Digital Forensics 7 Flashcards

1
Q

Word documents store a value in the Registry, such as the MAC address of the machine on which the document was created; tracking the origin of a document can be very important in cases of intellectual property theft, etc …

Malware in the Registry: Winlogon tells Windows Explorer that logon is completed; check the Registry to find exe files that may be malware.

The Registry \Uninstall key lets you see all software uninstalled from the machine. You can also check the Registry for passwords.

A

info …

2
Q

Windows Volume Shadow Copy keeps a record or copy of changes. These state changes are stored in blocks of data that are compared daily, and changed blocks are copied to Volume Shadow. The Volume Shadow Copy service runs once per day and uses 16-KB blocks of data. In differential copies of VSS, only the changes are backed up, on a cluster-by-cluster basis. For a full copy or clone, entire files are backed up. This can be an excellent place to seek evidence that the suspect may not even be aware is available.

A

info …

3
Q

pslist: Lists the processes that were in the memory dump.
psscan: Finds the processes that were previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit.
svcscan: Lists details of all services that were in memory when the memory dump was taken.

The history command allows you to see the commands that have previously been entered. By default, this command returns the last 500 shell commands (Linux).

A

commands info …

4
Q

is the switching system for the cellular network, responsible for routing calls between base stations and the public switched telephone network (PSTN). MSCs are used in 1G, 2G, 3G, and Global System for Mobile (GSM) communications networks. The MSC processes all the connections between mobile devices and between mobile devices and landline phones.

A

mobile switching center (MSC)

5
Q

BTS is the part of the cellular network responsible for communications between the mobile phone and the network switching system. The BTS, together with a base station controller (BSC), makes up the base station system (BSS). The BSC is a central controller coordinating the other pieces of the BSS. The BSS is the combined radio transceiver equipment between the actual cellular devices and the MSC.

A

BTS / BSC / BSS / MSC

6
Q

is a database used by the MSC that contains subscriber data and service information.

A

The home location register (HLR)

7
Q

This number starts with the issuer identification number (IIN), which is a seven-digit number that identifies the country code and issuer, followed by a variable-length individual account identification number to identify the specific phone, and a check digit.

A

ICCID

8
Q

The user data partition is the one most relevant to forensic investigations. Here you will find the majority of user data, including all the data for apps. The cache partition stores frequently accessed data and recovery logs.

*** 3 important pieces of information for iPhone: iOS version number, phone number, serial number.

A

Android / iPhone

9
Q

Mobile device useful info: call history; emails, texts, and/or other messages; photos and video; phone information; Global Positioning System (GPS) information; network information.

*** Mobile device seizure info: (1) If you are going to plug the phone into a computer, make sure the phone does not synchronize with the computer. This is particularly important with the iPhone, which routinely auto-syncs. (2) Follow the same advice you follow for PCs: touch the evidence as little as possible, and document what you do to the device.

A

Mobile Device Info

10
Q

The header contains the address information (to and from, and any special handling), and the payload contains the content of the letter.

A

packets
