Review 1
A user is suspected of deleting files using a wiping tool. Which artifact should be reviewed for Directory Metadata information?
$I30 file
Which two files track changes within the NTFS file system (journaling)?
$Logfile and $UsnJrnl
Evidence of Timestamp manipulation can include
$S_I (B) time prior to $F_N (B) time; fractional second values are all zeroes; $S_I (M) time prior to ShimCache time; $S_I times prior to $I30 slack entries; MFT entry number is significantly out of sequence
Which variable can be used by fileless malware to call the executable CMD.EXE on a Windows System?
%COMSPEC%
Using the MACTIME program, what is the correct syntax to gather a timeline?
./mactime -b (switch)
What file signature can be used to carve for deleted MFT entries?
0x46 49 4C 45
$MFTMIRR
A backup copy of the first four records of the MFT
This file should be examined for indications of malicious content
A file in C:\Windows\System32 with an ADS of Zone.Identifier of 3
What command will list all persistent VSCs on a Windows host?
Admin - CLI - vssadmin list shadows
What can be detected by timeline analysis?
Anti-Forensics
Which tools can be used for full analysis of VSCs?
Arsenal Image Mounter, F-Response, VShadowMount
What type of index does NTFS utilize?
B-Tree index
Term for classifying an attacker's preferences by combining info such as IP address, custom malware, and target selection?
Behavioral Indicators
What kind of input does the MACTIME tool take?
Body File
Which NTFS timestamp will change when an Admin gives ownership permissions of a file to a User?
C- Metadata Change
Which MACB standard time field is updated when a file is renamed?
C- Metadata changed
An analyst is investigating a suspicious file, an executable; Prefetch indicates the file has executed numerous times. What would be the next step based on the Prefetch data?
Calculate the sha-256 hash of the executable and search for it on VirusTotal.com
When examining a system that has been mounted as a VM, which technique could identify persistent malware?
Checking for applications that start automatically in HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
Incident Response indicates a remote user clicked on a link and now the corporate site is upside down and they can't connect to a VPN. What should the IR team's first action be?
Confirm the website has not been defaced; review the recent access logs for the user; confirm the information relayed
What is the forensic purpose of investigating the $I30 file?
Contains a list of the file name indexes for a Directory
$Logfile
Contains transactional info used by NTFS to maintain integrity of the filesystem in the event of a crash
Describe Reflective Code Injection
Custom loaders are used to bypass common API functions
What can be determined based on artifacts found in the Windows 8+ AppCompatCache registry key?
Date and time an executable was last modified
A computer on a local area network has been compromised by a RAT, what is the next step in the identification phase of incident handling?
Determine if other network systems have been compromised
At offset 0x16 within the MFT record, what does the value 0x02 indicate?
Directory has been deleted
At offset 0x16 within the MFT record, what does the value 0x03 indicate?
Directory in use
Which tool can be used to generate a bodyfile when examining a CD?
FLS
Name two places to find filename layer artifacts (filenames)
File System Metadata - MFT entry; Directory Data - $I30 contains a list of child files/directories
At offset 0x16 within the MFT record, what does the value 0x01 indicate?
File in use
What's the next step after creating a timeline with log2timeline.py?
Filter the timeline with PSORT.py
A third-party audit of externally facing infrastructure after recent breaches falls under which category of the incident response process?
Follow-Up
$Volume
Friendly name of the volume for display in My Computer; NTFS version and mount flags
Where are the excluded files and folders located for Volume Shadow Copies or Snapshot?
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNottoSnapshot
A user deleted a key from Software\Microsoft\Windows\CurrentVersion\RunOnce. Which registry key could restore the RunOnce key after reboot?
HKLM\System\CurrentControlSet\Services
Which tool is a cross-platform tool for parsing $I30 index files?
INDXparse.py Tool
What is the purpose of Volatility's plugin KDBGscan?
Identifies the Windows OS build string
An adversary has been identified within a network; they are actively moving through systems and encrypting data. What would contain this event?
Identify the attack vector and remove the compromised services from the workstations.
What type of artifacts can you analyze with TSK icat?
Image file, MFT or inode number, specific attribute Id "Zone.Identifier"
Which two tools can be used to parse $I30 files?
Indx2Csv (export/carved) and Velociraptor for live systems
Characteristics of an NTFS resident file can include what?
It is a small file less than 600 kb
Which tool could be used along with third-party tools by an IR team looking to capture info on the applications which will be launched at startup from a subnet of Windows hosts?
KANSA
Which tools can be used to triage VSCs?
KAPE and Velociraptor
What type of credentials can be stolen by a successful attack on a service that was started as a scheduled task?
LSA Secret - scheduled tasks have passwords saved as LSA secrets
What is a type 2 logon?
Logging on through the console
$LogFile
Low-level transactional logs for NTFS: full payload, indexes, UsnJrnl; 64MB but can be adjusted (Flight Recorder)
Which MFT Record is always reserved for the Root of the Volume?
MFT Record #5
Which MFT record number would the NTFS file system check to find if a cluster is in use?
MFT Record #6 - $Bitmap - shows free & unused clusters
What is the term for a Windows object that limits access to a single process at a time?
MUTEX
$MFT
Master File Table - A database that tracks every file in the volume
MFT Entry Allocated
Metadata filled out / Pointers to clusters
Which default Windows artifact would you examine to detect a malicious executable maintaining persistence?
NTUSER.DAT
Which of the following should be collected in order to construct a timeline relevant to file downloading activities?
NTUSER.DAT hive Open/Save MRU
What are the possible ADS zones?
NoZone=1, MyComputer=0, Intranet=1, Trusted=2, Internet=3, Untrusted=4
At offset 0x16 within the MFT record, what does the value 0x00 indicate?
Not in use (unallocated)
Using F-Response and KAPE
OS - Windows; Use - Triage imaging/artifact post-processing; Deployed - Manual, designed for standalone; Advantage - Powerful & simple to use; Disadvantage - Not designed for large-scale remote use
Describe KANSA
OS - Windows; Use - IR & threat hunting; Deploy - PowerShell remoting via GPO; Advantage - Uses PS remoting for efficiency & credential safety; Disadvantage - Not for acquisitions
At what offset is the Hard Link Count to determine how many $File_Name attributes exist for a record?
Offset 0x12
The portion of the MFT record that describes the states given as options resides at what offset?
Offset 0x16; values can be 0x00, 0x01, 0x02, 0x03
Which attack technique uses an NT hash to request a service ticket and mount a remote file share?
Over Pass the Hash - OPTH
The tool Indx2Csv can be used to parse what artifact?
Parsing exported or carved $I30 files; active and slack entries
What is the tool istat used for?
Part of TSK; displays statistics about a given metadata structure (aka inode), including MFT entries
Under which category of ATT&CK would a defender place an artifact that indicates tampering with component firmware?
Persistence
Applications running from a Temp Directory indicate what?
Processes should not continue to run from a Temp location; this could indicate malicious activity
Which class of malware can modify the input to a live incident response PowerShell collection script?
Rootkit
What are deleted $I30 Index entries called?
Slack entries
What is the best option for acquiring the memory of a compromised machine running in VMware?
Suspend the VM and copy the .vmem file from the host
What is Copy-On-Write (COW)?
Technique to efficiently store just data differences on VSC/Snapshots
What is the size of backed up blocks within a VSC/Snapshot?
The backed up blocks are stored in 16kb chunks
Where are the VSC/Snapshot backup 16kb block chunks files stored?
The files are stored in the System Volume Information directory at the root of the volume
How many timestamp values are present if the filename is too long and Windows has to shorten the filename to 8.3 standards?
The long and short filename attributes each have 4 timestamps, for a total of 12: $SI = 4, $FN = 4, $8.3 = 4
What is the tracking file called for a VSC and in what format is the name?
The name of the tracking file is called the Catalog and it is in a GUID format
Running the malfind plugin produces this output: Process: lsass.exe Pid:1928 VadTag:Vad protection: Page_Execute_ReadWrite
The process memory section is marked as an executable with no associated mapped file on disk
Locating time stamps that have all zeroes is an indicator of what?
Timestamps were manually altered using an anti-forensics tool
$BITMAP
Tracks the allocation (in-use versus free) of each cluster in the volume
What data structure is responsible for tracking every memory section assigned to a process?
Virtual Address Descriptor (VAD)
During the examination of a Windows 8 workstation's application compatibility shim cache, what does the EXEC flag value represent?
Whether the program has been run on the system
What does SIGCHECK tell you?
Will indicate if a certificate was explicitly revoked by its issuer; this can be an indicator of malware trying to hide on the system
What tool can be used to analyze VSCs within Linux?
Within a Linux VM you can use libvshadow, vshadowmount and vshadowinfo to analyze VSCs (free tools)
You've used log2timeline.py to analyze VSC snapshots; explain why you might have duplicates.
If an entry's MACB values are the same, these files will produce duplicates; metadata info is extracted from a file stored in numerous places
Which techniques can malware use to hide evidence of process injection?
By injecting code that does not use the portable executable format (MZ) header
$Extend\$UsnJrnl
Change journal: an index listing all of the files that have changed on the system and why
What does the vshadowmount command do?
Exposes all VSCs as raw disk images for examination within Linux SIFT
What is the size of a file that could be resident within an MFT record?
less than 600 bytes
Vshadowinfo
Lists all available shadow snapshots in a disk image in Linux
MFT Entry Unallocated
Metadata may or may not be filled out; if filled out, it is from a deleted file/folder. The clusters may have been reused.
What does the following Volatility command tell you: vol.py -f bc2.vmem malfind | grep mz | wc -L (output: 1)
One section within the memory image contains an executable Windows binary
How does Windows Management Instrumentation (WMI) help an attacker evade detection?
The malware will only run when certain conditions are met; WMI allows triggers to be set when a condition is met; malware doesn't need to run on startup; this avoids behavioral patterns
The Hard Link Count at offset 0x12 refers to?
The number of $File_Name attributes there are for the file
For the past 6 months, exactly 13 hrs after patches are released, your web server receives 7 suspicious packets from an IP in Europe. How can you classify this activity?
The timing and recurrence of the attack demonstrate a Behavioral Indicator