Final 2 Flashcards
APFS
Apple File System (APFS): Apple's file system for macOS since 10.13 (2017), replacing HFS+. A partition holds an APFS container, and the container can hold several volumes that share its free space, so a partition turned into volumes no longer needs a fixed size per volume.
What is an alternate data stream (ADS)?
An NTFS feature that lets extra named streams of data be attached (forked) to an existing file without affecting the file's functionality, its reported size, or how it appears in ordinary file browsing.
With FAT,
To find names and dates, we look at directory entries (32-byte records holding the 8.3 name, attributes, timestamps, first cluster and size). The allocation table is the FAT itself, which records which clusters are in use and chains a file's clusters together.
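The directory-entry point above, as an added example (not part of the flashcards): a parser for FAT short directory entries that recovers name, created/accessed/modified dates, first cluster and size, including from a deleted entry whose first name byte has been overwritten with 0xE5. The field layout follows Microsoft's FAT specification; the two-entry directory it parses is constructed sample data, not taken from a real volume.

```python
# Added example (not from the flashcards): parse FAT short directory entries.
# Assumptions: 32-byte entries laid out per Microsoft's FAT specification; the
# sample directory below is constructed, not taken from a real volume.
import struct
from datetime import datetime

DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")  # 32 bytes, little-endian
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F          # long-file-name entry: not a file record of its own
DELETED_MARK = 0xE5      # first name byte is overwritten on delete; the rest survives


def fat_date(word):
    """FAT date word: bits 0-4 day, 5-8 month, 9-15 years since 1980."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def fat_time(word, tenths=0):
    """FAT time word: bits 0-4 seconds/2, 5-10 minutes, 11-15 hours; tenths is 0-199 x 10 ms."""
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2 + tenths // 100


def fat_datetime(date_word, time_word=0, tenths=0):
    """Combine the words into a datetime; a zero date means the field was never set."""
    if date_word == 0:
        return None
    year, month, day = fat_date(date_word)
    hour, minute, second = fat_time(time_word, tenths)
    return datetime(year, month, day, hour, minute, second)


def short_name(raw11):
    """Turn the 8.3 field into NAME.EXT; a deleted entry shows '?' for the lost first byte."""
    if raw11[0] == DELETED_MARK:
        raw11 = b"?" + raw11[1:]
    base = raw11[:8].rstrip(b" ").decode("ascii", "replace")
    ext = raw11[8:].rstrip(b" ").decode("ascii", "replace")
    return f"{base}.{ext}" if ext else base


def parse_dir_entry(raw):
    """Return a dict for one entry, {'lfn': True} for long-name pieces, None at end of directory."""
    (name, attr, _nt_res, crt_tenth, crt_time, crt_date, acc_date,
     clus_hi, wrt_time, wrt_date, clus_lo, size) = DIR_ENTRY.unpack(raw)
    if name[0] == 0x00:
        return None
    if attr == ATTR_LFN:
        return {"lfn": True}
    return {
        "name": short_name(name),
        "deleted": name[0] == DELETED_MARK,
        "is_dir": bool(attr & ATTR_DIRECTORY),
        "created": fat_datetime(crt_date, crt_time, crt_tenth),
        "accessed": fat_datetime(acc_date),          # date only: FAT keeps no access time
        "modified": fat_datetime(wrt_date, wrt_time),
        "first_cluster": (clus_hi << 16) | clus_lo,  # follow this chain in the FAT
        "size": size,
    }


def walk_directory(blob):
    """Parse a directory's raw bytes, including deleted entries, stopping at the end marker."""
    entries = []
    for offset in range(0, len(blob) - len(blob) % 32, 32):
        entry = parse_dir_entry(blob[offset:offset + 32])
        if entry is None:
            break
        if not entry.get("lfn"):
            entries.append(entry)
    return entries


def build_entry(name11, attr, stamp, first_cluster, size, deleted=False):
    """Constructed sample data: encode one entry with all timestamps set to `stamp`."""
    date_word = ((stamp.year - 1980) << 9) | (stamp.month << 5) | stamp.day
    time_word = (stamp.hour << 11) | (stamp.minute << 5) | (stamp.second // 2)
    raw_name = name11.ljust(11).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]
    return DIR_ENTRY.pack(raw_name, attr, 0, 0, time_word, date_word, date_word,
                          first_cluster >> 16, time_word, date_word,
                          first_cluster & 0xFFFF, size)


SAMPLE_STAMP = datetime(2021, 3, 15, 14, 30, 10)
SAMPLE_DIRECTORY = (
    build_entry("REPORT  TXT", 0x20, SAMPLE_STAMP, 5, 1234)                 # live file
    + build_entry("OLDLOG  TXT", 0x20, SAMPLE_STAMP, 9, 4096, deleted=True)  # deleted, still parseable
    + bytes(32)                                                            # end-of-directory marker
)

if __name__ == "__main__":
    for e in walk_directory(SAMPLE_DIRECTORY):
        print(e)
```

Note that the deleted entry keeps its dates, size and first cluster; only the first character of the name is lost, which is why deleted FAT files can often be recovered by following the cluster chain from first_cluster until the FAT entries have been reused.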
With NTFS,
To find names and dates, we look at Master File Table ($MFT) records, whose $STANDARD_INFORMATION and $FILE_NAME attributes hold the timestamps. The allocation table is $Bitmap (one bit per cluster).
With HFS (HFS+),
we look in the Catalog File, which is keyed by Catalog Node ID (CNID); a CNID is never reused once assigned, so it identifies a file for the volume's lifetime. The allocation table is the Allocation File (one bit per allocation block).
Where is the partition table?
In the Master Boot Record (MBR), sector 0 of the disk: four 16-byte partition entries at offset 0x1BE, followed by the 0x55AA signature. On a GPT disk the MBR holds only a protective entry (type 0xEE) and the real partition entries follow the GPT header at LBA 1.
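The MBR layout described above, as an added example (not from the flashcards): a parser for the four partition entries that also reports the sectors no partition claims, which is where an examiner looks for hidden data and deleted partitions. Offsets and the entry layout are the standard MBR format; the 512-byte MBR it parses is constructed here, as is the disk size of one million sectors.

```python
# Added example (not from the flashcards): parse an MBR partition table and find
# the sectors no partition claims. The MBR bytes below are constructed.
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE                       # 4 entries x 16 bytes, then the 55 AA signature
ENTRY = struct.Struct("<B3sB3sII")         # status, CHS start, type, CHS end, start LBA, sector count
SIGNATURE = b"\x55\xAA"
PART_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector0):
    """Return the non-empty partition entries with their LBA ranges."""
    if len(sector0) < SECTOR or sector0[510:512] != SIGNATURE:
        raise ValueError("not an MBR: 55 AA signature missing")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, start, count = ENTRY.unpack_from(
            sector0, TABLE_OFFSET + i * ENTRY.size)
        if ptype == 0x00:
            continue                        # unused slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
            "start_lba": start,
            "sectors": count,
            "end_lba": start + count - 1,
            "byte_offset": start * SECTOR,  # where to seek for this partition's VBR
        })
    return parts


def is_gpt_disk(parts):
    """A protective 0xEE entry means the real table is the GPT (header at LBA 1)."""
    return any(p["type"] == 0xEE for p in parts)


def unallocated_ranges(parts, total_sectors):
    """Sector ranges owned by no partition: the MBR gap, inter-partition gaps, the tail.
    These are where hidden data and deleted partitions are looked for."""
    gaps, cursor = [], 1                    # sector 0 is the MBR itself
    for start, end in sorted((p["start_lba"], p["end_lba"]) for p in parts):
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_mbr(entries):
    """Constructed sample: entries are (status, type, start_lba, sector_count)."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, start, count) in enumerate(entries):
        ENTRY.pack_into(mbr, TABLE_OFFSET + i * ENTRY.size,
                        status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


SAMPLE_MBR = build_mbr([
    (0x80, 0x07, 2048, 204800),             # bootable NTFS, sectors 2048..206847
    (0x00, 0x0C, 206848, 409600),           # FAT32, sectors 206848..616447
])
SAMPLE_DISK_SECTORS = 1_000_000             # constructed disk size

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print("GPT disk:", is_gpt_disk(parts))
    print("unallocated:", unallocated_ranges(parts, SAMPLE_DISK_SECTORS))
```

On a real image the first 512 bytes are passed to parse_mbr and byte_offset tells you where each volume boot record starts; if is_gpt_disk is true the entries here are a placeholder and the GPT must be parsed instead.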
File system tunneling:
A Windows behaviour: when a file is deleted and a file with the same name is created in the same directory shortly afterwards (within 15 seconds by default), the new file inherits the creation date of the original. A "new" file can therefore carry an old creation timestamp.
Hacker methodology:
a- Reconnaissance: gathering information about the target.
b- Attack: applying a technique (an exploit) against the target.
c- Entrenchment: establishing hidden, persistent access so the compromise survives and stays unnoticed.
d- Abuse: conducting further activities on the compromised target.
File carving:
Data carving is extracting a collection of data from a larger data set. File carving is data carving applied to a disk: unallocated file system space is scanned for files by their content (header and footer signatures), because the allocation metadata that would identify them is gone.
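Signature carving as described above, as an added example (not from the flashcards): a JPEG carver that scans a blob of unallocated space for start-of-image headers, validates that a real marker follows, and cuts at the next end-of-image footer. The marker bytes are the standard JPEG ones; the blob it scans, including a deliberate false header, is constructed test data.

```python
# Added example (not from the flashcards): header/footer carving of JPEG images
# from a blob of unallocated space. The blob below is constructed test data.
JPEG_SOI = b"\xFF\xD8\xFF"   # start-of-image marker, always followed by another marker
JPEG_EOI = b"\xFF\xD9"       # end-of-image marker


def _marker_follows_soi(blob, start):
    """After FF D8 FF the next byte must be a marker code (cameras emit APPn: E0-EF)."""
    if start + 3 >= len(blob):
        return False
    code = blob[start + 3]
    return 0xC0 <= code <= 0xFE


def carve_jpegs(blob, max_size=16 * 1024 * 1024):
    """Return (offset, bytes) for each SOI..EOI run. Contiguous data only: a fragmented
    file yields garbage after the first fragment, and an embedded EXIF thumbnail
    carries its own EOI, so real tools validate the decoded image afterwards."""
    carved, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        if not _marker_follows_soi(blob, start):
            pos = start + 1                  # FF D8 FF inside other data, not a header
            continue
        end = blob.find(JPEG_EOI, start + 4)
        if end < 0 or end - start > max_size:
            pos = start + 1                  # no plausible footer: keep scanning
            continue
        carved.append((start, blob[start:end + 2]))
        pos = end + 2
    return carved


# Constructed blob: two minimal JPEG-shaped files, one false header, zero filler.
JPEG_A = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"A" * 40 + JPEG_EOI
JPEG_B = b"\xFF\xD8\xFF\xE1\x00\x16Exif\x00\x00" + b"B" * 64 + JPEG_EOI
NOT_A_HEADER = b"\xFF\xD8\xFF\x00" + b"x" * 8 + JPEG_EOI   # FF D8 FF then 0x00: rejected
SAMPLE_UNALLOCATED = (bytes(100) + JPEG_A + bytes(37) + NOT_A_HEADER
                      + bytes(11) + JPEG_B + bytes(20))

if __name__ == "__main__":
    for offset, data in carve_jpegs(SAMPLE_UNALLOCATED):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
```

The offsets returned are relative to the blob; on a real image add the byte offset of the unallocated region so the carved file can be tied back to its sectors.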
Page file:
A reserved portion of the hard disk (pagefile.sys on Windows) used as an extension of RAM. Memory paged out to it can hold fragments of process memory, which makes it a source of otherwise volatile data.
Internal metadata:
Metadata stored inside the file itself. Examples: EXIF data in photographs and media files, and document properties (author, creation date) in PDF files.
File system metadata:
Information about a file kept by the file system rather than inside the file: the created, modified, accessed and record-updated (MFT entry changed) timestamps, plus size, attributes and allocation. Together these make up the file system metadata.
OST file:
Offline Storage Table (Outlook Offline Data File): a local copy of an Exchange mailbox that makes it possible to work offline and synchronizes changes with the Exchange server once back online.
PST file:
Outlook Data File (Personal Storage Table), used for most mail accounts: POP3, IMAP and web-based accounts. It is a personal folder file that stores messages and other items on the local computer.
Gmail Takeout
Google Takeout lets a Google user export their data as a downloadable archive (zip or tgz). For Gmail it produces a dump of the account's mail in MBOX format.
What is data obfuscation?
A form of data masking that conceals data. Examples: steganography, changing a file's extension, compressing data, writing data into file slack or volume slack, creating a small partition on a disk, populating it and then deleting it, and blurring or shuffling data.
Virus
Malicious software that self-replicates by inserting copies of itself into other programs or files.
Alternate data stream in Windows: where is it found?
The most common ADS is the Zone.Identifier stream that Windows attaches to a file downloaded from the internet (the "Mark of the Web"). It records the URL security zone the file came from (ZoneId=3 is the Internet zone) so Windows can decide whether the downloaded file is trusted.
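The Zone.Identifier stream above, as an added example (not from the flashcards): a decoder for its INI-style contents that maps the ZoneId to its URL security zone name and pulls out the referrer and download URLs newer browsers add. The stream text it parses is constructed; the reader function relies on NTFS's path:streamname syntax, which only works on Windows.

```python
# Added example (not from the flashcards): decode a Zone.Identifier stream.
# The stream text below is constructed; the reader function assumes NTFS's
# "path:streamname" syntax, which only works on Windows.
import os

URL_ZONES = {
    0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
    3: "Internet", 4: "Restricted sites",
}


def parse_zone_identifier(text):
    """Parse the INI-style body. Returns {} when there is no usable [ZoneTransfer] section."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if not fields.get("ZoneId", "").isdigit():
        return {}
    zone = int(fields["ZoneId"])
    return {
        "zone_id": zone,
        "zone_name": URL_ZONES.get(zone, "unknown"),
        "referrer_url": fields.get("ReferrerUrl"),   # page the download was started from
        "host_url": fields.get("HostUrl"),           # actual download URL (newer browsers)
    }


def read_zone_identifier(path):
    """Windows only: open the stream by name. None means the file has no Mark of the Web."""
    if os.name != "nt":
        raise OSError("alternate data streams exist only on NTFS under Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


# Constructed stream body, in the form browsers write it (CRLF line endings).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/downloads/\r\n"
    "HostUrl=https://cdn.example.com/files/tool.exe\r\n"
)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

On a live Windows system, dir /R lists every stream attached to a file, and PowerShell's Get-Content -Stream Zone.Identifier reads this one; the HostUrl field is what lets an examiner say where a suspicious download actually came from.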
Hard link:
An additional name (directory entry) for an existing file, i.e. several names that refer to one file and its single set of data. The data is freed only when the last name is deleted.
Registry hive:
A logical group of keys, subkeys and values in the registry, backed by a set of supporting files that hold its data and backups. Hives hang off the HKEY root keys (for example HKEY_LOCAL_MACHINE\SYSTEM, stored in the SYSTEM file under %SystemRoot%\System32\config); user profile hives (NTUSER.DAT) are loaded under HKEY_USERS.
ADS in Mac
Data fork and resource fork: a classic Mac (HFS/HFS+) file has two forks, the data fork holding the file's contents and the resource fork holding structured resources such as icons and metadata; the resource fork is the Mac counterpart of an NTFS alternate data stream.
Forensic soundness:
Any forensic method or technique of evidence collection that is verifiable and repeatable and that preserves the original evidence unchanged.
What are link files?
Windows shortcut (.lnk) files that point to an application or file; they are commonly found on a user's desktop and are also created automatically in the Recent folder when files are opened. Each link file has its own Created, Modified and Accessed dates from the file system, and inside the link file are Created, Modified and Accessed dates that belong to the target file.
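The two sets of timestamps above, as an added example (not from the flashcards): a parser for the fixed 76-byte ShellLinkHeader at the start of every .lnk file, whose three FILETIME fields are the target's created, accessed and written times, distinct from the shortcut file's own file-system dates. The field layout follows the MS-SHLLINK specification; the header it parses is constructed here, so the trailing structures a real shortcut carries (ID list, link info, strings) are not included.

```python
# Added example (not from the flashcards): parse the 76-byte ShellLinkHeader of a
# .lnk file and convert its FILETIME fields, which describe the TARGET file.
# Field layout follows the MS-SHLLINK specification; the header bytes are constructed.
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<I16sIIQQQIIIHHII")     # 76 bytes
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_ATTRIBUTE_DIRECTORY = 0x10
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation"}


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; zero means 'not recorded'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic to avoid float rounding."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_lnk_header(data):
    """Return the target's timestamps, size, attributes and which optional blocks follow."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a shell link header")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show_cmd, _hotkey, _r1, _r2, _r3) = HEADER.unpack_from(data)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    return {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,                  # low 32 bits of the target's size
        "target_is_dir": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
    }


def build_lnk_header(ctime, atime, wtime, size, flags=0x03, attrs=0x20):
    """Constructed sample header (only the 76-byte header, no trailing structures)."""
    return HEADER.pack(HEADER_SIZE, LINK_CLSID, flags, attrs, ctime, atime, wtime,
                       size, 0, 1, 0, 0, 0, 0)


CREATED_2020_01_01 = 132223104000000000          # FILETIME for 2020-01-01 00:00:00 UTC
SAMPLE_LNK = build_lnk_header(
    CREATED_2020_01_01,
    datetime_to_filetime(datetime(2021, 6, 15, 12, 0, 0, tzinfo=timezone.utc)),
    datetime_to_filetime(datetime(2020, 3, 2, 8, 15, 30, tzinfo=timezone.utc)),
    1234,
)

if __name__ == "__main__":
    for k, v in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{k}: {v}")
```

To compare against the shortcut's own dates, read the .lnk with os.stat; a target_created far older than the shortcut's own creation date is the normal case (the shortcut was made for an existing file), while the reverse suggests the target was replaced after the shortcut was created.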
Backup volume boot record (where is it found?)
- NTFS: in the very last sector of the volume (sector index TotalSectors, as recorded in the boot sector's BPB at offset 0x28).
- FAT32: at sector 6 of the volume by default; the exact sector is given by the BPB_BkBootSec field at offset 0x32 of the primary boot sector. FAT12/16 have no backup boot sector.
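The two locations above, as an added example (not from the flashcards): a function that reads the primary boot sector's BPB and computes where the backup copy lives for NTFS and FAT32, plus the check an examiner runs to confirm the two copies match. The offsets are the documented NTFS and FAT BPB fields; both boot sectors it inspects are constructed here.

```python
# Added example (not from the flashcards): locate the backup boot sector from the
# primary boot sector's BPB fields for NTFS and FAT32. Boot sectors are constructed.
import struct

BOOT_SIGNATURE = b"\x55\xAA"


def backup_vbr_location(boot):
    """Return {'fs', 'sector', 'byte_offset'}; sector is relative to the volume start."""
    if len(boot) < 512 or boot[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 55 AA boot signature")
    bytes_per_sector = struct.unpack_from("<H", boot, 0x0B)[0]
    if boot[3:11] == b"NTFS    ":
        # NTFS BPB TotalSectors (0x28) excludes the final sector, which holds the $Boot copy,
        # so the backup sits at sector index TotalSectors: the very last sector of the volume.
        total_sectors = struct.unpack_from("<Q", boot, 0x28)[0]
        return {"fs": "NTFS", "sector": total_sectors,
                "byte_offset": total_sectors * bytes_per_sector}
    root_entries = struct.unpack_from("<H", boot, 0x11)[0]   # BPB_RootEntCnt
    fat_size_16 = struct.unpack_from("<H", boot, 0x16)[0]    # BPB_FATSz16
    if root_entries == 0 and fat_size_16 == 0:
        # FAT32 layout: BPB_BkBootSec (0x32) names the backup sector, 6 by default, 0 = none.
        bk = struct.unpack_from("<H", boot, 0x32)[0]
        return {"fs": "FAT32", "sector": bk or None,
                "byte_offset": bk * bytes_per_sector if bk else None}
    return {"fs": "FAT12/16", "sector": None, "byte_offset": None}  # no backup in that layout


def backup_matches_primary(primary, backup):
    """Forensic check: a healthy volume has byte-identical primary and backup boot sectors."""
    return primary[:512] == backup[:512]


def _constructed_ntfs_boot(total_sectors, bytes_per_sector=512):
    boot = bytearray(512)
    boot[0:3] = b"\xEB\x52\x90"
    boot[3:11] = b"NTFS    "
    struct.pack_into("<H", boot, 0x0B, bytes_per_sector)
    struct.pack_into("<Q", boot, 0x28, total_sectors)
    boot[510:512] = BOOT_SIGNATURE
    return bytes(boot)


def _constructed_fat32_boot(bk_boot_sec=6, bytes_per_sector=512):
    boot = bytearray(512)
    boot[0:3] = b"\xEB\x58\x90"
    boot[3:11] = b"MSDOS5.0"
    struct.pack_into("<H", boot, 0x0B, bytes_per_sector)
    # 0x11 RootEntCnt and 0x16 FATSz16 stay zero: that is what marks a FAT32 BPB
    struct.pack_into("<H", boot, 0x32, bk_boot_sec)
    boot[0x52:0x5A] = b"FAT32   "
    boot[510:512] = BOOT_SIGNATURE
    return bytes(boot)


# A 100 MiB NTFS volume: 204800 sectors, so TotalSectors is recorded as 204799.
SAMPLE_NTFS_BOOT = _constructed_ntfs_boot(204799)
SAMPLE_FAT32_BOOT = _constructed_fat32_boot()

if __name__ == "__main__":
    print(backup_vbr_location(SAMPLE_NTFS_BOOT))
    print(backup_vbr_location(SAMPLE_FAT32_BOOT))
```

When the primary boot sector is damaged, seek to byte_offset within the volume, read 512 bytes, and that copy can be used to recover the BPB values (cluster size, $MFT location or FAT layout) the rest of the analysis depends on.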