500.1 - Data Triage Flashcards

1
Q

“Evidence of …” Categories

A
  • User Communication
  • File Download
  • Program Execution
  • File Opening/Creation
  • File Knowledge
  • Physical Location
  • USB Key Usage
  • Account Usage
  • Browser Usage
2
Q

What's in RAM (memory)?

A
  • Volatile data
  • Passwords (encrypted, unencrypted, program)
  • Processes
  • Open files / files / directories
  • Registry keys and devices
  • Network connections (active/open/listening)
  • Running apps
  • Configuration parameters
  • Memory-only exploits / rootkit technology
3
Q

Windows Memory Acquisition: LIVE and DEAD system

A
  • LIVE:
    • Image the local drive (unencrypted) instead of the physical one (encrypted)
  • DEAD:
    • Hibernation File - created when the computer hibernates / laptop lid closes (compressed RAM image) (%SystemDrive%\hiberfil.sys)
    • Page File - parts of memory sent to disk - not complete (%SystemDrive%\pagefile.sys)
    • Memory Dump - crash dump files (%WinDir%\Memory.dmp)
4
Q

EDD.exe

A

Command-line encryption checking tool

5
Q

FTK Imager and DumpIT

A

Memory Imaging

6
Q

Mounting Disk Images Types

A
  • RAW/DD - E01 - S01 - contain drive data, disk, partition, & full file structure
  • AD1/L01 - have no drive geometry - must be a logical image - contain full file structures, deleted files
  • Two key tools: FTK Imager, Arsenal Image Mounter
7
Q

Characteristics of mounted images

A
  • Logical (NTFS/FAT) - mounted to a drive letter
    - AD1 & L01 have no drive geometry - must be a logical image
  • Physical (Win App) - cannot be viewed by Windows Explorer
    - Can be viewed with a Windows app that performs physical name querying
8
Q

FTK imager - Mounting Methods

A
  • Block/Read Only - treats the mounted image as a block device (disk). The image is subject to NTFS permissions & Windows file/folder protections
    - Can only be viewed with a Windows app w/ physical name querying
  • Block/Writable - mounts the image as a writable device, saving any changes in a cache file (no changes made to the original image)
    - Allows you to write to the evidence and make notes. Notes are saved in a cache file; no changes are made to the original.
  • Filesystem/Read Only - creates a virtualized folder structure, circumventing Windows file/folder protection. Shows deleted files. Filesystem starts in the ROOT folder.
    - Reads the device as a read-only device that you can view using Windows Explorer. Shows deleted & existing files.
    - *** PREFERRED ***
9
Q

File Allocation Table (FAT)

A

Provides a linked list of the clusters that a file is stored in. The number at the end of the FAT name is an exponent of how many clusters can be addressed on the filesystem (2^#).

  • FAT12/16 -
    - MS-DOS, Win95/98/NT/2000
  • FAT32 -
    - Win95 (OSR2), Win2000
  • exFAT (newest version) - improves upon the FAT filesystem by reducing the overhead of the FAT, removing the continual use of the FAT to keep track of cluster allocations for contiguous files
    - 2008/2012/Vista/Win7/Win8/Win10
  • Windows NT (NTFS) - increased reliability & supports long & short file names. Is complex & has built-in recovery capabilities in case of a crash
    - WinXP/2003/2008/2012/Vista/Win7/Win8/Win10
  • ReFS - intended for file servers - made up of 3 layers (Data, Metadata, Filename)
    - Server 2012/2016/Win8.1/Win10
10
Q

NTFS Clusters

A
  • Allocated = data is being actively used by a file, exists in a file, not deleted
  • Unallocated = data not being used, may or may not exist in the block/cluster, deleted/unused, file fragments
11
Q

Deleted file vs Wiped File

A
  • Deleted = exists on disk, fully recoverable until unallocated
  • Wiped = one wipe is all that is necessary to stop recovery
12
Q

Master File Table (MFT)

A
  • 1024 bytes
  • Saved in “MFT Zone”
  • $MFT, $MFTMirr, $LogFile, $Volume, $Boot, etc.
13
Q

Windows Time Rules

A
  • File Modified/Accessed/Created timestamps are affected by: file copy, file access, file modify, file creation
  • NTFS records - last modification time, last access time, last modification of the MFT record, & file creation time, in the file's MFT record on the volume
  • File Copy - Modified = inherited from original file, Access = changed, Creation = changed
  • File Access - Modified = no change, Access = changed (no change on NTFS/Win7+), Creation = no change
  • File Modify - Modified = stamped, Access = no change, Creation = no change
  • File Creation - Modified = changed, Access = changed, Creation = changed
    - Last Access Time - updated on a file copy or move - not updated for merely opening the file
    - Creation date changes when CMD is used
14
Q

Alternate Data Stream (ADS)

A
  • Alternate content for a file - uses Zone.Identifier to identify the type of connection used
  • C:\Windows\System32 - will show all files that have a Zone.Identifier
  • Nozone = -1
  • MyComputer= 0
  • Intranet= 1
  • Trusted= 2
  • Internet = 3
  • Untrusted = 4
15
Q

Win7-10 Volume Shadow Copy

A
  • New “System Restore” for Vista/Win7 and 2008
  • Revert/restore/copy to a previous version of an entire volume, folder, or file
  • A previous version is not stored every time a file is saved
  • Snapshots are staggered - once a week (Win7), every 24 hrs (Vista)
  • Created when the computer is idle, turned off/on, or rebooted
  • All shadow copies are stored in the “System Volume Information” folder on the ROOT
  • 3808876b - unique identifier that is specific to shadow copies
16
Q

System Restore and Previous Versions

A
  • “Snapshot” created by VSS
  • VSS - Volume SnapShot Service - saves a “live” shadow copy in 16 KB blocks
  • Changes to VSS are saved to the “current”/new shadow copy
  • Windows versions Business, Enterprise, and Ultimate
  • Browse capability not in Win8 but in Win10
17
Q

List available shadows

A
  • System & creation time show when it was created

- C:\> vssadmin list shadows /for=C:

18
Q

Live Shadow volume examination

A
  • Use on a live machine to manually browse/scan a directory

- mklink - creates a symbolic link from a Vista/Win7 shadow copy to your machine

19
Q

Shadow Exploring

A
  • Easily examine/export VSC files of your choosing

- Use “Write temporary” mode - mounts to a writeable disk - changes are saved to a different file

20
Q

Trim and Wear Leveling

A
  • Helps manage wear and tear on SSDs - SSD storage is only good for a limited number of writes
  • Trim = clears data stored in flash, clears “free space”, once a week on Win7-10
  • Wear Leveling = moves data around to ensure even use of storage (negative forensic side effects)
21
Q

DFIR Implications of SSD

A
  • Sudden power loss
  • Write blocking = drive is powered on
  • No control over wear leveling or controller-initiated trimming
  • Drive integrity not guaranteed: MD5 could change over time, data loss could occur
  • Live acquisition
22
Q

Data Stream Carving vs File Carving

A
  • Data Stream Carving
    • Memory/Pagefiles
    • Unallocated Space
    • Allocated database files
    • Examples: URLs, chat, emails, encryption keys
  • File Carving
    • Memory/Pagefile
    • Unallocated space
    • Examples: .doc, .jpg, .zip, media (.mov)
23
Q

Internet Evidence Finder (IEF)

A
  • Skype logs and locations
24
Q

Parsing Metadata in files

A
  • A set of data that describes and gives information about other data
  • Pics, office docs, audio files, video files, exe files
  • ExifTool - pulls metadata (file name, creation time, author, last print, version, last modified)

MS Office

  • Author info
  • Creation time
  • Last print time
  • MS version (sometimes)
25
Q

Metadata Method - “Deleted files”

A
  • Fragmented files
    • Includes: MFT entry, FAT directory entry
    • Starting cluster, file size, filename, parent directory
26
Q

Data Layer Method - “Deleted files”

A
  • File headers (exe = MZ header)
    - File headers/footers, guesswork, 64 bytes
27
Q

Photorec / How it works

A
  • Reads the boot sector to determine cluster size, reads the target volume cluster by cluster and examines headers to determine file size