Digital Forensics Final Study Guide


What are Linux logs in general? Explain at least 4 logs with their paths.

/var/log/faillog: This log file contains failed user logins. This can be important when tracking attempts to crack into the system.
/var/log/kern.log: This log file is used for messages from the operating system's kernel. It is more likely to show systemwide problems.
/var/log/apport.log: This log records application crashes. Sometimes these can reveal attempts to compromise the system or the presence of malware.
/var/log/lpr.log: This is the printer log. It can give you a record of any items that have been printed from this machine.

Write about the Linux boot process.

1. On a PC, booting Linux begins in the BIOS (basic input/output system) at address 0xFFFF0. (Linux is often used on embedded systems and smartphones. In such cases, when the system is first powered on, the first step is to load the bootstrap environment.)
2. The BIOS locates the master boot record (MBR) and passes control to it. The MBR then loads a boot loader program, such as LILO (Linux Loader) or GRUB (Grand Unified Bootloader). When a bootable device is found, the first-stage boot loader is loaded into RAM and executed.
3. At this point, a splash screen is commonly displayed. The Linux image is loaded into RAM.
4. The system then switches the CPU from real mode to protected mode. The system now loads the compressed kernel and calls the decompress_kernel() function. It is at this point that you may see the "Uncompressing Linux..." message displayed on the screen. Now the start_kernel() function is called, and the uncompressed kernel displays a large number of messages on the screen as it initializes the various hardware and processes, such as the scheduler.
5. The kernel_thread() function is called next to start init. The kernel goes into an idle loop and becomes an idle thread with process ID 0. The init() process begins high-level system initialization. (Note that, unlike PC systems, embedded systems have a simpler first user process than init.)
6. The boot process then inspects the /etc/inittab file to determine the appropriate run level. Based on the run level, the init process then executes the appropriate start-up script. The default boot run level is set in the file /etc/inittab with the initdefault variable.

4.The Linux __________ directory holds compiled files and may include malware. 1./bin 2./dev 3./boot 4./var

1./bin

4.The subscriber identity module (SIM) is a memory chip that stores the __________. 1.International Mobile Subscriber Identity (IMSI) 2.International Mobile Equipment Identity (IMEI) 3.home location register (HLR) 4.personal unlocking code (PUK)

1.International Mobile Subscriber Identity (IMSI)

7.__________ involves making an email message appear to come from someone or someplace other than the real sender or location. 1.Spoofing 2.Stripping 3.Extracting 4.Transference

1.Spoofing

1. Which Linux log records application crashes? 1.The /var/log/apport.log log 2.The /var/log/lpr.log log 3.The /var/log/kern.log log 4.The /var/log/lighttpd/* log

1.The /var/log/apport.log log

7.__________ was the first law meant to curtail unsolicited email. However, the law has many loopholes. 1.The CAN-SPAM Act 2.18 U.S.C. 2252B 3.The Electronic Communications Privacy Act (ECPA) 4.The Communications Assistance to Law Enforcement Act

1.The CAN-SPAM Act

1.Why would you not turn off a router before examining it for evidence? 1.You may destroy evidence. 2.You would turn it off. 3.It will lose its routing tables when powered off. 4.It violates FBI forensic guidelines.

1.You may destroy evidence.

7.The Linux __________ shell command makes a physical image of what is live in memory. 1.dd 2.ls 3.finger 4.top

1.dd

7.The Linux __________ command can be used to quickly catalog a suspect drive. 1.ls 2.dd 3.file 4.top

1.ls

4.On a network, a __________ prevents traffic jams by ensuring that data goes straight from its origin to its proper destination. It remembers the address of every node on the network and anticipates where data needs to go. 1.switch 2.hub 3.network interface card 4.Router

1.switch

1.Where is the data for roaming phones stored? 1.visitor location register (VLR) 2.home location register (HLR) 3.base transceiver station (BTS) 4.Global System for Mobile (GSM)

1.visitor location register (VLR)

4.What RFC describes the contents of an email header? 1.2822 2.3864 3.1777 4.3389

2.3864

4.There are four layers to iOS, the operating system used by the iPhone, iPod, and iPad. The __________ layer is how applications interact with iOS. 1.Core OS 2.Core Services 3.Media 4.Cocoa Touch

2.Core Services

1. What does a router use to determine the path on which to send packets? 1.MAC address 2.IP address 3.Protocol used 4.Next available port

2.IP address

1.What is the file format .edb used with? 1.GroupWise 2.Microsoft Exchange 3.Microsoft Outlook 4.Linux email

2.Microsoft Exchange

1.What is the .ost file format used for? 1.Microsoft Outlook mailbox 2.Microsoft Outlook offline storage 3.Microsoft Lotus Notes 4.Microsoft Outlook Express

2.Microsoft Outlook offline storage

13.What term is used to describe a protocol used to receive email that works on port 110? 1.Internet Message Access Protocol (IMAP) 2.Post Office Protocol version 3 (POP3) 3.TCP/IP 4.Simple Mail Transfer Protocol (SMTP)

2.Post Office Protocol version 3 (POP3)

7.What common email header field is commonly used with the values "bulk," "junk," or "list"; or used to indicate that automated "vacation" or "out of office" responses should not be returned for the mail? 1.Content-Type 2.Precedence 3.References 4.Received

2.Precedence

7.When seizing evidence from a mobile device, the __________ utility allows you to unlock a locked iPod Touch. 1.Recover My iPod 2.Pwnage 3.Device Seizure 4.Data Doctor

2.Pwnage

10.It is a common practice to keep Linux kernel images in which directory? 1.The /usr directory 2.The /boot directory 3.The /var/spool directory 4. The /proc directory

2.The /boot directory

10.Brandon is a forensic specialist who examined a mobile device as part of a crime investigation. He is now working on the forensic report. What does Brandon NOT need to include in the mobile device forensic report, according to National Institute of Standards and Technology (NIST) guidelines? 1. A descriptive list of items submitted for examination, including serial number, make, and model 2.The identity and signature of the suspect 3.The equipment and setup used in the examination 4.A brief description of the steps taken during the examination, such as string searches, graphics image searches, and recovering erased files

2.The identity and signature of the suspect

10.A(n) __________ is an email server that strips identifying information from an email message before forwarding it with the third-party mailing computer's IP address. 1.TOR 2.anonymizer 3.POP3 4.email examiner

2.anonymizer

1.Linux is often used on embedded systems. In such cases, when the system is first powered on, the first step is to load the __________. 1.drivers 2.bootstrap environment 3.kernel 4.shell

2.bootstrap environment

10. John is investigating a Linux web server. It is suspected that someone executed an SQL injection attack on this server, and John wants to look for evidence of this. He wants to start by examining the web server log. Which of the following directories should he look in to find the web server logs? 1./etc 2./dev 3./var 4./sys

3./var

10.What is Internet Message Access Protocol (IMAP)? 1. A protocol used to receive email that works on port 35 2.A protocol used to receive email that works on port 25 3.A protocol used to receive email that works on port 143 4.A protocol used to receive email that works on port 110

3.A protocol used to receive email that works on port 143

4.James is a forensic specialist who wants to examine a network router for potential evidence in a case. What is the first step he should take to safely examine the router? 1.Shut it down. 2.Image the router. 3.Connect to the router over the network. 4.Nothing, routers do not retain data.

3.Connect to the router over the network.

1.Which of the following types of mass emails are not covered by the CAN-SPAM Act? 1.Emails advertising products 2.Emails advertising legal services 3.Emails advertising a church event 4.Emails advertising stock prices

3.Emails advertising a church event

4.Which header would have the sender's MAC address? 1.TCP 2.IP 3.Ethernet 4.None

3.Ethernet

1.You are performing a forensic analysis on a cell phone. You have tried entering the PUK six times, all incorrectly. What does this mean for your investigation? 1.The phone is now restored to factory conditions and data cannot be recovered. 2.Nothing; you can keep trying the PUK as many times as needed. 3.Nothing; you can try the PUK 9 times before the phone is restored to factory conditions on the 10th. 4.The phone is now wiped forensically.

3.Nothing; you can try the PUK 9 times before the phone is restored to factory conditions on the 10th.

10.Hard drives eventually age and begin to encounter problems. It is also possible that a suspect hard drive may have some issues preventing a full forensic analysis. Use the Linux __________ command to help with that. 1.dmesg 2.ps 3.fsck 4.pstree

3.fsck

4.The email __________ keeps a record of the message's journey as it travels through a communications network. 1.client 2.account 3.header 4.protocol

3.header

7.The Linux __________ command displays a list of all users currently logged in to a system. 1.su 2.finger 3.who 4.top

3.who

7.The National Institute of Standards and Technology (NIST) guidelines list four different states a mobile device can be in when you extract data. Devices are in the __________ state when received from the manufacturer. 1.semi-active 2.quiescent 3.active 4. nascent

4. nascent

4.The __________ directory in Linux is different from any other directory in that it is not really stored on the hard disk. It is created in memory and keeps information about currently running processes. 1./dev 2./usr 3./var/spool 4./proc

4./proc

13. The process of sending an email message to an anonymizer is the definition of what? 1.Spoofing 2.Hacking 3.Spamming 4.Anonymous remailing

4.Anonymous remailing

13.RFC 3864 describes message header field names. Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type, refers to which header field? 1.References 2.Precedence 3.Received 4.Content-Type

4.Content-Type

4.The __________ standard for wireless communication of high-speed data for mobile devices is what is commonly called 4G. 1.Global System for Mobile (GSM) communications 2.Enhanced Data Rates for GSM Evolution (EDGE) 3.Universal Mobile Telecommunications System (UMTS) 4.Long Term Evolution (LTE)

4.Long Term Evolution (LTE)

10.What common email header field includes tracking information generated by mail servers that have previously handled a message, in reverse order? 1.Content-Type 2.Precedence 3.References 4.Received

4.Received

1. __________ occurs when a SIM card's identifying information is copied to a different SIM card. 1.Mobile switching 2.Personal identification number switching 3.Registry copying 4.SIM cloning

4.SIM cloning

4.The Linux __________ shell command shows all the messages that were displayed during the boot process. 1.ps 2.grep 3.fsck 4.dmesg

4.dmesg

7.A(n) __________ is a unique serial number that identifies each SIM, engraved on the SIM during manufacturing. 1.personal identification number (PIN) 2.International Mobile Equipment Identity (IMEI) number 3.home location register (HLR) 4.integrated circuit card identifier (ICCID)

4.integrated circuit card identifier (ICCID)

4.The Electronic Communications Privacy Act requires an investigator to have a wiretap order to acquire ___________ information from an Internet service provider (ISP). 1.transactional 2.basic subscriber 3.content 4.real-time access

4.real-time access

Which exploit disguises malware as a legitimate system process without the risk of crashing the process? The key to this exploit is creating a process in a suspended state. This is accomplished by loading the process into memory by suspending its main thread. The program will remain inert until an external program resumes the primary thread, causing the program to start running. A) Process hollowing B) DLL injection C) Ransomware D) Logic bomb

A) Process hollowing

Jeremy is a forensic specialist. He has extracted volatile memory from a computer to a memory dump file. Now he needs to analyze it using the Volatility tool. Which command is the best one to begin with, which will give him a simple overview of processes that were in memory? A.pslist B.pstree C.psscan D.svcscan

A.pslist

Which exploit involves causing code to execute within the address space of some other process? A) Process hollowing B) DLL injection C) Ransomware D) Trojan horse

B) DLL injection

1.Which Volatility (tool for memory dump analysis) command displays memory dump processes in a hierarchical form, making it clear what process started a particular process? A.pslist B.pstree C.psscan D.svcscan

B.pstree

1.Which of the following is not true of computer memory? A) The stack is automatically allocated and managed as needed for temporary variables within functions inside programs. B) The heap is memory that programs can allocate as needed. C) The stack is the source of what are commonly called "memory leaks." D) When a programmer writes code that allocates memory from the heap but does not carefully deallocate that memory, the program can begin consuming more and more memory until a system crash can occur.

C) The stack is the source of what are commonly called "memory leaks."

In 2019, David Tinley pleaded guilty to programming and deploying malicious code within software he had created for the Siemens Corporation. The goal of Tinley's code was to cause the software to fail after a period of time, thus causing Siemens to have to hire him again to fix the problem. What type of code did Tinley create? A. A virus B. Trojan horse C. A logic bomb D. Spyware

C. A logic bomb

Write on "firewall forensics" in detail

Connection attempts on the same set of ports from many different Internet sources are usually due to decoy scans. In a decoy scan strategy, an attacker spoofs scans so that they appear to originate from a large number of decoy machines and adds his or her own IP address somewhere in the mix.
• Analyze the firewall logs in depth to look for decoy addresses originating from the same subnets. You will likely see that the attacker has connected recently, whereas the decoy addresses have not.
• For collecting data, you need to examine the firewall logs for any connections or attempted connections on those ports. If your firewall logs include details of packet flags, those flags might indicate a port scan; scan the log for any packets that might indicate a decoy scan.

What is "Faking email"? Explain in detail.

Criminals may fake their email messages. Spoofing involves making an email message appear to come from someone trusted or from someplace other than the real sender or location. The email sender uses a software tool that is readily available on the Internet to cut out his or her IP address and replace it with someone else's IP address. A suspect who uses anonymous remailing sends an email message to an anonymizer. An anonymizer is an email server that strips identifying information from an email message before forwarding it with the anonymous mailing computer's IP address. It is also very common for an email to arrive, often from a trusted friend, colleague, or family member, that is valid in every respect except for the content of the message. The message is suspect, and the website uniform resource locator (URL) it points to is usually a hacker or phishing site. The message may read something like "Wow! Check out this great website: www.hackersite.com." Cause: The cause of valid, but clearly suspect, emails is likely that the trusted friend's computer is infected with malware.

1.Which of the following is not true of paging and computer memory? A.A page table is a data structure. B.A page table maps virtual addresses to physical addresses. C.Processes use virtual addresses, whereas hardware and RAM use physical addresses. D.Physical memory is always contiguous.

D.Physical memory is always contiguous.

Volatility is a tool used for analyzing computer memory dump files. Which Volatility command displays details of all services that were in memory when the memory dump was taken? A.pslist B.pstree C.psscan D.svcscan

D.svcscan

What is an "Email Header"? Explain in detail with examples.

Headers: The header of an email message tells you a great deal about the email. The standard for email format, including headers, is RFC 2822. The header keeps a record of the message's journey as it travels through the communications network. As the message is routed through one or more mail servers, each server adds its own information to the message header. Each device in a network has an IP address that identifies the device and can be resolved to a location address or area.
The message header must include at least the following fields:
• From: The email address and, optionally, the name of the sender.
• Date: The local time and date when the message was written.
The message header should include at least the following fields:
• Message-ID: An automatically generated field.
• In-Reply-To: The Message-ID of the message that this is a reply to; used to link related messages together.
RFC 3864 describes message header field names.

Write on directories of Android OS.

In Android, there are specific directories that may yield forensic evidence:
• The acct directory is the mount point for the control group and provides user accounting.
• The cache directory stores frequently accessed data. This will almost always be interesting forensically.
• The data directory has data for each app. This is clearly critical for forensic examinations.
• The mnt directory is a mount point for all file systems and can indicate internal and external storage such as SD cards. If you have an Android image, the Linux ls command used on this directory will show you the various storage devices.

Write on "Email Files and Formats".

Local storage archives are any archives that have an independent archive format from a mail server. Examples of these types of archives include the following:
• .pst (Outlook) (an Outlook data file extension)
• .ost (Offline Outlook Storage)
• .mbx or .dbx (Outlook Express)
• .mbx (Eudora)
• .emi (common to several email clients)
For example, in Outlook a clever criminal might have a second .pst file containing email messages that he loads only when committing his nefarious activities. If his computer is seized and you simply look in Microsoft Outlook, you won't see any incriminating evidence.

Define any 4 terms of cellular device technology.

MSC: A mobile switching center (MSC) is the switching system for the cellular network, responsible for routing calls between base stations and the public switched telephone network.
BTS: The base transceiver station (BTS) is the part of the cellular network responsible for communications between the mobile phone and the network switching system.
HLR: The home location register (HLR) is a database used by the MSC that contains subscriber data and service information.
SIM: The subscriber identity module (SIM) is a memory chip that stores the International Mobile Subscriber Identity (IMSI). It is intended to be unique for each phone and is what you use to identify the phone.

Write on types of router attacks and getting evidence from router.

Router table poisoning is one of the most common and effective attacks. To carry out this type of attack, an attacker alters the routing data update packets that the routing protocols need. This results in incorrect entries in the routing table. This, in turn, can result in:
• artificial congestion,
• overwhelming the router, or
• allowing an attacker access to data in the compromised network by sending data to a different destination or over a different route than anticipated.
Getting evidence from the router:
• Don't shut down the router; doing so can erase valuable evidence.
• Don't alter anything.
• Connect to the router (from the forensics server) to run certain commands.
• Document your process.

1. What does a 500 HTTP response indicate, when you do network analysis? 1.Client error 2.OK 3.Redirect 4.Server error

Server error

Write on collecting evidence using any network investigation tool like RSA Netwitness or NetResident or Snort.

Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users. Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.

Which Linux directories are forensically important? Explain any 4 in detail.

The /bin Directory: The /bin directory holds binary or compiled files. This means programs, including some malware.
The /etc Folder: The /etc folder contains configuration files. Most applications require some configuration when they start up. An intruder into a system may want to change how a given application behaves.
The /etc/inittab File: This is where the boot-up process and operation is set. A sophisticated attacker might want to change the inittab to change the behavior of the system.
The /mnt Directory: Many devices, such as floppy and CD-ROM drives, are mounted in the /mnt directory. Any drive must be mounted prior to its use. From a forensic perspective, checking this directory lets you know what things are currently mounted on the system.

Describe any 4 shell commands for Linux forensics.

The dmesg Command: You can use the dmesg command to view all the messages that were displayed during the boot process.
The fsck Command: Hard drives eventually age and begin to encounter problems. It is also possible that a suspect hard drive may have some issues preventing a full forensic analysis. You can use fsck (file system check) to help with that.
The grep Command: This is the single most popular search command for Linux. It allows you to search for a wide range of parameters. You might run dmesg > myfile.txt, then use grep on myfile.txt to find specific data.
The ps Command: The ps command shows the currently running processes for the current user.

Describe features and/or steps of mobile forensics of Oxygen or Cellebrite or MobileEdit or any one of your choice.

This is a full forensic tool capable of imaging and examining iPhones and Android phones. It provides a number of user-friendly tools for extracting specific data such as contacts, social media data, and the like.

Describe the steps of "Email File forensics and examination" using Paraben E3 or any other tool of your choice.

To begin, we first add our evidence by selecting Add Evidence. This opens the new evidence wizard; we then select the email database evidence category and then select its source type. We choose the email format and navigate to the evidence source file or folder; in this example we will use a Microsoft Outlook PST file. At this point we can give the evidence a custom name or label if necessary, then click OK. As soon as the evidence is added, the Content Analysis wizard opens. This powerful wizard quickly automates much of the processing normally done during an investigation. The Content Analysis wizard gives you the option to perform the following actions on the evidence file:
- Sorting email attachments by file type, which speeds up the examination of the email attachments.
- Indexing the keywords in the email database, which drastically expedites all text searches.
- Optical character recognition (OCR), which allows for the extraction of textual data from images, so you can perform text searches on graphic files. E3 is the only tool that has this capability.
For faster navigation within your email evidence you can add bookmarks to important folders, messages, parts of messages, or attachments. E3 also allows you to easily print any email data. In the Data View pane, select the email you'd like to print, or right-click on your email of choice and select Print from the drop-down menu.

Write on "How computer memory works".

Volatile memories only hold contents while the device has power. Once a device is shut down, data in volatile memory is lost. Examples of volatile memory:
• Static RAM (SRAM)
• Synchronous static RAM (SSRAM)
• Synchronous dynamic RAM (SDRAM)
• Field Programmable Gate Array (FPGA)
The memory cell is the fundamental building block of RAM. A memory cell is an electronic circuit that stores a bit of binary information. High voltage denotes a 1, whereas low voltage denotes a 0. In addition to the memory cells, there is the fetch/store controller (part of the CPU) that is used to either fetch data from memory addresses or store data in memory addresses.

What evidence can be found on a mobile device?

• Call history
• Messages / emails
• Photos and video
• Information about the phone
• GPS information
• Network information

1.Which Linux shell command lists all currently running processes (programs or daemons) that the user has started? 1.top 2.ps 3.cmp 4.cp

ps

Write on "Analyzing memory" with Volatility. Include details of at least 3 commands.

• Volatility --info: The first Volatility command is simply to get information about Volatility to ensure it is working properly. The command to get information is shown here: This command gives a great deal of information. Among the information will be the profiles supported.
• Volatility pslist: This is a basic command that lists the processes that were in the memory dump.
• Volatility pstree: This is very much like pslist, except it shows the processes in a hierarchical tree, making it very clear what process started a particular process. For example:

Write on collecting evidence by "capturing memory". Include the narration/steps of memory capture for any one tool/software of your choice.

• The first step is to capture the memory from a live machine.
• This can be done with several different tools, many of which are available for free.
• The command-line tool DumpIt dumps out the current memory in a file ending in the .raw extension.
• RAM Capturer has a graphical interface rather than a command line.
• OSForensics also provides the option to capture live memory.
• Exterro's FTK Imager allows you to capture memory very easily.

Write on "Malware Hiding Techniques".

• Viruses: Software that self-replicates: macro viruses, polymorphic viruses, ransomware
• Worms: A virus that self-propagates
• Spyware: Software that monitors the computer's activity
• Logic Bomb: Executes malicious activity when some logical condition is met
• Trojan Horse: Delivery mechanism for a virus, worm, spyware, or logic bomb
• DLL Injection: Malware uses various techniques to covertly execute code on systems. One such technique is DLL injection. DLL injection involves causing code to execute within the address space of some other process. This is accomplished by forcing the targeted program to load a DLL. Multiple techniques can be used to accomplish this kind of attack. Specific registry keys can be useful.
• Process hollowing, also known as process replacement: This is a technique wherein the malware is disguised as a legitimate system process, without the risk of crashing the process. The key to process hollowing is creating a process in a suspended state. This is accomplished by loading the process into memory while suspending its main thread. The program will remain inert until an external program resumes the primary thread, causing the program to start running.

Describe any 4 "Router forensics" commands in detail.

• The show version command provides a significant amount of hardware and software detail about the router. It displays the platform, operating system version, system image file, any interfaces, the amount of RAM the router has, and the number of network and voice interfaces there are.
• The show running-config command provides the currently executing configuration.
• The show startup-config command provides the system's start-up configuration. (Differences between show startup-config and show running-config can be indicative of a hacker having altered the system.)
• The show ip route command shows the routing table. Manipulating that routing table is one primary reason hackers infiltrate routers.

