Alllllll Flashcards
Windows Registry
Information about files and services, locations of deleted files, evidence of applications being run
Autorun Keys
Programs set to run at startup (often associated with malware or compromise)
Master File Table (MFT)
Details of inactive/removed records
Event Logs
Logins, service start/stop, evidence of applications being run
INDX files and change logs
Evidence of deleted files, MAC timestamps
Volume Shadow Copies
Point-in-time information from prior actions
Recycle bin contents
Files that were intended to be deleted but forgotten
Hibernation files and memory dumps
Memory artifacts of commands run
Temporary Directories
Artifacts of software installation, user temporary file storage, or other limited lifespan data
Removable Drives
System logs may indicate drives were plugged in; data may be relevant to investigations
POP3 Port
Port 110
NTP Port
Port 123
SQL Server (2 Ports)
Port 1433 & 1443
Oracle Port
Port 1521
RADIUS (2 Ports)
Port 1812 & 1813
MySQL Port
Port 3306
STIX Protocol
XML language. Current version includes things like attack patterns, identities, malware, threat actors, and tools. Conveys data so that humans and security technologies can understand it