Mod 16


what are the parts of Anti-Forensics

1. Data Hiding 2. Artifact Wiping 3. Trail Obfuscation

Assembly language: registers frequently used as the source/destination pointers in instructions that copy memory

1. ESI - Source index 2. EDI - Destination index

what are some common forensic analysis tools associated with host based forensics

1. EnCase 2. Sleuth Kit/Autopsy 3. FTK (forensic tool kit)

Analysis: what are the three file systems

1. Ext2/3 2. FAT 3. NTFS

what are the four phases used in the digital forensics methodology

1. Incident Response 2. Acquisition 3. Analysis 4. Reporting

malware analysis: what are some common DLLs

1. Kernel32.dll 2. Advapi32.dll 3. User32.dll 4. Ntdll.dll 5. WSock32.dll & Ws2_32.dll 6. Wininet.dll

what are the two possible computer system states

1. Live 2. Dead

what are the two goals of Acquisition

1. Minimize data loss 2. avoid compromising the suspect system with additional data that may modify access time of files

Analysis: what are the two email programs and associated extensions

1. Outlook -- .pst and .ost 2. Outlook Express -- .dbx and .mbx

malware analysis: what three ways do malware writers use DLLs

1. storing malicious code in a DLL of their own 2. using Windows DLLs 3. using third-party DLLs

what are the four reasons why malware can create/copy (drop) files onto a system

1. to hide themselves 2. to install the malicious tools 3. to take advantage of an exploit 4. to install files needed for the tool to run properly

Analysis: what are the data sources for media analysis

1. unallocated space 2. slack space 3. swap space 4. dump or core files 5. hibernation files 6. temporary files 7. OS configuration files

Anti-Analysis: what are the three analyst countermeasures to VM checks

1. use a physical system instead of a virtual machine for the lab 2. do not install the hypervisor's guest tools (e.g. VMware Tools) in the analysis VM 3. disable the VM-detecting code in the sample; this is referred to as patching

malware analysis: what are the steps to a PDF file malware execution

1. user opens the file 2. an embedded script executes... 3. ...or the script downloads the payload from the internet 4. the malware is installed (note: a legitimate-looking PDF is usually displayed as a decoy)

what are the five pre-malware analysis activities

1. verify file header 2. virus scan 3. hash the file 4. strings analysis 5. identify packer

malware analysis: what are the classifications of malware

1. virus 2. worm 3. trojan 4. rootkit 5. adware/spyware 6. scareware 7. bot

what three questions must be answered before analysis can be conducted on a device

1. why was this device seized 2. what type of information do I expect to obtain 3. how long do I have to conduct analysis

what are the components of the analysis phase

1. timeline analysis 2. data sources for media analysis 3. file system analysis 4. hash analysis 5. fuzzy hashing 6. file signature analysis 7. string and keyword search 8. windows registry analysis 9. email analysis 10. browser history analysis 11. data recovery

methodology phase: this is the second phase, performed in a timely manner based on the nature of the investigation. The focus is to collect the relevant volatile and non-volatile data using sound forensic techniques and tools that ensure data integrity

Acquisition

these are used to take data as input and display it in a more useful format

Analysis tools

this is defined as an approach to manipulate, erase, or obfuscate digital data or to make its examination difficult, time consuming, or virtually impossible

Anti-Forensics

this state applies when systems are powered off leaving data "at rest" making it easier to gather the non-volatile unchanging data

Dead systems

static malware analysis: program that allows software developers to observe their program while it is running. In a debugger the file is viewed as assembly language, and the analyst can execute it instruction by instruction, inspecting registers and memory at each step

Debugger

methodology phase: this phase begins the documentation process in regards to chain of custody. It also serves as the basis of the analysis

Incident Response

Assembly language: register that acts as the CPU's stack pointer. stores the current position in the stack

ESP

this forensic workstation was developed by Guidance Software. It can analyze both Linux/Unix and Windows OS-based storage devices

EnCase forensic workstation

Analysis: where contents of memory automatically get stored during an error condition, creating files to assist in subsequent troubleshooting

dump or core files

Analysis: which file system records a deletion timestamp (dtime) for a file

Ext2/3

Analysis: which file system does not have a metadata change time

FAT

malware analysis: this file format is the current Windows way to use libraries to share code among multiple applications. It cannot be executed on its own; it is loaded into a host process

dynamic link libraries (DLL)

the goal of this process is to identify system changes such as registry key creation/modification, created files, or network activity

dynamic malware analysis

Anti-forensics: this is the technique of using a key and an algorithm to transform data so that it is unreadable to anyone who does not hold the key

encryption

Terminology: electronically stored information found on or in use by digital media devices

evidence

Terminology: cryptographic hashes of files obtained prior to collection should match hashes obtained after collection

evidence integrity

Analysis: a header or footer within a file that indicates the application associated with a file or the type of file

file signature/ file signature analysis

Analysis: explores the file system's allocated space by mounting the image file on the forensic workstation read-only

file system analysis

Anti-forensics: these utilities are used to securely delete individual files and to overwrite unallocated/free space from within the OS

file wiping

Assembly language: the basic tool for creating conditional code

flags

what is a standalone computer system utilized to perform forensic analysis of digital media

forensic workstation

Analysis: can be used to look for similar files

fuzzy hashing

acquisition: conducted when the hard drive is removed from the suspect system and connected to the analyst's forensics workstation

hardware acquisition

this is placed between the suspect hard drive and the acquisition system

hardware write-blocker

Analysis: a technique to reduce the search space by identifying known files by their hashes

hash analysis

Analysis: what is the name of the windows hibernation file

hiberfil.sys

Analysis: created to preserve the current state of a system.

hibernation files

Terminology: the initial response to a computer related event that seeks to verify an incident, triage the incident, and gather necessary evidence while minimizing data and evidence loss

incident response

Terminology: an analyst toolkit that resides on a separate storage media device

incident response disk

a helix linux boot cd is an example of what

incident response disk

Analysis: what file contains a user's Internet Explorer browsing history

index.dat

Anti-Analysis: a popular language used for designing malicious web pages and obfuscating code to deter analysts or hide true intent

javascript

Terminology: list of words and phrases used to search evidence

keyword list

acquisition: in this situation the investigator may be forced to work on a live system: the system stays powered on, and the image can be obtained locally or over the network

live acquisition

obtains only the file system partition

logical drive imaging

this is defined as programming that is designed to disrupt or deny operation, or to gather information that leads to loss of privacy or exploitation

malicious software (malware)

the process of analyzing malware to determine exactly what the malware is designed to do

malware analysis

a one-way hash algorithm that takes as input a file of arbitrary length and outputs a 128-bit digest, usually written as 32 hexadecimal characters, that identifies the file's contents. Note: MD5 collisions can be constructed deliberately, so pair it with SHA-256 when the hash is used as evidence of integrity

message digest (MD5)

what does malware often require to be completely malicious

network connectivity

what are the two disciplines of digital forensics

network-based, host-based

Anti-Analysis: this tool allows for debugging programs

ollyDbg

pre-malware: this refers to the process of compressing the original malicious executable and concealing it inside another executable

packing

Anti-Analysis: what are the two easiest methods of code obfuscating

packing or compressing

Analysis: a hidden system file that is used by windows for virtual memory when there is not enough physical memory to run programs

pagefile.sys

for what purpose does malware often make changes to the system registry

persistence or configuration data

considered the best evidence. grabs the entire contents of a drive or digital media device, including slack space, unallocated space, and swap space

physical drive imaging

malware analysis: this file format is used by windows executables, object code, and DLLs

portable executable (PE)

Assembly language: these are small chunks of internal memory that reside within the processor and can be accessed very easily

registers

the purpose of this is for the analyst to describe the actions performed, determine what other actions still need to be performed, and recommend improvements to policies, guidelines and procedures

reporting

malware analysis: this is the process of analyzing something that has already been built, to determine how and why it functions

reverse engineering

class of malware: stealthy type of malware designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access

rootkit

class of malware: malware that makes you believe your computer is infected

scareware

what is the process of acquiring non-volatile data

simply making an exact physical copy of the device

acquisition: uses an incident response boot disk that can be used to collect or analyze files forensically

software acquisition

this is placed and used on the acquisition system to prevent writes to source data

software write-blocker

Analysis: a tool to help investigator check similarities in files by computing and comparing context triggered piecewise hashes (CTPH)

ssdeep
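
To make the CTPH idea concrete, here is an added toy implementation written for this page (it is not ssdeep's own algorithm and is far simpler than it): a rolling hash over the last 7 bytes decides where each piece ends, so an edit only disturbs the pieces around it, and a Levenshtein distance between two signatures gives a 0-100 score. The three inputs are constructed, and the block size is fixed at 8 instead of being derived from the file length as ssdeep does.

```python
"""Toy context-triggered piecewise hashing (CTPH), the idea behind ssdeep."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7        # bytes of context that decide where a piece boundary falls
FNV_BASIS = 0x811C9DC5
FNV_PRIME = 0x01000193


def _rolling_hash(window: bytes) -> int:
    """Depends only on the last WINDOW bytes, so a boundary is decided by local context."""
    h = 0
    for b in window:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def ctph(data: bytes, block_size: int = 8) -> str:
    """One base64 character per context-delimited piece, prefixed by the block size."""
    sig = []
    piece, dirty = FNV_BASIS, False
    for i, b in enumerate(data):
        piece = ((piece ^ b) * FNV_PRIME) & 0xFFFFFFFF   # FNV-1a over the current piece
        dirty = True
        window = data[max(0, i - WINDOW + 1):i + 1]
        if _rolling_hash(window) % block_size == block_size - 1:   # the context trigger
            sig.append(ALPHABET[piece & 63])
            piece, dirty = FNV_BASIS, False
    if dirty:
        sig.append(ALPHABET[piece & 63])
    return f"{block_size}:{''.join(sig)}"


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0-100 match score; signatures built with different block sizes are not comparable."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    longest = max(len(body_a), len(body_b))
    if longest == 0:
        return 100
    return round(100 * (1 - _levenshtein(body_a, body_b) / longest))


# Constructed inputs (no real malware): an original, a copy with a 7-byte edit, unrelated bytes.
ORIGINAL = b"The quick brown fox jumps over the lazy dog. " * 10
EDITED = ORIGINAL[:200] + b"MALWARE" + ORIGINAL[207:]
UNRELATED = bytes((i * 37 + 11) % 256 for i in range(len(ORIGINAL)))


def demo() -> tuple:
    """Return (score vs the edited copy, score vs unrelated data)."""
    base = ctph(ORIGINAL)
    return similarity(base, ctph(EDITED)), similarity(base, ctph(UNRELATED))


if __name__ == "__main__":
    near, far = demo()
    print(f"edited copy: {near}%  unrelated data: {far}%")
```

The edited copy scores high because every piece boundary outside the edited region is decided by unchanged context, whereas a conventional hash of the two files shares nothing. Real ssdeep also emits a second signature at twice the block size so that files of different lengths stay comparable.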

information on malware that cannot be identified when the program is executing is gained by what method

static malware analysis

Terminology: contains all the code necessary to run as a standalone program, so it does not depend on libraries on the suspect computer and limits its impact on it

statically linked executable

Anti-forensics: this is a technique where information or files are hidden within another file in an attempt to hide data by leaving it in plain sight

steganography

Analysis: uses string searches to aid in examining large amounts of data to find keywords or strings

string and keyword searches

pre-malware: In a program this is a sequence of characters such as "the". searching them can be a simple way to get hints about the functionality of a program

strings

Analysis: used by the OS in conjunction with RAM to provide a large virtual memory area for data and code in use by applications

swap space

Analysis: created during OS/application install or upgrade

temporary files

what is the location of the master boot record (MBR)

the first physical sector of the drive (sector 0)

Analysis: used to sort file system files by their modified, accessed, changed, and created timestamps

timelines/ timeline analysis

Anti-forensics: the purpose of this is to confuse and divert the forensic examination process

trail obfuscation

class of malware: seemingly innocent file that contains malicious code

trojan

Analysis: deleted files remain here where clusters/blocks are not assigned but may contain data

unallocated space

class of malware: self replicating. attaches to executable programs and makes copies

virus

pre-malware: what must be done before analyzing a file to see if a known signature exists

virus scan

what is data that is likely to be erased if the device loses power.

volatile data

class of malware: self replicating. replicates over a network and does not need human interaction

worm

what are used to protect evidence disks by preventing accidental writes to source data

write-blockers

what hexadecimal represents the end of the MBR sector

0x55AA

malware analysis: what are the portable executable file header sections

1) .text - instructions for the CPU 2) .rdata - read-only data, including the import/export information 3) .data - global data 4) .rsrc - resources (icons, strings, dialogs) that are not part of the executable code
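
An added example (not course material) that walks the PE headers to list those sections and then applies the packer indicators from the pre-analysis checklist: section names that belong to a known packer, a section with near-8.0 entropy, and a section that is empty on disk but large in memory. The two PE images are constructed inside the block so it runs offline; a real triage would also inspect the import table, which this parser skips.

```python
import math
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLLs
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".MPRESS1"}


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # the optional header sits between COFF header and section table
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sec_chars = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "entropy": entropy(raw),
                         "characteristics": sec_chars})
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def packer_hints(pe: dict) -> list:
    """Cheap static indicators that the file is packed (pre-analysis step 5)."""
    hints = []
    for s in pe["sections"]:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hints.append(f"section name {s['name']} belongs to a known packer")
        if s["raw_size"] and s["entropy"] > 7.0:
            hints.append(f"section {s['name']} has entropy {s['entropy']:.2f}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"section {s['name']} is empty on disk but {s['virtual_size']:#x} bytes in memory")
    return hints


def build_sample(sections, is_dll: bool = False) -> bytes:
    """Construct a minimal, non-runnable PE image so the parser can be exercised offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, chars)  # no optional header
    headers_end = e_lfanew + 4 + 20 + 40 * len(sections)
    raw_ptr = (headers_end + 511) // 512 * 512
    table, body = b"", b""
    for i, (name, content, vsize) in enumerate(sections):
        table += struct.pack("<8sIIII", name, vsize, 0x1000 * (i + 1), len(content), raw_ptr + len(body))
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)
        body += content.ljust((len(content) + 511) // 512 * 512, b"\0")
    return (dos + b"PE\0\0" + coff + table).ljust(raw_ptr, b"\0") + body


# Constructed samples: a plain executable and a UPX-style packed DLL.
CODE = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 58                 # low-entropy prologue plus NOPs
PACKED_BLOB = bytes((i * 131 + 7) % 256 for i in range(1024))      # every byte value 4 times: entropy 8.0
SAMPLE_CLEAN = build_sample([(b".text", CODE, len(CODE)),
                             (b".rdata", b"kernel32.dll\0CreateFileA\0", 25),
                             (b".data", b"\0" * 64, 64)])
SAMPLE_PACKED = build_sample([(b"UPX0", b"", 0x8000), (b"UPX1", PACKED_BLOB, 0x1000)], is_dll=True)

if __name__ == "__main__":
    for label, image in (("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED)):
        pe = parse_pe(image)
        print(label, "DLL" if pe["is_dll"] else "EXE", [s["name"] for s in pe["sections"]], packer_hints(pe))
```

The same parser answers the DLL question further down: a DLL is an ordinary PE file whose COFF Characteristics field has the IMAGE_FILE_DLL bit set, which is why the section layout is identical.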

Assembly language: what are the different flags

1. CF - carry flag and OF - overflow flag 2. ZF - zero flag 3. SF - sign flag 4. PF - parity flag

what are the three image file formats and extensions

1. Raw (dd) - uses .dd or .img -- no compression 2. Expert Witness Format (EWF) - uses .E01 -- can compress -- created by EnCase 3. Advanced Forensic Format (AFF) - uses .aff -- can compress

Analysis: what are the OS configuration files analyzed

1. Users and groups 2. passwords 3. network shares 4. scheduled jobs 5. logs 6. system events 7. audit records 8. application events 9. command history 10. recently accessed files

malware analysis: what are four methods involving the use of MS word document file format

1. VBA macros 2. payload of a Microsoft Office exploit 3. embedded Flash program 4. embedded JavaScript

Anti-Analysis: what are the four methods of anti analysis

1. VM detection 2. Anti-debugging checks 3. rootkit use 4. code obfuscation

analysis environment: what two machines make up the basic analysis environment

1. Victim machine- where all system and file analysis is conducted 2. Listener machine- contains the tools required for packet analysis or other type of networking traffic

pre-malware: what are 6 common examples of strings to look for

1. action words 2. IP addresses or domains 3. developer information 4. suspicious files or API calls 5. registry keys 6. packing routine identification

what are the eight different pieces of reportable information

1. anti-virus signatures 2. strings 3. created/deleted files 4. registry keys 5. callbacks 6. network traffic 7. obfuscation identification 8. miscellaneous information

Analysis: what are the three common string and keyword search techniques

1. based on patterns in their names 2. based on keywords in their content 3. based on temporal data, such as last-accessed time

what are some features of EnCase

1. can acquire data from multiple sources 2. produces exact binary duplicate of original drive 3. has National Software Reference Library (NSRL) included 4. automatically generates reports

what are the three versions of the dd image tool

1. dd 2. dd.exe 3. dcfldd

malware analysis: what are the two disciplines of malware analysis

1. dynamic analysis - analysis based on the file's behavior (triage); this technique involves monitoring the system in which the file is executed to determine what has changed 2. static analysis - analyzing the file in a constant, non-changing state; usually involves analyzing the file at the code level

what are the four steps to acquiring volatile data

1. establish a trusted command shell 2. establish a method for transmitting and storing the acquired information 3. collect volatile data from the system and output the collected data to a forensic workstation/storage device 4. correlate system/network based logs and mark the beginning and ending time when incident response was performed

what are the three purposes reports may be used for

1. evidence to help prosecute specific individuals 2. actionable intelligence to help stop or mitigate some activity 3. generate new leads for a case

what are the three reasons listed for performing static malware analysis

1. file is packed and unpacker is not available 2. file requires an encryption key 3. file does not reveal any activity during dynamic analysis

Anti-forensics: what are the different levels of encryption

1. file level encryption 2. whole disk encryption 3. partition level encryption 4. encrypted containers

what are the three data acquisition methods dependent on the incident situation

1. hardware 2. software 3. live

what four things are the SIM card necessary for

1. identifies subscriber to the network 2. stores personal information 3. stores address books and messages 4. stores service-related information

Analysis: what are the two categories of hashes in hash analysis

1. known - files that can be ignored. system files 2. notable - identified as illegal or inappropriate

Anti-forensics: what are methods of trail obfuscation

1. log cleaners 2. spoofing 3. misinformation 4. zombie accounts 5. trojaned commands

what are the three components of the MBR

1. master boot program 2. master partition table 3. 2-byte marker indicating the end of the sector

Anti-forensics: what are additional forms of data hiding, other than encryption, steganography, and ADS

1. memory 2. slack space 3. hidden directories 4. bad blocks/clusters 5. hidden partitions 6. host protected area of hard drive

what are the reasons for malware analysis

1. network defense 2. understand how malware works

what are five examples of volatile data

1. open ports 2. running processes 3. registers and cache 4. logged on users 5. timestamps

Anti-Analysis: what things can a malware check to avoid running in a VM

1. organizationally unique identifier (OUI) of the virtual NIC's MAC address 2. globally unique identifiers (GUIDs) 3. driver detection 4. I/O port detection

malware analysis: what are the common malware formats

1. portable executable format 2. dynamic link library 3. PDF 4. MS word document

Anti-Analysis: what are some clues that could identify the code as being obfuscated

1. random symbol names or random combinations of numbers and letters 2. use of non printable characters in symbol names 3. strings that identify packing routines 4. static analysis does not reveal any readable ASCII terms

Assembly language: what are the basic parts of assembly language

1. registers 2. memory stack 3. flags 4. instructional format

Analysis: what are things learned from NTUSER.dat

1. search history 2. typed URLs 3. last commands executed 4. last files saved 5. recent documents 6. application artifacts

Analysis: what are the five things learned from windows registry analysis

1. software that has been installed 2. system configuration 3. recently used files 4. startup programs 5. user data

Anti-forensics: this is the process by which a strong magnetic field is applied to a digital media device to destroy the data on it

disk degaussing

Anti-forensics: these utilities use a variety of methods to overwrite the existing data on disks

disk wiping

malware analysis: what is the main DLL function

DllMain()

Analysis: this usually refers to the extraction of deleted files from a file systems unallocated space

Data Recovery
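
An added example (not course code) that serves the file signature analysis card above and this data recovery card with one signature table: the first function compares a file's header to its claimed extension, the second carves files out of raw or unallocated space by header and footer alone, which is what recovery falls back on once the file system metadata is gone. The signature table is a small constructed subset and the disk image is built in the block.

```python
from typing import Optional

# (header, footer or None) for a few common types; a constructed subset for the example.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),   # also docx/xlsx/jar; no reliable footer for carving
    "exe": (b"MZ", None),           # PE/DLL: the size comes from the PE headers, not a footer
}
EXTENSION_ALIASES = {"jpeg": "jpg", "dll": "exe", "docx": "zip", "xlsx": "zip"}


def identify(data: bytes) -> Optional[str]:
    """Return the type whose header the data starts with, or None if unknown."""
    for kind, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def check_extension(filename: str, data: bytes) -> dict:
    """Signature analysis: does the header agree with the extension the name claims?"""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    detected = identify(data)
    return {"file": filename, "claimed": ext, "detected": detected,
            "mismatch": detected is not None and detected != ext}


def carve(image: bytes, max_size: int = 1 << 20) -> list:
    """Recover files from raw/unallocated space by header and footer alone."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos >= 0:
            end = None
            if footer is not None:
                fpos = image.find(footer, pos + len(header), pos + max_size)
                if fpos >= 0:
                    end = fpos + len(footer)
            if end is None:   # no footer found: take up to max_size and let later triage trim it
                end = min(pos + max_size, len(image))
            found.append((pos, kind, image[pos:end]))
            pos = image.find(header, end if footer is not None else pos + len(header))
    return sorted(found, key=lambda f: f[0])


# Constructed "unallocated space": zeros with a deleted JPEG and a deleted PDF left behind.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(range(64)) + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
_image = bytearray(4096)
_image[512:512 + len(SAMPLE_JPEG)] = SAMPLE_JPEG
_image[2048:2048 + len(SAMPLE_PDF)] = SAMPLE_PDF
SAMPLE_IMAGE = bytes(_image)

if __name__ == "__main__":
    print(check_extension("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"))   # renamed executable
    for offset, kind, blob in carve(SAMPLE_IMAGE):
        print(f"carved {kind} at sector {offset // 512}, {len(blob)} bytes")
```

A renamed executable is the classic catch for signature analysis: the name says .pdf, the header says MZ. Note that carving recovers contiguous files only; a fragmented file needs file system metadata or smarter reassembly.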

defined as the practice of collecting and analyzing computer related data for investigative purposes in a manner that maintains the integrity of the data

Digital forensics

static malware analysis: Takes a programs executable binary as input and generates textual files that contain the assembly language code for the entire program or parts of it

Disassembler

Terminology: a bit for bit image of the original evidence gathered from a system such as the hard drive, memory, or removable media

Disk image

Assembly language: general-purpose registers used for any integer, boolean, or memory operation

EAX, EBX, ECX, EDX

Assembly language: register mostly used as the stack base pointer

EBP

this is a repository of electronic versions of captured material such as paper notes and documents as well as electronic files found on a variety of different media sources

Harmony database

what type of forensics are associated with dead systems

Host forensics

primarily concerned with computer workstations, removable storage devices, and other physical digital media storage devices

Host-based forensics

Anti-Analysis: allows you to load executable files and reverse engineer them by disassembling the program

IDA pro

this state applies when the systems are powered on with system processes running

Live system

malware analysis: this file format is one of the most effective methods of compromising computer security. It involves emailing the victim a malicious Office document

MS word document

Analysis: contains the configuration and environment settings which includes a great deal of identifiable data pertaining to user activity

NTUSER.dat

Intelligence gathered in theater will ultimately be logged where

National Media Exploitation Center (NMEC) database

Analysis: what is the name of the very large set of hashes maintained by the national institute of standards and technology

National Software Reference Library (NSRL)

what type of forensics are associated with live systems

Network forensics

collects and analyzes raw network data to systematically track network traffic to determine how an attack was carried out or how an event occurred on a network

Network-Based Forensics

Analysis: store OS and application settings that list the services to be started automatically after system boot

OS configuration files

malware analysis: malicious code writers have been embedding malicious scripts into this file format since 2001

PDF

Anti-Analysis: encoded file has its bytes rotated by certain number of bits

ROL/ROR

Anti-Analysis: encoded file has its alphabetic characters rotated by a certain number of positions

ROT

Anti-Analysis: released in 2004 by Joanna Rutkowska; a simple tool that reliably detects VM usage without looking for file system artifacts (it inspects the IDT base address returned by SIDT, which differs under a hypervisor)

Red pill

this is a VMWare appliance created by SANS faculty fellow Rob Lee

SANS SIFT forensic workstation

Analysis: where file information from previous use is still available, long after deletions and rewrites, due to file system not using entire fixed length of clusters to store files

Slack space

Assembly language: an area in program memory used by the CPU and the program for short-term storage, such as local variables, function arguments and return addresses; data here lives slightly longer than in registers

Stack

this is a library and collection of command line tools that allow you to investigate volume and file system data. It works on both unix and windows platforms

The Sleuth Kit (TSK)

T/F: analysis involves forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest

True

T/F: if two hashes are the same, then the copy made is a bit for bit duplicate of the evidence

True

T/F: smart phones use either the same OS as PCs or a stripped down OS version

True

T/F: the SANS SIFT workstation is linux based

True

T/F: the file contents alone determine a hash value

True
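
The integrity rule behind these hash cards (hashes taken before and after collection must match, a physical copy is bit for bit, the content alone determines the digest) is easy to demonstrate. The block below is an added example, not course material: it copies a constructed 64 KiB "device" to a raw image block by block, hashing on the fly the way dcfldd's hash option does, verifies the image against the source, then flips one byte in the image to show how a single stray write breaks verification. Two hashes are taken because MD5 alone is no longer collision resistant.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # copy granularity, like dd bs=4096


def acquire(source: str, image: str, block_size: int = BLOCK_SIZE) -> dict:
    """Copy source to image block by block and hash the bytes as they pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return {"bytes": copied, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path: str, block_size: int = BLOCK_SIZE) -> dict:
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(source: str, image: str) -> bool:
    """Evidence integrity: the source hash and the image hash must agree."""
    return hash_file(source) == hash_file(image)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "suspect.bin")   # stands in for the suspect drive
        image = os.path.join(workdir, "suspect.dd")
        with open(device, "wb") as f:                   # constructed 64 KiB of patterned content
            f.write(bytes((i * 7 + 3) % 256 for i in range(65536)))
        acquired = acquire(device, image)
        verified = verify(device, image) and acquired["sha256"] == hash_file(image)["sha256"]
        with open(image, "r+b") as f:                   # one byte changed after acquisition
            f.seek(1234)
            f.write(b"\x00")
        return {"acquired": acquired, "verified": verified,
                "verified_after_tamper": verify(device, image),
                "tampered_sha256": hash_file(image)["sha256"]}


if __name__ == "__main__":
    result = demo()
    print(result["acquired"])
    print("verified:", result["verified"], "after tamper:", result["verified_after_tamper"])
```

The hash computed during acquisition, the hash of the source afterwards, and the hash of the image all agree only while every byte is identical; that is the fact the chain-of-custody record relies on, and the reason the source sits behind a write-blocker.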

malware analysis: T/F: DLLs use PE file format

True

what action may trigger Trojans, time bombs, and other malware to delete key volatile data

Using native commands on the suspicious computer

Anti-Analysis: this is the most popular self defense mechanism that malware authors will place in their code

VM detection

which OS requires the use of write-blockers

Windows

Anti-Analysis: method of encoding strings in a binary file. some or all bytes have been XOR'd with a constant value

XOR

volatile data provides the current state of a system or network device and is useful when dealing with what types of attacks

active network intrusion attacks

class of malware: a program that forces unsolicited advertising on end users

adware/spyware

Anti-forensics: this NTFS feature lets any kind of data be attached to a file as an additional named stream; the data does not appear in the file's main content or in a normal directory listing

alternate data streams

methodology phase: during this third phase, forensic tools and techniques are used to identify and extract the relevant information from the acquired data while protecting its integrity

analysis

Anti-Analysis: can be performed to detect whether or not a debugger is running on the system and, if so, either refuse to run or attempt to disable it

anti-debugging checks

Anti-forensics: this is the process of permanently eliminating a particular file or entire file system

artifact wiping

Anti-Analysis: takes three bytes, each consisting of eight bits, and represents them as four printable characters in the ASCII standard

base64
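
The four encodings on these cards (XOR, ROL/ROR, ROT, base64) are cheap to undo, and an analyst usually meets them layered. The block below is an added example, not course code: it implements each transform, brute-forces the single-byte XOR key and the rotate count by checking how much of the output is printable, and peels a constructed sample that hides a C2 URL as base64 over XOR 0x5A. The URL and key are made up for the demonstration.

```python
import base64
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rol8(value: int, n: int) -> int:
    n %= 8
    return ((value << n) | (value >> (8 - n))) & 0xFF


def rol_bytes(data: bytes, n: int) -> bytes:
    return bytes(rol8(b, n) for b in data)


def ror_bytes(data: bytes, n: int) -> bytes:
    return rol_bytes(data, (8 - n) % 8)   # ROR by n undoes ROL by n


def rot_text(text: str, n: int) -> str:
    """Caesar rotation of the letters only (ROT13 when n == 13)."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + n) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + n) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def brute_force_xor(data: bytes, min_ratio: float = 0.95) -> list:
    """Try every single-byte key and keep the outputs that look like text."""
    return [(k, xor_bytes(data, k)) for k in range(1, 256)
            if printable_ratio(xor_bytes(data, k)) >= min_ratio]


def brute_force_ror(data: bytes, min_ratio: float = 0.95) -> list:
    """Try the seven possible rotate counts the same way."""
    return [(n, ror_bytes(data, n)) for n in range(1, 8)
            if printable_ratio(ror_bytes(data, n)) >= min_ratio]


# Constructed sample: a hypothetical dropper stores its C2 URL as base64(XOR 0x5A(url)).
SECRET = b"http://c2.example.test/gate.php"
ENCODED = base64.b64encode(xor_bytes(SECRET, 0x5A)).decode()
ROL_ENCODED = rol_bytes(SECRET, 3)


def decode_sample(encoded: str, markers=(b"http",)):
    """Peel the base64 layer, then pick the XOR key whose output contains a known marker."""
    raw = base64.b64decode(encoded)
    for key, plain in brute_force_xor(raw):
        if any(m in plain for m in markers):
            return key, plain
    return None, None


if __name__ == "__main__":
    print("base64 blob:", ENCODED)
    print("recovered  :", decode_sample(ENCODED))
    print("ROR guesses:", [n for n, _ in brute_force_ror(ROL_ENCODED)])
```

Printability alone is a weak filter for XOR because many keys map ASCII to ASCII, so the decoder also demands a marker such as http; in practice the marker list comes from what the dynamic analysis showed the sample contacting.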

class of malware: allows an attacker access to the system; all computers infected with the same botnet receive instructions from a single command and control server

bot

what byte range contains the 64-byte MBR partition table

bytes 446 - 509
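
The MBR cards on this page (sector 0, the 446-byte boot program, the 64-byte partition table at bytes 446-509, the 55 AA marker at bytes 510-511) can be tied together with a short parser. The block below is an added example, not course material: it decodes the four 16-byte partition entries from a constructed sector 0 and then lists the sectors no partition claims, which is where a hidden partition or hidden data would sit. The partition type names are a small subset.

```python
import struct

PARTITION_TABLE_OFFSET = 446   # 0x1BE: four 16-byte entries occupy bytes 446-509
SIGNATURE_OFFSET = 510         # bytes 510-511 hold the marker 55 AA
PARTITION_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
                   0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector: bytes) -> dict:
    if len(sector) < 512:
        raise ValueError("need the full 512-byte sector 0")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("0x55AA marker missing: not an MBR, or sector 0 is damaged")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _h1, _s1, _c1, ptype, _h2, _s2, _c2, lba_start, count = \
            struct.unpack_from("<BBBBBBBBII", sector, off)
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "type_name": PARTITION_TYPES.get(ptype, f"unknown ({ptype:#04x})"),
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:PARTITION_TABLE_OFFSET], "partitions": partitions,
            "signature": sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2].hex()}


def find_gaps(mbr: dict, total_sectors: int) -> list:
    """(start, length) of sector runs that belong to no partition; candidates for hidden data."""
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                  for p in mbr["partitions"] if p["type"] != 0x00 and p["sectors"])
    gaps, cursor = [], 1   # sector 0 is the MBR itself
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def build_sample_mbr(entries) -> bytes:
    """Construct sector 0: a stub boot program, the given partitions, the 55 AA marker."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PARTITION_TABLE_OFFSET - 7)
    table = b""
    for status, ptype, lba_start, count in entries:
        table += struct.pack("<BBBBBBBBII", status, 0, 0, 0, ptype, 0, 0, 0, lba_start, count)
    return boot_code + table.ljust(64, b"\0") + b"\x55\xaa"


# Constructed disk: bootable NTFS at sector 2048, Linux at 409600, a gap between them.
SAMPLE_MBR = build_sample_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x83, 409600, 204800)])

if __name__ == "__main__":
    mbr = parse_mbr(SAMPLE_MBR)
    for p in mbr["partitions"]:
        print(p)
    print("unclaimed sectors:", find_gaps(mbr, total_sectors=1_000_000))
```

The marker is written as the two bytes 55 AA at offsets 510 and 511; read as a little-endian 16-bit word it is 0xAA55, which is why both spellings appear in tools. A disk whose gaps are unusually large, or whose partition table is inconsistent with the file systems actually present, deserves a look for the hidden partitions listed under data hiding.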

Terminology: the route the evidence takes from the time you find it until the case is closed or goes to court

chain of custody

This is one of the most important documents maintained during an investigation. it documents how the evidence was examined, by whom, and when it changed hands

chain of custody

Anti-Analysis: intentionally hiding or misleading source code to prevent reverse engineering or to masquerade the true intent of a program.

code obfuscation

Anti-forensics: this is the process of making data difficult to find while also keeping it accessible for future use

data hiding

what are the mobile forensics steps to take when the device is either ON or OFF

device off - leave the device off, but find the charger ASAP and note it in the log file; device on - do everything possible to keep the device powered on until a full examination can be performed, and store it in a Faraday bag to prevent it transmitting/receiving

