Sunday, August 16, 2009

Capturing Nature - Sky

These pictures were captured during 2006-2007 using Nokia 6230i.

Data Compression Algorithm - Lempel Ziv

This is a universal lossless data compression algorithm designed by A. Lempel, Jacob Ziv, and Terry Welch; it was published by T. Welch in 1984 as an enhanced version of the LZ78 algorithm. The Lempel Ziv algorithm is mostly used in compression tools and formats such as gzip, GIF, and the V.42 modem standard. Two algorithms derived from the Lempel Ziv work are LZ77 and LZ78.

Most data carries a pattern; in an article, for instance, some letters appear more often than others. Data compression techniques exploit this by replacing repeated sequences with short codes, producing output smaller than the original data. Because the method is lossless, the original data can be reproduced exactly. Lempel Ziv uses an adaptive dictionary, which is built while the data is being encoded. The dictionary does not need to be transmitted or stored, since the decoder is able to rebuild it on its own. In theory the dictionary can grow infinitely large; in practice it grows to a certain size and then stops. The recommended dictionary size is 4096.
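As an added illustration (not code from the original post), here is the Welch variant (LZW) of the adaptive-dictionary scheme described above. The encoder builds its dictionary while scanning the input and emits only codes; the decoder rebuilds the identical dictionary from those codes, so the dictionary is never transmitted, and growth is capped at the 4096 entries the post recommends.

```python
# Added example, not the blog's own code: LZW with an adaptive dictionary.
# Single bytes are preseeded (codes 0-255); every later entry is learned
# from the data itself, on both the encoder and the decoder side.
MAX_DICT = 4096  # dictionary cap (12-bit codes), the size the post recommends


def lzw_compress(data: bytes, max_dict: int = MAX_DICT) -> list:
    """Return the list of dictionary codes that encode `data`."""
    dictionary = {bytes([i]): i for i in range(256)}
    w = b""
    out = []
    for byte in data:
        wc = w + bytes([byte])
        if wc in dictionary:
            w = wc  # keep extending the current match
        else:
            out.append(dictionary[w])
            if len(dictionary) < max_dict:  # stop growing once the cap is hit
                dictionary[wc] = len(dictionary)
            w = bytes([byte])
    if w:
        out.append(dictionary[w])
    return out


def lzw_decompress(codes: list, max_dict: int = MAX_DICT) -> bytes:
    """Rebuild the dictionary from the code stream and recover the bytes."""
    dictionary = {i: bytes([i]) for i in range(256)}
    if not codes:
        return b""
    w = dictionary[codes[0]]
    out = [w]
    for k in codes[1:]:
        if k in dictionary:
            entry = dictionary[k]
        elif k == len(dictionary) and k < max_dict:
            entry = w + w[:1]  # code not yet defined: the cScSc special case
        else:
            raise ValueError("invalid LZW code %d" % k)
        out.append(entry)
        if len(dictionary) < max_dict:  # mirror the encoder's dictionary growth
            dictionary[len(dictionary)] = w + entry[:1]
        w = entry
    return b"".join(out)
```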

Friday, August 07, 2009

What is Data Hiding Analysis?

Data hiding analysis is the process of searching a system or hard disk for hidden data. Cybercriminals hide information on a system in the belief that it will not be found by search queries or by the advanced forensic data analysis tools used by forensic investigators. They use a variety of data hiding methods to conceal, inside the hard disk, the information or the application they use to infect, damage or steal: tools such as Invisible software, or simpler methods such as setting the hidden flag in the Windows file system or adding the hidden attribute (-h) at the DOS prompt. In other cases cybercriminals change the file format of the data so that it appears to be something else to other users. For instance, a cybercriminal trying to pass out a confidential business data file (an MS Excel file) might rename it as a picture file; nobody would suspect it, since it looks like a completely different kind of file. Later the cybercriminal renames the file extension back to the Excel format and uses it.
On the other hand, cybercriminals also use steganography techniques to hide data from authorized users. For example, in an MS PowerPoint slide, add a picture of a “duck”, insert a confidential document, shrink it as much as possible, change the font colour of the words to white, group it with the “duck” picture, then save and send it via e-mail. Everyone will think the sender is transferring a picture of a duck to a friend, but in reality the cybercriminal is transferring confidential data without anyone noticing any difference.
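An added example (not code from the original post) of one data hiding analysis check for the renamed-extension trick above: each file's real type is read from its leading bytes and compared with what its extension claims. The file signatures are the standard ones; the sample files are constructed in a temporary directory.

```python
# Added example, not the blog's own code: flag files whose content type
# (from the magic number) does not match what the file extension claims.
import os
import tempfile

# Standard file signatures: legacy Excel (OLE2 compound file), .xlsx (ZIP), JPEG, PNG.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}
# Content types an extension may legitimately carry.
EXPECTED = {".xls": {"ole2"}, ".xlsx": {"zip"}, ".jpg": {"jpeg"},
            ".jpeg": {"jpeg"}, ".png": {"png"}}


def detect_type(head: bytes) -> str:
    """Classify a file by its first bytes; 'unknown' if no signature matches."""
    for magic, name in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return "unknown"


def find_extension_mismatches(root: str) -> list:
    """Return (path, extension, detected type) where content disagrees with extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                detected = detect_type(fh.read(16))
            if ext in EXPECTED and detected not in EXPECTED[ext]:
                findings.append((path, ext, detected))
    return findings


def demo() -> list:
    """Constructed sample: a genuine JPEG beside an Excel file renamed to .jpg."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "duck.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:  # the renamed spreadsheet
        fh.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32)
    return [(os.path.basename(p), e, t) for p, e, t in find_extension_mismatches(root)]
```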

Windows XP Boot Process

When a PC is powered on, the system clock sends clock ticks to start the CPU; the CPU then runs the startup program in the ROM BIOS, which begins the POST (Power On Self Test). The POST tests the functionality of all the hardware devices in the PC and checks whether the PC is in good condition to operate. If the POST completes successfully, initialization of the CPU is finished. During the POST the system also checks whether this power-on occurred due to a soft/warm or a hard/cold start (a cold start is when the machine starts after an improper shutdown, whereas a soft start happens when the machine restarts through proper execution of commands while it is on). On a cold start the POST performs a full test; on a warm start it omits the memory test part of the POST.

The BIOS checks the disk and loads the MBR (Master Boot Record) into memory, and the MBR then takes over the boot process. The boot loader in the MBR searches the partition table for the active partition and reads its first sector to locate the boot record. NTLDR (NT Loader), a system file stored in the system root, then starts loading XP in the following phases:

Initial boot loading – The processor is switched to real mode from protected mode and memory paging is turned on. NTLDR then detects and loads Boot.ini into memory.

Operating system selection – Boot.ini is checked for more than one configured operating system; if two or more are found, the process pauses and the user is allowed to select an OS.

Hardware detection – When XP is selected, NTLDR loads the Ntdetect.com program, which detects the hardware profiles configured for the system. If several hardware profiles are found, it allows a period of time to select one before proceeding with the first profile. NTLDR then loads Ntoskrnl.exe.

Configuration selection – The drivers selected as boot drivers are loaded into the system. In its first phase ntoskrnl.exe disables interrupts and calls the HAL (Hardware Abstraction Layer) to set up the interrupt controller, then re-enables interrupts before the next phase. During the second phase the components below are executed and re-initialized in the given sequence.

a. Object manager

b. Executive

c. Microkernel

d. Security Reference Monitor

e. Memory manager

f. Cache manager

g. LPCS

h. I/O Manager

i. Process Manager

The I/O manager first finishes loading the boot drivers and system drivers, then prioritizes and loads all the other drivers. The Session Manager Subsystem (SMSS) loads the win32k.sys device driver, which switches the screen into graphical mode. After all the device drivers and services have loaded successfully, the configuration is saved as the “Last Known Good Configuration”. The logon process is then started by Winlogon.exe, and lsass.exe (Local Security Authority) displays the logon screen.
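As an added example (not code from the original post), here is a parser for the Boot.ini that NTLDR consults in the operating system selection phase above. It reports whether the loader would show the OS menu (only with two or more entries), whether the default entry matches one of them, and which entries carry the /KERNEL= or /HAL= switches, which substitute another file for Ntoskrnl.exe or the HAL and so deserve a closer look in a review. The Boot.ini text is constructed for this example.

```python
# Added example, not the blog's own code: read a Windows XP Boot.ini and
# report what NTLDR would do with it. /KERNEL= and /HAL= are real Boot.ini
# switches; the sample below is constructed, not taken from a real machine.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Second copy" /fastdetect /KERNEL=ntkrnlxp.exe
"""


def parse_boot_ini(text: str) -> dict:
    """Return timeout, default ARC path and a list of (arc_path, name, switches)."""
    section = None
    cfg = {"timeout": None, "default": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "boot loader" and key.lower() == "timeout":
            cfg["timeout"] = int(value)
        elif section == "boot loader" and key.lower() == "default":
            cfg["default"] = value
        elif section == "operating systems":
            # value looks like: "Display name" /switch1 /switch2
            name, _, rest = value.partition('"')[2].partition('"')
            cfg["entries"].append((key, name, rest.split()))
    return cfg


def analyse_boot_ini(text: str) -> dict:
    cfg = parse_boot_ini(text)
    paths = [path for path, _, _ in cfg["entries"]]
    flagged = [name for _, name, switches in cfg["entries"]
               if any(s.upper().startswith(("/KERNEL=", "/HAL=")) for s in switches)]
    return {
        "shows_menu": len(cfg["entries"]) > 1,  # NTLDR pauses for a choice only then
        "default_listed": cfg["default"] in paths,
        "timeout": cfg["timeout"],
        "nonstandard_kernel_or_hal": flagged,
    }
```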