CHFI Flashcards
What is computer forensics?
A set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment that is acceptable in a court of law
What is cybercrime?
Any illegal act involving a computing device, network, its systems, or its applications. Categorized into:
internal - Attack performed by an entrusted person who has authorized access to the network
external - An attacker from outside the organization exploits security loopholes or uses social engineering to infiltrate the network
What are the different approaches to investigating cybercrime?
Civil, criminal, and administrative
Why are computer crimes challenging?
Due to their speed, anonymity, volatile nature of evidence, global origin and differences in laws, and limited legal understanding
What is digital evidence?
Any information of a probative value that is either stored or transmitted in a digital form. Comes in two forms:
volatile - Lost as soon as the device is powered off, such as system time, logged-on users, open files, memory, clipboard contents, command history
non-volatile - Data stored on secondary storage, such as hard disks. Includes hidden files, slack space, unallocated clusters, hidden partitions, etc.
What is forensic readiness?
an organization’s ability to optimally use digital evidence in a limited period of time and with minimal investigation costs
What are the 5 rules of evidence?
1: Evidence must be clear and understandable to the judges
2: Evidence must be related to the fact being proved
3: Evidence must be real and appropriately related to the incident
4: There must be no doubt about the authenticity or veracity of the evidence
5: The evidence must prove the attacker’s actions or his/her innocence
Describe a civil investigation
Investigators show the opposite party some proof to support the claims and induce settlement.
Search is based on mutual understanding and provides a wider window to hide evidence.
More informal.
Claimant responsible for collection and analysis of evidence.
Punishment is typically monetary.
Sometimes evidence can be in third-party control.
Describe a criminal investigation
Set of standard forensic processes must be followed as accepted by law
Computing devices may be forcibly seized under warrant
Formal report required
Law enforcement agencies responsible for collecting and analyzing evidence
Punishment includes fines, jail, or both
High standard of proof
Difficult to capture certain evidence, such as GPS device evidence
Describe an administrative investigation
Generally involve an agency or government performing inquiries to identify facts
Non-criminal in nature
Related to misconduct or activities of an employee that include violation of the org's policies, rules, etc.; resource misuse, damage, or theft; threatening or violent behaviour; improper promotion or pay raise
Any violation may result in disciplinary action
What is the best evidence rule?
the court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy. However, a duplicate may be accepted if the reasons for duplication are genuine. Essentially, the original evidence is considered as the best evidence
What is federal rule 1001 of evidence?
1001 includes definitions of writings and recordings, photographs, original evidence, and duplicate evidence.
Describe federal rule 1002 of evidence
To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by an Act of Congress
Describe federal rule 1003
A duplicate is admissible to the same extent as an original unless:
a genuine question is raised as to the authenticity of the original or:
In the circumstances it would be unfair to admit the duplicate in lieu of the original
Describe federal rule 1004
The original is not required and other evidence of the contents of a writing, recording, or photograph is admissible if:
the originals are lost or destroyed;
the originals are not obtainable;
the original is in the possession of the opponent; or
the matter is collateral
What are the steps to the forensic investigation process?
- Examination/Investigation goals
- Hypothesis Formulation / Criteria
- Experimental Design
- Tool Selection
- Results Review and Evaluation
- Conclusion and Opinion Formulation
What are some considerations that must be made when setting up a computer forensics lab?
- Planning and budgeting
- Physical and Structural design (size, HVAC, access, etc.)
- Work Area (ambience, lighting, internet, etc.)
- Physical security (intrusion alarm, fire suppression, etc.)
- Human resource (required personnel, training and certs)
- Forensics lab licensing
What are some considerations when building the investigation team?
- Keep team small to protect confidentiality
- ID team members and assign responsibilities
- Ensure everyone has proper clearance and authorization
- Assign one member as technical lead
What are the steps to ensuring QA in Forensic Lab ops?
- Arrange formal, documented trainings
- Validate equipment and document it
- Conduct annual proficiency tests
- Follow standards and/or controls in casework
- Have policies and procedures in place
- Attain accreditation
- Perform quality audits and management system review
- Ensure physical security
- Assure health and safety
- Review, update, and document policy standards annually
What is the first response role for non-forensics staff?
protect the crime scene and ensure it remains secure
Make notes and take photographs
Secure surrounding area linked to the incident
What is the first response role for system/network admins?
- Report incident according to organizational incident reporting procedures
- DO NOT perform actions unless directed to do so by forensics team
- May record what is on screen if computer is on, transfer copies of logs to clean media, isolate the system, or document every detail relevant to the incident
What is the first response role for Lab forensics staff?
- Document the electronic crime scene
- Collect incident information
- Plan search and seizure
- Identify and collect electronic evidence
- Package electronic evidence
- Transport Electronic evidence
What are best practices when dealing with powered-on computers?
- Photograph the screen and document running programs, open files, or data
- Pull the power cord immediately IF: Indication of data being overwritten/deleted; destructive processes observed
- Do NOT disconnect power If: evidential data visible on display; there are active programs or files in use such as chatrooms, open text files, etc.
- Perform volatile data collection and preservation process
- after collecting volatile data, pull plug from back of computer
- For portable computers, remove battery and unplug. If battery removal not possible, press power switch for 30 seconds
What are best practices for dealing with powered-off computers
- Leave it OFF
- Disassemble and package it (remove power supply cord; disconnect all wires and cables; check for removable media and secure it; tag evidence; document chain of custody)
- If monitor is off, turn it on and move mouse slightly. Photograph screen
- do not press any keys
What are the best practices for dealing with networked computers?
- Unplug network cable
- Photograph all devices connected to the victim computer, such as router, modem, printer, etc.
- If computer is off, leave it off
- If computer is on, photograph screen and follow powered-on procedures
What are best practices when dealing with mobile devices?
- Photograph screen’s display
- Do not turn device on if it is off
- Leave device as is if it is on and keep it charged
What are Lost Clusters?
when an OS marks clusters of a disk as used but does not allocate them to a file
What is slack space?
the storage area of a disk between the end of a file and the end of a cluster
What is MBR?
Master Boot Record. The first sector (sector 0) of a disk. Contains information regarding files on the disk
What is disk partitioning?
creation of logical divisions on a storage device, allowing for OS-specific logical formatting
What is BPB?
BIOS parameter block. Describes the physical layout of the data storage volume. May also define filesystem structure. Can help investigators locate the file table on the hard drive
What is GUID?
Globally unique identifier. A 128-bit unique reference number used in computer software
What happens during the boot process?
OS is loaded from the hard disk to the RAM
What is RAID 0?
Striping only, no redundancy. Min 2 drives
What is RAID 1?
Mirroring only. Requires even number of drives
What is RAID 2?
Bit-level striping. Better data-integrity, but slower than RAID 0
What is RAID 3?
Byte-level striping and dedicated parity disk. Requires at least 3 drives
What is RAID 5?
Byte-level striping and distributed parity among drives. Data writing is slow. Min 3 drives
What is RAID 10?
Combines RAID 0 and RAID 1. Min 4 drives. Provides the fault tolerance of RAID 1 through mirroring
What is RAID 6?
Double parity RAID. Data striped across multiple drives and uses dual parity for better redundancy than RAID 5. Min 4 drives.
What is disk spanning?
Combining multiple disks into one large logical drive (JBOD, used when disks don’t support RAID)
What is hexadecimal?
Base 16 numeral system. 0-9 represents 0-9, and A-F represents 10-15
How do you convert hex to binary?
convert each hex digit into its 4-bit binary equivalent and concatenate the results
How do you convert hex to decimal?
working from right to left, multiply each digit's value by 16^(the digit's position), with positions starting at 0, and sum the results
How do you convert binary to decimal?
working from right to left, multiply each digit by 2^(the digit's position), with positions starting at 0, and sum the results
What are the 2 types of data acquisition?
Live: collect data from system powered ON
Dead: collect data from system powered OFF
What is involved w/ live acquisition?
collection from volatile sources
What is a typical order of volatility, from most to least volatile?
- Registers and cache
- Routing table, process table, memory
- Temporary system files
- Disk
- Remote logging and monitoring data
- Physical configuration and network topology
- Archival media
What are the rules of thumb for data acquisition?
- Do not work on the original digital evidence
- Produce 2 or more copies of the original media
- Use clean media to store the copies
- Verify integrity of copies with the original
What is logical acquisition?
Capturing only selected files or file types of interest for the case
What is sparse acquisition?
similar to logical acquisition, but additionally collects fragments of unallocated data, allowing the acquisition of deleted files
What are the data acquisition steps?
- Determine data acquisition method
- Select the acquisition tool
- Sanitize target media
- If computer is on, acquire volatile data and turn off computer
- Remove hard disk
- Write protect the device
- Acquire non-volatile data
- Plan for contingency
- Validate data acquisition
What are key requirements for a data acquisition tool?
- Should not change original content
- should log I/O errors
- Should pass scientific and peer review
- Should alert if source is larger than destination
- Should create a bit-stream copy of content
- Should create qualified bit-stream copy if I/O errors occur
- should document content of destination that is not part of the copy
- Should contain correct documentation
What are common standards for sanitizing media?
- GOST P50739-95 (Russian)
- VSITR (German)
- NAVSO P-5239-26 (US)
- DoD 5220.22-M (US)
- NIST SP 800-88 (US)
what is anti-forensics?
counter forensics. techniques aimed at complicating or preventing proper forensics investigation
What are some common anti-forensics techniques?
- data/file deletion
- password protection
- steganography
- data hiding in file systems
- trail obfuscation
- artifact wiping
- overwriting data/metadata
- encryption
- program packers
- minimizing footprint
What is ADS?
alternate data stream. Allows data to be hidden in Windows NTFS; the hidden stream cannot be revealed using the command line or Windows Explorer.
Does not change file size, functionality, etc. except file date
What is the first step when investigating an incident?
Collect system time - exact date and time an incident happened in UTC
What utility is used to collect all open files on windows?
NetworkOpenedFiles
What command line utility is used to collect network information?
nbtstat
What command line utility is used to collect info about network connections?
netstat
What command line utility is used to map the port used by a process?
netstat -a -n -o
What command is used to recall a history of commands entered in cmd?
doskey /history
What command allows for examination of time/date of OS installation, service packs, patches, and sub directories that auto-update?
dir /o:d
What tool can be used to examine slack space?
DriveSpy
What tool is used to examine crash dump file?
DumpChk
What tool dumps the memory of running processes?
pd.exe, Userdump.exe, or adplus.vbs
What is redline?
security tool that identifies malicious activity through memory analysis and helps establish the timeline and scope of an incident
What are the volatile portions of Windows Registry?
HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG
What are the non-volatile portions of Windows Registry?
HKEY_LOCAL_MACHINE,
HKEY_USERS
Where can you look to see additional shares created via net share?
HKEY_LOCAL_MACHINE
Where does Windows store a list of connected SSIDs?
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\GUID
What utility can be used to investigate programs configured to run during system bootup or login?
Autoruns utility
What tools can be used to examine metadata present in a JPEG?
- Exiv2
- IrfanView
- Image::MetaData::JPEG Perl module
- Metashield Analyzer (online)
What are shellbags?
set of registry keys which record a user's viewing preferences for folders. Provides evidence related to folders accessed by a user, including directories which have since been removed, such as previously mounted drives, deleted folders, etc.
What is a LNK file?
a Windows shortcut file that points to an application or an executable file and has the .lnk extension.
stored in C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent
Can provide metadata on when files are accessed
What are the different types of logon events?
2: Interactive (user logged on)
3: Network (logged on from network)
4: Batch
5: Service (service started by service control manager)
7: Unlock
8: NetworkCleartext (logged on from network, PW passed unhashed)
9: NewCredentials (cloned current token and specified new credentials for outbound connections)
10: RemoteInteractive (User logged on remotely)
11: CachedInteractive (user logged on with cached network credentials)
What are some indicators of compromise for network security intrusions?
Unusual outbound network traffic
Uniform Resource Locators (URLs): Malicious URLs
User-agent strings
Log-in anomalies
Increased number of requests for same file
Network traffic traversing unusual ports
What are the types of network-based evidence?
Full Content Data: actual packets collected. can be analyzed with tcpdump or Wireshark
Session Data: A summary of conversation between two network entities. Includes destination IP/port, source IP/port, convo times, and amount of info exchanged
Alert Data: Triggered by tools like Snort IDS and Suricata. Must be careful to avoid false positives
Statistical Data: Overall profile or summaries of network traffic. Includes timestamps, protocols and services being used, average packet size, and packet rate
What needs to be kept in mind while creating/storing logs for legal admissibility?
- Logs must be created consistently with event under investigation
- Logs must be stored in secure location
- Logs must be maintained as routine business practice
- Random compilations of data are not permissible
- Logs instituted after commencement of incident do not qualify under business records exception
- Maintain logs regularly to use them as evidence later
- Custodian must testify accuracy and integrity of logs
- Custodian must testify as to reliability and integrity of hardware and software platform used, including logging software
- A record of failure/security breach on machine making logs leads to log impeachment
- If investigator claims machine is penetrated, logs are inherently suspect
What are some guidelines to ensure log file credibility and usability?
- Log everything
- Synchronize time
- Use Multiple Sensors
- Missing Logs (continuously monitor for missing logs)
- Ensure System’s Integrity
- Control access to the log
What are some best practices for centralized logging?
- Ensure logging is enabled on all devices
- Admins should be able to transfer authorization to security personnel
- Consult legal dept when developing policies
- Ensure safe transmission/storage of logs
- Collect appropriate logs
- Data must be readily accessible when investigating
- Authentication/security must not be compromised in making data available
- Maintain consistent structure for logs
- Set severity levels for alerts
- Indexing and storing of incident logs must be considered mandatory
What are the two types of event correlation?
Same-platform correlation: used when one common OS is used throughout the network
Cross-platform correlation: used when different OS and network hardware platforms are used in the network
What are the 3 main prerequisites of event correlation?
Transmission of data: securely transmitting data to a consolidation point
Normalization: after gathering data, it must be formatted into a single consistent format for the database
Data Reduction: remove unnecessary data, such as repeated data
What is the graph-based correlation approach?
Construct a graph with the system components as nodes and dependencies between these components as edges
What is the Neural Network-based correlation approach?
use neural network to detect anomalies in the event stream, root causes of fault events, etc.
What is the Codebook-based correlation approach?
Use a codebook to store a set of events and correlate them
What is the rule-based correlation approach?
Events correlated according to a set of rules
What is the field-based correlation approach?
Basic approach where specific events are compared with single or multiple fields in normalized data
What is the automated field correlation approach?
Checks and compares all fields systematically for positive and negative correlation
What is the Packet parameter/payload correlation approach?
Used for correlating particular packets with other packets. Can produce a list of potential new attacks by comparing packets with attack signatures
What is the profile/fingerprint-based correlation approach?
Series of data sets gathered from forensic event data is used to identify whether a system serves as a relay to a hacker or is a formerly compromised host, and to detect the same hacker from different locations
What is the vulnerability-based correlation approach?
Used to map IDS events that target a particular vulnerable host. Also used to deduce an attack on a particular host in advance and prioritize attack data so you can respond to trouble spots quickly
What is open-port-based correlation approach?
Determine the rate of successful attacks by comparing the list of open ports available on the host with those under attack
What is the Bayesian correlation approach?
advanced correlation approach that predicts what an attacker can do next after the attack by applying statistics and probability theory, using only 2 variables
What is the time or role-based correlation approach?
Used to monitor the behaviour of computers and their users and trigger alerts when anomalies are found
What is the route correlation approach?
Used to extract information on the attack route and use it to single out other attack data
What are some indicators of a web attack?
- Customers being unable to access services
- Suspicious activities in user accounts
- Leakage of sensitive data
- URLs redirecting to incorrect sites
- Web page defacements
- Unusually slow network performance
- Frequent rebooting of the server
- Anomalies in log files
- Error messages
What is snort?
open-source network IDS capable of performing real-time traffic analysis and packet logging on IP networks
used to detect a variety of web app attacks and probes
At what OSI level does a web application firewall function?
7
What are some benefits of a WAF?
secures web apps
acts as reverse proxy between client and web server
real-time alerting and logging
provides cookie protection
What are some limitations of WAF?
not a replacement for proper app security such as input validation and user auth
WAF inspects traffic based on a particular protocol only
cannot read database commands
does not ensure security from false positives
what is ModSecurity?
free, cross-platform WAF module supported by Nginx, Apache, and IIS that allows real-time HTTP traffic monitoring, logging, and analysis
Where should you look for SQL injection attack incidents?
IDS log files
Web server log files
WAF log files
SIEM-triggered alerts
What are some obfuscation methods used in SQL injection attacks?
In-line comments: attackers use in-line comments in the middle of attack strings “/* */” for comments
Char encoding/double encoding
Toggle case: alternating case such as “UnIoN/**/SeLecT”
Replaced Keywords: “UNunionION+SEselectLECT”
White space manipulation: using %0b to eliminate white space “uni%0bon+se%0blect”
What encoding can be used to obfuscate directory traversal attacks?
%2e%2e%2f (URI encoded)
%252e%252e%252f (URI double encoded)
..%c0%af (unicode/UTF-8 encoded)
What operators can be used in an input string to ask the command line to execute the command provided?
”,$()
What are some examples of volatile database data?
user login sessions, user transactions
Which MySQL utility program is used to dump single or multiple databases for backup purposes?
Mysqldump
Which MySQL utility program is used to check the access privileges defined for a hostname or username?
Mysqlaccess
Which MySQL utility program is used to process the MyISAM log file and perform recovery operation, display version information, etc?
myisamlog
Which MySQL utility program is used to obtain the status of the MyISAM table, identify the corrupted tables, repair the corrupted tables, etc.?
Myisamchk
Which MySQL utility program is used to display the content of bin logs (mysql-bin.nnnnnn) in text format?
Mysqlbinlog
Which MySQL utility program is used to export metadata, data, or both from one or more databases?
mysqldbexport
What are the 3 types of data files MSSQL server stores data and logs in?
Primary data files (MDF)
secondary data files (NDF)
transaction log data files (LDF)
What are the 3 types of cloud crimes?
Cloud as a subject: crime committed within the cloud environment
Cloud as an object: cloud provider is target of the crime
Cloud as tool: cloud is used to plan and commit the crime
What are some architecture challenges with cloud forensics?
Deletion in the cloud: limited number of backups, and retrieval may not be implemented for IaaS or PaaS models
Recovering overwritten data: When data is deleted, other shared users may overwrite the data
Interoperability issues: lack of interoperability between CSPs and lack of control from consumer
Single point of failure: cloud ecosystem has single points of failure, impacting evidence acquisition
What are some collection challenges with cloud forensics?
Decreased access and data control: investigator has limited access and control of forensic data
Chain of dependencies: CSPs often rely on other CSPs, so cloud investigation may depend on examining each link in the chain
Locating evidence: locating/collecting is difficult as data may be quickly altered or lost with limited knowledge regarding where or how it is stored
Data location: data may be stored in different data centers or geographic regions
Imaging and isolating data: difficult due to cloud elasticity, automatic provisioning, redundancy, and multi-tenancy
What are some log challenges with cloud forensics?
Decentralization of logs: logs not stored in any single log server
Evaporation of logs: some cloud logs are volatile, as in with VMs
Multiple layers/tiers: logs generated for each tier in cloud architecture, making collection difficult
Less evidentiary value: not all logs provide crucial information
What are some legal challenges with cloud forensics?
Missing terms in contract or SLA: can prevent generation and collection of existing data
Limited investigative power: investigators often provided with limited power in civil cases
Reliance on cloud providers: cooperation from CSPs may be limited by the number of employees and other resources
Physical data location: hard to specify physical location of data on a subpoena
Port protection: scanning ports is difficult because CSPs do not provide access to physical infrastructure
Transfer protocol: dumping TCP/IP network traffic is challenging because CSPs do not provide access to physical infrastructure
E-discovery: response time is challenging due to ambiguity of data location and uncertainty of relevant data
What are some analysis challenges with cloud forensics?
Evidence correlation: correlation across multiple CSPs is challenging
Reconstructing virtual storage
Timestamp synchronization: timestamps may be inconsistent between different sources
Log format unification: unification/conversion is difficult due to different formats/amount of resources, may also result in loss of critical data. may also have to deal with proprietary formats
Use of metadata: using metadata for authentication may be undermined because common fields (creation date, modified date, etc.) can change when data is transferred from the cloud or during collection
Log capture: log data collection methods differ for each CSP
What are the forensic acquisition and analysis steps for an EC2 instance in AWS?
- Isolate the compromised EC2 instance
- Take a snapshot of the instance
- Provision and launch a forensic workstation
- Create evidence volume from the snapshot
- Attach the evidence volume to the forensic workstation
- Mount the evidence volume onto the workstation
What are the 4 types of data replication services in Azure?
Locally redundant storage (LRS): copies storage data 3 times in a single physical location in the primary region
Zone-redundant storage (ZRS): copies data in 3 availability zones within a primary region
Geo-redundant storage (GRS): replicates data 3 times synchronously within a single physical location, then copies it asynchronously to a single location in a secondary region
Geo-zone-redundant storage (GZRS) copies data in 3 availability zones in primary region synchronously, then copies asynchronously to single location in secondary region
What are the steps for forensic acquisition of VMs in Azure?
- Create a snapshot of the OS disk of the suspect VM via the Azure portal
- Copy the snapshot to a storage account under a different resource group
- Delete the snapshot from the source resource group and create a backup copy
- Mount the snapshot on a forensic workstation
What is a container?
piece of software bundled with app code and all dependencies that helps the app run on any computing environment/infrastructure
Can run as isolated, independent processes by sharing the OS kernel
What are microservices?
architectural framework in app development in which all core functions in an app are built and deployed independently as a service
What are some challenges of forensics on containers?
Highly dynamic
Microservices: security team must look into multiple containers with multiple microservices, making process complex
Ephemeral in nature: lightweight and short lifecycle. data written to filesystem of containers gets deleted as soon as it’s stopped
No snapshot feature: cannot snapshot containers
What are the steps to investigate email crimes?
- Seize the computer and email accounts
- Acquire email data.
- Examine email messages.
- Retrieve email headers.
- Analyze email headers.
- Recover deleted email messages.
What is involved with step 1 of email crime investigation?
obtain search warrant including permission for on-site examination of suspect’s computer and email server used
seize all computers and email accounts suspected
can seize email account by changing existing password
What tools can be used to check the validity of an email address?
Email Dossier
Email Address Verifier
Email Checker
G-Lock Software Email Verifier
What are the different things to check when investigating a suspicious email?
- Email message: inspect body thoroughly, looking for suspicious links or attachments. The message may also convey a false sense of urgency.
- Links: Run links through forensic machines (or mouse over to see link BUT DON’T CLICK) to find suspect links
- Received header entries: find email ID and IP address of attacker
- Originating IP address: find general geographic area
- Received-SPF field: validation failure can indicate spoofing (sender does not permit the server to send mail on its behalf)
- Sender’s email validity
- Message ID (FQDN should typically be something like gmail or outlook.com, not localhost or other…)
- Return path: should match sender’s email
What tool can be used to recover deleted email messages?
Paraben’s Electronic Evidence Examiner
Which US law sets rules for sending emails for commercial purposes, establishes minimum requirements for commercial messaging, gives recipients of emails the right to ask the sender to stop emailing them, and spells out penalties for violations?
CAN-SPAM Act
Penalties up to $16,000
With regards to malware, what is a crypter?
Software that disguises malware as legitimate product through encryption or obfuscation
With regards to malware, what is a downloader?
type of trojan that downloads other malware
With regards to malware, what is a dropper?
Type of trojan that installs other malware files either from a malware package or the internet
With regards to malware, what is an exploit?
malicious code that breaches the system security via software vulnerabilities
With regards to malware, what is an injector?
program that injects its code into other vulnerable running processes and changes the way they execute in order to hide
With regards to malware, what is an obfuscator?
program that conceals its code and intended purpose
With regards to malware, what is a packer?
program that bundles all files together into a single executable file to bypass security detection
With regards to malware, what is a payload?
piece of software that allows control of computer system after exploit
With regards to malware, what is malicious code
command that defines malware’s basic functionalities such as stealing data or creating back door
With regards to malware, what is fileless malware?
group of malware that do not write any file to the disk and use only approved Windows tools for installation and execution, thus circumventing security and whitelisting processes
What are some challenges with malware analysis?
accuracy of analysis process
Detection of malware pieces and traits
amount of data to analyze
changing technologies and dynamics of malware
anti-analysis procedures such as encryption, obfuscation, deletion, etc
What tools can be used to extract patterns from malicious files?
Balbuzard and Cryptam Malware Document Detection Suite
What should be done to prepare a testbed for malware analysis?
isolate system from the network by setting the NIC to "host only" mode
disable “shared folders” and “guest isolation”
generate hash value of each OS and tool
What are some OS backup and imaging tools?
Genie Backup Manager Pro
Macrium Reflect Server
R-Drive Image
O&O DiskImage 16
What are some network and internet simulation tools?
NetSim
ns-3
Riverbed Modeler
QualNet
What are some Hypervisors?
- VirtualBox (Windows, Linux, Mac, Solaris)
- Parallels Desktop (Mac)
- VMware vSphere (bare metal)
What are some online malware analysis services?
- Any.Run
- Hybrid Analysis
- Kaspersky Threat Intelligence Portal
- Valkyrie
- VirusTotal
What is Windows Event ID 4688?
A new process has been created
What is Windows Event ID 5156?
Windows Filtering Platform has allowed connection (outbound network connection)
What is Windows Event ID 7045?
Service was installed in the system
What is Windows Event ID 4657?
Registry value was modified
What is Windows Event ID 4660?
Object was deleted (the event records the subject's account name and domain, the process ID and the handle of the deleted object)
What is Windows Event ID 4663?
An attempt was made to access an object
What is Windows Event ID 7036?
A service entered the running or stopped state (System log; watch for a protection service such as the antivirus service reporting "stopped")
What is Windows Event ID 7040?
The start type of a service was changed (System log; e.g. a protection service changed from auto start to demand start, or auto start disabled)
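An added example (written for this page, not from Microsoft or any tool named here) that triages the event IDs on the cards above the way a sandbox analyst would read them after a detonation. The records are constructed: the keys mirror EventData field names, but every path, the "WinUpdSvc" service and the destination address are invented for the example.

```python
# Event IDs from the cards above (Security log unless marked System)
EVENT_MEANING = {
    4688: "process created", 5156: "WFP allowed a connection",
    7045: "service installed (System)", 4657: "registry value modified",
    4660: "object deleted", 4663: "object access attempted",
    7036: "service entered running/stopped state (System)",
    7040: "service start type changed (System)",
}

# Constructed records resembling what a sandbox host logs while a sample runs. Keys follow the
# EventData field names; all paths, the service name and the address are made up.
SAMPLE_EVENTS = [
    {"id": 4688, "time": "10:00:01", "NewProcessName": "C:\\Users\\lab\\sample.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    {"id": 7045, "time": "10:00:02", "ServiceName": "WinUpdSvc", "ImagePath": "C:\\ProgramData\\winupd.exe"},
    {"id": 7040, "time": "10:00:03", "param1": "Windows Defender Antivirus Service",
     "param2": "auto start", "param3": "disabled"},
    {"id": 7036, "time": "10:00:03", "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
    {"id": 4657, "time": "10:00:04",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "ObjectValueName": "winupd", "NewValue": "C:\\ProgramData\\winupd.exe"},
    {"id": 5156, "time": "10:00:05", "Application": "\\device\\harddiskvolume2\\programdata\\winupd.exe",
     "Direction": "%%14593", "DestAddress": "203.0.113.7", "DestPort": "443"},
    {"id": 4688, "time": "10:00:06", "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe"},
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
PROTECTION_HINTS = ("defender", "antivirus", "protection", "security")
OUTBOUND = "%%14593"  # 5156 Direction field: %%14592 = inbound, %%14593 = outbound

def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)

def is_protection_service(name):
    return any(h in name.lower() for h in PROTECTION_HINTS)

def describe(event):
    return f"{event['time']} EventID {event['id']}: {EVENT_MEANING.get(event['id'], 'not in watchlist')}"

def triage(events):
    """Return (event_id, finding, detail) for records that match the sandbox indicators. Events
    are processed in time order so a 5156 can be tied back to a binary first seen in 4688/7045."""
    findings, suspicious_images = [], set()
    for e in sorted(events, key=lambda x: x["time"]):
        eid = e["id"]
        if eid == 4688 and not is_trusted_path(e["NewProcessName"]):
            suspicious_images.add(e["NewProcessName"].lower())
            findings.append((eid, "process launched from untrusted path", e["NewProcessName"]))
        elif eid == 7045 and not is_trusted_path(e["ImagePath"]):
            suspicious_images.add(e["ImagePath"].lower())
            findings.append((eid, "service installed from untrusted path", e["ServiceName"]))
        elif eid == 7040 and e["param3"] == "disabled" and is_protection_service(e["param1"]):
            findings.append((eid, "protection service start type set to disabled", e["param1"]))
        elif eid == 7036 and e["param2"] == "stopped" and is_protection_service(e["param1"]):
            findings.append((eid, "protection service stopped", e["param1"]))
        elif eid == 4657 and e["ObjectName"].lower().endswith("\\currentversion\\run"):
            findings.append((eid, "Run-key persistence written", e["NewValue"]))
        elif eid == 5156 and e["Direction"] == OUTBOUND:
            # WFP records the NT device path, so match on the file name only
            image_name = e["Application"].rsplit("\\", 1)[-1]
            if any(img.endswith("\\" + image_name) for img in suspicious_images):
                findings.append((eid, "outbound connection by suspicious binary",
                                 f"{e['DestAddress']}:{e['DestPort']}"))
    return findings
```

The ordering matters: the 5156 finding only fires because the binary was first seen in a 7045 from a user-writable directory, which is the chain (drop, install, disable protection, persist, call out) an analyst wants the log to tell.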
What tool can be used to intercept API calls made by the malware to Windows API during runtime?
API Monitor
What tool can be used to check integrity of files?
FastSum - computes MD5 checksums of files and compares them against a stored list (MD5 collisions are practical, so record a SHA-256 alongside it when the hash has to prove integrity)
What windows utility tool can be used to compute MD5 hashes of files?
WinMD5 - the MD5 fingerprints can be compared against the publisher's value to confirm a file is uncorrupted
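An added example (not FastSum, WinMD5 or any other tool on this page) covering the "generate a hash value of each OS and tool" step of the testbed preparation together with the integrity-check tools just listed: it baselines a directory before the sample runs and reports what changed afterwards. The directory, file names and contents are constructed for the example.

```python
import hashlib
import io
import tempfile
from pathlib import Path

def hash_stream(stream, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Digest a file object in one pass with every requested algorithm: MD5 to compare with tool
    output, SHA-256 as the value to rely on (MD5 collisions are practical)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, algorithms=("md5", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)

def hash_file(path, algorithms=("md5", "sha256")):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)

def build_baseline(root):
    """Fingerprint every file under root (the clean OS image and analysis tools) before the
    sample is detonated. Paths are stored relative to root with forward slashes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_baseline(root, baseline):
    """Re-hash root and report each path as 'ok', 'modified', 'missing' or 'new'."""
    current = build_baseline(root)
    report = {rel: ("missing" if rel not in current else
                    "ok" if current[rel] == digests else "modified")
              for rel, digests in baseline.items()}
    report.update({rel: "new" for rel in current if rel not in baseline})
    return report

def demo():
    """Constructed scenario: baseline a toy tool directory, let a 'sample' tamper with it,
    then verify. A temp dir is used so it runs anywhere."""
    with tempfile.TemporaryDirectory() as tmp:
        tools = Path(tmp) / "tools"
        (tools / "bin").mkdir(parents=True)
        (tools / "bin" / "strings.exe").write_bytes(b"MZ\x90\x00 clean tool image")
        (tools / "README.txt").write_text("analysis tools v1\n")
        baseline = build_baseline(tools)

        # What a malicious sample might do to the testbed: patch a tool and drop a DLL
        (tools / "bin" / "strings.exe").write_bytes(b"MZ\x90\x00 trojaned tool image")
        (tools / "bin" / "dropper.dll").write_bytes(b"MZ evil")
        return verify_baseline(tools, baseline)
```

Store the baseline outside the VM (or on a read-only snapshot); a baseline kept on the guest can be edited by the same sample it is meant to catch.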
What tools can be used to monitor ports?
TCPView (all TCP/UDP endpoints and state of TCP connections)
CurrPorts (all currently open TCP/IP and UDP ports, with the owning process)
What are the 3 boot modes for iOS?
Normal
Device Firmware Upgrade (DFU): lowest-level boot mode (only the boot ROM runs and code is loaded over USB); lets investigators obtain device information without entering the passcode and without having to bypass USB Restricted Mode
Recovery mode: used to upgrade the device to a signed firmware version using iTunes by invoking the iBoot process
How is an iPhone booted into DFU mode?
- Connect the iPhone to the computer with a USB cable
- A9 and earlier: press and hold Home + Lock for 8 seconds, then release Lock while continuing to hold Home
- A10: press and hold Side + Volume Down for 8 seconds, then release Side while continuing to hold Volume Down
- A11 and later: quick-press and release Volume Up, quick-press and release Volume Down, then press and hold Side until the screen goes black; keep holding Side and also press and hold Volume Down for 5 seconds, then release Side and keep holding Volume Down for another 10 seconds
- The screen stays black in DFU mode; if the Apple logo or the recovery screen appears, the device is not in DFU and the sequence must be repeated
what type of data does a SIM contain?
volatile AND nonvolatile
What are the 4 types of iOS jailbreaks?
tethered: cannot boot into a jailbroken state (or at all) without a computer; must be re-jailbroken on every reboot
untethered: reboots without a computer and the jailbreak is applied automatically at boot
semi-tethered: reboots without a computer, but into an un-jailbroken state until a computer re-applies the jailbreak
semi-untethered: also reboots into an un-jailbroken state, but can be re-jailbroken from an app on the device instead of a computer
What are some commercial tools that can be used for physical acquisition (bit-by-bit copies) of physical storage on mobile?
Cellebrite, MOBILedit, Elcomsoft
In mobile forensics, what are TAPs
Test Access Ports: debug/test ports (JTAG) that manufacturers use to test the board. An examiner can use them to instruct the processor to transfer all data stored in the memory chips
What is chip-off forensics?
physically removing the flash memory of a device for analysis. useful for locked devices or damaged/dismantled devices
What are some challenges in mobile forensics?
OS: Mobile devices use various OSes that are all handled differently
Security: security features protect the data and privacy making acquisition difficult
Cloud Data: acquiring cloud data often has legal constraints and is difficult
Data Preservation: device needs to be isolated from all communications to prevent remote wiping
Anti-forensics: data hiding, forgery, and secure wiping complicate the investigation process
What are some common security problems with IoT devices?
Application: missing validation of input strings, weak authentication and authorization, no automatic security updates, default passwords
Network: missing firewall, improper communication encryption, unnecessary open services, lack of automatic updates
Mobile: insecure APIs, lack of communication encryption, weak authentication, lack of storage security
Cloud: improper authentication, no storage or communication encryption, insecure web interface
What are the OWASP top 10 IoT vulnerabilities?
- Weak or guessable passwords
- Insecure network services
- Insecure ecosystem interfaces
- lack of secure update mechanism
- Use of insecure or outdated components
- Insufficient privacy protection
- Insecure data transfer or storage
- Lack of device management
- Insecure default settings
- Lack of physical hardening
What are some common IoT device attacks?
sybil attack: multiple forged identities used to create strong illusion of traffic congestion (used in vehicular ad hoc networks)
forged malicious device: replace authentic IoT device with malicious device
side channel attack: extract information about encryption keys by observing emission signals
what are common IoT forensics challenges?
ID, collection, and preservation of evidence: most devices work autonomously, so identification can be difficult.
Analysis of evidence: most data is cloud based
autonomous nature: due to this function, it may be difficult to identify whether human intervention or design flaw caused the malfunction
Where is stego data hidden in a text file?
character positions (extra spaces, tabs or line endings, shifted letters)
detected by looking for text patterns or disturbances such as odd blank spaces
Where is stego data hidden in an image file?
changes in size, file format, metadata, and color palette
detected through statistical analysis
Where is stego data hidden in an audio file?
inaudible frequencies or odd distortions and patterns in audio graph
Where is stego data hidden in a video file?
combo of image and audio
What is file carving?
technique to recover files and fragments of files from a hard disk in the absence of file system metadata
What tools can be used to look at file headers to verify the file format?
010 Editor CI Hex Viewer Hexinator Hex Editor Neo Qiew WinHex
What are the different types of search warrants?
Search warrant: written order authorizing search for particular evidence in particular location. include particulars of the object and devices being searched as well as the strategy used to investigate
Electronic storage search warrant: allows team to search and seize components including hardware, software, storage devices, documents
Service provider search warrant: allows investigators to consult w/ service provider to get: service records, billing records, subscriber info
When is seizure without a warrant allowed?
when destruction of evidence is imminent
where are IIS Logs located?
%SystemDrive%\inetpub\logs\LogFiles
What are the 2 outlook file formats?
.ost - offline storage used by Exchange/IMAP (non-POP) accounts - a cached copy of the mailbox held on the server
.pst - personal storage used by POP accounts - the actual message store
What TSK command is used to display general details of a file system?
fsstat
What TSK command is used to display the details of a metadata structure?
istat
What TSK command is used to display the file and directory names in a disk?
fls
What TSK command is used to display the details of an image file?
img_stat
What are the two components of an Apache Web Server?
Apache Core: basic functionalities such as allocation of requests and connection maintenance
Apache Modules: Add-ons used for extending core functionality
What are the elements of the Apache core component?
http_protocol: responsible for the routines that communicate directly with the client (reading requests and sending responses)
http_main: handles server startup and timeouts as well as main server loop
http_request: controls stepwise procedure followed among modules to complete client request as well as error handling
http_core: includes a header file that is not required by the application module
alloc.c: handles allocation of resource pools
http_config: reads and handles configuration files and arranges the modules
What are the two types of Apache Web Server logs?
Access log: records all requests processed by server
error log: diagnostic information and errors the server faced during requests
Where is the Apache Web Server configuration file (which sets the log locations) in each OS?
RHEL/Red Hat/CentOS/Fedora Linux: /etc/httpd/conf/httpd.conf (default logs under /var/log/httpd/)
Debian/Ubuntu Linux: /etc/apache2/apache2.conf (default logs under /var/log/apache2/)
FreeBSD: /usr/local/etc/apache22/httpd.conf (apache24 for Apache 2.4; default logs /var/log/httpd-access.log and /var/log/httpd-error.log)
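An added example (written for this page, not part of Apache or IIS) that normalises both log formats on these cards, Apache's combined access log and the IIS W3C extended log from %SystemDrive%\inetpub\logs\LogFiles, into one record shape and runs a few indicators over them. The log lines are constructed; the addresses, paths and user agents are invented.

```python
import re
from collections import Counter

# Constructed Apache "combined" access-log lines (not real traffic).
APACHE_LINES = """\
203.0.113.5 - - [12/Mar/2024:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:14:05 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 209 "-" "curl/8.0"
203.0.113.9 - - [12/Mar/2024:10:14:06 +0000] "GET /admin.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 311 "-" "curl/8.0"
203.0.113.9 - - [12/Mar/2024:10:14:07 +0000] "POST /upload.php HTTP/1.1" 200 87 "-" "curl/8.0"
"""

# Constructed IIS W3C extended log (the kind found under %SystemDrive%\inetpub\logs\LogFiles\W3SVCn\).
# The #Fields directive, not a fixed layout, defines the column order.
IIS_LINES = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-03-12 10:20:01 10.0.0.4 GET /default.aspx - 443 - 198.51.100.2 Mozilla/5.0 200 0 0 15
2024-03-12 10:20:03 10.0.0.4 GET /scripts/..%255c..%255c/winnt/system32/cmd.exe /c+dir 443 - 198.51.100.7 Nikto/2.1 404 0 2 3
"""

APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse_apache(text):
    """Normalise combined-format lines to {client, time, method, uri, status, agent, ...} dicts."""
    records = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            r = m.groupdict()
            r["status"] = int(r["status"])
            records.append(r)
    return records

def parse_iis(text):
    """Normalise W3C lines to the same dict shape, honouring the #Fields order."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split(" ")))  # IIS encodes spaces inside a field as '+'
        query = "" if row["cs-uri-query"] == "-" else "?" + row["cs-uri-query"]
        records.append({"client": row["c-ip"], "time": row["date"] + " " + row["time"],
                        "method": row["cs-method"], "uri": row["cs-uri-stem"] + query,
                        "status": int(row["sc-status"]), "agent": row["cs(User-Agent)"]})
    return records

# Indicators to run over the normalised records; the SQLi pattern also covers %27/%20 encoding
INDICATORS = [
    ("path traversal", "uri", re.compile(r"\.\./|\.\.\\|%2e%2e|%255c", re.I)),
    ("sql injection", "uri", re.compile(r"(%27|')(%20|\+|\s)*or(%20|\+|\s)+1=1|union(%20|\+|\s)+select", re.I)),
    ("scanner user-agent", "agent", re.compile(r"nikto|sqlmap|nmap|masscan", re.I)),
]

def flag(records):
    """Return (client, indicator, uri) for every record/indicator hit."""
    return [(r["client"], label, r["uri"])
            for r in records for label, field, rx in INDICATORS if rx.search(r[field])]

def clients_by_hits(records):
    return Counter(client for client, _, _ in flag(records))
```

Parsing both formats into the same shape is what makes the indicator list reusable; the traversal pattern in the IIS line would be missed by a check for "../" alone because IIS logs the request as sent, double-encoded.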
What is the hex signature for DOC files?
EC A5 C1 00 (Word subheader at offset 512 inside the OLE2 compound file, whose own header is D0 CF 11 E0 A1 B1 1A E1)
What is the hex signature for XLS files?
FD FF FF FF nn 00 or FD FF FF FF nn 02 or 09 08 10 00 00 06 05 00
What is the hex signature for PPT files?
A0 46 1D F0 or 00 6E 1E F0 or 0F 00 E8 03 or FD FF FF FF nn nn 00 00 (subheaders at offset 512 inside the OLE2 container)
What is the hex signature for DOCX, PPTX, and XLSX files?
50 4B 03 04 14 00 06 00
What is the hex signature for JPG?
FF D8
What is the hex signature for PNG?
89 50 4E 47 0D 0A 1A 0A
What is the hex signature for PDF?
25 50 44 46
What is the hex signature for ZIP files?
50 4B 03 04
What is the hex signature for PST files?
21 42 44 4E
What Linux command provides a hex dump of a given input file?
xxd
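An added example (not from 010 Editor, WinHex, xxd or any other tool on this page) that turns the signature cards above into a small header-based carver: an xxd-style dump for checking a header by eye, identification from the leading bytes, the OLE2 subheader check at offset 512 that tells DOC, XLS and PPT apart, and carving by header/trailer over a raw byte buffer. The "disk image" and the files inside it are constructed stand-ins: headers and trailers are the real bytes, bodies are filler.

```python
import re

# Header/trailer bytes from the signature cards above. DOC, XLS and PPT "subheaders"
# (e.g. EC A5 C1 00 for DOC) sit at offset 512 inside an OLE2 compound file, so the carver
# keys on the container magic and classifies afterwards. PK 03 04 also starts DOCX/PPTX/XLSX,
# which are ZIP archives.
SIGNATURES = {
    "jpg":  (b"\xFF\xD8\xFF",                     b"\xFF\xD9"),
    "png":  (b"\x89PNG\r\n\x1a\n",                b"IEND\xAE\x42\x60\x82"),
    "pdf":  (b"%PDF",                             b"%%EOF"),
    "zip":  (b"PK\x03\x04",                       b"PK\x05\x06"),  # end-of-central-directory record
    "ole2": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", None),          # no trailer: size comes from the FAT
    "pst":  (b"!BDN",                             None),
}
OLE_SUBTYPES = {  # exact subheaders only; the FD FF FF FF nn ... wildcard forms are not handled
    b"\xEC\xA5\xC1\x00": "doc",
    b"\x09\x08\x10\x00\x00\x06\x05\x00": "xls",
    b"\xA0\x46\x1D\xF0": "ppt", b"\x00\x6E\x1E\xF0": "ppt", b"\x0F\x00\xE8\x03": "ppt",
}

def hexdump(data, offset=0, width=16):
    """xxd-style dump so a header can be checked by eye, e.g. '00000000: 25 50 44 46 ... %PDF'."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset + i:08x}: {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)

def identify(data):
    """Name the format from the leading bytes, or None if no known header matches."""
    for name, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return None

def ole_subtype(data):
    """For an OLE2 container, read the subheader at offset 512 to tell DOC, XLS and PPT apart."""
    if identify(data) != "ole2" or len(data) < 520:
        return None
    sub = data[512:520]
    for sig, name in OLE_SUBTYPES.items():
        if sub.startswith(sig):
            return name
    return "ole2"

def carve(image):
    """Scan raw bytes (an unallocated-space dump) for every known header and cut each file out up
    to its trailer. Returns (format, start, end, bytes); end/bytes are None for trailer-less formats."""
    found = []
    for name, (header, trailer) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            if trailer is None:
                found.append((name, start, None, None))
                continue
            pos = image.find(trailer, start + len(header))
            if pos == -1:
                continue  # header without trailer: a fragment, needs a format-aware carver
            end = pos + len(trailer)
            if name == "zip":  # EOCD is 22 bytes plus a comment whose length sits at offset 20
                end = pos + 22 + int.from_bytes(image[pos + 20:pos + 22], "little")
            found.append((name, start, end, image[start:end]))
    return sorted(found, key=lambda f: f[1])

# Constructed, minimal stand-ins for real files (headers and trailers are genuine, bodies are filler).
FAKE_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xFF\xD9"
FAKE_PDF  = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
FAKE_PNG  = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00IEND\xAE\x42\x60\x82"
FAKE_ZIP  = b"PK\x03\x04" + b"\x00" * 26 + b"a.txthi" + b"PK\x05\x06" + b"\x00" * 18  # empty comment
FAKE_DOC  = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504 + b"\xEC\xA5\xC1\x00" + b"\x00" * 28
DISK_IMAGE = (b"\x00" * 64 + FAKE_JPEG + b"\xAA" * 30 + FAKE_PDF + b"\x00" * 10 + FAKE_PNG
              + b"\xBB" * 7 + FAKE_ZIP + b"\x00" * 5 + FAKE_DOC + b"\x00" * 40)

def demo():
    return [(name, start, end) for name, start, end, _ in carve(DISK_IMAGE)]
```

Header/trailer carving is the simplest form of the technique: it recovers contiguous files only, and a trailer-less format (OLE2, PST) needs the file's own size fields or a format-aware carver to find its end. A JPEG thumbnail embedded in another JPEG would also produce a nested hit, which is why carved output is always verified against the format's structure before being reported.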
What is a stego-only attack?
only the stego object is available for analysis
What is a known-stego attack?
have access to the stego algorithm and both cover medium and stego-object
What is a known-message steganography attack?
have access to hidden message and stego object
What is a known-cover attack?
compare stego-object and cover medium to ID hidden message
What is a chosen-message attack?
generate stego objects from known message using specific tools to ID the stego algorithm
What is a chosen-stego attack?
have access to the stego-object and stego-algorithm
What is a chi-square attack?
perform probability analysis to test whether the object and original are the same or not
What is a distinguishing statistical attack?
analyze the embedding algorithm to find the statistical changes it leaves along the length of the embedded data, then test objects for those changes
What is a blind classifier attack?
a blind detector is trained on original (unmodified) data from multiple perspectives so that it can recognise objects which depart from what original data looks like
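An added example (written for this page, not from any stego tool) that ties the image-stego cards above ("changes in the colour palette, detected through statistical analysis") to the chi-square attack: it embeds a payload in the least significant bits of a constructed 8-bit sample array, recovers it, and then runs the pairs-of-values chi-square statistic over the cover and the stego object. The cover data, the seed and the message are invented; the statistic is the Westfeld/Pfitzmann test.

```python
import random

def lsb_embed(cover, payload):
    """Overwrite the least significant bit of each cover sample with one payload bit (MSB first)."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover")
    stego = list(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego

def lsb_extract(stego, nbytes):
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[b * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def chi_square_pov(samples):
    """Pairs-of-values chi-square statistic. LSB embedding only moves a sample between 2k and 2k+1,
    so the counts of each pair converge and the statistic collapses towards its degrees of freedom
    (128 pairs), while an untouched cover with uneven pairs scores far higher."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat = 0.0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected > 0:
            stat += (hist[k] - expected) ** 2 / expected
    return stat

def make_cover(n, seed=1):
    """Constructed 8-bit 'image': even values three times as likely as odd ones, the kind of
    asymmetry real sensor data has and that the chi-square attack keys on."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.25 else 0) for _ in range(n)]

def demo():
    cover = make_cover(32_000)
    rng = random.Random(7)
    # Short text followed by random bytes standing in for an encrypted payload; fills every LSB
    payload = b"meet at 04:00" + bytes(rng.randrange(256) for _ in range(len(cover) // 8 - 13))
    stego = lsb_embed(cover, payload)
    return {"cover_chi2": chi_square_pov(cover),
            "stego_chi2": chi_square_pov(stego),
            "recovered": lsb_extract(stego, 13)}
```

The statistic is a stego-only attack: nothing but the suspect object is needed. It only works this cleanly when the payload fills the object; a short message changes the front of the sample array alone, which is why the attack is normally applied to successive windows rather than to the whole object at once.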
When is search without a warrant allowed?
when a person with authority has provided consent