CpE 449 - Computer Networks and Forensics
==Intro to File System and Media Forensics== What is computer forensics?
"detection, identification, classification, interpretation, documentation and reporting of anomalous, inappropriate or potentially damaging activity relating to digital, electronic devices or media"
==Intro to File System and Media Forensics== What is the relative volatility of data hiding areas?
(1) - Host Protected Area and Device Configuration Overlay (2) - Unused space in Master Boot Record (MBR) or extended partition (3) - Volume slack (4) - Partition slack (5) - Boot sector in a non-bootable partition (6) Unallocated space in a partition (7) Good sectors marked "bad" (8) Disk Slack (9) Unused space in Superblock (ExtX) (10) Unused space in block group (ExtX) (11) Unused portion of an ExtX directory
==Intro to File System and Media Forensics== What are things that can be done to a computer to change digital evidence?
-Create files -Kill processes -Power off -Power on -Disconnect from a network -Connect to a network
==Disk Wiping by any other name (8/2006)== Of the 7 disk wiping utilities analyzed, how many were shown to be effective?
1 was shown to be effective in erasing the data and all data residue
==BRAP Forensics (6/08)== Give two examples of BRAP forensics.
1. Browser Residue: Looking at cookies stored in Windows restore points or cache and URL history" 2. Application Residue: Looking at metadata from Microsoft applications (like Word)
==Better-than-nothing security practices (8/2007)== Four organizations were mentioned that promote specific security standards. List 2 of them.
1. Control Objectives for Information and related Technology (COBIT) 2. Federal Information System Controls Audit Manual (FISCAM) 3. Certified Information Systems Auditors (CISA) 4. BSI 7799/ISO 17799/ISO 27001??
==Watermarking Cyberspace (1997)== Give 2 uses of digital watermarks
1. Copies can be determined to be authentic by comparing the original document and the removal of an imprint from hashing algorithms. 2. Authorized source of unauthorized copies may be easily identified to avoid duplication and transmission.
==Watermarking Cyberspace (1997)== Give 3 examples of digital fingerprinting.
1. Cyclic redundancy check 2. Checksum algorithm 3. Digests (hashing algorithm)
==Better-than-nothing security practices (8/2007)== List 3 federal laws that mandate IT standards.
1. Sarbanes-Oxley (SOX) 2. Gramm-Leach-Biley (GLB) 3. Health Insurance Portability and Accountability Act (HIPAA) 4. Federal Information Security Management Act (FISMA) They provide means of which one might determine compliance.
==Watermarking Cyberspace (1997)== What are the two mail categories of watermarking techniques?
1. Text 2. Image
==Watermarking Cyberspace (1997)== What are the three common techniques for watermarking text?
1. Text-line coding (altering the space between lines) 2. Word-space coding (altering the space between words) 3. Character encoding (changing the appearance of the font of some characters)
==Disk Wiping by any other name (8/2006)== What are the two problems caused when a disk sanitizer fails to overwrite old MFT entries?
1. The file and directory names are commonly indicative of content (i.e. the nature of business, level of confidentiality, etc.) 2. If the file are small enough (if the resident attribute was set), $DATA will contain all of the original data.
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What were the two early incarnations of data hiding mentioned in the article?
1. The storage of data on out-of-standard tracks on floppy disks that were beyond the reach of the operating system. 2. Store information in non-data fields of network packets.
==Watermarking Cyberspace (1997)== List two characteristics of effective watermarks.
1. They must be difficult or impossible to remove. 2. They must survive common document modifications and transformations such as cropping or compressing. 3. In principle, be easily detectable and removable by authorized users with such privileges.
==Better-than-nothing security practices (8/2007)== List 3 of the different security models that have been recommended by professionals and organizations in IT mentioned in the article.
1. Time-based security 2. Principle of least privilege 3. Defense-in-depth 4. Baseline security 5. Perimeter hardening 6. Intrusion detection 7. Intrusion prevention
==Watermarking Cyberspace (1997)== What are the two main classes of digital watermarks?
1. Visible 2. Invisible
==Data Hiding Tactics for Windows and Unix File Systems (2008)== (T/F) The number of tracks/cylinders recognized by a disk controller has to be the same as the number of tracks/cylinders recognized by the operating system.
False. (e.g. The floppy drive controller could usually access 81 or 82 but the operating system DOS could only recognize 80)
==Data Hiding Tactics for Windows and Unix File Systems (2008)== How long will an alternate data stream persist?
For the life of the attached file or folder as long as that file or folder remains in an NTFS file structure.
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is a file carver?
Forensic tools (or data recovery tools) that analyze the data on a drive (typically sector by sector or block by block) without any regard for the actual logical organization of the disk. Each sector or block is then checked for known file signatures and, if one is found, the data is extracted or marked appropriately.
==BRAP Forensics (6/08)== What is media analysis/file system forensics?
Looks at artifacts left by the user(data stored) instead of activity.
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is the name of the DOS partition at the beginning of a drive that contains the boot code and partition table?
Master Boot Record (MBR)
==Better-than-nothing security practices (8/2007)== What is the Windows equivalent of "root privilege"?
Run as "administrator"
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is the primary goal of steganographery?
Steganographery is concerned with hiding the very communication of the message (like wolves among sheep ).
==Disk Wiping by any other name (8/2006)== What was the name of the Windows built-in disk wiping utility?
cipher
==Watermarking Cyberspace (1997)== What are two techniques for image watermarking?
1. Flip low-order bits of selected pixels 2. Superimpose a watermark over an area of a graphic. 3. Color separation (the watermark appears in only one of the color bands) 4. Applying the Fast Fourier Transform (FFT) to alter the pixel values of an image (applied to lower frequencies).
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What are the two structures of a hard disk drive?
1. Geometric structure (e.g. cylinders, tracks, blocks, clusters, and sectors) 2. Nested data structures (e.g. file system, file, record, and field)
==Data Hiding Tactics for Windows and Unix File Systems (2008)== Eleven digital disk warrens in Windows and Unix file systems were discussed in this article. List 5.
1. Host Protected Area 2. Unused space in Master Boot Record (MBR) or extended partition 3. Volume slack 4. Partition slack 5. Boot sector in non-bootable partition 6. Unallocated space in a partition 7. Good sectors marked "bad" (fake bad sectors) 8. Disk slack 9. Unused space in superblock 10. Unused space in block group 11. Unused portion of an EtxX directory
==BRAP Forensics (6/08)== List two core areas of modern computer forensics
1. Log analysis 2. Timeline analysis 3. Key-stroke capture and analysis
==Intro to File System and Media Forensics== What are NIST Categories of Mobile Forensics?
1. Manual extraction - no forensics, just documented inspection 2. Logical extraction - forensic workstation 3. HEX dumping - use a boot loader to access RAM 4. Joint Test Action Group (JTAG) extraction - data derived from hardware 5. Chip-off - physical removal of memory chip 6. Micro Read - electron microscopy of hardware (CIA, NSA)
==Intro to File System and Media Forensics== What are the 4 goals of evidence handling?
1. Preserve 2. Protect 3. Provide provable chain-of-custody 4. Ensure tamper prevention
==Disk Wiping by any other name (8/2006)== What is the term used to describe data that was unaffected by the disk wiping?
Data residue
==Watermarking Cyberspace (1997)== What is a digital watermark?
A digital signal or pattern inserted into a digital document (text, graphics, multimedia presentation) that are a guarantee of authenticity, quality, ownership, and source.
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is the name of the set of consecutive blocks on a hard disk that appear to an operating system as a separate volume (aka, drive in Windows or directory of mount point in Unix)?
A partition
==Watermarking Cyberspace (1997)== How does digital watermarking work?
A signal or pattern is digitally imposed prior to sale or distribution and the it persists under transmission and some common forms of transformation. For text, methods include text line coding (elevating certain lines), word-space coding (altering space between words), and character encoding (altering some characters or font).
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is the primary goal of digital watermarking?
Add sufficient metadata to a message to establish ownership, provenance, source, and so on (like with dollar bills).
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is Microsoft's version of a resource fork?
Alternate data streams Note: A resource fork stores information in a specific form, containing details such as icon bitmaps, the shapes of windows, definitions of menus and their contents, and application code
==Better-than-nothing security practices (8/2007)== What does an IT security model do?
Attempt to circumscribe and quantify some measure of risk as the function of real or potential vulnerabilities and threats.
==BRAP Forensics (6/08)== What does BRAP forensics do?
Bridges the gap by revealing stored data as well as information about user behavior... It can be used in the prosecution of cases involving "unacceptable computer use, sexual harassment, child pornography, EULA, computer fraud, identity theft, and intellectual property cases."
==Data Hiding Tactics for Windows and Unix File Systems (2008)== Provide two examples of nonphysical data hiding
Cryptography, steganography, and watermarking
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is the feature that allows modification of the characteristics of a hard drive (e.g., the number of available clusters)?
Device Configuration Overlay (DCO)
==Disk Wiping by any other name (8/2006)== What is the other category of utilities that are designed to be used prior to repurposing or recycling disk drives?
Disk sanitizers or disk purgers
==Data Hiding Tactics for Windows and Unix File Systems (2008)== According to the article, hidden data may be thought of as a special case of what?
Either "dark data" that is intentionally hidden or unintentionally concealed, misplaced, misplaced or accidentally erased.
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is the name of the remaining area of a partition on a hard drive that cannot be accessed by the operating system by conventional means?
Extended partition
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is the name of the area of a secondary storage device where vendors could store data that is protected from normal user activities?
Host Protected Area (HPA).
==BRAP Forensics (6/08)== In what file is the cache and URL history organized and stored on a Windows computer?
INDEX.DAT, which is stored in "Documents" and "Settings\<User>\Local Settings\Temporary Internet Files\Content IE5"
==Disk Wiping by any other name (8/2006)== Windows doesn't delete file data. What does it do when the delete file command is executed?
It simply marks the physical space that the files occupied as unallocated and available for reuse.
==Disk Wiping by any other name (8/2006)== How did cipher work?
It wipes disks by filling a file, EFSTMPWP, with enough data to consume all available non-allocated space.
==Better-than-nothing security practices (8/2007)== What is the primary measure of risk in the principle of least privilege model?
Less control = better security. Applications should not be given more privilege than they need (otherwise it breaches the least privilege model).
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is "ram slack?
Modern OS write data in complete 'blocks', where a block could be a sector or a cluster. If a file is not an exact multiple of the sector size, the OS (old ones) must pad the last sector, and this padding comes from memory (hence the name RAM slack). Modern operating systems tend to pad with nulls.
==BRAP Forensics (6/08)== What part of the files are deleted when the recycle bin on a Windows computer is emptied?
Modern operating systems do not overwrite deleted file data areas but rather just reassign the affected disk space to the operating system for further use (it just deletes the reference). The actual file data remains recoverable with a hex editor (unless the clusters have been reallocated to another file -- which isn't all that likely on high-capacity drives).
==Better-than-nothing security practices (8/2007)== What is the primary measure of risk in the time-based security model?
More time = better security. As long as advance warning exceeds the sum of the detection and response times, the system remains protected. (The greater the difference, the greater the safety margin).
==Disk Wiping by any other name (8/2006)== Do disk wiping utilities typically clean the registry hive?
No, because "messing with the registry is really dangerous" according to Microsoft.
==Disk Wiping by any other name (8/2006)== Were the majority of disk wiping utilities effective at removing Alternate Data Streams?
No, because 4 of the 7 (Cipher.exe, CyberScrub 3.5, PGP Shred, and PGP Wipe) had alternate data stream information left intact.
==Disk Wiping by any other name (8/2006)== Did the majority of disk wiping utilities effectively remove small datafiles that were present in the MFT?
No, because 5 of the 7 (Cipher.exe, CyberScrub 3.5 TEST 1, CyberScrub 3.5 TEST 2, PGP Shred, and PGP Wipe) left small files stored in $MFT intact.
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is the primary goal of cryptgraphy?
Obscure the content of the message, but not the communication of the message (like a lock on
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is the name given to the unused sectors at the end of a partition that cannot be accessed by the operating system?
Partition slack
==BRAP Forensics (6/08)== What is computer activity mining?
The recovery of information about a computer user, or a computer's use, from the computer itself
==Watermarking Cyberspace (1997)== How does digital watermarking differ from encryption?
They are designed to be persistent in viewing, printing, or subsequent retransmission or dissemination, which is unlike decrypted documents that are free of any residual effects.
==BRAP Forensics (6/08)== Why were "cookies" developed?
They are used to store information about the client-server exchange for subsequent connections, either during the current browser session (session identifiers) or during subsequent browser sessions (persistent identifiers). They were developed to give companies a real-time view into both online visitor activity and offline customer information.
==Disk Wiping by any other name (8/2006)== Why do the disk wiping utilities frequently miss small files that are stored in the MFT?
They typically wipe unallocated space, but if the data is small enough, it is stored within $MFT and $MFT_MIRROR, which are allocated space.
==Data Hiding Tactics for Windows and Unix File Systems (2008)== (T/F) Hidden data may be stored in bad blocks/sectors (e.g., $BadClus in NTFS).
True. (According to article)
==Data Hiding Tactics for Windows and Unix File Systems (2008)== (T/F) Bad blocks/sectors (e.g., $BadClus in NTFS) are not accessible to the operating system.
True. (By definition)
==Data Hiding Tactics for Windows and Unix File Systems (2008)== What is the example given in the article of dark data that resides within light data?
Watermarking where dark data (an imperceptible watermark) resides within light data).
==Disk Wiping by any other name (8/2006)== What was the problem with cipher?
When it filled up the file EFSTMPWP to wipe a file it could on occasion take up so much space that the OS no longer had room to breath and would hang up. Windows wouldn't reload EFSTMPWP was deleted by booting to a non-resident OS.