Forensics Flashcards

1
Q

What is another name for a forensic drive controller?

A

write blocker

2
Q

What tool in Linux can be used to create a forensic copy of a hard drive that will be used in an investigation?

A
  • dd
  • dd creates a bit-by-bit copy of the target drive, which is what a forensic image needs; forensic variants such as dcfldd and dc3dd add on-the-fly hashing and logging of the acquisition
3
Q

What are the 4 functions of a forensic disk controller?

A
  • write blocking
    • intercepts write commands sent to the device and prevents them from modifying data on the device
  • returning data requested by a read operation
  • returning access-significant information from the device
  • reporting errors from the device back to the forensic host
4
Q

What does forensics deal with?

A

the investigation, preservation, analysis, and presentation of digital evidence

5
Q

What is the goal of forensics?

A

establish the authenticity and integrity of the evidence, enabling it to be admissible in court, and ultimately, to assist in solving cyber crimes, intellectual property theft, fraud, and other digital-related offences

6
Q

What are the 4 types of forensics?

A
  1. Computer Forensics
  2. Network Forensics
  3. Memory Forensics
  4. Mobile Forensics
7
Q

What are the different security roles that deal with forensics?

A
  • Tier 1 SOC Analyst
  • Tier 2/3 SOC Analyst
  • Malware Analyst
  • Digital Forensics Analyst
  • Insider Threat Analyst
  • Threat Hunter
  • Incident Responder
8
Q

What is the role of a Tier 1 SOC Analyst in terms of forensics?

A
  • collect evidence that will be added to an investigation case
  • the evidence is then used as justification for taking defensive measures, such as blocking an IP, domain, or email sender
  • understand that these artefacts (IPs, emails, domains) are considered evidence for the investigation
9
Q

What is the role of a Tier 2/3 SOC Analyst in terms of forensics?

A
  • typically handle escalated/more critical investigations that require more technical expertise, or access to additional tools or sensors
  • related evidence is likely to be collected and handled under more strict conditions
10
Q

Is the process of malware analysis considered forensics?

A

yes

11
Q

What is the purpose of the KAPE (Kroll Artifact Parser and Extractor) tool and what is it used for?

A
  • automates the collection and parsing of forensic artefacts from a computer's file system and memory
  • can be run locally or deployed to remote systems to quickly gather key data
  • can retrieve artefacts relating to browser usage, program execution, the file system, event logs, and much more
12
Q

What is the purpose of the FTK Imager tool and what is it used for?

A
  • creates hard drive images and also memory images, which can then be analyzed in other programs
  • disk images can also be loaded into FTK Imager itself, allowing us to navigate the file system as if we were on the live device
13
Q

What is the purpose of the EnCase tool and what is it used for?

A

take forensic images of computers, mobile phones, and internet-of-things devices, which can then be analyzed to collect digital evidence

14
Q

What is the purpose of the Cellebrite tool and what is it used for?

A

suite of tools designed primarily for mobile forensics, which allows easy acquisition of data from a mobile device so it can be processed in other tools

15
Q

What are the forensic tools used for evidence collection?

A
  • KAPE
  • FTK Imager
  • EnCase
  • Cellebrite
16
Q

What is the purpose of the Autopsy tool and what is it used for?

A
  • helps investigators analyze and extract evidence from various data sources, such as hard drive images and mobile device extractions
  • works by ingesting a forensic image of the target storage media (or a mounted drive) and running ingest modules that quickly retrieve key information, such as recently used programs, deleted files, emails, and visited websites
17
Q

What is the purpose of the Volatility tool and what is it used for?

A
  • memory forensics framework that enables the analysis of memory dumps or memory images
  • the memory image is a snapshot of a computer's memory at the time of capture, which Volatility parses so users can search for valuable information (processes, network connections, loaded modules, injected code)
  • aids in understanding the computer's past activities and uncovering potential evidence of malicious actions
18
Q

What are the forensic tools used for evidence analysis?

A
  • Autopsy
  • Volatility
19
Q

What OSs are supported by Volatility?

A

Windows, Linux, and macOS
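Added example (not from this deck, and not Volatility's own code): the string-carving pass that memory analysis usually starts with, written in Python. It pulls printable runs out of a memory image in both ASCII and UTF-16LE, the encoding Windows uses for paths, command lines and registry data in memory, and records the offset of each hit so it can be tied back to a process or structure later. The memory image here is a constructed byte string, not a real dump, and the 198.51.100.0/24 address is a documentation range.

```python
import re

MIN_LEN = 6  # shorter printable runs are mostly noise in a real dump


def carve_strings(mem: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) for every printable run of at least
    `min_len` characters, found both as plain ASCII and as UTF-16LE.
    The two patterns cannot match the same bytes: the ASCII class excludes
    NUL, and the UTF-16LE pattern requires a NUL after every character."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(mem):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(mem):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)  # by offset, so hits read in memory order


def find_indicator(mem: bytes, needle: str):
    """Offsets of `needle` in both encodings. Searching only for the ASCII
    form misses most Windows artefacts, which live in memory as UTF-16LE."""
    hits = {}
    for enc, blob in (("ascii", needle.encode("ascii")),
                      ("utf-16le", needle.encode("utf-16-le"))):
        hits[enc] = [m.start() for m in re.finditer(re.escape(blob), mem)]
    return hits


# Constructed memory image: padding, an ASCII command line, a UTF-16LE path,
# a too-short run that must not be reported, and an ASCII URL.
SAMPLE_MEMORY = (
    b"\x00" * 37
    + b"cmd.exe /c whoami"
    + b"\x8f\x01\x00\xff"
    + "C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe".encode("utf-16-le")
    + b"\x00\x00"
    + b"ab"
    + b"\x00" * 5
    + b"http://198.51.100.23:8080/beacon"   # TEST-NET-2, documentation only
    + b"\xcc" * 16
)

if __name__ == "__main__":
    for offset, enc, text in carve_strings(SAMPLE_MEMORY):
        print(f"0x{offset:08x}  {enc:8s}  {text}")
    print(find_indicator(SAMPLE_MEMORY, "update.exe"))
```

Real tools go further by walking kernel structures rather than scanning blindly, but the offset-plus-encoding discipline shown here is what lets a raw string hit be correlated with a process, a handle, or an injected region.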

20
Q

What are the two common ways of hiding data?

A
  1. using a disk's slack space (the unused bytes between a file's logical end and the end of its last allocated cluster)
  2. using steganography
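The slack-space technique from this card, as an added example that is not part of the deck and not code from any of the tools it names. It simulates a cluster-based volume in Python (the ToyVolume class, the 4 KiB cluster size and the sample file are constructed for illustration) and shows why a payload hidden in slack is invisible to a normal file read and to a per-file hash, but is recovered when the slack bytes are carved from a full-bit image. Steganography is not shown.

```python
import hashlib

CLUSTER = 4096  # allocation unit; NTFS and FAT32 commonly use 4 KiB clusters


def clusters_for(size: int) -> int:
    """Clusters allocated for a file of `size` bytes (ceiling division, min 1)."""
    return max(1, -(-size // CLUSTER))


class ToyVolume:
    """Constructed stand-in for a cluster-based file system: a flat byte array
    cut into fixed-size clusters plus a directory mapping each file name to
    (first cluster, logical size). Real volumes add bitmaps and cluster
    chains, but the slack mechanics are the same."""

    def __init__(self, n_clusters: int):
        self.data = bytearray(n_clusters * CLUSTER)
        self.directory = {}
        self._next_free = 0

    def write_file(self, name: str, content: bytes) -> None:
        needed = clusters_for(len(content))
        if self._next_free + needed > len(self.data) // CLUSTER:
            raise OSError("volume full")
        start = self._next_free * CLUSTER
        self.data[start:start + len(content)] = content
        self.directory[name] = (self._next_free, len(content))
        self._next_free += needed

    def read_file(self, name: str) -> bytes:
        """What a normal application sees: exactly `logical size` bytes."""
        first, size = self.directory[name]
        start = first * CLUSTER
        return bytes(self.data[start:start + size])

    def slack_range(self, name: str):
        """Byte offsets [logical end, end of last allocated cluster)."""
        first, size = self.directory[name]
        logical_end = first * CLUSTER + size
        allocated_end = first * CLUSTER + clusters_for(size) * CLUSTER
        return logical_end, allocated_end


def hide_in_slack(vol: ToyVolume, name: str, secret: bytes) -> None:
    """Hiding side: place `secret` in the file's slack. The directory entry
    keeps the original size, so normal reads and per-file hashes never see it."""
    lo, hi = vol.slack_range(name)
    if len(secret) > hi - lo:
        raise ValueError(f"only {hi - lo} bytes of slack available for {name}")
    vol.data[lo:lo + len(secret)] = secret


def carve_slack(vol: ToyVolume, name: str) -> bytes:
    """Analyst side: read the slack bytes straight from the image, which is
    why acquisition must be bit-for-bit rather than a file-level copy."""
    lo, hi = vol.slack_range(name)
    return bytes(vol.data[lo:hi]).rstrip(b"\0")


def sha256(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


def run_demo():
    """Constructed scenario: a 975-byte report with a secret hidden in its slack."""
    vol = ToyVolume(n_clusters=4)
    report = b"Quarterly report: nothing to see here.\n" * 25  # 39 * 25 = 975 bytes
    vol.write_file("report.txt", report)
    file_hash_before = sha256(vol.read_file("report.txt"))
    volume_hash_before = sha256(vol.data)

    hide_in_slack(vol, "report.txt", b"exfil key: correct horse battery staple")

    return {
        "visible": vol.read_file("report.txt"),
        "file_hash_unchanged": sha256(vol.read_file("report.txt")) == file_hash_before,
        "volume_hash_unchanged": sha256(vol.data) == volume_hash_before,
        "carved": carve_slack(vol, "report.txt"),
        "slack_bytes": vol.slack_range("report.txt"),
    }


def overflow_is_rejected() -> bool:
    """A payload larger than the slack cannot be hidden without growing the file."""
    vol = ToyVolume(n_clusters=1)
    vol.write_file("a.bin", b"A" * 4000)          # leaves 96 bytes of slack
    try:
        hide_in_slack(vol, "a.bin", b"B" * 97)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value if not isinstance(value, bytes) else value[:40])
```

The two hashes in the result are the practical lesson: hashing files one by one reports nothing changed, while the hash of the whole volume image does, which is the same reason the original evidence is imaged bit-for-bit and hashed at the image level.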
21
Q

What basic information should be tracked to preserve the chain of custody?

A
  • Received From
  • Received By
  • Date
  • Time
22
Q

What should be done with the original disk image when doing forensics?

A
  • the original disk is hashed first, then a full-bit copy is taken, ensuring that absolutely everything (including unallocated and slack space) is included in the image
  • the new image file is then hashed; if it is an exact copy, the two hashes will match - the analyst then works only on the copy, because modifying the original evidence would make it inadmissible in court
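The acquisition procedure from cards 2, 21 and 22 carried through in Python, as an added example that is not part of the deck and is not dd itself: hash the original, take a sector-by-sector copy in which an unreadable sector is replaced by zeros (what dd's conv=noerror,sync does, so later offsets still line up), hash the copy, and write the chain-of-custody entry. The FlakyDevice class, the 2067-byte sample "disk" with a bad sector, and the names in the custody record are constructed for the demonstration.

```python
import datetime
import hashlib
import os
import tempfile

SECTOR = 512  # read in sector-sized blocks, like `dd bs=512`


class FlakyDevice:
    """Constructed stand-in for a raw block device: a byte buffer in which the
    listed sector numbers fail every read, the way a damaged disk would."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0

    def seek(self, pos: int) -> None:
        self.pos = pos

    def read(self, n: int) -> bytes:
        if self.pos < len(self.data) and self.pos // SECTOR in self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def read_sectors(dev, sector: int = SECTOR):
    """Yield (sector_number, bytes, ok). A sector that raises an I/O error is
    yielded as zeros with ok=False and a short final sector is zero-padded,
    which is dd's conv=noerror,sync behaviour."""
    dev.seek(0)
    n = 0
    while True:
        try:
            chunk, ok = dev.read(sector), True
        except OSError:
            chunk, ok = b"\0" * sector, False
            dev.seek((n + 1) * sector)  # skip past the bad sector
        if ok and not chunk:
            return
        if len(chunk) < sector:
            chunk = chunk.ljust(sector, b"\0")
        yield n, chunk, ok
        n += 1


def hash_device(dev):
    """SHA-256 of the original as dd would read it, plus the bad sector list."""
    h, errors = hashlib.sha256(), []
    for n, chunk, ok in read_sectors(dev):
        h.update(chunk)
        if not ok:
            errors.append(n)
    return h.hexdigest(), errors


def acquire(dev, image_path: str):
    """Bit-for-bit copy of `dev` to `image_path`; returns the bad sector list."""
    errors = []
    with open(image_path, "wb") as out:
        for n, chunk, ok in read_sectors(dev):
            out.write(chunk)
            if not ok:
                errors.append(n)
    return errors


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fp:
        for chunk in iter(lambda: fp.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_and_verify(dev, image_path: str, received_from: str, received_by: str):
    """The card's procedure: hash the original, take the full-bit copy, hash the
    copy independently, then record who handed what to whom and when."""
    original_hash, _ = hash_device(dev)
    bad_sectors = acquire(dev, image_path)
    image_hash = hash_file(image_path)
    now = datetime.datetime.now(datetime.timezone.utc)
    return {
        "received_from": received_from,
        "received_by": received_by,
        "date": now.strftime("%Y-%m-%d"),
        "time": now.strftime("%H:%M:%S UTC"),
        "item": os.path.basename(image_path),
        "sha256_original": original_hash,
        "sha256_image": image_hash,
        "verified": original_hash == image_hash,
        "unreadable_sectors": bad_sectors,
    }


def run_demo():
    """Constructed input: 4 full sectors plus a 19-byte partial fifth, with
    sector 2 unreadable. Returns (custody record, image bytes, original bytes)."""
    original = bytes(range(256)) * 8 + b"partial last sector"
    dev = FlakyDevice(original, bad_sectors={2})
    with tempfile.TemporaryDirectory() as tmp:
        image_path = os.path.join(tmp, "evidence01.dd")
        record = acquire_and_verify(dev, image_path, "J. Doe (custodian)", "Analyst A")
        with open(image_path, "rb") as fp:
            image = fp.read()
    return record, image, original


if __name__ == "__main__":
    rec, _, _ = run_demo()
    for k, v in rec.items():
        print(f"{k}: {v}")
```

The unreadable sector list belongs in the custody record alongside the hashes: a later re-acquisition of the same drive may succeed or fail on different sectors, and a hash mismatch caused by that is explainable only if the first attempt documented which sectors were zero-filled.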
23
Q

Who created many of the commonly used Windows forensics tools?

A

Eric Zimmerman

24
Q

What is the Redline tool?

A
  • incident response tool developed and freely distributed by FireEye
  • gathers forensic data from a system (processes, memory, file system metadata, event logs) and helps analyze the collected information
25
Q

What is the Velociraptor tool?

A
  • advanced endpoint-monitoring, forensics, and response platform
  • open-source and powerful