Section 5.4: Advanced Evidence Recovery Flashcards

1
Q

Name four wiping tools adversaries may use for anti-forensics.

A

SDelete, Eraser, BleachBit, and BCWipe.

2
Q

What is SDelete and how can I track it?

A

It is a Microsoft-signed tool. Ways to track it include searching the journals for DataOverwrite entries on file names made up of alphabetical letters, checking the $I30 index, and checking prefetch, in order to identify all files affected by the tool.

3
Q

Which BCWipe features are specifically for file wiping?

A

Wiping file slack, MFT records, directories, slack space inside drives, and temporary data inside the $LogFile.

4
Q

Where can I find evidence that BCWipe was used?

A

In the USN journal and some $LogFile data.

5
Q

Describe the BCWipe process as found inside the USN journal.

A

BCWipe rewrites the file with random characters multiple times and deletes the MFT record. It then deletes the file. Next it creates a hidden directory named “~BCWipe.tmp” to overwrite the metadata in the parent root (record 5). It then creates many “SECRET.txt!!!” files to fill and replace the $I30 index of the file’s parent directory. It then creates a new parent directory named “BCW-DIR-NODES” for those text files, and each file is renamed dir1, dir2, etc. and moved into that “BCW-DIR-NODES” directory. That parent directory then deletes itself. The remnants of this process are LOGFILEWIPER and SWP_INSBCB.tmp.

6
Q

What prefetch file indicates that BCWipe was run to completion?

A

INSBCBUS.exe-78A69D45.pf

7
Q

What does the Eraser tool not wipe? What does it wipe?

A

It does not completely wipe journaling, the index, or the MFT record, and it does not wipe Zone Identifiers. The Zone Identifiers can carry URL information as well as the name of the file that was wiped. It does wipe the file and its timestamps, overwriting the file seven times.

8
Q

What does cipher.exe do and what are some indicators that it was executed?

A

It is meant to encrypt data but can wipe the original data before encrypting it. Indicators include the /w switch and a directory named “EFSTMPWP” in the journals.

9
Q

Name a few tools meant to wipe registry data. Which areas of the registry do adversaries tend to wipe?

A

CCleaner and BleachBit. Adversaries tend to target keys such as WordWheelQuery, UserAssist, ComDlg32, and RecentDocs.

10
Q

What tool can I use to find deleted registry records? How can they be recovered? What gets recovered?

A

Registry Explorer. To recover data, check VSS copies and the registry transaction logs. Keys, values, and timestamps can be recovered.

11
Q

What is %COMSPEC%?

A

A command used to obfuscate scripts, such as those placed inside the registry hive.

12
Q

What is a good method for finding base64 scripts when using Registry Explorer?

A

Do a Find search and check all values, including slack. Set the byte size to 512 and the base64 size to 50 as a starting point; increase or decrease to adjust.

13
Q

Name and briefly explain the two methods to recover files.

A

Metadata method: retrieving files that are deallocated and have not been overwritten.
Carving method: retrieving files by their file signatures when they can no longer be found through metadata. The carving tool searches for a starting signature (header) and carves until it finds a footer.

14
Q

Name a few files of interest when carving files.

A

LNK, prefetch, recycle bin, and executable files are of interest. Also look for exfiltration files.

15
Q

What tools can I use to recover files by means of the metadata method?

A

icat to recover deleted files individually, or tsk_recover to extract all unallocated files.

16
Q

Name a tool that can be used for the carving method.

A

PhotoRec

17
Q

Name a tool that can carve deleted VSS files. What are some complications I can run into when using this tool? How can I access the files once they are carved?

A

vss_carver. One complication is that the tool tries to put the snapshots in order but is not always successful; the best way to overcome this is to use vss_catalog_manipulator. To access the files once carved, use the vshadowmount tool.

18
Q

What tool is used to delete event log files?

A

wevtutil.exe. Search for it in prefetch and other artifacts that record executable use.

19
Q

Name six fields that are useful to extract when using Bulk Extractor.

A

evtx, ntfsindx, ntfslogfile, ntfsmft, ntfsusn, and utmp (Linux).

20
Q

If an allocated VSS or hibernation file is found to be corrupted, can Bulk Extractor be used to carve it?

A

Yes!

21
Q

Since Bulk Extractor is not filesystem-aware, what can I use to get only the unallocated data?

A

Use the blkls tool.

22
Q

What can I do with files from Bulk Extractor that are marked “_corrupted”?

A

Run strings on them.

23
Q

Name some tools that are meant to help find specific terms or values.

A

bstrings, grep, and a hex editor. Using a forensic suite like FTK or the free Autopsy is good for index searching.