C702 PA Main Study test

7036

<Windows Protection Service> has entered the stopped state.

Storage Area Network (SAN)

A Storage Area Network (SAN) is a dedicated high-speed network that provides access to consolidated block-level storage Its architecture allows a network of storage devices to be accessible to multiple servers as attached drives by eliminating network bottlenecks It consists of components such as interconnected hosts, multiple switches, and storage devices which can be connected via Fiber Channel Technology since it supports faster data rates and uninterrupted data access

Base Station Controller:

A base station controller (BSC) manages the transceiver equipment and performs channel assignment. It is a part of the GSM architecture that controls one or more BTSes and the cell site radio signals to reduce the load on the switch.

Base Transceiver Station:

A base transceiver station (BTS) is a radio transceiver equipment that facilitates users with wireless communication between a mobile phone and a network.

NewCredentials

A caller cloned its current token and specified new credentials for outbound connections

4688

A new process has been created

4657

A registry value was modified

7045

A service was installed in the system

Service

A service was started by the Service Control Manager

Subscriber Identity Module:

A subscriber identity module (SIM) can store sensitive data such as user contacts, messages, and the time stamps associated with them. It also contains technical information such as the Integrated Circuit Card Identifier (ICCID), International Mobile Subscriber Identity (IMSI), last dialed numbers (LDNs), and service provider name (SPN), which help a forensic investigator during cell phone data acquisition.

Interactive

A user logged on to this computer

NetworkCleartext

A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form

RemoteInteractive

A user logged on to this computer remotely using Terminal Services or Remote Desktop

CachedInteractive

A user logged on to this computer with network credentials that were stored locally on the computer

Network

A user or computer logged on to this computer from the network

Active@ File Recovery

Active@ File Recovery contains a CD/DVD ISO image that allows one to burn a bootable CD or DVD with a lightweight version of Windows 7 running in RAM (WinPE 3.0). It can recover data in case the system is not bootable and cannot attach the damaged hard disk drive to another machine

What is a benefit of a web application firewall (WAF)?

Acts as a reverse proxy to inspect all HTTP traffic

Amazon CloudWatch

Allows the inspection, access and storage of log files from various AWS sources such as AWS CloudTrail, EC2 instances, and Route 53. It helps in collecting all log data to a centralized location and analyzes them by performing custom search queries These logs can be viewed as log streams that capture a sequence of log events from the same instance or resource.

4663

An attempt was made to access an object

Authentication Center:

An authentication center (AuC) stores the user's IMSI, encryption, and authentication keys.

Equipment Identity Register:

An equipment identity register (EIR) is a database that contains a list of mobile devices along with their IMEI numbers. A mobile network operator can analyze the EIR to track the IMEI of a mobile device and check if it is valid (whitelisted or blacklisted), suspected, or stolen/blocked (blacklisted), and accordingly take action, if required.

4660

An object was deleted

Static Analysis

Analyze without running the code Analyzing the binary code provides information such as data structures, function calls, call graphs, etc. Load the binary code on to the test system (preferably the OS on which the malware is not designed to run) to analyze its static properties Some of the static properties of the binary code to be examined include strings embedded into the file, header details, hashes, embedded resources, packer signatures, metadata etc. File fingerprinting Online malware scanning Performing strings search Identifying packing / obfuscation methods Finding the portable executables (PE) information Identifying file dependencies Malware disassemble

Exit Relay

As the final relay of the Tor circuit, the exit relay receives the client's data from the middle relay and sends the data to the destination website's server. The exit relay's IP address is directly visible to the destination. Hence, in the event of transmission of malicious traffic, the exit relay is suspected to be the culprit, as it is perceived to be the origin of such malicious traffic. Hence, the exit relay faces the most exposure to legal issues, take-down notices, complaints, etc., even when it is not the origin of malicious traffic

Batch

Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention

How does a hacker bypass a web application firewall (WAF) with the toggle case technique?

By randomly capitalizing some of the characters

Data Rescue 4

Data Rescue for Mac software recovers files from a crashed or virus-corrupted hard drive. It recovers photos, videos, and documents from crashed, corrupted, or non-mounting hard drives; accidentally reformatted hard drives or reinstalled OS; and previous deletion, damaged, or missing files. It can recover all file types from any HFS/HFS+ formatted drive.

Volatile Data

Data that are lost as soon as the device is powered off; examples include system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.

On Windows Vista and later versions, it is located in

Drive:\$Recycle.Bin\<SID>

On older FAT file systems (Windows 98 and prior)

Drive:\RECYCLED

On Windows 2000, NT, and XP it is located in

Drive:\RECYCLER\<SID>

GIF Files

GIF is a file format that contains 8 bits per pixel and displays 256 colors per frame. The format was developed by CompuServe in 1987. GIF uses lossless data compression techniques, which maintain the visual quality of the image. The GIF file structure includes a header, image data, optional metadata, and a footer. The hex value of a GIF image file starts with the values 47 49 46, which represent the GIF filename.

Russian Standard

GOST P50739-95

Malware often modifies the below-mentioned registry keys to continue running on the system whenever the user logs in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Expl orer\Run

PDF Files

Hex values for a PDF begin with 25 50 44 46, which is the signature of every PDF file representing the %PDF values in hexadecimal form. The file version of PDF follows this signature, while the file ends with the %EOF value, representing the end of file

Android Debug Bridge (ADB)

Is a command-line tool that allows investigators to connect the device to a forensic workstation through a USB and communicate with it The ADB commands facilitate device actions such as copying files back and forth, installing and uninstalling applications, and running shell commands on a device To use ADB commands to control an Android device over USB, the investigator should first enable the USB debugging feature

EaseUS Data Recovery Wizard

Is used to perform format recovery and unformat and recover deleted files emptied from Recycle Bin or data lost due to partition loss or damage, software crash, virus infection, unexpected shutdown, or any other unknown reasons under Windows 10, 8, 7, 2000/XP/Vista/2003/2008 R2 SP1/Windows 7 SP1. This software supports hardware RAID and hard drive, USB drive, SD card, memory card, etc.

Dynamic Analysis

It refers to the process of studying the behavior of a malware by running it in a monitored environment Dynamic malware analysis makes it easy for the investigators to observe in real-time how the malware interacts with the system properties and the network Two approaches to dynamic malware analysis: Monitoring Host Integrity It involves taking snapshots of the system state using the same tools before and after the analysis to detect changes made to the entities residing in the system Observing Runtime Behavior It involves live monitoring the behaviour of the chosen malware as it runs on the system

manual Analysis

Manual

JPEG files

Maximum compression ratio 90% A JPEG bit stream contains a sequence of data chunks. Every chunk starts with a marker value, with each marker having a 16-bit integer value, and it is stored in the big-endian byte format. The most significant bit of the marker is set to 0xff. The lower byte of the marker determines the type of marker

What should a forensic investigator collect to analyze the email artifacts of a Tor Browser session?

Memory dump

Mondo Rescue

Mondo Rescue is a GPL disaster recovery solution. It supports Linux (i386, x86_64, ia64) and FreeBSD (i386). It's packaged for multiple distributions (Fedora, RHEL, openSuSE, SLES, Mandriva, Mageia, Debian, Ubuntu, Gentoo). It supports tapes, disks, network and CD/DVD as backup media, multiple filesystems, LVM, software and hardware Raid, BIOS and UEFI.

American:

NAVSO P-5239-26 (MFM) DoD 5220.22-M NAVSO P-5239-26 (RLL) NIST SP 800-88 (Not necessarily exclusively American)

adb pull

On an unlocked and unrooted Android device, the investigator can perform logical acquisition by connecting the device to the forensic workstation via USB and running the adb pull command to acquire data

Metadata

Organization name Author name Computer name Network name Hidden text or cells Document versions Template information Personalized views Non-visible portions of embedded OLE objects

Non-volatile Data

Permanent data stored on secondary storage devices such as hard disks and memory cards; examples include hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, event logs, etc.

How should a forensic investigator preserve evidence on a cell phone during transport without altering any digital evidence?

Place the device in a Faraday bag

PNG Files

Portable Network Graphics (PNG) is a lossless image format intended to replace the GIF and TIFF formats. PNG improves the GIF file format and replaces it with an image file format. It is copyright and license free. The PNG file format supports 24-bit true color, transparency in both the normal and alpha channels, as well as indexed/palette-based images of 24-bit RGB or 32-bit RGBA colors and grayscale images. The PNG file signature consists of the reminder of a file having a single PNG image. These images are comprised of a series of chunks, starting with an IHDR chunk and ending with an IEND chunk. The hex values of a PNG file, as shown in the screenshot below, begin with 89 50 4e, which is the hex value for GIF.

ProDiscover Forensics

ProDiscover Forensics is a computer security tool that enables computer professionals to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports for use in legal proceedings.

Which media sanitization method does the NIST SP 800-88 recommend for making recovery infeasible while still allowing the media to be reused?

Purge Clear: Logical techniques applied to sanitize data in all storage areas using the standard read and write commands Purge: Involves physical or logical techniques to make the target data recovery infeasible by using state-of-the-art laboratory techniques Destroy: Enables target data recovery to be infeasible with the use of state-of-the-art laboratory techniques, which result in an inability to use the media for data storage

R-Studio

R-STUDIO is the data recovery solution for recovery of files from NTFS, NTFS5, ReFS, FAT12/16/32, exFAT, HFS/HFS+, and APFS (Macintosh), Little and Big Endian variants of UFS1/UFS2 (FreeBSD/OpenBSD/NetBSD/Solaris), and Ext2/Ext3/Ext4 FS (Linux) partitions. It also uses raw file recovery (scan for known file types) for heavily damaged or unknown file systems. It functions on local and network disks, even if such partitions are formatted, damaged, or deleted.

Recover4all Professional

Recover4all software recovers (undeletes) files that were accidentally deleted under Windows. It recovers the files that were accidently deleted from the Recycle Bin, or if the drive was formatted, or if the file system was damaged. Recover4all does not require installation and can run directly from a USB disk, flash drive, etc.

net share

Retrieve information on all resources that are shared on the local computer.

Information_Schema

Stores information related to all databases, along with the read-only tables Provides access to the database metadata

Bags Key: (?)

The Bags key consists of various numerically named subkeys and under each of these subkeys there is a "Shell" key which stores the view preferences of the folder, such as position of the window, location, view mode, and sort methods for items within the window

5156

The Windows Filtering Platform has allowed connection

BMP files

The bitmap image file (BMP) format, device-independent bitmap (DIB) file format, or simply a bitmap is a standard graphics image file format used to store images on Windows OSes. Microsoft developed this format so that Windows can display an image on any type of screen. Bitmap images can include animations. The size and color of these images can vary from 1 bit per pixel (black and white) to 24-bit color (16.7 million colors). A bitmap file always has 42 4D as the first characters in hexadecimal representation. These characters translate to BM in the ASCII code

BagMRU

The information of folders recently accessed by the user is stored in the BagMRU key and its subkeys. Each of these subkeys store folder names and record folder path corresponding to the hierarchy of when they are accessed through Windows Explorer

Middle Relay

The middle relay is used for the transmission of data in an encrypted format. It receives the client's data from the entry relay and passes it to the exit relay.

Mobile Switching Center:

The mobile switching center (MSC) processes calls and messages within a network and routes them between landline and wireless networks.

Primary Data Files

The primary data file (MDF) is the starting point of a database; it points to other files in the database. Every database has a primary data file that stores all data in the database objects (tables, schema, indexes, etc.). The file name extension for the primary data files is .mdf.

Secondary Data Files

The secondary data files (NDF) are optional. A database contains only one primary data file, but it can contain zero/single/multiple secondary data files. The secondary data files can be stored on a hard disk, separate from the primary data file. The file name extension for the secondary data files is .ndf

7040

The start type of <Windows Protection Service> was changed from autostart to demand start/auto start to disabled

Transaction Log Data Files

The transaction log data files (LDF) hold the log information associated with a database. A transaction log file helps a forensic investigator in examining the transactions that occur in a database and recover the deleted data, if required. The file name extension for the transaction log date files is .ldf and each file is divided into multiple virtual log files.

Base Station Subsystem:

This is one of the major sections of a cellular network. It controls the BSC and BTS units. It is responsible for: Handling the traffic The network switching system and signaling between cell phones

Home Location Register:

This is the database at the MSC that stores the data related to the subscribers and other services.

Visitor Location Register:

This is the database used for the mobile phones roaming outside their service area. It contains the current location of the mobile user as well as the Temporary Mobile Subscriber Identity (TMS

Entry/Guard Relay

This relay provides an entry point to the Tor network. When attempting to connect via the entry relay, the IP address of the client can be read. The entry relay/guard node transmits the client's data to the middle node.

Unlock

This workstation was unlocked

Mysqlaccess

To check the access privileges defined for a hostname or username

Mysqlbinlog

To display the content of bin logs (mysql-bin.nnnnnn) in text format

myisamchk

To dump single or multiple databases for backup purpose

mysqldbexport

To export metadata, data, or both from one or more databases

Myisamchk

To obtain the status of the MyISAM table, identify the corrupted tables, repair the corrupted tables, etc

myisamlog

To process the MyISAM log file and perform recovery operation, display version information, etc., depending on the situation

oleid

Used for Microsoft Office products.

German

VSITR

UTF-16

a 16-bit, variable-width encoding

UTF-32

a 32-bit, fixed-width encoding

Most Recently Used (MRU)

a list of files that have been most recently used

Debian/Ubuntu Linux: (for Apache)

access.log

RHEL/Red Hat/CentOS/Fedora Linux: (For Apache)

access_log

UTF-8

an 8-bit, variable-width encoding; maximizes compatibility with ASCI

SysTools MailPro+

examine local mail files and folders and collect them as evidence for Mozilla Thunderbird data

FreeBSD (for Apache)

httpd-access.log

Network-Attached Storage (NAS)

is a centralized storage device in which one or more servers with dedicated multiple hard drives in a RAID configuration are used to store and share data with clients on a shared network It is present on a Local Area Network (LAN) as an independent network node, can access the shared storage devices through a standard Ethernet connection, and is defined by its own unique IP address

qemu-img

is a command line tool that is used to create, convert, and modify image files offline (Convert the acquired dd image file into a virtual machine file format using QEMU Disk Image Utility)

Dead Acquisition

is defined as the acquisition of data from a suspect machine that is powered off Dead acquisition usually involves acquiring data from storage devices such hard drives, DVD-ROMs, USB drives, flash cards, and smart phones Examples of static data: emails, word documents, web activity, spreadsheets, slack space, unallocated drive space, and various deleted files

AWS CloudTrail

provides AWS API call history for AWS accounts including calls made via the AWS Management Console or Command Line tools, AWS Software Development Kits and other AWS services

Minimum Linux Kernel that supports ext4

v2.6.19 onwards

Just a Bunch of Drives/Disks (JBOD)

▪ JBOD (an acronym for 'Just a Bunch Of Drives/Disks') is a type of data storage configuration for multiple hard disks that do not support RAID arrays ▪ It is defined as the concatenation of multiple hard disks of varying capacities and specifications into a single, large logical drive. This integration of disks is referred to as "Spanning". ▪ Every individual drive within the JBOD can be accessed as a separate drive volume by the host computer ▪ It does not support redundancy, parity check, or striping, unlike RAID configurations ▪ In the event of a single disk failure, the entire system does not fail, and the data available on the other disks remain intact

A forensic investigator is searching a Windows XP computer image for information about a deleted Word document. The investigator already viewed the sixth file that was deleted from the computer. Two additional files were deleted. What is the name of the last file the investigator opens?

$R7.doc

Order of Volatility

1. Registers, processor cache 2. Routing table, process table, kernel statistics, and memory 3. Temporary file systems 4. Disk or other storage media 5. Remote logging and monitoring data related to the target system 6. Physical configuration and network topology 7. Archival media

OWASP Top 10 IoT Vulnerabilities

1. Weak or Guessable Passwords Attackers can use easy-to-guess or publicly available passwords to gain access to the systems. Using backdoors in device firmware or client software also grants unauthorized access to the deployed systems. 2. Insecure Network Services Vulnerable network services on any Internet-powered device can compromise the confidentiality, integrity/authenticity, or availability of information, and/or allow unauthorized remote control to any attacker 3. Insecure Ecosystem Interfaces Components lying out of the device ecosystem, such as backend API, cloud, or mobile interfaces, might compromise the device if proper security controls are not in place. Common issues include a lack of authentication/authorization, a lack of or a weak encryption, and a lack of input and output filtering. 4. Lack of Secure Update Mechanism This includes vulnerabilities such as lack of firmware validation on the device, lack of secure delivery, lack of anti-rollback mechanisms, and lack of notifications on security changes because of updates 5. Use of Insecure or Outdated Components The use of insecure software components/libraries, such as insecure customization of operating system platforms and use of third-party software or hardware components, could allow the device to be compromised 6. Insufficient Privacy Protection Personal data or confidential data stored on the systems could be used insecurely if they are not protected using encryption or any other protection mechanisms 7. Insecure Data Transfer and Storage The sensitive data on a system or being transferred over the network should be encrypted properly 8. Lack of Device Management When no proper security mechanisms are applied to devices deployed in a production environment makes them more vulnerable to attacks 9. Insecure Default Settings Devices with default configurations are exposed to attack. Moreover, allowing users to modify the configuration of devices might pose security risks. 10. Lack of Physical Hardening With no physical hardening measures in place, attackers can gain unauthorized access to sensitive information stored on a device

A hex

1010

B hex

1011

C hex

1100

D hex

1101

E hex

1110

F hex

1111