Ch. 13 - Performing Forensic Analysis and Techniques
What does the operator 'if' set in the dd utility?
'if' sets the input file
What does the operator 'of' set in the dd utility?
'of' sets the output file
What are some of the main locations in Linux that forensics analysts will initially investigate?
/var /home /etc
What are log viewers?
A built-in feature of forensics suites that allows log entries to be matched with other forensic information, for example by placing them on the same timeline as file system activity.
What piece of hardware is crucial to digital forensics for password cracking?
A powerful GPU can result in massive speed increases over traditional CPU-based cracking.
What is file carving?
A specialized forensics technique (and tool) that examines data block by block, looking for file headers, footers and other indicators of file structure, and then attempts to recover the files it finds without help from the file system, which is how deleted files whose metadata is gone can still be recovered.
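The following is an added example, not part of the original notes, showing a minimal header/footer carver of the kind described above. It walks a raw image sector by sector, tests each sector boundary for a known signature, then searches forward for the matching footer and cuts the file out with no file system metadata involved. The three signatures, the 512-byte sector size, the size limits and the sample image are all assumptions constructed for the demo; real carvers ship hundreds of signatures and handle fragmented files.

```python
"""Minimal header/footer file carver (added example, not from the notes).

Assumptions: files start on a 512-byte sector boundary; three common
signatures (JPEG, PNG, PDF); a constructed in-memory image stands in for
a raw dd image of unallocated space."""
import hashlib

SECTOR = 512

# (type, header bytes, footer bytes, maximum carve size). Assumed set of
# signatures for the demo; a production carver carries far more.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
]


def carve(image: bytes, sector: int = SECTOR):
    """Return a list of (type, offset, data, complete) for every file found.

    Only sector-aligned offsets are tested for headers: files begin on a
    block boundary on almost every file system, and this keeps false
    positives from random bytes low. If no footer appears within the size
    limit, the file is carved up to that limit and flagged incomplete (its
    tail was overwritten or fragmented). Real JPEGs can contain an embedded
    thumbnail with its own FF D9, which a serious carver must handle."""
    found = []
    for offset in range(0, len(image), sector):
        for name, header, footer, limit in SIGNATURES:
            if not image.startswith(header, offset):
                continue
            window_end = min(len(image), offset + limit)
            end = image.find(footer, offset + len(header), window_end)
            if end == -1:
                found.append((name, offset, image[offset:window_end], False))
            else:
                end += len(footer)
                found.append((name, offset, image[offset:end], True))
    return found


def _pad(data: bytes, sector: int = SECTOR) -> bytes:
    """Pad data with zeros to the next sector boundary."""
    return data + b"\x00" * (-len(data) % sector)


def build_sample_image():
    """Construct a fake raw image: a deleted JPEG and PDF sitting in
    unallocated space, a fragment of an older text file, and a PNG whose
    tail (including the IEND chunk) was overwritten."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n" + b"x" * 700 + b"\n%%EOF"
    png_head = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17
    image = b"".join([
        b"\x00" * SECTOR,                      # unallocated, zeroed
        _pad(jpeg),                            # deleted photo, metadata gone
        _pad(b"old-file-fragment " * 30),      # remains of an older file
        _pad(pdf),                             # deleted document
        _pad(png_head),                        # header only, tail overwritten
        b"\x00" * SECTOR,
    ])
    return image, {"jpg": jpeg, "pdf": pdf}


def carve_sample():
    """Carve the constructed image and report each hit with a hash, as an
    examiner would record it before adding it to the evidence set."""
    image, originals = build_sample_image()
    report = []
    for name, offset, data, complete in carve(image):
        report.append({
            "type": name,
            "offset": offset,
            "size": len(data),
            "complete": complete,
            "sha256": hashlib.sha256(data).hexdigest(),
            "matches_original": originals.get(name) == data,
        })
    return report


if __name__ == "__main__":
    for hit in carve_sample():
        print(hit)
```

The report shows the JPEG and PDF recovered byte-for-byte from their sector-aligned offsets, and the PNG carved but flagged incomplete because no footer follows its header.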
What is a legal hold?
A requirement, triggered by actual or anticipated litigation, that information be retained for a legal case rather than being deleted under normal retention policy.
What two files may contain encryption keys normally stored in memory on a Window system?
Core dumps and hibernation files (hiberfil.sys), since both contain a copy of memory contents, including any encryption keys that were loaded at the time.
What is the most common forensic activity for endpoints?
Disk or storage-based analysis
Why is a forensic copy different than simply copying files from one drive to another?
It is a bit-by-bit copy that ensures that slack space and unallocated space are both copied as part of the image. This captures deleted files that have not yet been overwritten, fragments of older files in the space that was not written to by new files, and data that was stored on a drive before it was partitioned.
What is key to conducting memory forensics?
Either running live forensic analysis on the running machine, or capturing a copy of live memory so that point-in-time forensic memory analysis can be done later.
Which hashing algorithms are commonly used in forensics?
SHA1 and MD5. Both are still widely used to verify images and match known-file hash sets, but both have known collision attacks, so SHA-256 is preferred where the tooling supports it; recording more than one hash of an image is common practice.
What makes cloud and virtualized environments more difficult to perform forensics on?
Systems may be ephemeral.
What Linux utility is used to clone drives and what format does it use?
The Linux dd utility clones drives bit by bit, producing a raw image (a plain copy of the bytes with no container format or compression).
What is a useful tool in reviewing the Windows history of USB devices connected to a system?
USB Historian
What is a common open source memory forensics framework?
Volatility
What is the difference between Wireshark and Tcpdump?
Wireshark is an open source network analyzer that allows the user to view network data in a GUI. It has to be downloaded and installed. Tcpdump is a command-line packet capture utility found on many Linux and Unix systems by default.
What forensics device is crucial to maintaining the integrity of the drive's data?
Write blockers.
What flag is used in 'dd' to set the block size?
bs, for example bs=64k (written without spaces around the equals sign).
What are the key components to a forensics toolkit?
• A digital forensics workstation • Forensics investigation suite like FTK, EnCase • Write blocker • Forensic drive duplicator • Wiped drives and removable media • Cables and drive adapters • Camera • Labeling and documentation tools • Notebooks and prepared documentation forms/checklists
What are some programs that could be evidence of antiforensics attempt?
• CCleaner, a system cleanup program that removes browser history and cache and wipes other information useful for forensics investigation • Eraser, a file wiping utility
What is the Order of Volatility in forensics investigations?
• CPU cache, registers, running processes and RAM • Network traffic • Disk Drives • Backups, printouts, optical media
What are the drawbacks of live imaging?
• Can leave remnants due to the imaging utility being mounted from a removable drive or installed • The contents of a drive or memory may change during the imaging process • Malware or other software may be able to detect the imaging tool and could take action to avoid it or disable it • Live images typically do not include unallocated space
What are commonly used forensics suites?
• FTK • EnCase • CAINE • Autopsy • SIFT
What are the three main components of the report at the end of a forensic investigation?
• Goals and scope of the investigation • Targets • Findings and analysis
What are the four primary modes of data acquisition from mobile devices?
• Physical, by acquisition of the SIM card, memory cards, or backups • Logical, which usually requires a forensic tool to create an image of the logical storage volumes • Manual access, which involves reviewing the contents of the live, unlocked phone and taking pictures and notes about what is found • Filesystem, which can provide details of deleted files as well as existing files and directories
What characteristics are important to a reliable forensics workstation?
• Powerful, multicore CPU • Plenty of RAM • Ample, fast storage
What are some open source forensics utilities?
• The Sleuth Kit • Autopsy • SIFT • CAINE
Name some log analysis tools.
• Splunk • Sawmill • Event Log Analyzer • A text editor may be used to search and review logs.
What are the uses of hashing in a digital forensics investigation?
• To ensure that the copy matches the source drive or device • Used to validate binaries and other application related files to detect changes to the binaries • Used to check if a file matches a known good version or one from a backup
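The following is an added example, not from the original notes, that ties together the dd questions above (if=, of=, bs=) and the first use of hashing listed here: image a source with dd, then hash both source and image with several algorithms and refuse to accept the copy unless every digest and the sizes match. It assumes GNU coreutils dd is on PATH and uses a constructed scratch file as the "evidence"; on a real case the source would be a device such as /dev/sdb behind a write blocker.

```python
"""dd imaging plus hash verification (added example, not from the notes).

Assumptions: dd from coreutils is on PATH; the evidence source is a
constructed temporary file of random bytes rather than a real device."""
import hashlib
import os
import shutil
import subprocess
import tempfile


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Hash a file with several algorithms in one pass, reading in 1 MiB
    chunks so multi-gigabyte images never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def dd_image(source, image, block_size="64k"):
    """Run dd if=<source> of=<image> bs=<block_size> and return the command.
    conv=noerror,sync is deliberately left out: on a failing drive it lets
    dd continue past read errors, but sync pads short blocks with zeros,
    so the image hash would no longer equal the source hash."""
    if shutil.which("dd") is None:
        raise RuntimeError("dd not found on PATH")
    cmd = ["dd", f"if={source}", f"of={image}", f"bs={block_size}"]
    subprocess.run(cmd, check=True, capture_output=True)
    return cmd


def image_and_verify(source, image, block_size="64k"):
    """Image the source, then hash both sides. The copy is only accepted as
    a forensic image when sizes and every digest match."""
    dd_image(source, image, block_size)
    src_hashes = hash_file(source)
    img_hashes = hash_file(image)
    return {
        "match": src_hashes == img_hashes,
        "size_match": os.path.getsize(source) == os.path.getsize(image),
        "source": src_hashes,
        "image": img_hashes,
    }


def demo():
    """Construct a scratch 'evidence' file, image and verify it, then flip
    one byte in the image to show that any change is caught. Returns the
    clean verification result and whether the tampering was detected."""
    workdir = tempfile.mkdtemp(prefix="dd_demo_")
    try:
        source = os.path.join(workdir, "evidence.bin")
        image = os.path.join(workdir, "evidence.dd")
        with open(source, "wb") as fh:
            # Not a multiple of 64k on purpose: dd's final partial block
            # must still be copied exactly.
            fh.write(os.urandom(3 * 65536 + 1234))
        clean = image_and_verify(source, image, "64k")
        with open(image, "r+b") as fh:
            fh.seek(70000)
            original = fh.read(1)
            fh.seek(70000)
            fh.write(bytes([original[0] ^ 0xFF]))
        tampered = hash_file(image)
        detected = tampered != clean["image"]
        return clean, detected
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    result, caught = demo()
    print("image verified:", result["match"], "tamper detected:", caught)
```

The digests recorded here are what goes into the evidence log; later, the same hash_file routine against the working copy proves nothing changed between acquisition and analysis.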
What mobile forensics tools are important to have on hand?
• Tools for accessing SIM cards and flash memory cards • Mobile device connection cable kit that contains most common connector types for current phones. • Mobile device-specific forensic software and tools
What must be tracked in a complete chain of custody?
• What is collected • Who collected or analyzed the data • When each action occurred • When devices and other evidence were transferred, handled, accessed, and securely stored
What are the common Windows and Linux utilities used in forensic applications?
• Windows - WinDbg • Linux - dd
What are some popular memory capture tools?
• fmem and LiME for Linux • DumpIt for Windows • The Volatility Framework supports multiple operating systems • EnCase and FTK both have built-in memory capture and analysis capabilities