IT 360 exam 2
iOS layer Core Services
- interaction with apps
iOS layer Core OS
- like kernel
benefits of the logical volume manager in Linux.
Abstract layer that provides volume management for the kernel
- Resizing partitions
- Creates backups by taking a snapshot of a LV
- Virtualizes partitions so they can be split, combined, and/or arrayed
- Forensic tools must be LVM aware
Linux was created by whom and when
Bell labs 1960s
Android partitions
Boot loader boot recovery user data cache system
/var/log/faillog
Contains failed user logins in Linux
index.dat
File used by Internet Explorer
- Stores web addresses, search queries, and recently opened files
forensic steps that should be taken before shutting down a seized computer.
Initial tools:
- Task Manager
- netstat
- net sessions
- openfiles
Document results and shut down
/var/log/mail.*
Mail server
/var/log/mysql
MySQL database server
What are the four (4) states that a cell phone can be in?
Nascent active quiescent semi-active
Nascent state
New, no user data
iOS is based on which operating system?
OS X
Active state
On, performing tasks, and ready to store data
Linux is based off of
UNIX
What are four (4) directories important for Android forensics?
- acct
- cache
- data
- mnt
/var/log/apport.log
application crashes
recovery
boot into a recovery console
iOS data partitions
- calendar entries
- contacts
- notes
- iPod control directory
cp
copies files
mkdir
creates new directory
android dir data
data for each app
Quiescent
dormant to conserve battery while maintaining user data
Heap
dynamic memory; can exist between functions. Less stable than the data segment of memory
win log forwarded events
events collected from remote computers
win log application and services
events from a single application
win log application
events logged by apps or programs
win log system
events logged by windows components
Heap and stack ___ as needed
expand
cache
frequently accessed data and recovery logs
Smss.exe
handles services on your system
iOS layer Cocoa Touch
handles user gestures
csrss.exe
handles various tasks (e.g., creating threads, console windows, etc.)
boot loader
hardware initialization
boot
info needed to boot up
explorer.exe
interface the user interacts with
ls
lists contents of directory
stack
local variables and parameters (the most dynamic)
win log security
logon attempts
winlogon.exe
logs users on
user data
majority of user data including apps
android dir mnt
mount point for all file systems
android dir acct
mount point for control groups and provides user accounting
mv
move a file
iOS layer Media
multimedia
how can a swap file be useful for digital forensics analysis?
Can contain remnants of word processing documents, emails, internet history, database entries, and other work that has occurred in past sessions
What issues must an analyst be aware of when conducting a memory dump?
- Data inconsistency
- If run on a compromised system, this could affect the collected data's reliability. Some response tools may even substantially alter the digital environment of the original system and cause an adverse impact on the dumped memory data.
Be familiar with the National Institute of Standards and Technology guidelines for reporting phone analysis activities.
- Descriptive list of items submitted for examination (serial, make, model)
- Identity and signature of examiner
- Equipment setup used in examination
- Brief description of analysis steps
- Supporting materials
- Findings
  - Files related to investigation request
  - Other files that support findings
- Internet-related evidence (e.g., web site traffic)
- Graphic image analysis
- Ownership info
What is the Windows "User assist" feature, and how can it be useful during analysis?
- Feature that helps programs launch faster
- Registry key shows all programs that have been executed on a Windows machine
If a user deletes their Internet Explorer browser history, what alternate technique might reveal their web activity?
INDEX.DAT
What are two (2) ways to extract data from an Android phone?
- In developer mode
- adb (Android Debug Bridge) shell command when connected to a workstation
Why is it important for forensic analysts to know the steps in the boot up process for various operating systems?
- It's important because a virus might be infecting a drive at a specific step of the boot process
- Malware attacks can affect the boot process
- Hard drive encryption programs operate during the boot process
What guidelines should be followed when transporting and storing digital evidence?
- Keep in a secure location at all times
- Go directly to the evidence locker (no stops)
What are some of the important processes on a Windows computer that hackers might attempt to mimic?
- Ntdetect.com
- Ntbootdd.sys
- Smss.exe
- Winlogon.exe
- Lsass.exe
- Explorer.exe
- Csrss.exe
Be familiar with what information might be discovered by examining the Windows registry.
- Stores all configuration and preferences data
- Look for auto-run programs
- Five sections (hives): root, current user, machine, users (HKU, user profiles), config
- Files that run at startup
- USB devices
- WiFi connection info
- MAC address of the computer that created Word documents
- All uninstalled software
- Passwords stored in browsers
- Shellbags (folder access)
What is a swap file?
- Volatile data, used to optimize the use of RAM
- Augmented RAM (virtual memory)
- Pagefile.sys in the hard drive root
Be familiar with the guidelines for collecting phone evidence.
- When plugging into a computer, make sure the phone does not sync
- Follow the same protocol as for a PC: touch the device as little as possible and document everything you do
- Can change a setting in the Windows registry to prevent writing to the mobile device
Semi-active
between active and quiescent; activated by a timer and dims the display
Hal.dll
interface for hardware
ntdetect.com
queries the computer for basic device and configuration data
NTBootdd.sys
storage controller device driver
/var/log/lpr.log
record of items printed
rm
remove a file
rmdir
remove directory
What are five (5) types of Windows logs that might contain useful evidence?
- security
- application
- system
- forwarded events
- application and services
/var/log/kern.log
system messages that can help rule out malware
system
usually not important
Android characteristics
- Based off Linux, 2003
- Open source; acquired by Google in 2005
- Names based on sweets
Four layers of iOS
- Core OS
- Core Services
- Media
- Cocoa Touch
iOS file system
- HFS+, and FAT32 for PC communications
Model and serial number information is in
- iPod_control\device\sysinfo