
VBA macro, payload of MO document, embedded Flash program, embedded JavaScript

4 most popular methods to attack a Microsoft Office document

whole disk, file level, partition level, encrypted containers

4 ways to use encryption

data hiding, artifact wiping, trail obfuscation, attacks against computer forensics processes and tools

4 ways to perform anti-forensics

.rsrc

PE header that contains the executable resources that are not a part of the executable

.rdata

PE header that contains the import and export info

.text

PE header that contains the instruction that the CPU executes

.data

PE header that contains the program's global data

dropped file

a file created during malware execution

dll injection

a piece of malware designed to run code in the address space of another process by forcing it to load a DLL

dropper

a program designed to install malware to a target system

disassembler

a program that takes a program's executable binary as input and generates textual files that contain the assembly language code for the entire program

trojan

a seemingly innocent file that contains malicious code underneath

worm

a self-replicating program with malicious intent

string

a sequence of characters representing text

ransomware

a type of malware that restricts access to the computer system it infects and demands a ransom for the malware creator to remove the restriction

virus

a user-triggered program with malicious intent

botnet

allows an attacker system access; receives instructions from a single command-and-control server

reports

analysts use these to detail the discovery of info during an investigation, describe actions performed, determine what other actions to perform, and recommend improvements to policies

dynamic analysis

analyzing a file by observing its behavior; triage

static analysis

analyzing a file in a constant, non-changing state; code level

file system, hidden partitions, host protected area of the hard drive

common locations for data hiding in a computer system

callback

destination IP or domain to which malware is trying to connect

sim card

device user's phone number (the MSISDN), call logs, text messages

reasons why reports are useful

evidence to help prosecute specific individuals; actionable intel to help stop or mitigate some activity; generate new leads for a case

portable executable

file format that is a data structure containing the info necessary for the Windows OS loader to manage the wrapped executable code

NMEC

intel gathered in theater along with the collected image are sent to this

code obfuscation

intentionally hiding or obscuring source code to prevent reverse engineering or to disguise the true intent of a program

trail obfuscation

log cleaners, spoofing, misinfo, zombie accounts, trojaned commands

DLLMain, DLLENTRYPOINT

main functions of a DLL

downloader

malicious code that exists only to download the primary malicious payload

backdoor

malicious code that installs itself onto a computer to allow attacker access

launcher

malicious program used to launch other malicious programs

info-stealers

malware that collects info from a victim's computer and sends it to an attacker

scareware

malware that makes users believe their computers are infected, and the only way to remove infection is to click a specific link on the screen

wsock32.dll, ws2_32.dll

networking DLLs

debugger

program that allows software developers to observe their program while it is running

rootkit

stealthy type of malware designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer

dynamic, static

the two disciplines of malware analysis

file wiping

these types of utilities can delete individual files as well as wipe unallocated/free space from an OS

disk wiping

these types of utilities use a variety of methods to overwrite the existing data on disks

kernel32.dll

this dll contains core functionality, such as access and manipulation of memory, files, and hardware

wininet.dll

this dll contains higher-level networking functions

user32.dll

this dll contains user interface components, such as buttons, scroll bars, and components for controlling and responding to user actions

ntdll.dll

this dll is the interface to the windows kernel

DLL

this is a binary file that cannot execute on its own, but exports functions that can be utilized by other apps

encryption

this is a commonly used data hiding technique that uses a key and an algorithm to change the data in a way that makes the info unreadable

trail obfuscation

this is a data hiding technique used to confuse, disorient, and divert the forensic examination process

disk degaussing

this is a process that applies a magnetic field to a digital media device making it entirely clean of any previously stored data

Harmony database

this is a repository of electronic versions of captured material such as paper notes and documents, as well as electronic files found on a variety of different media sources

steganography

this is a technique used to hide info or files within another file, hiding data by leaving it in plain sight

physical destruction

this is accomplished by disintegration, incineration, pulverizing, shredding, and melting, and can render a device useless

anti-forensics

this is an approach to manipulate, erase, or obfuscate digital data, or to make its examination difficult, time-consuming, or virtually impossible

malware

this is programming designed to disrupt or deny operations, gather info leading to loss of privacy or exploitation, gain unauthorized access to system resources, or otherwise exhibit abusive behavior

malware analysis

this is the process of analyzing malware to determine what the malware is designed to do

data hiding

this is the process of making it difficult to find data while keeping it accessible for future use

artifact wiping

this is the process of permanently eliminating particular files or entire file systems

mobile forensics

this is the science of retrieving digital evidence from a mobile device using forensically sound tools and techniques

rundll32.exe

this program lets a user run DLL files

store malicious code, use existing Windows DLLs, use third-party DLLs

three ways malware writers use DLLs

ADS

using this on NTFS provides the ability to attach a file to another file without affecting the original file's metadata; $DATA attribute

device is on

while a mobile device is in this state, do everything possible to keep the device in its current state until able to perform a full examination
