Operating System Forensics Flashcards

Question 1

Q

Windows O/S Forensics Methodology

Answer

A

Collecting Volatile Information
Collecting Non-Volatile Information
Windows Memory Analysis
Windows Registry Analysis
Cache, Cookie & History Analysis
Windows File Analysis
Metadata Investigation
Event Logs Analysis

Question 2

Q

What is the first volatile information you need to collect?

Answer

A

System time/date

Question 3

Q

The second piece of volatile information you collect is logged on users. What are the three tools you can use for this?

Answer

A

PSloggedon
LogonSessions -p
net session

Question 4

Q

What are the three ways you can check for open files?

Answer

A

net file
psfile
openfiles

Question 5

Q

What two commands can show you network information?

Answer

A

nbtstat -c

2. netstat -a | -r

Question 6

Q

What can show you the memory contents of processes?

Answer

A

a. tasklist /v
b. pslist -x
c. listdlls
d. handle

Question 7

Q

Process to port mapping

Answer

A

netstat -o

2. netstat -fport

Question 8

Q

Process Memory Tools

Answer

A

process explorer
pmdump
userdump

Question 9

Q

Network Status Tools

Answer

A

ipconfig
promqry
promisdetect

Question 10

Q

Print Spool Files

Answer

A

The temporary files can store print details such as owner, document, printer, printing processor - format, number of copies printed and the print method

Question 11

Q

Print Spool Files Support what two data types?

Answer

A

RAW - .SPL file consists of data to be printed EMF - .SPL file consists the metadata and can be printed on any printer

Question 12

Q

FSUTIL Object ID

Answer

A

Manages object identifiers, which are used by the Windows operating system to track objects such as files and directories. fsutil quota. Manages disk quotas on NTFS volumes to provide more precise control of network-based storage

Question 13

Q

FSUTIL Disable LAST ACCESS UPDATE on files:

Answer

A

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\Disablas tacess
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\
NTFSDisablelastacessupdate

Question 14

Q

Autoruns

Answer

A

a great tool for checking areas within the file system, such as scheduled tasks.

Question 15

Q

Microsoft Security IDs for users

Answer

A

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Question 16

Q

Event Logs-PSLogList

Answer

A

PsLogList allows to login to remote systems in situations when current set of security credentials would not permit access to the Event Log.

Question 17

Q

ESE Database

Answer

A

Windows 10 comes with Microsoft Edge as the default web browser. It uses the Extensible Storage Engine (ESE) database format to store browsing records, including history, cache, and cookies.

Question 18

Q

ESE Database Tables

Answer

A

categorized as FileCleanup, Folder, ReadingList, RowId, MSysObjids, MSysObjects, FolderStash, MSysLocales, and MSysObjectsShadow. These tables contain information of all the applications stored and accessed from the system. This information can act as evidence in case of criminal incidents.

Question 19

Q

ESE Database Path

Answer

A

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\Micr osoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.eb

Question 20

Q

Microsoft Edge cached Files

Answer

A

Edge cached files location:
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx
\AC#!001\MicrosoftEdge\Cache\

Question 21

Q

Edge last active browsing session data location:

Answer

A

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx
\AC\MicrosoftEdge\User\Default\Recovery\Active\

Question 22

Q

Edge stores history records, Cookies, HTTP POST request header packets and downloads in:

Answer

A

\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCac heV01.dat

Question 23

Q

If the last browsing session was opened in InPrivate mode then the browser stores these records in:

Answer

A

\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx
\AC\MicrosoftEdge\User\Default\Recovery\Active{browsing-session- ID}.dat

Question 24

Q

DevCon Tool

Answer

A

Device Console , is a command-line tool that displays detailed information about devices on computers running Windows operating system. DevCon can be used to enable, disable, install, configure, and remove devices. It also performs device management functions on local computers and remote computers.

Question 25

Q

What can you do with Slack Space?

Answer

A

Hide Data

Question 26

Q

Virtual Memory

Answer

A

Virtual (or logical) memory is a concept that, when implemented by a computer and its OS, allows programmers to use a large range of memory addresses for stored data.
Virtual memory can be scanned to find out the hidden running processes.
Use X-Ways Forensics tool to scan virtual memory.

Question 27

Q

What is X-Ways Forensic Tool Used for?

Answer

A

Use X-Ways Forensics tool to scan virtual memory.

Question 28

Q

What is the DRIVESPY Tool used for?

Answer

A

Finding Drive Slack Space

Question 29

Q

Swap Space

Answer

A

Linux operating system allocates a certain amount of storage space on a hard disk called Swap Space. OS uses as the virtual memory extension of a computer’s real memory (RAM).

Question 30

Q

Hibernate Files/aka sleep modes. What ar ethe two types of sleep modes

Answer

A

Sleep Mode

Hibernate mode

Question 31

Q

Hibernate Mode

Answer

A

completely writes the memory as a hiberfil.sys file in HDD. the hiberfil.sys file is a crucial source of evidence, as it consists of the crucial information of all programs, applications, files, and processes that were running on the RAM at a given time.

Question 32

Q

Where can you see if hibernate mode was enabled?

Answer

A

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power

Question 33

Q

Sleep Mode

Answer

A

keeps the system running in a low power state so that the user can quickly resume where he/she has paused working.

Question 34

Q

Where is the pagefile.sys file?

Answer

A

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Question 35

Q

What is the pagefile.sys?

Answer

A

a hidden file on the Windows operating system, which is used as virtual memory to expand the physical memory of a system. To increase the RAM performance, the system moves the least used “pages” of memory into pagefile.sys file to free the RAM space and pools in the running applications.

Question 36

Q

Windows Search Index

Answer

A

supports indexing for over 200 common file types by maintaining a record of all the documents. It also allows the users to quickly access any document such as messages, calendar events, contacts, and media files.

Question 37

Q

Partition Logic

Answer

A

Partition Logic is a hard disk partitioning and data management tool. It can create, delete, erase, format, defragment, resize, copy, and move partitions and modify their attributes. It can copy entire hard disks from one to another.

Question 38

Q

Partition Find & Mount

Answer

A

Partition Find & Mount implements a new concept of deleted or lost partition recovery. It locates and mounts partitions into the system, thus making those lost partitions available. It will also work in case any Boot Record (including the Master Boot Record) is missing, damaged or overwritten.

Question 39

Q

Web Browser Cache

Answer

A

The web browser cache allows users to cache the contents of web pages locally, in order to speed future access to regularly visited sites. This can be done because, the downloaded content remains on the hard drive until deleted. However, the data remains in the unallocated space of the hard drive even after deleting the cache.

Question 40

Q

ChromwCacheView

Answer

A

ChromeCacheView is a small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all the files that are currently stored in the cache. For each cache file, the following information is displayed: URL, Content type, File size, Last accessed time, Expiration time, Server name, Server response, etc.

Question 41

Q

Cookies

Answer

A

Cookies are small packages of data made to track, validate, and maintain specific user information. Cookies may have an expiration date, after which the browser deletes it. The system can also delete the cookies without the need of an expiration date at the end of a user session. The users may also delete cookie data directly from the browser.

Question 42

Q

Temp Files

Answer

A

Programs and processes create temporary files when they cannot allocate enough memory for the tasks or when the program is working on a large set of data. In general, when a program terminates, the system deletes these temp files. However, some programs create temp files and leave them behind. These files contain information about all the system processes which can be useful to gather evidences in any forensic investigation

Question 43

Q

Windows Thumbnail caches

Answer

A

Thumbcache Viewer
Thumbcache Viewer allows you to extract thumbnail images from the thumbcache_.db and iconcache_.db database files found on Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10. The program comes with both graphic user interface and command-line interface.

Question 44

Q

Windows Memory Analysis

Answer

A

Memory of a system refers to the storage space, where the system saves important data required for processing, such as application files, virtual memory, etc. This space contains files and metadata required for functioning of the in-built and external applications. Investigators can analyze this space to find the installed application, recent events, and other related data.

Question 45

Q

Memory Dump Files

Answer

A

Memory dump or crash dump is a storage space, where the system stores a memory backup, in case of a system failure. aka BSOD
Dumpchk is a tool that can be used

Question 46

Q

Types of Memory dumps

Answer

A

Automatic
Complete
Kernal- created by default in the %systemroot% folder as a memory dump file whenever a machine has kernel faults.
Small- a 64 KB dump containing the stop code and a list of all the loaded drivers and parameters.

Question 47

Q

What is important about the EProcess Block Structure?

Answer

A

PPEB_LDR_DATA (pointer to the loader data) structure that includes pointers or references to DLLs used by the process
A pointer to the image base address, where the beginning of the executable image file can be found
A pointer to the process parameters structure, which maintains the DLL path, the path to the executable image, and the command line used to launch the process

Question 48

Q

What tools can be used to view EProcess info?

Answer

A

Microsoft debug toolset or LiveKD

Question 49

Q

How do you parse memory?

Answer

A

Lsproc.pl
Lsproc (short for list processes) locates processes but not threads. It takes single argument, the path, and name, to a RAM dump file:

Question 50

Q

Lspd.pl

Parsing Memory Contents

Answer

A

Lspd.pl is a Perl script that will allow the user to list the details of the process. Like the other tools, lspd.pl is a command-line Perl script that relies on the output of lsproc.pl to obtain its information. Specifically, lspd.pl takes two arguments: the path and name of the dump file and the offset from the lsproc.pl output of the process that the investigators are interested in.

Question 51

Q

Lspi.pl

Extracting the Process Image

Answer

A

takes the same arguments as lspd.pl and lspm.pl It locates the beginning of the executable image for the process. If the Image Base Address Offset leads to an executable image file, Lspi.pl parses the values
contained in the PE header to locate the pages that make up the rest of the executable image file.

Question 52

Q

Lspm.pl

Parsing Process Memory

Answer

A

takes the same arguments as lspd.pl (the name and path of the dump file, and the physical offset within the file of the process structure) and extracts the available pages from the dump file, and writes them to a file within the current working directory. To run lspm.pl against the ITPROtv.exe process, use the following command line:

Question 53

Q

Collecting/Dumping Process Memory

Answer

A

pmdump.exe tool- allows dumping the contents of process memory without stopping the process.

Process Dumper - It dumps the entire process space along with additional metadata and the process environment to the console (STDOUT), so that the output can be redirected to a file or a socket.

Userdump.exe - allows dumping of any process, without attaching a debugger and without terminating the process once the dump has been completed.

Question 54

Q

Powershell script to get basic details on memory for a process:

Answer

A

Get-Process | Sort-Object WorkingSet64 | Select-Object Name,@{Name=’WorkingSet’;

Question 55

Q

The Volatility Framework

Answer

A

is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offers visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Question 56

Q

Five Windows Registry Root Folders

Answer

A

HKEY_CLASSES_ROOT - Config info f/which application is used to open what
HKEY_CURRENT_USER - Current logged on user
HKEY_LOCAL_MACHINE - System Config Info
HKEY_USERS - All active loaded user profiles
HKEY_CURRENT_CONFIG - h/w profile used during startup

Question 57

Q

HKEY_USERS

Answer

A

HKU
Each registry key under HKU hive relates to a user on the computer, which is named after the user’s security identifier (SID). The registry keys and registry values under each SID control the user specific mapped drives, installed printers, environmental variables and so on.

Question 58

Q

HKEY_CLASSES_ROOT

Answer

A

HKCR
A subkey of HKEY_LOCAL_MACHINE\Software.
It contains file extension association information and also programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data. This hive stores the necessary information which makes sure that the correct program opens when the user opens a file through the windows explorer

Question 59

Q

HKEY_CURRENT_USERS

Answer

A

HKCU
Contains the configuration information related to the user currently logged on. This hive controls the user level settings associated with user profile such as desktop wall paper, screen colors, display settings etc.

Question 60

Q

HKEY_CURRENT_CONFIG

Answer

A

HKCC
Stores information about the current hardware profile of the system.
The information stored under this hive explains the differences between the current hardware configuration and the standard configuration. The HKEY_CURRENT_CONFIG is simply a pointer to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CurrentControlSet\Hardware Profiles\Current registry key, which contains the information about the standard hardware configuration that is stored under the Software and System keys.

Question 61

Q

HKEY_LOCAL_MACHINE

Answer

A

HKLM
contains most of the configuration information for installed software which includes the Windows OS as well, and the information about the physical state of the computer which includes bus type, installed cards, memory type, startup control parameters and device drives

Question 62

Q

Find the time when the system was last shut down in the following key:

Answer

A

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Windows\Shutdowntime

Question 63

Q

Registry Analysis

Answer

A

ProDiscover - a self-managed tool for the examination of the user’s hard disk security.

RegRipper - a flexible open source tool that facilitates registry analysis with ease. It contains pre-written Perl scripts for the purpose of fetching frequently needed information during an investigation involving a Windows box.

Question 64

Q

System Information

Answer

A

asically the system information is stored in the System and Software database files, and partially in the Security hive file. The information about the system users is stored in the Security Account Manager (SAM) database file. Each user’s registry settings for their specific account is stored in the NTUSER.DAT registry file.

Answer 65

A

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses

Answer 66

A

HKEY_LOCAL_MACHINE\System\MountedDevice

Answer 67

A

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnc

Answer 68

A

HKLM\SOFTWARE\Classes\exefile\shell\open\command

HKCR\exefile\shell\open\Commad

Answer 69

A

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogo

Answer 70

A

Process Monitor - is an advanced monitoring tool for windows that shows real-time file system, registry and process/thread activity. It monitors and records all activities performed against the Microsoft Windows Registry. compatible with Windows Vista and higher

Answer 71

A

Plug and Play (PnP) Manager

USBDeview

Answer 72

A

ROT-13 Encryptor & Decryptor. ROT-13 is basically a ceaser cipher

Answer 73

A

Most Recently Used List are the lists of recently visited webpages, opened documents, etc., maintained by the Windows operating system in the Windows Registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore r\RecentDocs

Answer 74

A

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SystemRe stor

Answer 75

A

2 = automatic
3 = manual and starts on demand for service
4 = disabled

Answer 76

A

HKCU\Software\Microsoft\ Windows\CurrentVersion\ Explorer\Shell Folders

HKCU\Software\Microsoft\ Windows\CurrentVersion\ Explorer\User Shell Folders

HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\ Explorer\Shell Folders

HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\ Explorer\User Shell Folder

Answer 77

A

C:\Users\AppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX. defaul\cache2

Answer 78

A

C:\Users\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXX XX.default\cookies.sqlite

Answer 79

A

C:\Users\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXX XX.default\places.sqlite

Answer 80

A

C:\Users{user}\AppData\Local\Google\Chrome\User Data\Default

Answer 81

A

C:\Users{user}\AppData\Local\Google\Chrome\User Data\Default\Cache

Answer 82

A

C:\Users\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

Answer 83

A

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache

Answer 84

A

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8weky b3d8bbwe\AC\MicrosoftEdge\Cookies

Answer 85

A

C:\Users\Admin\AppData\Local\Microsoft\Windows\History

Answer 86

A

MZCacheView
MZCookiesView
MZHistoryView

Answer 87

A

ChromeCacheView
ChromeCookiesView
ChromeHistoryView

Answer 88

A

IECacheView
IECookiesView
BrowsingHistoryView

Answer 89

A

Rp.log Files

Includes value indicating the type of the restore point; a descriptive name for the restore point creation event, and the 64-bit FILETIME object indicating when the restore point was created
Description of the restore point can be useful for information regarding the installation or removal of an application

Answer 90

A

Once the data is processed, it is written to a .pf file in the Windows\Prefetch directory
DWORD value at the offset 144 within the file corresponds to the number of times the application is launched
DWORD value at the offset 120 within the file corresponds to the last time of the application run, this value is stored in UTC format
Information from .pf file can be correlated with Registry or Event Log information to determine who was logged on to the system, who was running which applications, etc.

Answer 91

A

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Session Manager\Memory Management\PrefetchParameters

Answer 92

A

0: Prefetching is disabled
1: Application prefetching is enabled
2: Boot prefetching is enabled
3: Both application and boot prefetching are enabled

Answer 93

A

It is important to collect the data, as it provides information about:
Hidden data about the document
Who tried to hide, delete, or obscure the data
Correlated documents from different sources

Answer 94

A

Descriptive
Structural
Administrative

Answer 95

A

MAC = modified, accessed, and created
The MAC times are timestamps that refer to the time at which the file was last modified in some way (data was either added to the file or removed from it), the time when it was last accessed (when the file was last opened), and when the file was originally created.

Answer 96

A

Coordinated Universal Time

Answer 97

A

Copy myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time.

Move myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification and creation dates.

Copy myfile.txt from a FAT16 partition to an NTFS partition – Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time.

Move myfile.txt from a FAT16 partition to an NTFS partition – Myfile.txt keeps the same modification and creation dates

Answer 98

A

Copy myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time.

Move myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification and creation dates.

Answer 99

A

Portable Document Format (PDF) files can contain metadata such as the name of the author, the date that the file was created, and the application used to create that file. The metadata shows that the PDF file was created on Mac or it was created by converting a Word document to PDF format. The pdfmeta.pl and pdfdmp.pl scripts can be used to extract metadata from PDF files. Another way to retrieve metadata is to open the file in Adobe Reader and click File  Properties. The Description tab of the Properties dialog box contains all the available metadata

Answer 100

A

Metashield Analyzer

Answer 101

A

Fixed Size Header (ELF_LOGFILE_HEADER)
Variable number of event records
End of file record (ELF_EOF_RECORD)

Answer 102

A

Non-Wrapping

Wrapping

Answer 103

A

In non-wrapping event record organization, the oldest record exists after event log header and the new record is placed last. This method is implemented for maximum log sizes. This size depends on the configured size value or number of system resources. Wrapping method is applied when the log size limit is crossed.

Answer 104

A

In wrapping event record organization, the oldest record is 102 instead of 1. The oldest record and ELF_EOF_RECORD have some empty space between them, in order to make a place for the new records. The event log file size has a limit and when this file size exceeds, the file records are wrapped. When wrapping begins the last record of the file will be divided into tw

Answer 105

A

Error: It denotes an issue or problem like data loss
Warning: It is an indication of future occurrence of error Information: This event gives details of the occurrence of a successful operation
Success Audit: This event records a successful audited security access attempt
Failure Audit: This event records a failed audited security access attempt

Answer 106

A

wevtutil command can be used to retrieve information about event logs and publishers that is not readily apparent via the Event Viewer user interface

Answer 107

A

.xml format

Answer 108

A

Changes to the OS
Changes to hardware configuration
Device Driver installation
Starting and Stopping of services

Answer 109

A

Can be used to parse windows event logs by means of an EnScript. Investigators often opt to use EnCase for examining log traffic.

Answer 110

A

OS Forensics - information gathering software, which extracts forensic data from computers and uncovers everything hidden inside a PC

Belkasoft Evidence Center - search, analyze, and store digital evidences found in Instant Messenger histories, Internet browser histories, and Outlook mailboxes.

RegScanner - scans the registry

MultiMon - displays highly detailed output of a very wide range of system activities in real time.

Process Explorer - shows the information about which handles and DLLs processes have been opened or loaded.

Security Task Manager - detects unknown malware and rootkits hidden from anti-virus software.

Proc Heap Viewer - enumerates process heaps on Windows

Memory Viewer - View your system memory configuration

Word Extractor - converts binary files to text files
Belkasoft Browser Analyzer - Allows you to search and analyze various internet browser histories

Metadata Assistant - analyzes Word/Excel/PowerPoint (2000 and higher) files to determine the type and amount of metadata (hidden information) that exists within

HstEx - Windows-based, advanced professional forensic data recovery solution designed to recover browser artifacts and Internet history from a number of different source evidence types.

XpoLog Log Management - turns your Data into actionable insights, with in-depth analytics.

Event Log Explorer - a software solution for viewing, monitoring, and analyzing events recorded in security, system, application, and other logs of Microsoft Windows operating systems.

LogMeister - monitors virtually any log your systems and applications can generate, including event logs, text logs and RSS.

System Explorer - is free software for exploration and management of system internals.

Helix3 Pro - is the cyber security solution providing incident response, computer forensics and e-discovery

ThumbsDisplay - is a tool for examining and reporting on the contents of Thumbs.db files used by Windows.

Registry Viewer - allows you to view the contents of Windows operating system registries. Unlike the Windows Registry Editor, which displays only the current system’s registry, Registry Viewer lets you view registry files from any Windows system.

Windows Forensic Toolchest (WFT) - is designed to provide a structured and repeatable automated live forensic response, incident response, or audit on a Windows system while collecting security-relevant information from the system. WFT is essentially a forensically enhanced batch processing shell, capable of running other security tools and producing HTML-based reports in a forensically sound manner.

Answer 111

A

Managed through the IIS Console

Answer 112

A

%WinDir%\System32\LogFiles\MSFTPSVC1\exyymm dd.log

Answer 113

A

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall WithAdvanced Security%4Firewall.evtx

Answer 114

A

Display Message or Driver Message
The command displays the kernel ring buffers, which contains the information about the drivers loaded into kernel during boot process and error messages produced at the time of loading the drivers into kernel. These messages are helpful in resolving the restoring the device’s driver issues

Answer 115

A

File System Consistency Check

Answer 116

A

displays file or file system status

Answer 117

A

checks and lists the bash shell commands used/ helps the user for auditing purposes.

Answer 118

A

mounts a file system or device to the directory structure.

Answer 119

A

Searches for presence of text or an expression or pattern in files

Answer 120

A

/var/log/auth.log - System authorization information, including user logins and authentication mechanism
/var/log/kern.log - Initialization of kernels, kernel errors or informational messages sent from kernel
/var/log/faillog - Failed user login attempts
/var/log/lpr.log - Stores printer logs
/var/log/mail.* - All mail server message logs
/var/log/my.sql.* - MySQL server logs
/var/log/apache2/* - Apache web server logs
/var/log/apport.log - Application crash report / log /var/log/lighttpd/* - Lighttpd web server log files directory
/var/log/daemon.log - Running services such as squid, ntpd, etc.
/var/log/debug - Debugging log messages
/var/log/dpkg.log - Package installation or removal logs

Answer 121

A

In a web based attack the investigator primarily focuses on network related logs. Investigators use the command netstat to view the network logs. The command collects and displays the information about the network connections, routing tables, network interfaces and network protocol stats.

Answer 122

A

The command last –F displays the activities of each user in detail such as number of login and logout attempts along with dates of the syste

Answer 123

A

displays the hostname of the system

Answer 124

A

Used to view the config of all network, both up and down interfaces on the system.

Answer 125

A

short for list open files. Command is used to list all the open files and the active processes that opened them.

Answer 126

A

displays information about the loaded modules

Answer 127

A

command line interface, enabling the users to directly interact with the x clipboard instead of using a mouse to copy paste. To output the contents to the clipboard use xclip -o

Answer 128

A

used to produce summery reports of the audit system logs.

Answer 129

A

determines the specified user ID and the group information for a specified user.

Answer 130

A

the short notion for “Read Executable and Linking Format”. The command is used to analyze the file headers and section of the ELF Files.

Answer 131

A

Often used for scheduling tasks (backdoors) to run at specific points of time.
nvestigators collect the contents in /var/spool/cron/ and /etc/cron.daily to identify the presence of the scheduled tasks in a compromised system

Answer 132

A

The .bash_history file stores the command history. These file helps the investigator to analyze the commands used in the terminal by the malicious user.

Answer 133

A

The /proc/ directory is also known as proc file system. The directory comprises of the order of special files that represent the current state of a kernel. Investigators can find the information of the systems hardware and the processes running them. The proc file system acts as interface for the internal data structures within the kernel.

Answer 134

A

Short for “process status” and used to view the list of processes running in the system.

Answer 135

A

short for address resolution protocol. Used to clear, add to or extract the kernals ARP cache.

Answer 136

A

Used to check if a particular process running on the system is suspicious.

Answer 137

A

Run cat /proc/sys/kernel/domainname command to know the domain name

Answer 138

A

Run cat /proc/swaps command to see total and used swap size

Answer 139

A

Run cat /proc/partitions command to see the list of disk partitions

Answer 140

A

Run cat /proc/cpuinfo command to see details about the CPU on a machine

Answer 141

A

Run cat /proc/self/mounts to view the count points and mounted external devices

Answer 142

A

Run cat /proc/uptime to measure the computers working time

Answer 143

A

View the swap space

Answer 144

A

Identify the system version by viewing the SystemVersion.plist file located at
/System/Library/CoreServices/SystemVersion.plist

Answer 145

A

Provides important info such as creation, access and modification times of any file Use the command stat to see the timestamp of any file
Usage: stat [-FlLnqrsx] [-f format] [-t timefmt] [file …]

Answer 146

A

OS X Auditor-Mac Forensics Tool 
MacForensicLab 
Macintosh Forensic Software 
Memoryze for the Mac 
Mac Marshal 
F-Response 
Mac OS X Memory Analysis Toolkit 
Volatility 2.5 
Avast Free Mac Security 
OS X Rootkit Hunter for Mac

Brainscape's Knowledge GenomeTM

Operating System Forensics Flashcards

Brainscape's Knowledge Genome^TM