(13) Forensic Toolset Building Flashcards
What computer components should a forensics investigator have on hand?
-A digital forensics workstation
-Forensic drive duplicator
-Wiped drives and wiped removable media
-Write Blockers
-Camera
-Cables and Drive Adaptors
What record keeping components should a forensics investigator have on hand?
-Forensics investigation suite
-Labeling and documentation tools
-Notebooks and pre-prepared documentation forms and checklists
Describe the ins and outs of creating copies of media or disks that could contain useful data for an investigation
An imaging utility creates an exact image of the drive it is copying.
It includes slack space, which is the space left over when a file is written and which can also be a place where files are intentionally hidden.
It also includes unallocated space that hasn't been assigned (or partitioned).
What are three examples of the benefits of Analysis Utilities?
-Filesystem metadata analysis to determine file changes, access, and deletions
-File carving tools that recover files even if the file system isn’t working
-Log file review and file parsing
What are three records based benefits of Analysis Utilities?
-Timelines of changes to a system
-Analysis of the Windows Registry
-Tools that validate the files on a system compared to known good versions
What is file carving?
File carving is about examining the drive on a block-by-block basis, looking for information such as file headers or other indicators of file structure.
If such items are found, the program tries to recover complete or partial files.
What are three common file carving techniques?
Three common techniques are:
-Carving based on the headers and footers of files, such as those found in JPEG files
-Carving based on the content of the files, which can include character counts and recognition of text
-Carving based on file structure, using knowledge of how a given file type is laid out
What three hashing utilities are commonly used in forensics?
MD5, SHA1, and SHA1 are often used in forensics
What is the most common forensic activity for an endpoint?
The most common forensic activity for an endpoint is disk or storage based analysis. This is where manual inspection of files and complete imaging and analysis of entire disks or volumes take place.
What is memory forensics?
Memory forensics is the analysis of live memory activity on a running machine, or the capture of a copy of live memory for what is called point-in-time forensic memory analysis.
When are memory forensics particularly useful?
Memory forensics is particularly useful when trying to recover security artifacts that are stored in memory, such as encryption keys and passwords.
Describe mobile device (cell phone) forensic tools options
Mobile phone forensics tools include the ability to extract data from locked or encrypted devices through specialized decryption and brute forcing capabilities.
Phone backup forensics are useful too, because backups can capture older data and deleted data that might not be protected at the same security level as the device itself.
Describe password crackers and their usefulness in forensics
Password crackers are useful for recovering access to many kinds of protected files, such as Microsoft Office files, PDFs, and ZIP and RAR archives.
What do we need to remember about cryptographic tools when it comes to forensics?
When it comes to forensics, cryptographic tools play two roles: they protect forensic data, and they are also used to protect data and applications from forensic analysis.
Some forensics tools have encryption capabilities to make sure that sensitive data under investigation is not breached as part of the investigation when drives or files get transferred.
Describe how cryptography tools can be used when it comes to malware
When it comes to malware, cryptography tools matter because malware can use encryption-based protection schemes to hinder analysis of its code.
These types of tools are called packers, and they exist to protect malware packages from being reverse engineered.