Lab Week essentials Flashcards
What are the two kinds of disk images and how are they different?
Logical images only contain the files visible to the file system. Physical images however retrieve all the bits on the disk, and can therefore be used to (wholly or partially) reconstruct deleted files. One major advantage with logical images is the opportunity to compress the data imaged.
What are the two main tasks of a first responder? What is the major concern the first responder has to deal with?
The first responder is tasked with acquiring data from volatile memory (if possible), and with performing disk imaging (a decision must be made whether a physical image is required or not). When collecting data the first responder must be careful to do so in a forensically sound manner to ensure evidence integrity.
How should a first responder go about collecting data?
It is crucial that the investigator adheres to standards and procedures. In addition, it is almost always recommended that the first responder uses some well-established tool when collecting data. There are two major reasons for this. Firstly, such tools are tried and tested, and will therefore manage to collect the data without tampering with it, thereby ensuring evidence integrity. Secondly, such tools provide valuable automatically generated signatures (hashes) and documentation of the actions performed on the data, which is critical for the chain of custody.
Examples of tools offering such capabilities are Redline and FTK Imager for disks, and SANS SIFT for imaging main memory.
What is a file system?
A file system is an abstraction used for storing data in distinct entities called files. The file system itself stores the content of the files along with metadata. File systems reside in what is known as a volume. A volume can exist on one or more disks. Examples of well-known file systems are NTFS in Windows and ext2 in Linux.
What is prefetch in Windows?
Prefetch is a technique used to cache files for frequently used applications. The prefetch folder has capacity for 128 entries. The applications cached in the prefetch folder are loaded into RAM upon boot to significantly reduce the time required to launch applications. Prefetch files provide much valuable information, for instance the last time the application ran, and how many times it has been executed.
What is stored in the $MFT?
The master file table stores most of the metadata for the NTFS file system. The file is structured into records containing metadata for files and directories. Each object on the system has at least one entry in $MFT.
There are several fields in an entry, with the first being the entry header which stores information such as the MFT record number, header sequence, whether the object is a file or dir, and its status (active or deleted).
The $STD_INFO attribute contains the MACE timestamps, which reveal when the entry was last modified, when it was last accessed, when the entry itself was modified, and when the entry was created. $STD_INFO also contains ID numbers for security and app usage, as well as flags.
In addition, every MFT entry has a $FILE_NAME attribute that stores the name of the object, the parent directory record number, the object size, and the MACE timestamps for the object itself.
Depending on the type of object, there are two additional attributes, $DATA for files and $INDEX for directories.
What is the Windows Registry?
The Registry is a database used in Windows for storing configurations in binary form, and can be used to store settings for the OS, applications and users. Investigators may find valuable evidence in the registry. For instance, under the root key HKEY_LOCAL_MACHINE exists the key autoruns. The values/files belonging to this key are launched on boot, meaning that any suspicious files found there (e.g., with a hash not matching a known good hash) have managed to obtain persistence on the system. This is a common way for attackers to make malware persist and always run.
What are the two variants of system analysis?
The inspection of file metadata considers artifacts such as file permissions, file or directory names, and timestamps. Any abnormalities here may indicate suspicious behaviour.
Examining file contents is another important method. Assessing artifacts such as hashes and checksums may indicate that the file has been tampered with. String searches are also frequently utilized to look for specific patterns (that are known to be bad).
How may the $MFT file be utilized to recover deleted files?
The $MFT file is the main source of information for deleted files. When a file is deleted, its $MFT entry is not, and may persist for a substantial period of time before being reclaimed. Therefore, all of the attributes found in the $MFT entry can be inspected. For instance, the ID of the parent directory and the file size will provide valuable clues as to where on disk the deleted file is located. Valuable information may also be found in the $DATA attribute.
What is the $DATA attribute?
The $DATA attribute is an attribute exclusive to file entries in $MFT. The attribute has two fields, Resident and Non-Resident. Small files are stored entirely in the Resident field. Larger files need more disk space and will therefore be put into clusters on disk; Non-Resident points to these addresses.
What is the $INDEX attribute?
This attribute is exclusive to directories and is similar to the $DATA attribute for files. $INDEX stores the filename, file size, and MACE timestamps for all files in the directory. The entries for deleted files may also persist if they are not overwritten by new entries.
What is primarily stored in the Windows Event Log?
The log files used for event logs primarily store security, system, and application data.
Security is mainly logon and logoff, process execution, user (changes, deletions, creations), and changes to security policy.
System information is chiefly information about the loading and unloading of hardware drivers into RAM (which tells us what hardware is being used), as well as network configuration changes.
Applications log error reports, software installation, anti-virus and host intrusion detection system alerts, and user events.
What kind of information is typically exclusive to main memory?
Hidden processes, loaded drivers, and hooking (a set of techniques used to alter OS behaviour, e.g., intercept keyboard input, or alter syscalls). Main memory may also hold crypto keys, unencrypted data, and command line arguments.
What is a DLL?
A DLL is a library file containing useful functions. DLLs can be utilized by applications and the OS. DLL files are essential for running most programs.
What is DLL load-order hijacking?
When a process is initiated, it is assigned space in main memory, and the OS fetches all the components the application relies on (including DLLs). When Windows attempts to fetch the necessary DLLs, it first looks at the values attached to the known DLLs key in the Windows Registry. If the required DLL is not a known DLL, Windows starts looking through the file system and will load the first matching DLL it finds. This mechanism can be exploited by making a custom DLL with additional functionality and placing it in the file system such that Windows finds the malicious DLL before the original.