9 - 4: Forensic Techniques

Question 1

Four main types of investigations

Answer 1

1) Operational/Administrative 2) Criminal Investigations 3) Civil Investigations 4) Regulatory

Question 2

Operational investigations

Answer 2

Investigate issues in technology services/performance

Question 3

Criminal investigations

Answer 3

Intended to investigate criminal activity

Question 4

Civil investigations

Answer 4

Non-criminal legal offenses involving a dispute between two parties

Question 5

Regulatory investigations

Answer 5

Carried out by government or other regulatory bodies

Question 6

Interrogations

Answer 6

When an interview subject withdraws consent, is only for law enforcement

Question 7

Types of evidence

Answer 7

1) Real evidence 2) Documentary evidence 3) Testimonial evidence

Question 8

Real evidence

Answer 8

Tangible items

Question 9

Documentary evidence

Answer 9

Information in written or digital form, including logs

Question 10

Documentary evidence rules

Answer 10

1) must be authenticated, attested to its legitimacy 2) best evidence 3) parole evidence

Question 11

Best evidence rule

Answer 11

Original documents are always superior

Question 12

Parole evidence rule

Answer 12

The court assumes a written agreement between to parties to be the only agreement and no verbal agreement is legally binding

Question 13

Testimonial evidence

Answer 13

A statement written or said under oath

Question 14

Direct evidence

Answer 14

Witness recounts what they observed

Question 15

Testimonial evidence types

Answer 15

1) Direct evidence 2) Expert Opinion

Question 16

Expert opinion

Answer 16

The court recognizes an authority in a field to interpret information

Question 17

Hearsay

Answer 17

Evidence based on what one person told another, not admissible

Question 18

Goal of digital forensics

Answer 18

Collect, preserve, analyze, and interpret digital evidence

Question 19

Volatility

Answer 19

The permanence or likelihood to change a piece of evidence has

Question 20

Order of volatility

Answer 20

1) Network traffic 2) Memory Contents 3) System and process data 4) Files 5) Logs 6) Archived Records

Question 21

Time offsets

Answer 21

Difference in timestamps between data evidence

Question 22

First rule of investigation

Answer 22

NEVER alter data captured

Question 23

Forensic file reading

Answer 23

1) Create an image of the physical media 2) use a write-blocker/forensic disk controller to prevent any data editing or creation

Question 24

Tamper-proofing

Answer 24

Sealed bags for physical media, hashing for digital

Question 25

File carving

Answer 25

Technique for combing through unallocated disk space to find deleted files

Question 26

Bulk extractor

Answer 26

A command-line file carving tool

Question 27

WinHex

Answer 27

A file carving tool that allows accessing binary file data

Question 28

Disc acquisition

Answer 28

Create an image of a disk for forensic review

Question 29

Common forensics tools

Answer 29

Autopsy, EnCase, and FTK (Forensics toolkit)

Question 30

Forensic workstation

Answer 30

Needs a lot of RAM, high-end CPU, lots of disk storage

Question 31

Live analysis

Answer 31

Retrieves volatile data components

Question 32

Memory dump

Answer 32

A technique for dumping RAM to forensic storage

Question 33

Sysinternals

Answer 33

A Windows-only forensics tool

Question 34

AccessEnum

Answer 34

Access enumerator, a forensic tool showing what users and groups have what permissions

Question 35

Swap files/page files

Answer 35

Temporary files that contain portions of memory at a point-in-time while memory is being written

Question 36

Autoruns

Answer 36

A utility showing what programs or scripts run at system boot

Question 37

Process Explorer

Answer 37

A hierarchical diagram of Windows programs showing what processes have activated other processes

Question 38

TCPView

Answer 38

Shows all active network connections to or from your system

Question 39

Linux password storage

Answer 39

Passwords are kept on a file with a one-way hash

Question 40

Shadow password file

Answer 40

A separate file where Linux password hashes are stored

Question 41

Secure hashing requires avoiding ____

Answer 41

Collision

Question 42

Dictionary attack

Answer 42

Tries English words as passwords first

Question 43

Rainbow Table attack

Answer 43

attempts pre-computed hashes

Question 44

Hybrid attack

Answer 44

Uses variations in spelling and characters while guessing passwords

Question 45

Ethernet networks

Answer 45

Send electrical signals over copper wire

Question 46

Wireless networks

Answer 46

Emit radio waves over the air

Question 47

Fiber-optic networks

Answer 47

Light pulses sent over glass

Question 48

Major uses of software forensics

Answer 48

1) resolve intellectual property disputes 2) identify malware origins

Question 49

Embedded devices

Answer 49

Special-purpose computers within smart devices. Typically cloud connected

Question 50

Chain of custody

Answer 50

A documented trail of who has owned what evidence

Question 51

3 Major steps of legal electronic discovery

Answer 51

1) Preservation 2) Collection 3) Production

Question 52

Preservation

Answer 52

A legal hold is issued notifying electronic records must be kept for a certain timeframe

Question 53

Preservation includes stopping:

Answer 53

Any process that automatically destroys data

Question 54

Collection

Answer 54

Once legal has decided to pursue litigation, cybersecurity teams may be required to assist with finding data

Question 55

Production

Answer 55

Legal provides collected electronic evidence to the other party

Question 56

Metasploit

Answer 56

The most commonly used exploitation tool

Question 57

shasum

Answer 57

A hashing tool available in a forensic toolkit

Question 58

dd

Answer 58

A disk imaging tool