CHFI Flashcards
What is computer forensics?
A set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment that is acceptable in a court of law
What is cybercrime?
Any illegal act involving a computing device, network, its systems, or its applications. Categorized into:
internal - Attack performed by an entrusted person who has authorized access to the network
external - An attacker from outside the organization exploits security loopholes or uses social engineering to infiltrate the network
What are the different approaches to investigating cybercrime?
Civil, criminal, and administrative
Why are computer crimes challenging?
Due to their speed, anonymity, volatile nature of evidence, global origin and differences in laws, and limited legal understanding
What is digital evidence?
Any information of a probative value that is either stored or transmitted in a digital form. Comes in two forms:
volatile - Lost as soon as the device is powered off, such as system time, logged-on users, open files, memory, clipboard contents, command history
non-volatile - Data stored on secondary storage, such as hard disks. Includes hidden files, slack space, unallocated clusters, hidden partitions, etc.
What is forensic readiness?
an organization’s ability to optimally use digital evidence in a limited period of time and with minimal investigation costs
What are the 5 rules of evidence?
1: Evidence must be clear and understandable to the judges
2: Evidence must be related to the fact being proved
3: Evidence must be real and appropriately related to the incident
4: There must be no doubt about the authenticity or veracity of the evidence
5: The evidence must prove the attacker’s actions or his/her innocence
Describe a civil investigation
Investigators show the opposite party some proof to support the claims and induce settlement.
Search is based on mutual understanding and provides a wider window to hide evidence.
More informal.
Claimant responsible for collection and analysis of evidence.
Punishment is typically monetary.
Sometimes evidence can be in third-party control.
Describe a criminal investigation
Set of standard forensic processes must be followed as accepted by law
Computing devices may be forcibly seized under warrant
Formal report required
Law enforcement agencies responsible for collecting and analyzing evidence
Punishment includes fines, jail, or both
High standard of proof
Difficult to capture certain evidence, such as GPS device evidence
Describe an administrative investigation
Generally involves an agency or government performing inquiries to identify facts
Non-criminal in nature
Related to misconduct or activities of an employee that include violation of the organization's policies, rules, etc.; resource misuse, damage, or theft; threatening or violent behaviour; improper promotion or pay raise
Any violation may result in disciplinary action
What is the best evidence rule?
the court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy. However, a duplicate may be accepted if the reasons for duplication are genuine. Essentially, the original evidence is considered as the best evidence
What is federal rule 1001 of evidence?
1001 includes definitions of writings and recordings, photographs, original evidence, and duplicate evidence.
Describe federal rule 1002 of evidence
To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by an Act of Congress
Describe federal rule 1003
A duplicate is admissible to the same extent as an original unless:
a genuine question is raised as to the authenticity of the original or:
In the circumstances it would be unfair to admit the duplicate in lieu of the original
Describe federal rule 1004
The original is not required and other evidence of the contents of a writing, recording, or photograph is admissible if:
the originals are lost or destroyed;
the originals are not obtainable;
the original is in the possession of the opponent;
the matter is collateral
What are the steps to the forensic investigation process?
- Examination/Investigation goals
- Hypothesis Formulation / Criteria
- Experimental Design
- Tool Selection
- Results Review and Evaluation
- Conclusion and Opinion Formulation
What are some considerations that must be made when setting up a computer forensics lab?
- Planning and budgeting
- Physical and Structural design (size, HVAC, access, etc.)
- Work Area (ambience, lighting, internet, etc.)
- Physical security (intrusion alarm, fire suppression, etc.)
- Human resource (required personnel, training and certs)
- Forensics lab licensing
What are some considerations when building the investigation team?
- Keep team small to protect confidentiality
- ID team members and assign responsibilities
- Ensure everyone has proper clearance and authorization
- Assign one member as technical lead
What are the steps to ensuring QA in Forensic Lab ops?
- Arrange formal, documented trainings
- Validate equipment and document it
- Conduct annual proficiency tests
- Follow standards and/or controls in casework
- Have policies and procedures in place
- Attain accreditation
- Perform quality audits and management system review
- Ensure physical security
- Assure health and safety
- Review, update, and document policy standards annually
What is the first response role for non-forensics staff?
protect the crime scene and ensure it remains secure
Make notes and take photographs
Secure surrounding area linked to the incident
What is the first response role for system/network admins?
- Report incident according to organizational incident reporting procedures
- DO NOT perform actions unless directed to do so by forensics team
- May record what is on screen if computer is on, transfer copies of logs to clean media, isolate the system, or document every detail relevant to the incident
What is the first response role for Lab forensics staff?
- Document the electronic crime scene
- Collect incident information
- Plan search and seizure
- Identify and collect electronic evidence
- Package electronic evidence
- Transport Electronic evidence
What are best practices when dealing with powered-on computers?
- Photograph the screen and document running programs, open files, or data
- Pull the power cord immediately IF: Indication of data being overwritten/deleted; destructive processes observed
- Do NOT disconnect power If: evidential data visible on display; there are active programs or files in use such as chatrooms, open text files, etc.
- Perform volatile data collection and preservation process
- after collecting volatile data, pull plug from back of computer
- For portable computers, remove battery and unplug. If battery removal not possible, press power switch for 30 seconds
What are best practices for dealing with powered-off computers
- Leave it OFF
- Disassemble and package it (remove power supply cord; disconnect all wires and cables; check for removable media and secure it; tag evidence; document chain of custody)
- If monitor is off, turn it on and move mouse slightly. Photograph screen
- do not press any keys
What are the best practices for dealing with networked computers?
- Unplug network cable
- Photograph all devices connected to the victim computer, such as router, modem, printer, etc.
- If computer is off, leave it off
- If computer is on, photograph screen and follow powered-on procedures
What are best practices when dealing with mobile devices?
- Photograph screen’s display
- Do not turn the device on if it is off
- Leave device as is if it is on and keep it charged
What are Lost Clusters?
when an OS marks clusters of a disk as used but does not allocate them to a file
What is slack space?
the storage area of a disk between the end of a file and the end of a cluster
What is MBR?
Master Boot Record. The first sector (sector 0) of a disk. Contains information regarding files on the disk
What is disk partitioning?
creation of logical divisions on a storage device, allowing for OS-specific logical formatting
What is BPB?
BIOS parameter block. Describes the physical layout of the data storage volume. May also define filesystem structure. Can help investigators locate the file table on the hard drive
What is GUID?
Globally unique identifier. A 128-bit unique reference number used in computer software
What happens during the boot process?
OS is loaded from the hard disk to the RAM
What is RAID 0?
Striping only, no redundancy. Min 2 drives
What is RAID 1?
Mirroring only. Requires even number of drives
What is RAID 2?
Bit-level striping. Better data-integrity, but slower than RAID 0
What is RAID 3?
Byte-level striping and dedicated parity disk. Requires at least 3 drives
What is RAID 5?
Byte-level striping and distributed parity among drives. Data writing is slow. Min 3 drives
What is RAID 10?
Combination of RAID 0 (striping) and RAID 1 (mirroring). Min 4 drives. Provides the fault tolerance and redundancy of RAID 1 through mirroring
What is RAID 6?
Double parity RAID. Data striped across multiple drives and uses dual parity for better redundancy than RAID 5. Min 4 drives.
What is disk spanning?
Combining multiple disks into one large logical drive (JBOD, used when disks don’t support RAID)
What is hexadecimal?
Base 16 numeral system. 0-9 represents 0-9, and A-F represents 10-15
How do you convert hex to binary?
take each digit of the hex number and replace it with its 4-bit binary equivalent
How do you convert hex to decimal?
for each digit from right to left, multiply the digit's value by 16^(the digit's position), with positions starting at 0, then add the results
How do you convert binary to decimal?
for each digit from right to left, multiply the digit (0 or 1) by 2^(the digit's position), with positions starting at 0, then add the results
What are the 2 types of data acquisition?
Live: collect data from system powered ON
Dead: collect data from system powered OFF
What is involved w/ live acquisition?
collection from volatile sources
What is a typical order of volatility, from most to least volatile?
- Registers and cache
- Routing table, process table, memory
- Temporary system files
- Disk
- Remote logging and monitoring data
- Physical configuration and network topology
- Archival media
What are the rules of thumb for data acquisition?
- Do not work on the original digital evidence
- Produce 2 or more copies of the original media
- Use clean media to store the copies
- Verify integrity of copies with the original
What is logical acquisition?
Capturing only selected files or file types of interest for the case
What is sparse acquisition?
similar to logical acquisition, but additionally collects fragments of unallocated data, allowing the acquisition of deleted files
What are the data acquisition steps?
- Determine data acquisition method
- Select the acquisition tool
- Sanitize target media
- If computer is on, acquire volatile data and turn off computer
- Remove hard disk
- Write protect the device
- Acquire non-volatile data
- Plan for contingency
- Validate data acquisition
What are key requirements for a data acquisition tool?
- Should not change original content
- should log I/O errors
- Should pass scientific and peer review
- Should alert if source is larger than destination
- Should create a bit-stream copy of content
- Should create qualified bit-stream copy if I/O errors occur
- should document content of destination that is not part of the copy
- Should contain correct documentation
What are common standards for sanitizing media?
- GOST P50739-95 (Russian)
- VSITR (German)
- NAVSO P-5239-26 (US)
- DoD 5220.22-M (US)
- NIST SP 800-88 (US)
what is anti-forensics?
counter forensics. techniques aimed at complicating or preventing proper forensics investigation
What are some common anti-forensics techniques?
- data/file deletion
- password protection
- steganography
- data hiding in file systems
- trail obfuscation
- artifact wiping
- overwriting data/metadata
- encryption
- program packers
- minimizing footprint
What is ADS?
alternate data stream. allows data to be hidden in Windows NTFS; the hidden stream cannot be revealed using the command line or Windows Explorer.
Does not change file size, functionality, etc. except file date
What is the first step when investigating an incident?
Collect system time - exact date and time an incident happened in UTC
What utility is used to collect all open files on windows?
NetworkOpenedFiles
What command line utility is used to collect network information?
nbtstat
What command line utility is used to collect info about network connections?
netstat
What command line utility is used to map the port used by a process?
netstat -a -n -o
What command is used to recall a history of commands entered in cmd?
doskey /history
What command allows for examination of time/date of OS installation, service packs, patches, and sub directories that auto-update?
dir /o:d
What tool can be used to examine slack space?
DriveSpy
What tool is used to examine crash dump file?
DumpChk
What tool dumps the memory of running processes?
pd.exe, Userdump.exe, or adplus.vbs
What is redline?
security tool that identifies malicious activity through memory analysis and helps establish the timeline and scope of an incident
What are the volatile portions of Windows Registry?
HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG
What are the non-volatile portions of Windows Registry?
HKEY_LOCAL_MACHINE, HKEY_USERS
Where can you look to see additional shares created via net share?
HKEY_LOCAL_MACHINE
Where does Windows store a list of connected SSIDs?
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\GUID
What utility can be used to investigate programs configured to run during system bootup or login?
Autoruns utility
What tools can be used to examine metadata present in a JPEG?
Exiv2, IrfanView, the Image::MetaData::JPEG Perl module, or Metashield Analyzer (online)
What are shellbags?
set of registry keys which record a user's viewing preferences for folders. provides evidence related to folders accessed by a user. Includes directories which have since been removed, such as previously mounted drives, deleted folders, etc.
What is a LNK file?
a Windows shortcut file that points to an application or an executable file and has the .lnk extension.
stored in C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent
Can provide metadata on when files are accessed
What are the different types of logon events?
2: Interactive (user logged on)
3: Network (logged on from network)
4: Batch
5: Service (service started by service control manager)
7: Unlock
8: NetworkCleartext (logged on from network, PW passed unhashed)
9: NewCredentials (cloned current token and specified new credentials for outbound connections)
10: RemoteInteractive (User logged on remotely)
11: CachedInteractive (user logged on with cached network credentials)
What are some indicators of compromise for network security intrusions?
Unusual outbound network traffic
Uniform Resource Locators (URLs): Malicious URLs
User-agent strings
Log-in anomalies
Increased number of requests for same file
Network traffic traversing unusual ports
What are the types of network-based evidence?
Full Content Data: actual packets collected. can be analyzed with tcpdump or Wireshark
Session Data: A summary of the conversation between two network entities. Includes destination IP/port, source IP/port, conversation times, and amount of information exchanged
Alert Data: Triggered by tools like Snort IDS and Suricata. Must be careful to avoid false positives
Statistical Data: Overall profile or summaries of network traffic. Includes timestamps, protocols and services being used, average packet size, and packet rate
What needs to be kept in mind while creating/storing logs for legal admissibility?
- Logs must be created consistently with the event under investigation
- Logs must be stored in secure location
- Logs must be maintained as routine business practice
- Random compilations of data are not permissible
- Logs instituted after commencement of incident do not qualify under business records exception
- Maintain logs regularly to use them as evidence later
- Custodian must testify to the accuracy and integrity of the logs
- Custodian must testify as to reliability and integrity of hardware and software platform used, including logging software
- A record of failure/security breach on machine making logs leads to log impeachment
- If investigator claims machine is penetrated, logs are inherently suspect
What are some guidelines to ensure log file credibility and usability?
- Log everything
- Synchronize time
- Use Multiple Sensors
- Missing Logs (continuously monitor for missing logs)
- Ensure System’s Integrity
- Control access to the log
What are some best practices for centralized logging?
- Ensure logging is enabled on all devices
- Admins must be able to transfer authorization to security personnel
- Consult legal dept when developing policies
- Ensure safe transmission/storage of logs
- Collect appropriate logs
- Data must be readily accessible when investigating
- Authentication/security must not be compromised in making data available
- Maintain consistent structure for logs
- Set severity levels for alerts
- Indexing and storing of incident logs must be considered mandatory
What are the two types of event correlation?
Same-platform correlation: used when one common OS is used throughout the network
Cross-platform correlation: used when different OS and network hardware platforms are used in the network
What are the 3 main prerequisites of event correlation?
Transmission of data: securely transmitting data to a consolidation point
Normalization: after gathering data, it must be formatted into a single consistent format for the database
Data Reduction: remove unnecessary data, such as repeated data