CHFI Deck

RGBQUAD array

A color table that comprises an array of elements equal to the number of colors present in the bitmap; this color table does not support bitmaps with 24 color bits, as each pixel is represented by 24-bit RGB values in the actual bitmap. BMP files start with the hex value 42 4D (BM in ASCII).

Which of the following is NOT a disk editor tool to help view file headers and important information about a file?

A few of the disk editor tools are Disk Edit, WinHex, and Hex Workshop.

Radio interface, gateway, and network interface:

A mobile device communicates with the network operator through interfaces such as the radio interface, gateway, and network interface to establish safe and secure communication.

SWGDE Standard 1.2

Agency mgmt. must review SOPs on an annual basis to ensure their continued suitability and effectiveness.

SWGDE Standard 1.6

All activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony

SWGDE Standard 1.1

All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document.

Passware Kit 4

All passwords

what is snort?

An IDS

Obfuscator

A program that conceals the malicious code of malware via various techniques.

Which item describes the following UEFI boot process phase? The phase of EFI consisting of clearing the UEFI program from memory, transferring the UEFI program to the OS, and updating the OS calls for the runtime service using a small part of the memory.

RT

Guidance Software's EnCase

Rapidly acquires data from a variety of devices and unearths potential evidence with disk-level forensic analysis. Produces comprehensive reports on your findings and maintains the integrity of your evidence in a format the courts have come to trust.

Recovering Deleted Partition Windows

Restart the system with the Windows install DVD, then select Repair. When DOS comes up, type "fixboot". Alternatively, slave the drive to another system and try to recover it that way. Third-party tools include Active@ Partition Recovery, Acronis Recovery Expert, DiskInternals, GetDataBack, EaseUS, and 7-Data.

Which information held by the superblock contains major and minor items that allow the mounting code to determine whether or not supported features are available to the file system?

Revision Level

Rule 102. Purpose and Construction

Rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined.

Rule 103

Rulings on Evidence.

password guessing

Sometimes users set passwords that can be easily remembered, such as a relative's name, a pet's name, or an automobile license plate number. This makes the password easy to guess. Unlike other methods of password cracking, guessing requires only physical access or an open network path to a machine running a suitable service.

Crimes committed by sending e-mails

Spamming; phishing; mail bombing (the primary objective behind mail bombing is to overload the e-mail server and degrade the communication system by making it unserviceable); mail storms (occur when computers start communicating without human intervention).

SIM

Subscriber Identity Module; can store data such as contacts, messages, and time stamps. It also contains technical information such as the Integrated Circuit Card ID (ICCID), International Mobile Subscriber Identity (IMSI), last dialed numbers, service provider name, etc.

Rapid Elasticity

The cloud offers instant provisioning of capabilities, to rapidly scale up or down, according to demand.

Resource pooling

The cloud service provider pools all the resources together to serve multiple customers in the multi-tenant environment, with physical and virtual resources dynamically assigned and reassigned on demand by the cloud consumer

last -F

The command last -F displays each user's login and logout activity in detail, including the full login and logout dates and times on the system.

lsmod

The command lsmod displays the information about the loaded modules.

lsof

The command lsof is short for 'list open files'. The command is used to list all open files and the active processes that opened them.

decision maker

The person responsible for authorization of a policy or procedure during the investigative process. Based on the incident type, makes decisions about the policies and procedures used to handle the incident.

Primary Data Files (MDF)

The primary data file is the starting point of a database and points to other files in the database. Every database has an MDF. The MDF stores all the data in the database objects (tables, schema, indexes, etc.).

User Space

The protected memory area where the user processes run and this area contains the available memory.

Rebuttal Session

The rebuttal session is the cross-examination of the expert witness by both the plaintiff and the defendant.

Transaction LOG Data Files (LDF)

The transaction log files hold all log information associated with the database. The transaction log file helps a forensic investigator examine the transactions that occurred on a database, and even recover data deleted from the database.

Universal Mobile Telecommunications System (UMTS)

This is a 3G mobile phone technology (upgraded to 4G) that uses W-CDMA as the underlying interface.

RIYG6VR.doc in recycle bin. What can be derived from the title?

This is a document file.

Motion in Limine (Motion in Beginning):

This is a handwritten list of objections to a certain testimony. It is a special hearing on the acceptability of evidence or restriction of evidence. It is usually done a day or two before the beginning of the trial proceedings. This allows the judge to determine if the evidence should be allowed without the jury's presence.

Base Station Subsystem (BSS)

This is one of the major sections of a cellular network. It controls the BSC and BTS units. It is responsible for handling traffic, network switching system and signaling between cell phones

Base Station Controller (BSC)

This is one of the major sections of a cellular network. It controls the BSC and BTS units. It is responsible for handling traffic, network switching system and signaling between cell phones.

Visitor Location Register (VLR)

This is the database used in conjunction with the HLR for mobile phones roaming outside of their service area. It contains the current location of the mobile user as well as the Temporary Mobile Subscriber Identity (TMSI)

High Speed Downlink Packet Access (HSDPA)

This third generation mobile telephony communication protocol allows high data transfer speed for networks based on UMTS

Unlicensed Mobile Access (UMA)

UMA or the Generic Access Network (GAN) enables mobile services such as voice, IP Multimedia Subsystem/Session Initiation Protocol (IMS/SIP applications), and data to access IP networks.

Which of the two parts of the Linux file system architecture has the protected memory area where processes run?

User Space: The protected memory area where the user processes run and this area contains the available memory.

RAID 5

Uses byte level data striping across multiple drives, and distributes the parity information among all member drives. Data writing process is slow. It requires a minimum of three drives to set up. The RAID stripes and distributes the error detection and correction code or Data and parity code across three or more drives.

FAT32

Utilizes space 10-15% more effectively due to the use of smaller clusters. Very robust, with a lower failure rate than FAT16 devices. No restriction on the number of root folder entries.

Reports can be categorized as:

Verbal (board, jury, managers) = formal; Written (court, under oath) = formal.

Search Warrant

a written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location

The Sleuth Kit

cmd line tools and a C library to analyze disk images and recover files from them.

Profile/Fingerprint

collect data to see if the system was used as a relay or a compromised host

Evidence Depository

collected intrusion evidence is stored in the evidence depository

The Sleuth Kit (TSK)

collection of command line tools and a C library to analyze disk images and recover files from them.

first step of investigation

collection of the system time. The next step is to figure out who was logged on and who is currently logged on to a system

Dedicated File (DF)

directories that can contain one or more EFs; holds only the header, which contains information related to file structure and security

Doskey history:

displays all commands stored in memory

PsList.exe

displays basic information about the processes already running on a system, including the amount of time each process has been running. Options: -x details about threads and memory; -t task tree; -d detail; -m memory; -e exact match for process name.

PsLoggedOn

displays both the locally logged on users and users logged on via resources for either the local computer or a remote one.

Devcon.exe

displays detailed information about devices on Windows computers

net sessions

displays information about all logged in sessions of the local computer.

handle

displays information about open handles for any process. Options: -a all types; -c close; -l sizes; -y no prompt; -s print count; -u username; -p processes; name.

fsstat

displays the details associated with a file system. The output of this command is file system specific. Related commands: istat displays details of a meta-data structure (inode); fls lists file and directory names in a disk image; img_stat displays details of an image file.

Net File

displays the names of all open shared files on a server and the number of file locks, if any, on each file. You can also close files and remove file locks

Code Division Multiple Access (CDMA)

dominant cellular network used. It employs spread-spectrum technology where channels for communication are defined in terms of codes.

Paraben's Email Examiner

examines email formats including Outlook (PST and OST), Thunderbird, Outlook Express, Windows Mail and more. It allows analysis of message headers, bodies and attachments. It recovers email in the deleted folders, supports advanced searching, reporting and exporting to PST and other formats, and supports all major email types that are stored on local computers for analysis, reporting, and exporting/conversion.

RAID 1

executes mirroring as it duplicates or copies the drive data onto two different drives using a hardware RAID controller or software. If one drive fails, the other drive functions as a single drive until the failed drive is replaced. Requires a minimum of 2 drives.

Curriculum vita (CV)

helps an expert witness qualify his/her testimony by documenting his/her previous professional experience.

Reliable

extract and handle the evidence while maintaining a record of the tasks performed during the process to prove that the evidence is dependable. Forensic investigation is conducted only on the copies of evidence

reliable evidence

extract and handle the evidence while maintaining a record of the tasks performed during the process to prove that the evidence is dependable. Forensic investigation is conducted only on the copies of evidence.

/var/log/faillog

failed user login attempts

CD File System (CDFS)

file system for the Linux operating system that exposes all tracks and boot images on a CD as normal files. These files can then be mounted (for example, ISO and boot images), copied, and played. Its goal was to unlock information in old ISO images.

Service Provider Search Warrant

first responders can obtain things like service records, billing records, and subscriber information.

Busted access control

flaws related to access control are exploited

Which command from The Sleuth Kit (TSK) lists the files and directory names in an image and can display file names of recently deleted files for the directory using the given inode?

fls

Process Dumper (PD)

forensically dumps the memory of a running process.

Important Registry Entries:

The system stores information about shared files and folders in the following registry root key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Shares

Evidence Documenter

gathers info and documents it from incident occurrence to the end of the investigation.

RAID 1

generally executes mirroring as it duplicates or copies the drive data onto two different drives using a hardware RAID controller or software. If one of the drives fails, the other will function as a single drive until a user replaces the failed drive with a new one. Requires a minimum of 2 drives.

Evidence Graph Generation

generates and updates the evidence graph using intrusion evidence from the depository

Which cmdlet can investigators use in Windows PowerShell to parse GPTs of both types of hard disks including the ones formatted with either UEFI or MBR?

Get-GPT and Get-MBR

/var/log/messages

global system messages

Hardware (mobile)

hardware such as a display device, keypad, RAM, flash, embedded processor, and media processor, which are responsible for mobile operation

ESN

has the manufacturer information

Rule 801

hearsay

Rules 801-804

hearsay

Vulnerability-based

helps map IDS events to vulnerability scanner output

nbtstat

helps to troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. Options: -a remote name; -A IP address; -c cache; -n names; -r resolved; -S sessions.

SysAnalyzer (for dynamic malware analysis)

helps you monitor the installation of executables, shows information like process ID, the new file path, open ports, process DLLs, loaded drivers, and tasks.

Home Location Register (HLR)

This is the database at the MSC. It is the central repository system for subscriber data and service information.

What is a cloud environment composed of two or more clouds that remain unique entities but are bound together to offer the benefits of multiple deployment models?

hybrid cloud

Crimes supported by e-mails

Identity fraud; cyber-stalking; child pornography; child abduction.

Devcon or Device console.

is a command-line tool that displays detailed information about devices on computers running Windows operating system. DevCon can be used to enable, disable, install, configure, and remove devices.

Forensic Toolkit (FTK)

is a court-cited digital investigations platform built for speed, stability and ease of use. It provides comprehensive processing and indexing up front, so that filtering and searching is fast.

International Organization of Computer Evidence (IOCE)

is an organization formed in 1995. This organization provides an international forum for law enforcement agencies around the world to exchange information related to computer investigation and digital forensic issues.

SMTP (Simple Mail Transfer Protocol, port 25)

is an outgoing mail server, which allows a user to send emails to a valid email address

Fgdump

is basically a utility for dumping passwords on Windows NT/2000/XP/2003/Vista machines.

$Bitmap

is an NTFS metadata file that keeps track of used and unused clusters

Network Forensics

is the capturing, recording, and analyzing of network traffic and event logs to discover the source of security attacks

RAID 2

is the only level among all the RAID levels that does not implement even one of the standard techniques of parity, mirroring or striping. It uses a technique similar to striping with parity. It includes splitting of data at the bit level and distributing it to numerous data disks and redundancy disks.

Steganalysis

is the process of discovering the existence of the hidden information within a cover medium. Steganalysis is the reverse process of steganography.

Media sanitization

is the process of permanently deleting or destroying data from storage media. NIST SP 800-88 guidelines: Clear, Purge, Destroy.

Cross-examination

is the process of providing the opposing side in a trial the opportunity to question a witness

BinHex

is the short form for "binary-to-hexadecimal." It is a binary-to-text encoding system used on Mac OS to send binary files via e-mails. This system is similar to Uuencode, but BinHex combines both "forks" of the Mac file system including extended file information.

readelf

is the short notation for 'Read Executable and Linking Format'. The command is used to analyze the file headers and sections of ELF files.

Slack Space

is the wasted area of the disk cluster lying between end of the file and end of the cluster when the file system allocates a full cluster to a file, which is smaller than the cluster size.

OLE (Object Linking and Embedding)

is used by Microsoft Office, not used by PDF

Tripwire

is used for file integrity

command ss -l -p -n | grep

is used to list listening sockets along with the processes that own them and filter for a particular process, to check whether that process running on the system is suspicious

mysqldbexport

is used to export metadata or data, or both from one or more databases

aureport

is used to produce summary reports of the audit system logs.

Mobile Subscriber Identification Number (MSIN)

a 10-digit number, also known as the MIN (mobile identification number), that helps identify the mobile phone service provider within a mobile carrier network.

Static Data Acquisition

the process of acquiring non-volatile or unaltered data that remains in the system even after shutdown. Investigators can recover such data from hard drives as well as from slack space, swap files, and unallocated drive space. Other sources of non-volatile data include CD-ROMs, USB thumb drives, smartphones, and PDAs. Static acquisition is usually applicable to computers the police seized during a raid, including those with an encrypted drive.

Passware search index examiner

makes all the data indexed by Windows Search accessible. Requires only one file from the target PC, the Windows Desktop Search database (.edb).

sleep mode

keeps the system running in a low power state so that the user can instantaneously get back where he/she has paused working

/var/log/dmesg

kernel ring buffer information

Phone API

provides telephony services related to the mobile carrier operator such as making calls, receiving calls, and SMS. All phone APIs appear at the application layer.

Analyst Interface

provides visualization of the evidence graph and reasoning results to the analyst, who passes the feedback to the graph generation and reasoning components

Cain & Abel

Password recovery tool for Microsoft operating systems. Uses sniffing, dictionary, brute-force, and cryptanalysis attacks. Also records VoIP conversations, decodes scrambled passwords, recovers wireless keys, reveals password boxes, uncovers cached passwords and analyzes routing protocols.

Advanced Disk Recovery

quick or deep scan for lost or deleted files

UndeletePlus

quick or deep scan for lost or deleted files

R-Studio (Mac, Windows, Linux)

Raw file recovery can be used for heavily damaged or unknown file systems; recovers data on disks even if partitions are formatted, damaged, or deleted.

/var/log/lastlog

recent login information

expert witness

recognized by a court of law as trustworthy for giving an opinion or verifying a process by virtue of their education, skills, expertise, knowledge, and experience in a specific field. In this case, expert witnesses are technically sound persons who understand the working and process of attacks, the investigative methods, and the results obtained.

Recuva

recover all types of lost files from disk or removable media

recover my files

recovers deleted files emptied from the recycle bin, or lost to an accidental format, hard disk crash, etc.

Recuva

recover lost pictures, music, docs, video, email, or other file type from all types of media

Stellar Phoenix (Mac or Windows)

recovers deleted files with their original file name. Supports RAW recovery on lost volumes.

Data Rescue 4 for Mac (also Windows version)

recovers files from crashed or virus-corrupted hard drive, non-mounting hard drive, reinstalled OS, or accidentally reformatted hard drive, or damaged, missing, or previously deleted files. Recovers all file types from any HFS/HFS+ formatted drive.

Quick Recovery

recovers files that have been lost, deleted, corrupted, or deteriorated. Searches, scans, and recovers files that are encrypted and password protected and restores them. Repairs and recovers disk bad sectors; recovers virus-prone files, hidden files, and password protected files.

File Salvage (Mac)

recovers lost files, iTunes libraries, iPhoto collections, lost data. Recovers from Mac OS hard drive, USB, PC disk, Linux disk, FAT32 disk, FLASH card, scratched CD, digital camera, iPod, and any other file system recognized by Mac OS.

Recuva

recovers pictures, music, documents, videos, emails, or any other file type that has been lost. Can also recover from rewritable media like memory cards, external hard drives, USB, etc. Offers superior file recovery and can recover files from damaged or newly formatted drives, so the chances of recovery are higher. Offers an Advanced Deep Scan mode that scours a drive to find any traces of files that have been deleted. Securely deletes files with a secure overwrite feature that meets military standards.

Bad sectors

refer to the portions of a disk that are unusable due to some flaws in them and do not support the read or write operations. The data stored in bad sectors is not completely accessible. Bad sectors might be due to configuration problems or any physical disturbances to the disk.

Microsoft Security ID

refers to a unique identification number that Microsoft assigns to a Windows user account for granting the user access to a particular resource.

Administrative Investigation

refers to an internal investigation by an organization to discover if its employees, clients and partners are abiding by the rules or policies, i.e., violation of company policies. Involves an agency or government performing inquiries to identify facts with reference to its own management and performance. Non-criminal in nature and related to misconduct or activities of an employee that include, but are not limited to: violation of the organization's policies, rules, or protocols; resource misuse, damage or theft; threatening or violent behavior; sexual exploitation, harassment, and abuse; improper promotion or pay raise, corruption and bribery.

Forensic Readiness

refers to an organization's ability to make optimal use of digital evidence in a limited period and with minimal investigation costs. It includes technical and nontechnical actions that maximize an organization's competence to use digital evidence. A forensic investigator performs the following tasks: evaluates the damages of a security breach; identifies and recovers data required for investigation; extracts the evidence in a forensically sound manner; ensures proper handling of the evidence; acts as a guide to the investigation team; creates reports and documents about the investigation required to present in a court of law; reconstructs the damaged storage devices and uncovers the information hidden on the computer; updates the organization about various methods of attack and data recovery techniques, and regularly maintains a record of them (following a variant of methods to document); addresses the issue in a court of law and attempts to win the case by testifying in court.

Event Masking

refers to missing events related to systems that are downstream of a failed system. It avoids the events that cause the system to crash or fail

Direct examination

refers to the process of a witness being questioned by the attorney who called him or her to the stand

The Frye Standard

related to the admissibility of scientific examinations or experiments in legal cases. According to this standard, any kind of expert opinion based on scientific techniques is admissible if the technique involved is accepted by the relevant scientific community.

Admissible Evidence

must be relevant to the case, act in support of the client presenting it, and be well communicated and non-prejudiced.

ListDLLs

reports DLLs loaded into processes (process name, PID, DLL name). Options: -r relocated; -u unsigned; -v version.

Gramm-Leach-Bliley Act (GLBA)

requires financial institutions to protect their customers' information against security threats. Log management can be useful in identifying possible security violations and resolving them effectively

POP3 (Post Office Protocol, v3, port 110)

is a simple protocol for retrieving emails from an email server. When the POP server receives emails, they are stored on the server until the user requests them.

operating system

handles scheduling of multiple tasks, memory management, synchronization, and priority allocation. It also provides interfaces for communication between application layers, middleware layers, and hardware.

MBR almost always refers to the partition sector of a disk also known as:

sector 0. Master partition table.

Time Division Multiple Access (TDMA)

a single-frequency channel is provided to multiple users over divided time slots

The GNU C Library (glibc)

sits between the User Space and Kernel Space and provides the system call interface that connects the kernel to the user-space applications

Capsa

sniffer with support for over 300 network protocols

Which of the following is NOT an element of cyber crime?

Speed; anonymity; volatile nature of evidence; evidence size and complexity; anti-digital forensics; limited legal understanding.

Payment Card Industry Data Security Standard (PCI DSS)

standard for organizations that handle cardholder information for the major debit, credit, prepaid, ATM, and POS cards

Fourth Amendment

states that government agents may not search or seize areas or things in which a person has a reasonable expectation of privacy, without a search warrant. Note: Private intrusions not acting in the color of governmental authority do not come under the Fourth Amendment.

Known Stego attack​

steganography tool (algorithm) is known and both original and stego-object are available

IMAP(port 143 or 993)

stores emails on the mail server and allows users to view and manipulate their emails as if the mails were stored on their local systems. This enables users to organize all their mails according to their requirements.

HKEY_CURRENT_CONFIG

stores information about the current hardware profile of the system. It is also a pointer to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\Current

/var/log/lpr.log

stores printer logs

Codebook-Based

stores sets of events in codes

Authentication Center (AuC):

stores the user's IMSI, encryption, and authentication keys.

FRED

systems are optimized for stationary laboratory acquisition and analysis. FRED will acquire data directly from IDE/EIDE/ATA/SATA/ATAPI/SAS/Firewire/USB hard drives and storage devices and save forensic images to Blu-Ray, DVD, CD, or hard drives

DoS

targeted attack to produce a loss of service or availability

Directory Traversal

technique using HTTP exploits to access files outside the HTTP root directory

DiskDigger (Windows 10, 8, 7, Vista, XP)

undeletes and recovers lost files from hard drives, memory cards, and USB drives. Recovers documents or photos accidentally deleted or lost from a reformatted camera memory card, or can be used to check files on an old USB drive. Shows recoverable files as a thumbnail preview.

Electronic Serial Number (ESN)

unique, 32-bit number embedded on a chip inside a CDMA phone by the manufacturer. There are two formats: 8 bits manufacturer code and 24 bits serial number, OR 14 bits manufacturer code and 18 bits serial number.

ZFS

used by Sun. Offers high storage capacity, data protection, compression, volume management, integrity checks, deduplication, encryption, and auto repair.

Jv16 tool

used for registry change analysis, not malware installation file analysis.

Nuix Corporate Investigation Suite

used to collect, process, analyze, review, and report evidence

DisableLastAccess

used to disable the updating of the last access time on files. Can be invoked using the "fsutil" command.

Registry Editor (regedit) (Windows)

used to load (open) or unload registry hives (hives begin with HKEY)

regedit.exe

used to load or unload registry hives (hives begin with HKEY).

OpenGL/ES and SGL

used to render 2D (SGL) or 3D (OpenGL/ES) graphics to the screen

Warrantless Seizure

used when the destruction of evidence is imminent and there is probable cause to believe that the item seized constitutes evidence of criminal activity. Agents may also search a place or object without a warrant or probable cause, if a person with authority has consented (example: you are a teenager and your parents give police the consent to search your room).

opening statement

An opening statement is important because it offers an outline of the case.

Incident Analyzer

Analyzes the incidents based on their occurrence. He or she examines the incident with regard to its type, how it affects the systems, and the different threats and vulnerabilities associated with it.

Android Rooting

Android: OneClickRoot, Kingo Android ROOT, Towelroot, RescuRoot

File Recovery Tools for Mac

AppleXsoft File Recovery, Disk Doctor Mac Data Recovery, R-Studio for mac, Data Rescue 4, Stellar Phoenix, FileSalvage, 321Soft, Disk Drill, Mac Data Recovery Guru, Cisdem

Rule 502

Attorney-Client privilege and work product; Limitations on waiver

Rule 901

Authenticating or Identifying Evidence

Paraben's Stronghold

Faraday Bags block out wireless signals to protect evidence.

Which of the following is NOT an advantage of SSDs over HDDs?

Faster data access; less power usage; higher reliability.

What is a method of lossy compression for digital images that allows users to adjust the degree of compression?

JPEG

Third Extended File System (Ext3)

Journaling file system used in the GNU/Linux OS; enhanced version of ext2. Its main advantage is journaling, which improves reliability/integrity and speed. Can convert from ext2 to ext3 or vice versa.

Which component of the NTFS architecture is the processing mode that permits the executable code to have direct access to all the system components?

Kernel Mode

Which of the two parts of the Linux file system architecture has the memory space where the system supplies all services through an executed system call?

Kernel Space

What stage of the Linux boot process includes the task of loading the virtual root file system created by the initrd image and executes the Linuxrc program?

Kernel Stage

fsutil

Last access time change for Windows 10:

PRIV.STM

MIME Stream can be found in: PRIV.STM

Mobile Network Code (MNC)

MNC is a two-digit network identification number used along with the MCC printed on the SIM. It is used to identify the SIM user on a mobile phone network.

Non-Volatile Data

Non-volatile data refers to the permanent data stored on secondary storage devices, such as hard disks and memory cards. Information stored in non-volatile form includes hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, registry settings, and event logs.

Which component of the NTFS architecture reads the contents of the Boot.ini file?

Ntldr

Mac forensic tools

OS X Auditor (Mac forensics tool), MacForensicLab, Macintosh Forensic Software, Memoryze for the Mac, Mac Marshal, F-Response, Mac OS X Memory Analysis Toolkit, Volatility 2.5, Avast Free Mac Security, OS X Rootkit Hunter for Mac

Steps involved in investigating e-mail crimes and violations

1. Obtain a search warrant
2. Examine e-mail messages
3. Copy and print the e-mail messages
4. View the e-mail headers
5. Analyze the e-mail headers
6. Trace the e-mail
7. Acquire e-mail archives
8. Examine e-mail logs
Types of encoding in emails

expert witness

Offers a formal opinion as a testimony in a court of law.

Distributed Storage

Offers better scalability, availability, and reliability of data. However, cloud distributed storage does have the potential for security and compliance concerns.

On Macintosh computers, which architecture utilizes Open Firmware to initialize the hardware interfaces after the BootROM performs POST?

On PowerPC-based Macintosh computers, Open Firmware initializes the rest of the hardware interface

Generic Forensic Zip (gfzip)

Open format for compressed and signed files that uses SHA-256. Embeds user metadata with file metadata and signs with X.509.

Rule 701

Opinion testimony by lay witnesses

Limitations of Cloud Computing:

Organizations have limited control and flexibility; prone to outages and other technical issues; security, privacy, and compliance issues; contracts and lock-ins; depends on network connections

iOS rooting

Pangu Jailbreak, Redsn0w, Sn0wbreeze, GeekSn0w

PDF Password recovery

PDF Password recovery, PDF Password Genius, SmartKey, Tenorshare, Guaranteed

What is the RAID level that executes mirroring as it duplicates drive data onto multiple drives?

RAID 1

What is the RAID level that uses byte level data striping across multiple drives and distributes the parity information among all member drives?

RAID 5

Running processes:

RAM, Virt Mem, Swap space

Default Location off Access logs

RHEL/Red Hat/CentOS/Fedora Linux: /var/log/httpd/access_log
Debian/Ubuntu Linux: /var/log/apache2/access.log
FreeBSD: /var/log/httpd-access.log

The default location of error logs:

RHEL/Red Hat/CentOS/Fedora Linux: /var/log/httpd/error_log
Debian/Ubuntu Linux: /var/log/apache2/error.log
FreeBSD: /var/log/httpd-error.log

Apache Configuration File Location

RHEL/Red Hat/CentOS/Fedora Linux: /usr/local/etc/apache22/httpd.conf
Debian/Ubuntu Linux: /etc/apache2/apache2.conf
FreeBSD: /etc/httpd/conf/httpd.con

netstat -na

Find TCP/UDP ports with unusual listeners

Rogue Access points

Client misassociation

Chapter 10 Summary

Cloud computing is an on-demand delivery of IT capabilities where IT infrastructure and applications are provided to subscribers as a metered service over a network.
Cloud services are broadly divided into three categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
Cloud forensics is the application of the digital forensic investigation process in the cloud computing environment.
A crime committed with the cloud as a subject, object, or tool is a cloud crime.
Forensic investigations in the cloud involve at minimum the CSP and the client, but the scope of the investigation extends when the CSP outsources services to third parties.
According to NIST, cloud forensics challenges are categorized into nine major groups: architecture, data collection, analysis, legal, training, anti-forensics, incident first responders, role management, standards, etc.
Cloud storage services such as Dropbox, Google Drive, etc. create artifacts on a system they are installed upon that may provide information relevant to an investigation.

What tool is used for format recovery, unformatting, and recovering deleted files emptied from the Recycle Bin or data lost due to partition loss or damage, software crash, virus infection, or unexpected shutdown, and supports hardware RAID?

EASEus

Rule 105

Limited Admissibility.

Which RFC defines normal email communication?

RFC 5322

Rule 101

Scope. Rules govern proceedings in the courts of the United States.

SWGDE Standard 1.5

The agency must use hw and sw that is appropriate and effective for the seizure/examination procedure.

Abbreviated dialing numbers (ADN):

Three-digit dialing numbers used for communication in emergencies.

Comodo Programs Manager

dynamic malware analysis to review installation files

Comodo Programs Manager:

dynamic malware analysis tool that helps investigators detect hidden and background installations which the malware performs.

Install Watch:

dynamic malware analysis tool that helps investigators detect hidden and background installations which the malware performs.

Most Recently Used lists (MRU​)

are the lists of recently visited web pages, opened documents, etc. The MRU list registry key is the RecentDocs key.

DDOS

An attack on the specific IP address of a company's website is a network attack.

FSUM

command line utility for file integrity verification. It offers a choice of 13 hash and checksum functions for file message digest and checksum calculation.

Automated Field Correlation

compares some or all fields and determines correlation across these fields

hibernate mode

completely writes the memory as a hiberfil.sys file in HDD.

Apache web server

has a modular design. It consists of two major components, the Apache Core and the Apache Modules.

BIOS Parameter Block (BPB)

Data at sector 1 in the volume boot record; describes the volume layout.

Anti-forensics

data deletion, encryption, data hiding (Steganography), Trail Obfuscation (deleting log files, spoofing, zombie accounts, misinformation), Program Packers, Rootkits, Privacy Eraser (tool that deletes browser history)

FSUTIL

performs tasks related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume

Total Recall:

recovers lost data from hard drives, RAID, photos, deleted files, iPods, FireWire, and USB.

Which of the following is one of the five UEFI boot process phases?

SEC PEI DXE BDS RT

SWGDE Standard 1.3

SOPs must be generally accepted or supported by data gathered and recorded in a scientific manner.

SQLite

SQLite is the database engine that stores data in Android devices

PC-3000 Flash

is a hardware and software suite for recovering flash-based storage

Error code 530

logon failure

net start

look for unusual network services

logon events: 624

Account created

Resetting Admin Passwords

Active@ Password changer, Windows Recovery Bootdisk, Windows Password Recovery Lastic

Which of the following basic partitioning tools displays details about GPT partition tables in Linux OS?

GNU Parted

Electronic Storage Device Search Warrant​

allows the first responder to search and seize the victim's computer components like hardware, software, storage devices, and documentation.

PsFile

command-line utility that can retrieve the list of remotely opened files on a system

net file​

displays the names of all open shared files on a server and the number of file locks on each file

503 Event log

(503 error message: Service Unavailable), 530 = failed login attempt

Master Boot Record

The MBR is a hard disk's first sector (sector zero) and specifies the location of an operating system for the system to load into main storage. Also called the partition sector or master partition table; it contains a table that locates partitioned disk data. Size: 512 bytes.

FileMerlin

(document conversion): converts word processing, XLS, PPT, and database files between a wide range of file formats. Regarded as the premier document conversion product.

Dependency Walker

(for dynamic malware analysis): lists all dependent modules, builds hierarchical tree diagram, records all the functions each module exports and calls, can detect application problems like missing/invalid modules, import/export mismatch, circular dependency errors, mismatched machine modules, and module initialization failure.

Capsa

(network analyzer): supports over 300 network protocols, monitors network traffic, email monitoring, can be used to detect Trojans​.

How many bytes does a directory entry have allotted for each file and directory in the FAT file system?

32

Forensics Investigation Reports

A forensic investigation report is a statement of allegations and conclusions drawn from the computer forensics investigation. It contains all the findings of the investigator in written form, making it a concise, precise, accurate, and organized report. It presents all aspects of the investigation in an unbiased, organized, and understandable manner.

Plaintiff and Defendant

A plaintiff is a person who initiates the lawsuit, claiming damages; the defendant is the person who is answerable to the plaintiff's complaints or claims. The attorney and the opposing counsel present the case, explaining what, when, where, and how it happened.

On-demand self-service

A type of service rendered by cloud service providers that allows provisioning of cloud resources such as computing power, storage, network, and so on, always on demand, without the need for human interaction with service providers.

Rule 1003

Admissibility of Duplicates. States a duplicate is admissible to the same extent of the original, unless a genuine question is raised on the authenticity of an original or in circumstances where it would be unfair to admit the duplicate over the original.

Rule 1003

Admissibility of duplicates

Rule 1004

Admissibility of other Evidence of Content. The original evidence is not required if the original is lost or destroyed (unless done in bad faith), original not obtainable, original in possession of opponent.

Rule 1004

Admissibility of other evidence of Content

Which is a required characteristic of digital evidence?

Admissible, authentic, complete, reliable, believable

Closing Arguments:

After the presentation of all the evidence, both the plaintiff and defendant have the chance to present the summarized closing statements of the case. The attorney and the opposing counsel can suggest solutions for the case but must leave the verdict to be decided by the jury.

Dealing with powered off computers

At this point of the investigation, do not change the state of any electronic devices or equipment:
If it is switched OFF, leave it OFF.
If a monitor is switched OFF and the display is blank: turn the monitor ON, move the mouse slightly, observe the changes from a blank screen to another screen, note the changes, and photograph the screen.
If a monitor is switched ON and the display is blank: move the mouse slightly. If the screen does not change, do not perform any other keystroke. Photograph the screen.

Dropper:

Attackers need to install the malware program or code on the system to make it run; a dropper performs this installation task covertly.

Rule 502

Attorney/Client privilege and work product

Which Linux boot stage initializes the system hardware?

BIOS

netstat -r

Displays the contents of the IP routing table. This is equivalent to the route print command.

FileMerlin

Converts word processing, XLS, PPT and database files for backups or duplication purposes

Which is a threat to web applications?

Cookie poisoning

UTC

Coordinated Universal Time

What UFS file system part comprises a collection, including a header with statistics and free lists, a number of inodes containing file attributes, and a number of data blocks?

Cylinder groups

Prefetch

The DWORD value at offset 120 within the file corresponds to the last time the application was run; this value is stored in UTC format.

prefetch

The DWORD value at offset 144 within the file corresponds to the number of times the application has been launched.

Data to collect from a website attack

1. Date and time at which the request was sent
2. IP address from where the request was initiated
3. HTTP method used (GET/POST)
4. URI
5. HTTP query
6. A full set of HTTP headers
7. The full HTTP request body
8. Event logs (non-volatile data)
9. File listings and timestamps (non-volatile data)

Notify Decision Makers and Acquire Authorization

Decision makers are authorities who implement the policies and procedures for handling an incident. The decision maker must be notified for the authorization when written incident response policies and procedures do not exist.

Understanding Digital Evidence

Digital evidence includes all such information that is either stored or transmitted in digital form and has probative value. Investigators should take utmost care while gathering digital evidence as it is fragile in nature. According to Locard's Exchange Principle, "anyone or anything, entering a crime scene takes something of the scene, and leaves something of themselves behind."

Rule 701

Disclosure of facts or data underlying expert opinion

Rule 705

Disclosure of facts or data underlying expert opinion

netstat -e

Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.

Incident Response Preparation

Document all information about the incident. Use a logbook to record all actions during collection.

Brute Force

In a brute force attack, the attacker tries every possible combination of characters until the correct password is found, including trying different hashes for encrypted passwords.

Dictionary Attack

In a dictionary attack, a dictionary file is loaded into the cracking application that runs against user accounts. The program uses every word present in the dictionary file to find the password. Dictionary attacks can be considered more useful than brute force attacks, although they do not work against systems that use pass phrases

offset

In computing, an offset usually refers to either the start of a file or the start of a memory address. Example: If "A" denotes address 80, then the expression A+20 implies the address 100, where 20 in the expression is the offset

Types of web application threats

Insecure direct object references, insufficient transport layer protection, failure to restrict URL access, insecure or improper cryptographic storage, cookie snooping, obfuscation application, DMZ attacks

Cybersquatting

Involves conducting phishing scams by registering a domain name that is similar to a cloud service provider

relational analysis

It correlates the actions of suspect and victim

libc

It is a C system library tuned for embedded Linux-based devices

What is NOT one of the three tiers a log management infrastructure typically comprises?

Log generation, log analysis and storage, log monitoring

database of every file and directory in NTFS

MFT (Master File Table)

Which component of the NTFS architecture contains executable master boot code that the system BIOS loads into memory?

Master Boot Record

which file type offers journaling?

NTFS

Xplico:

Open-source network forensic analysis tool (NFAT) that extracts application data contained in an Internet traffic capture. Example: from a pcap file it extracts all email, HTTP contents, VoIP calls, FTP, etc.

Advanced Forensics Format (AFF)

Open-source format with no size restrictions and space for metadata

photographer

Photographs the crime scene and all evidence. Should have an authentic certification.

Setting up a CFL

Planning and budgeting
Location and structural concerns
Work area considerations (50-63 sq ft per station, no windows)
HR considerations (certifications and experience)
Physical security recommendations
Have the lab forensically licensed: ASCLD/Lab Accreditation, ISO/IEC 17025

What partition holds the information regarding the operating system, system area, and other information required for booting?

Primary partition

42 U.S.C. 2000aa-7 (a)

Privacy Protection Act, special steps to take during seizure that don't prevent freedom of expression

Types of clouds:

Private, public, hybrid, community (multi-tenant, common computing concerns)

Bit-stream disk-to-image

ProDiscover, EnCase, FTK, TSK, X-Ways, ILook

Injector

Program that injects the exploits or malicious code available in the malware into other vulnerable running processes and changes the way of execution to hide or prevent its removal

18 USC 1361-2

Prohibits malicious mischief

Recover Files on Mac

Put back from Trash, Time Machine, 3rd party software

Which tool recovers files that have been lost, deleted, corrupted, or even deteriorated?

Quick Recovery

Crypter:

Refers to a software program that can conceal existence of malware

Rule 1002

Requirement of original

Advanced Forensic Framework 4 (AFF4)

Supports more file formats than AFF and much larger capacities; image signing and cryptography; transparent to clients

Which of the following is NOT a command used to determine running processes in Windows?

Tasklist, Pslist, Listdlls, Handle

ICCID XX254XXXXXXXXX

The 254 stands for: country code

What stage of the Linux boot process includes the task of loading the Linux kernel and optional initial RAM disk?

The Bootloader Stage

Kernel Space

The memory space where the system supplies all kernel services through kernel processes. The users can access this space through the system call only. A user process turns into kernel process only when it executes a system call.

Secondary Data Files (NDF)

The secondary data files are optional. While a database contains only one primary data file, it can contain zero/single/multiple secondary data files.

DD Command

The syntax for the dd command is as follows: dd if=<source> of=<target> bs=<byte size> skip=<blocks> seek=<blocks> conv=<conversion>
source: from where to read the data
target: where to write the data
bs: byte size (usually some power of 2, not less than 512 bytes [i.e., 512, 1024, 2048, 4096, 8192])
skip: number of blocks to skip at the start of the input
seek: number of blocks to skip at the start of the output
conv: conversion options
An investigator may use the following commands for the respective tasks:
Suppose a 2GB hard disk is seized as evidence. To make a complete physical backup of the hard disk with dd, use dd if=/dev/hda of=/dev/case5img1
To copy one hard disk partition to another hard disk, use dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror

WhatChanged Portable

The tool that can be used to extract artifacts from Google Drive and Dropbox is

Infrastructure as a Service (IaaS)

This cloud computing service enables subscribers to use fundamental IT resources such as computing power, virtualization, data storage, network, and so on, on demand.

Software as a Service (SaaS)

This cloud computing service offers application software to subscribers on demand, over the Internet. The provider charges for it on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users.

OPENFILES

This command queries or displays open files and also queries, displays, or disconnects files opened by network users.

Which inode field shows when the creation occurred and the last modification?

Timestamps

Court's Expert:

To advise the court on technical issues that the court fails to comprehend.

Consulting Expert

To offer technical explanations for a complex situation during court trials.

Which of the following is NOT used in the calculation of HDD density?

Track density: the number of tracks in a hard disk.
Area density: the platters' storage capacity in bits per square inch.
Bit density: bits per unit length of track.

copying data

Use Bit stream imaging

Sniffing tools

WireShark, SteelCentral Packet Analyzer, Tcpdump, Windump, Capsa, Omnipeek, Observer

Edge Cached File Location

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\

Mysqldump

(MSSQL forensics: take action when a security incident has occurred and detection and analysis of the malicious activities performed by criminals over the SQL database file are required.) Mysqldump is a command-line utility used to take a backup of the database.

Incident Response Preparation

The following should be ready before an incident occurs:
1. A first responder toolkit (responsive disk)
2. An incident response team (IRT) or designated first responder
3. Forensic-related policies that allow forensic data collection

Linux bootloader

Active in the Bootloader stage (LILO and/or GRUB load the kernel)

Logical Block Addressing (LBA)

addresses data by allotting a sequential number to each sector

Pandora Recovery

allows you to locate and recover files deleted from FAT and NTFS-formatted volumes. Scans and builds an index of existing and deleted files and directories.

Fourth Extended File System (ext4)

Better scale and reliability than ext3. Replaces the block mapping scheme of ext2/3 to increase performance and reduce fragmentation.

Remo Recover Pro (Mac):

Binary application that makes Mac data recovery easy on PowerPC- and Intel-based machines; recovers files emptied from the Trash or lost due to inaccessible Mac volumes; able to recover data even if the Disk Verify and Repair tool fails to retrieve the lost data.

Verbal formal report:

board, managers, jury

Windows Server 2012 Log Files

by default the log files are stored at %SystemDrive%\inetpub\Logs\LogFiles

Cross-Site Scripting (XSS)

bypassing client security and injecting malicious code

Physical Evidence includes​

cables, removable media, Publications, all computer equipment including peripherals (mice, keyboard, etc...), items taken from the trash.

HashMyFiles

Calculates the MD5 hash of one or more files. Can also display MD5 hashes of files or folders.

internal Attacks

considered as a primary threat, refer to attacks by disgruntled individuals working in the same firm or household as the victim. Examples of internal attacks include espionage, theft of intellectual property, manipulation of records, and Trojan horse attack.

SSL/TLS downgrade attacks

Constant failure to negotiate TLS, so the browser falls back to SSL and a MiTM attack can occur

Active File recovery

contains CD/DVD ISO image that allows you to burn a bootable CD or DVD with a lightweight version of Windows 7. Can recover from a system that is not bootable.

Elementary Files (EF)

contains both header and body; which hold actual data. Contains serial number of SIM.

HKEY_USERS

contains information about all the currently active user profiles on the computer.

Equipment Identity Register (EIR)

Database that contains a list of devices with their IMEI numbers. A mobile network operator (MNO) can go through the EIR to track the IMEI of a mobile device, check whether it is valid (whitelisted) or suspected/stolen/blocked (blacklisted), and take action, if required.

Service Provider Network (SPN)

defines SIM card Service Provider

Integrated Digital Enhanced Network (iDEN)

developed by Motorola, is the mobile communication technology that provides its users with the benefit of a trunked radio and cellular telephone

PDF

Device independent; supports different systems such as Mac, Linux, etc. Supports different compression algorithms and several multimedia elements. Allows password protection.

Proc Heap Viewer:

enumerates process heaps in Windows. Uses a better process than Windows heap functions, which makes it fast and highly efficient. Can be used to discover heap related vulnerabilities.

Route correlation

extracts attack route info to single out other attack data

Error code 500

internal server error

paladin

is a modified "live" Linux distribution based on the PALADIN Toolbox.

data acquisition

is the first pro-active step in the forensic investigation process. The aim of forensic data acquisition is to extract every bit of information present on the victim's hard disk and create a forensic copy to use it as evidence in the court. In some cases, data duplication is preferable instead of data acquisition to collect the data. Investigators can also present the duplicated data in court.

Root Cause Analysis

is the most complex part in event correlation. During a root cause analysis, the event correlator identifies all the devices that became inaccessible due to network failures.

18 USC 2252A

law about child pornography

Attorney

legal advice about the investigation, and legal issues involved in the forensics investigation process.

The Sleuth Kit (TSK)

Library and collection of command-line tools that allow investigating disk images. The core functionality of TSK allows analyzing volume and file system data. The plug-in framework also allows incorporating additional modules to analyze file contents and build automated systems. The library can be incorporated into larger digital forensics tools, and the command-line tools can be used directly to find evidence.

What is NOT one of the three major concerns regarding log management?

Log creation and storage, log protection, log analysis

Bypass/reset BIOS password

Manufacturer's backdoor password; password-cracking software (CmosPwd, DaveGrohl); reset CMOS or remove battery; professional service; keyboard buffer overload

First 8 bits of ESN​

manufacturer's code

Media framework:

media codecs that allow the record and playback of all the media

18 U.S.C. 2252B

misleading domains on Internet

Which inode field determines what the inode describes and the permissions that users have to it?

mode

Cookie Poisoning

modification of information in cookies

ProcDump

monitor applications for CPU spikes and generating crash dumps during a spike so that an administrator or developer can determine the cause of the spike.

Time or role-based approach

monitors computer and user behavior for anomalies

Complete

must either prove or disprove the consensual fact in the litigation

netstat -o

Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.

Law company wants to search for evidence themselves

no, because it might change date/time information. This alteration would prevent a criminal case from moving forward, since evidence is altered.

Mobile country code

Identifies the country of a SIM user internationally on a GSM network.

Tableau T8-R2 Forensic USB Bridge

offers secure, hw-based write blocking of USB storage devices.

Platform as a Service (PaaS)

offers the platform for the development of applications and services. Subscribers need not buy and manage the software and infrastructure underneath it but have authority over deployed applications and perhaps application hosting environment configurations.

RAID 2

The only RAID level that does not implement even one of the standard techniques of parity, mirroring, and striping. Uses a technique similar to striping with parity: it splits data at the bit level and distributes it to numerous data disks and redundancy disks. Hamming Code ECC is used in RAID 2.

Buffer Overflow

overwrites adjacent memory locations

General Packet Radio Service (GPRS)

packet-oriented mobile data service available to the users of GSM and IS-136 mobiles.

Which partition type designates the protective MBR from legacy MBR?

partition of type 0xEE

Recycle Bin

place to store files that are marked for deletion. The exceptions are large files and files from removable media

Attack Reasoning

process of automated reasoning based on the evidence graph

Mobile Switching Center (MSC)

processes calls and messages within a network and routes them between landline and wireless networks.

Cybercrime

refers to "any illegal act that involves a computer, its systems, or its applications."

GUI API

responsible for creating menus and sub-menus in designing applications. It acts as an interface where the developer has a chance of building other plugins.

Data Recovery Pro:

restores deleted emails and email attachments. Deeply scans hard drives, external drives, iPod Shuffle, iPod NANO, and iPod Classic to recover a wide variety of files.

net view

Review file shares to ensure their purpose.
net session: verify the users with open sessions.

Master File

Root of the SIM file system; contains one or more DFs and/or one or more EFs. Identified by 3F00.

PsFile

A command-line utility that can retrieve the list of remotely opened files on a system and allows the investigator to close open files.

Prefetch folder

saves data about programs, so programs load faster at boot

PNG

short for Portable Network Graphics, is a lossless image format intended to replace the GIF and TIFF formats. Supports 24-bit true color, transparency in both the normal and alpha channels as well as indexed/palette-based images of 24-bit RGB or 32-bit RGBA colors and grayscale images. PNG file hex values begin with 89 50 4e, which is the hex value for GIF

nbtstat -c command

shows the contents of the NetBIOS name cache, which contains the NetBIOS name-to-IP address mappings

Process Explorer

shows the information about the handles and DLLs of the processes which have been opened or loaded.

Cross site request forgery

Similar to phishing: the user is made to click on a link.

RAID 0

The simplest RAID level; does not involve any redundancy. It fragments the file into stripes of the user-defined stripe size of the array and then sends these stripes to every disk in the array. RAID 0 offers the best overall performance of the single RAID levels and requires at least 2 drives.

Communication API

simplifies the process of interacting with web services and other applications such as email, internet, and SMS

HKEY_CLASSES_ROOT

subkey of HKEY_LOCAL_MACHINE\Software and contains file extension association information and also programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data.

HFS +

successor of HFS and is a primary file system in Macintosh.

/var/log/auth.log

system authorization information, including user login and authentication mechanism

MSSQL Forensics

take action when a security incident has occurred and detection and analysis of the malicious activities performed by criminals over the SQL database file are required.

FAT (File Deletion)

The OS replaces the first letter of the deleted filename with E5H. Corresponding clusters of that file are marked unused, even though they are not empty. Until these clusters are overwritten, the file can still be recovered.

Evidence Preprocessing

the analysis of assertive types of evidence, such as IDS alerts, into the appropriate format and reduces the repetition in low-level evidence by aggregation.

Steganography

the art of hidden writing, has been in use for centuries. It involves embedding a hidden message in some transport or carrier medium and mathematicians, military personnel, and scientists have been using it.

Evidence Collection

the collection of intrusion evidence from networks and hosts under investigation.

Daubert Standard

the rule of evidence regarding the admissibility of the expert witnesses' testimony during the federal legal proceedings. The trial judges should analyze the proffered expert witnesses to decide whether their testimony is both "relevant" and "reliable".

logon events: 2

title: interactive, description: a user logged on to this computer

Cellebrite UFED Cloud Analyzer

tool provides forensic practitioners with instant extraction, preservation, and analysis of private social media accounts --Facebook, Twitter, Kik, Instagram --file storage and other cloud-based account content that can help speed investigations.

swatch

tool used for monitoring log files produced by UNIX's syslog facility

(UFS) Unix File System

used by UNIX and UNIX-like OS

RAID 5​

uses byte-level data striping across multiple drives and distributes parity information among all member drives. The data writing process is slow. Requires a minimum of 3 drives to set up. The RAID stripes and distributes the error detection and correction code (data and parity code) across three or more drives.

RAID 3​

uses byte-level striping with a dedicated parity disk which stores checksums. Also supports a special processor for parity code calculation. This RAID level cannot cater to multiple data requests simultaneously. If a failure occurs, it enables data recovery by an applicable calculation of the parity bytes and the remaining bytes that relate to them.

Error code 505

usually related to an application installation error or HTTP error, especially on Android OS

NIST has launched the Computer Forensic Tool Testing project (CFTT)

which establishes a "methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware."

ClearPageFileAtShutdown

will clear the page file at system shutdown; possibly deleting valuable data

Surface Manager

manages windows owned by different applications running in different processes

DCFLDD functions that are not possible with DD:

Hashing on-the-fly: dcfldd can hash the input data, helping to ensure data integrity
Status output: dcfldd can update the user on its progress in terms of time or data left
Flexible disk wipes: dcfldd can be used to wipe disks quickly, and with a known pattern if desired
Image/wipe verify: dcfldd can verify that a target drive is a bit-for-bit match
Multiple outputs: dcfldd can output to multiple files or disks at the same time
Split output: dcfldd can split output to multiple files with more configurability than the split command
Piped output and logs: dcfldd can send all its log data and output to commands as well as files natively

Acquiring Data on Linux: dcfldd Command
An advanced dcfldd command looks like:
dcfldd if=/dev/sdb hash=md5,sha256 hashwindow=2G md5log=md5.txt sha256log=sha256.txt \
hashconv=after bs=4k conv=noerror,sync split=2G splitformat=aa of=sdb_image.img

Acquiring Data on Windows: AccessData FTK Imager

CRC-32: Cyclic Redundancy Code algorithm-32 is a hash function based on the polynomial division idea. The resulting hash value or checksum is 32 bits.
MD5: an algorithm used to check data integrity by creating a 128-bit message digest from a data input of any length. Every MD5 hash value is unique to that particular data input.
SHA-1: Secure Hash Algorithm-1 is a cryptographic hash function developed by the NSA and is a US Federal Information Processing Standard issued by NIST. It creates a 160-bit (20-byte) hash value called a message digest. This hash value is a hexadecimal number, 40 digits long.
SHA-256: a cryptographic hash algorithm that creates a unique, fixed-size 256-bit (32-byte) hash. A hash is a one-way function, which means decryption is impossible. Therefore, it is apt for anti-tamper, password validation, digital signatures, and challenge hash authentication.

L0phtCrack

Helps to recover lost Microsoft Windows passwords by using dictionary attacks, hybrid attacks, rainbow tables, and brute-force attacks

New Technology File System (NTFS)

High-performance, self-repairing, with advanced features like file-level security, compression, and auditing
Supports larger and more powerful volume storage solutions like RAID
Can encrypt/decrypt data, uses 16-bit Unicode for multi-language support, maintains fault tolerance via a backup log file
Introduces the concept of metadata and master file tables
Supports files up to 16GB
Uses the MFT (relational database) for file attributes like size, time, date, permissions, and contents

Google Chrome

History, Downloads, Cookies location: C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default
Cache location: C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default\Cache

malware entry routes

IM applications
IRC
Removable devices
Email and attachments
Browser and software bugs
File downloads
Network file sharing
Bluetooth and wireless networks

What file type is FF D8 FF​ E1?

JPEG

Open-Port based

determine the risk of attack by evaluating the list of open ports

IP Address Locating Tools

SmartWhois, ActiveWhois, LanWhois, CallerIP, HotWhois

logon events: 4729

a member was removed from a security-enabled global group

logon events: 4727

a security-enabled global group was created

logon events: 4730

a security-enabled global group was deleted

ISO 9660

a standard that defines uses for file systems of CD-ROM and DVD media.

Which of the following should be considered before planning and evaluating the budget for the forensic investigation case?

Break down costs into daily and annual expenditure
Refer to the investigation expenses in the past
Be aware of updated technology
Use statistics to obtain an idea about the computer crimes that are more likely to occur

Which field type refers to the volume descriptor as a partition descriptor?

Number 0: the volume descriptor is a boot record
Number 1: the volume descriptor is a primary volume descriptor
Number 2: the volume descriptor is a supplementary volume descriptor
Number 3: the volume descriptor is a volume partition descriptor
Number 255: the volume descriptor is a volume descriptor set terminator

Setting Windows Registry Key

"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate" to 1 disables updating of the last-accessed timestamp

How many tracks are typically contained on a platter of a 3.5" HDD?

A 3.5-inch hard disk can contain about a thousand tracks.

Warrantless Seizures

"When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity." United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991). Agents may search a place or object without a warrant or probable cause if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973).

Locard's Exchange Principle

"anyone or anything, entering a crime scene takes something of the scene, and leaves something of themselves behind."

Dxy.ext

"x" denotes the name of drive such as "C," "D," and others; "y" denotes the sequential number starting from one; and .ext is the extension of the original file.

Log FORMAT

%h %l %u %t \"%r\" %>s %b is the common percent-directive log format
%h: client's IP address.
%l: remote log name. Returns a dash unless mod_ident is present and IdentityCheck is set on.
%u: the client user ID.
%t: the time when the server received the request.
\"%r\": the method used for the request-response between client and server, the resource requested by the client (apache_pb.gif), and the protocol used (HTTP/1.0).
%>s: the status code which the server sends back to the client.
%b: the size of the object which the server sends to the client.

What is the last addressable block where negative addressing of the logical blocks starts from the end of the volume in GPT?

-1

netstat[-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]

-a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
-e: Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
-n: Displays active TCP connections; however, addresses and port numbers are expressed numerically, and no attempt is made to determine names.
-o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
-p Protocol: Shows connections for the protocol specified by Protocol. In this case, Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
-s: Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
-r: Displays the contents of the IP routing table. This is equivalent to the route print command.
Use netstat -an to look for suspicious connections, and netstat -ano to also show the process ID.

sqlcmd -S WIN-CQQMK62867E -e -s"," -E

-e is used to echo input
-s is used for column separation
-E is used for a trusted connection

netstat -s

-s: Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.

Tasklist /p (password), /v, /s, /u

/v: Specifies that verbose task information be displayed in the output. Should not be used with the /svc or the /m parameter.
/s Computer: Specifies the name or IP address of a remote computer (do not use backslashes).
/u Domain\User: Runs the command with the account permissions of the user specified by User or Domain\User.

Boot Record Signature (according to EC-Council)

00AA

prefetch

0: prefetch disabled
1: application prefetch enabled
2: boot prefetch enabled
3: application and boot prefetch enabled

Which attribute ID does NTFS set as a flag after encrypting a file where the Data Decryption Field (DDF) and Data Recovery Field (DRF) is stored?

0x100

BMP:

1 bit per pixel to 24 bits, RGBQUAD array (this table does not support bitmaps with 24 bits)

What is the maximum file system size in ext4?

1 EiB

postmortem

1. Investigators perform a postmortem of logs to detect something that has already occurred in a network/device and determine what it is.
2. Here, an investigator can go through the log files a number of times to examine and check the flow of previous runs. Compared to real-time analysis, it is an exhaustive process, since the investigators need to examine the attack in detail and give a final report.

Mac Boot Process

1. Activation of BootROM, which initializes system hardware and selects an operating system to run.
2. BootROM performs POST to test some hardware interfaces required for startup.
3. On PowerPC-based Macintosh computers, Open Firmware initializes the rest of the hardware interfaces.
4. On Intel-based Macintosh computers, EFI initializes the rest of the hardware interfaces.
5. After initializing the hardware interfaces, the system selects the operating system.
6. If the system contains multiple operating systems, it allows the user to choose the particular operating system by holding down the Option key.
7. Once the BootROM operation is finished, control passes to the BootX (PowerPC) or boot.efi (Intel) boot loader, which is located in the /System/Library/CoreServices directory.
8. The boot loader loads a pre-linked version of the kernel, which is located at /System/Library/Caches/com.apple.kernelcaches.
9. Once the essential drivers are loaded, the boot loader starts initialization of the kernel, Mach and BSD data structures, as well as the I/O Kit.
10. The I/O Kit uses the device tree to link the loaded drivers to the kernel.
11. launchd, which has replaced the mach_init process, runs startup items and prepares the system.

Checklist to Prepare for a Computer Forensics Investigation

1. Do not turn the computer off or on, run any programs, or attempt to access data on the computer.
2. Secure any relevant media, including hard drives, cell phones, DVDs, USB drives, etc., that the subject may have used.
3. Suspend document destruction and recycling that may pertain to relevant media or users at the time of issue.
4. Perform a preliminary assessment of the crime scene and identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination.
5. Once the machine is secured, obtain info about the machine, the peripherals, and the network where it was connected.
6. If possible, obtain passwords to access encrypted or password-protected files.
7. Compile a list of names, e-mails, and other info of those with whom the subject might have communicated.
8. If the computer is accessed before the forensic expert is able to secure a mirror image, note the user(s) who accessed it, what files were accessed, and when access occurred. If possible, find out why the PC was accessed.
9. Maintain a chain of custody for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession.
10. Create a list of key words or phrases to use when searching for relevant data.

Windows Boot Process

1. System switches ON; CPU sends a Power Good signal to the motherboard and checks for the computer's BIOS firmware.
2. BIOS starts a POST and loads all the firmware settings from nonvolatile memory on the motherboard.
3. If POST is successful, add-on adapters perform a self-test for integration with the system.
4. The pre-boot process completes with POST detecting a valid system boot disk.
5. After POST, the computer's firmware scans the boot disk and loads the master boot record (MBR), which searches for basic boot information in Boot Configuration Data (BCD).
6. MBR triggers Bootmgr.exe, which locates the Windows loader (Winload.exe) on the Windows boot partition and triggers Winload.exe.
7. Windows loader loads the OS kernel ntoskrnl.exe.
8. Once the kernel starts running, the Windows loader loads HAL.DLL, boot-class device drivers marked as BOOT_START, and the SYSTEM registry hive into memory.
9. Kernel passes control of the boot process to the Session Manager Process (SMSS.exe), which loads all other registry hives and drivers required to configure the Win32 subsystem run environment.
10. Session Manager Process triggers Winlogon.exe, which presents the user logon screen for user authorization.
11. Session Manager Process initiates the Service Control Manager, which starts all the services, the rest of the non-essential device drivers, the security subsystem LSASS.EXE, and Group Policy scripts.
12. Once the user logs in, Windows creates a session for the user.
13. Service Control Manager starts Explorer.exe and initiates the Desktop Window Manager (DWM) process, which sets up the desktop for the user.

American Standard Code for Information Interchange (ASCII)

128 specified characters coded into 7-bit integers. Used for the source code of a program, batch files, macros, scripts, HTML and XML documents. Covers 0 to 9, a-z, A-Z, basic punctuation symbols, and control codes that originated with teletype machines.
The ASCII table has 3 divisions, namely non-printable (system codes between 0 and 31), lower ASCII (codes between 32 and 127), and higher ASCII (codes between 128 and 255).
Graphics files and documents use non-ASCII characters; they are made in word processors, spreadsheet or database programs and sent as email file attachments.

Globally Unique Identifier (GUID)

128-bit unique number generated by Windows, used to identify COM DLLs, primary key values, browser sessions, and usernames. Contains four 16-byte master partition records.

International Mobile Equipment Identifier(IMEI)

15-digit GSM-based unique number on the handset that identifies the mobile equipment. Obtained with *#06#.
Format is AA BBBBBB CCCCCC D
AA: Reporting body ID that allocated the Type Allocation Code (TAC)
BBBBBB: remainder of the TAC (FAC)
CCCCCC: serial sequence of the model (SNR)
D: Luhn check digit of the entire model, or 0 (CD)

Mobile international subscriber directory number (MSISDN):

15-digit number used for international identification of mobile phone numbers, and it contains the country code and nation-wide destination code.

International Mobile Subscriber Identity (IMSI)

15-digit subscriber identification number that defines a subscriber in the wireless world, including the country and mobile network to which the subscriber belongs

Chapter 2 Summary:

3 phases in the Computer Forensics Investigation Process: Pre-investigation, Investigation, and Post-investigation
A CFL is a location designated for conducting a computer-based investigation on the collected evidence
A search warrant is an order from a judge that directs LE to search for a particular piece of evidence at a particular location
Make a duplicate of the collected data so as to preserve the original
To preserve the integrity of the physical evidence, all evidence collected should be handled carefully
All digital evidence must be stored in a container, which must be secured to prevent unauthorized access
Documentation of the electronic crime scene is a continuous process during the investigation that creates a permanent record of the scene
The final report should include what the investigator did during the investigation, and what he or she found

What is the maximum file system size in ext3?

32 TB

Which of the following is the correct number of bytes reserved at the beginning of a CD-ROM for booting a computer?

32,768 bytes

How many bytes each are the logical blocks that HFS divides the volume into?

512

How many bytes is each logical block in GPT?

512

How large is the partition table structure that stores information about the partitions present on the hard disk?

64

Domain Hijacking

Involves stealing a cloud service provider's domain name

HFS restricts the number of allocation blocks to

65535

Rules of Forensics Investigation

A forensic examiner must keep in mind certain rules to follow during a computer forensic examination, as well as to handle and analyze the evidence. This will safeguard the integrity of the evidence and render it acceptable in a court of law. The forensic examiner must make duplicate copies of the original evidence and start by examining only the duplicates. The duplicate copies must be accurate replications of the originals, and the forensic examiner must also authenticate the duplicate copies to avoid questions about the integrity of the evidence. The computer forensic examiner must not continue with the investigation if the examination is going to be beyond his or her knowledge level or skill level. Forensic investigators should memorize the rules listed below.
Limit access to and examination of the original evidence
Record changes made to the evidence files
Create a chain of custody document
Set standards for investigating the evidence
Comply with the standards
Hire professionals for analysis of evidence
Evidence should be strictly related to the incident
The evidence should comply with the jurisdiction standards
Document the procedures applied to the evidence
Securely store the evidence
Use recognized tools for analysis

What is put at the front of a deleted FAT file​:

E5H. E5h is a special tag that indicates the deleted file.

Chapter 12 Summary

An e-mail system consists of e-mail servers and e-mail clients
An e-mail client, also known as a mail user agent (MUA), is a computer program for accessing and managing emails
An e-mail server connects to and serves several e-mail clients
Headers contain significant information regarding the mail, such as sent time, unique identifying numbers, IP address of the sending server, etc.
"Received" headers maintain a record of the detailed log history of the message, and they help to find out the origin of an e-mail, even when other headers have been forged
Online e-mail programs such as AOL, Gmail, and Yahoo! leave the files containing e-mail messages on the computer in different folders such as History, Cookies, Temp, Cache, and Temporary Internet Folder

Chapter 14 Summary

An investigation report provides detailed information on the complete forensics investigation process
An expert witness is a witness who, by virtue of education, profession, or experience, is believed to have special knowledge of his/her subject beyond that of the average person, sufficient that others legally depend upon his/her opinion
Direct examination is the process of a witness being questioned by the attorney who called him or her to the stand
Cross-examination is providing the opposing side in a trial the opportunity to question a witness
Deposition is the process of questioning witnesses prior to a trial, and it is used in the pretrial stages of both civil and criminal cases
Deposition differs from a trial as: both attorneys are present; no jury or judge is present; opposing counsel asks questions
Purpose of a deposition: enables opposing counsel to preview your testimony at trial

What is a form of error correcting code (ECC) used to help calculate the redundant bits in a RAID 2?

Hamming code

Which item describes the following UEFI boot process phase? The phase of EFI consisting of interpreting the boot configuration data, selecting the Boot Policy for later implementation, working with the prior phase to check if the device drivers require signature verification, loading either MBR boot code into memory for Legacy BIOS Boot or the Bootloader program from the EFI partition for UEFI Boot, and providing an option for the user to choose EFI Shell or an UEFI application as the Boot Device from the Setup.

BDS (Boot Device Selection) Phase In this phase, the BDS interprets the boot configuration data and selects the Boot Policy for later implementation. This phase works with the DXE to check if the device drivers require signature verification. In this phase, the system loads MBR boot code into memory for Legacy BIOS Boot or loads the Bootloader program from the EFI partition for UEFI Boot. It also provides an option for the user to choose EFI Shell or an UEFI application as the Boot Device from the Setup.

What stage of the Linux boot process initializes the system hardware and retrieves the information stored in the CMOS (Complementary Metal-Oxide Semiconductor) chip?

BIOS Stage

Linux Boot Process

1. BIOS Stage
a. It initializes the system hardware.
b. The BIOS retrieves the information stored in the CMOS chip and then performs a POST test.
c. BIOS starts searching for the drive or disk which contains the operating system, in a standard sequence.
2. Bootloader Stage
a. Load the Linux kernel and optional initial RAM disk.
b. Load pre-cursor software in a virtual file system called the initrd image or initial RAM disk.
c. System prepares to deploy the actual root file system.
d. System detects the device that contains the file system and loads the necessary modules.
e. Lastly, load the kernel into memory.
3. Kernel Stage
a. The virtual root file system executes the Linuxrc program. This generates the real file system for the kernel and later removes the initrd image.
b. Kernel searches for new hardware and loads any suitable device drivers found.
c. Mounts the actual root file system and then performs the init process.
d. init reads the file "/etc/inittab" and uses this file to load the rest of the system daemons. This prepares the system, and the user can log in and start using it.
e. Bootloaders for Linux are LILO (Linux Loader) and GRUB (Grand Unified Bootloader). These bootloaders allow the user to select which OS kernel to load during boot time.

Error code 502

Bad Gateway

Event correlation approach uses only two variables?

Bayesian or binary

Review Policies and Laws

Before starting the investigation process, investigators need to understand the laws pertaining to the investigation. They must also be aware of the potential concerns associated with Federal laws, State statutes, and local policies and laws before beginning the investigation.

Malware distribution techniques

Blackhat SEO
Social engineering
Clickjacking
Spearphishing
Malvertising (malware-laden advertisements)
Compromising legitimate websites
Drive-by download (browser exploits that install malware)

Android Boot Process

1. Boot ROM is activated and loads the Boot Loader into RAM
2. Boot Loader initializes and then starts the Kernel
3. Kernel initializes interrupt controllers, memory protections, caches, and scheduling. The system can now use virtual memory and launch the user space process (init)
4. Init process launches and is the first process on the device, the parent process. Next, init initializes Zygote, the runtime, and daemon processes; the Android logo appears
5. Zygote is used to spin up new VMs for each app that is started; a new DVM with code sharing across the VMs
6. Runtime requests Zygote to launch the system server, which includes: power manager, battery service, and Bluetooth

Which component of the NTFS architecture is a bootable partition that stores data related to the layout of the volume and the file system structures?

Boot sector: It is a bootable partition that stores data related to the layout of the volume and the file system structures.

iOS Boot Process

1. BootRom initializes some components and checks the signature of LLB (low-level bootloader)
2. LLB is loaded and checks the signature of iBoot (stage-2 boot loader)
3. iBoot is loaded and checks the kernel and device tree signatures (not booted in Device Firmware Upgrade (DFU) mode)
4. Kernel and device trees load. The kernel checks the signatures of all user applications

Automated management

By minimizing the user involvement, cloud automation speeds up the process, reduces labor costs, and reduces the possibility of human error.

Windows Vista, 7, 8, and 10 (recycle bin)

C:\$Recycle.Bin
Files are named $Ry.ext, where "y" is the sequence number and "ext" is the original extension
For the first document file deleted on the C: drive, the name would be: $R0.doc

Collect the database files (.mdf) and log files (.ldf) from:

C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA

to collect the trace files (.trc) or SQL Server error logs

C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\LOG
The SQL Server error logs contain user-defined events and specific system events
The trace files contain the events that occurred on a SQL server and the hosted databases

Windows 98 and earlier FAT (recycle bin)

C:\Recycled (4GB limit)
Files are named Dxy.ext, where "x" is the drive, "y" is the sequence number (0-??) and "ext" is the original extension
For the first document file deleted on the C: drive, the name would be: Dc0.doc

Windows 2000, xp, NT (NTFS) (Recycle Bin)

C:\Recycler\S-(based on Windows SID)
When a user deletes a file or folder, the OS stores all the details of the file, such as its complete path including the original file name, in a special hidden file called "Info" or "Info2" in the Recycle Bin folder. In Windows newer than Vista and XP, the OS stores the complete path and file or folder name in a hidden file called INFO2. INFO2 contains various details of deleted files such as: original file name, original file size, the date and time of deletion, unique identifying number, and the drive number that the file came from.

Microsoft Edge

Cache location: C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache
Cookies location: C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies
History location: C:\Users\Admin\AppData\Local\Microsoft\Windows\History

Rule 614​

Calling and Interrogation of witnesses by the court

Trojan network detection:

Capsa​ can be used for Trojan detection

Deleted and overwritten GUID Partitions

Case 1: In hard disks, the conversion or repartition of an MBR disk to GPT will generally overwrite sector zero with a protective MBR, which deletes all the information about the old partition table. Investigators should follow the standard forensic methods of searching the file systems to recover data about the previous MBR-partitioned volumes.
Case 2: When conversion or repartition of a GPT disk to MBR takes place, the GPT header and tables may remain intact depending on the tool used. Investigators can easily recover or analyze data of such disk partitions. Using general partition deletion tools to delete a partition on a GPT disk deletes the protective MBR only, which investigators can easily recreate by simply reconstructing the disk.

Hardware tools (forensic toolkit)

Cellebrite UFED System
Secure ViewKit for Forensics
DS-Device Seizure & Toolbox
USB reader for SIM cards
iGo 44 DC Lab Power Supply 0-15V/3A Digital Display with Backlight
Paraben's Phone Recovery Stick

%SEC-6-IPACCESSLOGP​

Cisco log message meaning that a packet matching the log criteria for the given access list has been detected (TCP or UDP)

Broad network access

Cloud resources are available over the network and accessed through standard procedures, via a wide variety of platforms, including laptops, mobile phones, and PDAs.

measured service

Cloud systems employ a "pay-per-use" metering method. Subscribers pay for cloud services by monthly subscription or according to the usage of resources such as storage levels, processing power, bandwidth, and so on. Cloud service providers monitor, control, report, and charge consumption of resources by customers with complete transparency.

What data to collect after RAM?

Collect any other volatile data (cache, registries). Non-volatile data that can be collected later includes things like the swap file, slack space, CD-ROM, USB, etc.

Ch 1 summary

Computer forensics refers to a set of procedures and techniques to identify, gather, preserve, extract, interpret, document and present evidence from computing equipment that is acceptable in court
Cybercrime is defined as any illegal act involving a computing device, network, its systems, or its applications. Categorized into two types based on the line of attack: internal attacks and external attacks
Computer crimes pose new challenges for investigators due to their speed, anonymity, the volatile nature of evidence, global origin and differences in laws, and limited legal understanding
Approaches to managing cybercrime investigation include: civil, criminal, and administrative
Digital evidence is "any information of probative value that is either stored or transmitted in a digital form". It is of two types: volatile and non-volatile
Forensic readiness refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs
Organizations often include computer forensics as part of the incident response plan so as to track and prosecute perpetrators of an incident

Which item describes the UEFI boot process phase in which the majority of the initialization occurs?

DXE

Cloud Computing Threats

Data breach or loss
Abuse of cloud services to perpetrate attacks
Insecure interfaces and APIs
Insufficient due diligence
Shared technology issues (PaaS/IaaS; shared HW)
Unknown risk profiles
Inadequate infrastructure design and planning
Conflicts between client hardening procedures and the cloud environment
Loss of operational and security logs
Malicious insiders
Illegal access to the cloud
Privilege escalation, etc.

Chapter 4 Summary

Data acquisition is the use of established methods to extract the ESI from the suspect computer or storage media to gain insight into a crime or an incident
Live data acquisition involves collecting volatile information that resides in registries, cache, and RAM
When collecting volatile information, the collection should proceed from the most volatile to the least volatile
Static data acquisition is defined as acquiring data that resides in the disk drive, USB, DVD, etc., which remains unaltered when the system is powered off or shut down
Select the data acquisition tool that accomplishes the tasks described as mandatory requirements
Contingency plans must be made in case the hardware or software does not work, or in case there is any type of failure during acquisition
Digital evidence validation involves using a hashing algorithm utility to create a binary or hexadecimal number that represents the uniqueness of a data set such as a disk drive or file

Which inode field contains the pointer stating what is described?

Data blocks

Chapter 9 Summary

Database Forensics is the examination of the databases and related metadata in a forensically precise manner to make the findings presentable in the court of law. MSSQL Server stores data and logs in Primary Data Files (MDF), Secondary Data Files (NDF) and Transaction Log Data Files (LDF), respectively. SQL Server data is stored natively within SQL Server, and externally in the Windows machine hosting the server. MySQL is based on a tiered architecture containing subsystems and support components, which work together in order to respond to the queries made to the database server. The MySQL server stores all the databases, status and log files, along with the data managed by the server, under the data directory. The database structure varies depending on the storage engine (MyISAM/InnoDB) used by MySQL.

Analyze web server logs for small/medium website:

Deep Log Analyzer (web analytics for small/medium websites)

FAT (File Allocation Table-16)

Designed for small disks with simple folder structures. Stores all files at the beginning of the volume. Creates two copies of the allocation table for damage recovery. Used in flash, digital cameras, and other portable devices.

Hierarchical File System (HFS)

Developed to replace MFS or Mac File System

Volatile Data Collection Strategy

Devise strategy based on type of data, source(s) of data, type of media, etc.

Type of File Systems

Disk File System - used to store data on disks or other media
Network File System - used to access files on other computers or a NAS (NFS, CIFS, or GFS)
Database File System - used to store and manage files stored on a computer or server
Flash File System - stores files or data in flash memory devices
Tape File System - stores data/files on tape in self-describing form; very slow
Shared Disk File System - external disk array or SAN accessed by servers or workstations
Special Purpose File System - organizes files during run time and uses them for tasks; UNIX uses this.

netstat -n

Displays active TCP connections; however, addresses and port numbers are expressed numerically, and no attempt is made to determine names.

Stat

Displays file or file system status. syntax: stat [option]...file...

CAN-SPAM's main requirements meant for senders

Do not use false or misleading header information
Do not use deceptive subject lines
The commercial e-mail must be identified as an ad
The email must have your valid physical postal address
The email must contain the necessary information regarding how to stop receiving e-mails from the sender in future
Honor recipients' opt-out requests within 10 business days
Both the company whose product is promoted in the message and the e-mailer hired on contract to send messages must comply with the law

Preserving Electronic Evidence

Document the actions and changes observed on the monitor, system, printer, or other electronic devices.
Verify that the monitor is ON, OFF, or in sleep mode
Remove the power cable, depending on the power state of the computer, i.e., ON, OFF, or in sleep mode
Do not turn ON the computer if it is in the OFF state
Take a photo of the monitor screen if the computer is in the ON state
Check the connections of the telephone modem, cable, ISDN, and DSL
Remove the power plug from the router or modem
Remove any portable disks that are available at the scene to safeguard potential evidence
Keep the tape on drive slots and the power connector
Photograph the connections between the computer system and the related cables, and label them
Label every connector and cable connected to the peripheral devices

Malware Tools

Dr. Web Online Scanner, Metascan Online, Bitdefender QuickScan, ThreatAnalyzer, Jotti, IDA Pro, OllyDbg, ESET SysInspector, YAPM, MONIT, OpManager, FCIV, SIGVERIF, Tripwire, FileVerifier++, CSP File Integrity Checker

Where are deleted items stored on Windows Vista and later versions of Windows?

Drive:\$Recycle.Bin

Where are deleted items stored on Windows 98 and earlier versions of Windows?

Drive:\RECYCLED

Know: /proc (list process in Linux)

DumpChk (Microsoft Crash Dump File Checker Tool) is used to perform a quick analysis of a crash dump file and gives you a summary of what the dump file contains. RegEdit is the Registry Editor.

Enterprise Theory of Investigation (ETI)

ETI is a methodology for investigating criminal activity. It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act.

What was the first file system developed for Linux?

EXT

Bit-Stream disk-to-disk

EnCase, SafeBack, Norton Ghost

Virtualization technology

Enables rapid scaling of resources in a way that non-virtualized environments could not achieve.

Volatile Data Collection Strategy

Establish a trusted command shell to minimize footprint and any malware triggers. Establish transmission and storage method. Ensure integrity of tool output with an MD5 hash for admissibility.

Field-based

Event Correlation Approach that uses and compares fields in the data for correlation

rule-based

Event Correlation Approach that uses rules to correlate events

Rule 608

Evidence of character and conduct of witness

Evidence Examiner/Investigator:

Examines the evidence acquired and sorts the useful evidence.

External attacks:

External attacks originate from outside of an organization or can be remote in nature. Such attacks occur when there are inadequate information security policies and procedures.

What component of a typical FAT32 file system contains duplicates of the File Allocation Table to help the system check for empty or idle spaces and detailed information about clusters and their contents including files and directories?

FAT Area. This area holds two duplicates (the number may change) of the File Allocation Table to help the system check for empty or idle spaces. It contains detailed information about clusters and their contents, including files and directories. The extra copies are kept in sync with reads and writes, and replace the first or main FAT when it appears to contain errors or damage.

What component of a typical FAT32 file system consists of data that the file system uses to access the volume and that the system partition uses to load the operating system kernel files?

FAT Partition Boot Sector

Federal Information Security Management Act of 2002 (FISMA)

Federal Information Security Management Act of 2002 that states several key security standards and guidelines, as required by Congressional legislation. FISMA emphasizes the need for each Federal agency to develop, document, and implement an organization-wide program to provide information security for the information systems that support its operations and assets. NIST SP 800-53, Recommended Security Controls for Federal Information Systems, was developed in support of FISMA. NIST SP 800-53 is the primary source of recommended security controls for Federal agencies.

Extended File System (EXT)

First filesystem developed for Linux, in 1992. Metadata structure similar to UFS.

Digital Forensics Challenge

Forensic investigators face many challenges during forensics investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence. For example, system data that an intruder can easily change or destroy should have priority while assembling the evidence.

Further division of the previous categories includes:

Formal; Informal. It is advisable to include the contents of an informal written report in an informal verbal report, and the essentials such as the subject system, tools used, and findings should be summarized in it. If the produced informal written report is destroyed, it is considered destruction or concealment of evidence, which in legal terms is known as spoliation.

power registry key

Found in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power

18 USC 1029

Fraud and related activity in connection with access devices

18 USC 1030

Fraud and related activity in connection with computers

tools

GFI EventsManager, Eventlog Analyzer, Kibana, Syslog-ng, RSYSLOG, Firewall Analyzer, SEC, OSSEC, Ipswitch Log Management, Snare, Loggly, Sumo Logic, ArcSight, Logscape, LogRhythm, Sawmill, McAfee log manager, LogMeister, Sentinel, TripWire, etc.

Steganalysis tools

Gargoyle, StegAlyzerAS/RTS, StegExpose, StegAlyzerSS, Steganography Studio, Virtual Steganographic Lab (VSL), ImgStegano

Error code 504

Gateway timeout

Rule 402

General Admissibility of Relevant Evidence

MySQL server start/stop can be found in what log file?

General Query Log File

Best Practices

Get authorization to conduct the investigation from an authorized decision maker. Document all the events and decisions at the time of the incident and incident response. Depending on the scope of the incident and the presence of any national security issues or life safety issues, the first priority is to protect the organization from further harm.
The following are the Computer Forensics Investigation Methodology:
First Response
Search and Seizure
Collect the Evidence
Secure the Evidence
Data Acquisition
Data Analysis
Evidence Assessment
Documentation and Reporting
Testify as an Expert Witness

Which cmdlet can investigators use in Windows PowerShell to analyze the GUID Partition Table data structure of the hard disk?

Get-GPT

Which cmdlet can investigators use in Windows PowerShell to analyze the GUID partition table to find the exact type of boot sector and display the partition object?

Get-GPT

The MRUListEx is located in this

HKEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

the most recently used documents:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Prefetching

HKLM\SYSTEM\ControlSet00x\Control\Session Manager\Memory Management\PrefetchParameters

Wireless SSIDs

HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation = Time Zones
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{GUID} = Wireless SSIDs

Share Names

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

Enable Write Protection on the Evidence Media

If a hardware write blocker is used: install a write blocker device, then boot the system with the examiner's controlled operating system. Examples of hardware devices: CRU® WiebeTech® USB WriteBlockerTM, Tableau Forensic Bridges, etc.
If a software write blocker is used: boot the system with the examiner's controlled operating system and activate write protection. Examples of software applications: SAFE Block, MacForensicsLab Write Controller, etc.

Dealing with Networked Computer

If the victim's computer has an Internet connection, the first responder must follow the following procedure in order to protect the evidence:
Unplug the network cable from the router and modem; an Internet connection can make it vulnerable to further attack
Don't use the PC for evidence search because it may alter or change the integrity of the existing evidence
Unplug all the cords and devices connected to the computer and label them for later identification
Unplug the main power cord from the wall socket
Pack the collected electronic evidence properly and place it in a static-free bag
Keep the collected evidence away from magnets, high temperature, radio transmitters, and other elements that may damage the integrity of the evidence
Document all the steps involved in searching and seizing the victim's computer for later investigation

Rule 609

Impeachment by evidence of a criminal conviction

Enhanced Data Rates for GSM Evolution (EDGE)

Improved data transmission rates are possible through this backward-compatible digital mobile phone technology. It delivers high bit-rates per radio channel and is used for packet-switched applications.

nbtstat -S

In Windows command prompt, command to analyze NetBIOS over TCP/IP activity

lusrmgr.msc

In Windows command prompt, command to Check for creation of new accounts in administrator group

net use

In Windows command prompt, command to Check if the sessions have been opened with other systems

schtasks.exe

In Windows command prompt, command to Find scheduled and unscheduled tasks on the local host

eventvwr.msc

In Windows command prompt, command to Run Event Viewer to look at the logs

Rainbow Attack

In a rainbow attack, a password hash table called a rainbow table is created in advance and stored in memory. This rainbow table is a table of password hashes created by hashing every possible password and variation thereof, used in a rainbow attack to recover a plaintext password from a captured hash.

Ch 6 summary

In live response, collect the data that is about to change in a short time span. Registry analysis provides more information to the investigator during live response. RAM contents analysis will help the investigator to find hidden things. Gather more information about a suspicious process by dumping the memory it uses. Collect information regarding network connections to and from the affected system. Investigate the processes running on the compromised system and collect info from the Task Manager.

Insecure Storage

In this web application threat, ________________ is due to lack of controls around data storage

Which of the following stakeholders is the first responder for all the security events or occurrences taking place on a cloud?

Incident handler

Chapter 5 Summary

Intruders implement anti-forensics techniques to hinder or prevent the proper forensics investigation process. Anti-forensics techniques include file deletion, password protection, steganography, trail obfuscation, artifact wiping, overwriting data/metadata, encryption, program packers, rootkits, exploiting forensics tool bugs, etc. Intruders may use anti-forensics tools such as Privacy Eraser, QuickStego, CryptaPix, etc. to hide their malicious activities from being caught. Strictly implementing countermeasures against anti-forensics may enable an investigator to successfully deal with a case.

Which of the following stakeholders is responsible for conducting forensic examinations against allegations made regarding wrongdoings, found vulnerabilities, and attacks over the cloud?

Investigators

Build a Forensics Workstation

Investigators build forensic workstations to perform the forensic investigation on mobile devices. The workstation includes hardware and software tools in the lab such as laptop or desktop computer, USB connector, FireWire, mobile forensics toolkit, cables (including Bluetooth and IR), SIM card reader, and micro-SD memory card reader

DNS Poisoning

Involves diverting users to a spoofed website by poisoning the DNS server or the DNS cache on the user's system

Domain Snipping

Involves registering an elapsed domain name

Internal Phone Memory

It includes data stored in RAM, ROM, or flash memory. It stores the mobile phone's OS, applications, and data. The investigator can extract information from internal phone memory using AT commands with the help of a USB cable, infrared, or Bluetooth.

PUB.EDB:

It is a database file to store public folder hierarchies and contents

Malicious Code:

It is a piece of code that defines basic functionality of the malware and comprises commands that result in security breaches.

PRIV.EDB:

It is a rich text database file that contains message headers, message text, and standard attachments.

PRIV.STM:

It is a streaming Internet content file containing video, audio, and other media stored as MIME streams.

MIME

It is an Internet standard that extends the email format to support the following:
Text in non-ASCII character sets
Attachments other than text, like application programs, images, audio, video, etc.
Multiple-part message bodies
Non-ASCII character set header information

Packer

It is software that compresses the malware file to convert the code and data of malware into an unreadable format

webkit

It is the browser engine used to display web pages

Live Data Acquisition

It is the process of acquiring volatile data from a working computer (either locked or in sleep condition) that is already powered on. Volatile data is fragile and lost when the system loses power or the user switches it off. Such data reside in registries, cache, and RAM. Since RAM and other volatile data are dynamic, a collection of this information should occur in real time.

RAID Level 0: Disk Striping

It is the simplest RAID level, which does not involve any redundancy; it fragments the file into stripes of the user-defined stripe size of the array and then sends these stripes to every disk in the array. Because RAID 0 has no redundancy, it offers the best overall performance characteristics of the single RAID levels. Requires at least two drives.

LogonSessions

It lists the currently active logged-on sessions and, if you specify the -p option, it can provide you the information of processes running in each session.

Base Transceiver Station (BTS):

It manages the transceiver's equipment and performs channel assignment. It is part of the GSM architecture, which controls one or more base transceiver stations and the cell site's radio signals in order to reduce the load on the switch

Temporal Analysis

It produces a sequential event trail, which sheds light on important factors such as what happened and who was involved

functional analysis

It provides a description of the possible conditions of a crime. It testifies to the events responsible for a crime in relation to their functionalities

Cloud as a subject

It refers to a crime in which the attackers try to compromise the security of a cloud environment to steal data or inject a malware. Ex: Identity theft of cloud user's accounts, unauthorized modification or deletion of data stored in the Cloud, installation of malware on the cloud, etc.

FreeType

It renders the bitmap and vector fonts

Chapter 11 Summary

Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for the purpose of theft or fraud. Components of a malware software rely on the requirements of the malware author, who designs it for a specific target to perform the intended tasks. Malware forensics deals with identifying and capturing malicious code, and evidence of its effect on the infected system. To analyze malware, a dedicated laboratory system is required, which can be infected while keeping the production environment safe. Performing malware analysis enables you to know the type of malware, how it works, its behavior, and its impact on the target system. Static analysis/code analysis involves going through the executable binary code without actually executing it, to have a better understanding of the malware and its purpose. Dynamic analysis/behavioral analysis involves executing the malware code to know how it interacts with the host system and its impact on it.

Email client to view DBX files

Microsoft Outlook Express DBX files

Chapter 13 Summary

Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions.
Diversity in the mobile OS architecture may impact the forensics analysis process.
Knowledge of the mobile OS booting process helps investigators to gain lower-level access.
Mobile storage and evidence locations include: internal memory, SIM card, and external memory.
Identifying cell phone brand, model, OS, and network service provider assists in choosing an appropriate forensics tool for data acquisition.
Rooting/Jailbreaking provides privileged control (known as "root access") within the device's subsystem, enabling data acquisition.
Standard tools such as Cellebrite UFED Touch can be used to prepare the mobile forensics report.

Second Extended File System (Ext2)

Most successful file system for Linux and the basis for all Linux distros. Data is stored in blocks of the same length, set during creation.

Which information held by the superblock allows the system to determine if the file system needs to be fully checked and increments each time the system places access to the file system?

Mount Count

Cache, cookies, and History

Mozilla Firefox - Cache, Cookies, and History are stored in the following system locations:
Cache Location: C:\Users\<Username>\AppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\cache2
Cookies Location: C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\cookies.sqlite
History Location: C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\places.sqlite

/var/log/mysql*

MySql server logs

Which of the following is NOT a type of flash-based memory?

NAND-based SSD Volatile RAM-based SSD

Netstat -ano option

Netstat tool helps in collecting information about network connections operative in a Windows system. The most common way to run Netstat is with the -ano switches. These switches tell the program to display the TCP and UDP network connections, listening ports, and the identifiers of the processes (PIDs). -r routing table, -e ethernet stats, -p Protocol

Social Media Website Tools

Netvizz, twecoll, divud, Digitalfootprints, Netlytic, X1 Social Discovery, Facebook Forensic Software H&A forensics, Geo360, Navigator by LifeRaft Social, Emotive, etc.

Which architectural layer of mobile device environments allows a mobile device to communicate with the network?

Network

ch 7 summary

Network forensics is the capturing, recording, and analyzing of network traffic and event logs to discover the source of security attacks. Network Addressing Schemes are of two types: LAN and Internetwork Addressing. Log files are the primary recorders of a user's activity on a system and of network activities. Routers store network connectivity logs with details such as date, time, source and destination IPs and ports used, which help investigators verify the timestamps of an attack and correlate various events to find the source and destination IP. Investigators analyze network traffic to locate suspicious traffic, find the network generating the troublesome traffic, and identify network problems. Gathering evidence on a network is cumbersome because the evidence is not static and not concentrated at a single point on the network.

Which item describes the following UEFI boot process phase? The phase of EFI consisting of initializing the CPU, temporary memory, and boot firmware volume (BFV), locating and executing the modules that initialize all the found hardware in the system, and creating a Hand-Off Block List with all found resource interface descriptors.

PEI (Pre-EFI Initialization) Phase. The PEI phase initializes the CPU, temporary memory, and boot firmware volume (BFV). It locates and executes the Pre-EFI Initialization Modules (PEIMs) present in the BFV so as to initialize all the found hardware in the system. Finally, it creates a Hand-Off Block List with all found resource interface descriptors and passes it to the next phase, i.e. the DXE phase.

ISO 13490

Supports POSIX attributes and multi-byte characters. An efficient format that allows incremental recording and also permits the ISO 9660 format and the ISO/IEC 13490 format to exist on the same media. Specifies the proper use of multisession recording.

Exploit

Part of the malware that contains code or sequence of commands that can take advantage of a bug or vulnerability in a digital system or device.

Payload

Part of the malware that performs desired activity when activated

Application Password Cracking

Passware Kit, SmartKey, Advanced Office Password Recovery (all versions of Office), Office password recovery

Criminal and Admin

Porn images from a company computer

Computer Investigation Phases

Pre-investigation Phase Investigation Phase Post Investigation Phase

Proprietary Format

Unlike the raw format and the Advanced Forensic Format, which are open-source formats, proprietary formats are vendor-specific and can change from one vendor to another based on the features they offer.
Saves space on the target drive and allows compression of image files of a suspect drive
Allows splitting an image into smaller segmented files
Ensures data integrity by applying data integrity checks on each segment while splitting
Can integrate metadata into the image file, such as date and time of the acquisition, examiner or investigator name, the hash value of the original medium or disk, and case details or comments

Policy Verification

Read and examine all policies signed by the user of the suspect computer. Determine the forensic capabilities and limitations of the investigator by determining the legal rights of the user.

Volatile Data Collection Process

Record time, date, and command history, and do so when using tools/commands. Document forensic activities and do not restart or shut down until complete. Maintain a log of all actions performed, photograph the screen, identify the OS. Check the system for use of encryption, dump RAM to sterile storage. Complete a full report of steps taken and evidence gathered.

File recovery tools for Windows

Recover My Files, EaseUS, DiskDigger, Handy Recovery, Quick Recovery, Stellar Phoenix, Total Recall, Advanced Disk Recovery, Windows Data Recovery Software, R-Studio, Orion File Recovery, Data Rescue PC, Smart Undeleter, DDR Professional, GetDataBack, UndeletePlus, File Scavenger, VirtualLab, Active@UNDELETE, WinUndelete, R-Undelete, Recover4all, Recuva, Active@ File Recovery, Pandora Recovery, Ontrack EasyRecovery, Wise Data Recovery, Glary Undelete, Disk Drill, PhotoRec

Disk Drill (Windows or Mac):

Recovers data from internal and external hard drives, USB, iPod, memory cards. Recovers files from partition loss, hard drive reformatting, failed bootup, accidental deletion, Recycle Bin cleanup, and memory card corruption.

iOS Jailbreaking tool:

RedSn0w (tip: anything with Root in the name is Android)

Registry Tools

RegRipper ProDiscover ProcessMonitor RegScanner RegEdit Registry Viewer

Registry Tools include:

RegRipper, ProDiscover, Process Monitor, RegScanner, RegEdit, Registry Viewer, jv16

NTUSER.DAT file

Registry keys that track a user's activities can be found in the

Post-Investigation Phase

Reporting and documentation of all the actions undertaken and the findings during the course of an investigation. Ensure that the target audience can easily understand the report and that the report provides adequate and acceptable evidence. The report should comply with all local laws and standards; it should be legally sound and acceptable in the court of law.

Rule 1002

Requirement of Original. Original is required to prove the content of a writing, recording, or photograph.

What component of a typical FAT32 file system contains a Volume Boot Record that comprises the BIOS Parameter Block (BPB) including basic file system information, such as file system type, pointers to the position of the other sections, and the OS's boot loader code?

Reserved Area The first reserved sector is the Volume Boot Record or VBR, which comprises the BIOS Parameter Block (BPB) containing basic file system information, such as type of file system and pointers to the position of the other sections as well as the operating system's boot loader code.

Incident Responder

Responsible for the measures taken when an incident occurs, securing the incident area and collecting the evidence that is present at the crime scene. He or she should disconnect the system from other systems to stop the spread of an incident

When an attack occurs, what to do?

Run Event Viewer to look at the logs: C:\> eventvwr.msc
Check if the following suspicious events have occurred: Event log service ends; Windows File Protection is inactive on the system; the MS Telnet Service is running
Find if the system has failed login attempts or locked-out accounts
Review file shares to ensure their purpose: C:\> net view <IP Address>
Verify the users using open sessions: C:\> net session
Check if the sessions have been opened with other systems: C:\> net use
Analyze NetBIOS over TCP/IP activity: C:\> nbtstat -S
Find if TCP and UDP ports have unusual listening: C:\> netstat -na
Find scheduled and unscheduled tasks on the local host: C:\> schtasks.exe
Check for creation of new accounts in the administrator group: C:\> lusrmgr.msc
See if any unexpected processes are running in Task Manager: Start -> Run -> taskmgr -> OK
Look for unusual network services: C:\> net start
Check file space usage to look for a sudden decrease in free space: C:\> dir

Following are the steps to detect rootkits by examining the registry

1. Run regedit.exe from inside the potentially infected OS.
2. Export the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM hives in text file format.
3. Boot into a clean CD (such as WinPE).
4. Run regedit.exe.
5. Create a new key such as HKEY_LOCAL_MACHINE\Temp.
6. Load the Registry hives named Software and System from the suspect OS. The default location will be c:\windows\system32\config\software and c:\windows\system32\config\system.
7. Export these Registry hives in text file format. (The Registry hives are stored in binary format, and Steps 6 and 7 convert the files to text.)
8. Launch WinDiff from the CD, and compare the two sets of results to detect file-hiding malware (i.e., invisible inside, but visible from outside).

In a buffer overflow attack, attackers use buffer overflows in order to inject and run code in the address space of a running program, thereby successfully altering the victim program's behavior.

Privacy Eraser is an anti-forensic solution to protect the privacy of the user by deleting the browsing history and other computer activities. The software implements and exceeds the US Department of Defense and NSA clearing and sanitizing standards, giving you the confidence that once erased, your file data is gone forever and can never be recovered.

The information about the system users is stored in which file?

SAM

Software Tools

SEARCH Investigative Toolbar, SIMiFOR, AS 001 Micron Data Recovery, *SIM Explorer, BitPim, *Oxygen Forensics Analyst, Paraben's Sim Card Seizure, *MOBILedit! Forensic, TULP2G, iDEN Phonebook Manager, SUMURI's PALADIN, floAt's Mobile Agent, XRY Logical & XRY Physical, Forensic Explorer (for file carving), Scalpel (file carving for iPhone), Phone Image Carver, *Blade Professional, Autopsy, FTK Imager/EnCase/SMART (for imaging), iExplorer (to bypass iPhone passcode), *ViaExtract, ADB (bypass Android passcode), SIMIS 2.0, SIMulate, SIMXtractor, Last SIM, USIM Detective, SIM Query, SQLite Database extraction, Andriller

Which item describes the following UEFI boot process phase? The phase of EFI consisting of initialization code the system executes after powering the system on, manages platform reset events, and sets the system state.

SEC

Brute force has taken out Domain Controller, where should you look next?

SIEM (could show you a large number of failure audits for a Brute Force dictionary type attack)

Types of Event Correlation

Same-Platform: same OS
Cross-Platform: different OS for desktop, server, and network gear
Transmission of Data: transmitting securely with authentication and encryption
Normalization: after data is transmitted, return it to a common format for use
Data Reduction: reducing or removing data for faster correlation

Cloud Computing Attacks

Service Hijacking using Social Engineering; Session Hijacking; DNS Attacks; SQL Injection; Wrapping (SOAP/TLS exploit); Side Channel or Cross-guest VM attacks; Cryptanalysis; DoS/DDoS

Error code 503

Service Unavailable

netstat

Show active network connections

netstat -p

Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.

How many bytes is each partition entry in GPT?

Each GPT partition entry is 128 bytes. UEFI reserves a minimum of 16,384 bytes for the Partition Entry Array (128 entries of 128 bytes). On a disk with 512-byte sectors the array occupies 32 sectors; after the protective MBR (LBA 0) and the GPT header (LBA 1), LBA 34 is therefore the first usable sector.

SWGDE Standard 1.4

The agency must maintain written copies of the appropriate technical procedures.

MySQL

MySQL has a tiered architecture: a combination of subsystems and support components that interact with one another to read, parse, and execute the queries sent to the database server and return the results. MySQL is an open-source relational database that supports ACID transactions (Atomicity, Consistency, Isolation, Durability). With replication enabled, data entered in a MySQL database is duplicated and stored on multiple servers. The default data directory on Windows machines is C:\ProgramData\MySQL\MySQL Server 5.n\data (or) C:\mysql\data

Best Evidence Rule

The best evidence rule requires the original evidence to be produced, to prevent any alteration of digital evidence, either intentional or unintentional. A duplicate will also suffice as evidence under the following conditions: the original evidence was destroyed by fire or flood; the original evidence was destroyed in the normal course of business; the original evidence is in the possession of a third party.

Chapter 3 Summary

The disk drive is a hardware device that reads data from a disk and writes data onto it. Types of disk drives include magnetic storage devices, optical storage devices, and flash memory devices.
The HDD is a non-volatile, random-access digital data storage device used in any computer system.
An SSD is a data storage device that uses solid-state memory to store data and provides access to the stored data in the same manner as an HDD.
Slack space is the area of a disk cluster between the end of the file and the end of the cluster (the last cluster allocated to a file is rarely filled completely).
A master boot record (MBR) is the first sector ("sector zero") of a data storage device such as a hard disk.
Booting refers to the process of starting or resetting the operating system when the user turns on a computer system. It is of two types: cold boot (hard boot) and warm boot (soft boot).
The file system is a set of data types employed for storage, hierarchical categorization, management, navigation, access, and recovery of data.
File carving is a technique to recover files and fragments of files from unallocated space of the hard disk in the absence of file metadata.

Build the Investigation Team

The investigation team consists of persons who have expertise in responding to incidents and in seizing, collecting, and reporting evidence from mobile devices. It includes the expert witness, evidence manager, evidence documenter, evidence examiner/investigator, attorney, photographer, incident responder, decision maker, and incident analyzer.

Jury Orders:

Jury instructions: the judge educates the jury about the points of law related to the case. They can be presented either before or after the closing statements. They are intended to assist the jury in applying specific laws to the facts of the case, and the jury must follow them when deliberating.

Investigation Phase

The main phase of the computer forensics investigation, performed by professionals: acquisition, preservation, and analysis of the data to identify the source of the crime and the culprit. It applies technical knowledge to find evidence, examine it, document it, and preserve the findings.

Hybrid Attack

This type of attack combines a dictionary attack with brute force. Often, people change their passwords by just adding numbers to their old passwords. In this attack, the program appends numbers and symbols to the words from the dictionary. For example, if the old password is "system", the user may have changed it to "system1" or "system2."

Rule Based Attack

This type of attack is used when an attacker already has some information about the password. He or she can then write a rule so that the password-cracking software will generate only passwords that meet this rule. For example, if the attacker knows that all passwords on a system consist of six letters and three numbers, he or she can craft a rule that generates only these types of passwords. This is considered the most powerful attack

network

To communicate over the network, data must pass down through the protocol layers on the sender, travel across the network, and pass back up the layers on the receiver to reach its destination.

Scientific Working Group on Digital Evidence (SWGDE)Principle 1

To ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement, and forensic organizations must establish and maintain an effective system for quality control.

Testifying Expert:

To present testimony whenever required during the trial.

Downloader:

Type of Trojan that downloads other malware (or) malicious code and files from the Internet on to the PC.

Volatile Data

Volatile data refers to the temporary information on a digital device that requires a constant power supply and is deleted if the power supply is interrupted. Important volatile data includes system time, the logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.

Metasploit

WaffenFS, FragFS, RuneFS, Slacker: anti-forensic tools from the Metasploit Anti-Forensics Project. Slacker hides data in the slack space of FAT or NTFS file systems, WaffenFS stores data in the EXT3 journal file, FragFS hides data within the NTFS Master File Table, and RuneFS stores data in blocks marked as bad. The only one of these mentioned in the EC-Council text for Metasploit is Timestomp, which modifies, edits, or deletes the date and time metadata of files to make it useless to investigators.

Ch 8 summary

Web applications provide an interface between the end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.
An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome.
Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data.
Computer security logs contain information about the events occurring within an organization's systems and networks.
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.
Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity.

What layer of web application architecture contains components that parse the request (HTTP Request Parser) coming in and forwards the response back?

Web layer

Top Threats

Web/network based attacks Malware Social Engineering Resource Abuse Data Loss Data Integrity threats

/var/log/dpkg.log

What is the Linux log location that would contain package installation or removal logs

What happens when a file is deleted in Windows?

When a user deletes a file, the OS does not wipe the file's contents; it only marks the file's entry and its clusters as available for reuse. On FAT the first byte of the directory entry is overwritten with 0xE5; on NTFS the file's record in the Master File Table (MFT) has its in-use flag cleared and its clusters are marked free in $Bitmap. The data stays on disk until that space is overwritten, which is why deleted files can often be recovered.

Artifacts Left by Dropbox Client

When a user installs Dropbox the program files are saved at C:\Program Files (x86)\Dropbox. Configuration is stored in C:\Users\<username>\AppData\Local\Dropbox\instance(n). The system uses C:\Users\<username>\Dropbox as the default folder to sync files. ***You can use "WhatChanged" as a tool to see what programs add to the registry, or Magnet IEF for other data gathering on PCs, phones, and tablets***

Artifacts Left by Google Drive Client

When a user installs Google Drive the program files are saved at C:\Program Files (x86)\Google\Drive. Configuration and logs are stored in C:\Users\<username>\AppData\Local\Google\Drive\user_default. The system uses C:\Users\<username>\Google Drive as the default folder to sync files.

Edge stores history records, Cookies, HTTP POST request header packets and downloads in

\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
If the last browsing session open was in PrivacIE (InPrivate) mode then the browser stores these records in:
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\{browsing-session-ID}.da

ESE database

\Users\username\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.eb

Edge Last Active Browsing Session

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\

Trace files:

\\Microsoft SQL Server\MSSQL11.MSSQLSERVER \MSSQL\LOG\LOG_#.TRC

Database & logs files

\\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\*.MDF | *.LDF

SQL Server error logs:

\\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\LOG\ERRORLOG
Investigators can track volatile database information such as the login sessions of an account and its transactions using ApexSQL DBA's ApexSQL Audit application. This is essentially the only tool mentioned.
To initialize connection with the server (WIN-CQQMK62867E

Internet Information server IIS

Microsoft's web server for Windows. It runs on the server, responds to requests from browsers and other clients, and supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP.

Eprocess​

a data structure that stores attributes of a process as well as pointers to the attributes and the data structures

account management events: 4728

a member was added to a security-enabled global group

Exhibit numbering:

aaa/ddmmyy/nnnn/zz. aaa is the initials of the forensic analyst or investigator seizing the equipment; ddmmyy is the date of the actual seizure; nnnn is the sequential number of exhibits seized by the forensic analyst/investigator, starting with 001 and going to nnnn; zz is the sequence number for parts of the same exhibit (i.e. A could be the CPU, B the monitor, C the mouse, D the keyboard, etc.)

aaa/ddmmyy/nnnn/zz.

aaa: are the initials of the forensic analyst or law enforcement officer seizing the equipment. dd/mm/yy is the date of seizure. nnnn is the sequential number of the exhibits seized by aaa, starting with 001 and going to nnnn. zz is the sequence number for parts of the same exhibit (e.g., 'A' could be the CPU, 'B' the monitor, 'C' the keyboard, etc.)

/var/log/mail.*

all mail server message logs

Pre-Investigation Phase

all the tasks performed prior to the commencement of the actual investigation: setting up a computer forensics lab (CFL), toolkit, and workstation; building the investigation team and getting approval from the relevant authority; planning the process, defining mission goals, and securing the case perimeter and the devices involved.

/var/log/user.log

all user level logs

Service Provider Search Warrant

allows first responders or investigators to consult the service provider and obtain the available victim's computer information and Service records, Billing records, Subscriber information

GUID Partition Table (GPT)

allows for disks larger than 2 TB and up to 128 partitions on Windows. Partition and boot data are more secure than with MBR: GPT stores a CRC32 checksum for the header and for the partition table, so corruption or tampering can be detected, and keeps a backup header and partition table at the end of the disk.
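The two GPT cards above (the 128-byte entries that put the first usable sector at LBA 34, and the CRC32 checksums on the header and partition table) can be worked through in code. The following Python is an added example written for this deck, not from the UEFI specification text or any forensic tool: it computes the first usable LBA for a given sector size, builds a primary GPT header and a single constructed EFI System partition entry, and verifies the signature and both CRC32 fields the way an examiner checks an image for tampering. The 512 MiB disk, the partition bounds and the disk GUIDs are constructed values.

```python
import struct
import uuid
import zlib
from typing import List, Tuple

GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte header at LBA 1, little-endian
GPT_HEADER_SIZE = struct.calcsize(GPT_HEADER_FMT)
GPT_ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry
# EFI System partition type GUID, used for the one constructed partition below
ESP_TYPE_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def first_usable_lba(sector_size: int = 512, entry_count: int = 128, entry_size: int = 128) -> int:
    """LBA 0 = protective MBR, LBA 1 = GPT header, then the partition entry array."""
    array_bytes = entry_count * entry_size            # 16,384 bytes by default
    array_sectors = -(-array_bytes // sector_size)    # ceiling division
    return 2 + array_sectors                          # 34 on 512-byte sectors, 6 on 4 KiB


def build_partition_entry(type_guid: uuid.UUID, first_lba: int, last_lba: int,
                          name: str, attributes: int = 0) -> bytes:
    """GUIDs are stored mixed-endian on disk, which is what UUID.bytes_le gives."""
    return struct.pack(GPT_ENTRY_FMT, type_guid.bytes_le, uuid.uuid4().bytes_le,
                       first_lba, last_lba, attributes, name.encode("utf-16-le"))


def build_gpt_header(disk_sectors: int, partition_array: bytes, sector_size: int = 512,
                     entry_count: int = 128, entry_size: int = 128) -> bytes:
    """Primary GPT header with both CRC32 fields filled in."""
    first_usable = first_usable_lba(sector_size, entry_count, entry_size)
    array_sectors = first_usable - 2
    last_usable = disk_sectors - 2 - array_sectors    # backup array + backup header at the end
    fields = [GPT_SIGNATURE, 0x00010000, GPT_HEADER_SIZE, 0, 0,
              1, disk_sectors - 1, first_usable, last_usable,
              uuid.uuid4().bytes_le, 2, entry_count, entry_size,
              crc32(partition_array[:entry_count * entry_size])]
    fields[3] = crc32(struct.pack(GPT_HEADER_FMT, *fields))   # computed with its own field zeroed
    return struct.pack(GPT_HEADER_FMT, *fields)


def verify_gpt(header: bytes, partition_array: bytes) -> List[str]:
    """Integrity problems found in a header + entry array (empty list = checks out)."""
    problems = []
    f = struct.unpack(GPT_HEADER_FMT, header[:GPT_HEADER_SIZE])
    signature, header_size, header_crc = f[0], f[2], f[3]
    entry_count, entry_size, array_crc = f[11], f[12], f[13]
    if signature != GPT_SIGNATURE:
        problems.append("bad signature")
    zeroed = header[:16] + b"\x00\x00\x00\x00" + header[20:header_size]
    if crc32(zeroed) != header_crc:
        problems.append("header CRC32 mismatch")
    if crc32(partition_array[:entry_count * entry_size]) != array_crc:
        problems.append("partition array CRC32 mismatch")
    return problems


def list_partitions(partition_array: bytes, entry_size: int = 128) -> List[Tuple[str, int, int, str]]:
    """(type GUID, first LBA, last LBA, name) for every entry whose type GUID is not all zero."""
    out = []
    for off in range(0, len(partition_array), entry_size):
        type_raw, _uniq, first, last, _attr, name = struct.unpack(GPT_ENTRY_FMT, partition_array[off:off + entry_size])
        type_guid = uuid.UUID(bytes_le=type_raw)
        if type_guid.int == 0:
            continue                                   # unused entry
        out.append((str(type_guid).upper(), first, last, name.decode("utf-16-le").rstrip("\x00")))
    return out


def build_sample_disk(sector_size: int = 512, disk_sectors: int = 1_048_576):
    """Constructed 512 MiB layout with one ESP at LBA 2048; not taken from a real device."""
    array = build_partition_entry(ESP_TYPE_GUID, 2048, 206_847, "EFI System").ljust(128 * 128, b"\x00")
    return build_gpt_header(disk_sectors, array, sector_size), array


if __name__ == "__main__":
    header, array = build_sample_disk()
    print("first usable LBA (512 B sectors):", first_usable_lba(512))
    print("first usable LBA (4 KiB sectors):", first_usable_lba(4096))
    print("partitions:", list_partitions(array))
    print("problems:", verify_gpt(header, array))
```

On a real image, read 92 bytes from LBA 1 and 16,384 bytes from LBA 2 and feed them to verify_gpt; a CRC mismatch with an intact signature is the classic sign of a hand-edited partition table.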

Electronic storage device warrant

allows the first responder to search and seize the victim's computer components such as HW/SW, Storage devices, Documentation

PsLogList

allows users to log in to remote systems in situations when the current set of security credentials would not permit access to the Event Log. It retrieves message strings from the computer on which the event log resides. By default it shows the contents of the System Event Log on the local computer and allows formatting of Event Log records.

RAID 10

also known as RAID 1+0, is a combination of RAID 0 (Striping Volume Data) and RAID 1 (Disk Mirroring) to protect data. It requires at least four drives to implement. It has same fault tolerance as RAID level 1 and the same overheads as mirroring alone. It allows mirroring of disks in pairs for redundancy and improved performance, and then stripes data across multiple disks for maximum performance. The user retrieves data from the RAID if one disk in each mirrored pair is working; however, if two disks in the same mirrored pair fail, the data is not available

Uuencode

also known as UNIX-to-UNIX encoding or Uuencode/Uudecode, is a utility for encoding and decoding files shared between users or systems using the UNIX operating systems. It is also available for all other operating systems, and many e-mail applications offer it as an encoding alternative, especially for e-mail attachments. While sending e-mails with attachments, if the recipient(s) do not have an MIME-compliant system, the Uuencode should be used to send the attachment as an e-mail note.

Log tampering

an attempt to cover your tracks

Real-Time Analysis

an ongoing process, which returns results simultaneously, so that the system or operators can respond to the attacks immediately.

Tempest

an unclassified short name referring to investigations and studies of compromising emanations. Compromising emanations are unintentional intelligence-bearing signals that if intercepted and analyzed will disclose classified information when it is transmitted, received, handled, or otherwise processed by any information processing equipment.

Static Analysis

analysis of malware without executing the code or instructions. Includes file fingerprinting (HashMyFiles), local and online scanning (VirusTotal), string searches (Strings, Resources Extract, BinText), identifying obfuscation and packers (PEiD), portable executable analysis (Anubis), identifying file dependencies, and malware disassembly.

/var/log/apache2/*

apache web server logs

Tracks

are concentric rings on the platters that store data; each track is divided into smaller units called disk blocks or sectors. Under classic CHS addressing, track (cylinder) numbering starts at 0 and goes to 1023.

Apache web server

core modules are http_protocol, http_main, http_request, http_core, alloc, and http_config

Clusters

are the smallest accessible/logical storage units on the hard disk. Clusters are formed by combining sectors in order to ease the process of handling files. Also called allocation units, clusters are groups of 2 to 32, or more, contiguous sectors, depending on the formatting scheme.

Sectors

are the smallest physical storage units located on a hard disk platter and are traditionally 512 bytes long. Advanced Format drives replace eight 512-byte sectors with one 4096-byte (4 KB) sector, which is more efficient.

Event Aggregation

called event de-duplication. It compiles the repeated events to a single event and avoids duplication of the same event.

AcessData FTK

can read dd image files (iLook can also read dd image files), can calculate MD5 hash values and ensure data integrity, is a court-cited digital investigations platform that provides processing and indexing up front so filtering and searching is fast, can be set up for distributed processing and incorporate web-based case management and collaborative analysis, and can create an image of a phone memory card.

Data Recovery Stick

can recover deleted files.

Drivespy​

carries out data acquisition and duplication

net use​

check if sessions have been opened with other systems

18 USC 2252​A

federal child pornography law (certain activities relating to material constituting or containing child pornography)

Platters

circular metal disks mounted into a drive enclosure

RAID 10 (1+0)​

combination of RAID 0 (striping volume data) and RAID 1 (disk mirroring) to protect data; requires at least 4 drives to implement; has the same fault tolerance as RAID level 1 and the same overheads as mirroring alone. It mirrors disks in pairs for redundancy and improved performance and then stripes data across multiple disks for maximum performance. The user retrieves data from the RAID if one disk in each mirrored pair is working; however, if two disks in the same mirrored pair fail, the data is not available.

Syllable Attack

combination of both a brute force attack and a dictionary attack. This is often used when the password is a nonexistent word. The attacker takes syllables from dictionary words and combines them in every possible way to try to crack the password.
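The hybrid, rule-based and syllable attacks described in the three cards above differ only in how candidates are generated before each one is hashed and compared. The following Python is an added example for this deck, not code from any password-cracking tool: a generator for each attack (the rule is expressed as a mask such as ?l?l?d?d, the way cracking tools do it), plus a loop that hashes candidates with SHA-256 until one matches. The wordlist, syllable list and target hashes are constructed for the example.

```python
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional

# Constructed dictionary and syllables (not a real wordlist)
WORDLIST = ["system", "password", "admin"]
SYLLABLES = ["sys", "tem", "pass", "word", "ad", "min"]

# Character classes for rule masks, in the style used by cracking tools
MASK_CLASSES = {"?l": string.ascii_lowercase, "?u": string.ascii_uppercase,
                "?d": string.digits, "?s": "!@#$%"}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def hybrid_candidates(words: Iterable[str], max_digits: int = 2, symbols: str = "!@#") -> Iterator[str]:
    """Dictionary words plus the numeric/symbol suffixes users bolt on: system -> system1, System12!"""
    for word in words:
        for base in (word, word.capitalize()):
            yield base
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    with_digits = base + "".join(digits)
                    yield with_digits
                    for sym in symbols:
                        yield with_digits + sym


def mask_candidates(mask: str) -> Iterator[str]:
    """Rule-based: only strings matching a known structure, e.g. '?l?l?l?d?d?d' = 3 letters + 3 digits."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    unknown = [t for t in tokens if t not in MASK_CLASSES]
    if unknown:
        raise ValueError(f"unknown mask token(s): {unknown}")
    for combo in itertools.product(*(MASK_CLASSES[t] for t in tokens)):
        yield "".join(combo)


def syllable_candidates(syllables: Iterable[str], max_parts: int = 3) -> Iterator[str]:
    """Syllable attack: glue syllables from dictionary words together in every order."""
    unique = list(dict.fromkeys(syllables))
    for n in range(1, max_parts + 1):
        for combo in itertools.product(unique, repeat=n):
            yield "".join(combo)


def crack(target_hash: str, candidates: Iterable[str], limit: int = 2_000_000) -> Optional[str]:
    """Hash each candidate until one matches; give up after `limit` tries."""
    for tried, candidate in enumerate(candidates, 1):
        if sha256_hex(candidate) == target_hash:
            return candidate
        if tried >= limit:
            break
    return None


if __name__ == "__main__":
    # Constructed targets: an unsalted SHA-256 of each password
    print("hybrid:  ", crack(sha256_hex("system2"), hybrid_candidates(WORDLIST)))
    print("syllable:", crack(sha256_hex("tempass"), syllable_candidates(SYLLABLES)))
    print("rule:    ", crack(sha256_hex("qz42"), mask_candidates("?l?l?d?d")))
```

The mask generator shows why the rule-based attack is the most powerful when the rule is right: ?l?l?d?d is only 67,600 candidates, whereas brute-forcing every four-character string over the same 36-character alphabet is 1.68 million.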

Database Consistency Checker (DBCC)

commands may give the investigator valuable insight into what is happening within the Server system. The DBCC LOG command allows investigators to view and retrieve the active transaction log files for a specific database.

Packet Parameter/Payload Correlation

compares packets with signatures (IPS/IDS)

Unicode

computing standard, developed alongside the Universal Coded Character Set (UCS) standard, for the encoding, representation, and handling of text in most of the world's writing systems. It defines more than 128,000 characters from about 135 modern and historic scripts. Technologies such as modern operating systems, XML, Java, and the Microsoft .NET Framework have adopted the Unicode standard.

HKEY_LOCAL_MACHINE

contains most of the configuration information for installed software, including the Windows OS itself, and information about the physical state of the computer, such as bus type, installed cards, memory type, startup control parameters, and device drivers.

HKEY_CURRENT_USER

contains the configuration information related to the user currently logged on. Wallpaper, screen colors, display settings, etc..

AccessData FTK

court-cited digital investigations platform that provides processing and indexing up front, so filtering and searching is fast. FTK can be setup for distributed processing and incorporate web-based case management and collaborative analysis.

18 USC 1030​

covers Fraud and related activity in connection with computers

Frye standard

covers the admissibility of scientific testimony: expert evidence is admissible if the technique is generally accepted in the relevant scientific community

HashCalc

creates MD5 and other hashes for files, text, and hex strings; supports 13 different algorithms

RAW Format

creates simple, sequential, flat files of a data set or suspect drive.
Advantages: data transfer is fast; minor data read errors on the source drive can be ignored; a universal acquisition format that most forensic tools can read.
Disadvantages: takes the same storage space as the original disk or data set; some tools, such as freeware versions, may not collect bad sectors on the source drive.

FTK Imager

data preview and imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs, and network drives, and examination of the content of forensic images or memory dumps. FTK Imager can also create MD5 or SHA1 hashes of files, review and recover files deleted from the Recycle Bin, export files and folders from forensic images to disk, and mount a forensic image to view its contents in Windows Explorer.

external memory

data stored in SD card, MiniSD Card, MicroSD, etc. It stores personal information such as audio, video, and images

SIM Card Memory:

data stored in the SIM card memory like address books, messages, and service-related information.

computer forensics

deals with the process of finding evidence related to a digital crime

Universal Disk Format File System (UDF)

defined by Optical Storage Technology Association (OSTA) to replace the ISO 9660 file system on optical media and also FAT on removable media. open source file system based on ISO/IEC 13346 and ECMA-167 standards that defines how a variety of optical media store and interchange the data.

What are the two main objects managed dynamically in the VFS in a cached manner to enhance file system access speed?

dentry and inode

email crimes

depend on the cyber laws created by the government of the place from which the email originates. Email crime can be categorized in two ways: crimes committed by sending emails and crimes supported by emails. When criminals use email for selling narcotics, stalking, fraud, child pornography, child abduction, spamming, fake email, mail bombing, or mail storms, we say that email supports the cybercrime.

Rapid Image 7020 X2

designed to copy one "Master" hard drive to up to 19 "Target" hard drives

Cisdem Data Recovery (DR) 3 (Mac OS)​:

designed to help you recover and restore your lost data like videos, music, documents, archives, photos, and more. Offers a Quick scan and Deep scan. Link: https://www.cisdem.com/manual/datarecovery.pdf

Cylinders, heads, and sectors (CHS)

determine the sector addressing for individual sectors on a disk

BMP

device independent bitmap (DIB) file format, or bitmap, is a standard graphics image file format used to store images on Windows operating systems. The size and color depth of these images can vary from 1 bit per pixel (black and white) to 24-bit color (16.7 million colors); BMP does not support animation.

PC-3000 Data Extractor

diagnoses and fixes file system issues, so that the client's data can be obtained.

autopsy

digital forensics platform and gui to The Sleuth Kit® and other digital forensics tools.

Documentation of the electronic crime scene is a continuous process during the investigation, making a permanent record of the scene. it includes photographing and sketching the scene

If the evidence gathered by the CFP suggests that the suspect has committed a crime, he or she will produce the evidence in court. If the evidence suggests that the suspect has breached company policy, the CFP will hand over the evidence to the corporate entity. If the suspect is present at the time of the search and seizure, the incident manager or the laboratory manager may consider asking some questions. However, they must comply with the relevant human resources or legislative guidelines for the jurisdiction.

Physical evidence

image file on hard disk is not physical evidence

Superblock

in UFS the superblock carries a magic number identifying the file system; in EXT2 the superblock stores information about the size and shape of the EXT2 file system (block size, block and inode counts, free blocks, and so on).

Data Duplication​

includes bit-by-bit copying of the original data using a software or hardware tool. Done carelessly, data duplication can overwrite data fragments and damage the integrity of the evidence; it can also alter the data stored in the swap file, so a write blocker should be used.

Mobile Forensics

includes extraction, recovery, and analysis of data from the internal memory, SD cards, and SIM cards of mobile devices. Forensics experts analyze the phone by examining the incoming and outgoing text messages, pictures stored in the memory of the phone, call logs, email messages, SIM data, deleted data, etc., in an attempt to trace the perpetrators of crimes that involve the use of mobile phones

Attack Knowledge Base

includes knowledge of prior exploits

Asset Knowledge Base

includes knowledge of the networks from the fundamentals and hosts under investigation

Health Insurance Portability and Accountability Act (HIPAA)

includes security standards for health information. NIST SP 800-66

account management events: 642 (Windows 2000/2003 event ID)

information about changes made to an account.

/var/log/cron

information about the cron job in this file

Improper Error Handling

information is returned due to improper internal error handling

/var/log/boot.log

information logged on system boots

/var/log/kern.log

initialization of kernels, kernel errors or informational messages sent from kernel

Injection Flaws

injection of malicious code that returns sensitive information

SQL Injection

injection of SQL commands via input data where no input checking is done. Form tampering: manipulates communication parameters to change data.

Unvalidated input

input strings crafted to trigger XSS or SQL injection

On Macintosh computers, which architecture utilizes EFI to initialize the hardware interfaces after the BootROM performs POST?

intel based

Authentic:

investigators must provide supporting documents regarding the authenticity, accuracy, and integrity of the evidence with details such as source and its relevance to the case. If necessary, they must also furnish details such as author of the evidence or path of transmission.

Build a Mobile Forensics Toolkit

Investigators require a collection of hardware and software tools to acquire data during the investigation. The investigator needs to use different tools to extract and analyze the data, depending on the make and model of the phone seized. The best practices for getting authorization and defining the course of action are as follows: an authorized decision maker should be chosen to obtain authorization for conducting the investigation; all events occurring and decisions taken at the time of the incident and the incident response should be documented, since investigators can use these documents in court proceedings to establish the course of action; depending on the scope of the incident, and in the absence of any national security or life-safety issues, the first priority is to protect the organization from further harm; after securing the organization, services are reinstated and the investigation of the incident is carried out.

Criminal Cases

involve actions that are against the norms of society (mnemonic: did you know what you did? If so, it is criminal). Investigators must follow a set of standard forensic processes accepted by law in the respective jurisdiction. Investigators, under a court's warrant, have the authority to seize the computing devices. A formal investigation report is required. Law enforcement agencies are responsible for collecting and analyzing evidence. Punishments are harsh and include fines, jail sentences, or both. The standard of proof is very high. Certain evidence is difficult to capture, e.g., GPS device evidence.

civil case

involve disputes between two parties, which may include an individual versus a company, an individual versus another individual, or a company versus another. They relate to a violation of contracts and lawsuits, where a guilty verdict generally results in monetary damages to the plaintiff.

Dynamic Analysis

involves execution of malware to examine its conduct, operations and identifies technical signatures that confirm the malicious intent.

GIF​

is XX RGB with 256 colors and 8 bits

Integrated Circuit Card Identifier (ICCID)

is a 19- or 20-digit unique identification/serial number printed on the SIM to identify each SIM internationally. Example: 8944245252001451548, read from the left as industry identifier (89 = telecommunications), country code, issuer identifier, and individual account identification number.

Lspd.pl

is a Perl script that allows you to list the details of a process

Ophcrack

is a Windows password cracker based on rainbow tables. GUI and runs on multiple platforms.

Nltest

is a command that can be used to get a list of Domain Controllers in Windows Server (2008R2, 2012, etc...)

Extensible Storage Engine (ESE)

is a data storage technology from Microsoft for storing and retrieving data through indexed and sequential access. Exchange uses it to store mailbox databases (.edb files) holding folders, messages, and attachments, and the same engine backs the Edge spartan.edb and WebCacheV01.dat files listed above. The database is organized as a B-tree and the file starts with a fixed hexadecimal signature, so .edb files can provide valuable evidence in forensic investigations.

autopsy

is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. Law enforcement, military, and corporate examiners use it to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card

GIF

is a file format that contains 8 bits per pixel and displays 256 colors per frame. GIF uses lossless data compression techniques, which maintain the visual quality of the image. The hex value of a GIF image file starts with the values 47 49 46, which represent the GIF file name.
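The BMP card (42 4D, "BM") and the GIF card (47 49 46, "GIF") above both come down to checking the first bytes of a file against a signature. The following Python is an added example for this deck, not from any forensic product: it identifies a file by magic bytes, flags files whose extension disagrees with their content (a renamed image in a "text" file, for instance), and parses the BMP file and info headers, applying the RGBQUAD rule that a colour table is only present at 8 bits per pixel or less. It goes beyond the two cards by including PNG, JPEG, PDF and ZIP signatures. The sample BMP and GIF bytes are constructed in the code.

```python
import struct
from typing import Dict, Optional

# Signatures checked against the extension. BMP and GIF are the cards above; the
# rest are added here.
MAGIC: Dict[str, bytes] = {
    "bmp": b"BM",                  # 42 4D
    "gif": b"GIF",                 # 47 49 46, followed by 87a or 89a
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",          # also docx/xlsx/jar/apk containers
}


def identify(data: bytes) -> Optional[str]:
    """Return the format whose signature the data starts with, or None."""
    for name, signature in MAGIC.items():
        if data.startswith(signature):
            return name
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content signature disagrees with what the extension claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip"}.get(ext, ext)
    actual = identify(data)
    return actual is not None and actual != ext


BMP_FILE_HEADER = "<2sIHHI"        # BITMAPFILEHEADER: type, file size, reserved x2, pixel data offset
BMP_INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER: size, width, height, planes, bpp, compression,
                                   # image size, x/y pixels per metre, colours used, colours important


def parse_bmp(data: bytes) -> Dict[str, int]:
    if not data.startswith(MAGIC["bmp"]):
        raise ValueError("not a BMP file")
    _sig, file_size, _r1, _r2, pixel_offset = struct.unpack_from(BMP_FILE_HEADER, data, 0)
    _hdr_size, width, height, _planes, bpp, *_rest = struct.unpack_from(BMP_INFO_HEADER, data, 14)
    # An RGBQUAD colour table is only present for <= 8 bpp; 24-bit pixels carry RGB inline
    palette_entries = 0 if bpp > 8 else 2 ** bpp
    return {"file_size": file_size, "pixel_offset": pixel_offset, "width": width,
            "height": abs(height), "bpp": bpp, "palette_entries": palette_entries}


def make_sample_bmp(width: int = 2, height: int = 1, pixel: bytes = b"\x00\x00\xff") -> bytes:
    """Constructed 24-bit BMP (rows padded to 4 bytes) so the parser can run offline."""
    row = (pixel * width).ljust((width * 3 + 3) & ~3, b"\x00")
    pixels = row * height
    info = struct.pack(BMP_INFO_HEADER, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    file_header = struct.pack(BMP_FILE_HEADER, b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return file_header + info + pixels


if __name__ == "__main__":
    sample = make_sample_bmp()
    print(identify(sample), parse_bmp(sample))
    print("renamed gif flagged:", extension_mismatch("notes.txt", b"GIF89a\x01\x00\x01\x00"))
```

The same check is what a carving tool such as Scalpel runs over unallocated space, except that it scans for the signature at every offset rather than only at the start of a named file.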

RoadMASSter-3 X2

is a forensic ruggedized portable lab for hdd data acquisition and analysis.

Ophcrack

is a free GUI driven Windows password cracker based on rainbow tables

Image MASSterTM Wipe PRO

is a hard Drive Sanitization Station.

RainbowCrack

is a hash cracker. It uses a time-memory tradeoff algorithm to crack hashes. It pre-computes all possible plaintext-ciphertext pairs in advance and stores them in the "rainbow table" file.

The CAN-SPAM Act(Controlling the Assault of Non-Solicited Pornography and Marketing Act)

is a law that sets the rules for sending e-mails for commercial purposes, establishes the minimum requirements for commercial messaging, gives the recipients of e-mails the right to ask the senders to stop e-mailing them, and spells out the penalties in case if the rules are violated

The Sleuth Kit® (TSK)

is a library and collection of command line tools that allow you to investigate disk images. The core functionality of TSK allows you to analyze volume and file system data. The plug-in framework allows you to incorporate additional modules to analyze file contents and build automated systems. The library can be incorporated into larger digital forensics tools, and the command line tools can be used directly to find evidence. **To perform analysis, first create a forensic image (.dd or .E01)**

L0phtCrack

is a password auditing and recovery software.

Cain and Abel

is a password recovery tool for Microsoft OSs. It sniffs the network and cracks encrypted passwords using dictionary, brute-force, and cryptanalysis attacks. It exploits security weaknesses present in protocol standards, caching mechanisms, and authentication methods to offer simplified recovery of passwords and credentials from various sources. It includes ARP Poison Routing (APR), which enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this tool is also capable of analyzing encrypted protocols, such as HTTPS and SSH-1, and contains filters to capture credentials from a wide range of authentication mechanisms.

IIS Centralized Binary Logging

is a process where most of the websites transmit binary and scattered log data to a single log file. IIS centralized binary logging reduces system resources that are used for logging and provides complete log data for organizations that need it

DumpChk (the Microsoft Crash Dump File Checker tool)

is a program that performs a quick analysis of a crash dump file.

Oxygen Forensic Kit

is a ready-to-use and customizable mobile forensic solution for field and in-lab usage. Allows extraction of data from the device but also creates reports and analyzes data in the field.

object file

is a sequence of bytes organized into blocks understandable by the systems Linker

Stellar Phoenix Deleted Email Recovery

is a software that safely recovers lost or deleted emails from MS Outlook data (PST) files and Outlook Express data (DBX) files

File Carving

is a technique to recover files and fragments of files from unallocated space of the hard disk in the absence of file metadata

Paraben's Chat Stick

is a thumb drive device that will search the entire computer and scan it for chat logs

PMDump

is a tool that lets you dump the memory contents of a process to a file without stopping the process. This tool is highly useful in forensic investigations

sparse file

is a type of computer file that attempts to use file system space more efficiently when blocks allocated to the file are mostly empty.

Dalvik Virtual Machine (DVM)

is the register-based Java-style virtual machine used by Android before ART (Android 5.0). It executes .dex bytecode compiled from Java, and each application runs in its own DVM instance inside its own process, so memory and process lifetime are managed per application.

handle

is a utility that displays information about open handles for any process in the system. You can use it to see the programs that have open files or to see the object types and names of all the handles of a program

The Deep Log Analyzer

is a web analytics solution for small and medium size websites. It analyzes website visitors' behavior and gets complete website usage statistics in easy steps. Other tools: Apache Logs Viewer, WebLog Expert, AWStats, Nagios, Splunk, Webalizer.

A Chain of Custody Document

is a written record consisting of all the processes involved in the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. It also includes the details of the people, time, and purpose involved in the investigation and evidence maintenance processes.

Kernel for PST Recovery

is able to repair corrupted PST files and recover all email items from them. It fixes errors resulting from damaged or corrupted PST files, virus attacks, deleted emails, broken PST files, header corruption, disk corruption, errors due to large PST file size, and others.

PWdump7

is an application that dumps the password hashes (OWFs) from NT's SAM database. It extracts the LM and NTLM password hashes of local user accounts from the SAM database.

chain of custody

legal document that demonstrates the progression of evidence as it travels from the original location to the forensic laboratory. It is a roadmap that shows how investigators collected, analyzed, and preserved the evidence. It ensures accurate auditing of the original data evidence, imaging of the source media, tracking of the logs, and so on. The chain of custody shows the technology used and the methodology adopted in the forensic phases, as well as the persons involved in it. The chain of custody administers the collection, handling, storage, testing, and disposition of evidence. It helps ensure protection of evidence against tampering or substitution. Chain of custody documentation should list all the people involved in the collection and preservation of evidence and their actions, with a stamp for each activity.

Master Boot Code

loads into BIOS and initiates the system boot process. The Master Boot Record (MBR) is 512 bytes long and contains four 16-byte master partition records. The MBR starts at sector 0; the volume boot sector is present in cylinder 0, head 0, and sector 1 of the default drive. The MBR signature (end of sector) is always 0x55AA.
Back up the MBR: dd if=/dev/xxx of=mbr.backup bs=512 count=1
Restore the MBR: dd if=mbr.backup of=/dev/xxx bs=512 count=1

Linux log files

Log files are records of all the activities performed on an operating system. Linux log files store information about the system's kernel and the services running on the system. In Linux, different log files hold different information, which helps investigators analyze various issues during a security incident. Investigators should learn and understand the content of the various log files, which will help them during security incidents and help them understand the locations they might have to look in to find potential evidence.

Which HFS volume structure contains the Master Directory Block (MDB), which defines a wide variety of data about the volume itself?

logical block 2

What UFS file system part is composed of a few blocks in the partition reserved at the beginning?

logical block 3

JPEG

lossy compression file type for images; can achieve 90% compression. The first bits of a file represent the file type, and JPEG files start with hex value ffd8ff.

electronic records management

makes sure that the organization has all the documents or records it needs when they are required. It helps organizations tackle any legal mandates pertaining to the protection of the organization. It protects against unauthorized access to or manipulation of electronic data. It reduces the retrieval costs of records that are no longer required to be maintained on the system and also reduces the burden of keeping paper records. It helps to produce data on demand and withhold it for inspection. It helps in capacity management for effective usage of IT resources such as servers and disk storage. It helps in preserving the original form of email messages, thereby ensuring consistent mail forms.

NTFS (File Deletion)

marks the index field in the MFT with a special code. The computer now treats the clusters occupied by that file as empty. Until these clusters are overwritten, the file can be recovered.

What prefetch does value 1 from the registry entry, EnablePrefetcher, tell the system to use?

0: Prefetching is disabled
1: Application prefetching is enabled
2: Boot prefetching is enabled
3: Both application and boot prefetching are enabled

Cain & Abel​:

password recovery tool for Microsoft OS; offers cracking, password sniffing, VoIP recording, recovers wireless network keys, reveals password boxes, uncovers cached passwords, and analyzes routing protocols.

Broken account management

poor controls around passwords and accounts in general.

Global System for Mobile communications(GSM):

popular cellular network.

EnCase Forensic Software

popular multi-purpose forensic platform that includes many useful tools to support several areas of the digital forensic process. It also generates an evidence report. EnCase Forensic can help investigators acquire large amounts of evidence, as fast as possible from laptops and desktop computers to mobile devices. EnCase Forensic directly acquires the data and integrates the results into the cases.

What is the meaning of the acronym POST?

power-on self-test

Bayesian Correlation

predicts next steps based on statistics and probability

Believable

present evidence in a clear manner to the jury and obtain expert opinions where necessary

Sarbanes-Oxley Act (SOX) of 2002

protects investors from the possibility of fraudulent accounting activities by corporations. It applies primarily to financial and accounting practices, but it also includes the IT functions that support these practices.

Apache Log

provides very important information during auditing and forensic investigations about all the operations performed on the web server. This information includes: client IP address, ident of the client machine, time, client user ID, request line from the client, status code, and size of the object returned to the client.

Core Java

provides almost all the functionalities stated in the Java software edition libraries.

ZX-Tower

provides secure sanitization of hard disks.

WriteProtect-DESKTOP

provides secure, read-only write-blocking of suspect hard drives.

Technical Witness

testimony may only provide facts found during the investigation to showcase an incident or a crime. He/she explains what exactly the evidence leads to in the process of acquisition; however, they cannot draw conclusions or offer opinions. They only conduct the fieldwork and submit the findings or facts of the investigation. On the other hand, expert witnesses can give opinions based on their observations and experience. They can also perform a deductive analysis with facts found during an investigation. Since computer forensics is a comparatively new field and does not follow any standards of practice, expert witnesses must provide a clear opinion to a jury that may not be fully aware of the latest developments in the field of computer forensics.

dmesg

The command dmesg is short for "display message" or "driver message". The command displays the kernel ring buffer, which contains information about the drivers loaded into the kernel during the boot process and error messages produced at the time of loading the drivers into the kernel. These messages are helpful in resolving and restoring device driver issues. Syntax: dmesg [options]. Example: dmesg | grep -i eth0 (displays hardware information on the Ethernet port eth0).

fsck

The command fsck is meant for file system consistency checking. It is a tool to check the consistency of a Linux file system and repair it. Syntax: fsck -A (checks all configured filesystems).

history

The command history checks and lists the bash shell commands used. This command helps users for auditing purposes. Syntax: history n (lists the last n commands).

mount

The command mount attaches a file system or a device to the directory structure, making it accessible to the system. Syntax: mount -t type device dir (requests the kernel to attach the file system found on device, of type type, at the directory dir).

Event Filtering

The event correlator filters out or discards irrelevant events.

Exhibit numbering

the process of tagging evidence with a sequential number that includes case and evidence details. This allows the investigator to easily identify the evidence and know its details. Investigators should mark all the evidence in a pre-agreed format, such as: aaa/ddmmyy/nnnn/zz.

Slack Space

the space between the end of the stored file and the end of the disk cluster. Use the X-Ways Forensics tool to scan virtual memory. The Linux operating system allocates a certain amount of storage space on a hard disk called Swap Space, which the OS uses as the virtual memory extension of a computer's real memory (RAM). In Windows, this is called a Page File. Found in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

netstat

The tool helps in collecting information about the network connections active on a Windows system. The most common way to run netstat is with the -ano switches. These switches tell the program to display the TCP and UDP network connections, listening ports, and the identifiers of the owning processes (PIDs). Other switches: -r routing table, -e Ethernet stats, -p protocol.

Which of the following is NOT an advantage of SSDs over HDDs?

These ARE the advantages: faster data access, less power usage, higher reliability.

Which is NOT a log management system function?

These ARE the functions: log parsing, event filtering, event aggregation, log rotation, log archival and retention, log compression, log reduction, log conversion, log normalization, log file integrity checking, event correlation, log viewing, log reporting, log clearing.

Jv16 (jv16 Power Tools)​:

This is used to analyze registry changes during malware analysis. Registry Cleaner is a part of this set of tools that detects errors that can have a measurable impact on system performance.

logon events: 4

title: batch, description: the batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

logon events: 11

title: cachedinteractive, description: a user logged on to this computer with network credentials that were stored locally on the computer

logon events: 3

title: network, description: a user or computer logged on to this computer from the network.

logon events: 9

title: newcredentials, description: a caller cloned its current token and specified new credentials for outbound connections

logon events: 10

title: remoteinteractive, description: a user logged on to this computer remotely using Terminal Services or Remote Desktop

logon events: 5

title: service, description: a service was started by the service control manager.

logon events: 7

title: unlock, description: this workstation was unlocked

logon events: 8

title: networkcleartext, description: a user logged on to this computer from the network. The user's password was passed to the authentication package in unhashed form.

netstat -an

Used to look for suspicious connections.

Task List

tool that displays the list of applications and services, along with the Process IDs (PIDs), for all tasks running on either a local or a remotely connected computer.

Mobile network code (MNC)

two-digit network identification number used along with the MCC printed on the SIM. It is used to identify the SIM user on a mobile phone network.

RAID 3

uses byte-level striping with a dedicated parity disk, which stores checksums. It also supports a special processor for parity code calculation. This RAID level cannot serve multiple data requests simultaneously. If a failure occurs, it enables data recovery by an applicable calculation from the parity bytes and the remaining bytes related to them.

Logcheck

utility that allows system administrators to view the log files produced by hosts under their control. This is done by mailing summaries of the log files to the hosts, after first filtering out "normal" entries. Normal entries are entries that match one of the many regular expression files contained in the database.

R-Drive Image

utility that provides creation of disk image files for backup or duplication purposes.

ListDLLs.exe

utility that reports the DLLs loaded into processes.

MDF Calculator

view an MD5 hash to compare it with a provided hash value.

Memory Viewer​:

view system memory configuration. Gives you information about the memory cards installed on the computer and the current memory allocation.

18 USC 2702

voluntary disclosure of contents to government and non-government entities.

Platform exploits

vulnerability exploits based on Java, .NET, etc.

What tool enables you to retrieve information about event logs and publishers in Windows 10?

wevtutil

Cloud as a tool

when the attacker uses one compromised cloud account to attack other accounts. In such cases, both the source and the target cloud can store the evidence data.

Cloud as an object

when the attacker uses the cloud to commit a crime targeted at the CSP. The main aim of the attacker is to impact the cloud service provider. Example: DDoS attacks that can bring the whole cloud down.

Which web application threat occurs when attackers insert malicious code, commands, or scripts into the input gates of web applications, enabling the applications to interpret and run the newly supplied malicious input?

xss
