Midterm Flashcards

1
Q

confidentiality

A

Ensuring that only those who are authorized have access to specific assets and that those who are unauthorized are actively prevented from obtaining access

2
Q

Integrity

A

Ensuring that data have not been tampered with and, therefore, can be trusted. It is correct, authentic, and reliable

3
Q

Availability

A

Ensuring that authorized users have timely, reliable access to resources when they are needed - networks, systems, and applications are up and running

4
Q

Cyber Hygiene

A

Patch your systems regularly

5
Q

Non repudiation

A

Only install signed software updates

6
Q

Data Integrity

A

Source code changes virtually undetectable

7
Q

5 pillars of cybersecurity

A
  1. governance
  2. secure systems engineering
  3. tools development
  4. OCO/DCO
  5. Test and Eval
8
Q

what is governance

A
policy
regulations/compliance
standards (NIST, IEEE)
norms/conventions
audits
procedures
leadership 
oversight
best practices
9
Q

2 roles of CISO

A

King/Queen of NO

Empowered CISO

10
Q

king/queen of NO

A

success = compliance
automatic response is NO
primary focus is preventing liability in the event of a breach
wraps self in a blanket of policy documentation

11
Q

Empowered CISO

A

Leans in to address risk
collaborates with the team to seek solutions
primary focus is enabling the business/mission

12
Q

governance best practice:

least privilege

A

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function

13
Q

governance best practice:

2 person integrity

A

Requirement for multiple people to authenticate in order to perform certain administrative tasks

14
Q

governance best practice:

network separation

A

Separation of network into separate mini-networks/segments with distinct security boundaries and protection profiles to limit ability to “pivot” from entry point

15
Q

governance best practice:

enclave

A

A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.

16
Q

Discussion: Where in the waterfall does cybersecurity usually enter in the system?

A

Usually in realization: solution validation right before delivery

17
Q

Discussion: Where SHOULD cybersecurity enter the system?

A

Operational need (before requirements)

18
Q

Systems security engineering

A

Specialty engineering discipline of systems engineering
Applies scientific, mathematical, engineering, and measurement principles, concepts, and methods to coordinate, orchestrate, and direct the activities of various security engineering and other contributing engineering specialties

19
Q

offensive cyber operations (OCO)

A

Cyberspace operations intended to project power by the application of force in or through cyberspace.

20
Q

Defensive Cyber Operations (DCO)

A

Passive and active cyberspace operations intended to preserve the ability to utilize friendly cyberspace capabilities and protect data, networks, net-centric capabilities, and other designated systems

21
Q

Continuity of Operations Plan (CooP):

A

A predetermined set of instructions or procedures that describe how an organization’s mission-essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations.

22
Q

1-10-60 Challenge

A

Combating sophisticated adversaries requires a mature process that can prevent, detect and respond to threats with speed and agility.
To effectively combat sophisticated cyberthreats:
Detect intrusions in under one minute.
Investigate and understand threats in under 10 minutes.
Contain and eliminate the adversary from the environment in under 60 minutes.

23
Q

Advanced Persistent Threat

A

Advanced Persistent Threat (APT) attack uses continuous, clandestine, and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences.

24
Q

Modeling the APT Attack

A
Five Stages of an Evolving APT Attack
Gain Access
Establish a Foothold
Deepen Access
Move Laterally
Look, Learn, and Remain
25
APT: Gain Access
Like a burglar forcing open a door with a crowbar, cybercriminals usually gain entry through a network, an infected file, junk email, or an app vulnerability to insert malware into a target network
26
APT: Establish Foothold
Cybercriminals implant malware that allows the creation of a network of backdoors and tunnels used to move around in systems undetected. The malware often employs techniques like rewriting code to help hackers cover their tracks.
27
APT: Deepen Access
Once inside, hackers use techniques such as password cracking to gain access to administrator rights so they can control more of the system and get even greater levels of access.
28
APT: Move Laterally
Deeper inside the system with administrator rights, hackers can move around at will. They can also attempt to access other servers and other secure parts of the network.
29
APT: Look, Learn, and Remain
From inside the system, hackers understand how it works and its vulnerabilities, and harvest the information they want at will. Hackers keep this process running indefinitely or withdraw once they accomplish a specific goal. They often leave a back door open to access the system again in the future.
30
APT Attackers are Ninjas, not Tanks
Dwell Time: The time an attack goes undetected (i.e., the delta between intrusion and detection) around 90 min
31
Test & Evaluation: 3 types of testing
Test types:
  1. Functional Testing
  2. Performance/Load Testing
  3. Penetration Testing
32
Functional Testing:
Test cases performed to confirm the system operates as it was designed/specified and meets all functional requirements – Availability and Integrity
33
Performance/Load Testing:
Test cases performed to confirm the system operates as it was designed/specified and meets performance requirements under a real or simulated load - Availability
34
Penetration Testing
Test cases performed to simulate intrusion by an intentional or unintentional cyber threat actor – Confidentiality and Availability (perhaps some Integrity)
35
Incident Response
  1. Preparation
  2. Detection
  3. Analysis
  4. Containment
  5. Eradication/Recovery
  6. Post-incident activity
36
Mitre Defend vs Incident response (how does incident response fit into mitre defend)
Harden -> Preparation
Detect -> Detection and Analysis
Isolate -> Analysis and Containment
Deceive -> Containment
Evict -> Eradicate and Recover
All Defend strategy -> Post-incident activity
37
Incident Response step 1. Preparation
Without good preparation, any subsequent incident response is going to be disorganized and has the potential to make the incident worse.
- Create an incident response plan
- Train the team
- Acquire tools (alerting systems, workflow apps, SIEM, ad hoc/automated reports) and make them available to the team
- Prep the environment for defense (hardening) and alerting
Tourist to busker: How do you get to Carnegie Hall? Busker: Practice, man. Practice.
38
Detection
Process where the organization first becomes aware of a set of events that possibly indicates malicious activity. Depending on its size, an org may receive >100 million events per day.
- Human analysts are inundated with data
- Filter indicators of compromise (signals of interest) from records of legitimate actions (noise)
- Security Incident and Event Management (SIEM) tools lose effectiveness if heuristics are not updated to identify potential incidents
- AI/ML tools (e.g., Vectra.ai, Cylance, Darktrace, ExtraHop) are better than humans at detecting some incidents, but take time to learn what “normal” behavior is
39
Detection sources can include
- Activity logs: A security analyst may receive an alert that a specific administrator account was in use during the time the administrator was on vacation.
- External sources: An ISP or law enforcement agency may detect malicious activity originating in an organization's network and contact them to advise them of the situation.
- Internal users: An employee contacting the help desk and informing the agent that services are no longer available, or that files are suddenly encrypted
40
Analysis
- Personnel begin the task of collecting evidence from systems such as running memory, log files, network connections, and running software processes. Depending on the incident, this can take a few hours or several days
- Once the evidence is collected, the data are examined
- Analysts attempt to ascertain what happened, what it affected, whether any other systems were involved, and whether any confidential data was removed/altered/destroyed
- Determine the root cause of the incident and reconstruct the actions of the threat actor from initial compromise to detection
41
Containment
Organizations take measures to limit the ability of threat actors to continue compromising other network resources, communicating with command and control infrastructure, or exfiltrating confidential data
- Alter system configuration: lock down ports and IP addresses on a firewall, apply security updates, even remove the network cable from the back of an infected machine
- Have several options available to allow for flexibility in response
- Stop the bleeding at the source if you can
- Respond as quickly as possible to limit the damage done
42
Eradication and recovery
Organization removes the threat actor from the impacted network
- Organization may run an enhanced anti-malware solution
- Infected machines may be wiped/reimaged or a fresh OS installed
- Remove or change compromised user accounts; ensure no new user accounts were created by threat actors
- Apply security patches
- Restore to last known good backup
- Comprehensive vulnerability scan
- Steps align with business continuity / disaster recovery
43
Post-incident activity
- Complete review of the incident with all the principal stakeholders
- Review of all the actions taken during the incident
- Retrospective: What worked, and more importantly, what did not work; lessons learned
- Written report: detailed and clear, focus on root cause and cause-effect relationships
- Avoid jargon (or explain terms)
- Vet language with contracts/legal to ensure compliance with regulatory and statutory requirements
44
What is the value of a thorough incident response process
- CY6: cover for legal liability
- Minimize risk of future breaches
- Understand the risk
- Build the “right” culture – problem solving vice blame, be aware of our surroundings
45
Incident response coordinator:
Individual often has overall responsibility for the security of the organization's information; responsible for management of the CSIRT prior to, during, and after an incident
- Chief Security Officer (CSO)
- Chief Information Security Officer (CISO)
- Information Security Officer (ISO)
46
CSIRT senior analyst(s):
- Personnel with extensive training and experience in incident response, digital forensics, and network data examination
- Often take part in training junior personnel
- Engage with other CSIRT members to acquire and analyze evidence, direct containment activities, and assist other personnel with remediation
47
CSIRT analyst(s):
- Personnel with CSIRT responsibilities that have less exposure or experience in incident response activities
- Take part in reviews and updates to the incident response plan
- Gather evidence from potentially compromised hosts, network devices, or log files
- Take part in analysis of evidence and assist the team in remediation activities
- Data scientists, network admins who want to roll into cybersecurity
48
Security operations center analyst:
Analysts assigned to the 24/7 Security Operations Center (SOC) monitoring capability; serve as the point person when it comes to incident detection and alerting
- In-house SOC
- Outsourced: on-premises contractors, remote monitoring, SOCaaS
49
IT security engineer(s) / analyst(s):
- Personnel tasked with deployment, maintenance, and monitoring of security software or hardware
- Preparation component of the incident response process
- Ensure security applications (e.g., antivirus) and devices (e.g., firewalls, SIEM) are properly configured to alert on possible incidents, and that devices properly log events to support post hoc analysis / reconstruction
50
Tech support personnel
May not be formal members of the CSIRT, but have expertise or access to systems / processes that may be affected by an incident
- Network/Server Administrators
- Application Support
- Desktop Support
- Help Desk
51
Why is alert tuning critical
Untuned alerts cause alert fatigue: thousands of alerts emanating from security tools across the enterprise - it’s easy to become overwhelmed and miss important threats
52
Component configuration
Mismatching control to threat: time and resources are devoted to implementing security controls that are irrelevant to the threats the organization is trying to mitigate
53
Mismatching Control to Threat (examples):
- Using firewalls to prevent data theft from applications that are allowed to operate through the firewall
- Using standard antivirus tools to protect against zero-day attacks, APT
- Using controls at the operating-system level to detect application-layer attacks
- Using ingress-only firewall rules to protect against data exfiltration
54
Organizational support personnel
Assist with a variety of non-technical issues that fall outside those addressed by the CSIRT core and technical support personnel
- Legal
- Human Resources
- Marketing / Communications
- Facilities
- Corporate Security
55
What is an Incident Response Playbook
A well-documented IR Playbook contains clear steps/roles and responsibilities:
  1. Preparation
  2. Detection
  3. Analysis
  4. Containment
  5. Eradication
  6. Recovery
  7. Post-incident Activity
56
Purpose of the playbook
You must test your IR Plan/Procedures:
- Validate steps
- Lessons learned
- Build muscle memory
Test approaches:
- Cyber Table Top
- Pen Test events
- Process Review/Audit
57
Managing Cyber Incidents
CSIRT is like the organization’s 911 Force:
- Engagement procedures are important
- Multiple models for CSIRT engagement exist
58
Common model for dedicated SOC
Incident -> SOC / Tier 1 analyst -> SOC manager -> incident escalation -> CSIRT manager -> Tier 2 IR analyst and Tier 3 IR analyst
59
SOC escalation concerns/drawbacks/risks
- Several individuals handle an incident before the CSIRT is engaged
- If incident escalation is not properly documented, the CSIRT manager would have to engage the SOC manager for clarification or additional information, increasing the time to address the incident
- SOC personnel require training to determine which observed events constitute an incident and which may be false positives
- CSIRT may suffer from burnout and become weary of the SOC chasing up false incidents
- Communication between the SOC and the CSIRT needs to be clear and concise to avoid confusion
60
SOC and CSIRT combined
Incident -> SOC analyst / Tier 1 analyst -> incident escalation -> Tier 2 analyst and Tier 3 analyst
All managed by the CSIRT manager
61
SOC and CSIRT Combined in other words
SOC analyst serves as the first tier and escalates directly to CSIRT analyst
62
SOC and CSIRT combined | Strengths and benefits
- CSIRT has greater visibility into what the SOC is seeing and doing
- Allows the CSIRT manager and team to craft more efficient policies and procedures related to incidents
- Incident escalation is faster and more precise
- Reduced back-and-forth for clarification
63
SOC and CSIRT combined | Concerns/Drawbacks/Risks
- Not realistic for organizations making use of a network operations center or a helpdesk and without a dedicated SOC
- Additional CSIRT managers may be required in order to address the day-to-day workload of both the SOC and the CSIRT
64
CSIRT Fusion Center
CSIRT analysts, SOC analysts, and threat intelligence analysts are teamed up together, within a single team structure
65
CSIRT Fusion Center | Strengths/Benefits:
- Model allows the CSIRT to make use of threat intelligence without having to create new processes
- Likely to see this model at SOCaaS organizations
66
CSIRT Fusion Center | Concerns/Drawbacks/Risks:
- CSIRT fusion center is not widely deployed
- Threat intelligence integration is relatively new
- Resource-intensive
67
5 steps of investigating incidents
  1. Identify scope: What data was affected? Which systems?
  2. Identify impact: Based on the CIA triad
  3. Identify root cause: How did this happen? What were the indicators of compromise?
  4. Identify the sequence of events leading to the incident
  5. Incident attribution: CSIRT or investigative body attempts to determine which organization was behind the attack. Nation-state actors? Criminals? Hacktivists?
68
4 types of Incident Containment
- Physical containment: The physical connection to the network is removed from the system. Best for limited-scope incidents.
- Network containment: Network administrator(s) modify switch configurations to limit the traffic on a subnet to other portions of the network. May require modification of configurations on individual switches.
- Perimeter containment: CSIRT contains network traffic at the perimeter firewall.
- Virtual containment: Contain the incident via software-defined infrastructure: Software Defined Networking, Infrastructure as Code, serverless cloud architectures
69
Eradication Strategies
- Network segmentation: Subdivide the network into Virtual LAN (VLAN) segments
- Reimage affected machines: Restore to last known good configuration prior to the incident
  1. Test new image: ideally in an air-gapped test environment
  2. Promote test image to Staging (sneakernet)
  3. Retest in Staging environment
  4. Promote to Production
70
5 steps of incident recovery
  1. Cyber hygiene check: Ensure that all systems (i.e., not only those that have been through the eradication phase) are properly patched with the most up-to-date patches
  2. Update alert profile: CSIRT coordinates with IT, SOC, NOC personnel to refine additional detection and prevention alerts
  3. Change review: Review changes made in response to the incident and determine if emergency changes need to be made permanent or backed out of Production
  4. Vulnerability scan: Scan all assets in the environment; remediate issues
  5. After Action Report: Document events of the incident, IoCs; identify recommendations / lessons learned
71
Fundamentals of Digital Forensics
Some applicable U.S. legal considerations:
- Title 18, U.S. Code (Fraud and related activity): addresses the use of a computer to commit fraud
- Computer Fraud and Abuse Act (CFAA): Makes denial of service (DoS) attacks illegal
- Electronic Communications Privacy Act (ECPA): Amendment to the Federal Wiretap Statute; makes illegal the unauthorized interception of communications through electronic means, such as telecommunications and the internet
- Communications Assistance for Law Enforcement Act (CALEA): Forces ISPs to make networks available to law enforcement agencies for lawfully authorized surveillance
- Economic Espionage Act of 1996 (EEA): Makes economic espionage and the theft of trade secrets a crime
- Riley v. California (2014): U.S. Supreme Court ruling that the warrantless search and seizure of digital contents of a cell phone during an arrest is unconstitutional
- Carpenter v. United States (2017): Law enforcement can seize cell phone records with a valid warrant
72
6 Rules of Evidence
- Test for relevant evidence: Evidence should be relevant to the proceedings and should prove or disprove a facet of the case
- Attorney-client privilege and work product: Digital forensics reports are often written concerning actions taken and information obtained. Incident responders may be working directly for attorneys on behalf of their clients. As a result, reports prepared in conjunction with an incident may fall under attorney work product rules.
- Testimony by expert witnesses: A CSIRT/SOC analyst may be allowed to testify as an expert witness
- Evidence that is self-authenticating: Requires that a qualified person presents the evidence and that the evidence being presented has been collected according to best practices. Allows the verification of digital evidence integrity through hashing.
- Best evidence rule: In civil or criminal proceedings, the original writings, recordings, or photographs need to be offered up as evidence, unless a reasonable exception can be made. Courts have held that a forensically sound image of a hard drive/flash storage is a reasonable substitute for the actual drive.
- Admissibility of duplicates: Allows for such an image to be admitted into court. The analyst who performed that action will most likely have to testify to having performed the action correctly
73
Digital forensics framework
  1. Identification
  2. Preservation
  3. Collection
  4. Examination
  5. Analysis
  6. Presentation
74
Digital forensics framework. identification
Examples of trace evidence in the digital world:
- Cookies
- Firewall records
- Event logs (success/failure)
- IP packet captures
- Proxy logs
75
Digital forensics framework. preservation
Important to safeguard evidence from any type of modification or deletion
- Secure backups of all systems
- Enable controls that protect log files from removal or modification
- Isolate the system from the rest of the network (physical or logical controls, network access controls, perimeter controls)
- Make sure users are not able to access a suspect system
- Virtual machines/IaC/SDx: Take a snapshot/backup of the affected virtual systems and store it in nonvolatile memory
76
Digital forensics framework. collection
Collect volatile data to a non-volatile medium, such as an external hard drive
Internet Engineering Task Force (IETF) order of volatility of digital evidence:
  1. Registers and cache
  2. Routing table, ARP cache, process table, kernel statistics, memory (RAM)
  3. Temporary filesystems
  4. Disk
  5. Remote logging and monitoring data
  6. Physical configuration, network topology
  7. Archival media
77
Digital forensics framework. examination
Specific tools and forensic techniques that are used to discover and extract data from the evidence that is seized as part of an incident
- Memory images
- Desktop images
- Log file analysis
- Network captures
Perform the examination on a copy of the backup (vice the sole backup) – examination of data could result in contamination of evidence!
78
Digital forensics framework. analysis
- Analyze the data in light of any other relevant data obtained
- Example: A compromised host has an open connection to an external IP address; the analyst would then correlate that information with an analysis of a packet capture taken from the network
- Using the IP address as a starting point, the analyst would be able to isolate traffic
- Eventually find that the compromised host is sending out a beacon to a C2 server
- FireEye investigation led to identification of the SolarWinds incident
79
Digital forensics framework. presentation
- Reporting of facts related to digital forensics needs to be clear, concise, and unbiased
- Detailed written report that addresses every action and captures the critical data required
- Report should be thorough, accurate, and without opinion or bias
- Testifying in court may be required
- Testimony may include opinions/conclusions based on the experience of the analyst
80
What tools would you need for your Digital Forensics lab? | Hardware
- Disk imager/duplicator
- Network scanner
- PC/Linux machine with MANY I/O ports, hard drives
- Specialty products
81
Hardware digital forensics examples: Tableau HDD Duplicator, ATRIO, FRED
Tableau HDD Duplicator:
- Image SATA, USB 3.0, and IDE drives
- Disk-to-file (image) duplication
- Format/wipe
- Hash (MD5 or SHA-1)
- Blank disk check
ATRIO:
- All-in-one hardware/software solution
- Devices and HDDs
- Patented parallel processing capability
- Customizable AI-based object detection
- Rugged, durable casing
- NIST-accredited
FRED:
- Image multiple drives simultaneously or sequentially
- User-selectable RO or RW via LCD
- Integrated high-availability heat sink, power
- Multiple RAID controller options
- RAM/CPU optimized for forensics software tools
82
Hardware digital forensics pros:
  1. Performance tuned for specialty software
  2. Designed by HW engineers who specialize in performance
  3. Designed by forensics specialists
  4. May be more likely to be admissible in court
  5. Available tech support, warranty coverage
83
Hardware digital forensics cons:
  1. Expensive
  2. Staff needs to be trained to use it
  3. EOL issues
  4. Hardware supply chain questions
  5. Designed to the 80% of market needs; may not be customizable
84
software digital forensics examples:
- Network scanner/sniffer
- Data analysis
- Regedit analysis
- Deep packet inspection
- UEBA (User/Entity Behavior Analysis): heuristics-based AI/ML tools
85
software digital forensics examples: | autopsy
Open source software that automates key digital forensics tasks; open source modules extend functionality
- Timeline Analysis - Advanced graphical event viewing interface
- Hash Filtering - Flag known bad files and ignore known good
- Keyword Search - Find files that mention relevant terms
- Web Artifacts - Extract history, bookmarks, and cookies from Firefox, Chrome, and IE
- Data Carving - Recover deleted files from unallocated space
- Multimedia - Extract EXIF from pictures and watch videos
- Indicators of Compromise - Scan a computer using STIX
86
software digital forensics examples:The Sleuth Kit (TSK)
- Open source library and collection of command line tools that allow you to investigate disk images
- Analyze volume and file system data
- Library can be incorporated into larger digital forensics tools, and the command line tools can be used directly to find evidence
- Functions: volume and file system analysis
87
software digital forensics examples: encase
- Full-spectrum digital forensics application, performing the entire gamut of tasks in the examination of digital evidence, primarily from hard drives and other storage media
- Proprietary software from OpenText
- Reporting capability that allows examiners to output case data in an easy-to-digest format
- Widely deployed in government and law enforcement agencies
- Drawback is the cost associated with the application
88
software digital forensics examples: Forensic Toolkit (FTK)
- Full-service forensic application that is in wide use by government and law enforcement agencies
- Proprietary software from AccessData (competitor to OpenText)
- Specializes in dead-box forensics
- Unmatched speed through distributed processing engines
- Wizard-driven to ensure no data is missed
- State-of-the-art data visualization to highlight relationships and patterns
89
software digital forensics examples: X-Ways Forensics
- Similar forensics functionality to FTK and EnCase
- Lower-cost option (~$1300/year/seat)
- Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016*, 32 Bit/64 Bit, standard/PE/FE
- As a German product is potentially more trustworthy (NOTE: vendor’s claim, not mine or author’s)
- Portable: Runs off a USB stick on any Windows system
- NOTE: DOES NOT include imaging or investigative tools (sold separately)
90
software digital forensics examples: Volatility
- Forensics tool that looks at RAM and other volatile storage
- Free, open source software (FOSS)
- Windows, Mac, Linux options
- Annual contests to build plugins for the software!
91
software digital forensics examples: Registry Recon
- Forensics tool that focuses on the Windows Registry
- Parses Registry data so that Registries which have existed on a Windows system over time can be rebuilt
- Provides access to an enormous volume of Registry data which has been effectively deleted, whether that deletion occurred due to benign system activity, malfeasance by a user, or even re-imaging by IT personnel
- Subscription-based pricing: monthly, annual, 3 year, 5 year
92
software digital forensics examples: Cellebrite UFED
- Forensics tool for mobile devices
- Bypass pattern, password, or PIN locks and overcome encryption challenges quickly on popular Android and iOS devices
- Collect data from mobile phones, drones, SIM cards, SD cards, GPS devices, etc.
- Access to 40+ apps on Android devices
- Software or hardware/software packages available
93
digital forensics examples: SANS Investigate Forensic Toolkit (SIFT)
- Based on the Ubuntu 16.04 base OS
- Tools are included for imaging, memory analysis, timeline creation, and a host of other digital forensics tasks
- SIFT Workstation VM Appliance is an option!
- Runs on Microsoft Windows using Windows Subsystem for Linux
94
Collecting Network Evidence
NOTE: Capturing network traffic can be considered an invasion of privacy if there is no policy clearly stating that network monitoring takes place. Work with Legal to ensure all employees of the organization understand that their use of the information system will be monitored.
95
Collecting Network Evidence from:
- Switch: Allows multiple hosts to connect and intercommunicate
- Router: Allows organizations to connect multiple networks
- Firewall: Contains a wide variety of features such as intrusion detection and prevention, web filtering, data loss prevention, and detailed logs about allowed and denied traffic
- Network intrusion detection and prevention systems: Provide security personnel and incident responders with information concerning potential malicious activity on the network infrastructure
- Web proxy servers: Control how users interact with websites and other internet-based resources
- Domain controllers or authentication servers: Primary location for details on successful or unsuccessful logins, credential manipulation, or other credential uses
- DHCP server: Allows for the dynamic assignment of IP addresses to systems on the LAN
- Application servers: A wide range of applications from email to web applications is housed on network servers; can provide logs that are specific to the type of application
96
Network Diagram
A map of your computer network
Allows for the quick identification of potential evidence sources
97
Firewalls and Proxies
Ingress/egress points into the network from the internet
98
Firewalls and Proxies | Connection log
- Provides the source and destination IP addresses and protocols of connections
- Can help determine whether any internal systems may have contacted an adversary-controlled system or are possibly being controlled
- Provides insight into connections that were denied (adversaries use tools to attempt to connect to well-known ports that are commonly in use); successive denies across a range of ports are indicative of reconnaissance activity
99
Firewalls and Proxies | Remote access logs
- Firewalls often serve as the Virtual Private Network (VPN) concentrator for remote access
- Remote access logs will show which systems are connected and what time they connected
- May allow incident responders to correlate activities and determine whether a remote user was the source of the infection
100
Firewalls and Proxies | Web Proxy Server:
- Exploit packages (e.g., droppers, C2 calls, etc.) often use URLs to point to an outside (i.e., internet) resource
- Organizations that make use of web proxy servers for HTTP and HTTPS requests will have a record of any system on the internal network that reached out to an external site
- Incident responders can view the history of activity that has happened over weeks or even months; this is critical information for reconstructing the attack for an incident report
101
NetFlow
Allows network administrators to monitor traffic across the network; provides deep insights into the internal traffic of systems as they communicate with each other
102
East-West Traffic
lateral movement within a network segment
103
North-South Traffic
movement from one network segment to another
104
Packet Capture
Process of intercepting and logging network data as packets travel across a network
105
Network Tap
In-line connection that detects/inspects packets as they flow within a segment
106
tcpdump
Linux command-line tool to offload network flow history of a network node (e.g., switch, router, edge device) from memory to a file
107
WinDump
Windows application to enable tcpdump on Windows machines
108
WinPcap
Standard tool for packet capture on Windows systems. Drawback of WinPcap tools: they have to be installed on every Windows host to be used.
109
RawCap
An alternative to WinPcap with the same basic capability as WinPcap without the need to install it on the local system – can run via command line off a USB drive
110
Wireshark
GUI-based tool with a number of packet capture and analysis features. Available for multiple platforms. Can be run from a USB drive.
111
Collecting Network Evidence
- File Name: CSIRT should have a naming convention for different types of evidence files
- Description: A brief description of the file. There does not need to be too much detail unless it is a unique file that warrants more detail (e.g., suspicious file of unknown origin)
- Location: Usually IP address or other description of the host node of the file
- Date and Time: Record the date and time the file was transferred to the medium
- MD5 Hash: A one-way algorithm that is utilized to provide a digital fingerprint for a file
112
Collecting Host-based Evidence
Volatility is used to describe how data on a host system is maintained after changes such as log-offs or power shutdowns. Data that will be lost if the system is powered down is referred to as volatile data. Malware leaves a number of key pieces of evidence within the memory of a system and, if lost, can leave the incident response analyst with little or no room to investigate.
113
Options for acquiring evidence
- Local: Having access to the system under investigation is often a luxury, but when CSIRT members have direct access, they can capture more data
- Remote: Incident response analysts leverage tools and network connections to acquire evidence; can also be useful if incident response analysts cannot be onsite immediately
114
Live acquisition
Analyst acquires the evidence from a system that is currently powered on and running. Some of the techniques must be deployed on a live system (for example, capturing running memory). May be necessary in high-availability environments where a suspected system cannot be taken offline.
115
Offline acquisition/ Dead Box forensics
Often used by law enforcement agencies to preserve digital evidence on the hard drive. Technique requires that the system be powered down and the hard drive removed.
116
Offline acquisition/ Dead Box forensics Benefits
Sound approach for law enforcement to inspect evidence | Works well for systems that are no longer functional
117
Offline acquisition/ Dead Box forensics Cons
Requires specialized tools to acquire the hard drive evidence | Loss of any volatile memory | Time-consuming to acquire a suspect system's hard drive, image it, and process the image for investigation
118
Acquiring Volatile Memory
A great deal of evidence for a security incident is contained within the memory of a potentially compromised system; trace evidence is often found within the running memory of the system. Memory dumps may contain passwords to encrypted volumes (TrueCrypt, BitLocker, PGP Disk) and account login credentials for many webmail and social network services.
119
Acquiring Volatile Memory: Local acquisition
If you have direct access to the system, you can run tools from a USB device (or other removable media). Tools include FTK Imager, WinPmem, RAMCapturer. Make sure your USB drive has TWO partitions: one for tools, one for the data captured.
120
Acquiring Volatile Memory with WinPmem
- Default open source memory acquisition driver for Windows for a long time
- Captures raw memory from Linux, macOS, and Windows systems
- Open source
- Support for WinXP - Win 10, x86 + x64
- Three different independent methods to create a memory dump
121
Acquiring Volatile Memory with RAMCapturer
- Default open source memory acquisition driver for Windows for a long time
- Simple tool; small footprint
- Can be run from a USB
- Designed to work correctly even if an aggressive anti-debugging or anti-memory dumping system is running
122
Acquiring Volatile Memory with Remote acquisition
Local access may not be possible or feasible in a timely manner. Same tools, but you first access the system remotely (e.g., via Remote Desktop). Drawback: using remote tools may not be possible if the system had to be taken offline.
123
Virtual Machines
Virtual machines include multiple files to operate; virtual memory is often stored as a separate file. VMware stores volatile memory in a VMEM file and a snapshot of the VM in a VMSS file.
1. Access the host of the Virtual Machine (locally or remotely)
2. Pause the Virtual Machine
3. Transfer the VMEM and VMSS files to USB or a network storage location
124
Other Non-Volatile Evidence
- Registry Keys: Contains information, settings, options, and other values for programs and hardware installed on all versions of the Microsoft Windows operating system
- Event Logs: Record events taking place in the execution of a system in order to provide an audit trail that can be used to understand the activity of the system and to diagnose problems
- CyLR.exe is a useful tool (small footprint, runs from USB) to capture registry keys and log files
125
Forensic Imaging ≠ Copying files
Copying files provides analysts with the actual data associated with a file. Imaging allows the analyst to capture the entire drive, including:
- Slack space
- Unallocated space
- Possible access to deleted files
- Metadata on the volume, including file timestamps
126
Forensic Imaging ≠ Cloning
Cloning a drive creates a one-to-one copy of the drive, resulting in a fully functional/bootable drive
- Can be cumbersome for dead box forensic analysis
- Includes Master Boot Record
- Full Disk Encryption makes a clone difficult to analyze
Imaging copies all relevant files but is not intended to create a bootable/usable drive
- Easier for forensics tools to analyze
- Does not require the Master Boot Record
127
Physical vs. Logical Image
Logical image of a partitioned drive allows the analyst to copy only the suspected portion, not include Full Disk Encryption protections, and accelerate the process. Major drawback of a logical image: does not capture unallocated space on the physical drive or any data not part of the file system (e.g., deleted files, trace data).
128
Image Types/Formats
- Raw Image: Contains only the data from the imaged volume
- EnCase Evidence File: Includes additional useful data: metadata about the image (type, OS, timestamps) and a Cyclical Redundancy Check (CRC) to ensure file integrity of blocks copied. Preferred output for law enforcement and legal entities as it combines the ability to verify evidence integrity with software features such as compression
129
3 examples Imaging Tools
- FTK Imager: GUI-based FOSS application; allows for the forensically sound acquisition of logical and physical volumes, memory, and other protected files and outputs images in multiple formats; runs on removable media
- AFF4 Imager: CLI imager; capable of isolating files based on creation time and splitting volumes to reduce time to image
- dd: Linux command to clone whole drives or a partition
- Virtualization: Defining the entire OS environment in software as a virtual machine makes imaging a virtual image easier: pause the VM, create a copy of the VM and state files
130
Is my data gone?
- Delete: Hide a file from the OS, making it no longer visible; OS ONLY overwrites the data when you require that disk space for other files
- Wipe/Erase: Permanently remove all data from a drive/partition by removing all files on the drive, then overwriting with a random pattern of 1s and 0s
- Shred: Applying the wipe/erase function to a single file
- Quick Format: Basically a delete of a drive or partition
- Full Format: Wipe/Erase of a drive/partition (Single Pass Overwrite)
131
Write Blockers
- Write Blockers: Tools to ensure that no changes are made to digital evidence while processing and examining it
- Software Write Blockers: Sit between the OS and the evidence; ensure that there is read-only access to the evidence file
- Hardware Write Blockers: Physical piece of hardware that sits between the evidence drive and the system performing the acquisition, and allows only one-way data transfer from the disk to the evidence analysis system (i.e., a data diode)
132
Dead Imaging
Used on media that is not energized (and often removed from the potentially compromised system). Most comprehensive imaging method for evidence collection; allows for the complete preservation and analysis of the physical volume. Usually involves the use of a hardware write blocker to preserve the evidence integrity of the compromised system.
133
Live Imaging
Used when the system must remain running due to criticality. Run imaging from a USB drive/stick. Allows the incident response analyst to image the drive without changing the operational system.
134
Remote Memory Acquisition
Preferred method for the acquisition of memory is through direct contact with the suspect system: adaptability in case the primary approach fails; faster (independent of network). Two primary tools discussed in the text:
- WinPmem: Open source, local installation, command line
- F-Response: Can run remotely; does not require installation on the target host
135
Switched Port Analyzer (SPAN) port
In this configuration, the switch closest to the compromised host will have port mirroring enabled. This then sends the traffic from the entire segment the switch is on to the system that is used for network traffic capture.
136
VMware Suspended State (VMSS)
The VMSS file contains the files that are saved as part of the suspended state of the virtual machine.
137
Virtual Memory (VMEM) file.
The VMEM file is the RAM or physical memory of the virtual machine.
138
Order of Volatility from most volatile
CPU, registers -> RAM -> Page File/Swap File -> Storage Drives