193 Cards in this Set
- Front
- Back
- 3rd side (hint)
Digital Forensics is also known as what? |
Computer Forensics
|
|
|
What is the practice of collecting and analyzing data while maintaining its integrity for investigative purposes?
|
Digital Forensics
|
|
|
What are the two disciplines of digital forensics?
|
Network-based and host-based
|
|
|
Within digital Forensics what is Evidence?
|
Electronically stored information found on or in use by digital media devices.
Data |
|
|
Network-based Forensics collects and analyzes what and for what reason?
|
It collects and analyzes raw network data to determine how an attack was carried out or how an event occurred on a network.
|
|
|
What are some of the logs Network-based Forensics would look at to provide insight on an instance of intrusion ?
|
It would look at network logs from servers, routers, firewalls, and other networked devices.
|
|
|
What is Host-based Forensics primarily concerned with?
|
It is concerned with computer workstations, removable storage devices and other physical digital media storage devices.
|
|
|
What are the two system States and under which discipline do they fall under?
|
Live=Network-based
Dead=Host-based |
|
|
What is an analyst toolkit that resides on a separate storage media device?
|
Incident Response Disk aka Helix Linux Boot CD
|
|
|
A bit for bit image of the original device
|
Disk image
|
|
|
List of words and phrases used to search evidence
|
Keyword list or dirty word list
|
|
|
The route that evidence takes from the time you find it until the case is closed or goes to court
|
Chain of custody
|
|
|
Cryptographic hashes of data obtained prior to collection should match hashes obtained after collection
|
Evidence Integrity
|
|
|
Contains all the code necessary to successfully run as a standalone program and limit the impact(footprint) on the suspicious computer
|
Statically-linked executable or standalone executable
|
|
|
Evidence
|
Electronically stored information found on or in use by digital media devices.
|
|
|
What are 2 examples of collection tools? |
dd
netstat
EnCase, FTK Imager |
|
|
What are collection tools?
|
Tools used for gathering evidence
|
|
|
What are analysis tools?
|
Tools used to take data as input and display it in a more useful(human readable) format
|
|
|
Name some examples of Analysis tools?
|
EnCase
Autopsy
Helix |
|
|
What is a standalone computer system utilized to perform forensic analysis of digital media?
|
Forensics workstation
|
|
|
What are the 2 types of write-blockers?
|
Hardware write-blocker
Software write-blocker |
|
|
What are write-blockers?
|
They are used to protect evidence disks by preventing any write to the source media, whether accidental or done by the operating system. Most important on Windows systems, which mount attached volumes read-write by default.
|
|
|
What is the SANS Investigative Forensic Toolkit (SIFT)
|
Linux-based (Ubuntu) virtual machine, distributed as a VMware appliance, pre-configured to conduct forensic investigations.
It includes many native and open-source tools: Autopsy and PTK, The Sleuth Kit (TSK), mac-robber, static binaries, Wireshark |
|
|
What is the Sleuth Kit (TSK) forensic Toolkit?
|
It is a library and collection of command line tools that allow you to investigate volume and file system data.
Works with Unix and Windows |
|
|
Who developed the EnCase Forensic software?
|
Guidance Software (EnCase is now sold by OpenText, which acquired Guidance Software in 2017)
|
|
|
What utility does EnCase have built-in in order to compare hash sets?
|
NSRL
National Software Reference Library |
|
|
What type of image does EnCase create from the original drive?
|
An exact binary duplicate (forensic image) of the original drive or media
|
|
|
What is an analyst toolkit that resides on a separate storage media device like a thumb drive, CD-ROM, or external hard drive?
|
An Incident Response Disk(IRD)
Or Helix Linux Boot CD |
|
|
What should you never assume about a suspicious computer?
|
You should never assume it is reliable. Use the trusted tools from the response disk.
|
|
|
What are the 4 steps to the Digital Forensics Methodology?
|
Incident Response
Acquisition
Analysis
Reporting |
|
|
Which phase of the Forensic methodology begins the documentation process in regards to chain of custody and evidence handling and serves as the basis of analysis?
|
Incident Response phase
|
|
|
This document is one of the most important documents maintained during an investigation and shows how the evidence was examined, by whom, and when it changed hands?
|
Chain of Custody documents
|
|
|
What are the things that should be documented during the Incident Response phase?
|
*Name of individual seizing the drive
*Time of acquisition
*Method of acquisition
*Location of seizure
*Make
*Model and size
*Serial number
*Exact commands typed
*Other information |
|
|
What should you label the evidence with?
|
Case name
Evidence number
Description of evidence
*Create a chain of custody form* |
|
|
What 3 questions should an analyst be able to answer in order to establish a basis for analysis?
|
Why was the device seized?
What type of information do I expect to obtain?
How long do I have to conduct analysis? |
|
|
Which phase of the Forensic methodologies focus is to collect relevant volatile and non-volatile data using sound forensic techniques and tools that ensure data integrity?
|
Acquisition phase
|
|
|
What are the two main goals of data acquisition?
|
°Minimize data loss
°Avoid compromising the suspect system with additional data that may modify the access times of files |
|
|
What type of data should be collected first?
|
Data with the highest chance of being changed, modified or lost(volatile)
|
|
|
What is data that is likely to be erased if the device loses power?
|
Volatile data
|
|
|
What is another name for acquiring volatile data?
|
Live Response Analysis
|
|
|
What does the collection of volatile data help with?
|
It helps to determine a logical timeline and the possible users responsible
|
|
|
Name at least 5 volatile data types?
|
*System date, time, uptime
*System memory
*Current network connections/open ports
*Current running processes
*Applications listening on open ports
*Users currently logged on
*Network caches and tables (ARP, routing, DNS)
*Open files
*Currently mounted file systems
*Physical disk configuration (fdisk -l)
*System profile (winmsd, systeminfo)
*System identification (uname -a)
*Encrypted files/volumes that are currently mounted (decrypted) and will be unreadable once power is lost |
|
|
What are the steps to Acquiring Volatile Data?
|
1. Establish a trusted command shell
2. Establish a method for transmitting and storing the acquired information
3. Collect volatile data from the system and output the collected data to a forensic workstation/storage device
4. Correlate system/network-based logs and mark the beginning and ending time when incident response was performed |
|
|
What should you never use on a suspicious computer?
|
Don't open or use a terminal or command shell from the suspicious computer
|
|
|
What is the process of acquiring non-volatile data?
|
Simply making an exact physical copy of the device
|
|
|
What is one of the most significant structures on a hard disk that is created when a hard disk is partitioned?
|
MBR master boot record
|
|
|
What are the 3 components of the MBR?
|
Master boot program (boot code)
Master partition table
2-byte marker indicating the end of the sector (0x55AA) |
|
|
How big is the MBRs partition table and where is it located?
|
64 bytes
Located in bytes 446-509 |
|
|
True or false : the MBR is always located at the first physical sector of the disk and always ends with 0x55AA?
|
True
Caveat: a GPT-partitioned disk keeps a "protective MBR" (one entry of type 0xEE) in sector 0, so the signature alone does not prove the disk is MBR-partitioned |
|
|
How many defined partition entries are in the partition table?
|
4
|
|
|
What type of partition is used to extend past the four-partition limitation?
|
Extended partition.
One of the defined partitions in the MBR partition table can be an extended partition. |
|
|
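A worked example of the MBR layout described in the cards above. It is added here, is not course material and does not read a real disk: it parses the 64-byte partition table at offset 446, checks the 0x55AA signature, flags extended and protective-GPT entries, and lists the sector ranges no partition covers (where hidden data may live). The sample MBR and its three partitions are constructed in the code.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # bytes 446-509 hold the four 16-byte entries
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xAA"           # bytes 510-511
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS extended, Win95 LBA extended, Linux extended
PROTECTIVE_GPT = 0xEE


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not an MBR, or the sector is damaged")
    partitions = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0x00:
            continue                                   # unused slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,       # container for logical partitions
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,
        })
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": partitions,
        "protective_gpt": any(p["type"] == PROTECTIVE_GPT for p in partitions),
    }


def unallocated_regions(partitions, disk_sectors: int, first_usable: int = 1):
    """Inclusive sector ranges covered by no partition entry.

    Sector 0 is the MBR itself; everything else outside a partition is a place
    where data can be hidden, so an examiner images and inspects these gaps."""
    spans = sorted((p["lba_start"], p["lba_end"]) for p in partitions)
    gaps, cursor = [], first_usable
    for start, end in spans:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


# --- constructed sample (not a real disk), built here to exercise the parser ---
def _entry(status, ptype, lba_start, count):
    # 0xFE 0xFF 0xFF is the conventional "CHS exhausted, use LBA" marker
    return struct.pack("<B3sB3sII", status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF",
                       lba_start, count)


def sample_mbr() -> bytes:
    table = (_entry(0x80, 0x07, 2048, 204800)       # bootable NTFS, 100 MiB
             + _entry(0x00, 0x0F, 206848, 409600)   # extended container
             + _entry(0x00, 0x83, 616448, 102400)   # Linux
             + bytes(PARTITION_ENTRY_SIZE))         # empty fourth slot
    return bytes(PARTITION_TABLE_OFFSET) + table + MBR_SIGNATURE


if __name__ == "__main__":
    mbr = parse_mbr(sample_mbr())
    for p in mbr["partitions"]:
        print(f"slot {p['slot']} type 0x{p['type']:02X} boot={p['bootable']} "
              f"ext={p['extended']} LBA {p['lba_start']}-{p['lba_end']}")
    print("unallocated:", unallocated_regions(mbr["partitions"], disk_sectors=1_000_000))
```

The extended entry is only a container: its logical partitions live in a chain of extended boot records starting at its LBA, which a complete tool would walk next. The gap before sector 2048 and the one after the last partition are exactly the regions to carve for hidden partitions.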
What is considered the best evidence and grabs the entire contents of a drive or digital media device?
|
Physical drive imaging
|
|
|
What type of imaging obtains only the file system partition?
|
Logical drive imaging
|
|
|
Name the 3 data acquisition methods?
|
Hardware
Software Live |
|
|
Which type of acquisition is conducted when the hard drive is removed from the suspect system and connected to the analyst's forensic workstation?
|
Hardware Acquisition
|
|
|
What should you use if using a Windows-based application to image a drive?
|
Write-blocker
Windows automatically mounts the drive read+write; the write-blocker ensures that no data is written back to the suspect's hard drive |
|
|
Linux based applications like Helix and the Sleuth Kit don't require a_________ ___________.
|
Write-blocker
Caveat: forensic Linux boot media are configured not to auto-mount attached disks, but a hardware write-blocker is still best practice and is required by many lab procedures |
|
|
During this type of acquisition an analyst boots the suspect system with the Helix boot CD-ROM or incident response disk and images the local drives attached to the system
|
Software acquisition
|
|
|
Describe live acquisition
|
Evidence must be gathered before it is changed, deleted or overwritten in a way that minimizes the impact on the system.
|
|
|
dd is an imaging tool, what are the 3 different types?
|
dd
dd.exe (Windows port)
dcfldd (Defense Computer Forensics Lab dd) |
|
|
What does dd.exe add that dd's options (bs=, count=, skip=, conv=noerror,sync) do not cover?
|
md5sum
verifymd5
md5out |
|
|
What does dcfldd add that dd's options (bs=, count=, skip=, conv=noerror,sync) do not cover?
|
hashlog= (write the hashes to a log file)
hashwindow= (hash every N bytes of input as well as the whole image) |
|
|
What are the common image file formats and their extensions?
|
Raw (dd) - .dd or .img
Expert Witness Format (EWF) - .E01
Advanced Forensic Format (AFF) - .aff |
|
|
When verifying integrity how can you tell if the copy made is a bit-for-bit duplicate of the evidence?
|
If the hashes are the same
|
|
|
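The dd options and the hash verification covered in the cards above, as one added example (not course material, and not a replacement for dd or dcfldd): a dd-style imager with conv=noerror,sync semantics and a dcfldd-style hashwindow log, run against a constructed in-memory device that simulates one unreadable 512-byte block. The FlakyDevice class and the SAMPLE bytes are assumptions made for the example.

```python
import hashlib
import io


class FlakyDevice:
    """Constructed stand-in for a raw block device (not real hardware): reads that
    overlap `bad_range` (byte offsets, end exclusive) raise OSError like a bad sector."""

    def __init__(self, data: bytes, bad_range=None):
        self._buf = io.BytesIO(data)
        self.bad_range = bad_range

    def seek(self, pos, whence=0):
        return self._buf.seek(pos, whence)

    def tell(self):
        return self._buf.tell()

    def read(self, n: int) -> bytes:
        pos = self._buf.tell()
        if self.bad_range and pos < self.bad_range[1] and pos + n > self.bad_range[0]:
            raise OSError("Input/output error (simulated unreadable sector)")
        return self._buf.read(n)


def image_device(src, dst, bs=512, noerror=True, sync=True, hashwindow=0, algo="sha256"):
    """dd-style bit-for-bit copy with the options the cards list.

    conv=noerror: keep going after a read error instead of aborting.
    conv=sync:    pad a short or failed read to a full block with zeros so every
                  later byte keeps its original offset in the image.
    hashwindow=N: like dcfldd, log a hash of every N bytes as well as the whole
                  image, so a later mismatch can be localized to one window."""
    src.seek(0, 2)
    size = src.tell()
    src.seek(0)
    total, window = hashlib.new(algo), hashlib.new(algo)
    hashlog, errors, copied, in_window = [], 0, 0, 0
    while True:
        pos = src.tell()
        if pos >= size:
            break
        try:
            block = src.read(bs)
        except OSError:
            if not noerror:
                raise
            errors += 1
            src.seek(pos + bs)           # skip the unreadable block, keep imaging
            block = b""
        if sync and len(block) < bs:
            block = block.ljust(bs, b"\x00")
        dst.write(block)
        total.update(block)
        copied += len(block)
        if hashwindow:
            window.update(block)
            in_window += len(block)
            if in_window >= hashwindow:
                hashlog.append((copied - in_window, copied - 1, window.hexdigest()))
                window, in_window = hashlib.new(algo), 0
    if hashwindow and in_window:
        hashlog.append((copied - in_window, copied - 1, window.hexdigest()))
    return {"bytes": copied, "read_errors": errors, "hash": total.hexdigest(), "hashlog": hashlog}


def verify_image(image: bytes, expected_hash: str, algo="sha256") -> bool:
    """Integrity check: the copy hashes to what the acquisition log recorded."""
    return hashlib.new(algo, image).hexdigest() == expected_hash


# constructed 2 KiB "device" contents; with bad=True the second 512-byte block is unreadable
SAMPLE = bytes(range(256)) * 8


def demo(bad=True):
    src = FlakyDevice(SAMPLE, bad_range=(512, 1024) if bad else None)
    dst = io.BytesIO()
    result = image_device(src, dst, bs=512, hashwindow=1024)
    return result, dst.getvalue()


if __name__ == "__main__":
    result, image = demo()
    print(f"{result['bytes']} bytes, {result['read_errors']} read error(s), {result['hash']}")
    for start, end, h in result["hashlog"]:
        print(f"  window {start}-{end}: {h}")
    print("image hash equals source hash:", verify_image(SAMPLE, result["hash"]))
```

The two runs show why the acquisition log matters: with no read errors the image hash equals the hash of the source media, but once a block has been zero-filled the image hash can never match the original, and it is the error count plus the per-window hashes that let the examiner explain exactly where and why.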
How large is an MD5 hash?
|
128 bits, normally displayed as 32 hexadecimal characters
|
|
|
True or false : Analysts should make multiple copies of an image
|
True
You should make additional copies if third parties need the evidence as well. |
|
|
What type of analysis is used to sort system files by their modified, accessed, changed, and created timestamps?
|
Timeline analysis
|
|
|
What are 2 things that can be analyzed from a timeline perspective?
|
Clusters of activity: many files touched within a short window (e.g. a tool drop followed by its first execution)
Intruder activity that stands out around the incident time (files created or modified when no legitimate user was active) |
|
|
Which file system has no "change" timestamp?
|
FAT
FAT stores created, last-written and last-accessed times (last access as a date only), but has no metadata-change timestamp; NTFS and Unix file systems do |
|
|
What are the two steps of building a timeline with the Sleuth Kit?
|
Gather (fls or mac-robber write the file metadata to a "body" file)
Make (mactime turns the body file into a sorted timeline) |
|
|
What are the 7 data sources for media analysis?
|
Unallocated (free) space
Slack space
Swap space
Dump or core files
Hibernation files
Temporary files
OS configuration files |
|
|
Deleted files remain in______ ___ _____, where clusters/blocks are not assigned but may contain data.
|
Unallocated(free) disk space
|
|
|
The unused portion of space where portions of file information from previous use is still available for examination?
|
Slack space: the unused part of the last cluster allocated to a file (between end-of-file and end-of-cluster), which may still hold data from whatever file previously used that cluster
|
|
|
The hidden system file used by Windows for virtual memory when there isn't enough physical memory?
|
pagefile.sys
|
|
|
Which type of files are created during an error condition?
|
Dump or Core files
|
|
|
Which file is created to preserve the current state of the system (typically a laptop) by recording memory and open files before shutting off and what file is used in Windows?
|
Hibernation files
Hiberfil.sys |
|
|
What are the files that are created during OS/application install or upgrade?
|
Temporary files
|
|
|
What are the 10 OS Configuration files?
|
Users and groups
Passwords
Network shares
Scheduled jobs
Logs
System events
Audit records
Application events
Command history
Recently accessed files |
|
|
What type of analysis explores the file system?
|
File system analysis
|
|
|
Explain hash analysis and one of the references?
|
Hash analysis is a technique to reduce the search space by identifying known files by their hashes.
The National Institute of Standards and Technology maintains a very large set of hashes called the National Software Reference Library or NSRL for short. |
|
|
What are the two main categories of files in a hash set and what is the difference
|
Known - typical system files that can be ignored
Notable - files that have been identified as illegal or inappropriate |
|
|
Cryptographic hashes change completely if a single bit differs. Which type of hashing is used instead to find files that are similar but not identical?
|
Fuzzy hashing
|
|
|
What tool is used to help investigators check similarities in files? What does it compute to compare the files?
|
ssdeep
Context triggered piecewise hash (CTPH) |
|
|
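Hash analysis from the cards above as one added example (not course material, and not ssdeep): exact-hash triage against constructed known and notable sets, beside a simplified context-triggered piecewise hash that stays similar after a one-byte edit where MD5 does not. The rolling-hash parameters and the sample bytes are assumptions made for the example.

```python
import hashlib
import random


# --- known-file filtering (NSRL-style): known = ignore, notable = examine first ---
def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage(files: dict, known: set, notable: set) -> dict:
    """Classify every file by exact hash; only 'unknown' files need manual review."""
    verdicts = {}
    for name, data in files.items():
        h = md5_hex(data)
        verdicts[name] = "notable" if h in notable else "known" if h in known else "unknown"
    return verdicts


# --- simplified context-triggered piecewise hashing (CT PH) ---
# A rolling hash over a 7-byte window picks chunk boundaries from the content itself,
# so an edit only disturbs the chunk(s) around it; ssdeep uses the same idea with a
# base64 signature and an edit-distance score. This is a teaching version, not ssdeep.
def chunk_boundaries(data: bytes, block=64, window=7):
    mod, mult = 1 << 32, 31
    drop = pow(mult, window, mod)
    h, bounds = 0, [0]
    for i, b in enumerate(data):
        h = (h * mult + b) % mod
        if i >= window:
            h = (h - data[i - window] * drop) % mod     # slide the window forward
        if h % block == block - 1:                      # content-defined trigger
            bounds.append(i + 1)
    if bounds[-1] != len(data):
        bounds.append(len(data))
    return bounds


def piecewise_hashes(data: bytes, block=64) -> set:
    b = chunk_boundaries(data, block)
    return {hashlib.md5(data[s:e]).hexdigest()[:8] for s, e in zip(b, b[1:])}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of chunk hashes: 1.0 identical, 0.0 nothing in common."""
    ha, hb = piecewise_hashes(a), piecewise_hashes(b)
    return len(ha & hb) / len(ha | hb) if ha | hb else 1.0


# constructed sample data (not real files)
_rng = random.Random(1337)
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(4096))
_patched = bytearray(ORIGINAL)
_patched[2000] ^= 0xFF                      # flip one byte in the middle
PATCHED = bytes(_patched)
SAMPLE_FILES = {"calc.exe": b"constructed known system binary",
                "tool.exe": b"constructed notable binary",
                "update.exe": ORIGINAL}
KNOWN = {md5_hex(SAMPLE_FILES["calc.exe"])}
NOTABLE = {md5_hex(SAMPLE_FILES["tool.exe"])}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, KNOWN, NOTABLE))
    print("md5 equal after one-byte edit:", md5_hex(ORIGINAL) == md5_hex(PATCHED))
    print(f"fuzzy similarity after one-byte edit: {similarity(ORIGINAL, PATCHED):.2f}")
```

The rolling hash re-synchronizes seven bytes after the edit, so only the chunk containing byte 2000 (and at most its neighbours, if a boundary moved) changes; everything else still matches, which is what lets a fuzzy hash relate a repacked or slightly modified sample to a known one.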
This type of analysis looks at the header and/or footer within a file that indicates the application associated with the file or the type of file.
|
File Signature analysis
|
|
|
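File signature analysis as an added example (not course material): a small magic-byte table, a check that the header agrees with the file extension, and a footer check that catches truncated or carved files. The table and the sample files are constructed for the example; a real tool would use libmagic or a full signature database.

```python
# (magic bytes, offset, normalized type, description); constructed short table
SIGNATURES = [
    (b"MZ", 0, "exe", "Windows PE executable / DLL / driver"),
    (b"%PDF", 0, "pdf", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", 0, "png", "PNG image"),
    (b"\xff\xd8\xff", 0, "jpg", "JPEG image"),
    (b"PK\x03\x04", 0, "zip", "ZIP container (also docx/xlsx/pptx/jar)"),
    (b"\x7fELF", 0, "elf", "ELF executable"),
    (b"GIF8", 0, "gif", "GIF image"),
    (b"Rar!\x1a\x07", 0, "rar", "RAR archive"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "ole", "OLE2 compound file (doc/xls/msg)"),
]
# extensions that legitimately carry one of the normalized types above
EXT_ALIASES = {"dll": "exe", "sys": "exe", "scr": "exe", "cpl": "exe", "jpeg": "jpg",
               "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "apk": "zip",
               "doc": "ole", "xls": "ole", "msg": "ole"}
# trailers for types that define one; a missing trailer means truncation or a bad carve
FOOTERS = {"jpg": b"\xff\xd9", "png": b"IEND\xaeB`\x82", "pdf": b"%%EOF"}


def identify(data: bytes):
    for magic, offset, kind, desc in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind, desc
    return None, "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare what the header says the file is with what the name claims."""
    kind, desc = identify(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = EXT_ALIASES.get(ext, ext)
    footer_ok = None
    if kind in FOOTERS:
        # trailing NULs / newlines after the trailer are normal
        footer_ok = data.rstrip(b"\x00\r\n").endswith(FOOTERS[kind])
    return {
        "name": name,
        "header_type": kind,
        "description": desc,
        "extension_mismatch": kind is not None and ext != kind,
        "footer_ok": footer_ok,
    }


# constructed sample files (not real documents or binaries)
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00",   # renamed executable
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 100,             # no FFD9 trailer
    "notes.txt": b"plain text, no signature\n",
    "setup.dll": b"MZ" + b"\x00" * 62,
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        r = check_file(name, data)
        flag = "MISMATCH" if r["extension_mismatch"] else "ok"
        print(f"{name:12} {r['header_type'] or '?':4} footer={r['footer_ok']} {flag}")
```

Only the header decides the type; the extension is just a claim to be checked against it, which is why "holiday.jpg" is reported as an executable and why the truncated JPEG is flagged even though its header is fine.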
What are 3 common techniques for string and keyword searches?
|
Search files based on:
-their names or patterns in their names
-a keyword in their content
-their temporal data, i.e. last accessed or written time |
|
|
What is the typical name for an analyst's list of keywords and phrases?
|
"Dirty Word List"
|
|
|
This type of analysis examines the collection of data files (hives) that store vital configuration data for a Windows system. Examples are provided in the hints section
|
Windows Registry analysis
A very important source of evidence for analysts |
|
|
What file is created for users with an account on a Windows computer and contains configuration and environment settings as well as identifiable data pertaining to user activity?
|
NTUSER.DAT
|
|
|
What type of information can you find relating to a user with Windows Registry analysis?
|
Search history
Typed URLs
Last commands executed
Last files saved
Recent documents
Application artifacts |
|
|
Which type of analysis involves the one of the most commonly used forms of communication?
|
Email analysis
|
|
|
Which file extensions are associated with Outlook and Outlook Express
|
.pst and .ost are used by Outlook
.dbx and .mbx are used by Outlook Express |
|
|
In browser history analysis which file provides a user's Internet history?
|
Index.dat
Internet Explorer through IE9; IE10 and later keep history in the WebCacheV01.dat database instead |
|
|
This step stands by itself and involves the extraction of deleted files from a file system's unallocated space
|
Data Recovery
|
|
|
The purpose of a______is for the analyst to describe the actions performed, determine what else needs to be performed and recommend improvements for policies, guidelines, procedures, tools and other aspects of the forensic process.
|
Report
|
|
|
What are the three purposes of reporting?
|
Evidence to help prosecute specific individuals
Actionable intelligence to help stop or mitigate some activity
Generate new leads for a case |
|
|
What is the regional intelligence reporting database?
|
NMEC
|
Used in-theatre
|
|
What is the global intelligence reporting database?
|
Harmony
|
|
|
This is a repository of electronic versions of captured material such as paper notes and documents as well as electronic files found on a variety of different media sources and is accessible by the Intelligence community .
|
Harmony database
|
|
|
Basic and Smart phones have what type of OS |
Basic phones have a proprietary OS
Smartphones use either the same OS as PCs or a stripped-down version |
|
|
If you seize a mobile device, whether it is on or off, what is one of the first things you should do? |
Find a power source for it so it stays charged until it can be examined |
|
|
Why should a seized mobile device be disconnected from a PC cable, cradle or docking station? |
A synchronization set on a preset schedule could overwrite data on the device (or push data to the PC); disconnecting it prevents that |
|
|
Besides allowing a mobile device to work what are 4 other things a SIM card does? |
Identifies the subscriber to the network
Stores personal information
Stores address books and messages
Stores service-related information |
|
|
What should you make note of when seizing a mobile device? |
Be sure to note the time |
|
|
What keeps a mobile device from transmitting and receiving signals? |
Faraday bags |
|
|
What are the two ways to acquire SIM data? |
Indirectly, through commands sent to the phone and passed to the SIM
Directly, through commands sent to a SIM reader |
|
|
____-____is an approach to manipulate, erase, or obfuscate digital data or to make its examination difficult, time consuming or virtually impossible. |
Anti-Forensics |
|
|
What is the process of making data difficult to find while also keeping it accessible for future use? |
Data hiding |
|
|
This is one of the most commonly used techniques to defeat computer forensics |
Encryption |
|
|
Encryption uses a ______ and an ______ to transform information so that it is unreadable without the key. |
key, algorithm |
|
|
Name the 4 levels of Encryption. |
File-level encryption
Whole-disk encryption
Partition-level encryption
Encrypted container (only what's inside) |
|
|
______ is a technique to hide information and files inside other files, in plain sight |
Steganography |
|
|
This NTFS feature lets data of any kind be attached to any file as a named stream that does not appear in the file's normal contents or reported size |
Alternate data streams (ADS) |
|
|
What lists all the data streams of an NTFS file? |
The file's MFT record (each stream is a $DATA attribute) |
|
|
What are memory, slack space, hidden directories, bad blocks/clusters, hidden partitions and the Host Protected Area (HPA) of the hard drive considered? |
Other forms of data hiding |
don't over-complicate the answer |
|
Name the other forms of hiding |
Memory
Slack space
Hidden directories
Bad blocks/clusters
Hidden partitions
Host Protected Area (HPA) of the hard drive |
|
|
The process of permanently eliminating a particular file or entire file systems |
Artifact Wiping |
|
|
Disk Wiping utilities use a variety of methods to do what to data? |
overwrite the existing data on disks |
|
|
what type of utilities are used to overwrite existing data on disks using zeros or ones |
Disk Wiping |
|
|
DIsk degaussing is process where a ___________ is applied to a digital media device in order to erase data |
magnetic field |
|
|
What are other forms of physical destruction? |
disintegration
incineration
pulverizing
shredding
melting |
|
|
What is the purpose of trail obfuscation? |
to confuse, disorient, and divert the forensic examination process |
|
|
What are some forms trail obfuscation? |
Log cleaners
Spoofing
Misinformation
Zombie accounts
Trojaned commands |
|
|
What are some of the factors that have benefited anti-forensics methods? |
-Well-documented forensic examination procedures
-Widely known forensic tool vulnerabilities
-Digital forensic examiners' heavy reliance on their tools |
|
|
Define Reverse Engineering |
analyzing malware to determine how and why it functions |
|
|
Define malicious software (malware) |
programming(code, scripts, active content, and other software) that's designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, or otherwise exhibit abusive behavior. |
|
|
What are 2 reasons that malware analysis is performed |
Network defense
Understanding how malware works |
|
|
Malware analysis is the process of analyzing malware to determine what? |
to determine exactly what the malware is designed to do. |
|
|
Name the 2 disciplines of malware analysis |
Dynamic analysis
Static analysis |
|
|
Define Dynamic Analysis |
Analyzing the file by executing it in a controlled lab and observing its behavior. Triage |
|
|
Define Static Analysis |
Analyzing the file in a constant, non-changing state usually at code-level |
|
|
True or False: OllyDbg is a forensic tool |
False. OllyDbg is a user-mode debugger used in reverse engineering (dynamic analysis of malware), not a forensic acquisition or analysis suite |
|
|
What is Portable Executable(PE) format? |
a file format used by Windows executables, object code, and DLLs. |
|
|
What are 3 common malware formats? |
Portable Executable(PE), DLL and PDF |
|
|
Dynamic Link Libraries |
the current Windows way to use libraries to share code among multiple applications |
|
|
What are the most common PE file header sections? |
.text .rdata .data .rsrc (page 50, table 4) |
|
|
What is the current Windows way to use libraries to share code among multiple applications? |
Dynamic Link Libraries (DLLs) |
|
|
3 ways malware writers use DLLs |
To store malicious code
By using Windows DLLs
By using third-party DLLs (page 51) |
|
|
What is the main DLL function |
DllMain() |
|
|
True or false: A DLL is a binary file that cannot be executed on its own. |
True but it exports functions that can be used by other applications |
|
|
List the common DLLs |
Kernel32.dll
Advapi32.dll
User32.dll
Ntdll.dll
WSock32.dll & Ws2_32.dll
Wininet.dll |
|
|
True or false: PDFs do not use the PE file format |
True |
|
|
PDF Injection Sequence |
1. User opens PDF
2. Embedded script is set to "execute on open"; the script decodes and extracts embedded malware, or
3. The script downloads it from the Internet (malicious file server)
4. Malware is installed on the victim's machine
|
Note: the malicious PDF also opens a clean version of the PDF document to keep the user from suspecting anything is wrong. |
|
What is Dynamic Malware analysis also known as? |
Reverse Engineering |
|
|
What are the ways malware is delivered through MS Word documents? |
-VBA macros
-Payload of a Microsoft Office exploit (MS Office vulnerabilities)
-Embedded Flash program
-Embedded JavaScript (embeds ActiveX) |
|
|
Viruses, Worms, Trojans, Rootkits, Adware/Spyware, Scareware, Bots are all classifications of ________. |
Malware |
|
|
Rootkit |
Stealthy type of malware that hides the existences of certain processes or programs |
|
|
Malware that forces unsolicited advertising on end users |
Adware/Spyware |
|
|
Self-replicating malware that needs user interaction to spread |
Virus |
|
|
Self-replicating malware that doesn't need user interaction to spread. |
Worm |
|
|
A seemingly innocent file that contains malicious code running behind a functional program |
Trojan |
|
|
Malware that makes you think your computer is infected and the only way to remove it is a specific link |
Scareware |
|
|
Allows an attacker access to the system and the machine receives its instructions from a command-and-control server |
Bot |
|
|
Tool that provides a sterile and easily re-configurable environment in which to analyze and test malware |
VMWare |
|
|
VMware Workstation (VM-WS) gives you the capability to create what, so you can revert to a previously known state? |
snapshot |
|
|
What type of environment must an analyst set up before analysis? |
An analysis environment |
|
|
What type of machines need to be setup in an analysis environment ? |
Victim machine
Listener machine |
|
|
What programs can be used to verify the file header? |
PEview Hexplorer Winhex |
hex viewers |
|
What are the 5 Pre-Malware anlysis Activities? |
-Verify the file header
-Virus scan
-Hash the file
-Strings analysis
-Identify packer |
|
|
What is the Hex and ASCII file header of a Portable Executable? |
4D 5A ("MZ") |
|
|
Where can you find a files hash? |
Compute it with a hashing tool: a right-click shell extension that shows the MD5, or a command-line hasher (md5sum, certutil -hashfile) |
|
|
What are some reasons a program contains strings? |
-It prints a message
-It connects to a URL
-It copies a file to a specific location |
|
|
What are the common strings to look for |
Action words
IP addresses or domains
Developer information
Suspicious files or API calls
Registry keys
Packing routine identification |
|
|
What are some action words to look for during strings analysis? |
install, create, del, set, move, run, copy, attrib, malware
Changes to file properties
|
|
|
True or False: During strings analysis .exe files are considered suspicious files |
True |
|
|
What program is used to look at comparisons of Registry Keys before and after install |
Regshot |
|
|
What can be viewed with RegShot? |
Changes to the registry keys
Changes to attributes
Files added
Folders added |
|
|
What can be used to Identify the packer? |
PEiD, or packer-specific names near the beginning of the strings output (e.g. the UPX0/UPX1 section names) |
|
|
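The MZ header, the PE section table and packer identification from the cards above, as one added example (not course material): parse the DOS header's e_lfanew, the PE signature, the COFF header and the section headers; compute per-section entropy; and flag the cheap packer signs (UPX0/UPX1 names, a high-entropy section, an empty section with a large virtual size reserved for unpacking). The two PE images are constructed in the code and are not real binaries.

```python
import math
import random
import struct

PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".nsp0", ".nsp1",
                   "MPRESS1", "MPRESS2", ".themida", ".vmp0", ".vmp1"}
IMAGE_FILE_DLL = 0x2000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits/byte: ~0 for padding, ~4-6 for code, >7 for packed/encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":                       # 4D 5A: the DOS header every PE starts with
        raise ValueError("no MZ header: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("MZ present but no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    sect_table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, raw_size, raw_ptr, _r, _l, _nr, _nl, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, sect_table + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(entropy(raw), 2), "flags": flags})
    return {"machine": machine, "timestamp": timestamp,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL), "sections": sections}


def packer_indicators(pe: dict):
    hits = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTIONS:
            hits.append(f"{s['name']}: known packer section name")
        if s["raw_size"] and s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{s['name']}: no raw data but {s['virtual_size']} bytes virtual")
    return hits


# --- constructed minimal PE images for the example (not real binaries) ---
def build_pe(sections, is_dll=False) -> bytes:
    """sections: list of (name, raw_bytes, virtual_size)."""
    opt = struct.pack("<H", 0x10B) + bytes(222)                 # PE32 optional header, mostly zero
    header_len = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    table, body, raw_ptr = b"", b"", header_len
    for name, raw, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, len(raw),
                             raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 1600000000, 0, 0, len(opt),
                       0x0102 | (IMAGE_FILE_DLL if is_dll else 0))
    return dos + b"PE\x00\x00" + coff + opt + table + body


_rng = random.Random(7)
CLEAN_PE = build_pe([(".text", b"\x55\x8b\xec\x83\xec\x10" * 80, 0x1E0),
                     (".rdata", b"Hello from a constructed sample\x00", 0x20),
                     (".data", bytes(64), 0x40),
                     (".rsrc", b"\x00" * 16, 0x10)])
PACKED_PE = build_pe([("UPX0", b"", 0x8000),
                      ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0x1000)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        pe = parse_pe(blob)
        print(label, [(s["name"], s["entropy"]) for s in pe["sections"]], packer_indicators(pe))
```

Section names are only a hint (a packer can rename them), which is why the entropy and the empty-but-large UPX0 section are checked as well; when these fire, the file is hashed, unpacked, and hashed again before strings analysis.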
If a file is packed what hashes do you need? |
packed and unpacked |
Note: strings on a packed file yields mostly garbage; the real strings only appear after unpacking, which is why both hashes are recorded |
|
When should a snapshot of the registry be made? |
Before and after you run malware on the system |
|
|
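A Regshot-style before/after comparison as an added example (not course material and not Regshot's own code): diff two registry snapshots, taken before and after the malware runs, and flag any change under the common persistence locations. Both snapshots and the svch0st.exe path are constructed for the example.

```python
# Snapshot = {key_path: {value_name: data}}, the same shape Regshot compares.
# Autostart locations malware most often touches for persistence (partial list).
PERSISTENCE_KEYS = (
    "\\Microsoft\\Windows\\CurrentVersion\\Run",          # also matches RunOnce
    "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",  # Shell, Userinit
    "\\Microsoft\\Windows NT\\CurrentVersion\\Windows",   # AppInit_DLLs
    "SYSTEM\\CurrentControlSet\\Services\\",
)


def diff_snapshots(before: dict, after: dict) -> dict:
    """Keys and values added, deleted and modified between two snapshots."""
    added_keys = sorted(set(after) - set(before))
    deleted_keys = sorted(set(before) - set(after))
    added_values, deleted_values, modified = [], [], []
    for key in sorted(set(before) & set(after)):
        b, a = before[key], after[key]
        for name in sorted(set(a) - set(b)):
            added_values.append((key, name, a[name]))
        for name in sorted(set(b) - set(a)):
            deleted_values.append((key, name, b[name]))
        for name in sorted(set(a) & set(b)):
            if a[name] != b[name]:
                modified.append((key, name, b[name], a[name]))
    for key in added_keys:
        for name, data in sorted(after[key].items()):
            added_values.append((key, name, data))
    return {"added_keys": added_keys, "deleted_keys": deleted_keys,
            "added_values": added_values, "deleted_values": deleted_values,
            "modified_values": modified}


def persistence_findings(diff: dict):
    """Added or modified values under autostart locations, with their new data."""
    hits = []
    for key, name, *rest in diff["added_values"] + diff["modified_values"]:
        if any(p.lower() in key.lower() for p in PERSISTENCE_KEYS):
            hits.append((key, name, rest[-1]))
    return hits


# constructed snapshots (not from a real system)
RUN = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
WINLOGON = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
SERVICE = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\svch0st"
DROPPED = "C:\\Users\\Public\\svch0st.exe"

BEFORE = {
    RUN: {"SecurityHealth": "C:\\Windows\\system32\\SecurityHealthSystray.exe"},
    WINLOGON: {"Shell": "explorer.exe", "Userinit": "C:\\Windows\\system32\\userinit.exe,"},
    "HKCU\\Software\\Sample\\Settings": {"Theme": "dark"},
}
AFTER = {
    RUN: {"SecurityHealth": "C:\\Windows\\system32\\SecurityHealthSystray.exe", "Updater": DROPPED},
    WINLOGON: {"Shell": "explorer.exe", "Userinit": "C:\\Windows\\system32\\userinit.exe," + DROPPED},
    "HKCU\\Software\\Sample\\Settings": {"Theme": "dark"},
    SERVICE: {"ImagePath": DROPPED, "Start": 2},
}

if __name__ == "__main__":
    diff = diff_snapshots(BEFORE, AFTER)
    for kind in ("added_keys", "added_values", "modified_values", "deleted_values"):
        print(kind, diff[kind])
    print("persistence:", persistence_findings(diff))
```

The Userinit change is the one easiest to miss in a raw diff: the original value is still there, the dropped executable was merely appended after the comma, which is why modified values are compared and not only added ones.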
What is the goal of dynamic malware analysis? |
to identify changes such as Registry key creation/modification, created (dropped) files, or network activity |
|
|
What are the six core steps of behavioral analysis |
1. Activate monitoring tools on victim and listener
2. Run malware in the virtual lab
3. Terminate the malware after a short period of time
4. Pause monitoring tools
5. Observe logs for suspicious activities
6. Repeat as necessary
|
Note: fill out your report throughout the process |
|
The Windows _______ is used to store OS and program configuration information , such as settings and options. |
Registry |
|
|
Malware often uses the registry for ______ or configuration data. |
persistence |
|
|
What are the registries 5 top level sections or root-keys? |
HKEY_LOCAL_MACHINE (HKLM)
HKEY_CURRENT_USER (HKCU)
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_USERS |
|
|
List the reasons malware create/copy (drop) files. |
To hide themselves
To install malicious tools
To take advantage of an exploit
To install files needed for the tools to run properly |
|
|
Why would malware require network activity
|
-To carry out its full malicious function (most payloads need to reach an attacker-controlled host)
-Backdoors
-Trojan droppers that download malicious files from a server
-Bots that try to connect to a bot controller |
|
|
Anti-virus signatures, strings, created (dropped)/deleted files, registry keys, callbacks, network traffic, obfuscation identification and miscellaneous information are all _____ information. |
Reportable |
|
|
List all the reportable information. |
Anti-virus signatures
Strings
Created (dropped)/deleted files
Registry keys
Callbacks
Network traffic
Obfuscation identification
Miscellaneous information |
|
|
What would fit under Reportable informations miscellaneous information? |
Information that didn't fit the other categories but may be important enough to mention. |
|
|
What are the different registers? |
EAX, EBX, ECX, EDX (general purpose)
ESI/EDI (source/destination index)
EBP (base pointer)
ESP (stack pointer) |
|
|
What does the SI and DI stand for in the ESI/EDI registers? |
Source Index Destination Index |
|
|
What is the difference between stacks and registers? |
Registers are a small set of storage locations inside the CPU with immediate access; the stack is a region of main memory used for short-term storage (function arguments, return addresses, local variables). |
|
|
What are flags used to create? |
Condition codes: flags record the outcome of the last arithmetic/compare instruction and drive conditional jumps |
|
|
List the most common conditional flags? |
Carry Flag (CF)
Overflow Flag (OF)
Zero Flag (ZF)
Sign Flag (SF) (0=positive, 1=negative)
Parity Flag (PF) |
|
|
What does the instructional format usually consist of? |
opcode(operation code) operands(1 or 2) |
|
|
List the main Anti-Analysis techniques |
VM detection
Anti-debugging checks
Rootkit use
Code obfuscation
Encoding techniques |
|
|
What are some of the common methods for VM detection? |
Virtual hardware
Globally Unique Identifiers (GUIDs)
Driver detection
I/O port detection (VMware uses port 0x5658, "VX" in ASCII)
The Red Pill (doesn't look at file system artifacts) |
|
|
How does an analyst combat VM checks?
|
*Use physical systems
*Don't install VM tools on the VM
*Disable the tool-detecting method by commenting out (patching) the code |
|
|
Using static analysis on the malware to debug and comment out code that's causing the problem is known as ______. |
Patching |
|
|
List the encoding techniques |
XOR
ROL|ROR
ROT
Base64 |
|
|
Explain XOR encoding |
some or all bytes have been XOR'd with a key byte (or a repeating multi-byte key) |
|
|
Explain ROL|ROR encoding |
the file has its bytes rotated by a number of bits - the key |
|
|
Explain ROT Encoding |
the files alphabetic characters(A-Z,a-z)are rotated by a certain number of positions. |
|
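The four encoding techniques in the cards above as one added example (not course material): single-byte XOR brute force ranked by known-plaintext cribs, ROL/ROR by n bits, ROT-n over letters, and base64 recovery from a blob. The embedded config string, the key and the crib list are assumptions made for the example.

```python
import base64
import re

# substrings that a decoded malware config or PE fragment is likely to contain
CRIBS = (b"http", b"MZ", b"This program", b".exe", b".dll", b"HKEY", b"SOFTWARE\\", b"cmd")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; a single key byte is the most common malware case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def brute_force_xor(data: bytes):
    """Try all 256 single-byte keys; rank by crib hits, then by printable ratio.
    Printable ratio alone is not enough: small keys such as 0x01 keep text printable."""
    ranked = []
    for k in range(256):
        pt = xor_bytes(data, bytes([k]))
        cribs = sum(1 for c in CRIBS if c in pt)
        printable = sum(1 for b in pt if 0x20 <= b < 0x7F or b in b"\r\n\t") / (len(pt) or 1)
        ranked.append((cribs, printable, k, pt))
    ranked.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return [(k, pt) for _, _, k, pt in ranked]


def rol8(b: int, n: int) -> int:
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    return rol8(b, 8 - (n % 8))


def rol_bytes(data: bytes, n: int) -> bytes:
    return bytes(rol8(b, n) for b in data)


def ror_bytes(data: bytes, n: int) -> bytes:
    return bytes(ror8(b, n) for b in data)


def rot(text: str, n: int) -> str:
    """Rotate only A-Z / a-z by n positions (ROT13 is n=13 and is its own inverse)."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + n) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + n) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


BASE64_RE = re.compile(rb"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def find_base64(data: bytes):
    """Decode base64-looking runs of 16+ characters; returns (encoded, decoded) pairs."""
    found = []
    for m in BASE64_RE.finditer(data):
        try:
            found.append((m.group(), base64.b64decode(m.group(), validate=True)))
        except ValueError:
            pass
    return found


# constructed sample: a config blob the way a dropper might store it (not a real sample)
PLAINTEXT = (b"http://203.0.113.45/cfg.dat|"
             b"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")
XOR_KEY = 0x5A
SAMPLE_XOR = xor_bytes(PLAINTEXT, bytes([XOR_KEY]))
SAMPLE_ROL = rol_bytes(PLAINTEXT, 3)
SAMPLE_B64 = b"junk\x00\x00" + base64.b64encode(PLAINTEXT) + b"\x00junk"

if __name__ == "__main__":
    key, pt = brute_force_xor(SAMPLE_XOR)[0]
    print(f"XOR key 0x{key:02X}: {pt!r}")
    print("ROR 3:", ror_bytes(SAMPLE_ROL, 3))
    print("ROT13:", rot("Guvf vf n grfg", 13))
    for enc, dec in find_base64(SAMPLE_B64):
        print("base64:", dec)
```

A multi-byte XOR key is handled the same way once its length is known (each key position is a separate single-byte problem over every n-th byte), and for any of these encodings the decoded output is what the strings analysis step is then run against.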