Forensics
The partition table has 4 main entries (16 bytes each), one to describe each of the partitions, at offsets:
0x1BE, 0x1CE, 0x1DE, 0x1EE
Sectors are what size?
512 bytes
The MBR contains a ___ byte partition table located at byte offsets 0x1BE to 0x1FD (446 to 509).
64
An ____, often hidden on NTFS volumes, provides the ability to attach any kind of information to a file without placing it in the file itself.
Alternate data stream
During this phase, an analyst will investigate and analyze the static evidence collected looking for specific data pertaining to the incident.
Analysis
A ____ is a header, footer, or both within a file that indicates the application associated with the file or the type of file.
file signature
The MBR is always located on the ___ physical sector of a disk and ends in 0x55AA.
first
Deleted files remain in ___ where clusters/blocks are not assigned but may contain data.
unallocated (free) disk space
Applied to a file or part of a file's contents
File level encryption
____ is primarily concerned with computer workstations, removable storage devices, and other physical digital media storage devices.
Host-based forensics
____ is a technique to reduce the search space by identifying known files by their hashes (MD5/SHA1).
Hash analysis
____ aid in examining large amounts of data to find keywords or strings
Keyword searches
___ files are files that can be ignored, such as typical system files (explorer.exe, etc.).
Known
Files in a hash set typically fall into one of two categories:
Known or notable
_____ with the case name, evidence number and description of evidence and create a chain of custody form.
Label the evidence
SIFT is a _____-based VMware workstation configured to conduct forensic investigations on both Windows and UNIX systems.
Linux
The ___ should contain the tools required for packet analysis or other types of network traffic analysis.
Listener
Computer systems and network devices are typically classified by two states:
Live or dead
____ are powered on with processes running. Disks are being accessed and removable media is changing.
Live systems
___ obtains only the file system
Logical imaging
____ is recommended if suspect utilizes RAID or hard drive encryption.
Logical imaging
A ____ is created to preserve the current state of a system (typically a laptop) by recording memory and open files before shutting off the system.
Hibernation file.
The _______ is an open-source VMware appliance created by SANS faculty.
SANS SIFT forensic workstation
True or False: EnCase contains the ability to acquire data from multiple sources, including RAM, documents, Internet artifacts, web history, RAIDs, workstations, and servers.
True
True or False: SANS has the ability to examine multiple file system types from different OSs
True
True or False: if a cell device is off, leave it off, but find a recharger ASAP.
True
True or False: if the cell phone is on, do everything possible to keep it on. Store it in a Faraday bag to block the signal.
True
List of words and phrases used to search evidence
Keyword lists
On UNIX, users and groups are defined in ___ and ___
/etc/passwd and /etc/groups
Minimize data loss; avoid compromising the suspect system with additional data that may modify the access times of files.
Acquisition Goals
The focus of this phase is to collect the relevant volatile and non-volatile data using sound forensic techniques and tools that ensure data integrity.
Acquisition phase
____ involves forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest.
Analysis
____ will be used to take data as input and produce it in a more useful human readable format.
Analysis tools
_____ is best defined as an approach to manipulate, erase, or obfuscate digital data, or to make its examination difficult, time-consuming, or virtually impossible.
Anti-forensics
The process of permanently eliminating a particular file or entire file systems.
Artifact wiping
Malicious software that creates an access channel that the attacker can use for connecting, controlling, spying, or otherwise interacting with the victim's system.
Backdoor
Why was this device seized? What type of information is expected to be obtained? How long do I have to conduct analysis?
Basis of analysis
_____ is the process of making it difficult to find data while also keeping it accessible for future use.
Data hiding
The route the evidence takes from the time you find it until the case is closed or goes to court.
Chain of custody
____ is one of the most important documents maintained during an investigation. It documents how evidence was examined, by whom, and when it changed hands.
Chain of custody
____ are used for gathering evidence
Collection tools
____ is a modified version of the dd tool that displays the status as an image is being collected, hashed, and checked for integrity.
dcfldd
The process of collecting digital evidence from electronic media.
Data collection
____ is the process of recovering deleted images, files, and emails discovered during media analysis.
Data recovery
____ usually refers to the extraction of deleted files from a file system's unallocated space.
Data recovery
____ are powered off, leaving data at rest and making it easier to gather the non-volatile, unchanging data.
Dead systems
A ____ is a program that allows software developers to observe their program while it is running.
Debugger
This is usually done through the manufacturer name and device model.
Device ID
____, also known as computer forensics, can be defined as the practice of collecting and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
Digital Forensics
____ acquisition is through commands sent to a SIM reader into which the SIM is placed.
Directly
A _____ is a program that takes a program's executable binary as input and generates text files containing the assembly language code for the entire program or parts of it.
Disassembler
____ is a process by which a magnetic field is applied to a digital media device.
Disk Degaussing
A bit-for-bit image of the original evidence gathered from a system such as the hard drive (logical or physical), memory, or removable media
Disk Image
____ utilities use a variety of methods to overwrite the existing data on disks.
Disk wiping
Some OSs have the ability to store the contents of memory automatically during an error condition, creating ____ or ____ files to assist in troubleshooting.
Dump, Core
____ analysis is analyzing the file based on its behavior.
Dynamic
A general-purpose register that can be used for any integer, Boolean, logical, or memory operation. The result of a function will likely be placed in this register.
EAX
____ has the ability to acquire data from multiple sources, can analyze both Linux/UNIX and Windows, produces an exact binary duplicate of the original media, and automatically generates reports.
EnCase
Acts as a virtual drive on the system, encrypting any file or directory placed within the container.
Encrypted "containers"
____ is one of the more commonly used techniques to defeat computer forensics.
Encryption
Electronically stored information found on or in use by digital media devices.
Evidence
____ within the digital forensics realm is defined as electronically stored information found on or in use by digital media devices such as standard computer systems, networking equipment, computing peripherals, removable hard drives, cell phones, and other consumer electronic devices.
Evidence
Cryptographic hashes of files/media obtained prior to collection should match hashes obtained after collection. This ensures that the evidence has not been altered.
Evidence integrity
____ are used to extend past the 4-partition limitation.
Extended partitions
____ utilities are used to delete individual files from an OS.
File wiping
The ____ should be able to clearly describe how the evidence was found, how it was handled, and everything that happened to it.
Forensic analyst
The second step in collecting digital evidence is to create an exact physical copy of the evidence. This copy is called a
Forensic image
____ should clearly define the roles and responsibilities of all people performing or assisting with the organization's forensic activities.
Forensic policy
A ____ is a standalone computer system used to perform forensic analysis of digital media.
Forensic workstation
____ may be used to determine what other actions need to be performed as well as to recommend improvements to policies, guidelines, procedures, tools, and other aspects of the forensics process.
Formal reports
____ can be used to look for similar files. Two exact copies will have identical hashes.
Fuzzy hashing
Using Sleuth Kit tools, the creation process has two steps:
Gather and make
During _____, the device is removed from the suspect system and connected to the analyst's forensic workstation.
Hardware acquisition
A ____ is placed between the suspect hard drive and the acquisition system.
Hardware write-blocker
Three data acquisition methods
Hardware, software, and live
____ is a repository of electronic versions of captured material such as paper notes and documents as well as electronic files found on a variety of different media sources.
Harmony
____ provides the means to find, filter, and isolate deleted, tampered, or altered files through the use of hash values, signature analysis, keyword searches, and other digital forensic techniques and procedures.
Host-based forensics
This phase begins documentation of the chain of custody and the basis for analysis.
Incident Response
4 phases of Digital Forensics Methodology
Incident Response, Acquisition, Analysis, Reporting
An _____ is an analyst toolkit that resides on a separate storage media device such as a floppy, thumb drive, or CD-ROM.
Incident Response Disk.
The initial response to a computer-related event that seeks to verify an incident, triage the incident, and gather necessary evidence while minimizing data and evidence loss.
Incident response
SIM data may be acquired 2 ways:
Indirect and direct
Malware analysis should be conducted in a ____
Isolated environment
To verify the integrity of collected data, compute a ___ hash on the evidence.
MD5
____ is defined as programming that is designed to disrupt or deny operation, gather info that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior.
Malware
_____ is the process of analyzing malware to determine exactly what the malware is designed to do.
Malware analysis
The MBR contains 3 sub-sections:
Master boot program, master partition table, and a 2-byte marker (0x55AA) indicating the end of the sector.
____ is one of the most significant structures on a hard disk and is created when a hard disk is partitioned.
Master boot record
The static examination of collected data using forensic analysis tools and techniques.
Media analysis
____ is the static investigation of the copies of the original evidence collected from the system.
Media analysis
The documents and media files resulting from in-theater forensics will be transferred into the
NGIC National Harmony database
A user with an account on a Windows system has an ____ file. It contains the configuration and environment settings, which include a great deal of identifiable data pertaining to user activity.
NTUSER.DAT
Intelligence gathered in theater will ultimately be logged along with the collected image into the
National Media Exploitation Center database
NIST develops and maintains a very large set of hashes called the ____
National Software Reference Library
Two reasons to perform malware analysis
Network defense and understanding how malware works
____ is the process of collecting and analyzing raw network data and systematically tracking network traffic to ascertain how an attack was carried out or how an event occurred on a network.
Network-based forensics
Digital forensics is composed of two disciplines:
Network-based forensics and Host-based forensics
In many cases, ____ contains more variables and considerations than _____
Network-based forensics, Host-based forensics
____ includes general methodologies for investigating events using forensic techniques and should provide step-by-step procedures explaining how routine tasks are performed.
Organizational policy
____ is one method used by malicious code authors to hide embedded strings from potential malware analysts or antivirus software.
Packing
Most likely to be encountered on Linux, UNIX, and Mac OS X
Partition level encryption
____ is considered the best evidence. It captures the entire contents of a drive or digital media device, including slack, unallocated, and swap space.
Physical drive imaging
Common image file formats
Raw (dd), EWF, AFF
The process of analyzing malware to determine its functions is commonly called ____
Reverse engineering
Stealthy type of malware designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
Rootkit
Malware that makes you believe the computer is infected, and the only way to remove it is to click a specific link on the screen.
Scareware
If a file requires less space than the file allocation unit size, an entire file allocation unit is reserved leaving the unused portion (____) available for examination.
Slack space
Three common open-source forensic tools
Snort, Tripwire, Wireshark
During ____, an analyst boots the suspect system with the Helix boot CD-ROM and images the local hard drives attached to the system.
Software acquisition
A ____ is used on the acquisition system (forensic workstation) to prevent writes to source data.
Software write-blocker
The ___ is an area in program memory that is used for short-term storage of information by the CPU and the program.
Stack
____ analysis is analyzing the file in a constant, non-changing state.
Static
Tools should be ____, and should not require the use of any libraries other than those on the read-only media.
Statically-linked (self contained)
A ____ contains all the code necessary to run as a standalone program and limits the impact (footprint) on the suspicious computer.
Statically-linked executable
Technique where information or files are hidden within another file in an attempt to conceal data by leaving it in plain sight.
Steganography
____ are used to search the media for text strings, and may be used to discover hidden files or functionality of a file.
String and keyword searches
Most OSs use ____ in conjunction with RAM to provide a large virtual memory area for data and code being used by applications.
Swap space (UNIX uses a swap partition).
During OS/application install or upgrade, ____ are created.
Temporary files. (Could contain copies of other files on the system, application data, or other information.)
____ are used to sort file system files by their modified, accessed, changed, and created timestamps. Start with the most recent data first.
Timelines
The purpose of ____ is to confuse, disorient, and divert the forensic examination process.
Trail obfuscation
A seemingly innocent file that contains malicious code which runs behind the functional program.
Trojan Horse
The ____ machine is where all system and file analysis is conducted.
Victim
Most prevalent on Windows systems
Whole disk encryption
Write blockers are required if using a _____-based application to image media; however, they are not required if using ____, as media can be manually mounted as read-only.
Windows, Linux
____ are used to protect evidence disks by preventing accidental writes to source data.
Write-blockers
____ contain security event information such as successful and failed authentication attempts and security policy changes.
audit logs
Imaging/copy tools: ___ is usually the first tool used when collecting non-volatile evidence. It reads input files block by block and is available in 3 versions.
dd
The collection phase uses simple tools such as ___ as well as scripting tools that automate the execution of these tools.
dd and netstat
Malware analysis has two disciplines or analysis methods:
dynamic and static
Windows hibernation file
hiberfil.sys
Internet history file
index.dat
____ is through commands sent to the phone and passed on to the SIM
indirectly
___ contain information about various OS events, and may hold application-specific event information.
logs
____ is the command that will take the raw image and mount it onto a specified directory of choice to be able to examine the contents of the image.
mount
On Windows systems, the ___ and ___ commands can be used to enumerate the users and groups on the system.
netuser and netgroup
When acquiring ______ data, it is necessary to perform the following: a pre-image hash, creation of the image, then a post-image hash.
non-volatile data
Files that have been identified as illegal or inappropriate, such as hacking tools or child pornography
notable
.PST and .OST
Outlook
The _____ is a hidden system file that is used by Windows for virtual memory when there is not enough physical memory to run programs.
pagefile.sys
The purpose of a ____ is for the analyst to describe the actions performed, determine what other actions need to be performed, and recommend improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process.
reporting
____ is a tool that enables the investigator to check similarities between files by computing and comparing context-triggered piecewise hashes.
ssdeep
Established environment contains a ___ and a __
victim and listener
The ____ is an important source of evidence for forensic examiners, as it provides a collection of data files that store vital configuration data for a system.
Windows registry