Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CYSA+ > Chapter 7 Performing Forensic Analysis > Flashcards

Chapter 7 Performing Forensic Analysis Flashcards

1
Q
  • Forensic toolkit

- Design to allow data capture and Analysis and those tests can benefit from powerful multi-core CPU and plenty of RAM

A

Digital Forensic Workstation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q
  • Forensic toolkit
  • Provides the ability to capture and analyze forensic images as well as track forensic investigations
    Examples FTK, EnCase, the SANS Investigate Forensic Kit (SIFT), or Sleuth Kit (TSK)
A

Forensic Investigation Suite or Forensic Software

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q
  • Forensic toolkit
  • Ensures that drives connected to a forensic system or device cannot be written to this helps to ensure the Integrity of the forensic investigation
A

Write blockers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q
  • Forensic toolkit
  • Designed to copy drives for forensic investigation and then provide validation that the original drive and the content of the new drive match
A

Forensic Drive Duplicators

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q
  • Forensic toolkit

- Large SSDs, USB thumb drives, or flash media make it easier to capture and transport multiple forensic images

A

Wiped drives and wiped removable media

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q
  • Forensic toolkit
  • A form used to track who was in possession of evidence at any time
  • Reduces the potential for legal challenges based on poor custodial practices
A

Chain of custody form

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q
  • Built into forensics suite or run independently to get a hash of the drive to validate the contents of the copy
  • The goal of this process is to ensure that the copy exactly matches the source drive or device
A

Hashing utilities

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q
  • Used in malware packages to protect from reverse engineering
  • Intended to make direct analysis of the code difficult or impossible
A

Packers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What’s the forensic process?

A
  1. Determine what you are trying to find out - Compromise system, actions taken by malware, system admin made an unauthorized change.
  2. Outline the locations and types of data that would help you answer the questions you are answering from Step One - At this step you should be able to come up with the types of data and systems you need to capture data from
  3. Document in review your plan
  4. Acquire and preserve evidence - Cloning media, seizing systems or devices, making live memory images
  5. Perform initial analysis - Carefully tracking your actions, the systems and data you work within your findings
  6. Use the initial analysis to guide further work - including deeper investigations and review where the initial analysis pointed to additional data
  7. Report on the findings of the investigation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Measures how easily data is to lose (the top being the most volatile to lose)

  1. CPU cache, Registers, Running Processes, and RAM
  2. Network traffic
  3. Disk drives
  4. Backups, Printouts, Optical drives
A

Order of validity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q
  • Common location used for Windows forensics

- Information about files and services, locations of deleted files, evidence of applications being run

A

Windows registry

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q
  • Common location used for Windows forensics

- Program set to run at startup (often associated with malware or compromise)

A

Auto run keys

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q
  • Common location used for Windows forensics

- Details of an active / removed records

A

Master file table

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q
  • Common location used for Windows forensics

- Logins, service start / stop, evidence of applications being run

A

Event logs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q
  • Common location used for Windows forensics

- Evidence of deleted files, MAC timestamps

A

INDX files and change logs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q
  • Common location used for Windows forensics

- Point-in-time information from prior actions

A

Volume Shadow copies

17
Q
  • Common location used for Windows forensics

- Login user artifacts

A

User directories and files

18
Q
  • Common location used for Windows forensics

- Files that were intended to be deleted but forgotten

A

Recycle bin contents

19
Q
  • Common location used for Windows forensics

- Memory artifacts of commands run

A

Hibernation files and memory dumps

20
Q
  • Common location used for Windows forensics

- Artifacts of software installation, user temporary file storage or other limited lifespan data

A

Temporary directories

21
Q
  • Common location used for Windows forensics

- Application specific data

A

Application logs

22
Q
  • Common location used for Windows forensics

- System logs may indicate drives were plugged in; data may be relevant to investigations

A

Removable drives

23
Q

Linux utility used to clone drives in raw format, a bit-by-bit format

A

DD utility

24
Q

A full forensic suite and provides imaging capabilities from many types of devices

25
Physically prevents writes from occurring while the drive is connected to them
Hardware write blockers
26
Typically less popular than hardware write blockers due to the possibility of problems
Software write blockers
27
To preserve and analyze logs
1. Determine where the logs reside and what format they're stored in 2. Determine the time period that you need to preserve 3. Work with system administrators to obtain a copy of the logs and document how the logs were obtained 4. Identify items of Interest - might include actions, use your IDs, event IDs, time frames, or other events identified in your scope 5. Use log analysis tools like Splunk, Sawmill, event log analyzer to searching and review logs
28
- Linux kernel module that allows access to physical memory | - Designed to be used with DD or similar tools
fmem
29
- Linux kernel module that allows access to physical memory | - Directly copies data to a designated path and file
LiME
30
- Windows memory capture tool | - Copies a System’s physical memory to a folder where the program is
DumpIt
31
- Supports a broad range of operating systems | - Capabilities including tools to extract encryption keys and passphrases, user activity analysis, and rootkit analysis
The Volatility Framework
32
Two tools that have built-in memory capture and analysis capabilities
EnCase and FTK
33
- One of the ways used to acquire data from a mobile device | - Acquisition of the SIM card, memory cards, or backups
Physical
34
- One of the ways used to acquire data from a mobile device | - Usually requires a forensic tool to create an image of the storage volumes
Logical
35
- One of the ways used to acquire data from a mobile device | - Involves reviewing the contents of the live, unlocked phone and taking pictures and notes about what is found
Manual access
36
- One of the ways used to acquire data from a mobile device | - Provides details of deleted files as well as existing files and directories
File system
37
If a cloud service is part of your forensic investigation you may do the following:
1. Determine what your contract says about investigations 2. Determine what legal recourse you have with the vendor 3. Determine the data that you need and whether it is available via methods you or your organization controls 4. Work with the vendor to identify a course of action if you do not control the data

CYSA+ (14 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions