C702
Rule 1003 - Admissibility of Duplicates
"A duplicate is admissible to the same extent as the original unless a genuine question is raised about the original's authenticity, or the circumstances make it unfair to admit the duplicate."
Logon events
A service was started by the Service Control Manager; Interactive: a user logged on to this computer; Unlock: the workstation was unlocked; Network: a user or computer logged on to this computer from the network
Event ID 7036 and 7040
Any malicious program might also disable vital Windows protection services, such as Windows Defender, Windows Firewall, or an antivirus solution, to maintain persistence on the target system. Monitoring these events enables an investigator to look for such suspicious activity.
/var/log/crashreporter.log
Application crash history
~/Library/Logs
Application logs specific to the user's home directory
Validating Laboratory Software and Hardware
Digital forensic tools are used to examine evidence related to a crime and uncover the criminal acts in order to convict the perpetrator in a court of law. Therefore, the tools used need to undergo validity testing to ensure that the test results they produce are reproducible and repeatable. This increases the admissibility of digital evidence in legal proceedings and supports the quality management process. The practices that ensure the best outcome from forensic tools include the following:
▪ Validate every hardware or software tool prior to using it on an actual case to ensure it works correctly, is trustworthy, and yields precise results.
▪ All software tools in the forensic laboratory (ranging from operating systems to applications) must be licensed versions and be legal to use.
▪ Updating tools to their latest version, testing them for functionality, and validating them are mandatory and should be an ongoing process. Hardware instruments must be in working condition and properly maintained.
▪ Investigators need to document the test methodology, results, and theory of the test design while testing the tools.
▪ Investigators should maintain, audit, document, and demonstrate license compliance in an integrated manner as part of the laboratory's standard operating procedure.
▪ Tool testing procedures must follow established standards and policies, e.g., NIST's Computer Forensic Tool Testing Project, which establishes a "methodology for testing computer forensic software tools by the development of general tool specifications, test procedures, test criteria, test sets, and test hardware."
Destroy
Renders target data recovery infeasible even with state-of-the-art laboratory techniques, and results in an inability to use the media for data storage
Mondo Rescue
GPL disaster recovery solution. It supports Linux (i386, x86_64, ia64) and FreeBSD (i386). It is packaged for multiple distributions (Fedora, RHEL, openSuSE, SLES, Mandriva, Mageia, Debian, Ubuntu, Gentoo). It supports tapes, disks, network and CD/DVD as backup media, multiple filesystems, LVM, software and hardware RAID, BIOS and UEFI.
~/Library/Logs/Sync
Information on devices synchronized via .Mac
EnCase
Investigators can use tools such as EnCase, TAFT (an ATA (IDE) forensics tool), TSK, etc., to detect and image HPAs and/or DCOs.
Purge
Involves physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques
Apache Error Log
It contains diagnostic information and errors that the server faced while processing requests
Apache access log
It generally records all the requests processed by the Apache web server
Russian Standard, GOST P50739-95 (6 passes)
It is a wiping method that writes zeros in the first pass and then random bytes in the next pass
Clear
Logical techniques applied to sanitize data in all storage areas using the standard read and write commands
Data Rescue 4
Mac software that recovers files from a crashed or virus-corrupted hard drive. It recovers photos, videos, and documents from crashed, corrupted, or non-mounting hard drives; from accidentally reformatted hard drives or a reinstalled OS; and previously deleted, damaged, or missing files. It can recover all file types from any HFS/HFS+ formatted drive.
Event ID 4688
Malicious programs often drop an .exe file into the file system to compromise a machine. This event, generated whenever a new process is started, can help forensic investigators look for suspicious process names or process paths upon malware execution. Malicious process names are often misspelled, such as "scvhost.exe" instead of "svchost.exe," or "iexplorer.exe" instead of "explorer.exe." Any Windows process running from an unusual path should also be investigated, such as C:\Windows\svchost.exe instead of C:\Windows\System32\svchost.exe.
Information_Schema
Database in which MySQL stores information about all other databases, in the form of read-only tables
Event ID 4660 and 4663
Once executed, malware might attempt to access, modify, or delete files and folders on the compromised system. Investigators, therefore, should monitor event ID 4660, generated on the deletion of any object, which can be a kernel, file system, or registry object. As this event does not contain the name of the deleted object, investigators need to track event ID 4663, which confirms whether the access right was actually exercised and records the name and type of the object, the account name, and the process name that accessed the object. Tracking these event IDs is also useful for other access request information, such as ReadAttributes, WriteAttributes, READ_CONTROL, etc.
/var/log/cups/error_log
Printer connection information
Drive:\RECYCLER\
Recycle Bin storage location on Windows 2000, NT, and XP
Drive:\$Recycle.Bin\
Recycle Bin storage location on Windows Vista and later versions
Drive:\RECYCLED
Recycle Bin storage location on older FAT file systems (Windows 98 and prior)
Unknown Risk Profile
The client organizations are less involved with the hardware and software ownership and maintenance in the cloud; therefore, they do not have a clear understanding of the internal security procedures, security compliance, configuration hardening, patching, auditing, and logging. Software updates, threat analysis, intrusion detection, and security practices, among others, determine the security posture of an organization and they should be aware of these issues.
Low-end or desktop NAS
The devices in this type of NAS are used in small businesses that require local shared storage
NIST SP 800-88
The proposed NIST SP 800-88 guidance explains three sanitization methods
Broken Access Control
This is a method in which an attacker identifies a flaw in access-control policies and exploits it to bypass the authentication mechanism. This enables the attacker to gain access to sensitive data, modify access rights, or operate the accounts of other users. It is part of the 2017 OWASP Top 10 security vulnerabilities.
(American) NAVSO P-5239-26 (MFM) (3 passes)
This is a three-pass overwriting algorithm that verifies in the last pass
(American) NAVSO P-5239-26 (RLL) (3 passes)
This is a three-pass overwriting algorithm that verifies in the last pass
(German) VSITR (7 passes)
This method overwrites in 6 passes with alternating sequences of 0x00 and 0xFF, and with 0xAA in the last (7th) pass
Entry/Guard Relay
This relay provides an entry point to the Tor network. When attempting to connect via the entry relay, the IP address of the client can be read. The entry relay/guard node transmits the client's data to the middle node.
(American) DoD 5220.22-M (7 passes)
This standard destroys the data in the required area of the drive by overwriting it with 010101 in the first pass and 101010 in the second pass, and repeating this process three times. The area is then overwritten with random characters in the 7th pass.
mysqlaccess
To check the access privileges defined for a hostname or username
mysqlbinlog
To display the content of the binary logs (mysql-bin.nnnnnn) in text format
mysqldump
To dump single or multiple databases for backup purposes
mysqldbexport
To export metadata, data, or both from one or more databases
myisamchk
To obtain the status of MyISAM tables, identify corrupted tables, repair corrupted tables, etc.
myisamlog
To process the MyISAM log file and perform recovery operations, display version information, etc., depending on the situation
ProDiscover
Tools such as ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, etc., can be used to create image files.
Apache Log Types: how many types of logs does the Apache server generate?
Two types of logs: the access log and the error log
Path/Directory Traversal
When attackers exploit HTTP by using directory traversal, they gain unauthorized access to directories, following which they may execute commands outside the web server's root directory.
Active@ File Recovery
a CD/DVD ISO image that allows one to burn a bootable CD or DVD with a lightweight version of Windows 7 running in RAM (WinPE 3.0). It can recover data when the system is not bootable and the damaged hard disk drive cannot be attached to another machine.
Buffer Overflow
Buffers have a certain data storage capacity. If the amount of data exceeds the capacity of a buffer, a buffer overflow occurs. Because a buffer can hold only a finite amount of data, buffers must be developed so that they can handle additional information when needed. Otherwise, the extra information may overflow into neighboring buffers, destroying or overwriting legitimate data.
Sarbanes-Oxley Act (SOX) of 2002
an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. Although SOX applies primarily to financial and accounting practices, it also encompasses the information technology (IT) functions that support these practices. SOX can be supported by reviewing logs regularly to look for signs of security violations, including exploitation, as well as retaining logs and records of log reviews for future review by auditors.
network-attached storage (NAS)
centralized storage device in which one or more servers consist of multiple dedicated hard disks in a RAID configuration for redundancy. It stores and shares data among various clients on a shared network. It is present on the local area network (LAN) as an independent network node, provides access to the shared storage through a standard Ethernet connection, and is identified by its own unique IP address. When working in teams, NAS enables the effective sharing of data among clients located remotely or in different time zones. NAS connects to a wireless router or switch, making it easy for clients to access files or folders from any device connected to the network. Based on the number of drives, drive support, drive capacity, and scalability, NAS devices are categorized into the following three types.
1. High-end or enterprise NAS: Enterprise NAS is used by enterprises that store large quantities of file data, including virtual machine images. It also provides NAS clustering capabilities.
fsstat
command displays general details of a file system.
istat
command displays the details of a metadata structure, i.e., inode.
fls
command lists the file and directory names in a disk image.
R-STUDIO
data recovery solution for recovery of files from NTFS, NTFS5, ReFS, FAT12/16/32, exFAT, HFS/HFS+, and APFS (Macintosh), Little and Big Endian variants of UFS1/UFS2 (FreeBSD/OpenBSD/NetBSD/Solaris), and Ext2/Ext3/Ext4 FS (Linux) partitions. It also uses raw file recovery (scan for known file types) for heavily damaged or unknown file systems. It functions on local and network disks, even if such partitions are formatted, damaged, or deleted.
Civil cases
disputes between two parties, such as an individual versus a company; an individual versus another individual; a company versus another; or in some countries, a government regulatory agency versus an individual (or a company). They pertain to the violation of contracts and involve lawsuits, where a verdict generally results in monetary damages to the plaintiff. Criminal cases pertain to crimes that are considered harmful to society and involve action by law enforcement agencies against a company, individual, or group of individuals in response to a suspected violation of the law. A guilty outcome may result in monetary damages, imprisonment, or both.
A BMP bitmap
file header always begins with the bytes 42 4D
UTF-32 is a 32-bit
fixed-width encoding
The Sleuth Kit mmls command
helps investigators view the detailed partition layout for the GPT disk, along with the MBR details.
Seeking Consent
in a computer forensics investigation, refers to the process of obtaining formal permission from the owner of the victim organization, or from the individual owning the target electronic device, to perform a thorough investigation. Written consent from the authority is sufficient to commence search and seizure activity. At the time of consent, the investigating team should use properly written banners with acceptable use policies. These should be signed by the owner of the target devices. If you have a properly worded banner as well as an acceptable use policy informing users of your monitoring activities and how the information collected from search and seizure will be used, the consent burden will be satisfied in most cases. Use appropriate forms for the jurisdiction and carry these documents in the forensic grab bag to protect them from harm or damage. Activities related to the search and seizure should be part of a well-documented procedure in the obtained consent.
While performing live data acquisition
investigators need to collect data while considering its potential volatility and the impact of the collection on the suspect system. As not all data have the same level of volatility, investigators must collect the most volatile data first and then proceed to the least volatile data. The order of volatility for a typical computing system, as per the RFC 3227 Guidelines for Evidence Collection and Archiving, is as follows:
1. Registers, processor cache: The information in the registers or the processor cache exists for nanoseconds. It is constantly changing and can be classified as the most volatile data.
2. Routing table, process table, kernel statistics, and memory: The routing table, ARP cache, and kernel statistics reside in the ordinary memory of the computer. These are slightly less volatile than the information in the registers, with a life span of about ten nanoseconds.
3. Temporary file systems: Temporary file systems tend to persist for a longer time on the computer compared to routing tables and ARP caches. They are eventually overwritten or changed, sometimes seconds or minutes later.
4. Disk or other storage media: Anything stored on a disk stays for a while. However, due to unforeseen events, such data can be erased or overwritten. Therefore, disk data may also be considered somewhat volatile, with a lifespan of some minutes.
5. Remote logging and monitoring data related to the target system: Data that pass through a firewall cause a router or switch to generate logs. The system might store these logs elsewhere. These logs may overwrite themselves within an hour, a day, or a week. However, these are generally less volatile data.
6. Physical configuration and network topology: Physical configuration and network topology are less volatile and have a longer life span than some other logs.
7. Archival media: A DVD-ROM, a CD-ROM, or a tape contains the least volatile data because the digital information in such data sources does not change automatically unless damaged by physical force.
Civil Cases
involve a plaintiff and a defendant, wherein the plaintiff registers the case and bears the burden of proof, while the authority hears both parties and passes judgment based on the evidence presented.
▪ Investigators try to show the opposing party some proof to support the claims and induce settlement
▪ Searching of the devices is generally based on mutual understanding and provides a wider time window for the opposing party to hide the evidence
▪ The initial reporting of the evidence is generally informal
▪ The claimant is responsible for the collection and analysis of the evidence
▪ Punishments include monetary compensation
▪ Poorly documented or unknown chain of custody for evidence
▪ Sometimes, evidence can be in third-party control
Criminal Cases
involve actions that go against the interests of society; the burden of proving that the accused is guilty lies entirely with the prosecution.
▪ Investigators must follow a set of standard forensic processes accepted by law in the respective jurisdiction
▪ Investigators, under a court's warrant, have the authority to forcibly seize computing devices
▪ A formal investigation report is required
▪ Law enforcement agencies are responsible for collecting and analyzing evidence
▪ Punishments are harsh and include a fine, a jail sentence, or both
▪ The standard of proof needs to be very high
▪ It is difficult to capture certain evidence, e.g., Global Positioning System device evidence
TypedURLs
a key similar to the RunMRU key, located at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. This key maintains an MRU list of the URLs that a user types into the address bar.
Transaction Log Data Files (LDF)
log information associated with a database. A transaction log file helps a forensic investigator examine the transactions that occur in a database and recover deleted data, if required. The file name extension for transaction log data files is .ldf, and each file is divided into multiple virtual log files.
Acronis Disk Director Suite
partition recovery tool used to recover lost or deleted data. This tool explores partition data before performing partitioning operations. It recovers volumes that were accidentally deleted or damaged due to a hardware failure.
Foreign Intelligence Surveillance Act of 1978 (FISA)
procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power. Requests are adjudicated by a special eleven-member court called the Foreign Intelligence Surveillance Court. Under FISA, surveillance can be performed if the target of the surveillance is an agent of a foreign power or a foreign power itself. In the case of U.S. persons, however, there must be a supporting cause that indicates some criminal activity performed by that person. Note: The term U.S. persons mentioned above refers to both U.S. citizens and permanent lawful residents of the U.S.
Information Leakage
refers to a drawback in a web application where the application unintentionally reveals sensitive information to an unauthorized user
Anti-forensics
set of techniques that attackers or perpetrators use to avert or sidetrack the forensic investigation process, or to make it much harder. These techniques negatively affect the quantity and quality of evidence from a crime scene, thereby making the forensic investigation process difficult. Therefore, the investigator might have to perform additional steps to fetch the data, causing a delay in the investigation process. The goals of anti-forensics are listed below:
▪ Interrupt and prevent information collection
▪ Make the investigator's task of finding evidence difficult
▪ Hide traces of crime or illegal activity
▪ Compromise the accuracy of a forensics report or testimony
▪ Delete evidence that an anti-forensics tool has been run
Mid-market NAS
type of NAS accommodates enterprises that require several hundred terabytes of data. The devices cannot be clustered.
enterprise theory of crime
understands the organization of criminal behavior as reflective of specific environmental factors (market or economic forces) influencing the motivations of criminals, how they interact, their perceptions of risk versus benefit, and the efficiency and efficacy of their modus operandi. Under this theory, organized crime exists because legitimate markets leave many customers and potential customers unsatisfied. High demand for a particular good or service (e.g., drugs, prostitution, arms, slaves), low levels of risk detection, and high profits lead to a conducive environment for entrepreneurial criminal groups to enter the market and profit by supplying those goods and services. For success, there must be:
▪ an identified market; and
▪ a certain rate of consumption (demand) to maintain profit and outweigh perceived risks.
Under these conditions competition is discouraged, ensuring criminal monopolies sustain profits. Legal substitution of goods or services may (by increasing competition) force the dynamic of organized criminal operations to adjust, as will deterrence measures (reducing demand) and the restriction of resources (controlling the ability to supply, or to produce in order to supply).
Dynamic analysis
uses a different approach, such as observing the behavior of the software program while running it in a controlled environment. It involves executing the malware to examine its conduct and its impact on system resources and the network. It identifies technical signatures that confirm malicious intent and reveals various useful information, such as domain names, file path locations, created registry keys, IP addresses, additional files, installation files, DLLs, and linked files located on the system or network. This type of analysis requires virtual machines and sandboxes to deter the spread of the malware. Debuggers such as GDB, OllyDbg, WinDbg, etc., are used to debug the malware at the time of its execution to study its behavior. Both techniques are recommended to better understand the functionality of malware, but they differ in the tools used and in the time and skills required to perform the analysis.
UTF-16 is a 16-bit
variable-width encoding
UTF-8 is an 8-bit
variable-width encoding; maximizes compatibility with ASCII
SAFE Block
a write blocker, i.e., a hardware device or software application that allows data acquisition from storage media without altering its contents
Rule 1004 - Admissibility of Other Evidence of Content
· "An original is not required and other evidence of the content of a writing, recording, or photograph is admissible if: a. all the originals are lost or destroyed, and not by the proponent acting in bad faith; b. an original cannot be obtained by any available judicial process. ·c. the party against whom the original would be offered had control of the original; was at that time put on notice, by pleadings or otherwise, that the original would be a subject of proof at the trial or hearing; and fails to produce it at the trial or hearing; or ·d. the writing, recording, or photograph is not closely related to a controlling issue."
Rule 1002 - Requirement of Original
"An original writing, recording, or photograph is required in order to prove its content unless these rules or a federal statute provides otherwise."
OpenSavePidIMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidIMRU. This key maintains MRU lists of files opened via the Open and Save As dialogs within the Windows shell.
Exit Relay
As the final relay of the Tor circuit, the exit relay receives the client's data from the middle relay and sends it to the destination website's server. The exit relay's IP address is directly visible to the destination. Hence, when malicious traffic is transmitted, the exit relay is suspected to be the culprit, as it is perceived to be the origin of that traffic. The exit relay therefore faces the most exposure to legal issues, take-down notices, complaints, etc., even when it is not the origin of the malicious traffic.
Abuse of Cloud Services
Attackers create anonymous access to cloud services and perpetrate various attacks, such as password and key cracking, building rainbow tables, running CAPTCHA-solving farms, launching dynamic attack points, hosting exploits or malicious data on cloud platforms, botnet command and control, and distributed denial-of-service (DDoS) attacks. The presence of weak registration systems in the cloud-computing environment gives rise to this threat.
QEMU Disk Image Utility
Converts the acquired dd image file into a virtual machine file format
Federal Information Security Modernization Act of 2014 (FISMA)
FISMA was introduced as an amendment to the Federal Information Security Management Act of 2002, which was implemented to provide a framework for federal information systems to have more effective information security controls in place. FISMA 2014 made several modifications to the existing articles of FISMA 2002 to modernize the security practices followed by federal agencies to address evolving security concerns. These changes resulted in less overall reporting, strengthened the use of continuous monitoring in systems, increased focus on the agencies for compliance, and encouraged reporting that is more focused on the issues caused by security incidents. FISMA 2014 required the Office of Management and Budget (OMB) to amend/revise Circular A-130 to eliminate inefficient and wasteful reporting and reflect changes in law and advances in technology. Specific to security and privacy, the updated A-130 emphasizes their roles in the Federal information lifecycle and represents a shift from viewing security and privacy requirements as compliance exercises to treating them as crucial elements of a comprehensive, strategic, and continuous risk-based program at federal agencies.
RunMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Entries are added to this key when a user clicks the Start button, chooses Run, and types a command or the name of a file.
Insufficient Due Diligence
Ignorance of the CSP's cloud environment poses risks related to operational responsibilities such as security, encryption, and incident response, as well as other issues such as contractual, design, and architectural issues.
BagMRU key
Information related to the folders most recently accessed by the user is stored in the BagMRU key and its subkeys. These subkeys are structured in a hierarchical format. Each of them stores the names of the folders in the file system and records the folder paths.
Malicious Insiders
Malicious insiders are disgruntled current/former employees, contractors, or other business partners who have/had authorized access to cloud resources and could intentionally exceed or misuse that access to compromise the confidentiality, integrity, or availability of organizational information. Threats include loss of reputation, loss of productivity, and financial theft.
Toggle Case
Some applications block lowercase SQL keywords. In such cases, attackers use code written in alternating case to bypass this security mechanism. Some firewalls contain the regular expression (regex) filter /union\select/g, which therefore only filters suspicious code written in lowercase letters.
General Data Protection Regulation (GDPR)
The EU GDPR replaced the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. Article 32: Technical and organizational measures need to provide the following:
▪ The pseudonymization and encryption of personal data
▪ The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
▪ The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
▪ A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Article 33(1): "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
Data Protection Act of 2018: The Data Protection Act, enacted in 2018, makes provisions for the regulation of the processing of information relating to individuals, in connection with the Information Commissioner's functions under certain regulations relating to information, for a direct marketing code of practice, and for connected purposes. It protects personal data in the following way:
"(1) The GDPR, the applied GDPR, and this Act protect individuals with regard to the processing of personal data, in particular by:
o requiring personal data to be processed lawfully and fairly, on the basis of the data subject's consent or another specified basis;
o conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified; and
o conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
(2) When carrying out functions under the GDPR, the applied GDPR, and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers, and others and matters of public interest."
Search and Seizure Process Flow
The investigators should have in-depth knowledge of all the devices that could have played a part in transmitting the attack data to the victim device. They should be able to search for all the involved devices and seize them in a lawful manner for the acquisition and analysis of the evidential data.
Event ID 5156
This event is generated when the Windows Filtering Platform allows a connection between a program and another process on the same or a remote computer via UDP or TCP ports. During dynamic malware analysis, this event ID can be the key to detecting the origin of an attack. Investigators can use the event description to identify the following details:
o Application Name: the full path of the malicious executable used to communicate with an external or internal IP address
o Direction: whether the allowed connection is inbound or outbound
o Destination Address: the IP address the connection was received from
o Destination Port: the port number used to start the connection from any remote machine
Improper Error Handling
This threat arises when a web application is unable to handle internal errors properly. In such cases, the website returns information such as database dumps, stack traces, and error codes in the form of error messages.
Locard's Exchange Principle
"anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind when they leave." For example, if information from a victim's computer is stored on the server or system itself at the time of the crime, the investigator can easily obtain this information by examining log files, Internet browsing history, and so on. Similarly, if an individual sends an intimidating message via an Internet-based e-mail service such as Hotmail, Gmail, or Yahoo Mail, both the victim's and the actor's systems may store files, links, and other information that forensic investigators can extract and analyze.
Storage Area Network (SAN)
dedicated high-speed network that provides access to consolidated block-level storage. A SAN is a network by itself and is not affected by network traffic such as bottlenecks in the LAN. Its architecture makes the network of storage devices accessible to multiple servers as an attached drive. Servers access the data shared among several disk arrays as if it were a local hard drive. A SAN consists of components such as interconnected hosts, multiple switches, and storage devices that can be connected using Fibre Channel (FC) technology, which supports high data rates and uninterrupted data access. Since FC SANs are expensive and difficult to handle, Ethernet-based Internet Small Computer Systems Interface (iSCSI), which is a cheaper alternative to FC, is used in small and mid-size enterprises. Ethernet-based iSCSI reduces the challenges of FC technology by encapsulating SCSI commands into IP packets that do not require an FC connection.
Manual analysis
· involves starting at the highest-level handling method and determining whether it can actually be applied. · Automated analytics is the analytical capability to automatically detect relevant anomalies, patterns, and trends and deliver insights to business users in real time, with no manual analysis or IT intervention required.
Middle Relay
· is used for the transmission of data in an encrypted format. It receives the client's data from the entry relay and passes it to the exit relay.
Volatile data
· refers to the temporary information on a digital device that requires a constant power supply and is deleted if the power supply is interrupted. For example, the Random-Access Memory stores the most volatile data and discards it when the device is switched off. Important volatile data include system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
Gramm-Leach-Bliley Act (GLBA)
· requires financial institutions (companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data. The objective of the GLBA is to ease the transfer of financial information between institutions and banks while making individuals' rights more specific through security requirements. The provisions of the GLBA limit when a "financial institution" may disclose a consumer's "non-public personal information" to non-affiliated third parties. The law covers a broad range of financial institutions, including many companies that are not traditionally considered financial institutions because they engage in certain "financial activities." Under the Privacy Rule, only an institution that is "significantly engaged" in financial activities is considered a financial institution. Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to "opt out" if they do not want their information shared with certain non-affiliated third parties. Additionally, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and re-disclosure of that information. The Act also addresses incidents of unauthorized access to sensitive customer information maintained by the financial institution that could result in "substantial harm or inconvenience to any customer."
Rule 1001 - Contents of Writings, Recordings, and Photographs
· rule is related to the contents of writings, recordings, and photographs: "In this article: A. A 'writing' consists of letters, words, numbers, or their equivalent set down in any form. ·B. A 'recording' consists of letters, words, numbers, or their equivalent recorded in any manner. ·C. A 'photograph' means a photographic image or its equivalent stored in any form. ·D. An 'original' of a writing or recording means the writing or recording itself or any counterpart intended to have the same effect by the person who executed or issued it. For electronically stored information, 'original' means any printout — or other output readable by sight — if it accurately reflects the information. An 'original' of a photograph includes the negative or a print from it. ·E. A 'duplicate' means a counterpart produced by a mechanical, photographic, chemical, electronic, or other equivalent process or technique that accurately reproduces the original."
Primary Data Files (MDF)
· starting point of a database; it points to the other files in the database. Every database has exactly one primary data file, which stores the database objects (tables, schema, indexes, etc.) and the data. The file name extension for the primary data file is .mdf.
JPEG stream
· A JPEG stream contains a sequence of data chunks (segments). Every segment starts with a marker: a 16-bit value stored in big-endian byte order whose most significant byte is 0xFF; the lower byte identifies the type of marker (e.g., 0xFFD8 is the Start of Image marker and 0xFFD9 the End of Image marker). JPEG compression can typically shrink image data by around 90%, i.e., to roughly one-tenth of its uncompressed size.
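Added example (not part of the original card): a Python walker that steps through the marker segments of a JPEG stream using exactly the rules above (0xFF prefix, type byte, big-endian 16-bit length) and returns each segment's name, offset and length, which is what a carver or metadata extractor needs. The input is a constructed, minimal stream built in build_sample_jpeg(); it has the right marker structure but is not a decodable picture.

```python
import struct

def build_sample_jpeg():
    """Constructed minimal JPEG stream: SOI, APP0 (JFIF), COM, a fake SOS whose
    scan data contains a stuffed 0xFF00 and an RST0 marker, then EOI."""
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # 14 bytes
    com_payload = b"constructed sample"                               # 18 bytes
    sos_header = b"\x01\x01\x00\x00\x3f\x00"   # 1 component, dummy selectors
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"     # FF00 = stuffed 0xFF, FFD0 = RST0
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", 2 + len(app0_payload)) + app0_payload
            + b"\xff\xfe" + struct.pack(">H", 2 + len(com_payload)) + com_payload
            + b"\xff\xda" + struct.pack(">H", 2 + len(sos_header)) + sos_header + scan
            + b"\xff\xd9")

# Markers that carry no length field: SOI, EOI, TEM and the RST0..RST7 markers.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
NAMES = {0xD8: "SOI", 0xD9: "EOI", 0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM",
         0xDA: "SOS", 0xDB: "DQT", 0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT"}


def walk_markers(data):
    """Return [(name, offset, segment_length)] for each marker in the stream."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream: missing SOI marker")
    out, pos = [], 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        code = data[pos + 1]
        name = NAMES.get(code, f"0x{code:02X}")
        if code in STANDALONE:
            out.append((name, pos, 2))
            pos += 2
            if code == 0xD9:          # EOI: stop, ignore any trailing data
                break
            continue
        # Length field counts itself (2 bytes) plus the payload, not the marker.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        out.append((name, pos, 2 + length))
        pos += 2 + length
        if code == 0xDA:
            # Entropy-coded scan data follows SOS. Inside it 0xFF is always
            # followed by 0x00 (byte stuffing) or by an RSTn marker; the first
            # 0xFF followed by anything else is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return out


def segment_payload(data, segment):
    """Payload bytes of a segment (marker and length field stripped)."""
    _, offset, seg_len = segment
    return data[offset + 4:offset + seg_len]


if __name__ == "__main__":
    jpg = build_sample_jpeg()
    for seg in walk_markers(jpg):
        print(seg)
```

The walker deliberately stops at EOI: in a real examination, bytes appended after the EOI marker are themselves worth reporting, since they are a common place to hide data.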
RAID Storage System Redundant Array of Independent Disks (RAID)
· technology that uses multiple small disks simultaneously so that they function as a single large volume. RAID provides a method of accessing one or more separate hard disks while decreasing the risk of losing all data if a hard disk fails or is damaged (RAID 0, which only stripes, is the exception and provides no redundancy). RAID also helps improve access time. The RAID technology helps to: ▪ Maintain a large amount of data storage ▪ Achieve a high level of input/output performance ▪ Achieve high reliability through data redundancy ·The basic idea of the RAID storage system is to group multiple small and cheap hard disks into an array that provides higher performance than a single large hard disk. A RAID storage system is a collection of hard disks that function as, and appear to the user to be, a single large-capacity disk drive. The main advantage of the RAID system is that even if a disk in the array fails or is damaged, the system as a whole continues to function without any loss of data. This is possible because the data on each disk is either mirrored on another disk or can be reconstructed from parity information stored on the other disks in the array. The RAID system allows multiple simultaneous accesses to different files on different hard disks, reducing the time required to find data, and has a considerably higher data transfer rate than a single hard disk.
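Added example (not from the original card) showing in Python how parity-based redundancy works: data is striped across N-1 disks per stripe with an XOR parity block on the remaining disk (rotating, as in RAID 5), and the contents of any single failed disk are rebuilt by XORing the survivors. The four-disk array, the 4-byte block size and the payload are constructed for the demonstration; real controllers use large blocks and on-disk metadata this toy omits.

```python
def xor_blocks(blocks):
    """Byte-wise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, ndisks, block_size):
    """Stripe data over ndisks-1 data blocks per stripe; the parity block of
    stripe s lives on disk s % ndisks so parity I/O is spread over all disks."""
    ndata = ndisks - 1
    stripe_len = ndata * block_size
    data = data + b"\x00" * (-len(data) % stripe_len)   # pad the last stripe
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // stripe_len):
        base = s * stripe_len
        chunks = [data[base + j * block_size: base + (j + 1) * block_size]
                  for j in range(ndata)]
        parity = xor_blocks(chunks)
        pdisk = s % ndisks
        it = iter(chunks)
        for d in range(ndisks):
            disks[d] += parity if d == pdisk else next(it)
    return [bytes(d) for d in disks]


def raid5_read(disks, block_size):
    """Reassemble the logical volume by skipping each stripe's parity block."""
    ndisks, nstripes = len(disks), len(disks[0]) // block_size
    out = bytearray()
    for s in range(nstripes):
        pdisk = s % ndisks
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s * block_size:(s + 1) * block_size]
    return bytes(out)


def raid5_rebuild(disks, failed):
    """Recover a failed disk: XOR of all surviving disks, stripe by stripe.
    Works whether the lost block held data or parity, since P = D1^D2^...^Dn
    implies Dk = P ^ (XOR of the other data blocks)."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return xor_blocks(survivors)


if __name__ == "__main__":
    payload = b"forensic evidence stripe"          # constructed sample, 24 bytes
    array = raid5_write(payload, ndisks=4, block_size=4)
    lost = 1
    print(raid5_rebuild(array, lost) == array[lost], raid5_read(array, 4))
```

Losing a second disk before the rebuild completes makes the XOR underdetermined, which is why RAID is a resilience measure and not a substitute for an evidence copy.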
Static analysis
· the process of looking for known traces and values that indicate the presence of malware, such as malicious code, strings, and embedded executables in a program, without executing it. Static analysis is a basic analysis of the binary code that builds an understanding of the malware and its functions; behavioral (dynamic) analysis, by contrast, studies the malware's behavior during installation, on execution, and while running. A general static examination uses various tools and techniques to determine the malicious part of a program or file, gathers information about the malware's functionality, and collects technical pointers or simple signatures, such as file names, MD5 checksums or other hashes, file types, and file sizes. Disassemblers such as IDA Pro can be used to disassemble the binary file.
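Added example (not from the original card): a Python triage routine for the static pointers named above. It hashes a sample, checks the PE "MZ" signature, pulls printable strings out of the bytes, and flags strings that look like URLs, process-injection API names or shell commands. The binary is a constructed byte blob, and the indicator keyword lists are illustrative rather than a vetted signature set.

```python
import hashlib
import re

# Constructed stand-in for a suspicious executable: an MZ header, some
# non-printable filler, and a few embedded strings separated by binary bytes.
SAMPLE_BINARY = (b"MZ\x90\x00" + bytes(range(0, 32))
                 + b"CreateRemoteThread\x00" + b"\x01\x02"
                 + b"http://c2.example.invalid/beacon\x00" + b"\xff" * 16
                 + b"cmd.exe /c whoami\x00")

# Illustrative indicator lists; a real analyst would use a curated set.
INJECTION_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
                  "NtQueueApcThread"}
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
SHELL_HINTS = ("cmd.exe", "powershell", "/bin/sh")


def file_hashes(data):
    """The simple signatures most reports carry: MD5, SHA-1, SHA-256."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def is_pe(data):
    """Windows executables start with the 2-byte DOS signature 'MZ'."""
    return data[:2] == b"MZ"


def extract_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def flag_indicators(strings):
    """Tag strings that point at malicious functionality."""
    found = []
    for s in strings:
        if URL_RE.match(s):
            found.append(("url", s))
        elif s in INJECTION_APIS:
            found.append(("api", s))
        elif any(h in s.lower() for h in SHELL_HINTS):
            found.append(("shell", s))
    return found


def triage(data):
    strings = extract_strings(data)
    return {
        "size": len(data),
        "is_pe": is_pe(data),
        "hashes": file_hashes(data),
        "strings": strings,
        "indicators": flag_indicators(strings),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BINARY)
    print(report["hashes"]["sha256"], report["is_pe"])
    for kind, value in report["indicators"]:
        print(f"  [{kind}] {value}")
```

Strings are a weak signal on their own (packers and string encryption hide them, and benign binaries import the same APIs), so the output is a list of leads for the disassembler and sandbox, not a verdict.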
Just a Bunch of Drives/Disks (JBOD)
· type of data storage configuration in which multiple hard disks are used without a RAID array ·▪ It is defined as the concatenation of multiple hard disks of varying capacities and specifications into a single, large logical drive. This integration of disks is referred to as "spanning". ·▪ Alternatively, every individual drive within the JBOD can be accessed as a separate drive volume by the host computer ·▪ It does not support redundancy, parity, or striping, unlike RAID configurations ▪ In the event of a single disk failure, the entire system does not fail, and the data on the other disks remain intact
The hex value of a GIF image
· 47 49 46 (the ASCII characters "GIF"), followed by the version bytes 38 37 61 ("87a") or 38 39 61 ("89a")
Benefits of web application firewall
· ▪ WAF implementation secures existing, production web applications without changing their code. ▪ WAFs act as a reverse proxy between the client and the web server and inspect every HTTP request for common web attacks. ·▪ WAFs come with real-time alerting and extensive logging capabilities ▪ WAFs also protect cookies using encryption and signing, so tampering with a cookie can be detected ▪ WAFs can detect data validation issues by checking characters, input lengths, value ranges, etc.
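Added example (not from the original card) of the cookie-signing half of the protection listed above, in Python: the cookie value is paired with an HMAC-SHA256 tag, and verification uses a constant-time comparison so a modified value, or one signed under another key, is rejected before the application sees it. The key and cookie contents are constructed for the example.

```python
import base64
import hashlib
import hmac


def _tag(value, key):
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    # URL-safe base64 without padding: contains no '.', so rpartition is safe.
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def sign_cookie(value, key):
    """Return '<value>.<tag>' as the proxy would set it on the response."""
    return value + "." + _tag(value, key)


def verify_cookie(cookie, key):
    """Return the original value if the tag checks out, otherwise None.
    hmac.compare_digest avoids timing leaks when comparing tags."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    return value if hmac.compare_digest(_tag(value, key), tag) else None


if __name__ == "__main__":
    key = b"constructed-example-key"          # real deployments use a random key
    c = sign_cookie("user=alice;role=user", key)
    print(c, verify_cookie(c, key), verify_cookie(c.replace("user", "admin"), key))
```

Signing proves integrity only; the value is still readable by the client, which is why the card mentions encryption as well for cookies that carry anything sensitive.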
Secondary Data Files (NDF)
· A database contains only one primary data file, but it can contain zero, one, or many secondary data files. Secondary data files can be stored on a hard disk separate from the primary data file. The file name extension for secondary data files is .ndf.