CySa+ Study Notes 8 Flashcards
Heuristic Analysis : software uses techniques to determine whether a set of data points is similar enough to a known signature that an alert should be generated.
Behavioral Analysis : anything that deviates from the baseline generates an alert.
Anomaly Analysis : process of defining an expected outcome or pattern to events, and then identifying any events that do not follow these patterns.
awk is a scripting engine geared toward modifying and extracting data from files or data streams, which can be useful in preparing data for analysis. Programs and scripts run in awk are written in the AWK programming language.
Windows Management Instrumentation Command-line (WMIC) is used to review log files on a remote Windows machine.
Identification Phase : Ensure that the scene is safe. Secure the scene to prevent contamination of evidence. Identify the scope of evidence to be collected.
Collection Phase : Ensure authorization to collect the evidence. Use tools and methods that will withstand legal scrutiny. Document and prove the integrity of evidence. Store evidence in secure, tamper-evident packaging.
Analysis Phase : Create a verifiable copy of evidence for analysis. Use repeatable methods and tools to analyze the evidence.
Reporting Phase : Create a report of the methods and tools used. Present findings and conclusions.
Digital Forensic Process
??? is the process of obtaining a forensically clean copy of data from a device held as evidence.
Data Acquisition
-> CPU registers and cache memory (including cache on disk controllers, GPUs, etc.)
-> Contents of RAM, including: routing table, ARP cache, process table, kernel statistics, temporary file systems/swap space/virtual memory
-> HDD/SSD and flash memory, including file system and free space
-> Remote logging and monitoring data
-> Physical and network topology
-> Archival media
Order of Volatility
??? is an open-source collection of command line tools and programming libraries for disk imaging and file analysis. Autopsy is a graphical front-end for these tools and acts as a case management/workflow tool.
The Sleuth Kit
??? creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, Registry data, network connections, cryptographic keys, etc …
System Memory Dump
??? A specialist hardware or software tool captures the contents of memory while the computer is running. Unfortunately, this type of tool needs to be pre-installed, as it requires a kernel-mode driver to function.
Live Acquisition
??? when Windows encounters an unrecoverable kernel error, it can write contents of memory to a dump file.
Crash dump
??? This file is created on disk when the computer is put into a sleep state. If it can be recovered, the data can be decompressed and loaded into a software tool for analysis. The drawback is that network connections will have been closed, and malware may have detected the use of a sleep state and performed anti-forensics.
Hibernation File