Module 4 - More Network Traffic Analysis and Other Artifacts Flashcards
- Analyze a network packet capture
- Differentiate between noise in a packet capture and data of interest
- Identify artifacts associated with a virtual environment hosted locally on a Windows system
- Identify artifacts associated with a cloud-based VM
- Characterize the importance of the files associated with a VM
1
Q
Name 4 artifacts worth examining related to operation of a VM
A
Logs
Memory Files
Configuration Files
Images of the computer
2
Q
VMware Files - What Types (8)?
A
- Config Info (.vmx, .vmtm, and .vmxf)
- Virtual Disk (.vmdk, the text descriptor and/or the data extents)
- Log Info (.log, i.e. vmware.log and its rotated copies)
- BIOS/NVRAM state (.nvram)
- Suspended-state VM (.vmss, saved device and memory state)
- Snapshot state (.vmsn)
- Snapshot Metadata (.vmsd)
- Paging file or stored memory file (.vmem, the guest's RAM backing file)
3
Q
VMware Files - Name Important Files
A
.vmx - Configuration Information
.vmdk - Virtual Disk (descriptor plus data extents)
.log - Log Information
.vmem - Paging file or stored memory file (guest RAM)
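Cards 2 and 3 list the VMware files by extension but not how to read them. The added example below (my code, not from the course or from VMware) parses a .vmx configuration and a text .vmdk descriptor to list the files an examiner has to collect: the disks and NVRAM named in the .vmx, the generated MAC addresses (useful later when correlating the VM with traffic), and the extent files and size of the disk. The sample .vmx and .vmdk contents are constructed for the example; the hypothetical VM name `Win10-lab` and the helper names (`parse_vmx`, `parse_vmdk_descriptor`, `vmx_artifacts`, `vmdk_summary`) are mine.

```python
import re

# Constructed sample .vmx (key = "value" lines), as VMware Workstation writes it
SAMPLE_VMX = '''\
.encoding = "windows-1252"
config.version = "8"
virtualHW.version = "16"
displayName = "Win10-lab"
memsize = "4096"
nvram = "Win10-lab.nvram"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "Win10-lab.vmdk"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-raw"
sata0:1.fileName = "auto detect"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet0.virtualDev = "e1000e"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:3a:1b:2c"
uuid.bios = "56 4d 7a 11 22 33 44 55-66 77 88 99 aa bb cc dd"
'''

# Constructed sample .vmdk descriptor for a split (2 GB extent) sparse disk
SAMPLE_VMDK = '''\
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=a1b2c3d4
parentCID=ffffffff
createType="twoGbMaxExtentSparse"

# Extent description
RW 4192256 SPARSE "Win10-lab-s001.vmdk"
RW 4192256 SPARSE "Win10-lab-s002.vmdk"
RW 2048 SPARSE "Win10-lab-s003.vmdk"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "522"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
'''

VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
EXTENT_LINE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"(?:\s+(\d+))?')
SECTOR = 512


def parse_vmx(text):
    """Return the .vmx as a dict; lines not of the form key = "value" are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def parse_vmdk_descriptor(text):
    """Return (metadata dict, extent list) from a text .vmdk descriptor.
    The binary data extents (-sNNN.vmdk / -flat.vmdk) are only named here, not parsed."""
    meta, extents = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_LINE.match(line)
        if m:
            extents.append({"access": m.group(1), "sectors": int(m.group(2)),
                            "type": m.group(3), "file": m.group(4),
                            "offset": int(m.group(5) or 0)})
            continue
        if "=" in line:
            k, v = line.split("=", 1)
            meta[k.strip()] = v.strip().strip('"')
    return meta, extents


def vmx_artifacts(cfg):
    """Files and identifiers named in the .vmx that the examiner must collect."""
    disks = sorted(v for k, v in cfg.items()
                   if k.endswith(".fileName") and v.lower().endswith(".vmdk"))
    macs = {k.split(".")[0]: v for k, v in cfg.items()
            if k.endswith(".generatedAddress") or k.endswith(".address")}
    return {"name": cfg.get("displayName"), "disks": disks, "nvram": cfg.get("nvram"),
            "memsize_mb": int(cfg.get("memsize", "0")), "nic_macs": macs}


def vmdk_summary(meta, extents):
    """Disk size, extent files, and whether this descriptor is a snapshot delta
    (a parentCID other than ffffffff means the base disk is needed as well)."""
    return {"create_type": meta.get("createType"),
            "bytes": sum(e["sectors"] for e in extents) * SECTOR,
            "extent_files": [e["file"] for e in extents],
            "is_snapshot_delta": meta.get("parentCID", "ffffffff").lower() != "ffffffff"}


if __name__ == "__main__":
    print(vmx_artifacts(parse_vmx(SAMPLE_VMX)))
    print(vmdk_summary(*parse_vmdk_descriptor(SAMPLE_VMDK)))
```

The snapshot check matters in practice: a .vmdk whose descriptor has a `parentCID` is only a delta, so mounting it alone (card 4) gives an incomplete or unreadable disk; the base disk and every intermediate delta must be collected too. The `memsize` value tells you how large the matching .vmem should be.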
4
Q
Name 5 Tools to Mount (or Boot) a VMDK Disk Image
A
- Mount Image Pro
- EnCase
- VFC (Virtual Forensic Computing)
- LiveView
- FTK
5
Q
What is VDDK?
A
VMware's Virtual Disk Development Kit
- set of libraries and tools to create, access and manipulate VMDK files
- direct programmatic access to the virtual disk without booting the VM
6
Q
Indicators on a host system that a VM was installed, run, or deleted
A
- Prefetch files (execution of the hypervisor's own executables)
- Registry Keys (UserAssist, installation keys, configuration keys)
- Page File (remnants of VM process memory)
- Link (.lnk) files
- Virtual Machine NIC adapters (host-only/NAT virtual adapters left on the host)
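Two of the indicators in card 6, UserAssist and prefetch, can be checked mechanically. The added example below (my code, not course material) decodes UserAssist `Count` values, whose names are ROT13 and whose 72-byte data (Windows 7 and later) carries the run count at offset 4 and the last-run FILETIME at offset 60, and matches both them and prefetch file names against a short list of VMware Workstation/Player binaries. The registry values and prefetch listing are constructed for the example; the binary list `VMWARE_EXES` and the helper names (`parse_userassist_value`, `prefetch_exe`, `vm_execution_indicators`) are assumptions of mine.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# VMware Workstation/Player executables whose execution on the host points at
# VM use (list assumed for this example; extend it for other hypervisors)
VMWARE_EXES = {"vmware.exe", "vmware-vmx.exe", "vmplayer.exe", "vmware-tray.exe",
               "vmrun.exe", "vmnat.exe", "vmnetdhcp.exe"}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_userassist_value(name, data):
    """Decode one value from HKCU\\...\\Explorer\\UserAssist\\{GUID}\\Count.
    The value name is ROT13; in the 72-byte data the run count is a DWORD at
    offset 4 and the last-run FILETIME a QWORD at offset 60."""
    path = codecs.decode(name, "rot_13")
    run_count = struct.unpack_from("<I", data, 4)[0] if len(data) >= 8 else 0
    last_ft = struct.unpack_from("<Q", data, 60)[0] if len(data) >= 68 else 0
    return {"path": path, "exe": path.rsplit("\\", 1)[-1].lower(),
            "run_count": run_count,
            "last_run": filetime_to_datetime(last_ft) if last_ft else None}


def _entry(plain_path, run_count, last_run):
    """Build a constructed registry value (ROT13 name, 72-byte data) for the sample."""
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return codecs.encode(plain_path, "rot_13"), bytes(data)


# Constructed UserAssist sample; the GUID prefixes are the known-folder IDs
# UserAssist uses for Program Files and System32
SAMPLE_USERASSIST = [
    _entry("{6D809377-6AF0-444B-8957-A3773F02200E}\\VMware\\VMware Workstation\\vmware.exe",
           12, datetime(2024, 3, 2, 14, 5, tzinfo=timezone.utc)),
    _entry("{6D809377-6AF0-444B-8957-A3773F02200E}\\VMware\\VMware Workstation\\x64\\vmware-vmx.exe",
           40, datetime(2024, 3, 2, 14, 6, 30, tzinfo=timezone.utc)),
    _entry("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe",
           3, datetime(2024, 2, 28, 9, 0, tzinfo=timezone.utc)),
]

# Constructed C:\Windows\Prefetch listing (the hash suffixes are made up)
SAMPLE_PREFETCH = ["VMWARE-VMX.EXE-1A2B3C4D.pf", "NOTEPAD.EXE-AB12CD34.pf",
                   "VMWARE.EXE-0F2E3D4C.pf", "CHROME.EXE-5F6E7D8C.pf"]


def prefetch_exe(filename):
    """EXENAME-HASH.pf -> exename (lowercase); None for non-prefetch names."""
    if not filename.lower().endswith(".pf") or "-" not in filename:
        return None
    return filename.rsplit("-", 1)[0].lower()


def vm_execution_indicators(userassist_values, prefetch_names):
    """Return the UserAssist entries and prefetch files that point at VMware use,
    UserAssist hits ordered by run count so the most-used binary comes first."""
    ua = [parse_userassist_value(n, d) for n, d in userassist_values]
    ua_hits = sorted((e for e in ua if e["exe"] in VMWARE_EXES),
                     key=lambda e: e["run_count"], reverse=True)
    pf_hits = [f for f in prefetch_names if prefetch_exe(f) in VMWARE_EXES]
    return {"userassist": ua_hits, "prefetch": pf_hits}


if __name__ == "__main__":
    hits = vm_execution_indicators(SAMPLE_USERASSIST, SAMPLE_PREFETCH)
    for e in hits["userassist"]:
        print(e["run_count"], e["last_run"], e["path"])
    print(hits["prefetch"])
```

On a real system the value names and data come from the `Count` subkeys under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist` of each user's NTUSER.DAT, and the prefetch names from C:\Windows\Prefetch. A hit on vmware-vmx.exe (the per-VM worker process) is the stronger signal that a guest was actually powered on, not just that the hypervisor UI was opened.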
7
Q
Tools to look for VM artifacts on a system
A
Scoopy Doo and Jerry (by Tobias Klein, trapkit.de). Note that these detect whether the system being examined is itself running inside a VMware guest (Scoopy Doo from descriptor-table addresses, Jerry via the VMware I/O backdoor), not whether a hypervisor was used on a host.
8
Q
Artifacts found in the cloud regarding a VM
A
- Cloud management system audit logs (from the cloud management software itself, plus the OS logs of the system running that management software)
- Hypervisor logs (if they exist; may show migration of the virtual machine and/or backups and snapshots within the cloud)
- Virtual switch logs (associate an IP address with a virtual machine)