Chapter 7 Performing Forensic Analysis
Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date? A. A timeline B. A log viewer C. Registry analysis D. Timestamp validator
A. A timeline Explanation: Timelines are one of the most useful tools when conducting an investigation of a compromise or other events. Forensic tools provide built-in timeline capabilities to allow this type of analysis.
What forensic issue might the presence of a program like CCleaner indicate? A. Anti-forensic activities B. Full disk encryption C. Malware packing D. MAC time modifications
A. Anti-forensic activities Explanation: CCleaner is a PC cleanup utility that wipes Internet history, destroys cookies and other cached data, and can impede forensic investigation. CCleaner may be an indication of intentional anti-forensic activities on a system. It is not a full disk encryption tool or malware packer, nor will it modify MAC times.
Jeff is investigating a system that is running malware that he believes encrypts its data on the drive. What process should he use to have the best chance of viewing the data in an unencrypted form? A. Live imaging B. Offline imaging C. Brute force encryption cracking D. Cause a system crash and analyze the memory dump
A. Live imaging Explanation: Imaging the system while the program is live has the best probability of allowing Jeff to capture the encryption keys or decrypted data from memory. An offline image after the system is shut down will likely result in having to deal with the encrypted file. Brute-force attacks are typically slow and may not succeed, and causing a system crash may result in corrupted or nonexistent data.
During a forensic investigation, Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing? A. Maintaining chain of custody B. Over-the-shoulder validation C. Pair forensics D. Separation of duties
A. Maintaining the chain of custody Explanation: Ben is maintaining chain-of-custody documentation. Chris is acting as the validator for the actions that Ben takes and acts as a witness to the process.
Kathleen needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering the information she needs? A. The Registry B. %SystemRoot%\MEMORY.DMP C. A system restore point file D. %SystemRoot%\WINDBG
B. %SystemRoot%\MEMORY.DMP Explanation: Windows crash dumps are stored in %SystemRoot%\MEMORY.DMP and contain the memory state of the system when the system crash occurred. This is her best bet for gathering the information she needs without access to a live image. The Registry and system restore points do not contain the information, and WinDbg is a Windows debugger, not an image of live memory.
Which format does dd produce files in? A. ddf B. RAW C. EN01 D. OVF
B. RAW Explanation: dd creates files in RAW, bit-by-bit format. Incorrect answers: EN01 is the EnCase forensic file format, OVF is a virtualization file format, and ddf is a made-up answer.
File remnants found in clusters that have been only partially rewritten by new files are found in what type of space? A. Outer B. Slack C. Unallocated space D. Non-Euclidean
B. Slack space Explanation: Slack space is the space that remains when only a portion of a cluster is used by a file. Data from previous files may remain in the slack space since it is typically not wiped or overwritten. Unallocated space is space on a drive that has not been made part of a partition. Outer space and non-Euclidean space are not terms used for file systems or forensics.
Which of the following is not a potential issue with live imaging of a system? A. Remnant data from the imaging tool B. Unallocated space will be captured C. Memory or drive contents may change during the imaging process D. Malware may detect the imaging tool and work to avoid it
B. Unallocated space will be captured Explanation: Unallocated space is typically not captured during a live image, potentially resulting in data being missed. Remnant data from the tool, memory and drive contents changing while the image is being taken, and malware detecting the tool are all possible issues.
Which of the following Linux command line tools will show you how much disk space is in use? A. top B. df C. lsof D. ps
B. df Explanation: The df tool will show you a system's current disk utilization. Both the top and ps commands will show you information about processes, CPU, and memory utilization, and lsof is a multifunction tool for listing open files.
Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this doesn't happen? A. A read blocker B. A drive cloner C. A write blocker D. A hash validator
C. A write blocker Explanation: Write blockers ensure that no changes are made to a source drive when creating a forensic copy. Preventing reads would stop you from copying the drive, drive cloners may or may not have write-blocking capabilities built in, and hash validation is useful to ensure contents match but doesn't stop changes to the source drive from occurring.
Mike is looking for information about files that were changed on a Windows system. Which of the following is least likely to contain useful information for his investigation? A. The MFT B. INDX files C. Event logs D. Volume shadow copies
C. Event logs Explanation: Event logs do not typically contain significant amounts of information about file changes. The Master File Table and file indexes (INDX files) both have specific information about files, whereas volume shadow copies can help show differences between files and locations at a point in time.
Susan has been asked to identify the applications that start when a Windows system does. Where should she look first? A. INDX files B. Volume shadow copies C. The Registry D. The MFT
C. The Registry Explanation: Windows stores information about programs that run when Windows starts in the Registry as Run and RunOnce registry keys, which run each time a user logs in. INDX files and the MFT are both useful for file information, and volume shadow copies can be used to see point-in-time information about a system.
Frederick wants to determine if a thumb drive was ever plugged into a Windows system. How can he test for this? A. Review the MFT B. Check the system's live memory C. Use USB Historian D. Create a forensic image of the drive
C. Use USB Historian Explanation: USB Historian provides a list of devices that are logged in the Windows Registry. Frederick can check the USB device's serial number and other identifying information against the Windows system's historical data. If the device isn't listed, it is not absolute proof, but if it is listed, it is reasonable to assume that it was used on the device.
What two files may contain encryption keys normally stored only in memory on a Windows system? A. The MFT and the hash file B. The Registry and hibernation files C. Core dumps and encryption logs D. Core dumps and hibernation files
D. Core dumps and hibernation files Explanation: Core dumps and hibernation files both contain an image of the live memory of a system, potentially allowing encryption keys to be retrieved from the stored file. The MFT provides information about the file layout. The Registry contains system information but shouldn't have encryption keys stored in it. There is no hash file or encryption log stored as a Windows default file.
Jennifer wants to perform memory analysis and forensics for Windows, macOS, and Linux systems. Which of the following is best suited to her needs? A. LiME B. DumpIt C. fmem D. The Volatility Framework
D. The Volatility Framework Explanation: The Volatility Framework is designed to work with Windows, macOS, and Linux, and it provides in-depth memory forensics and analysis capabilities. LiME and fmem are Linux tools, whereas DumpIt is a Windows-only tool.
Which tool is not commonly used to generate the hash of a forensic copy? A. MD5 B. FTK C. SHA1 D. AES
D. AES Explanation: While AES does have a hashing mode, MD5, SHA1, and the built-in hashing tools in FTK and other commercial tools are more commonly used for forensic hashes.
During her forensic copy validation process, Danielle received the following MD5 sums from her original drive and the cloned image after using dd. What is likely wrong? A. The original was modified B. The clone was modified C. dd failed D. An unknown change or problem occurred
D. An unknown change or problem occurred Explanation: Since Danielle did not hash her source drive prior to cloning, you cannot determine where the problem occurred. If she had run md5sum prior to the cloning process as well as after, she could verify that the original disk had not changed.
Alex is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim? A. C:\Windows\System32\Installers B. C:\Windows\Install.log C. C:\Windows\Jim\Install.log D. C:\Windows\Jim\AppData\Local\Temp
D. C:\Windows\Jim\AppData\Local\Temp Explanation: Windows installer logs are typically kept in the user's temporary AppData folder. Windows does not keep Install.log files, and System32 does not contain an Installers directory.
During his investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. What is the most important issue Jeff could encounter if the case goes to court? A. Bad checksums B. Hash mismatch C. Anti-forensic activities D. Inability to certify chain of custody
D. Inability to certify chain of custody Explanation: Jeff did not create the image and cannot validate chain of custody for the drive. This also means he cannot prove that the drive is a copy of the original. Since we do not know the checksum for the original drive, we do not have a bad checksum or a hash mismatch; there isn't an original to compare it to. Anti-forensic activities may have occurred, but that cannot be determined from the question.
Carl does not have the ability to capture data from a cell phone using forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is the best option to ensure he can see email and other data stored there? A. Physical acquisition B. Logical access C. File system access D. Manual access
D. Manual access Explanation: Manual access is used when phones cannot be forensically imaged or accessed as a volume or filesystem. Manual access requires that the phone be reviewed by hand, with pictures and notes preserved to document the contents of the phone.