CySA+ Study Notes 10 Flashcards
Memory (buffer) overflow attempts can be detected by anti-malware, an IDS, or a WAF.
Data is compressed, then encrypted.
lsof (Linux command): lists all files currently open on the OS.
On a live system, it might be possible to recover the decryption key from system memory.
To detect data staging: scan host file systems for file archive, compression, and encryption types such as RAR or gzip that are atypical of normal end-user file creation on Windows systems. Also look for files in system folders, such as the root of the Recycle Bin or System Volume Information, or for the use of alternate data streams (ADS).
Auditing account usage: look for (1) unauthorized sessions, (2) failed log-ins, (3) new accounts, (4) guest account usage, and (5) off-hours usage.
In Windows, prefetch files record the names of applications that have been run plus a wealth of other information (date and time, file path, run count, and DLLs used by the executable). The absence of prefetch files or a period when prefetch was disabled would be suspicious (though do note that prefetch is disabled by default on SSDs).
If you suspect a device is an attack vector, attach it to a sandboxed lab system and observe the system closely. Look for command prompt windows or processes, such as the command interpreter starting, and for changes to the Registry or other system files.
There are two types of autorun Registry keys: Run, which initializes its values asynchronously, and RunOnce, which initializes its values in order.
If you suspect the presence of malware or a C&C channel: enumerate the open ports on the host using a tool such as netstat locally or Nmap remotely and compare with the activity observed over the link. The ranges of ports used should match; if they do not, then something is concealing port usage on the host. If there is no use of unusual ports, check the traffic passing over a port using a sniffer to confirm that it is legitimate.
Authentication and authorization events are written to the Security log, but an audit policy must be configured and applied to capture specific events.
Active Directory Users and Computers: used to configure and monitor accounts from Domain Controllers (DCs).
Saved state files—Suspending the VM causes the hypervisor to write the contents of memory to file. It is possible to load this data into a memory analysis tool such as Volatility.
VM introspection (VMI)—This uses tools installed to the hypervisor to retrieve pages of memory for analysis.
Mobile devices: If a device is discovered in an unlocked state, steps should be taken to prevent the lock from activating. It is also acceptable to block network access, to prevent a remote wipe of the device. As with any evidence collection process, these steps must be recorded on video to show that no other modification of evidence was performed.
Logical Extraction: using utilities supplied with the device or the vendor's tools to export data for analysis. This includes local and cloud backup procedures. It may be possible to obtain data from the cloud account that the device is linked to; this involves making a legal request (subpoena) to the cloud provider.
File System Extraction: If a copy can be made of unencrypted data, you can use file system tools to search for files, strings, and media.
Call Data Extraction: Information relating to the cellular provider, outgoing calls, and SMS text messages may be stored on the SIM card.