DFIR-FOR500
Which location contains the browser artifacts for Chrome on Windows 7/8/10?
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
What is the outlook email attachment artifact location for Win7/8/10?
%USERPROFILE%\AppData\Local\Microsoft\Outlook
Which location contains the browser artifacts for Internet Explorer 10 and 11?
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Which location contains the browser artifacts for Internet Explorer 8 and 9?
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat
What is the Skype history artifact location for Win 7/8/10?
%USERPROFILE%\AppData\Roaming\Skype\<skype-name>
What is the outlook email attachment artifact location for Win XP?
%USERPROFILE%\Local Settings\ApplicationData\Microsoft\Outlook
Which location contains the browser artifacts for Firefox versions 3 - 25?
%userprofile%\AppData\Roaming\Mozilla\ Firefox\Profiles\<random text>.default\downloads.sqlite
What is a Journaling File System?
A file system that keeps track of the information written to the hard drive in a journal.
CyLR
A free tool that can be used to select specific files, folders, and forensic artifacts to create a Custom Content Image.
FTK Imager
A free tool that can be used to select specific files, folders, and forensic artifacts to create a Custom Content Image.
What is NTFS journaling?
A key feature of NTFS that makes use of a log file to track changes to the metadata, to track the state and integrity of the filesystem at all times, and to correct inconsistencies caused by system crashes.
What other temporary folders can be checked for Outlook Artifacts?
The OLK and Content.Outlook folder
What artifacts can be found in the SOFTWARE\Microsoft\Windows NT\CurrentVersion registry key ?
Windows version, service pack level, and install date of the machine
Which location contains the browser artifacts for Firefox versions 26 and above?
%userprofile%\AppData\Roaming\Mozilla\ Firefox\Profiles\<random text>.default\places.sqlite - Table:moz_annos
What percentage of email data is stored via attachments according to the email industry?
80% of email data is stored via attachments.
DumpIT
A tool used to image RAM on a live system
What is the Skype history artifact location for Win XP?
C:\Documents and Settings\<username>\Application\Skype\<skype-name>
What data exists in the %USERPROFILE%\AppData\Local\Microsoft\Outlook location?
Data files found in these locations include OST and PST files.
What is Volatile Data
Data that disappears or is destroyed once the computer system is powered off.
What artifacts are contained in the Skype history?
Each entry will have a date/time value and a Skype username associated with the action.
In what format must email be encoded?
Email must be encoded with MIME/base64 format.
What tool do you use to check for signs of encryption on a live system?
Encrypted Disk Detector (EDD)
What happens if the NTFS Last Access Time On/Off registry key is disabled?
If disabled, the last access timestamp recording in the NTFS filesystem will not occur
Where can you obtain interface GUID for additional profiling in network connections?
In the SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
What artifacts will be based off of the system time zone information?
Internal log files and date/timestamps.
What happens if volatile data is not collected?
It becomes extremely difficult (not impossible) to refute claims that someone was remotely connected to the computer and controlling its activity if volatile data is not collected.
What information is contained in the SYSTEM\CurrentControlSet registry key?
It contains information about the systems configuration settings.
What is the purpose of the Current Control Set key in the registry?
It identifies which ControlSet00X is considered the "CurrentControlSet".
Why is the SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces important?
It ties machine to network activity that was logged.
What is the purpose of the NTFS Last Access Time On/Off registry key?
It turns last access timestamp On or Off.
Why is volatile data important?
Much of this data is extremely valuable to determine or refute the claim that someone was remotely connected to the computer controlling its activity and therefore the suspect/defendant is innocent.
What two journals does NTFS use to track files that have changed on a system?
NTFS is able to track all the files that have changed on the system via a USN Journal or Change Journal.
Why is NTFS journaling important to other programs?
NTFS journaling allows programs like a backup utility or virus scanner to know what files are new or changed since they last ran when they need to do an incremental pass over the drive.
What term is used by NTFS to refer to journaling?
NTFS refers to journaling as "transaction logging".
What is the Open/Save MRU Registry location for Windows XP?
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
What is the Open/Save MRU Registry location for Windows 7/8/10?
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDIMRU
Open/Save MRU
Registry key that tracks files that have been opened or saved within a windows shell dialog box
What key in the registry is used to identify the Microsoft OS Version?
SOFTWARE\Microsoft\Windows NT\CurrentVersion
What is the location of the Current Control Set key in the registry?
SYSTEM\CurrentControlSet
In which registry key can the Computer Name be found?
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Which registry key can be used as a verification of the PC that you are examining forensically?
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Which registry key identifies the computer's name as defined in System Properties?
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
What is the NTFS Last Access Time On/Off registry location?
SYSTEM\CurrentControlSet\Control\FileSystem
In which registry key is the artifact that identifies the current time zone located.
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
What is the location of the Time Zone of the Machine artifact in the registry?
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Which registry key can be used to correlate network devices with the collected time zone information
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
What is the location of the Network Interfaces artifact in the registry?
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
What registry key identifies the computer's network interface cards?
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
With which registry key can you determine whether the machine has a static IP address or whether it is configured by DHCP?
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Why is the Skype history important?
The Skype history keeps a log of chat sessions and files transferred from one machine to another
What is the importance of the SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName registry key?
The computer name can be linked to log file, network connections, and other activity
What is SSD Trim
The process of clearing data stored in flash memory that have been deleted by the user or operating system. This effectively clears free space on the device
What is useful for the correlation of activity
Time activity
True or False - Skype history is turned on by default
True
Where is volatile data found?
Typically, this is RAM, but it also includes current active network connections, running applications, open/listening network connections, etc.