Section 3.1: Enterprise and Remote Analysis Flashcards

1
Q

What is KAPE?

A

A triage collection tool. It is run manually on standalone cases and is not designed for large-scale deployment on its own; it can, however, be pushed to a remote system and configured to send the collected files to an SFTP server. Because it reads the volume directly, it can copy locked, in-use files (the $MFT, registry hives, event logs), and it can also collect from volume shadow copies and pick up alternate data streams. Collected files are deduplicated by SHA-1 hash, so a file that is identical across the live volume and several shadow copies is kept only once.

2
Q

What is remote access?

A

An agent that gives an analyst direct remote access to a remote system's storage components, such as its disk or memory, which can then be parsed or imaged as if they were local devices. It reads the raw device rather than going through the remote system's API, which is an advantage against rootkits that hide files from the API. The main downside is network load: every byte the analyst reads crosses the network, which can congest it.

3
Q

What is a remote analysis agent?

A

An agent designed to actively parse artifacts on the endpoint, or monitor it continuously, and send the results (not the raw data) back to the analyst. It relies on the remote system's API to read those artifacts. Its downside is resource use on the endpoint, mainly RAM.

4
Q

Pros and cons of F-Response

A

Pros: good for registry hives, targeted file queries, the $MFT, and any other locked file, because it exposes the remote disk for direct parsing; it does not require a reboot. Cons: file carving and memory analysis over the network are slow, so for those it is best to image the disk or memory first and work on the image.

5
Q

Pros and cons of Velociraptor

A

Pros: good for deep analysis, including memory analysis. Cons: the agent consumes a noticeable amount of RAM on the endpoint, and it needs a server (controller) to manage the agents.

6
Q

Simple KAPE command line to collect a system triage.

A

kape.exe --tsource <drive> --target !SANS_Triage --tdest <directory>

Useful additional switches: --vss (also collect from volume shadow copies), --vhdx <name> (package the output in a VHDX container), --debug (verbose output).
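As an added example (not part of the original flashcards), the PowerShell wrapper below runs the triage shown above against the live system drive, includes volume shadow copies, packages the result in a ZIP container and pushes it to an SFTP server, which is the remote-collection mode described in card 1. The kape.exe path, staging directory, SFTP host, port and user are placeholders chosen for illustration; the switches themselves (--tsource, --target, --tdest, --vss, --zip, --scs, --scp, --scu, --scpw) are KAPE's documented options, but check them against `kape.exe --help` for the version you deploy.

```powershell
# Added example: collect the !SANS_Triage set from the live volume with KAPE,
# include shadow copies, zip the result and upload it to an SFTP server.
# Paths, host name and credentials are placeholders (assumptions), not values
# from the page. Run from an elevated PowerShell on the target host.

$Kape     = 'C:\Tools\KAPE\kape.exe'        # assumed install location
$Source   = 'C:'                            # volume to triage
$Dest     = 'C:\Temp\kape_out'              # local staging directory
$SftpHost = 'collector.example.internal'    # assumed SFTP server
$SftpPort = 22
$SftpUser = 'kape'
$SftpPass = Read-Host 'SFTP password'       # KAPE takes the password as a switch value

# KAPE needs raw volume access to copy locked files; refuse to run unelevated.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = [Security.Principal.WindowsPrincipal] $Identity
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}
if (-not (Test-Path $Kape)) { throw "kape.exe not found at $Kape" }

# Name the container after the host and collection time so uploads never collide.
$ZipBase = "$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')"

$kapeArgs = @(
    '--tsource', $Source,
    '--tdest',   $Dest,
    '--target',  '!SANS_Triage',   # compound target: registry, evtx, $MFT, prefetch, ...
    '--vss',                       # also walk each volume shadow copy (deduplicated by SHA-1)
    '--zip',     $ZipBase,         # the SFTP push needs a container (zip or vhdx)
    '--scs',     $SftpHost,        # SFTP server
    '--scp',     $SftpPort,        # SFTP port
    '--scu',     $SftpUser,        # SFTP user
    '--scpw',    $SftpPass         # SFTP password
)

& $Kape @kapeArgs
if ($LASTEXITCODE -ne 0) { throw "KAPE exited with code $LASTEXITCODE" }

# KAPE writes its console log and copy/skip logs next to the collection;
# keep them with the evidence, they are the record of what was (not) collected.
Get-ChildItem -Path $Dest | Select-Object Name, Length, LastWriteTime
```

If the SFTP push fails (firewall, wrong credentials), the ZIP container is still in the staging directory and can be moved out of band; the exit-code check above makes that failure visible instead of silently leaving the evidence on the host.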

7
Q

What is a bottleneck when it comes to server-to-client analysis? What are possible solutions?

A

The server is bottlenecked by encryption: every client connection is TLS-encrypted, and terminating all of that TLS on the server consumes CPU. One solution is to put a reverse proxy (or load balancer) in front of the server to offload the encryption work. Another is to run multiple servers to spread client connections, with the servers sharing a distributed filesystem so they all see the same data.

8
Q

What is VQL?

A

Velociraptor's Query Language. A VQL query can do a one-time collection of data from endpoints or run continuously as an event query for monitoring. It can parse anything I've read so far and more.

9
Q

Describe the built-in artifacts in Velociraptor.

A

Velociraptor ships with a library of pre-built artifacts: named, parameterised VQL templates that each collect or parse a specific set of data. Rather than writing VQL from scratch, I can pick the artifact by name and change its parameters to parse what I want.
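As an added example covering both the VQL card and this one (it is not part of the original flashcards and not Velociraptor's own code), the PowerShell script below writes two custom artifact definitions, a one-shot CLIENT artifact and a continuous CLIENT_EVENT artifact, then runs the one-shot artifact locally with velociraptor.exe. The artifact names, the definitions directory and the binary path are assumptions; the VQL plugins `pslist()` and `watch_evtx()` and the `artifacts collect`, `--definitions`, `--args` and `--output` command-line options are Velociraptor's, but confirm them against `velociraptor.exe --help` for your version. The 4688 CommandLine field is only populated when command-line auditing is enabled in audit policy.

```powershell
# Added example: two custom Velociraptor artifacts (YAML-wrapped VQL), then a
# local run of the one-shot artifact. Names, paths and the binary location are
# assumptions for illustration, not values from the page.

$Velociraptor = 'C:\Tools\velociraptor.exe'          # assumed path
$DefsDir      = 'C:\Tools\velociraptor-artifacts'    # assumed artifact directory
New-Item -ItemType Directory -Force -Path $DefsDir | Out-Null

# 1) One-time collection. type: CLIENT runs once on the endpoint and returns a
#    result set. ProcessRegex is a parameter, so the same artifact is reused
#    with a different regex instead of editing the VQL.
$OneShot = @'
name: Custom.Windows.Processes.ByName
description: One-shot collection of running processes whose name matches a regex.
type: CLIENT
parameters:
  - name: ProcessRegex
    default: "(?i)powershell|cmd\\.exe|rundll32"
sources:
  - query: |
      SELECT Pid, Ppid, Name, Exe, CommandLine, Username
      FROM pslist()
      WHERE Name =~ ProcessRegex
'@
Set-Content -Path (Join-Path $DefsDir 'Custom.Windows.Processes.ByName.yaml') -Value $OneShot

# 2) Continuous monitoring. type: CLIENT_EVENT never finishes: it tails the
#    Security log and streams every process-creation event (4688) to the server.
$Monitor = @'
name: Custom.Windows.Events.ProcessCreation
description: Stream Security event 4688 (process creation) as it is written.
type: CLIENT_EVENT
parameters:
  - name: SecurityLog
    default: C:/Windows/System32/winevt/Logs/Security.evtx
sources:
  - query: |
      SELECT System.TimeCreated.SystemTime AS Timestamp,
             EventData.NewProcessName AS NewProcess,
             EventData.ParentProcessName AS Parent,
             EventData.CommandLine AS CommandLine,
             EventData.SubjectUserName AS User
      FROM watch_evtx(filename=SecurityLog)
      WHERE System.EventID.Value = 4688
'@
Set-Content -Path (Join-Path $DefsDir 'Custom.Windows.Events.ProcessCreation.yaml') -Value $Monitor

# Run the one-shot artifact locally (no server needed), overriding the regex
# parameter, and write the results to a collection zip. The event artifact is
# deployed server-side as client monitoring, so it is not run here.
if (-not (Test-Path $Velociraptor)) { throw "velociraptor.exe not found at $Velociraptor" }
$Out = Join-Path $env:TEMP 'procs.zip'
& $Velociraptor --definitions $DefsDir artifacts collect Custom.Windows.Processes.ByName `
      --args 'ProcessRegex=(?i)mshta|wscript|cscript' --output $Out
if ($LASTEXITCODE -ne 0) { throw "velociraptor exited with code $LASTEXITCODE" }
"Collection written to $Out"
```

The two artifacts show the split the VQL card describes: the CLIENT query returns once and is what a hunt collects across the fleet, while the CLIENT_EVENT query keeps running on the endpoint and is what turns the agent into a monitoring sensor. Both are only YAML files on disk, so they can be version-controlled and reviewed like any other detection content.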

10
Q

Best places to collect necessary data at the endpoint.

A

Process objects and file executions, command lines, process trees, unusual API activity, network activity, and file, service and registry changes.

11
Q

EDR vs Forensics

A

EDR is more forward-facing, showing live activity as it happens, while forensics tells the deeper story of what happened. Use EDR as a supplement: it does not collect the complete set of data that forensics does.

12
Q

What are EDR’s advanced capabilities?

A

In-memory detections such as: command line, network activity, process tracking, DLL hooking, rootkits, thread creation and memory allocation.
