Digital Forensics Exam 2 Study Guide
Describe proper procedure to follow when collecting, seizing, and protecting evidence.
1. Shutting down the computer: Before shutting it down, check all running processes and all currently established network connections (netstat / net sessions), check whether any shared files or folders are open (openfiles), and capture volatile memory and hard (persistent) memory.
2. Transporting the computer system to a secure location (lab): Ensure that the computer remains off, secured and untouched, and follow and document the proper chain of custody in order to avoid tampering.
3. Preparing the system: Remove all drives; for mobile devices, remove SIM cards. Document all physical connections, label each wire, and create a chain of custody form.
4. Documenting the hardware configuration of the system: All hardware components, BIOS/UEFI information, system date and time / BIOS time.
5. Mathematically authenticating data on all storage devices: Create a hash of the original and of the copied data, then compare the hashes to ensure integrity (EnCase, FTK, OSForensics, md5sum on Linux).
10.Which of the following is NOT true of chain of custody forms? 1.You typically need to use a separate chain of custody form for each drive you have removed from a suspect computer. 2.A chain of custody form is a federal form and is therefore universal. 3.A chain of custody form typically requires a signature. 4.Some forensic examiners use both an evidence form and a separate chain of custody form.
1.You typically need to use a separate chain of custody form for each drive you have removed from a suspect computer.
9.An environment that has a controlled level of contamination, such as from dust, microbes, and other particles is the definition of a __________. 1.clean room 2.recovery room 3.test system 4.test room
1.clean room
7.In steganography, the ________ is the data to be covertly communicated. In other words, it is the message you want to hide. 1.payload 2.carrier 3.signal 4.channel
1.payload
4.How many rounds does DES have? 1.64 2.56 3.16 4
16
9.In FAT and NTFS file systems, a __________ is used to map files to specific clusters where they are stored on the disk. 1.cluster 2.table 3.partition 4.Node
2.table
10.After a computer incident or disaster, staff must take actions to preserve forensic information. In what situation is determining the cause of an incident irrelevant to forensics? 1. Data theft from a hard drive 2. A drive that failed due to water damage from a sprinkler system 3. A drive that failed due to a malware infection 4. An incident that may have involved a crime
2. A drive that failed due to water damage from a sprinkler system
12.You are working on a business impact analysis. You are calculating the single loss expectancy (SLE) for a laptop computer. The laptop cost $2,500, which is its asset value (AV). You determined its exposure factor (EF) is 25%. What is the SLE? 1.$62,500 2.$625 3.$100 4.$10,000
2.$625
1.What type of encryption uses a different key to encrypt the message than it uses to decrypt the message? 1.Private key 2.Asymmetric 3.Symmetric 4.Secure
2.Asymmetric
9.What name is given to a technique for file system repair that involves scanning a disk's logical structure and ensuring that it is consistent with its specification? 1.File allocation checking 2.Consistency checking 3.Logical checking 4.Inode scan
2.Consistency checking
1.Once an intrusion into your organization's information system has been detected, which of the following actions should be performed first? 1.Eliminate all means of intruder access. 2.Contain the intrusion. 3.Determine to what extent systems and data are compromised. 4.Communicate with relevant parties.
2.Contain the intrusion.
3.Chandar is looking for Registry entries that reflect the settings of the last known good boot of a given Registry key. __________ could be what is known as the last known good control set, or the control set that last successfully booted Windows. 1.Controlset001 2.Controlset002 3.Currentcontrolset 4.Clone
2.Controlset002
10.The __________ format is a proprietary file format defined by Guidance Software for use in its forensic tool to store hard drive images and individual files. 1.The Advanced Forensic Format 2.EnCase 3.The Generic Forensic Zip 4.IXimager
2.EnCase
6.At which phase of incident response does computer forensics begin? 1.Containment 2.Eradication 3.Recovery 4.Follow-up
2.Eradication
1.What file system does OS X use? 1.HPFS 2.HFS+ 3.NTFS 4.EXT3
2.HFS+
5. __________ is offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. 1.Logical analysis 2.Physical analysis 3.Encryption 4.Steganography
2.Physical analysis
Which of the following drives would be least susceptible to damage when dropped? 1.SCSI 2.SSD 3.IDE 4.SATA
2.SSD
10.The Windows __________ log contains successful and unsuccessful logon events. 1.System 2.Security 3.Application 4.ForwardedEvents
2.Security
6.The space between the end of a file and the end of the cluster (if there is any such space) is called what? 1.Empty space 2.Slack space 3.Delete space 4.Nothing; files occupy the entire cluster.
2.Slack space
1.Which of the following assesses potential loss that could be caused by a disaster? 1.The business assessment (BA) 2.The business impact analysis (BIA) 3.The risk assessment (RA) 4.BCP
2.The business impact analysis (BIA)
12.When attempting to recover a failed drive, which of the following is NOT true? 1.If the failed drive's disks are spinning, that's an indication that a catastrophic failure has not occurred. 2.You should connect the failed drive to a test system and make the failed drive bootable. 3.If the failed drive installs properly on a test system, copy all directories and files to a different hard drive on the test system. 4.If the drive fails on one system but installs on another, the drive may have failed because of a power supply failure or corruption of the operating system.
2.You should connect the failed drive to a test system and make the failed drive bootable.
7.In steganography, the ________ is the stream or file into which the data is hidden. 1.payload 2.carrier 3.signal 4.channel
2.carrier
10.What is the definition of dump? 1.A brief hardware test the BIOS performs upon boot-up 2.The record on the hard drive partition used to initiate booting that partition 3.A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper 4.Dynamic memory for a program comes from the heap segment. A process may use a memory allocator such as malloc to request dynamic memory
3.A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper
1.Which of the following encryption algorithms uses three key ciphers in a block system and uses the Rijndael algorithm? 1.DES 2.RSA 3.AES 4.NSA
3.AES
1.Which phase of disaster recovery is about discovering if the disaster was caused by some weakness in the system? 1.The recovery plan 2.The post recovery follow-up 3.Business impact analysis 4.Incident response plan
3.Business impact analysis
8.Suppose a virus takes a company's main web server offline. What would NOT be part of a business continuity plan (BCP) in this case? 1.Routing calls from customers who cannot access the website to a makeshift call center 2.Temporarily using an old server that could provide minimal functionality but that may not be as robust 3.Having a full web server, equivalent to the failed server, back online and running at full capacity 4.Taking orders over the phone on paper
3.Having a full web server, equivalent to the failed server, back online and running at full capacity
What Linux command can be used to create a hash? 1.SHA 2.MD5 3.MD5sum 4.Sha3sum
3.MD5sum
6.Samuel provided illegal copies of software to others through a peer-to-peer (P2P) file-sharing service. The P2P software caused data leakage, resulting in private data from Sam's computer being shared on the Internet with anyone else using the same P2P software. What type of network security incident is being described? 1.Denial of service (DoS) attack 2.Unauthorized access 3.Malicious code 4.Inappropriate usage
3.Malicious code
8.Company AZ hosts an e-commerce server with a large hard drive. The manufacturer claims the drive is guaranteed to perform properly for 100,000 hours. What is this measure most closely related to? 1.Maximum tolerable downtime (MTD) 2.Mean time to repair (MTTR) 3.Mean time before failure (MTBF) 4.The business continuity plan (BCP)
3.Mean time before failure (MTBF)
1.What file system does Windows 7 use? 1.FAT 2.FAT32 3.NTFS 4.HPFS
3.NTFS
4.Regarding incident response, what step involves restoring software and data from a backup source that has been verified to be free from the malware infection? 1.Follow-up 2.Containment 3.Recovery 4.Eradication
3.Recovery
5.Matthew is a forensic analyst with a private investigation firm. He has been asked to investigate a laptop that is suspected of being involved in the hacking of the organization's server. Matthew wants to find all the values typed into the Run box in the Start menu. Which of the following Registry keys should he check to find this information? 1.UserAssist key 2.MountedDevices key 3.RunMRU key 4.TypedURLs key
3.RunMRU key
10.__________ is a term that refers to hiding messages in sound files. 1.Asymmetric cryptography 2.Steganography 3.Steganophony 4.Symmetric cryptography
3.Steganophony
3.Aidan is working on a case involving an employee who has been accused of visiting sites that violate company policy. He feels certain that there will be plenty of evidence, if he can extract the browser history. Aidan would like to extract the employee's browser history. Where does Internet Explorer store history? 1.Registry 2.index.dat 3.Webcache.dat 4.history.dat
3.Webcache.dat
4.Noah is performing an investigation of a Linux computer. The computer is part of an investigation into allegations of identity theft. The suspect who owns the computer is skilled with computers, and Noah is concerned that she may have deleted files from the system. In the Linux operating system, when is a file deleted? 1.When the Recycle Bin is emptied 2.When the Trashcan is emptied 3.When the iNode count reaches 0 4.When the MFT removes the file reference
3.When the iNode count reaches 0
Windows uses __________ on each system as a "scratch pad" to write data when additional random access memory (RAM) is needed. 1.metadata 2.an installed operating system 3.a swap file 4.a partition
3.a swap file
What Linux command can be used to wipe a target drive? 1.Del 2.Delete 3.dd 4.nc
3.dd
6.In Linux, what is the data structure in the file system that stores all the information about a file except its name and its actual data? 1.MFT 2.FAT 3.Cluster 4.iNode
4.iNode
10. __________ obfuscates a message so that it cannot be read. 1.Substitution 2.Steganography 3.Steganalysis 4.Cryptography
4.Cryptography
13.The Windows Registry is organized into five sections. The __________ section stores information about drag-and-drop rules, program shortcuts, the user interface, and related items. 1.HKEY_LOCAL_MACHINE (HKLM) 2.HKEY_USERS (HKU) 3.HKEY_CURRENT_USER (HKCU) 4.HKEY_CLASSES_ROOT (HKCR)
4.HKEY_CLASSES_ROOT (HKCR)
7.What was designed as an area where computer vendors could store data that is shielded from user activities and operating system utilities, such as delete and format? 1.Master boot record (MBR) 2.File slack 3.Volume slack 4.Host protected area (HPA)
4.Host protected area (HPA)
4.Jennifer sends a threatening email to Rachel, a classmate, to bully her. What type of computer security incident is being described? 1.Denial of service (DoS) attack 2.Unauthorized access 3.Malicious code 4.Inappropriate usage
4.Inappropriate usage
7.The most common way steganography is accomplished is via ________. 1.MSB 2.ASB 3.RSB 4.LSB
4.LSB
12.Kimberly is attempting to recover data from a failed hard disk. She removed the failed drive from the system on which it was installed, and then connected it to a test system. She made the connection by simply connecting the data and power cables but did not actually install the failed drive. What step should she perform next? 1.Install the failed drive. 2.Boot the test system from its own internal drive. 3.Determine whether the failed drive is recognized and can be installed as an additional disk on the test system. 4.Listen to the failed drive to determine whether the internal disks are spinning.
4.Listen to the failed drive to determine whether the internal disks are spinning.
7.What term describes analysis performed on an evidence disk or a forensic duplicate using the native operating system? 1.Steganalysis 2.Physical analysis 3.Network analysis 4.Logical analysis
4.Logical analysis
10.Which tool uses a brute-force approach to enumerating processes and threads in a memory dump from a Windows system? 1.Userdump 2.PsList 3.PsInfo 4.PTFinder
4.PTFinder
1.Which of the following is an asymmetric cryptography algorithm invented by three mathematicians in the 1970s? 1.PGP 2.DES 3.DSA 4.RSA
4.RSA
10.What kind of data changes rapidly and may be lost when the machine that holds it is powered down? 1.A hash 2.Persistent data 3.Non-volatile data 4.Volatile data
4.Volatile data
7. EIDE is _________. 1.an operating system 2.a file format 3.a type of running process 4.a type of magnetic drive
4.a type of magnetic drive
5.A Windows program that queries the computer for basic device or configuration data like time/date from CMOS, system bus types, ports, and so on is __________. 1.lsass.exe 2.smss.exe 3.ntbootdd.sys 4.ntdetect.com
4.ntdetect.com
4.Hiding messages inside another medium is referred to as ________ 1.Cryptography 2.cryptology 3.steganalysis 4.steganography
4.steganography
Describe steps of steganography and steganalysis using Forensic Toolkit (FTK) or S-Tools or any other tool of your choice.
Invisible Secrets: Invisible Secrets is very inexpensive and has a free trial version. It is also easy to use. You can download Invisible Secrets from http://www.invisiblesecrets.com/download.html.
Step 1: Choose to hide a file or extract a hidden file in the Invisible Secrets Select Action dialog box.
Step 2: Select an image to use as the carrier file in the Invisible Secrets Select a Carrier File dialog box.
Step 3: Select the file to hide in the Invisible Secrets Select Source Files dialog box.
Step 4: Select a password in the Invisible Secrets Encryption Settings dialog box.
Step 5: Select the file to hide in the Invisible Secrets Select Source Files dialog box.
What is the importance of the Windows Registry for a forensics examiner?
The Registry is a repository for all the information on a Windows system; for example, the configuration settings for a newly installed program are stored in the Registry. Among other things, the Registry:
•Includes information about the computer's hardware configuration.
•Allows the OS to keep multiple hardware configurations.
•Allows multiple users with individual preferences.
•Includes program shortcut menus and property sheets.
•Supports remote administration through the network.
The five hives are described here:
1.HKEY_CLASSES_ROOT (HKCR)—This hive stores information about drag-and-drop rules, program shortcuts, the user interface, and related items.
2.HKEY_CURRENT_USER (HKCU)—It stores information about the currently logged-on user, including desktop settings, user folders, and so forth.
3.HKEY_LOCAL_MACHINE (HKLM)—It contains those settings common to the entire machine.
4.HKEY_USERS (HKU)—It has profiles for all the users, including their settings.
5.HKEY_CURRENT_CONFIG (HKCC)—This hive contains the current system configuration.
Describe steps of Forensic imaging using Forensic Toolkit (FTK) or any other tool / method of your choice.
Once you have disconnected the suspect's hard drive from the suspect machine, connect that drive to the forensic server computer that has EnCase installed. In some cases, you first connect it through a device that prevents writing to the suspect drive; FastBloc and Tableau are two such write blockers that are widely used in forensics. At the top of the EnCase window, click New on the toolbar to start the new case you will be working on. The Case Options dialog box opens, as shown in the figure. You then need to add the suspect drive as evidence to the case file you created.
Explain File system view and slack space.
File systems view a cluster as entirely utilized if even 1 bit of it is used. To illustrate this, assume that a system has a sector size of 4096 bytes. Then further assume that it is using a cluster size of 10 sectors. This means each cluster has a total of 40,960 bytes of storage. Now suppose the user saves a file that is 42,000 bytes in size; the file system will need to utilize two clusters. All 10 sectors of the first cluster are used, but only one sector of the second cluster is used, as shown in figure 6-2. From the file system's point of view, both clusters are completely used. The space between where a file actually ends and the end of the cluster (if the file does not take up 100% of the cluster) is called slack space.
10.A common approach for manually managed backups is the Grandfather-Father-Son scheme. Consider a server using traditional tape backup that is backed up daily. At the end of the week, a weekly backup is made. At the end of the month, there is a monthly backup made. Which of the following is NOT true of the Grandfather-Father-Son scheme? 1. Each daily backup is the son, the weekly backup is the father, and the monthly backup is the grandfather. 2. Daily backups begin to be reused after a father is made. 3. Weekly backups are reused after a grandfather is made. 4. Weekly backups are not reused, only sons and grandfathers
Weekly backups are not reused, only sons and grandfathers
What are Windows logs in general, and what is the importance of the Security log for forensics?
Windows logs, and the Security log in particular, are very important because they hold a lot of information about system processes and activity: events caused by processes, logon attempts, Windows system component events, events from remote computers, and single-application information.
7.Maintaining __________ is a problem with live system forensics in which data is not acquired at a unified moment. 1.data streams 2.Registry keys 3.segments 4.data consistency
data consistency
Describe the terms BCP, DRP, BIA and MTD in relation to IT disaster recovery.
§A BCP is focused on keeping the organization functioning as well as possible until a full recovery can be made.
§A DRP is focused on executing a full recovery to normal operations.
§Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization's mission/business processes. A template for developing the BIA is provided to assist the user.
§How long can the system or systems be down before it is impossible for the organization to recover? That is known as the maximum tolerable downtime (MTD).
Describe what steganography is and the terms related to it in digital forensics.
Steganography is the process of hiding data (the payload) in a stream of data or a file (the carrier). The channel is the type of medium used. This may be a passive channel, such as photos, videos, or sound files, or even an active channel, such as a Voice over IP (VoIP) voice call or a streaming video connection. The most common method is hiding data in pictures using the least significant bit (LSB) method: changing the least significant bit of each carrier byte to the value you need, which alters the original data very little.
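The LSB method described above, worked through in code so that both halves are visible: how the payload bits displace the lowest bit of each carrier byte, and how an examiner who has the stego file (and, ideally, the original carrier) recovers the payload and locates the altered positions. This is an added example, not code from the page or from any tool it names; the carrier is a constructed byte array standing in for raw pixel data, and the 4-byte length prefix is an assumed framing convention.

```python
"""LSB embedding, extraction and a simple comparison-based steganalysis check.
Added example; CARRIER is constructed pseudo-pixel data, not a real image."""

CARRIER = bytes((i * 37) % 256 for i in range(1024))   # constructed "pixel" bytes


def _to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def _from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix plus the payload, one bit per carrier byte,
    replacing only the least significant bit of each byte."""
    framed = len(payload).to_bytes(4, "big") + payload   # assumed framing
    bits = _to_bits(framed)
    if len(bits) > len(carrier):
        raise ValueError("payload too large for this carrier")
    stego = bytearray(carrier)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | int(bit)          # clear LSB, set payload bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length from the first 32 LSBs, then that many payload bytes.
    A carrier with no embedded data yields a nonsense length, which is rejected."""
    if len(stego) < 32:
        raise ValueError("carrier too short to hold a length prefix")
    length = int("".join(str(b & 1) for b in stego[:32]), 2)
    end = 32 + length * 8
    if end > len(stego):
        raise ValueError("length prefix claims more data than the carrier holds")
    return _from_bits("".join(str(b & 1) for b in stego[32:end]))


def max_byte_change(original: bytes, stego: bytes) -> int:
    """Largest per-byte difference between carrier and stego file.
    LSB embedding can never move a byte by more than 1, which is why the
    change is invisible to the eye."""
    return max(abs(a - b) for a, b in zip(original, stego))


def changed_lsb_positions(original: bytes, stego: bytes) -> list:
    """Steganalysis when the original carrier is available: every offset whose
    least significant bit differs. Embedded bits cluster at the start here
    because this scheme writes sequentially from offset 0."""
    return [i for i, (a, b) in enumerate(zip(original, stego)) if (a ^ b) & 1]


if __name__ == "__main__":
    stego = embed_lsb(CARRIER, b"meet at noon")
    print("recovered:", extract_lsb(stego))
    print("max byte change:", max_byte_change(CARRIER, stego))
    print("altered LSB offsets:", changed_lsb_positions(CARRIER, stego)[:10], "...")
```

Without the original carrier, an examiner cannot diff bit planes and must instead rely on statistical steganalysis or on tool-specific signatures; the comparison function shown is the simplest case, where a clean copy of the carrier image was also seized.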
Write on "Describing the incident".
1) Common Vulnerability Scoring System (CVSS): A common method for scoring system vulnerabilities is the CVSS. The CVSS is widely used to classify vulnerabilities. It is an open industry standard that allows vulnerabilities to be scored based on severity. When responding to an incident, it is very helpful to describe the vulnerabilities that led to the incident.
2) DREAD is an acronym for Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability. It is a mnemonic for risk rating using five categories:
•How much damage would an attack cause?
•How easy is it for an attacker to reproduce this attack?
•How much effort is required to execute the attack?
•How many users will be impacted?
•And finally, how easy is it to discover the threat?
DREAD asks what the likelihood of an attack is and what damage it would cause. DREAD is an effective model for evaluating the impact of an attack.
3) Remote Network MONitoring (RMON) was developed by the Internet Engineering Task Force (IETF) to support network monitoring and protocol analysis. RMON is a standard monitoring specification that allows various network monitors to exchange network monitoring data. The original version of RMON had 10 groups:
1.Statistics: real-time LAN statistics, e.g., utilization, collisions, CRC errors
2.History: history of selected statistics
3.Alarm: definitions for RMON SNMP traps to be set when statistics exceed defined thresholds
4.Hosts: host-specific LAN statistics, e.g., bytes sent/received, frames sent/received
5.Hosts top N: record of the N most active connections over a given time period
6.Matrix: the sent-received traffic matrix between systems
7.Filter: defines packet data patterns of interest, e.g., MAC address or TCP port
8.Capture: collect and forward packets matching the Filter
9.Event: send alerts (SNMP traps) for the Alarm group
10.Token Ring: extensions specific to Token Ring
4) Mean Squared Deviation (MSD): The MSD formula provides insight into how any system deviates from expectations. It essentially takes the square of the errors or deviations from expected/desired outcomes. The closer to zero the MSD is, the more reliable the system in question is.
5) Mean Percentage Error (MPE): The MPE is the arithmetic mean of errors from modeling. This metric compares expected values to actual values and calculates the mean error. An error is defined as any deviation from the planned or expected value. This is critical in modeling, as it can be used to evaluate the efficacy of the model itself.
Describe the steps of "Incident response".
1. Implement disaster recovery
2. Business impact analysis
3. Describe the incident
4. Implement recovery plan
5. Preserve evidence
6. Integrate forensics
4.What is the key length used for DES? 1.56 2.64 3.128 4.256
1.56
12.__________ is a common method for scoring system vulnerabilities. 1.Common Vulnerability Scoring System (CVSS) 2.Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD) 3.A disaster recovery plan (DRP) 4.The single loss expectancy (SLE)
1.Common Vulnerability Scoring System (CVSS)
13.The Windows Registry is organized into five sections. The __________ section contains those settings common to the entire machine, regardless of the individual user. 1.HKEY_LOCAL_MACHINE (HKLM) 2.HKEY_USERS (HKU) 3.HKEY_CURRENT_USER (HKCU) 4.HKEY_CLASSES_ROOT (HKCR)
1.HKEY_LOCAL_MACHINE (HKLM)
6.In Windows, the Recycle Bin is a holding place for deleted files until the user decides to confirm deletion by emptying the Recycle Bin. Once the file is moved to the Recycle Bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin? 1.INFO2 file 2.INFO1 file 3.LOGINFO2 file 4.LOGINFO1 file
1.INFO2 file
4.You need to image a server that is set up with RAID 5. How would you approach this? 1.Image the entire array as a single disk. 2.Image each disk separately. 3.It cannot be done; you have to do live forensics. 4.It can be done only with special RAID imaging software.
1.Image the entire array as a single disk.
4.Why can you undelete files in Windows 7? 1.Nothing is deleted; it is just removed from MFT. 2.Nothing is deleted; it is just removed from FAT. 3.Fragments might exist, even though the file is deleted. 4.You cannot.
1.Nothing is deleted; it is just removed from MFT.
7.Which tool lets you view process and thread statistics on a Windows system? 1.PsList 2.PsInfo 3.ListDLLs 4.netstat
1.PsList
13. What is the repository of all the information on a Windows system? 1.Registry 2.Volatile memory 3.Heap (h) 4.Master boot record
1.Registry
1.You are examining a Windows laptop. The suspect is accused of having illegal images on the laptop. The suspect insists that he did not know the images were on the laptop, so you decide to examine the Windows Registry to find evidence that he did access the folder in which the images are stored. Which of the following Registry keys would help you do this? 1.ShellBag 2.Prefetch 3.UserAssist 4.DeskIcon LNK
1.ShellBag
1.Which of the following is a concern for capturing live data that is caused by data being changed as it is being captured? 1.Slurred image 2.Corrupt image 3.Data corruption 4.Memory fragmenting
1.Slurred image
10. __________ is the process of analyzing a file or files for hidden content. 1.Steganalysis 2.Asymmetric cryptography 3.Symmetric cryptography 4.Steganophony
1.Steganalysis
1.Which of the following is the Linux equivalent of a shortcut? 1.Hard link 2.Symbolic link 3.Partial link 4.Faux link
1.Symbolic link
7. __________ is a live-system forensic technique in which you collect a memory dump and perform analysis in an isolated environment. 1.Volatile memory analysis 2.Forensic investigation 3.Power-on self test 4.Master boot record
1.Volatile memory analysis
Write on Cryptographic Hashes
A hash is a type of cryptographic algorithm that has some specific characteristics. First and foremost, it is one-way, not reversible: you cannot "unhash" something. Second, you get a fixed-length output no matter what input is given. Third, the algorithm must be collision resistant. A collision occurs when two different inputs to the same hashing algorithm produce the same output (called a hash or digest). Cryptographic hashes are used by many systems to store passwords, including Microsoft Windows. For example, if your password is "password", Windows will first hash it, producing something like this: 0BD181063899C9239016320B50D3E896693A96DF Windows then stores that in the Security Accounts Manager (SAM) file in the Windows system directory. When you log on, Windows cannot unhash your password. Instead, it takes whatever password you type in, hashes it, and then compares the result with what is in the SAM file. If they match, you can log in. There are various hashing algorithms. The two most common are MD5 and SHA. (More recent versions like SHA-256 are becoming more common.)
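The three properties above (fixed-length output, one-way use, and sensitivity to any change in the input) and the two forensic uses the guide mentions, authenticating a drive copy against its original (step 5 of the seizure procedure) and checking a typed password against a stored hash, as an added example in Python's standard hashlib. This is not code from the page; the "drive image" is constructed bytes, and the password scheme is a generic salted PBKDF2 hash-and-compare, not a reproduction of how Windows stores SAM hashes.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a seized drive image and a copy of it with one flipped bit.
ORIGINAL_IMAGE = bytes((i * 31) % 256 for i in range(16384))
_tampered = bytearray(ORIGINAL_IMAGE)
_tampered[5000] ^= 0x01
TAMPERED_COPY = bytes(_tampered)


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data. The output length depends only on the algorithm
    (sha256 -> 64 hex chars, sha1 -> 40), never on the input size."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_copy(original: bytes, copy: bytes, algorithm: str = "sha256") -> bool:
    """Step 5 of the seizure procedure: hash original and copy, then compare.
    Any difference in the copy, even one bit, produces a different digest."""
    return hmac.compare_digest(digest(original, algorithm), digest(copy, algorithm))


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many bit positions two equal-length digests differ in. For unrelated
    inputs roughly half of the bits differ, so near-identical inputs still give
    completely different hashes."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def make_password_record(password: str, salt: Optional[bytes] = None,
                         rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """Store a password as (salt, hash); the plaintext is never kept.
    Assumption: salted PBKDF2-SHA256 stands in for the generic 'hash and store'
    step described in the text."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def check_password(candidate: str, salt: bytes, stored: bytes,
                   rounds: int = 100_000) -> bool:
    """Logon check: hash what the user typed the same way and compare digests.
    The stored value is never 'unhashed'; constant-time compare avoids timing leaks."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(attempt, stored)


if __name__ == "__main__":
    print("sha256 digest length for 1 byte and 16 KiB:",
          len(digest(b"a")), len(digest(ORIGINAL_IMAGE)))
    print("exact copy verified:", verify_copy(ORIGINAL_IMAGE, ORIGINAL_IMAGE))
    print("one-bit-altered copy verified:", verify_copy(ORIGINAL_IMAGE, TAMPERED_COPY))
    print("bits differing, 'password' vs 'Password':",
          differing_bits(digest(b"password"), digest(b"Password")))
    salt, record = make_password_record("password")
    print("logon with correct / wrong password:",
          check_password("password", salt, record), check_password("passw0rd", salt, record))
```

In practice the image hash is computed by the imaging tool at acquisition and recorded on the chain of custody form, then recomputed on the working copy before analysis; the comparison shown is what that recomputation amounts to.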
Describe "Deleting Files in Linux"
Blocks are divided into groups. There can be at most 32,768 (4096 × 8 = 32,768) normal blocks per group. Each group uses one block as a bitmap to keep track of which blocks inside that group are allocated or free. Another block is used as a bitmap of the allocated inodes. Inodes are data structures of 128 bytes that are stored in a table (4096 / 128 = 32 inodes per block) in each group. An inode stores all the information about a file except its name and its actual data. An inode is a reference to a file or a folder; the inode is really a link to the file. There are basically two types of links. The first type is the hard link. A hard link is an inode that links directly to a specific file. The OS keeps a count of references to this link. When the reference count reaches zero, the file is deleted. (In other words, you can have any number of names referencing a file, but if that number of references reaches zero, then the file is deleted.) The second type of file link is called a soft link or symbolic link. In this case, the link is not actually a file itself, but rather a pointer to another file or directory.
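The reference-count behaviour described above can be observed directly with the link count that Linux reports for each inode. The following added example (not from the page) creates a file, a hard link and a symbolic link in a temporary directory, records the link count after each step, and shows that the file stays reachable through the hard link after its original name is unlinked, while the symbolic link simply dangles; the file is only gone once the last hard link is removed. It uses standard os calls and assumes a POSIX file system.

```python
import os
import tempfile

CONTENT = "constructed sample content\n"   # constructed test data


def link_count_demo(workdir: str) -> dict:
    """Create a file plus a hard link and a symlink to it, then remove names one
    at a time, recording st_nlink (the inode's reference count) as it changes."""
    path = os.path.join(workdir, "evidence.txt")
    hard = os.path.join(workdir, "evidence_hardlink.txt")
    soft = os.path.join(workdir, "evidence_symlink.txt")
    with open(path, "w") as f:
        f.write(CONTENT)

    result = {}
    result["after_create"] = os.stat(path).st_nlink          # one name -> count 1

    os.link(path, hard)                                      # second name, same inode
    result["after_hardlink"] = os.stat(path).st_nlink        # count 2
    result["hardlink_same_inode"] = os.stat(path).st_ino == os.stat(hard).st_ino

    os.symlink(path, soft)                                   # pointer, not a reference
    result["after_symlink"] = os.stat(path).st_nlink         # still 2
    result["symlink_separate_inode"] = os.lstat(soft).st_ino != os.stat(path).st_ino

    os.unlink(path)                                          # drop the original name
    result["after_unlink_original"] = os.stat(hard).st_nlink # count 1, data intact
    with open(hard) as f:
        result["readable_via_hardlink"] = f.read() == CONTENT
    result["symlink_dangling"] = os.path.lexists(soft) and not os.path.exists(soft)

    os.unlink(hard)                                          # count reaches 0: deleted
    result["file_gone"] = not os.path.exists(hard) and not os.path.exists(path)
    return result


def run_demo() -> dict:
    """Run the demo in a scratch directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as workdir:
        return link_count_demo(workdir)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that "deleted" here means the inode's count hit zero and its blocks were returned to the free bitmap; the data blocks themselves are not wiped, which is what makes undeletion tools effective until those blocks are reused.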
Write in detail on "NIST 800-61 disaster recovery standard".
Establishing an incident response capability should include the following actions:
1.Creating an incident response policy and plan
2.Developing procedures for performing incident handling and reporting
3.Setting guidelines for communicating with outside parties regarding incidents
4.Selecting a team structure and staffing model
5.Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
6.Determining which services the incident response team should provide
7.Staffing and training the incident response team
Describe steps of Undeleting Data using OSForensics or any other tool of your choice.
OSForensics is a robust forensics tool that also provides for undeletion. You can undelete from an image you have mounted, or from the live system. You can find the "Deleted Files search" on the menu on the left side of the main OSForensics screen, as shown in figure. The search result will be color-coded, indicating how likely it is that you can recover a given file.
Write on "Recovering Information from Damaged Media"
Physical Damage Recovery Techniques: Recovering data from a hard drive should start with the assumption that, unless the case is visibly damaged, the drive itself is still operable. Thus, when presented with a "failed hard drive," use the following techniques to evaluate the drive and retrieve needed data:
1.Remove the drive from the system on which it is installed and connect it to a test system, a compatible system that is functional. Make the connection without installing the drive, connecting only the data and power cables.
2.Boot the test system from its own internal drive. Listen to the failed drive to determine whether the internal disks are spinning.
3.Determine whether the failed drive is recognized and can be installed as an additional disk on the test system.
4.Perform limited repair if the hard drive is not spinning or the test system does not recognize it.
5.Consult a data recovery specialist: if necessary, send the device to data recovery specialists, who may be able to apply extraordinary recovery techniques.
Two techniques are common for recovering data after logical damage: 1) consistency checking and 2) zero-knowledge analysis.
1) Consistency checking: Consistency checking involves scanning a disk's logical structure and ensuring that it is consistent with its specification. For instance, in most file systems, a directory must have at least two entries: a dot (.) entry that points to itself and a dot-dot (..) entry that points to its parent. A file system repair program reads each directory to ensure that these entries exist and point to the correct directories. If they do not, the program displays an error message, and you can correct the problem. Both chkdsk and fsck work in this fashion. A consistency check can fail if the file system is highly damaged. In this case, the repair program may crash, or it may believe the drive has an invalid file system.
2) Zero-knowledge analysis: With zero-knowledge analysis, few assumptions are made about the state of the file system. It is a three-step process:
1.The file system is rebuilt from scratch using knowledge of an undamaged file system structure.
2.In this process, scan the drive of the affected computer, noting all file system structures and possible file boundaries.
3.Then match the results to the specifications of a working file system.
Zero-knowledge analysis is usually much slower than consistency checking. You can use it to recover data when the logical structures are almost completely destroyed. This technique generally does not repair the damaged file system, but it allows you to extract the data to another storage device.
File Carving: File carving extracts the data of a single file from a larger set of data, that is, the entire disk or partition. When a file is only partially recovered, regardless of the file system, you can use file carving to attempt to recover the file. File carving is often used to recover data from a disk where there has been some damage or where the file itself is corrupt. This is a common method of data recovery, particularly when the file metadata has been damaged. Most file carving utilities operate by looking for file headers and/or footers and then pulling out the data that is found between these two boundaries.
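The header/footer carving the last paragraph describes, as an added example rather than any tool's code: it walks a constructed byte blob that stands in for a raw partition image, looks for PNG and JPEG signatures, copies out everything between a header and its matching footer, and reports a hit whose footer is missing as a partial file, which is the "only partially recovered" case the text mentions. The sample PNG and JPEG are constructed with valid signatures but dummy bodies; the filler bytes are chosen so they contain no 0xff and cannot produce false JPEG hits.

```python
"""Header/footer file carving over a raw byte image. Added example with
constructed sample files; no file-system metadata is consulted."""

# Header and footer signatures. The PNG footer is the IEND chunk name plus its
# fixed CRC; the JPEG footer is the End Of Image marker.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed sample files: correct signatures, dummy contents (not real images).
SAMPLE_PNG = (
    SIGNATURES["png"][0]
    + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4   # dummy IHDR chunk + CRC
    + b"\x00\x00\x00\x00" + SIGNATURES["png"][1]                # zero-length IEND chunk
)
SAMPLE_JPEG = (
    SIGNATURES["jpeg"][0] + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 9   # APP0/JFIF segment
    + b"\xff\xda" + bytes(range(50))                              # scan data, no 0xff bytes
    + SIGNATURES["jpeg"][1]
)


def _filler(n: int, seed: int) -> bytes:
    """Deterministic padding that never contains 0xff (values stay below 250)."""
    return bytes((i * 7 + seed) % 250 for i in range(n))


def build_sample_disk() -> bytes:
    """Filler, a complete PNG, filler, a complete JPEG, filler, then a PNG whose
    tail was overwritten (no IEND), which the carver must report as partial."""
    truncated_png = SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 8
    return (_filler(300, 1) + SAMPLE_PNG + _filler(200, 2) + SAMPLE_JPEG
            + _filler(250, 3) + truncated_png + _filler(100, 4))


def carve_files(blob: bytes, signatures=SIGNATURES, max_size: int = 1 << 20) -> list:
    """Return carved files as dicts sorted by offset. A header with no footer
    within max_size bytes yields a partial carve up to that limit or end of data."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = blob.find(header)
        while pos != -1:
            end = blob.find(footer, pos + len(header))
            if end != -1 and end - pos <= max_size:
                stop, complete = end + len(footer), True
            else:
                stop, complete = min(len(blob), pos + max_size), False
            found.append({"type": ftype, "offset": pos, "length": stop - pos,
                          "complete": complete, "data": blob[pos:stop]})
            pos = blob.find(header, stop)        # resume after this carve
    found.sort(key=lambda r: r["offset"])
    return found


if __name__ == "__main__":
    for r in carve_files(build_sample_disk()):
        state = "complete" if r["complete"] else "PARTIAL"
        print(f"{r['type']:5} at offset {r['offset']:5} length {r['length']:4} {state}")
```

Real carvers add per-format size limits and structure checks (for PNG, walking the chunk lengths) because a footer search alone stops at the first marker found, which for fragmented or nested files may not be the right one; the partial-carve path above is what keeps a missing footer from swallowing the rest of the disk.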
Describe on File Formats used for storing forensics data.
The Advanced Forensic Format: AFF is an open file standard with three variations: AFF, AFM, and AFD. The AFF variation stores all data and metadata in a single file. The AFM variation stores the data and the metadata in separate files. The AFD variation stores the data and metadata in multiple small files. The AFF file format is part of the AFF Library and Toolkit, which is a set of open-source computer forensics programs. EnCase: The EnCase format is a proprietary format defined by Guidance Software for use in its EnCase tool to store hard drive images and individual files. It includes a hash of the file to ensure nothing was changed when it was copied from the source. The Generic Forensic Zip: Gfzip is another open-source file format used to store evidence from a forensic examination. Iximager: This is a proprietary file format used by the iLook tool. This tool was developed by the U.S. Internal Revenue Service (IRS) and is restricted to law enforcement and government use only.
Describe various types / forms of steganography with example of each.
Steganophony: Steganophony is the term for hiding messages in sound files. This can be done with the LSB method. Steganophony can be used with static files, such as MP3 files, and dynamically with VoIP and similar multimedia technologies.
Video Steganography: Information can also be hidden in video files, a practice called video steganography. Whatever method is used, it is important to realize that video files are obviously larger than other file types, which provides a great deal of opportunity for hiding information.
More Advanced Steganography: Other than least significant bits, the other option is bit-plane complexity segmentation steganography (BPCS). In BPCS, the carrier is often an image that stores colors in 24 bits, and this fact can be used to increase the storage area for the payload. The complex (noise-like) areas on the bit planes are replaced with the payload. A bit plane of any discrete digital file is the set of bits that corresponds to a given bit position; for example, in 24-bit files there are 24 bit planes. This can be applied to signals as well as files.
Write on primary types of data that a forensic investigator must collect.
There are three primary types of data that a forensic investigator must collect: 1) volatile data, 2) temporary data, and 3) persistent data. Volatile and temporary data is lost whenever a system is used, so you should collect it first to minimize corruption or loss. The following are examples of volatile data:
•Swap file: The swap file is used to optimize the use of random access memory (RAM). Data is frequently found in the swap file. The details on how to extract data from the swap file vary depending on the OS.
•State of network connections: This data is captured before the system is shut down.
•State of running processes: This data is captured before the system is shut down.
Temporary data is data that an operating system creates and overwrites without direct action by the computer user. The likelihood of corrupting temporary data is less than that of volatile data, but it must be collected before it is lost. Only after collecting volatile and temporary data should you begin to collect persistent data.
What is "live system forensics"? Explain in detail.
Volatile memory analysis is a live system forensic technique in which you:
•Collect a memory dump,
•Compute the hash, and
•Perform analysis in an isolated environment.
PsList: Use it to view process and thread statistics on a system. Running PsList lists all running processes on the system. However, it does not reveal the presence of a rootkit or the other processes that the rootkit has hidden.
PsInfo: This tool is also from the PsTools suite. It can tell you system uptime (time since last reboot), operating system details, and other general information about the system. This is good background information to put into your forensic report.
ListDLLs: ListDLLs allows you to view the currently loaded dynamic-link libraries (DLLs) for a process. ListDLLs cannot show the DLLs loaded for hidden processes. This is forensically important because using a Trojan horse to compromise a program or system DLL is a common attack vector.
PsLoggedOn: PsLoggedOn helps you discover users who have logged on both locally and remotely. Most importantly, it tells you who is logged on to shares on the current machine.
Using netstat: netstat is an important utility in the context of checking live system data. It displays both incoming and outgoing network connections. It also displays routing tables and a number of network interface statistics.
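The "state of network connections" step above is usually captured by saving netstat output before shutdown; the following is an added example (not from the study guide, and not part of netstat or PsTools) that parses a constructed Windows-style netstat -ano listing, pulls out the established sessions to non-loopback peers with their owning PIDs, and records a SHA-256 of the saved listing so the capture can be tied to the chain of custody. The listing, addresses and PIDs are all constructed sample values.

```python
# Added example: triage of a saved netstat -ano capture from a live system.
import hashlib
from collections import defaultdict

# Constructed sample output in the layout netstat -ano prints on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED     4120
  TCP    192.168.1.20:49801     198.51.100.7:8443      ESTABLISHED     2260
  TCP    127.0.0.1:49671        127.0.0.1:49672        ESTABLISHED     3188
  UDP    0.0.0.0:5353           *:*                                    1604
"""


def parse_netstat(text):
    """Turn netstat -ano lines into dicts; header and blank lines are skipped.

    TCP rows carry a state column, UDP rows do not, so the PID column shifts.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            if len(parts) < 5:
                continue  # malformed row; leave it for manual review
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": pid})
    return rows


def external_established(rows):
    """Established TCP sessions whose peer is not the local loopback address."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and not r["remote"].startswith("127.")]


def connections_by_pid(rows):
    """Map each PID to the remote endpoints it holds, to cross-check against PsList."""
    by_pid = defaultdict(list)
    for r in external_established(rows):
        by_pid[r["pid"]].append(r["remote"])
    return dict(by_pid)


def capture_digest(text):
    """SHA-256 of the saved listing, recorded alongside the evidence form."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, peers in connections_by_pid(rows).items():
        print(f"PID {pid}: {', '.join(peers)}")
    print("capture sha256:", capture_digest(SAMPLE_NETSTAT))
```

The PID-to-endpoint map is what you compare against the PsList output taken at the same time: a PID holding a session that does not appear in the process list is exactly the kind of discrepancy the text says PsList alone cannot show.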
Describe "Deleting Files in Windows NTFS"
When files are deleted from an NTFS system, the process is similar to what occurs in FAT; the main difference is that clusters are first marked as deleted and the file is thus "moved" to the Recycle Bin. In NTFS prior to Vista, the Recycle Bin resides in a hidden directory called RECYCLER. In Vista, Windows 7, Windows 8, and Windows 10, the name of the directory was changed to $recycle.bin. Only when you empty the Recycle Bin are the clusters marked as fully available. More specifically, when a file is deleted, the filename in the MFT is marked with a special character that signifies to the computer that the file has been deleted. Even at this point, not a single bit is actually deleted. The MFT is simply updated to note that the clusters in that file are deleted. This means that at this point, one can completely recover the entire file. Just as with FAT systems, clusters in an NTFS system are more likely to be overwritten as more time elapses after deletion.
Write on steganalysis.
Steganalysis is the process of analyzing a file or files for hidden content, that is, determining whether a given file has additional information hidden in it.
Close-color pairs: A common method for detecting LSB steganography is to examine close-color pairs. Close-color pairs consist of two colors whose binary values differ only in the LSB. If this is seen too frequently in a given file, it can indicate that steganographically hidden messages may be present.
Raw quick pair: Another method for analyzing an image to detect hidden messages is based on statistics of the number of unique colors and close-color pairs in a 24-bit image. It performs a quick analysis to determine whether there are more close-color pairs than would be expected.
Chi-square analysis: Another method, chi-square analysis, calculates the average LSB and builds a table of frequencies and a second table with pairs of values. Then it performs a chi-square test on these two tables. Essentially, it measures the theoretical versus the calculated population difference.
When analyzing audio files, you can use steganalysis that involves examining noise distortion in the carrier file. Noise distortion could indicate the presence of a hidden signal.
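An added example (not from the study guide and not any steganography tool's code) that serves both the LSB method named under steganophony above and the chi-square analysis described here: it substitutes the bits of a constructed payload into the least significant bits of a constructed 8-bit grayscale carrier, then computes the pairs-of-values chi-square statistic over the cover and over the stego carrier. In untouched image data the two values of each pair (2k, 2k+1) occur with unequal frequency; LSB embedding of near-random data evens them out, so the statistic drops sharply. The carrier, the payload and the seed are all assumptions chosen for the demonstration.

```python
# Added example: LSB substitution and the pairs-of-values chi-square statistic.
import random


def lsb_embed(samples, payload):
    """Write the payload bits, MSB first, into the LSB of successive samples."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("payload does not fit in carrier")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def lsb_extract(samples, nbytes):
    """Read nbytes back out of the LSBs written by lsb_embed."""
    out = bytearray()
    for k in range(nbytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (samples[8 * k + i] & 1)
        out.append(byte)
    return bytes(out)


def chi_square_lsb(samples):
    """Chi-square statistic over value pairs (2k, 2k+1), 8-bit samples.

    Table 1 is the histogram of values; table 2 pairs each even value with
    its odd sibling. Under LSB embedding the two counts in a pair converge on
    their mean, so a small statistic is the suspicious outcome.
    """
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi2 = 0.0
    for k in range(128):
        observed, sibling = hist[2 * k], hist[2 * k + 1]
        expected = (observed + sibling) / 2
        if expected:
            chi2 += (observed - expected) ** 2 / expected
    return chi2


def make_cover(n=4000):
    """Constructed grayscale carrier: a ramp in which even values dominate,
    mimicking the uneven pair counts of unmodified image data (assumption)."""
    return [40 + (i % 50) * 2 + (1 if i % 9 == 0 else 0) for i in range(n)]


def demo():
    """Return (chi2 of cover, chi2 of stego) for the constructed carrier."""
    cover = make_cover()
    rng = random.Random(7)  # fixed seed so the run is reproducible
    payload = bytes(rng.getrandbits(8) for _ in range(len(cover) // 8))
    stego = lsb_embed(cover, payload)
    assert lsb_extract(stego, len(payload)) == payload
    return chi_square_lsb(cover), chi_square_lsb(stego)


if __name__ == "__main__":
    cover_chi2, stego_chi2 = demo()
    print(f"cover chi-square: {cover_chi2:.1f}")
    print(f"stego chi-square: {stego_chi2:.1f}")
```

In this run the cover statistic is on the order of a thousand while the stego statistic is a few tens, which is the "theoretical versus calculated population difference" the text refers to. On real images the test is applied to successive portions of the pixel stream, because a payload that fills only the first part of the carrier flattens only that part, and the point where the statistic jumps back up estimates the payload length.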
Describe the steps of "live system forensics" using any tool of your choice.
FPort:
•Allows you to view open TCP and UDP ports
•Maps ports to specific processes
Userdump:
•Lets you extract memory dumps of running processes for offline analysis
PTFinder:
•Enumerates processes and threads in a memory dump
•Uses a brute-force approach to enumerate processes