Forensics

the partition table has 4 main entries (16 bytes each) to describe each of the partitions:

0x1BE, 0x1CE, 0x1DE, 0x1EE

Sectors are what size?

512 bytes

the MBR contains a ___ byte partition table located at byte offsets 0x1BE to 0x1FD (446 to 509)

64

an ____, often hidden on NTFS volumes, provides the ability to attach any kind of information to a file but not in the file.

Alternate data stream

During this phase, an analyst will investigate and analyze the static evidence collected looking for specific data pertaining to the incident.

Analysis

a ____ is a header or footer or both, within a file that indicates the application associated with a file or the type of file

file signature

The MBR is always located on the ___ physical sector of a disk and will end in 0x55AA

first

Deleted files remain in ___ where clusters/blocks are not assigned but may contain data.

unallocated (free) disk space

Applied to a file or part of a file's contents

File level encryption

____ is primarily concerned with computer workstations, removable storage devices, and other physical digital media storage devices.

Host-based forensics

____ is a technique to reduce the search space by identifying known files by their hashed (MD5/SHA1).

Hash analysis

____ aid in examining large amounts of data to find keywords or strings

Keyword searches

___ files that can be ignores, such as typical system files- explorer.exe etc

Known

Files in a hash set typically fall into one of two categories:

Known or notable

_____ with the case name, evidence number and description of evidence and create a chain of custody form.

Label the evidence

SIFT is a _____-based VMWare workstation configures to conduct forensic investigations on both Windows and UNIX systems.

Linux

the ___ should contain the tools required for packet analysis or other type of networking traffic

Listener

Computer systems and network devices are typically classified by two states:

Live or dead

____ are powered on with processes running. Disks are being accessed and removable media is changing.

Live systems

___ obtains only the file system

Logical imaging

____ is recommended if suspect utilizes RAID or hard drive encryption.

Logical imaging

a ____ is created to preserve the current state of a system (typically a laptop) by recording memory and open files before shutting off the system.

Hibernation file.

The _______ is an open source, VMWare appliance created by SANS Faculty.

SANS SIFT forensic workstation

True or False: Encase contains the ability to acquire data from multiple sources, to include RAM, documents, Internet artifacts, web history, RAIDS, workstations, servers.

True

True or False: SANS has the ability to examine multiple file system types from different OSs

True

True or False: if a cell device is off, leave it off, but find a recharger ASAP.

True

True or false: if the cell is on, do everything possible to keep it on. Store in a faraday bag to stop the signal

True

List of words and phrases used to search evidence

Keyword lists

On UNIX, users and groups are in ___ and ___

/etc/passwd and /etc/groups

-Minimize data loss -Avoid compromising the suspect system with additional data that may modify the access time of files.

Acquisition Goals

The focus of this phase is to collect the relevant volatile and non-volatile data using sound forensic techniques and tools that ensure data integrity.

Acquisition phase

____ involves forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest.

Analysis

____ will be used to take data as input and produce it in a more useful human readable format.

Analysis tools

_____ is best defined as an approach to manipulate, erase, or obfuscate digital data or make its examination difficult, time consuming and virtually impossible.

Anti Forensics

The process of permanently eliminating a particular file or entire file systems.

Artifact wiping

Malicious software that creates an access channel that the attacker can use for connecting, controlling, spying, or otherwise interacting with the victim's system.

Backdoor

Why was this device seized? What type of information is expected to be obtained? How long do I have to conduct analysis?

Basis of analysis

_____ is the process of making it difficult to find data while also keeping it accessible for future use.

Data hiding

The route the evidence takes from the time you find it until the case is closed or goes to court.

Chain of custody

____ is one of the most important documents maintained during an investigation. It documents how evidence was examined, by whom and when it changed hands

Chain of custody

____ are used for gathering evidence

Collection tools

____ is a modified version of the DD tool that depicts the status as an image is being collected, hashed, and checked for integrity.

DCFIDD

The process of collecting digital evidence from electronic media.

Data collection

____ is the process of recovering deleted images, files, and emails discovered during media analysis.

Data recovery

____ usually refers to the extraction of deleted files from a file systems unallocated space

Data recovery

____ are powered off leaving data at rest making it easier to gather the non-volitile, unchanging, data.

Dead systems

a ____ is a program that allows software developers to observe their program while it is running

Debugger

This is usually done through the manufacturer name and device model.

Device ID

____, also known as computer forensics, Can be defined as the practice of collecting and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

Digital Forensics

____ is through commands sent to a SIM reader into which the SIM is placed

Directly

a _____ is a program that takes a programs executable binary as input and generates textual files that contain the assembly language code for the entire program or parts of it.

Disassembler

____ is a process by which a magnetic field is applied to a digital media device.

Disk Degaussing

A bit-for-bit image of the original evidence gathered from a system such as the hard drive (logical or physical), memory, or removable media

Disk Image

____ utilities use a variety of methods to overwrite the existing data on disks.

Disk wiping

Some OS's habe the ability to store the contents of memory automatically during an error condition creating ____ or ____ files to be assistant in troubleshooting

Dump, Core

____ analysis is analyzing the file based on its behavior

Dynamic

Generic register can be used for any integer, boolean ,logical, or memory operation. Results of a function will likely populate in this register.

EAX

____ has the ability to acquire data from multiple sources, can analyze both Linux/Unix and windows, produces an exact binary duplicate of the original media, and automatically generates reports.

EnCase

Acts as a virtual drive on the system, encrypting any file or directory placed within the container

Encrypted "containers"

____ is one of the more commonly used techniques to defeat computer forensics.

Encryption

Electronically stored information found on or in use by digital media devices

Evidence

____ within the digital forensics' realm is defined as electronically stored information found on or in use by digital media devices such as: -Standard computer systems -Networking equipment -Computing peripherals -Removable Hard drives -Cell phones -Other consumer electronic devices

Evidence

Cryptographic hashes of files/media obtained prior to collection should match hashes obtained after collection. It ensures that the evidence has not been altered

Evidence integrity

____ are used to extend past the 4 partition limitation

Extended partitions

____ utilities are used to delete individual files from an OS

File wiping

the ____ should be able to clearly describe how the evidence was found, how it was handles, and everything that happened to it.

Forensic analyst

The Second step in collecting digital evidence is to create an exact physical copy of the evidence. This copy is called a

Forensic image

____ should clearly define the roles and responsibilities of all people performing or assisting with the organization's forensic activities

Forensic policy

a ____ is a standalone computer system utilized to perform forensic analysis of digital media

Forensic workstation

____ may be used to determine what other actions need to be performed as well as to recommend improvements to policies, guidelines, procedures, tools, and other aspects of the forensics process.

Formal reports

____ can be used to look for similar files. Two exact copies will have identical hashes.

Fuzzy hashing

Using Sleuth Kit tools, the creation process has 2 steps-

Gather and make

during _____ the device is removed from the suspect system and connected to the analysts forensic workstation

Hardware acquisition

a ____ is placed between the suspect hard drive and the acquisition system.

Hardware write-blocker

Three data acquisition methods

Hardware, software, and live

____ is a repository of electronic versions of captured material such as paper notes and documents as well as electronic files found on a variety of different media sources.

Harmony

____ provides the means to find,filter, and isolate deleted, tampered, or altered files through the use of hash values, signature analysis, keyword searches, and other digital forensic techniques and procedures.

Host-based forensics

This phases begins documentation of chain of custody and basis for analysis.

Incident Response

4 phases of Digital Forensics Methodology

Incident Response Acquisition Analysis Reporting

An _____ is an analyst toolkit that resides on a separate storage media device like a floppy, thumb drive, or CD-ROM

Incident Response Disk.

The initial response to a computer-related event that seeks to verify an incident, triage the incident, and gather necessary evidence while minimizing data and evidence loss.

Incident response

SIM data may be acquired 2 ways:

Indirect and direct

Malware analysis should be conducted in a ____

Isolated environment

To verify integrity of collected data, compute a ___ hash on the evidence

MD5

____ is defined as programming that is designed to disrupt or deny operation, gather info that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior.

Malware

_____ is the process of analyzing malware to determine exactly what the malware is designed to do.

Malware analysis

The MBR contains 3 sub directories...

Master boot program, Master Partition Table and a 2 byte marker indicating the end of a sector.(0x55AA)

____ is one of the most significant structures on a hard disk and is created when a hard disk is partitioned

Master boot record

The static examination of collected data using forensic analysis tools and techniques

Media analyis

____ is the static investigation of the copies of the original evidence collected from the system.

Media analysis

The documents and media files resulting from the in theater forensics will be transferred into the

NGIC National Harmony database

A user with an account on a windows system has an ____ file. It contains the configuration and environments settings which includes a great deal of identifiable data pertaining to user activity.

NTUSER.DAT

Intelligence gathered in theater will ultimately be logged along wih the collected image into the

National Media Exploitation Center database

NIST develops and maintains a very large set of hashed called the ____

National Software Reference Library

Two reasons to perform malware analysis

Network defense and understand how Malware works

____ is the process of collecting and analyzing raw network data and systematically tracking network traffic to ascertain how an attack was carried out or how an event occurred on a network

Network-based forensics

Digital forensics is composed of two disciplines:

Network-based forensics and Host-based forensics

In many cases, ____ often times contains more variables and considerations than with _____

Network-based forensics, Host-based forensics

____ includes general methodologies for investigating events using forensic techniques and should provide step-by-step procedures explaining the performance of routine tasks

Organizational policy

____ is one method used by malicious code authors to hide embedded strings from potential malware analysts or antivirus software.

Packing

Most likely to be encountered on linux, UNIx, and MAC OS X

Partition level encryption

____ is considered the best evidence. It grabs the entire contents of a drive or digital media device, including Slack, unallocated and swap space.

Physical drive imaging

Common image file formats

Raw (dd), EWF, AFF

The process of analyzing malware to determine its functions is commonly called ____

Reverse engineering

Stealthy type of malware designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.

Rootkit

Malware that makes you believe the computer is infected, and the only way to remove it is to click a specific link on the screen.

Scareware

If a file requires less space than the file allocation unit size, an entire file allocation unit is reserved leaving the unused portion (____) available for examination.

Slack space

Three common open-source forensic tools

Snort, Tripwire, Wireshark

During ____, an analyst boots the suspect system with the helix boot CD-rom and images the local hard drives attached to the system.

Software acquisition

a ____ is used on the acquisition system (forensic workstation) to prevent writes to source data.

Software write-blocker

the ___ is an area in program memory that is used for short-term storage of information by the CPU and the program

Stack

____ analysis is analyzing the file in a constant, non-changing state.

Static

Tools should be ____, and should not require the use of any libraries other than those on the read-only media

Statically-linked (self contained)

A ____ contains all the code necessary to successfully run as a standalone program and limit the impact (footprint) on the suspicious computer.

Statically-linked executable

Technique where information or files are randomly hidden within another file in an attempt to hide data by leaving it in plain sight

Stegonagraphy

____ are used to search the media for text strings, and may be used to discover hidden files or functionality of a file.

String and keyword searches

Most OSs use ____ in conjunction with RAM to provide a large virtual memory area for data and code being used by applications.

Swap space. (UNIX USES A SWAP PARTITION).

During OS/application install or upgrade, ____ are created.

Temporary files. (Could contain copies of other files on the system, application data, or other information.)

____ are used to sort the file system files by their modified, accessed, changed, and created timestamps. Start with recent data first

Timelines

The purpose of ____ is to confuse, disorient and divert the forensic examination process

Trail obfuscation

A seemingly innocent file that contains malicious code that works behind the functional program

Trojan Horse

the ____ machine is where all system and file analysis is conducted

Victim

Most Prevalent on windows system

Whole disk encryption

Write blockers are required if using a _____-based application to image media, however, they are not required if using ____, as media can be manually mounted as READ ONLY

Windows, Linux

____ are used to protect evidence disks by preventing accidental writes to source data.

Write-blockers

____ contain security event information such as successful and failed authentication attempts and security policy changes.

audit logs

Imaging/copy tools __ is usually the first tool used when collecting non-volatile evidence. Reads input files block by block and provides 3 versions

dd

The collection phase uses simple tools such as ___ as well as scripting tools that automate the execution of these tools.

dd and netstat

Malware analysis has two disciplines or analysis methods:

dynamic and static

Windows hibernation file

hiberfil.sys

Internet history file

index.dat

____ is through commands sent to the phone and passed on to the SIM

indirectly

___ contain information about various OS events, and may hold application specific event info

logs

____ is the command that will take the raw image and mount it onto a specified directory of choice to be able to examine the contents of the image.

mount

on windows systems, the ___ and ___ commands can be used to enumerate the users and groups on the system

netuser and netgroup

When acquiring ______ data, it is necessary to perform the following: Pre image hash, creation of the image, the a post image hash

no volatile data

Files that have been identified as illegal or inappropriate such as hacking tools or child porn

notable

.PST and .OST

outlook

The _____ is a hidden system file that is used by windows for virtual memory when there is not enough physical memory to run programs.

pagefile.sys

The purpose of a ____ is for the analyst to describe the actions performed, determine what other actions need to be performed, and recommend improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process.

reporting

____ is a tool that will enable the investigator to check similarities in files by computing and comparing context triggered pieceware hashes.

ssdeep

Established environment contains a ___ and a __

victim and listener

the ____ is an important source of evidence for forensic examiners as it provides a collection of data files that store vital configuration data for a system.

windows registry