Chapter 7

Question 1

what is a vital source of digital evidence that historically has been neglected and ignored

Answer 1

RAM

Question 2

what does RAM stand for

Answer 2

random access memory

Question 3

what info does RAM contain

Answer 3

• info about the current running state of the system before you shut it down
• any running programs (legit AND malware)
• info related to network connections the host has w other peers (legit peer-peer sharing AND attackers host)

Question 4

where would you look to find if a user has been sharing illicit images

Answer 4

RAM

Question 5

what is the kitchen table of the computer system

Answer 5

RAM

Question 6

where may we only find evidence of data being hosted in the cloud

Answer 6

RAM

Question 7

can you recover encryption keys for closed encryted containers that have been created by the user

Answer 7

sometimes through RAM

Question 8

if you were to take a forensic image of RAM at 2 diff times, what would you find

Answer 8

diff results

Question 9

are you changing evidence when you collect RAM

Answer 9

yes

Question 10

how is analyzing RAM diff from analyzing a hard drive

Answer 10

• RAM is a snapshot of a live running system
• hard drive examination is static

Question 11

is storing on RAM quick

Answer 11

extremely fast

Question 12

the data stored within RAM chips is considered to be _____

Answer 12

volatile

Question 13

when do we lose volatile data

Answer 13

when the computer system is no longer powered on

Question 14

what are the 2 diff types of RAM

Answer 14

• static RAM (SRAM)
• dynamic RAM (DRAM)

Question 15

what are the differences between SRAM and DRAM

Answer 15

• SRAM
• faster
• more efficient w respect to energy use
• DRAM
• cheaper to produce

Question 16

what is SRAM and DRAM typically used for

Answer 16

• SRAM cache memory for the CPU
• DRAM used for memory chips for the computer system

Question 17

what does ROM stand for

Answer 17

read-only memory

Question 18

what does ROM do

Answer 18

• permanently stores data within the memory chips
• NOT volatile

Question 19

for the CPU to access the data/execute code being stored in the memory chips, what must exist

Answer 19

a unique location identifier to that data (an address)

Question 20

what is privilege separation

Answer 20

• determines what a user, user account, the process is allowed to access
• a form of access control
• when used by the OS, helps provide system stability

Question 21

how does privilege separation provide system stability

Answer 21

isolates users and the CPU kernel’s actions

Question 22

what is the other term for the OS’s trusted mode

Answer 22

kernel mode

Question 23

what is the other term for untrusted mode

Answer 23

user mode

Question 24

do different operating systems access RAM in different or the same general manners

Answer 24

the same

Question 25

in privilege separation, what modes does the OS and user applications operate in

Answer 25

- **OS** trusted mode/ kernel mode - **user application** untrusted/ user mode

Question 26

what is system calls

Answer 26

- a bridge between the application and OS to allow untrusted mode to become trusted for a specific instance - used when the user application needs to request access to resources controlled by the OS's kernel

Question 27

what is process management

Answer 27

- program code executed in memory - OS is responsible for managing the processes

Question 28

what is threads

Answer 28

- the basic unit of using the system's resources (like CPU)

Question 29

the contents of RAM may include artifacts of what is/has occurred such as...

Answer 29

- configuration info - typed commands - passwords - encryption kets - unencrypted data - IP addresses - internet history - chat convo - emails - malware

Question 30

can you access RAM after the system has shut down

Answer 30

- no - but you can examine other sources that may have the data that you're looking for

Question 31

what are other sources that might have the same info as RAM

Answer 31

- hibernation file - pagefile - swapfile - crash dump

Question 32

what is hibernation

Answer 32

the process of powering down the computer while still maintaining the current state of the system

Question 33

how do you get RAM info from hibernation

Answer 33

- RAM will be compressed and stored in hiberfill.sys file - when the system is reactivated, the contents will be placed back in RAM

Question 34

how do you get RAM info from pagefile

Answer 34

the system will transfer data to pages, and hide away the least requested info

Question 35

what is paging

Answer 35

a method of storing/retrieving data being used in RAM chips w a virtual memory file on storage device

Question 36

what is swapfile

Answer 36

- very similar to page file - when an application is suspended, the system will write the app data completely into the swap file - this frees up space

Question 37

what is crash dump

Answer 37

when the system crashes, it may create a dump of memory to store info about the state of the system at the time of the crash

Question 38

what are the diff kinds of crash dump and what do they mean

Answer 38

- **complete memory dump* data contained within physical memory - **kernel memory dump** only pages of data in kernel mode - **small dump files** info about running processes/loaded divers at the time of crash

Question 39

what contains the key to determine which memory dumps may exist on the system you are examining

Answer 39

the SYSTEM hive

Question 40

the SWGDE has offered which considerations regarding the collection of volatile data

Answer 40

- the app used to collect data will overwrite some memory content - the larger the tool/ files, more data is overwritten - the system may load the USB device drievr into memory or registry - the app used to collect the RAM data will show up in some *most recently used* (MRUs)

Question 41

to successfully image the RAM, what do you need

Answer 41

1. a capturing device (such as a USB) 2. access to the system 3. administrator privileges

Question 42

what are some tools that can be used to capture RAM

Answer 42

- DumpIt - FTK Imager

Question 43

what software should be used to analyze RAM

Answer 43

open source or commercial (depends on examiner's preference)

Question 44

what are some open source software to analyze RAM

Answer 44

- bulk extractor - volatility - VOLIX II v2

Question 45

describe Bulk Extractor

Answer 45

- scans target media and extracts what it believes to be useful info - ignores filesystem structure, allowing it to process diff parts of source data - very fast

Question 46

describe Volix II

Answer 46

- a GUI frontend for the volatility framework - quick search

Question 47

Answer 47

A and B

Question 48

Answer 48

C

Question 49

Answer 49

C

Question 50

Answer 50

C

Question 51

Answer 51

false

Question 52

is it acceptable to install DumpIt on the suspect computer

Answer 52

false

Question 53

Answer 53

Volatility