Exam Questions Flashcards
What principle is traditional forensics dominated by?
Locard's Exchange Principle: "every contact leaves a trace". It comes from criminal forensics: whoever comes into contact with a crime scene brings something into it and takes something out of it. Classic CSI examples are fingerprints, tyre prints and strands of hair.
What is Locard's Principle in the digital world?
Kornblum's and Harlan Carvey's restatement of the principle for digital forensics is "there is evidence of every action": software cannot act on a system without touching registry keys, log entries, file-system metadata and similar structures.
Its corollary is "the absence of an artifact is itself an artifact": if an expected trace is missing, that is itself a finding (e.g. log clearing or other anti-forensics).
What is the cyber exchange principle?
Artifacts of electronic activity on computers are detectable through forensic examination, but finding them may require access to computer or network resources beyond the physical "crime scene".
Electronic contact leaves no physical trace; it may leave only digital evidence, often outside the physical crime scene, so the examination deals with bits and bytes of information rather than physical traces.
What are the 8 Digital Forensics Processes?
- Search Authority - first step; you must be authorised to be there (warrant, consent or policy)
- Chain of Custody - list of evidence items and of everyone who has held them, with dates and times
- Imaging/Hashing - work from a duplicate copy; hash the original and the image to prove they are identical
- Validated Tools - use multiple tools, in current versions, proven to do what they claim
- Analysis - analyse the findings of the examination
- Repeatability - another examiner following the documented steps should reach the same result; documentation is essential
- Reporting - written for, and understandable by, the intended audience
- Presentation - may require explaining the findings to a non-technical audience
What is the Digital Forensics Safety Net?
A list of procedures and actions taken to ensure that digital evidence:
- is properly preserved and protected
- is not altered or destroyed
- can be authenticated
- is maintained under a chain of custody.
It also:
- protects against challenges to authenticity
- allows the work to be reproduced using the same steps
- protects the examiner from liability if something goes wrong.
What are the 5 categories of file system data?
- File System Descriptive Data - general layout of the file system (boot sector/superblock, sizes, locations of the other structures); a forensic examination begins here
- Content Category - storage allocated for file content: data units such as blocks or clusters (groups of sectors), each either allocated or unallocated
- Metadata Category - descriptive data about files, present and deleted (timestamps, size, which data units are allocated); often located in a file directory (FAT) or in structures such as the MFT or inode table
- File Name Category - lets users find files by name; the root directory is the base of the name tree on the volume, and names point to metadata entries
- Application Category - features not essential to the file system itself, e.g. journaling or quotas
What is the difference between Stream Carving and File Carving?
Data Stream Carving recovers small fragments rather than entire files. The fragments may carry great meaning on their own but are usually part of a larger file or fragment, e.g. URLs, chat sessions, e-mails, encryption keys.
File Carving recovers intact files from memory or unallocated space by matching header/footer signatures, without relying on file-system metadata. Useful when you want to carve out a known, specific deleted file, e.g. Word documents, pictures, archives, media.
Difference between VCN (virtual cluster number) and LCN (logical cluster number)?
A VCN is a cluster number relative to the start of the file; an LCN is relative to the start of the volume. In NTFS the data runs of a non-resident attribute map ranges of VCNs to ranges of LCNs.
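How the VCN-to-LCN mapping is actually stored, as an added example that is not part of the original flashcards: a decoder for an NTFS run list (the data runs of a non-resident attribute), which goes a step beyond the card by showing relative offsets and sparse runs. The sample run list is constructed for this example, not taken from a real volume.

```python
from typing import List, Optional, Tuple

# Constructed run list (not from a real disk), three runs then the 0x00 terminator:
#   21 18 34 56  header 0x21: 1-byte length, 2-byte offset -> 24 clusters starting at LCN 0x5634
#   11 08 F0     header 0x11: 1-byte length, 1-byte offset -> 8 clusters, offset -16 from previous LCN
#   01 04        header 0x01: 1-byte length, no offset field -> sparse run of 4 clusters
SAMPLE_RUNLIST = bytes.fromhex("21 18 34 56 11 08 F0 01 04 00")

Run = Tuple[int, int, Optional[int]]  # (start_vcn, cluster_count, start_lcn or None if sparse)


def decode_runlist(runlist: bytes) -> List[Run]:
    """Decode an NTFS run list into (start VCN, length, start LCN) runs.

    Each run begins with a header byte: low nibble = size in bytes of the length field,
    high nibble = size of the LCN offset field. The length is unsigned little-endian; the
    offset is signed little-endian and relative to the previous run's start LCN (the first
    run is relative to LCN 0). Offset size 0 marks a sparse run. Header 0x00 ends the list.
    """
    runs: List[Run] = []
    pos, vcn, lcn = 0, 0, 0
    while pos < len(runlist):
        header = runlist[pos]
        pos += 1
        if header == 0x00:
            break
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError(f"malformed run header 0x{header:02x} at offset {pos - 1}")
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, length, None))  # sparse: no clusters on disk
        else:
            lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((vcn, length, lcn))
        vcn += length
    return runs


def vcn_to_lcn(runs: List[Run], vcn: int) -> Optional[int]:
    """Translate a file-relative VCN to a volume-relative LCN (None for a sparse cluster)."""
    for start_vcn, count, start_lcn in runs:
        if start_vcn <= vcn < start_vcn + count:
            return None if start_lcn is None else start_lcn + (vcn - start_vcn)
    raise ValueError(f"VCN {vcn} is beyond the end of the attribute")


def lcn_to_byte_offset(lcn: int, cluster_size: int = 4096) -> int:
    """Volume byte offset of a cluster; the cluster size comes from the NTFS boot sector."""
    return lcn * cluster_size


if __name__ == "__main__":
    runs = decode_runlist(SAMPLE_RUNLIST)
    for start_vcn, count, start_lcn in runs:
        where = "sparse" if start_lcn is None else f"LCN {start_lcn}-{start_lcn + count - 1}"
        print(f"VCN {start_vcn}-{start_vcn + count - 1} -> {where}")
    print("VCN 5 is at volume byte offset", lcn_to_byte_offset(vcn_to_lcn(runs, 5)))
```

The negative offset in the second run is the point to notice: runs are not in LCN order, so a file's second fragment can sit before its first on the volume, and a carver that assumes forward-only layout will miss it.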
What happens when a FAT file is created/deleted?
FAT File Created:
- A 32-byte directory entry is written, containing:
- File or subdirectory name (short 8.3 name, plus long file name entries when needed)
- Starting cluster of the file (beginning of the chain of clusters in the FAT)
- Size in bytes
- Date and time groups (created, last written, last accessed)
- Attributes (read-only, hidden, system, directory, archive)
FAT File Deleted:
- The filename is preserved minus the first character, which is replaced by 0xE5.
- Modification/creation/access times are preserved.
- File attributes, size and starting cluster are preserved.
- The file's entries in the FAT are set to 0x00 (unallocated), so the cluster chain is lost and only the starting cluster is known. The data stays at the original cluster location until overwritten, which makes contiguous files easy to recover and fragmented ones much harder.
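The 32-byte directory entry described above, parsed before and after deletion, as an added example that is not part of the original flashcards. The entries are constructed in code (a live "REPORT.DOC" and the same entry with its first byte overwritten by 0xE5); the field layout and the packed date/time encoding are those of the FAT specification, everything else is this example's assumption.

```python
import struct
from datetime import datetime
from typing import Dict, Optional

# Layout of a short (8.3) directory entry: name[11], attr, NT reserved, create tenths,
# create time, create date, access date, first cluster high, write time, write date,
# first cluster low, file size  -> 32 bytes.
ENTRY_FMT = "<11sBBBHHHHHHHI"
ATTR_FLAGS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
              0x08: "volume-label", 0x10: "directory", 0x20: "archive"}
DELETED_MARKER = 0xE5


def fat_datetime(date: int, time: int) -> Optional[datetime]:
    """Decode packed FAT date (bits 15-9 year-1980, 8-5 month, 4-0 day)
    and time (bits 15-11 hour, 10-5 minute, 4-0 seconds/2). A zero date means unset."""
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def fat_encode(dt: datetime):
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time


def build_entry(name83: bytes, attrs: int, created: datetime, written: datetime,
                accessed: datetime, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build a constructed directory entry; deleted=True overwrites the first name byte with 0xE5."""
    cdate, ctime = fat_encode(created)
    wdate, wtime = fat_encode(written)
    adate, _ = fat_encode(accessed)
    name = bytes([DELETED_MARKER]) + name83[1:] if deleted else name83
    return struct.pack(ENTRY_FMT, name, attrs, 0, 0, ctime, cdate, adate,
                       first_cluster >> 16, wtime, wdate, first_cluster & 0xFFFF, size)


def parse_dir_entry(entry: bytes) -> Dict:
    """Parse one entry. Everything except the first name byte survives deletion."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    (raw, attrs, _nt, _tenths, ctime, cdate, adate, hi,
     wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, entry)
    deleted = raw[0] == DELETED_MARKER
    if attrs == 0x0F:  # long-file-name entry: different layout, not decoded here
        return {"kind": "lfn", "deleted": deleted}
    base = ("?" + raw[1:8].decode("latin-1")) if deleted else raw[:8].decode("latin-1")
    base, ext = base.rstrip(), raw[8:11].decode("latin-1").rstrip()
    return {
        "kind": "dir" if attrs & 0x10 else "file",
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "attributes": [n for flag, n in ATTR_FLAGS.items() if attrs & flag],
        "start_cluster": (hi << 16) | lo,  # high word is only meaningful on FAT32
        "size": size,
        "created": fat_datetime(cdate, ctime),
        "written": fat_datetime(wdate, wtime),
        "accessed": fat_datetime(adate, 0),
    }


# Constructed sample data (not from a real volume).
CREATED = datetime(2023, 3, 15, 10, 30, 10)
WRITTEN = datetime(2023, 3, 16, 9, 0, 0)
ACCESSED = datetime(2023, 3, 16)
LIVE_ENTRY = build_entry(b"REPORT  DOC", 0x20, CREATED, WRITTEN, ACCESSED, 0x123, 4096)
DELETED_ENTRY = build_entry(b"REPORT  DOC", 0x20, CREATED, WRITTEN, ACCESSED, 0x123, 4096, deleted=True)

if __name__ == "__main__":
    for label, e in (("live", LIVE_ENTRY), ("deleted", DELETED_ENTRY)):
        print(label, parse_dir_entry(e))
```

Because the starting cluster and size survive, a recovery tool can read size/cluster_size contiguous clusters from the starting cluster; that is a correct recovery only if the file was not fragmented, since the FAT chain itself has been zeroed.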
What happens when an NTFS file is created/deleted?
NTFS File Created:
- Each new file gets a record in the MFT (more files = more MFT records). MFT records are stored contiguously on disk (the MFT is itself a file, $MFT), which improves performance.
NTFS File Deleted:
- The name is removed from the parent directory index, and the MFT entry and the file's clusters are marked unallocated (in the MFT record header and in $Bitmap), but the link between the entry and its clusters, the data runs, still exists.
- When the filename is removed from the parent directory, the index is re-sorted, so name information held in the index could be lost.
- To recover all deleted files in NTFS, examine the MFT for unallocated entries and determine each name from its $FILE_NAME attribute and the parent directory file reference that attribute contains.
David Cowen (Shell Items - More Than Meets The Eye) presentation and Paul's PowerPoint lecture 10
Shell items are data structures (or a file built from them, such as a .lnk shortcut) that hold the information needed to reach another file or folder; they appear in shortcuts, jump lists and shellbags.
What is the difference between date/time stamps made by the file vs the file system, or link vs source?
Date and Time Stamps
There are three sets of timestamps:
- The target file's own file-system timestamps
- A snapshot of the target file's timestamps embedded in the shortcut (.lnk) file
- The file-system timestamps of the .lnk file itself
Some forensic utilities show only the embedded snapshot of the target file's timestamps.
The file-system timestamps of the LNK file show important details of their own. The creation date of the .lnk is the first time a file with that exact name was opened, regardless of the file's location.
Shortcut files are often useful for identifying files that no longer exist on the local machine. The file may have been wiped or deleted, but the shortcut usually remains and provides an important clue that a file once existed at that path.
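The three timestamp sets made concrete, as an added example that is not part of the original flashcards: a parser for the fixed 76-byte ShellLinkHeader at the start of every .lnk, which carries the snapshot of the target's creation/access/write FILETIMEs at offsets 0x1C, 0x24 and 0x2C, compared with the .lnk file's own file-system timestamps. The .lnk is constructed in code (header only, no target ID list or LinkInfo) and written to a temporary directory; the target name and timestamps are this example's assumptions.

```python
import os
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# LinkCLSID {00021401-0000-0000-C000-000000000046} as it appears on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# ShellLinkHeader: HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime,
# AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1/2/3 = 76 bytes
HEADER_FMT = "<I16sIIQQQIIIHHII"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> Optional[datetime]:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def build_lnk_header(created: datetime, accessed: datetime, written: datetime, size: int) -> bytes:
    """Constructed ShellLinkHeader carrying a snapshot of the target's timestamps and size."""
    return struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, 0, 0x20,
                       dt_to_filetime(created), dt_to_filetime(accessed), dt_to_filetime(written),
                       size, 0, 1, 0, 0, 0, 0)


def parse_lnk_header(data: bytes) -> Dict:
    """Second timestamp set: the snapshot of the target file embedded in the .lnk."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    (hdr_size, clsid, _flags, attrs, ctime, atime, wtime, size, *_rest) = struct.unpack(HEADER_FMT, data[:0x4C])
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    return {"target_created": filetime_to_dt(ctime), "target_accessed": filetime_to_dt(atime),
            "target_written": filetime_to_dt(wtime), "target_size": size, "target_attributes": attrs}


def lnk_fs_timestamps(path: str) -> Dict:
    """Third timestamp set: the .lnk file's own file-system timestamps."""
    st = os.stat(path)
    to_utc = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return {"lnk_modified": to_utc(st.st_mtime), "lnk_accessed": to_utc(st.st_atime)}


# Constructed target snapshot (assumed values, not from a real system).
TARGET_CREATED = datetime(2019, 6, 1, 8, 0, tzinfo=timezone.utc)
TARGET_ACCESSED = datetime(2020, 2, 2, 12, 0, tzinfo=timezone.utc)
TARGET_WRITTEN = datetime(2019, 12, 24, 18, 30, tzinfo=timezone.utc)
SAMPLE_LNK = build_lnk_header(TARGET_CREATED, TARGET_ACCESSED, TARGET_WRITTEN, 12345)


def demo() -> Dict:
    """Write the constructed .lnk to a temp dir and show embedded vs file-system timestamps."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.docx.lnk")  # hypothetical shortcut name
        with open(path, "wb") as f:
            f.write(SAMPLE_LNK)
        with open(path, "rb") as f:
            embedded = parse_lnk_header(f.read())
        return {**embedded, **lnk_fs_timestamps(path)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:17} {v}")
```

The embedded values are whatever the target's timestamps were when Windows wrote the shortcut; the .lnk's own timestamps are about the shortcut, and the first set (the target's current timestamps) may not exist at all if the target is gone. A utility that shows only one of the three is hiding evidence from you.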
Where can you find evidence of program execution?
- UserAssist (NTUSER.DAT registry hive)
- BAM/DAM (Background/Desktop Activity Moderator, SYSTEM hive)
- RecentApps
- Shimcache (AppCompatCache, SYSTEM hive)
- Jump lists
- Prefetch (C:\Windows\Prefetch)
- Amcache.hve
What are the two mandatory attributes of a file record, and are they resident or not?
(MFT attributes) Every MFT entry for a named file has a $STANDARD_INFORMATION and a $FILE_NAME attribute; unnamed entries have only $STANDARD_INFORMATION. Both are small and always resident, i.e. stored inside the MFT record itself.
Evolution of artifacts from Windows XP to Windows 10?
Thumbs.db is a hidden file in each directory on a Windows XP machine where pictures exist. It catalogs all the pictures and stores a copy of the thumbnails, even after the pictures have been deleted.
It is useful for showing that pictures once existed in a directory. It is only created if the files are viewed in thumbnail or filmstrip mode.
Essentially, thumbs.db lists all the picture files, deleted and existing, that resided in that directory. While you might only see a few pictures in a directory, thumbs.db shows all the pictures that once existed there. It has proved invaluable in child exploitation cases.
From Windows Vista onwards the thumbnail cache is no longer a per-directory Thumbs.db; it is created automatically in one place under the user's profile directory (C:\Users\<username>). If a user views pictures in C:\Windows\Temp, for example, no thumbs.db is created in that directory.
The data now sits in a single directory for each user of the machine, in their application data under their home directory:
C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer
These files are created when a user switches a folder to thumbnail view or views pictures in a slide show. The thumbnails are now stored in separate database files, one per size. Vista/Windows 7 have 4 thumbnail sizes and the files in the cache folder reflect this:
- thumbcache_32.db -> small
- thumbcache_96.db -> medium
- thumbcache_256.db -> large
- thumbcache_1024.db -> extra large
Windows 8 added further sizes (16, 48 and 1600) and a new database type, iconcache_*.db, with a similar format.
The thumbcache stores the thumbnail copy of the picture, at the corresponding size, in the matching database file.
One of the more interesting things about the thumbcache is that it also stores thumbnails of Office documents: you can often see the first page of a PowerPoint deck, Word document or Excel spreadsheet and some of the data it contained. Folder thumbnails likewise let you peer at some of a folder's contents.
Mapping thumbcache entries back to file names via Windows.edb (the Windows Search ESE database) should be done on an operating system of the same or a newer version than the one that generated the Windows.edb. Entries that were mapped with extended information found while searching the Windows.edb are displayed in green by the viewer.
The Windows.edb must not be in a dirty state: recover or repair it (e.g. with esentutl) before you begin.
Windows XP also had an INFO2 file in the Recycle Bin that recorded each deleted item. From Windows Vista onwards INFO2 no longer exists; each deletion instead produces a pair of files in the Recycle Bin: an $I file (metadata: original path, size, deletion time) and an $R file (the file's content), sharing the same random suffix.
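The $I metadata file decoded, as an added example that is not part of the original flashcards. It handles both layouts: version 1 (Vista to 8.1: 8-byte version, 8-byte size, 8-byte deletion FILETIME, then a fixed 520-byte UTF-16LE path) and version 2 (Windows 10: the same header, then a 4-byte path length in characters including the terminating null, then the path). The sample $I contents are constructed in code; the original path, size and deletion time are this example's assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def build_i_file(original_path: str, size: int, deleted_at: datetime, version: int = 2) -> bytes:
    """Constructed $I file in the requested layout (test data, not from a real Recycle Bin)."""
    head = struct.pack("<QQQ", version, size, dt_to_filetime(deleted_at))
    if version == 1:
        return head + original_path.encode("utf-16-le").ljust(520, b"\x00")
    chars = len(original_path) + 1  # character count includes the terminating null
    return head + struct.pack("<I", chars) + (original_path + "\x00").encode("utf-16-le")


def parse_i_file(data: bytes) -> Dict:
    """Recover original path, size and deletion time from an $I file of either version."""
    if len(data) < 24:
        raise ValueError("too short for an $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (chars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + chars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_path": path, "size": size,
            "deleted_at": filetime_to_dt(ft)}


def paired_r_name(i_name: str) -> str:
    """$I<suffix>.<ext> holds the metadata; $R<suffix>.<ext> holds the content."""
    if not i_name.startswith("$I"):
        raise ValueError("not an $I file name")
    return "$R" + i_name[2:]


# Constructed sample (assumed values).
SAMPLE_PATH = r"C:\Users\alice\Documents\secret.docx"
DELETED_AT = datetime(2021, 1, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_I_V2 = build_i_file(SAMPLE_PATH, 2048, DELETED_AT, version=2)
SAMPLE_I_V1 = build_i_file(SAMPLE_PATH, 2048, DELETED_AT, version=1)

if __name__ == "__main__":
    for blob in (SAMPLE_I_V1, SAMPLE_I_V2):
        print(parse_i_file(blob))
    print("$IABC123.docx pairs with", paired_r_name("$IABC123.docx"))
```

Note that deleting the $I file alone leaves the content in $R with no record of where it came from, and that the deletion time in $I is the moment the file hit the Recycle Bin, not when the user emptied it.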