Chapter 7 Performing Forensic Analysis

Question 1

• Forensic toolkit

- Design to allow data capture and Analysis and those tests can benefit from powerful multi-core CPU and plenty of RAM

Answer 1

Digital Forensic Workstation

Question 2

• Forensic toolkit
• Provides the ability to capture and analyze forensic images as well as track forensic investigations
  Examples FTK, EnCase, the SANS Investigate Forensic Kit (SIFT), or Sleuth Kit (TSK)

Answer 2

Forensic Investigation Suite or Forensic Software

Question 3

• Forensic toolkit
• Ensures that drives connected to a forensic system or device cannot be written to this helps to ensure the Integrity of the forensic investigation

Answer 3

Write blockers

Question 4

• Forensic toolkit
• Designed to copy drives for forensic investigation and then provide validation that the original drive and the content of the new drive match

Answer 4

Forensic Drive Duplicators

Question 5

• Forensic toolkit

- Large SSDs, USB thumb drives, or flash media make it easier to capture and transport multiple forensic images

Answer 5

Wiped drives and wiped removable media

Question 6

• Forensic toolkit
• A form used to track who was in possession of evidence at any time
• Reduces the potential for legal challenges based on poor custodial practices

Answer 6

Chain of custody form

Question 7

• Built into forensics suite or run independently to get a hash of the drive to validate the contents of the copy
• The goal of this process is to ensure that the copy exactly matches the source drive or device

Answer 7

Hashing utilities

Question 8

• Used in malware packages to protect from reverse engineering
• Intended to make direct analysis of the code difficult or impossible

Answer 8

Packers

Question 9

What’s the forensic process?

Answer 9

1. Determine what you are trying to find out - Compromise system, actions taken by malware, system admin made an unauthorized change.
2. Outline the locations and types of data that would help you answer the questions you are answering from Step One - At this step you should be able to come up with the types of data and systems you need to capture data from
3. Document in review your plan
4. Acquire and preserve evidence - Cloning media, seizing systems or devices, making live memory images
5. Perform initial analysis - Carefully tracking your actions, the systems and data you work within your findings
6. Use the initial analysis to guide further work - including deeper investigations and review where the initial analysis pointed to additional data
7. Report on the findings of the investigation

Question 10

Measures how easily data is to lose (the top being the most volatile to lose)

1. CPU cache, Registers, Running Processes, and RAM
2. Network traffic
3. Disk drives
4. Backups, Printouts, Optical drives

Answer 10

Order of validity

Question 11

• Common location used for Windows forensics

- Information about files and services, locations of deleted files, evidence of applications being run

Answer 11

Windows registry

Question 12

• Common location used for Windows forensics

- Program set to run at startup (often associated with malware or compromise)

Answer 12

Auto run keys

Question 13

• Common location used for Windows forensics

- Details of an active / removed records

Answer 13

Master file table

Question 14

• Common location used for Windows forensics

- Logins, service start / stop, evidence of applications being run

Answer 14

Event logs

Question 15

• Common location used for Windows forensics

- Evidence of deleted files, MAC timestamps

Answer 15

INDX files and change logs

Question 16

• Common location used for Windows forensics

- Point-in-time information from prior actions

Answer 16

Volume Shadow copies

Question 17

• Common location used for Windows forensics

- Login user artifacts

Answer 17

User directories and files

Question 18

• Common location used for Windows forensics

- Files that were intended to be deleted but forgotten

Answer 18

Recycle bin contents

Question 19

• Common location used for Windows forensics

- Memory artifacts of commands run

Answer 19

Hibernation files and memory dumps

Question 20

• Common location used for Windows forensics

- Artifacts of software installation, user temporary file storage or other limited lifespan data

Answer 20

Temporary directories

Question 21

• Common location used for Windows forensics

- Application specific data

Answer 21

Application logs

Question 22

• Common location used for Windows forensics

- System logs may indicate drives were plugged in; data may be relevant to investigations

Answer 22

Removable drives

Question 23

Linux utility used to clone drives in raw format, a bit-by-bit format

Answer 23

DD utility

Question 24

A full forensic suite and provides imaging capabilities from many types of devices

Answer 24

FTK

Question 25

Physically prevents writes from occurring while the drive is connected to them

Answer 25

Hardware write blockers

Question 26

Typically less popular than hardware write blockers due to the possibility of problems

Answer 26

Software write blockers

Question 27

To preserve and analyze logs

Answer 27

1. Determine where the logs reside and what format they’re stored in
2. Determine the time period that you need to preserve
3. Work with system administrators to obtain a copy of the logs and document how the logs were obtained
4. Identify items of Interest - might include actions, use your IDs, event IDs, time frames, or other events identified in your scope
5. Use log analysis tools like Splunk, Sawmill, event log analyzer to searching and review logs

Question 28

• Linux kernel module that allows access to physical memory

- Designed to be used with DD or similar tools

Answer 28

fmem

Question 29

• Linux kernel module that allows access to physical memory

- Directly copies data to a designated path and file

Answer 29

LiME

Question 30

• Windows memory capture tool

- Copies a System’s physical memory to a folder where the program is

Answer 30

DumpIt

Question 31

• Supports a broad range of operating systems

- Capabilities including tools to extract encryption keys and passphrases, user activity analysis, and rootkit analysis

Answer 31

The Volatility Framework

Question 32

Two tools that have built-in memory capture and analysis capabilities

Answer 32

EnCase and FTK

Question 33

• One of the ways used to acquire data from a mobile device

- Acquisition of the SIM card, memory cards, or backups

Answer 33

Physical

Question 34

• One of the ways used to acquire data from a mobile device

- Usually requires a forensic tool to create an image of the storage volumes

Answer 34

Logical

Question 35

• One of the ways used to acquire data from a mobile device

- Involves reviewing the contents of the live, unlocked phone and taking pictures and notes about what is found

Answer 35

Manual access

Question 36

• One of the ways used to acquire data from a mobile device

- Provides details of deleted files as well as existing files and directories

Answer 36

File system

Question 37

If a cloud service is part of your forensic investigation you may do the following:

Answer 37

1. Determine what your contract says about investigations
2. Determine what legal recourse you have with the vendor
3. Determine the data that you need and whether it is available via methods you or your organization controls
4. Work with the vendor to identify a course of action if you do not control the data