4.5 Forensic Data Acquisition Flashcards

1
Q

State the order of volatility

A

CPU registers, CPU cache
Routing table, ARP cache, process table, kernel statistics, memory
Temporary file systems
Disk
Remote logging and monitoring data
Physical configuration, network topology
Archival media

Collect the most volatile items first; each step down the list survives longer. This is the ordering given in RFC 3227.
2
Q

What is the best way to gather storage data?

A

Capture volatile data (RAM, network state) first, then power the system down so nothing else on the drive changes. Be aware that on a system using full-disk encryption, powering off may leave the volume unreadable unless you hold the key.
Remove the storage drive and connect it to an imaging device through a write blocker so the source is never modified.
Make a forensic clone (bit-for-bit copy) rather than a file-level copy.
Preserve all data, even "deleted" data, slack space and unallocated space. Hash the source and the image (e.g., SHA-256) and record that they match.

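The imaging and verification steps above, as an added example (not code from the original page). It mirrors what a dd/dc3dd-style imager does: read the source in sector-sized blocks, keep going past unreadable sectors by zero-filling them so every byte of the image stays at the same offset as on the source, hash the image as it is written, and re-hash the source afterwards to prove the copy is exact. The "device" is a constructed regular file standing in for something like /dev/sdX, and `bad_sectors` is a hypothetical hook that only exists to simulate read errors.

```python
"""Bit-for-bit acquisition with on-the-fly hashing (added example)."""
import hashlib
import os
import tempfile

SECTOR = 512  # a real device is always a whole number of sectors


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file (works for multi-terabyte images)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, bad_sectors=frozenset()):
    """Copy `source` to `image` sector by sector and return an acquisition report.

    `bad_sectors` is a hypothetical hook used only to simulate unreadable
    sectors (a real device raises OSError); those sectors are written as
    zeros and their byte offsets logged. This is the conv=noerror,sync
    behaviour of dd: a read error never shifts the data that follows it.
    """
    h = hashlib.sha256()
    unreadable = []
    with open(source, "rb") as src, open(image, "wb") as dst:
        n_sectors = (os.fstat(src.fileno()).st_size + SECTOR - 1) // SECTOR
        for index in range(n_sectors):
            try:
                if index in bad_sectors:
                    raise OSError("simulated read error")
                data = src.read(SECTOR)
            except OSError:
                data = b"\x00" * SECTOR
                unreadable.append(index * SECTOR)
            src.seek((index + 1) * SECTOR)  # realign whether or not the read failed
            dst.write(data)
            h.update(data)
    return {"image_sha256": h.hexdigest(), "unreadable_offsets": unreadable}


def verify(source, image, report):
    """The image on disk must hash to what the imager saw while writing it;
    with no read errors it must also hash identically to the source."""
    if sha256_of(image) != report["image_sha256"]:
        return False
    if report["unreadable_offsets"]:
        return True  # source cannot match byte-for-byte; the error log documents why
    return sha256_of(source) == report["image_sha256"]


def demo():
    """Constructed 4 KiB 'device': image it cleanly, then with one bad sector."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "sdX")      # stand-in for /dev/sdX (constructed data)
    img = os.path.join(tmp, "sdX.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 16)  # 4096 bytes = 8 sectors, deterministic
    clean = acquire(src, img)
    clean_ok = verify(src, img, clean) and clean["unreadable_offsets"] == []
    damaged = acquire(src, img, bad_sectors={3})
    damaged_ok = verify(src, img, damaged) and damaged["unreadable_offsets"] == [3 * SECTOR]
    return clean_ok, damaged_ok, clean["image_sha256"] != damaged["image_sha256"]


if __name__ == "__main__":
    print(demo())
```

The report dictionary is what goes into the chain-of-custody record: the image hash, plus the offsets of any sectors that could not be read. Without that error log, a mismatch between source and image hashes is indistinguishable from tampering.
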
3
Q

What is the challenge of capturing RAM data and how do you do it?

A

RAM changes constantly, and the act of capturing it (loading a tool, allocating buffers) changes it too, so the result is never a perfectly consistent snapshot.
Third-party memory-acquisition tools (a memory dump utility) read physical memory and copy it to a separate system or device, never to the suspect's own disk. Hash the dump as soon as it is written.

4
Q

What data is never written to a storage drive from RAM?

A

Data that typically lives only in RAM and may never be written to disk: browsing history (e.g., private sessions), clipboard contents, encryption keys in use, shell command history. Once the machine is powered off, it is gone.

5
Q

What is the swap/pagefile?

A

It's a temporary area on disk that the OS pages memory in and out of when RAM is full. It can therefore hold fragments of what was in RAM (including the items above), so we want to gather this data as well.
Each OS uses this area slightly differently (a Linux swap partition or swap file, Windows pagefile.sys and hiberfil.sys, macOS swapfiles under /private/var/vm).

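Carving the RAM-only artifacts from the three cards above out of a memory dump or pagefile, as an added example (not code from the original page). Once the dump has been acquired, the simplest way to recover items that never reach disk in any structured form is to carve printable strings, as `strings -a -t d` (ASCII, with decimal offsets) and `strings -e l` (UTF-16LE) do, and then classify them. The image is constructed inline; the classifier regexes are illustrative starting points, not an exhaustive artifact catalogue.

```python
"""Carving RAM-only artifacts out of a memory or pagefile image (added example)."""
import re

MIN_LEN = 6  # shortest run worth reporting, same default as strings(1)

# Printable ASCII runs, and UTF-16LE runs: Windows clipboard, registry and
# many GUI buffers store text as UTF-16, which an ASCII-only scan misses.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

CLASSIFIERS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "password": re.compile(r"(?i)pass(?:w(?:or|0r)?d|phrase)"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "shell_command": re.compile(r"^(?:sudo|ssh|curl|wget|nc|scp) \S.*"),
}


def carve_strings(image: bytes):
    """Return (offset, encoding, text) for every printable run in the image."""
    found = []
    for m in ASCII_RUN.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def classify(strings):
    """Tag carved strings that look like URLs, credentials, keys or commands."""
    hits = []
    for offset, encoding, text in strings:
        for kind, pattern in CLASSIFIERS.items():
            if pattern.search(text):
                hits.append((offset, encoding, kind, text))
    return hits


def build_sample_image() -> bytes:
    """Constructed fragment of a RAM/pagefile image: non-printable filler
    around artifacts of the kinds that normally exist only in memory."""
    filler = b"\x00\x01\xff\xfe" * 8
    return (
        filler
        + b"https://intranet.example.test/login?user=alice"       # private-session browsing
        + filler
        + "Copied to clipboard: Passw0rd!".encode("utf-16-le")   # Windows clipboard text
        + filler
        + b"-----BEGIN RSA PRIVATE KEY-----"                       # key material in a process heap
        + filler
        + b"ssh -i /root/.ssh/id_rsa admin@10.0.0.5"               # command history still in memory
        + filler
    )


if __name__ == "__main__":
    for offset, encoding, kind, text in classify(carve_strings(build_sample_image())):
        print(f"{offset:08d} {encoding:8s} {kind:14s} {text}")
```

Run the same carver over the swap/pagefile image: because the OS pages memory out wholesale, the same strings (and the same UTF-16 clipboard text) turn up there long after the process that owned them has exited.
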
6
Q

What type of information from the OS may be modified during a compromise?

A

The core operating system files: executables and shared libraries. Compare them against known-good baselines (cryptographic hashes taken from a clean install or from the vendor's package manifest). Work from the forensic image, not the live system, because a rootkit on the compromised host can hide its changes from tools run there.

Other important areas of note:

  • Logged in user
  • Open ports
  • Running processes
  • Attached device list
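The baseline comparison described above, as an added example (not code from the original page). `hash_tree` records a SHA-256 for every regular file under a root, which is the baseline you take from a clean install or from the image of a known-good host, and `compare` reports what a later tree changed. Both directory trees are constructed in temp directories; the names only mimic /bin, /lib and /etc.

```python
"""Comparing OS files against a known-good hash baseline (added example)."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map relative path -> sha256 hex for every regular file under root.
    Symlinks are skipped so a link to /bin/sh is not hashed as /bin/sh."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes two reports diffable
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            baseline[os.path.relpath(full, root)] = h.hexdigest()
    return baseline


def compare(baseline, current):
    """Content-only comparison. Timestamps are ignored on purpose: an attacker
    can reset them (timestomping) but cannot keep the hash of a changed file."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Known-good tree vs. a compromised copy: one trojaned binary, one
    dropped library, one deleted config file (all constructed)."""
    clean = tempfile.mkdtemp(prefix="clean-")
    suspect = tempfile.mkdtemp(prefix="suspect-")
    for root in (clean, suspect):
        _write(root, "bin/ls", b"\x7fELF original ls")
        _write(root, "lib/libc.so.6", b"\x7fELF libc")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
    baseline = hash_tree(clean)
    _write(suspect, "bin/ls", b"\x7fELF trojaned ls")    # same name and size, new contents
    _write(suspect, "lib/libevil.so", b"\x7fELF dropped")  # file the baseline never had
    os.remove(os.path.join(suspect, "etc/hosts"))          # file the attacker removed
    return compare(baseline, hash_tree(suspect))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline on media the suspect host never touched, and point `hash_tree` at the mounted forensic image rather than at the running system; a hash database that lived on the compromised box is only as trustworthy as the box.
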
7
Q

How do you capture data from mobile devices and tablets?

A

Use an existing backup file (e.g., one made by the device's desktop backup or sync tool) or acquire an image of the device over USB with a mobile forensics tool.

Areas of note:

  • Phone calls
  • Contact information
  • Text messages
  • Emails
  • Images and movies
  • More
8
Q

When Firmware is compromised, how should we investigate?

A

It depends on the product and model. Often the firmware has been reprogrammed (re-flashed) with the attacker's code. By observing how the device now behaves, and where practical by extracting the running firmware and comparing it against the vendor's image, we may be able to determine how it was compromised, what capability the attacker gained on the device, and where data is going to or coming from.

9
Q

How do we handle VM compromises?

A

Snapshots record the VM's state at a point in time. Hypervisors store each one as a differencing disk that holds only the blocks changed since the previous snapshot, so the chain behaves like a base image plus incremental backups. Investigate the snapshots taken before and after the suspected compromise: the difference between them is what the attacker changed. Restoring or mounting a given snapshot requires the base disk and every snapshot in the chain up to it, so preserve the whole chain (and the memory snapshot, if one was taken), not a single file.

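The snapshot chain described above, as an added example (not code from the original page or from any hypervisor). It is a toy model of a differencing disk: each layer stores only the blocks written since its parent and resolves every other read by walking back to the base image. That read-through behaviour makes the two forensic consequences visible: `chain` lists every layer a restore needs, `changed_blocks` shows exactly what changed between two snapshots, and `restore_without_ancestors` shows what is left when the parents are missing. Block contents and layer names are constructed.

```python
"""Copy-on-write snapshot chain: read-through, diffing, and broken chains (added example)."""

BLOCK_SIZE = 8  # tiny blocks so the example stays readable


class SnapshotLayer:
    """One disk in the chain: the base image or a differencing disk."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.blocks = {}  # block number -> bytes written at this layer

    def write(self, block, data):
        self.blocks[block] = data.ljust(BLOCK_SIZE, b"\x00")[:BLOCK_SIZE]

    def read(self, block):
        """Walk from the newest layer back to the base until a copy is found."""
        layer = self
        while layer is not None:
            if block in layer.blocks:
                return layer.blocks[block]
            layer = layer.parent
        return b"\x00" * BLOCK_SIZE  # never written anywhere: reads as zeros


def chain(layer):
    """Every layer needed to read `layer`, oldest first."""
    layers = []
    while layer is not None:
        layers.append(layer)
        layer = layer.parent
    return layers[::-1]


def changed_blocks(older, newer):
    """Blocks whose content differs between two snapshots: what the
    compromise touched, if `older` predates it and `newer` follows it."""
    candidates = set()
    for layer in chain(newer):
        if layer not in chain(older):
            candidates.update(layer.blocks)
    return {b for b in candidates if older.read(b) != newer.read(b)}


def restore_without_ancestors(layer):
    """What a 'restore' sees if the parent snapshots are gone: only the
    blocks this layer rewrote survive, everything else reads as zeros."""
    orphan = SnapshotLayer(layer.name + "-orphan")
    orphan.blocks = dict(layer.blocks)
    return orphan


def build_chain():
    """base -> snap1 (taken before the incident) -> snap2 (taken after it)."""
    base = SnapshotLayer("base")
    for i, data in enumerate([b"boot", b"kernel", b"sshd", b"config"]):
        base.write(i, data)
    snap1 = SnapshotLayer("snap1", parent=base)
    snap1.write(3, b"config2")   # legitimate config change before the incident
    snap2 = SnapshotLayer("snap2", parent=snap1)
    snap2.write(2, b"sshd-bd")   # attacker replaces the sshd block
    return base, snap1, snap2


if __name__ == "__main__":
    base, snap1, snap2 = build_chain()
    print([layer.name for layer in chain(snap2)], changed_blocks(snap1, snap2))
```

Real formats (VMware delta disks, qcow2 backing files, Hyper-V AVHDX) differ in layout but share this structure, which is why deleting or consolidating a middle snapshot during an investigation destroys evidence.
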
10
Q

What is a cache?

A

A temporary data storage area that keeps recently used data for later reuse. Designed to increase speed.

CPU cache, disk cache, internet (browser) cache, etc.

Cache entries are replaced after a specific time or when the cache is full. Browser caches are long-lived (days or weeks), so they may still hold pages, images and scripts the user viewed even after the history was cleared.

11
Q

What are artifacts?

A

Digital items left behind by activity on a system, and potentially evidence. You might find them in:

Logs
Flash memory
Prefetch files (Windows; record which programs ran and when)
Recycle Bin
Browser bookmarks, saved logins and history
12
Q

What are some challenges to cloud forensics?

A

Devices are not totally in your control; the provider owns the hardware.
Potentially limited access (no physical access, only what the provider's APIs and logs expose).
It may be difficult to tie cloud data to a specific user because many users share the same systems at the same time.
Legal issues, depending on where the data is stored and where you are.

13
Q

What is a right-to-audit clause?

A

A clause in the contract (service agreement) giving you the option to perform a security audit of the provider at any time. Both parties agree to its terms and conditions up front. It lets you verify the provider's security rather than taking it on trust.

14
Q

What are the most important ideas to understand about data breaches?

A

If consumer data is breached, the affected consumers must be informed.

The legal details vary across countries and localities. If you are in the cloud, consider yourself a global entity: your data and your customers may fall under many jurisdictions at once.

Notification requirements also vary from place to place: which data requires notification, whom to notify (customers, regulators), and how quickly.
