IT 360 exam 2

ios layer Core services

- interaction with apps

ios layer Core OS

- like kernel

benefits of the logical volume manager in Linux.

Abstract layer that provides volume management for kernel Resizing partitiono Creates backups by taking snapshot of LV Virtualizes partitions so they can be split, combined, and/or arrayed Forensic tools must be LVM aware

Linux was created by whom and when

Bell labs 1960s

Android partitions

Boot loader boot recovery user data cache system

var/log/faillog

Contains failed user logins in Linux

index.dat

File used by Internet Explorer § Stores web addresses, search queries, and recently opened files

forensic steps that should be taken before shutting down a seized computer.

Initial tools: Task Manager Net Stat Net Sessions OpenFiles Document results and shutdown

/var/log/mail.*

Mail server

/var/log/mysql

MySQL database server

What are the four (4) states that a cell phone can be in?

Nascent active quiescent semi-active

Nascent state

New, no user data

iOS is based on which operating system?

OS X

Active state

On, performing tasks, and ready to store data

Linux is based off of

UNIX

· What are four (4) directories important for Android forensics?

acct cache data mnt

/var/log/apport.lol

application crashes

recovery

boot into a recovery console

IOS data partitions

calendar entries contacts notes ipod control directory

cp

copies files

mkdir

creates new directory

android dir data

data for each app

Quiescent

dormant to conserve battery while maintaining user data

o Heap

dynamic memory, can exist between functions. Less stable than data segment of memory

win log forwarded events

events collected from remote computers

win log application and services

events from a single application

win log application

events logged by apps or programs

win log system

events logged by windows components

Heap and stack x as needed

expand

cache

frequently accessed data and recovery logs

Smss.exe

handles services on your system

ios layer Cocoa Touch

handles user gestures

crss.exe

handles various tasks (e.g. creating threads, console windows, etc.)

boot loader

hardware initialization

boot

info needed to boot up

explorer.exe

interface the user interacts with

ls

lists contents of directory

stack

local § local variables and parameters ( the most dynamic)

wing log security

logon attempts

winlogon.exe

logs users on

user data

majority of user data including apps

android dir Mnt

mount point for all file systems

android dir acct

mountpoint for control group and provude user accounting

mv

move a file

ios layer Media

multimedia

how can swap file be useful for digital forensics analysis

o Contain remnants of word processing documents, emails, internet history, database entries, other work that has occurred in past sessions

· What issues must an analyst be aware of when conducting a memory dump.

o Data inconsistency o If run on a compromised system This could affect the collected data's reliability. Some response tools may even substantially alter the digital environment of the original system and cause an adverse impact on the dumped memory data.

· Be familiar with the National Institute of Standards and Technology guidelines for reporting phone analysis activities.

o Descriptive list of items submitted for examination (serial, make, model) o Identify and signature of examiner o Equipment setup used in examination o Brief description of analysis steps o Supporting materials o Findings Files related to investigation request Other files that support findings o Internet-related evidence (e.g., web site o traffic) o Graphic image analysis o Ownership info

· What was the Windows "User assist" feature created and how can it be useful during analysis?

o Feature that helps programs launch faster o Registry key shows all programs that have been executed on a windows machine

· If a user deletes their Internet Explorer browser history, what alternate technique might reveal their web activity?

o INDEX.DAT

two (2) ways to extract data from an Android phone?

o In developer mode o Adb (Android debugging bridge) shell command when connected to workstation

Why is it important for forensic analysts to know the steps in the boot up process for various operating systems?

o It's important because a a virus might be infecting a drive at a specific boot process. o Malware attacks can affect the boot process o Hard drive encryption programs operate during the boot process

guidelines to follow when transporting and storing digital evidence?

o Keep in secure location at all times o Direct to evidence locker (no stops)

some of the important processes on a Windows computer that hackers might attempt to mimic?

o Ntdetect.com o Ntbootdd.sys o Smss.exe o Winlogon.exe o Lsass.exe o Explorer.exe Crss.exe

· Be familiar with what information might be discovered by examining the Windows registry.

o Stores all configuration and preferences data o Look for auto-run programs o Five sections (hives) -root, current user, machine, users (HKU -user profiles), config o Files that run at startup o USB devices o WiFi connection info o MAC address of computer that created Word documents o All uninstalled software o Passwords stored in browsers o Shellbag -folder access

what is a swap file

o Volatile data, used to optimize the use of RAM o Augmented RAM (virtual memory) o Pagefile.sys in hard drive root

· the guidelines for collecting phone evidence.

o When plugging into computer, make sure phone does not sync o Follow same protocol for PC; touch device a little as possible and document everything you do o Can change setting in Windows registry to prevent writing to mobile device

Semi-active

o between active and quiescent; activated by timer and dims display

Hal.dll

o interface for hardware

ntdetect.com

o queries computer for basic device and configuration data

NTBootdd.sys

o storage controller device driver

/var/log/lpr.log

record of items printed

rm

remove a file

rmdir

remove directory

· What are five (5) types of Windows logs that might contain useful evidence?

security application system forwarded events application and services

/var/log/kern.log

system messages that can help rule out malware

system

usually not important

o Android characteristics

§ Based off linux - 2003 § Open source Acquired by Google in 2005 § Names based on sweets

Four Layers to iOS

· Core OS · Core services · Media · Cocoa Touch

§ IOS File system

· HFS+ and FAT32 For pc communications

§ Model and serial number information in

· iPod_control\device\sysinfo