FINAL Final - DFIR
Dd (Data dump)
A Linux command line utility for cloning (duplicating) or restoration of secondary storages, such as drives. The tool can be used on live drives.
PhotoRec
A powerful free, open-source, and multi-platform carving tool that focuses on rebuilding and recovering media files. This tool
EnCase
A proprietary tool that includes many advanced features for image inspection. It can collect data from block devices, decrypt encrypted data, create forensic block device images, investigate data, and generate a report for the user.
DNS Cache
A temporary database, maintained by a computer's operating system, that contains records of all the recent visits and attempted visits to websites and other internet domains.
Bulk Extractor
A tool that attempts to rebuild and recover files without using a specific file system structure. It is known for its speed and thoroughness. It ignores file system structure; it can process different parts of a disk in parallel.
Alert
Actionable warning or error message that requires someone's attention
Capture format
Choose the right ______________.
Black Holing Shunt
DDoS traffic from a malicious network should be dropped and prevented from reaching its destination.
Debug
Generated by applications for troubleshooting purposes
NTFS
Microsoft Windows' latest file system. Includes notable features and advantages over older file systems.
CMD
creating and loading data streams is done via CMD.
CAINE Live
digital forensics toolset that can be booted from a "live" media, such as USB, and run directly from memory.
Netstat
displays routing tables, open and established sockets, incoming and outgoing TCP connections, and a variety of network interfaces through the command-line.
registry changes
registry operations performed by a process
Collected disk images
these can be mounted directly in Linux to access their data.
HxD
Although not a carving software, it is commonly used to view raw data. This tool is a hex editor that can edit a raw disk of any size and modify RAM.
external source
Always capture to THIS
Tactics, Techniques and Procedures
Describes the behavior of a malicious actor
Host Isolation
Disconnect an infected system from the network
Indicators
Events or artifacts that indicate an imminent attack or in-progress intrusion
Documentation
Findings, evidence, and operations that were undertaken must be included in proper _____________
Informational
Generated during a benign operation, with records of normal and expected behavior
Error
Generated when an _____ occurs in the OS or other system software
Segmentation
Isolate infected networks from clean machines
incident response policy
The most important responsibility an incident response team has is to create THIS
DLL Dump
Some DLLs loaded by processes can be dumped with this plugin.
state capture
THIS is crucial to an investigation because it allows analyzing a threat in identical conditions within a lab
memory acquisition
THIS should be done before drive acquisition
System interaction
THIS should be minimal. Forensic evidence should be acquired only from relevant parts of the system.
Log Files
These enable an investigator to obtain a picture of what went on in a digital system. THESE can be located in various directories and may have to be searched for.
DF team
This team responds after an attack
Responsible, Accountable, Consulted, Informed
What does RACI stand for?
Find evidence
What responsibility does a Digital Forensics team have?
PID
a unique ID assigned to a running process
process
an instance of a program
file system modifications
file operations performed by a process
Flare VM
performs malware analysis and reverse engineering in Windows systems.
journaling
records all metadata changes made on the volume to protect the file system in the event of a crash or mishandled files.
MBR (Master Boot Record)
stores the partition information in the first sector of a disk. Refers to a specific boot sector at the very beginning of the hard disk; it holds information on how the partitions are organized on the hard disk.
sterilized media
use THIS for acquisition
IOC (Indicator of Compromise)
use patterns of known indicators related to past attacks, to prevent attack propagation
Live USB
used for data acquisition and performing live forensics techniques. They are loaded with a complete functioning operating system that can be booted on a computer from a connected flash drive.
ISO
used for images of optical block devices, such as CD-ROM and DVD media
Hashing
used to verify that the file compiled from the carving process matches files that were involved in the data breach.
Find undetected threats
what does the Threat Hunting team do?
DumpIt
An acquisition tool often used in Windows systems to dump data from memory and investigate processes that were running on the machine. It is a combination of two tools: win32dd and win64dd.
Rekall
An advanced forensics and incident response framework, developed by Google. It leverages exact debugging information provided by operating system vendors to precisely locate significant kernel data structures.
Volatility
An open-source collection of Python-based tools that support both Linux and Windows. It has an option to read different types of memory dumps and filter them according to different parameters.
Function, Information, Recovery
FIR method
Warning
Generated when something is missing or required by an application or system
Cached Data
Semi-permanent files that are often used to optimize user experience but can also be used to track user activity, such as web browser history, recently used or accessed programs and files, DNS cache, and web browser cookies. Investigating the contents of THIS can reveal step-by-step activity.
a cyber event
The DFIR process begins when THIS occurs
IR Team
This team responds during an attack
Reduce further damage
What does an Incident Response team do?
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
What is PICERL?
Tier 3 in a SOC
Which team is always threat hunting?
FTK Imager
a GUI-based program with advanced features for capturing primary and secondary storages, including memory and drives. It includes an option to clone drives on virtual machines.
PowerForensics
a PowerShell module designed for forensics operations. It provides a framework for hard drive forensic analysis. Can be used for both live systems and mounted drive captures (dead Windows analysis).
Raw
a bit-by-bit copy of the captured drive or partition. dd is an example of a tool that uses this format.
/proc/modules
a good example of the Linux method of file representation; it lists all modules loaded into the kernel
remote connections
a list of outbound connections initiated by a process
GPT (GUID Partition Table)
a newer partitioning scheme that was developed as an alternative to MBR. Supports 128 disk partitions. Not limited to 2TB. Periodically checks for errors and data corruption.
FTK
a proprietary set of utilities that includes an imager tool, and tools used to inspect cloned drives
Browser Forensics
a user's searches, other activities, and most of the collected data can be retrieved by analyzing the _________ cache and history files.
ADS
allows more than one data stream to be associated with a file. These are often misused by attackers to hide executable sections within an allegedly benign file to bypass traditional detection mechanisms.
Autoruns
an example of a tool that can be used to identify possible startup locations
Expert Witness Format (EWF)
an image of a disk volume, data storage device, or RAM
Autopsy
an open-source tool that serves as a front-end GUI to The Sleuth Kit, which is a collection of command line tools that can perform block device, volume and file system analysis.
startup programs
can be evidence of persistent malware that is activated by a certain trigger.
explorer.exe
can load only the default data of the file.
static binaries
executables that can run independently of system libraries.
SIFT Workstation
features tools for reverse engineering, incident response, network forensics, threat intelligence, etc.
block storage
less volatile area
user is logged on
memory captures are better if...
DLL usage
module load operations performed by a process
memory
more volatile area
Ext4
most common file system in Linux distributions. The analysis process for this file system is similar in concept to that of NTFS.
Magic Numbers
the easiest and fastest way to do file carving is to look for these. They indicate the beginning of the file.
file carving
the process of obtaining deleted files and metadata in data streams
File Carving
the process of reading data from unallocated portions of media and using a tool to determine if the information can be pieced together.
Processes
these may indicate malicious activity, and identify _________ that are acting erratically
type
this command can be used to read or redirect the output of a data stream.
dir /R
this command via CMD will display the content of a folder with its files, including any ADS that exist
ProcDump
this dumps a process as an executable. The executable can then be further inspected and analyzed.
network data
this is useful to identify back doors or malware beaconing.
MRU (most recently used)
this list is used by the Windows OS to quickly locate recently used files and can provide valuable evidence in a forensics context.