CySa+ Study Notes 9 Flashcards
??? stores pages of memory in use that exceed the capacity of the host’s RAM modules. The ??? is not structured in a way that analysis tools can interpret, but it is possible to search it for strings.
*** live acquisition generates a snapshot of data that is changing second-by-second.
Pagefile
??? refers to nonvolatile storage media, such as hard disk drives (HDDs), solid-state drives (SSDs), and USB flash media drives. To obtain a forensically sound image from non-volatile storage, you need to ensure that nothing you do alters data or metadata (properties) on the source disk or file system.
Disk Image Acquisition
??? by shutting down the computer—this runs the risk that the malware will detect the shut-down process and perform anti-forensics to try to remove traces of itself.
??? is the process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at sector/page level and attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files, or at least bits of information from deleted files.
Static acquisition / File Carving
In a ??? or amplification attack, the adversary spoofs the victim’s IP address and tries to open connections with multiple servers.
DRDoS
??? The key to repelling a sustained attack will lie in real-time analysis of log files to identify the pattern of suspicious traffic and redirecting that to a black hole or sinkhole. You can use geolocation and IP reputation data to shun suspicious traffic. Other approaches are to aggressively close slow connections by reducing timeouts on the affected server and make use of caching and back-end infrastructure to offload processing to other servers.
DDoS Mitigation Techniques
??? is a command that can be anything from a ping to a similar check, used to verify that the bot is still alive in the botnet.
*** Irregular peer-to-peer communication may also indicate various kinds of man-in-the-middle attacks, such as ARP spoofing (also called ARP poisoning).
Beaconing
??? a physical device might be attached to cabling to record packets passing over that segment. Once attached, taps cannot usually be detected from other devices inline with the network.
??? is a scan against a host to find which ports are open and to identify the software/firmware/device type of the host (also called fingerprinting).
??? is probing a certain port or port range on multiple IP addresses to discover hosts that respond as “alive” (sometimes called footprinting).
Network taps / Port scan / Sweep
??? is to configure firewalls to allow only whitelisted ports to communicate on ingress and egress interfaces; however, this can cause support issues for legitimate apps.
best way of mitigating use of non-standard ports
Data exfiltration procedures that use covert channels can send data outside of the network without alerting any intrusion detection or data loss countermeasures.
A covert storage channel involves one process writing to a storage location and another process reading from that location. A covert timing channel involves one process altering a system resource so that changes in response time can signal information to the recipient process.
info
Resource consumption (CPU and memory) gives 2 indicators of compromise. A memory leak, where a process claims more and more memory without releasing it again, can also be a sign of malware.
free (command): outputs a summary of the amount of used and freely available memory on the computer.
top (command): shows every running process and is constantly refreshed to show up-to-date statistics; the default information in the table includes the process ID, user, CPU percentage being used, memory percentage being used, execution time, etc.
info