Digital Forensics 6 Flashcards

1
Q

purpose is to allow law enforcement and intelligence agencies to lawfully conduct electronic surveillance. It requires that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real-time.

A

CALEA’s

2
Q

is a live system forensic technique in which you collect a memory dump and perform analysis in an isolated environment. Volatile memory analysis is similar to live response in that you must first establish a trusted command shell. Next, you establish a data collection system and a method for transmitting the data. However, you would only acquire a physical memory dump of the compromised system and transmit it to the data collection system for analysis. In this case, VMware allows you to simply suspend the virtual machine and use the .vmem file as a memory image. Also, compute the hash after the memory capture completes, whereas for a traditional HDD the hash is computed before imaging; because running memory is volatile, the imaging process takes a snapshot of a “moving target”.

A

Volatile memory analysis

3
Q

To produce digital data from a live system as evidence in court, it is essential to justify the validity of the acquired memory data. One common approach is to acquire volatile memory data in a dump file for offline examination. A dump is a complete copy of every bit of memory or cache recorded in permanent storage or printed on paper. You can then analyze the dump electronically or manually in its static state.

*** Volatile memory analysis is a live system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.

A

info …

4
Q

The Windows swap file is used to augment the RAM. Essentially, it is a special place on the hard drive where items from memory can be temporarily stored for fast retrieval.

Even if the suspect’s browsing history has been erased, it is still possible to retrieve it if he or she was using Internet Explorer. Index.dat is a file used by Microsoft Internet Explorer to store web addresses, search queries, and recently opened files. So if a file is on a universal serial bus (USB) device but was opened on the suspect machine, index.dat would contain a record of that file.

A

info …

5
Q

Check the modified, accessed, and created times of files in Windows (MAC = Modified, Accessed, Created), and check them for changes during forensic examination.

A

info …

6
Q

It is a repository for all the information on a Windows system. When you install a new program, its configuration settings are stored in the Registry. When you change the desktop background, that is also stored in the Registry.

A

Registry

7
Q

All Registry keys contain a value associated with them called LastWriteTime. You can think of this like the modification time on a file or folder. Looking at the LastWriteTime tells you when this Registry value was last changed. Rather than being a standard date/time, this value is stored as a FILETIME structure.

A

info …

8
Q

are Registry keys that launch programs automatically during boot-up. It is common for viruses and spyware to be automatically run at start-up. Another setting to look at is the MRU, or most recently used. These are program specific; for example, Microsoft Word might have an MRU describing the most recently used documents.

A

Auto-run locations

9
Q

The Registry key HKEY_LOCAL_MACHINE\System\ControlSet\Enum\USBSTOR lists USB devices that have been connected to the machine. It is often the case that a criminal will move evidence or exfiltrate other information to an external device and take it with him or her. This could indicate to you that there are devices you need to find and examine. Often, criminals attempt to move files offline onto an external drive. This Registry setting tells you about the external drives that have been connected to this system.

A

info …

10
Q

The wireless network SSID passphrase is stored in the Registry, along with which Wi-Fi networks the interface has connected to; the Registry also stores the MAC addresses of the wireless access points (WAPs) to which it was connected.

A

info …
