Review 1

A user is suspected of deleting files using a wiping tool. Which artifact should be reviewed for Directory Metadata information?

$I30 file

Which two files track changes within the NTFS file system Journaling

$Logfile and $UsnJrnl

Evidence of Timestamp manipulation can include

$S_I (B) time prior to $F_N (B) time Fractional second values are all zeroes $S_I (M) time prior to ShimCache time $S_I times prior to $I30 slack entries MFT entry number is significantly out of sequence

Which variable can be used by fileless malware to call the executable CMD.EXE on a Windows System?

%COMSPEC%

Using MACTIME program what is the correct syntax to gather a timeline

./mactime -b (switch)

What file signature can be used to carve for deleted MFT entries?

0x 46 49 4C 45

$MFTMIRR

A backup copy of the first four records of the M FT

This file should be examined for indications of malicious content

A file in C:\Windows\System32 With an ADS of Zone.Identifier of 3

What command will list all persistent VSC on Windows host

Admin - CLI - vssadmin list shadows

what ca be detected by timeline analysis

Anti-Forensics

Which tools can be used for full-analysis of VSC

Arsenal Image Mounter, F-Response, VShadowMount

What type f Index does NTFS utilize?

B-Tree index

Term for classifying an attackers preferences by combining info such as: IP address, Custom Malware, Target selection?

Behavioral Indicators

What king of input does the MACTIME tool take?

Body File

Which NTFS timestamp will change when an Admin gives ownership permissions of a file to a User?

C- Metadata Change

Which MACB standard time field is updated when a file is renamed?

C- Metadata changed

An analyst us investigating a suspicious file, an executable, Prefetch indicates the file has executed numerous times. What would be the next step based off Prefetch Data?

Calculate the sha-256 hash of the executable and search for it on VirusTotal.com

When examining a system that has been mounted as a VM, which technique could identify persistent malware?

Checking for applications that start automatically in HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run

Incident Response indicates a remote user clicked on a link and now the corporate site is upside down and they can't connect to a VPN. What should the IR team first action be?

Confirm website has not been defaced Review the recent access logs for the users Confirm the information relayed

What is the forensic purpose of investigating the $I30 file

Contains a list of the file name indexes for a Directory

$Logfile

Contains transactional info used by NTFS to maintain integrity of the filesystem in the even of a crash

Describe Reflective Code Injection

Custom loaders are used to bypass common API functions

What can be determined based on artifacts found in the Windows 8+ AppCompatCache registry key?

Date and time an executable was last modfied

A computer on a local area network has been compromised by a RAT, what is the next step in the identification phase of incident handling?

Determine if other network systems have been compromised

At offset 0x16 within the MFT record what is the value of 0x02

Directory ha been deleted

At offset 0x16 within the MFT record what is the value of 0x03

Directory in use

Which tool can be used to generate a bodyfile when examining a CD?

FLS

Name two places to find Filename layer artifacts - filenames

File System Metadata- MFT entry Directory Data $I30 contains list of children files/directories

At offset 0x16 within the MFT record what is the value of 0x01

File in use

What's the next step after creating a timeline with log2timeline.py?

Filter the timeline with PSORT.py

a third-party Audit of externally facing infrastructure after recent breaches falls under which category of the incident response process?

Follow-Up

$Volume

Friendly name of volume for display in My Computer. NTFS version and mount flags

Where are the excluded files and folders located for Volume Shadow Copies or Snapshot?

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNottoSnapshot

A User deleted a key from: Software\Microsoft\Windows\CurrentVersion\Runonce Which Registry key could restore the Runonce key after reboot?

HKLM\System\CurrentControlSet\Services

Which tool is a cross platform tool for parsing $I30 index files?

INDXparse.py Tool

What is the purpose of Volatility's plugin KDBGscan?

Identifies the Windows OS build string

An Adversary has been identified within a network, they are actively moving through systems and encrypting data. What would contain this event?

Identify the attack vector and remove the compromised services from the workstations.

What type of artifacts can you analyze with TSK icat?

Image file, MFT or inode number, specific attribute Id "Zone.Identifier"

Which two tools can be used to parse $I30 files

Indx2Csv (export/carved) and Velociraptor for live systems

Characteristics of an NTFS resident file can include what?

It is a small file less than 600 kb

Which tool could be used along with third-party tools by and IR team looking to capture info on the applications which will be launched at Startup from a subnet of Windows hosts?

KANSA

Which tools can be used to Triage VSC

KAPE and Velociraptor

What type of credentials can be stolen by a successful attack on service that was started as a scheduled task?

LSA Secret - Schedules tasks have passwords saved as LSA secrets

What is a type 2 logon?

Logging on through the console

$LogFile

Low-Level transactional logs for NTFS, full payload, indexes, UsnJrnl, 64MB - but can be adjusted (Flight Recorder)

Which MFT Record is always reserved for the Root of the Volume?

MFT Record #5

Which MFT record number would the NTFS file system check to find if a cluster is in use?

MFT Record #6 - $Bitmap - shows free & unused clusters

What is the term for a Windows object that limits access to a single process at a time?

MUTEX

$MFT

Master File Table - A database that tracks every file in the volume

MFT Entry Allocated

Metadata filled out / Pointers to clusters

Which default Windows artifact would examine to detect a malicious executable maintaining persistence?

NTUSER.DAT

Which of the following should be collected in order to construct a timeline relevant to file downloading activities?

NTUSER.DAT hive Open/Save MRU

What are the possible ADS zones?

NoZone=1 MyComputer=0 Intranet=1 Trusted=2 Internet=3 Untrusted=4

At offset 0x16 within the MFT record what is the value of 0x00

Not in use unallocated

Using F-Response and KAPE

OS- Windows Use-Triage Imaging/artifact post processing Deployed-Manual -designed for standalone Advantage-Powerful & simple to use Disadvantage- Not designed for large-scale remote use

Describe KANSA

OS= Windows Use= IR & threat hunting Deploy= PowerShell remoting via GPO Advantages-Uses PS remoting for efficiency & credential safety Disadvantage- Not for acquisitions

At what offset is the Hard Link Count to determine how many $File_Name attributes exist for a record?

Offset 0x12

The portion of the MFT record that describes the states given as options resides at what offset

Offset 0x16 Values Can be 0x00, 0x01, 0x002, 0x03

Which attack technique uses an NT hash to request a service ticket and mount a remote file share?

Over Pass the Hash - OPTH

The tool Indx2Csv can be used to parse what artifact?

Parsing exported or carved $I30 files Active and slack entries

What is the tool istat used for?

Part of TSK displays statistics about a given metadaa structure aka inode, including MFT entries

Under which category of ATT&CK would a defender place and artifact that indicates tampering with component firmware?

Persistence

Applications running from a Temp Directory indicate what?

Processes should not continue to run from a Temp location, could indicate malicious activity

Which class of Malware can modify the input to a live incident response powershell collection script?

Rootkit

What are deleted $I30 Index entries called?

Slack entries

What is the best option for acquiring the memory of a compromised machine running in VMware?

Suspend the VM and copy the .vmem file from the host

What is Copy-On -Write (COW)

Technique to efficiently store just data differences on VSC/Snapshots

What is the size of backed up blocks within a VSC/Snapshot?

The backed up blocks are stored in 16kb chunks

Where are the VSC/Snapshot backup 16kb block chunks files stored?

The file are stored in the System Volume Information Directory at the Root of the Volume

How many timestamp values are present if the filename is too long and Windows has to shorten the filename to 8.3 standards?

The long and short filename attributes each have 4 timestamps each for a total of 12 $SI = 4 $FN=4 $8.3=4

What is the tracking file called for a VSC and in what format is the name?

The name of the tracking file is called the Catalog and it is in a GUID format

Running malfind plugin produces this output Process: lsass.exe Pid:1928 VadTag:Vad protection: Page_Execute_ReadWrite

The process memory section is marked as an executable with no associated mapped file on disk

Locating time stamps that have all zeroes is an indicator of what?

Timestamps were manually altered using an anti-forensics tools

$BITMAP

Tracks the allocation (in-use versus free) of each duster in the volume

What data structure is responsible for tracking every memory section assigned to a process?

Virtual Address Descriptor (VAD)

During the examination of a Windows 8 workstation application compatibility shim cache - What does the EXEC Flag value represent?

Whether the program has been run on the system

What does SIGCHECK tell you?

Will indicate if a certificate was explicitly revoked by its issuer This can be an indicator of malware trying to hide on the system

What tool can be used to analyze VSC within linux

Within Linux VM you can use Libvshadow, vshadowmount and vshadowinfo to analyze VSCs within linux - free tools

you've used log2timeline.py to analyze VSC snapshots, explain why you might have duplicates?

an entry MACB are the same, these files will produce duplicates, metadata info extracted from a file stored in numerous places

Which techniques can malware use to hide evidence or process injection?

by injecting code that does not use the portable executable format (mz) header

$Extend\$UsnJrnl

change journal, index listing all of the files that have changed on the system and why,

Vshadowmount command does what?

exposes all VSC as raw disk images for examination within Linux Sift

what is the size of a file that could be resident within an MFT record?

less than 600 bytes

Vshadowinfo

lists all available shadow snapshots in a disk image in Linux

MFT Entry Unallocated

metadata may or may not be filled out if filled out, its from a deleted file/folder The clusters may have been reused

What does the following volatility command tell you: vol.py -f bc2.vmem malfind | grep mz |wc -L output: 1

one section within the memory image contains an executable Window's binary

How does Windows Management Instrumentation (WMI) help and attacker evade detection?

the malware will only run when certain conditions are met WMI- allows triggers to be set when a condition is met Malware doesn't need to run on startup Avoids behavioral patterns this way

The Hard link County at offset 0x12 refers to?

the number of $File_Name attributes there are for the file

For the past 6 months, exactly 13 hrs after patches are released your web server receives 7 suspicious packets from and IP in Europe. How can you classify this activity?

the timing and recurrence of the attack demonstrate a Behavioral Indicator