Ch. 13 - Performing Forensic Analysis and Techniques

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

What does the operator 'if' set in the dd utility?

'if' sets the input file

What does the operator 'of' set in the dd utility?

'of' sets the output file

What are some of the main locations in Linux that forensics analysts will initially investigate?

/var /home /etc

What are log viewers?

A built-in feature of forensics suites that allow log entries to be matched with other forensic information.

What piece of hardware is crucial to digital forensics for password cracking?

A powerful GPU can result in massive speed increases over traditional CPU-based cracking.

What is file carving?

A specialized forensics tool that looks at data on a block-to-block basis, looking for information like file headers and other indicators of file structure and then attempts to recover them.

What is a legal hold?

Conducted when information must be retained for a legal case.

What two files may contain encryption keys normally stored in memory on a Window system?

Core dumps an hibernation files

What is the most common forensic activity for endpoints?

Disk or storage-based analysis

Why is a forensic copy different than simply copying files from one drive to another?

It is a bit-by-bit copy that ensures that slack space and unallocated space are both copied as part of the image. This captures deleted files that have not yet been overwritten, fragments of older files in the space that was not written to by new files, and data that was stored on a drive before it was partitioned.

What is key to conducting memory forensics?

Running live forensic analysis on a running machine or making a copy of a live memory to point in time forensic memory analysis.

Which hashing algorithms are commonly used in forensics?

SHA1 and MD5

What makes cloud and virtualized environments more difficult to perform forensics on?

Systems may be ephemeral.

What Linux utility is used to clone drives and what format does it use?

The Linux dd utility is used to clone drives in a bit-by-bit format. It is copied in a RAW format.

What is a useful tool in reviewing the Windows history of USB devices connected to a system?

USB Historian

What is a common open source memory forensics framework?

Volatility

What is the difference between Wireshark and Tcpdump?

Wireshark is an open source network analyzer that allows the user to view network data in a GUI. It has to be downloaded and installed. Tcpdump is a command-line packet capture utility found on many Linux and Unix systems by default.

What forensics device is crucial to maintaining the integrity of the drive's data?

Write blockers.

What flag is used in 'dd' to set the block size?

bs For example, bs = 64k

What are the key components to a forensics toolkit?

• A digital forensics workstation • Forensics investigation suite like FTK, EnCase • Write blocker • Forensic drive duplicator • Wiped drives and removable media • Cables and drive adapters • Camera • Labeling and documentation tools • Notebooks and prepared documentation forms/checklists

What are some programs that could be evidence of antiforensics attempt?

• CCleaner, a system cleanup program that removes browser history and cache and wipes other information useful for forensics investigation • Eraser, a file wiping utility

What is the Order of Volatility in forensics investigations?

• CPU cache, registers, running processes and RAM • Network traffic • Disk Drives • Backups, printouts, optical media

What are the drawbacks of live imaging?

• Can leave remnants due to the imaging utility being mounted from a removable drive or installed • The contents of a drive or memory may change during the imaging process • Malware or other software may be able to detect the imaging tool and could take action to avoid it or disable it • Live images typically do not include unallocated space

What are commonly used forensics suites?

• FTK • EnCase • CAINE • Autopsy • SIFT

What are the three main components of the report at the end of a forensic investigation?

• Goals and scope of the investigation • Targets • Findings and analysis

What are the four primary modes of data acquisition from mobile devices?

• Physical, by acquisition of the SIM card, memory cards, or backups • Logical, which usually requires a forensic tool to create and image of the logical storage volumes • Manual access, which involves reviewing the contents of the live, unlocked phone and taking pictures and notes about what is found • Filesystem, which can provide details of deleted files as well as existing files and directories

What characteristics are important to a reliable forensics workstation?

• Powerful, multicore CPU • Plenty of RAM • Ample, fast storage

What are some open source forensics utilities?

• Sleuth • Autopsy • SIFT • CAINE

Name some log analysis tools.

• Splunk • Sawmill • Event Log Analyzer • A text editor may be used to search and review logs.

What are the uses of hashing in a digital forensics investigation?

• To ensure that the copy matches the source drive or device • Used to validate binaries and other application related files to detect changes to the binaries • Used to check if a file matches a known good version or one from a backup

What mobile forensics tools are important to have on hand?

• Tools for accessing SIM cards and flash memory cards • Mobile device connection cable kit that contains most common connector types for current phones. • Mobile device-specific forensic software and tools

What must be tracked in a complete chain of custody?

• What is collected • Who collected or analyzed the data • When each action occurred • When devices and other evidence were transferred, handled, accessed, and securely stored

What are the common Windows and Linux utilities used in forensic applications?

• Windows - WinDbg • Linux - dd

What are some popular memory capture tools?

• fmem and LiME from Linux • DumpIT from Windows • The Volatility Framework supports multiple operating systems • EnCase and FTK both have built-in memory capture and analysis capabilities


Kaugnay na mga set ng pag-aaral

Medical Terminology Chapters 8, 9

View Set

Chapter 6: Making Sense of Statistical Significance

View Set

WHAP: All Through The End of Time Period 2 (1.1-4.7)

View Set

Chapter 21: 21.2 Progressive Presidents

View Set

Combo with "2nd half of Intro to American Politics Key terms and concepts" and 1 other

View Set

2.1 rates of change and tangent lines to curves

View Set

Discrete Mathematics 1.4 Predicates and Quantifiers

View Set

NUR 3465 Developing Family Peds Chapter 26: Growth and Development of the Toddler

View Set

Accounting Chapter 1 Smartbook questions

View Set

Mystery Shopping/Guest Satisfaction

View Set