FINAL Final - DFIR

Dd (Data dump)

A Linux command line utility for cloning (duplicating) or restoration of secondary storages, such as drives. The tool can be used on live drives.

PhotoRec

A powerful free, open-source, and multi-platform carving tool that focuses on rebuilding and recovering media files. This tool

EnCase

A proprietary tool that includes many advanced features for image inspection. It can collect data from block devices, decrypt encrypted data, create forensic block device images, investigate data, and generate a report for the user.

DNS Cache

A temporary database, maintained by a computer's operating system, that contains records of all the recent visits and attempted visits to websites and other internet domains.

Bulk Extractor

A tool that attempts to rebuild and recover files without using a specific file system structure. It is known for its speed and thoroughness. It ignores file system structure; it can process different parts of a disk in parallel.

Alert

Actionable warning or error message that require someone's attention

Capture format

Choose the right ______________.

Black Holing Shunt

DDoS traffic from a malicious network should be dropped and prevented from reaching its destination.

Debug

Generated by applications for troubleshooting purposes

NTFS

Microsoft Windows latest file system. Includes notable features and advantages over older file systems.

CMD

creating and loading data streams is done via CMD.

CAINE Live

digital forensics toolset that can be booted from a "live" media, such as USB, and run directly from memory.

Netstat

displays routing tables, open and established sockets, incoming and outgoing TCP connections, and a variety of network interfaces through the command-line.

registry changes

registry operations performed by a process

Collected disk images

these can be mounted directly in Linux to access its data.

HxD

Although not a carving software, it is commonly used to view raw data. This tool is a hex editor that edit a raw disk of any size, and modify RAM.

external source

Always capture to THIS

Tactics, Techniques and Procedures

Describes the behavior of a malicious actor

Host Isolation

Disconnect an infected system from the network

Indicators

Events or artifacts that indicate an imminent attack or in-progress intrustion

Documentation

Findings, evidence, and operations that were undertaken must be included in proper _____________

Informational

Generated during a benign operation, with records of normal and expected behavior

Error

Generated when an _____ occurs in the OS or other system software

Segmentation

Isolate infected networks from clean machines

incident response policy

Most important responsibility an incident response team has to create THIS

DLL Dump

Some DLLs loaded by processes can be dumped with this plugin.

state capture

THIS is crucial to an investigation because it allows analyzing a threat in identical conditions within a lab

memory acquisition

THIS should be done before drive acquisition

System interaction

THIS should be minimal. Forensic evidence should be acquired only from relevant parts of the system.

Log Files

These enable an investigator to obtain a picture of what went on in a digital system. THESE can be located in various directories and may have to be searched for.

DF team

This team responds after an attack

Responsible, Accountable, Consulted, Informed

What does RACI stand for?

Find evidence

What responsibility does a Digital Forensics team have?

PID

a unique ID assigned to a running process

process

an instance of a program

file system modifications

file operations performed by a process

Flare VM

performs malware analysis and reverse engineering in Windows systems.

journaling

records all metadata changes made on the volume to protect the file system in the event of a crash or mishandled files.

MBR (Master Boot Record)

stores the partition information in the first sector of a disk. Refers to specific boot sector at the very beginning of the hard disk and it holds some information on how the partitions are organized on a hard disk.

sterilized media

use THIS for acquisition

IOC (Indicator of Compromise)

use patterns of known indicators related to past attacks, to prevent attack propagation

Live USB

used for data acquisition and performing live forensics techniques. They are loaded with a complete functioning operating system that can be booted on a computer from a connected flash drive.

ISO

used for images of optical block devices, such as CD-ROM and DVD media

Hashing

used to verify that the file compiled from the carving process matches files that were involved in the data breach.

Find undetected threats

what does the Threat Hunting team do?

DumpIt

An acquisition tool often used in Windows systems to dump data from memory and investigate processes that were running on the machine. It is a combination of two tools: win32dd and win66dd.

Rekall

An advanced forensics and incident response framework, developed by Google. It leverages exact debugging information provided by operating system vendors to precisely locate significant kernel data structures.

Volatility

An open-source collection of Python-based tools that support both Linux and Windows. It has an option to read different types of memory dumps and filter them according to different parameters.

Function, Information, Recovery

FIR method

Warning

Generated when something is missing or required by an application or system

Cached Data

Semi-permanent files that are often used to optimize user experience but can also be used to track user activity, such as web browser history, recently used or accessed programs and files, DNS cache, and web browser cookies. Investigating the contents of THIS can reveal step-by-step activity.

a cyber event

The DFIR process begins when THIS occurs

IR Team

This team responds during an attack

Reduce further damage

What does an Incident Response team do?

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

What is PICERL?

Tier 3 in a SOC

Which team is always threat hunting?

FTK Imager

a GUI-based program with advanced features for capturing primary and secondary storages, including memory and drives. It includes an option to clone drives on virtual machines.

PowerForensics

a PowerShell module designed for forensics operations. It provides a framework for hard drive forensic analysis. Can be used for both live systems and mounted drive captures (dead Windows analysis)

Raw

a bit-by-bit copy of the captured drive or partition. dd is an example of a tool that uses this format..

/proc/modules

a good example of the Linux method of file representation; it lists all modules loaded into the kernel

remote connections

a list of outbound connections initiated by a process

GPT (GUID Partition Table)

a newer partitioning scheme that was developed as an alternative to MBR. Supports 128 disk partitions. Not limited to 2TB. Periodically checks for errors and data corruption.

FTK

a proprietary set of utilities that includes an imager tool, and tools used to inspect cloned drives

Browser Forensics

a user's searches and other activities and most of the collected data can be retrieved by analyzing the _________ cache and history files.

ADS

allows more than one data stream to be associated with a file. These are often misused by attackers to hide executable sections within an allegedly benign file to bypass traditional detection mechanisms.

Autoruns

an example of a tool that can be used to identify possible startup locations

Expert Witness Format (EWF)

an image of a disk volume, data storage device, or RAM

Autopsy

an open-source tool that serves as a front-end GUI to The Sleuth Kit, which is a collection of command line tools that can perform block device, volume and file system analysis.

startup programs

can be evidence of persistent malware that is activated by a certain trigger.

explorer.exe

can load only the default data of the file.

static binaries

executables that can run independently of system libraries.

SIFT Workstation

features tools for reverse engineering, incident response, network forensics, threat intelligence, etc.

block storage

less volatile area

user is logged on

memory captures are better if...

DLL usage

module load operations performed by a process

memory

more volatile area

Ext4

most common files system in Linux distributions. Analysis process of this file system is similar in concept to NTFS

Magic Numbers

the easiest and fastest way to do file carving is to look for these. They indicate the beginning of the file.

file carving

the process of obtaining deleted files and metadata in data streams

File Carving

the process of reading data from unallocated portions of media and using a tool to determine if the information can be pieced together.

Processes

these may indicate malicious activity, and identify _________ that are acting erratically

type

this command can be used to read or redirect the output of a data stream.

dir /R

this command via CMD will display the content of a folder with its files including ADS, if it exists

ProcDump

this dumps a process as an executable. The executable can then be further inspected and analyzed.

network data

this is useful to identify back doors or malware beaconing.

MRU (most recenly used)

this list is used by the Windows OS to quickly locate recently used files and can provide valuable evidence in a forensics context.