Exam 3

Question 1

NTFS

Answer 1

New Technology File System
Allows for multiple filenames for same data.
Differentiates between upper and lower case.

Question 2

NTFS Structure

Answer 2

No system area, all data area.
Everything is a file.
Max number of files unlimited (only limited by drive size).

Question 3

NTFS System Files

Answer 3

Boot record, root directory, and system area all files.
Normally start with $.
When formatted, system files created on drive.

Question 4

Clusters in NTFS

Answer 4

Start counting at 0.

Cluster size usually 4096.

Question 5

$MFT

Answer 5

Master File Table.
Most important.
Takes the place of root directory and file allocation table.
Can take up to 12.5% of drive.

Question 6

$MFT Structure

Answer 6

Composed of records.
Includes $MFT itself.
First 16 records reserved for metadata files.
Every file and directory has at least one record here.

Question 7

$MFTMIRR

Answer 7

Backup Files.
First four records of $MFT.
    $MFT (0)
    $MFTMIRR (1)
    $Logfile (2)
    $Volume (3)

Question 8

$Logfile

Answer 8

Records operations affecting file structure.
Records file system changes.
Used for Recovery.

Question 9

$Volume

Answer 9

Information about the volume.
Volume name.
NTFS version.
State of volume.
Dirty Flag: requires checkdisk to run).
Checks for errors.

Question 10

$Logfile: Forensic Significance

Answer 10

Can contain information on creating, moving, or deleting files.

Question 11

$AttrDef

Answer 11

Info about all attributes defined on a volume.
Not the same as FAT Directory attributes.
List of attributes can be extended or change by modifying this file.

Question 12

.-Root Directory

Answer 12

Does not have $.
Listing of all files and folders.
\

Question 13

$Bitmap

Answer 13

Like file allocation table.
Tracks cluster usage.
Allocation state of each cluster in volume.
Each bit indicates if a cluster is free or not.
1 if occupied, 0 if empty.
Does not point to cluster.

Question 14

$Boot

Answer 14

Volume Boot Record.
Located in sector 0 of volume.
Up to 16 sectors in length.
# of sectors per cluster.
Location of MFT.
Total sectors in volume.
Serial number.
Back-up of first sector of $Boot at end of volume.

Question 15

Resident Files

Answer 15

Files under 1024 are contained completely within $MFT.

Question 16

Non-Resident Files

Answer 16

Files over 1024 will be stored somewhere other than $MFT.

Question 17

Metadata Files

Answer 17

File system files that are created during formatting process.
Not create by Windows.
Some can be used to recover deleted partitions ($Boot).

Question 18

$BadClus

Answer 18

File consisting of all bad clusters on volume.
If one cluster (sector?) entire cluster is marked bad.
1 for bad, 0 or good.

Question 19

$Secure

Answer 19

Contains all security descriptors used on volume and their hash.
File’s “security ID” is an index into $Secure.

Question 20

$UpCase

Answer 20

Translates upper and lower case letters.

Used to assist in sorting and searching file names.

Question 21

Files

Answer 21

Series of attributes.
Every file will have:
   Standard Information Attribute (SIA).
   Filename Attribute.
   Data Attribute.

Question 22

Attributes

Answer 22

Anything that describe the file.

Name, Dates, Data.

Question 23

Folders

Answer 23

Every folder will have:
Standard Information Attribute (SIA).
Filename Attribute.
Index Root Attributes.

Question 24

$MFT Records

Answer 24

Records are 1024 bytes in length.
Each record begins with 56 byte record header.
Offsets start at beginning of record.

Question 25

Standard Information Attribute

Answer 25

SIA.
Present in every record.
96 bytes in length.
Contains dates and times associated with file.
0x10 00 00 00.
SIA always resident.

Question 26

Update Sequence Array

Answer 26

If information goes over a sector (?) this keeps track of overflow data so it doesn’t get rewritten.
Has code so can find the rest elsewhere.
“fix-up” array.

Question 27

Record Header

Answer 27

Offsets 0-4 signature (FILE is good to search for in records in unallocated space).
Update Sequence Array.
Sequence Count: Number of times $MFT has reused this record.

Question 28

Filename Attribute

Answer 28

FNA.
Every file and folder has one.
Dates not updated as frequently as SIA so unreliable.
0x30 00 00 00

Question 29

Data Attribute

Answer 29

Every file has one.
0x80 00 00 00.
Can be Resident or Non-Resident.
Folders do not have a Data Attribute.

Question 30

Record Slack

Answer 30

Data from the End of Record Marker to end of 1024 record is Record Slack.

Question 31

Data Attribute: Non-Resident

Answer 31

If data exceeds $MFT record (1024) it is placed in next available cluster.
A runlist of clusters will point to their location.

Question 32

Runlist

Answer 32

Has number of clusters and starting location.
If file is fragmented, there will be multiple run lists.
If multiple lists, location can be a negative value.
Location is a signed integer.

Question 33

UTC

Answer 33

Grenich Mean Time.
Paris, France.
We are UTC-6.

Question 34

Triage Rules

Answer 34

#1: If the computer is off, leave it off!
#2: If the computer is on, it depends!

Question 35

Triage Documentation

Answer 35

Make, model, serial number.
What state is it in?
On? Off? Disconnected? Damaged?
Photograph.

Question 36

Triage: Live Computer First Steps

Answer 36

Wake computer (mouse, shift key).
Document and photograph all open windows.
Check task tray for open applications.
Check for encryption.
Do as little as possible.

Question 37

Triage: Live Computer: Things to Check

Answer 37

Check task tray for open applications.

Check for encryption or encryption programs that are running.

Question 38

Triage: Live Computer: Things to Get

Answer 38

Make image.
Check online/cloud storage.
Try to get encryption passwords and codes.
Consider logical acquisition/RAM dump.
Capture RAM.

Question 39

Triage: Online/Cloud Storage

Answer 39

When machine is off, access to these are gone.
Make sure warrant covers looking at this.
May need new/additional warrant.

Question 40

Triage: Encryption

Answer 40

Save encryption keys or get from IT if applicable/possible
OR Create forensic image of encrypted volume while accessible
OR Disable encryption if possible (this will change info, document everything!).

Question 41

Triage: Destructive Processes

Answer 41

Pull the plug!

Observe time from authoritative source.

Question 42

Triage: Client OS

Answer 42

Destructive processes: pull plug!
Observe time from authoritative source.
Document!
If client hosts network services, especially databases, shutdown normally.

Question 43

Triage: Server OS

Answer 43

Shutdown normally.
Observe time from authoritative source.
Document!

Question 44

Triage: Pull the Plug (Desktop)

Answer 44

Unplug power directly from the back of the computer.

NOT from the wall, because they can power runs through surge protectors and power filters.

Question 45

Triage: Pull the Plug (Laptop)

Answer 45

Laptops have more than one power source.
Power Supply.
Battery.
Disconnet both to shut down.
It can be easier to do battery first.
Be sure to take power supply!

Question 46

Computer Boot Process in Lab

Answer 46

Need to boot computer without changing evidence.

Question 47

BIOS

Answer 47

Basic Input Output System.
Small code segment generally stored in ROM.
Includes information for a computer interact with different I/O devices.

Question 48

Boot

Answer 48

The startup process of a computer.

Allegedly from the word “bootstrap”.

Question 49

Bootable Media

Answer 49

Media that contains startup software.
Can be a CDROM, diskette, USB device, etc.
Newer computers are set to boot from CD/USB but older computer generally are not.

Question 50

CMOS

Answer 50

Complimentary Metal Oxide Semiconductor.
Contains system date/time and initial startup info.
Powered by a “button” battery on motherboard.

Question 51

KERNAL

Answer 51

The core that provides basic services to all other parts of the operating system.

Question 52

POST

Answer 52

Power On Self Test.
CPU checks itself and POST program by comparing code against identical permanent records.
Checks system timer.
Pathways are available and functioning.
Verifies RTC.
Beeps tell you what's broken.

Question 53

RAM

Answer 53

Random Access Memory.

Volatile, lost when power is lost.

Question 54

ROM

Answer 54

Read Only Memory.

Does not rely on power for storage.

Question 55

BIOS: Booting

Answer 55

Typically try to disconnect hard drive first.
F2 usually boots into BIOS.
Hit boot sequence.
Change what you want to boot it to (Forensic tools, DVD, flashdrive, etc).
May do this right at scene if needed (missing child, etc).

Question 56

BIOS: Forensic Importance

Answer 56

Retrieve date and time that computer was seized.

Can show how many hard drives are connected.

Question 57

Forensic Examinations

Answer 57

These need to be done in every examination.
Document BIOS information.
Once recorded, make image.

Question 58

Extensible Firmware Interface

Answer 58

Much like BIOS except:
Has built-in boot manager.
Helps if there are multiple OS’s.
Specification that defines a software interface between an OS and platform firmware.

Question 59

BIOS Access

Answer 59

BIOS type.
System information (serial number, memory installed, model).
Date/time.
Boot sequence.

Question 60

RTC

Answer 60

Real Time Clock.

Question 61

Formats for Storing Digital Evidence.

Answer 61

Raw format.
Proprietary formats.
Advanced Forensics Format (AFF).

Question 62

Raw Format

Answer 62

Makes it possible to write bit-stream data to files.

Question 63

Raw Format: Advantages

Answer 63

Fast data transfers.
Can ignore minor data read errors on source drive.
Most computer forensics tools can read raw format.

Question 64

Raw Format: Disadvantages

Answer 64

Requires as much storage as original disk or data.

Tools might collect marginal (bad) sectors.

Question 65

Proprietary Formats

Answer 65

RAW, .dd, .001, .e01.
Option to compress or not compress image files.
Can split image into smaller segmented files.
Can integrate metadata into image file.

Question 66

Proprietary Formats: Disadvantages

Answer 66

Inability to share an image between different tools.

File size limitation on each segmented volume.

Question 67

AFF

Answer 67

Advanced Forensics Format.
Don’t see very often.
Provide compressed or uncompressed image files.
No size restriction for disk-to-image files.
Provide space in the image file or segmented files for metadata.
Open source for multiple platforms and OS’s.

Question 68

Types of Acquisitions

Answer 68

Static acquisitions.

Live acquisitions.

Question 69

Data Acquisition Methods

Answer 69

Bit-stream disk-to-image file.
Bit-stream disk-to-disk.
Logical disk-to-disk or disk-to-disk data.
Sparse data copy of a file or folder.

Question 70

Bit-stream Bit-to-image File

Answer 70

Most common method.
Can make more than one copy.
Copies are bit-for-bit replications of original drive.
ProDiscover, Encase, FTK.

Question 71

Bit-stream Disk-to-disk

Answer 71

When disk-to-image copy is not possible.
Consider disk’s geometry configuration.
Encase, SafeBack, SnapCopy.

Question 72

Logical Acquisition or Sparse Acquistion

Answer 72

When your time is limited.
Captures only specific files of interest to case.
Sparse also collects fragments of unallocated (deleted) data.
For large disks.
PST or OST mail files, RAID servers.

Question 73

Forensic Duplicate

Answer 73

Bit-for-bit copy of original media.

Copies all info and sectors on drive (deleted, slack, unallocated, etc.)

Question 74

File Copy

Answer 74

Only copies data files.

Does not include deleted or hidden files, file slack space, or unallocated or bad clusters.

Question 75

Physical Copy

Answer 75

Gets everything.

Want to do this unless not possible.

Question 76

Logical Copy

Answer 76

Only gets data area.

Question 77

Duplicate Imaging

Answer 77

Because computer evidence can be easily altered, destroyed, or hidden.
All data areas will be imaged.

Question 78

Duplicate Imaging: Advantages

Answer 78

Preservation of original evidence.
Prevention of inadvertently altering the original evidence during examination.
Can recreate perfect duplicate from duplicate and does not degrade.

Question 79

Sterilized Media

Answer 79

Start with this.
The media is wiped clean using software to write all zeroes to the media.
Ensures there is no residual data from previous investigations.

Question 80

Sterile Media

Answer 80

Media on which every byte has been overwritten by a known hex value or random hex value.
Also known as “wiping” or “sterilizing”.

Question 81

Forensic Sterilization

Answer 81

Forensic wiping.
0x00 is written over everything.
Allows for verification with checksum64 equals to 0.

Question 82

Non-Forensic Sterilization

Answer 82

Non 0x00 known characer or random character wipes.

Question 83

Wiping

Answer 83

Wiping resets to all 0’s.

Question 84

Deleting

Answer 84

Normal logical file removal operations:
Simple file deletion leaves data intact.
HDD format can leave data intact.
Removing a partition can leave data intact.

Question 85

When to Use Sterile Media

Answer 85

Whenever restoring suspect data to a drive.
Whenever someone brings you media (new or used) to place data or files onto.
Make them aware you will wipe it prior to placing the requested data on it.

Question 86

Validation of Sterile Media

Answer 86

Use PALADIN.
Does not matter if the media is recognizable by the OS.
If software requires that the OS recognize the media a successful wipe can never be validated.

Question 87

Validation

Answer 87

Not knowing = Not doing = DISASTER!

If you don’t know how to test and validate, should you really be a qualified forensic computer examiner?

Question 88

Write Blockers

Answer 88

Software or hardware process that will “block” all writes to the original media.

Question 89

Windows Based Imaging Tool

Answer 89

When using, media must be write protected.
Two methods:
Hardware.
Software.

Question 90

Hardware Write Blocker

Answer 90

Media is physically attached to write blocker before being attached to motherboard.

Question 91

Software Write Blocker

Answer 91

Is inserted between the OS and the disk/device drivers.

Question 92

Jumper Settings

Answer 92

Master to slave drive (IDE drives, SATAs do not have them).

Question 93

Hash

Answer 93

Check these to make sure they are duplicated properly (MD5 and SHA-1).
MD5 is 128 bit (16 byte) value.

Question 94

Orphan File

Answer 94

File where parent folder is overwritten.
EnCase calls them Lost Files/
$MFT record for the folder is overwritten by a new file entry.
Files in the original folder are now orphans.
No method to determine what original folder name was exists.

Question 95

Exam Stage

Answer 95

Check CMOS and BIOS for date/time.

Question 96

Index Root

Answer 96

Found in folders.
Can only hold a few filenames.
When additional names are added the attribute becomes non-resident.
When that happens, two additional attributes are incorporated.
Index Allocation Attribute.
Bitmap Attribute.