CHFI - Chapter 6 (Operating System Forensics)
Using Netstat with which switch displays the routing table and shows whether any persistent routes are enabled on the system?
-r
With Nbtstat, which parameter would you use to count all NetBIOS names resolved by broadcast via a WINS server?
-r
Using Netstat with which switch displays per-protocol statistics?
-s
What is the extension of the file in which Windows Desktop Search stores its data?
.edb
Which file contains details of the printed file, such as the name of the printed file, its location, the name of the printer used, and a timestamp?
.shd
What kinds of files are created by the print spooler?
.spl, .shd, .emf
In Linux, where would you check for auto-start services?
/etc/rcl.d
Which switch would you use to check processes running on a remote machine?
/s
In Linux, where would you go to check for login and system logs?
/var/log
In Linux, where do running services such as squid, ntpd, etc. write their logs?
/var/log/daemon.log
On Mac OS, where is the network interface history stored?
/var/log/daily.out
Where does Linux log kernel ring buffer information?
/var/log/dmesg
In Linux, where are details of scheduled jobs stored?
/var/spool/cron/ and /etc/cron.daily
EnablePrefetcher indicates which form of prefetching the system uses. Which value means prefetching is disabled?
0
EnablePrefetcher indicates which form of prefetching the system uses. Which value means application prefetching is enabled?
1
In a prefetch file (<>.pf), the DWORD value at offset ___ within the file corresponds to the last time the application was run; this value is stored in UTC.
120
In a prefetch file (<>.pf), the DWORD value at offset ___ within the file corresponds to the number of times the application has been launched.
144
EnablePrefetcher indicates which form of prefetching the system uses. Which value means boot prefetching is enabled?
2
In which stage of process creation are the EP objects created?
2nd
EnablePrefetcher indicates which form of prefetching the system uses. Which value means both application and boot prefetching are enabled?
3
How many bytes long is the EventID field in a Windows event log record?
4
In which stage of process creation is the Windows subsystem notified of the creation of the new process?
4th
How many event types are possible for an event log record?
5
Modifications to the audit policy are recorded in Event ID ___ entries.
612
Small memory dump is a dump containing the stop code and a list of all the loaded drivers and parameters. What size is this dump?
64 KB
Which value from the TimeZoneInformation registry key can be used to translate or normalize the system's times to other sources, such as entries in log files?
ActiveTimeBias
This executable is a Sysinternals utility that lets the user see which programs and processes are set to start automatically with the operating system.
Autoruns
This Sysinternals tool is updated regularly so that it provides the most comprehensive list of Registry keys for autostart locations.
Autoruns
This tool can extract text from a file and find plain ASCII text, Unicode (double byte ANSI) text, and Resource strings, providing useful information for each item in the optional "advanced" view mode.
BinText
Where does Firefox store its cache, cookies, etc.?
C:\Users\fernada1\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXX.default\
By default, in the Windows operating system the .SPL and .SHD files are stored in the spool folder at __
C:\Windows\System32\spool\PRINTERS
Where are Windows event log files stored?
C:\Windows\System32\winevt\Logs
This tool can be used to enable, disable, install, configure, and remove devices. It also performs device management functions on local computers and remote computers.
DevCon
EnCase can parse Windows event log files by means of which feature?
EnScript
In the Windows event log file header, what is the field holding the offset to the EOF record called?
EndOffset
An alternative way of obtaining the system time details is by using which function?
GetSystemTime
This registry hive contains file extension association information and also programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data.
HKCR
This registry hive stores the information needed to make sure that the correct program opens when the user opens a file through Windows Explorer.
HKCR
The configuration of which branch of the registry is backed by the current user's Ntuser.dat file?
HKCU
Which key in the registry hive contains info on recently mapped drives?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Whether the user uses the Map Network Drive Wizard or the net use command, the volumes the user added to the system will appear in which key?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Which registry key would you look up to check all programs accessed by the current user?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Which key in the registry hive contains info on recently accessed documents?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
All values in this registry key are executed at every system startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
This registry hive contains a list of services that run at system startup. If the value Start is 2, startup is automatic. If the value Start is 3, startup is manual and the service starts on demand. If the value Start is 4, the service is disabled.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Which registry key stores the last shutdown time?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows
Prefetch is controlled by which registry key?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Session Manager\Memory Management\PrefetchParameters
Where in the registry is the hibernate option stored?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power
Which registry key stores timezone info?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Where is information about shares stored in the registry?
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares key
This registry hive provides info about the physical state of the computer, which includes bus type, installed cards, memory type, startup control parameters, and device drivers.
HKLM
Which registry key contains info about mounted drives?
HKLM\System\MountedDevices
Where are wireless SSIDs stored?
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID}
Which command will open WinDbg, the GUI interface to the debugger tools?
LiveKD -w
What is the local print provider DLL that writes the contents to a spool file (.spl) and creates a separate graphics file (.emf) for each page?
Localspl.dll
This command lists the currently active logged-on sessions and, if you specify the -p option, it can provide information about the processes running in each session.
LogonSessions
Which Perl program takes the same arguments as lspd.pl (the name and path of the dump file, and the physical offset within the file of the process structure), extracts the available pages from the dump file, and writes them to a file within the current working directory?
Lspm.pl
In the registry key for mapped network drives, each entry is given a letter as the value name, and the ___ value represents the order in which the user connected to each drive or share.
MRUList
Which value under the RecentDocs key records the sequence in which documents were accessed?
MRUListEx
This tool is an online tool to analyze the metadata contained in a file.
Metashield Analyzer
Each user's registry settings for their specific account are stored in which registry file?
NTUSER.DAT
Which command helps to troubleshoot NetBIOS name resolution problems?
Nbtstat
What does the "nbt" in nbtstat stand for?
NetBIOS over TCP/IP
This tool helps in collecting information about network connections operative in a Windows system. This CLI tool provides a simple view of TCP and UDP connections, their state and network traffic statistics.
Netstat
This is a system information gathering software, which extracts forensic data from computers and uncovers everything hidden inside a PC.
OS Forensics
The /o OpenMode parameter can be used with this command to Disconnect all open files with the specified OpenMode on the computer specified by the /s parameter.
OpenFiles
This command queries or displays open files and also queries, displays, or disconnects files opened by network users.
OpenFiles
A tool that lets you dump the memory contents of a process to a file without stopping the process.
PMDump
This is a self-managed tool for the examination of the user's hard disk security and is designed to operate under the National Institute of Standards' Disk Imaging Tool Specification 3.1.6
ProDiscover
This tool's primary purpose is to monitor applications for CPU spikes and generate crash dumps during a spike so that an administrator or developer can determine the cause of the spike.
ProcDump
This tool forensically dumps the memory of a running process. It is a command line interface tool that dumps the whole process space, uses meta-information to describe the different mappings and states, and saves the process environment.
Process Dumper
Running this tool shows a significant number of accesses to the Registry even when there is apparently no user intervention.
Process Monitor
This is a command-line utility that can retrieve the list of remotely opened files on a system. It also allows the investigator to close the opened files either by name or by a file identifier. The default behavior of this command is to list the files on the local system that are open by remote systems.
PsFile
This is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one.
PsLoggedOn
You can determine who is using resources on your local computer with the "net" command ("net session"), however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely. This is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one.
PsLoggedOn
Which encryption algorithm does the UserAssist registry key use?
ROT-13
What does SSID stand for?
Service Set Identifier
Forensic experts require tools that can permit viewing as well as enumeration of a Registry that has been reconstructed from the component files with a system image. One such tool that serves this dual purpose is the Visual Basic script called?
Silent Runners
This is a desktop search feature of Mac OS, which indexes files by their types, making searches easy.
Spotlight
In the Windows event log file header, what is the field holding the offset to the oldest record in the event log called?
StartOffset
This is a tool used to discover hidden Alternate Data Streams (ADS) and clean them completely from the system.
Stream Armor
This small utility lists all USB devices that are currently connected to a computer, as well as all previously connected USB devices.
USBDeview
Name a tool for the extraction of digital artifacts from volatile memory (RAM) samples.
Volatility
This tool converts binary files (like Windows EXE applications, DLLs, and encrypted files) to text files, allowing you to look inside.
Word Extractor
This is a tool to gather slack space, free space, inter-partition space, and generic text from drives and images.
X-Ways Forensics
In Windows 10, what format are the event logs stored in?
XML
In Linux, what can be used to translate protocol addresses to hardware interface addresses?
arp
Which Linux command lists the kernel ring buffer?
dmesg
What command can you use to check previous commands in a cmd prompt?
doskey /history
Digital cameras embed what kind of information in images, which can include the model and manufacturer of the camera, and can even store thumbnails or audio information?
exchangeable image file format (Exif) information
This tool checks the consistency of a Linux file system and repairs it.
fsck
The second power management mode is Hibernate mode, which writes the entire memory to a ___ file on the HDD.
hiberfil.sys
This Linux command displays the activities of each user in detail, such as the number of logins and logouts along with their dates.
last -F
Which Perl program provides details about processes?
lspd.pl
Which Perl program locates processes but not threads?
lsproc.pl
Data is readable only when the VHD is ___.
mounted
Name some utilities that can check for network information on Windows systems.
nbtstat -c, netstat -a, netstat -r
This command displays the names of all open shared files on a server and the number of file locks, if any, on each file.
net file
Name some utilities that can check for open files on Windows systems.
net file, PsFile, openfiles
Name some utilities and commands you can use to check on logged-on users on Windows systems.
net session, PsLoggedOn, LogonSessions -p
This command can help us to see if users have any open files and how long each user's session has been idle.
net sessions
This command collects and displays information about network connections, routing tables, network interfaces, and network protocol statistics.
netstat
The location of the offset for the beginning of the active process list is derived from which important system file?
ntoskrnl.exe
In larger operating systems (such as IBM's OS/390), the swapping is called __
paging
The output of this process memory dump tool cannot be read by debugging tools
pmdump.exe
NICs can capture network traffic data only when they are in __ mode.
promiscuous
This command does not provide information about a process in regard to the path to the executable image, the command line used to launch the process, or the user context in which the process runs.
pslist
Which tool, with the -x switch, displays details about the threads and memory used by each process?
pslist
In Linux, this command is used to analyze the file headers and sections of ELF files.
readelf
The USB removable devices connected to a Windows system can be tracked using the footprints or artifacts they leave in the registry and in this file.
setupapi.app.log
Each key in the Windows Registry holds an embedded timestamp, which is referred to as __
the Last Write Time.
The output of this process memory dump tool CAN be read by debugging tools
userdump.exe
On Mac OS, which file contains the system version details?
version.plist
What command-line command can be used to retrieve information about event logs and publishers that is not readily apparent via the Event Viewer user interface?
wevtutil