 heads, 63 sectors, 789 cylinders
Units = cylinders of 16065 * 512 bytes
Device Boot /dev/hda1 * /dev/hda2 /dev/hda5 /dev/hda6 Start 4 781 End 789 780 789 Blocks 24066 6313545 6241221 72261 Id 83 83 82 System Linux Extended Linux Linux swap
WARNING: be careful trying options to fdisk

The hdparm command will provide information about the hard disk. As you can see on the previous slide, though, hdparm is a wee bit cryptic. On this slide we have an illustration of fdisk, which gives more useful information. fdisk -l simply prints partition information and exits. That is pretty safe! The difference between the information df showed us and what fdisk shows us is critical to understand if we are ever involved in an investigation of a Unix box. "df" only listed the mounted partitions; fdisk will try to list every partition. We will come back to this later, but the thing that we must clearly understand is that we must be aware of what these tools show us and what it means, or we cannot audit or protect our systems.

Windows FDISK

Interestingly enough, Windows has an FDISK command of its own. We aren't going into it here. We will wait until we explore the FAT file system a little bit later. But let's do some math based on the screen shot on this slide. If sectors are 512 bytes, and the FAT16 has a maximum allocation address of 2**16 (two to the 16th power is 65,536), what is the maximum disk size FAT16 could support if the cluster or allocation size was one sector? Remember, don't panic when we do binary math. Windows users, try: Start, Programs, Accessories, Calculator, View Scientific. Unix users, try xcalc. When we get into binary and hex numbers at any point, these are helpful tools. Did you get 33,554,432 or 32MB?
Sure, that is the result of 2**16 x 512, the maximum number of addresses multiplied by the number of bytes an address is holding. This is why most computers with large disk drives will have multiple sectors per cluster. After all, 32MB is not a very large disk drive. My Windows 2000 laptop has an GB drive and my Linux laptop has a GB drive. Desktop systems tend to have much larger drives.

We have covered a lot of material; let's see if we can summarize the critical issues. We have begun to actually investigate what goes on under the hood on a Unix and Windows system and used tools to do this.

Review of Core Concepts
• Systems begin boot from ROM BIOS and then look for boot code
• The secondary loader for Win 9x is IO.SYS, NT and 2000 is NTLDR
• Data is stored in disk sectors, commonly 512 bytes, and sectors are grouped into clusters
• Disk geometry affects performance and reliability
• Everything in Unix is a file; devices, which can be character or block, are represented by their drivers
• Tools for Windows and Unix that let us see what is running and how the disk is set up

Multitasking, swap, and disk layout… I hope these terms have come alive for you. A lot of people use computers and they have no idea how they work or what is going on. Please allow me to encourage you again to give the examples a try. As you continue your journey in information security, it is very likely that one day you will face a problem with a computer. You will not know if the system is just having problems or if you are dealing with an attack of some form, either by a person or malicious code. We want to begin to prepare you to gather data and understand how things work.

CREDIT: If you are taking this course for academic credit, assignment SSA_1.1: Describe the process to examine your computer's ROM BIOS settings. Describe at least two settings that can be used to enhance your system's security. Are there potential risks or drawbacks to be aware of if these
settings are changed from the default?

Review of Commands
• find from Windows Explorer
• Dr Watson, advanced, system, task, startup
• CHKDSK/SCANDISK
• fdisk
• ps ax (or ps ef)
• lsof
• top
• free, hdparm
• fsck
• ls -l

Of course tools are your friend, and some of the tools that we have visited during this module are shown on the slide. I have stressed tools enough that you might want to take a bit of time making sure you are familiar with these before you take the first quiz.

I need to end with a warning about something. Unix tools tend to be lower case and case sensitive. That is, fsck will work, Fsck will not. However, PowerPoint is insistent about capitalizing the first letters of things. So please bear with me, I know what the commands are supposed to look like. I fix them and PowerPoint changes them back. It may win a few. Also, for many of the examples I am using Windows 98 first release and Red Hat 7.0. If you are using a different operating system, please bear with me. Obviously we will load NT 4.0 and Windows 2000 for those sections.

I love forensics, so I have certainly enjoyed myself. I hope you had a good time as well. This is Stephen out!

Course Revision History
v1.5 – S Northcutt – 25 Jun 2000
v1.6 – edited by C Wendt – Jul 2000
v1.7 – edited by J Kolde – Jul 2000
v1.8 – edited by S Northcutt
v1.9 – revised by S Northcutt – Sep 2000 (Special thanks to James Folk)
v2.0 – edited by J Kolde, format grayscale for b/w printing
v2.1 – revised by R Blader and S Northcutt Dec 2000, new soundtrack mastered
v2.2 – revised by S Northcutt – Dec 2000 (Special thanks to Danny Harris)
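
The df versus fdisk point from the Unix filesystem slides (df lists only mounted partitions, fdisk lists every partition) can be turned into a check that names the partitions the kernel knows about but that are neither mounted nor used as swap. This is an added example in Python, not part of the original course material. It assumes a Linux system and reads the text of /proc/partitions, /proc/mounts and /proc/swaps rather than parsing fdisk output; the sample text is constructed, the function names are hypothetical, and treating a 1-block entry as an extended-partition container is a heuristic.

```python
def parse_partitions(text):
    """Parse /proc/partitions rows: major, minor, #blocks, name."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit():
            major, minor, blocks = (int(v) for v in fields[:3])
            rows.append((fields[3], major, minor, blocks))
    return rows


def devices_in_use(mounts_text, swaps_text=""):
    """Device names (without /dev/) that are mounted or active as swap."""
    used = set()
    swap_rows = swaps_text.splitlines()[1:]  # first line of /proc/swaps is a header
    for line in mounts_text.splitlines() + swap_rows:
        fields = line.split()
        if fields and fields[0].startswith("/dev/"):
            used.add(fields[0][len("/dev/"):])
    return used


def is_whole_disk(name, names):
    """True if another entry is a numbered partition of `name` (hda -> hda1)."""
    prefix = name + ("p" if name[-1].isdigit() else "")
    return any(
        other != name and other.startswith(prefix) and other[len(prefix):].isdigit()
        for other in names
    )


def unaccounted_partitions(partitions_text, mounts_text, swaps_text=""):
    """Partitions that fdisk-style listings show but df would never mention."""
    rows = parse_partitions(partitions_text)
    names = {row[0] for row in rows}
    used = devices_in_use(mounts_text, swaps_text)
    return [
        row for row in rows
        if row[0] not in used
        and not is_whole_disk(row[0], names)
        and row[3] > 1  # heuristic: skip 1-block extended-partition containers
    ]


# Constructed sample data; hda7 is the partition nothing accounts for.
SAMPLE_PARTITIONS = """major minor  #blocks  name

   3     0    6342840 hda
   3     1      24066 hda1
   3     2          1 hda2
   3     5    6241221 hda5
   3     6      72261 hda6
   3     7      51200 hda7
"""
SAMPLE_MOUNTS = """/dev/hda5 / ext2 rw 0 0
/dev/hda1 /boot ext2 rw 0 0
none /proc proc rw 0 0
"""
SAMPLE_SWAPS = """Filename Type Size Used Priority
/dev/hda6 partition 72252 0 -1
"""

if __name__ == "__main__":
    hits = unaccounted_partitions(SAMPLE_PARTITIONS, SAMPLE_MOUNTS, SAMPLE_SWAPS)
    for name, major, minor, blocks in hits:
        print(f"/dev/{name} (major {major}, minor {minor}): {blocks} blocks, not mounted")
```

A partition on this list is a lead to follow up, not a verdict: unused spare partitions and members of software RAID or volume managers show up here too.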

Date posted: 21/12/2013, 05:16
