Forensics

Question 1

EU evidence Gathering

Answer 1

Data integrity - Data must be valid & not corrupted

Audit Trail - like chain of command

Specialist Support- Utilize Specialists where required

Appropriate Training - get appropriate training

Legality - Evince collected and handled according to applicable laws.

Question 2

Scientific Working Group on Digital Evidence standard

Answer 2

1- Visual Inspection - Get type of evidence, condition..It’s done during seizure

2-Forensic Duplication - Duplicate Media before examination

3- Media Examination - Actual forensic testing of the application

4- Evidence return - Exhibits are returned to the appropriate location

Question 3

US Secret service Guideline

Answer 3

1-Secure scene and make it safe

2-Take immediate steps to preserve evidence If you reasonably believe that the computer is involved in the crime you are investigating,

3-Determine if you have Legal basis to seize a computer

4- Avoid accessing computer files. If the computer is off, leave it off.

5-If the computer is on, do not start searching through it. Follow guide to properly shut it down.

6-If reason that evidence is been destroying, remove power cord from the back of computer

7 - Take photo of the screen if computer is on. If off, take pictures

Question 4

Logs

Answer 4

1- Security log: most important log from a forensics point of view. It has both successful and unsuccessful login events.

2-Application Logs : Contains various events logs by applications or programs

3- System Logs : logs by windows system

4- Forwarded Events log : Store events from remote computers

5- Application and Services log ; Store events from single application or component rather than event that might have system wide impact.

Question 5

auditpol.exe.

Answer 5

wipe out log events on server.

Question 6

/var/log/faillog

Answer 6

contains failed user logins– important when tracking attempts to crack into system

Question 7

/var/log/mail.*

Answer 7

mail server log

Question 8

/var/log/user.log

Answer 8

user activity logs

Question 9

Diskdigger

Answer 9

can be used to recover deleted windows files.

Question 10

net sessions

Answer 10

list active sessions connected to the computer you run it on.

Question 11

openfiles

Answer 11

useful command for finding live attacks - list any shared files currently opened

Question 12

netstat

Answer 12

to detect ongoing attacks –lists all current network connections (inbound and outbound)

Question 13

Window registry

Answer 13

hierarchical Window database containing system and user information.

Question 14

HKEY_LOCAL_MACHINE_SYSTEM_ControlSet\Enum\USBSTOR

Answer 14

Lists USB devices that have been connected to the machine

Question 15

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Answer 15

Will indicate what user was logged onto the system when the USB what connected

Question 16

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkLis t\Profiles\

Answer 16

gives you a list of all the Wi-Fi networks to which this network interface has connected.

Question 17

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

Answer 17

show software that have been uninstalled

Question 18

Logical Acquisition

Answer 18

Logical imaging refers to copying the active file system from the device into another file.

Question 19

Physical Acquisition

Answer 19

A physical acquisition creates a physical bit-by-bit copy of the file system, similar to the way a hard drive would be forensically imaged.

Question 20

Subscriber Identity Module (SIM)

Answer 20

The SIM is how you identify a phone.The SIM stores the International Mobile Subscriber Identity.SIM will also usually have network information, services the user has access to, and two passwords.

Question 21

Two passwords on SIM

Answer 21

PIN -Personal Identification Number

PUK - Personal Unblocking Code

Question 22

FTK

Answer 22

Analyze window registry and crack password

Question 23

Computer Hacking Forensic Investigator.

Answer 23

Test general forensics knowledge .