Introduction to Digital Forensics Flashcards
What is Digital Forensics?
A specialized branch of cybersecurity that involves the collection, preservation, analysis, & presentation of digital evidence to investigate cyber incidents, criminal activities, and security breaches. It applies forensic techniques to digital artifacts to uncover the truth behind cyber-related events.
What is the aim of digital forensics?
To reconstruct timelines, identify malicious activities, assess the impact of incidents, and provide evidence for legal or regulatory proceedings.
Where is electronic evidence collected from and what is collected?
Electronic evidence is collected from computers, mobile devices, servers, cloud services, and other digital sources. The evidence can include files, emails, logs, databases, network traffic, and more.
Preservation of Evidence
Ensuring the integrity and authenticity of digital evidence is crucial.
Stages in the Forensic Process
- Identification
- Collection
- Examination
- Analysis
- Presentation
Forensic Process: Identification
Determining potential sources of evidence
Forensic Process: Collection
Gathering data using forensically sound methods
Forensic Process: Examination
Analyzing the collected data for relevant information
Forensic Process: Analysis
Interpreting the data to draw conclusions about the incident
Forensic Process: Presentation
Presenting findings in a clear and comprehensible manner
Types of Cases
- Cybercrime investigations (hacking, fraud, data theft)
- Intellectual property theft
- Employee misconduct investigations
- Data breaches and incidents affecting organizations
- Litigation support in legal proceedings
Basic steps for performing a forensic investigation
- Create a Forensic Image
- Document the System’s State
- Identify and Preserve Evidence
- Analyze the Evidence
- Timeline Analysis
- Identify Indicators of Compromise (IOCs)
- Report and Documentation
New Technology File System (NTFS)
A proprietary file system developed by Microsoft
Predecessor of NTFS
File Allocation Table (FAT)
What File Metadata is stored in NTFS
Creation time, modification time, & attribute information
Master File Table (MFT)
A crucial component of NTFS that stores metadata for all files and directories on a volume. When files are deleted, their MFT entries are marked as available, but the data may remain on the disk until overwritten.
What do MFT Entries provide during examination?
Insights into file names, sizes, timestamps, and data storage locations
Unallocated Space on an NTFS volume
May contain remnants of deleted files or fragments of data
File slack
The unused portion of a cluster that may contain data from a previous file
File Signatures
Useful, along with file headers, in identifying file types.
Update Sequence Number (USN) Journal
A log maintained by NTFS to record changes made to files and directories
LNK Files
Windows shortcut files (LNK files) contain information about the target file or program, as well as timestamps and metadata
Prefetch Files
Generated by Windows to improve the startup performance of applications. Can indicate which programs have been run on the system & when they were last executed
Registry Hives
Contain important configuration and system information. Malicious activities or unauthorized changes can leave traces in the registry. Not directly related to the file system
Shellbags
Registry entries that store folder view settings. Can reveal user navigation patterns and potentially identify accessed folders
Thumbnail Cache
Stores miniature previews of images & documents. Can reveal files that were recently viewed, even if the original files have been deleted
Recycle Bin
Contains files that have been deleted from the file system
Alternate Data Streams (ADS)
Additional streams of data associated with files. Malicious actors may use ADS to hide data
Volume Shadow Copies
Snapshots of the file system at different points in time. Supported by NTFS
Security Descriptors and Access Control Lists (ACLs)
Determine file & folder permissions. Analyzing these artifacts helps in understanding user access rights and potential security breaches
Default File Path for Log Storage
C:\Windows\System32\winevt\logs
Windows execution artifacts
Traces & evidence left behind on a Windows OS when programs & processes are executed.
Windows Execution Artifact: Prefetch Files
Windows maintains a prefetch folder that contains metadata about the execution of various applications. Prefetch files can reveal a history of executed programs & the order in which they were run
C:\Windows\Prefetch
Windows Execution Artifact: Shimcache
Windows mechanism that logs information about program execution to assist with compatibility and performance optimizations. Can help identify recently executed programs & their associated files.
Registry:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Windows Execution Artifact: Amcache
A database introduced in Windows 8 that stores info about installed applications and executables. Can provide insights into program execution history & identify potentially suspicious or unauthorized software
C:\Windows\AppCompat\Programs\Amcache.hve (Binary Registry Hive)
Windows Execution Artifact: UserAssist
A registry key that maintains info about programs executed by users
Registry:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Windows Execution Artifact: RunMRU Lists
RunMRU (Most Recently Used) lists in the Windows Registry store info about recently executed programs from various locations. Can indicate which programs were run, when they were executed, & potentially reveal user activity
Registry:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Windows Execution Artifact: Jump Lists
Store info about recently accessed files, folders, & tasks associated with specific applications.
User-specific folders (e.g., %AppData%\Microsoft\Windows\Recent)
Windows Execution Artifact: Shortcut (LNK) Files
Can contain info about the target executable, file paths, timestamps, & user interactions
Various locations (e.g., Desktop, Start Menu)
Windows Execution Artifact: Recent Items
Folder that maintains a list of recently opened files
User-specific folders (e.g., %AppData%\Microsoft\Windows\Recent)
Windows Execution Artifact: Windows Event Logs
Record events related to program execution, application crashes, & more
C:\Windows\System32\winevt\Logs
Windows Persistence
The techniques & mechanisms used by attackers to ensure their unauthorized presence & control over a compromised system, allowing them to maintain access & control even after initial intrusion
Windows Registry
Acts as a crucial database, storing critical system settings for the Windows OS
What are some Autorun keys used for persistence?
- Run/RunOnce Keys
- Keys used by WinLogon Process
- Startup Keys
Scheduled Tasks (Schtasks)
- saved as an XML file; details the creator, the task’s timing/trigger, & the path to the command/program set to run
- C:\Windows\System32\Tasks
Services in Windows
Pivotal for maintaining processes on a system, enabling software components to operate in the background w/o user intervention
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Web Browser: Cookies
Small data files stored by websites on a user’s device, containing info such as session details, preferences, & authentication tokens
Web Browser: Cache
Cached copies of web pages, images, & other content visited by the user. Can reveal websites even if the history is cleared
Web Browser: Session Data
Info about active browsing sessions, tabs, & windows
Web Browser: Typed URLs
URLs entered directly into the address bar
Web Browser: Favicons
Small icons associated w/ websites, which can reveal visited sites
System Resource Usage Monitor (SRUM)
Meticulously tracks resource utilization and application usage patterns. Data is housed in database file sru.db in C:\Windows\System32\sru. Can help reconstruct application & resource usage over specific durations
SRUM: Application Profiling
Provides comprehensive view of applications & processes that have been executed on a Windows system. Crucial for understanding software landscape on a system, identifying potentially malicious or unauthorized applications, & reconstructing user activities
SRUM: Resource Consumption
Captures data on CPU time, network usage, & memory consumption for each application & process.
SRUM: Timeline Reconstruction
Can create timelines of application & process execution, resource usage, & system activities by analyzing SRUM data
SRUM: User & System Context
Includes user identifiers, helps attribute activities to specific users
SRUM: Malware Analysis & Detection
Used to identify unusual or unauthorized applications that may be indicative of malware or malicious activities