Set 3 Flashcards
Which areas of a windows host should you focus on investigating for windows information?
Registry, event logs, memory
Running commands on a suspects windows system, what is the best practice?
Run windows commands from a USB drive.
Out of these what would not be considered volatile evidence?
Open shares and files
Running processes
Network connections
Shadow volume copies
Shadow volume copies
Where to collect windows based tool?
Windows system control center
Which command would a forensics analyst use to determine what processes are running on windows based system?
Tasklist
Which command would be used to list active network connections?
Netstat
What does this command do?
Net users»_space; output.txt
Appends the information to a txt file.
» always has something to do with append
Juanita is performing windows laptop search, consent and search and seizure form, wants to make a copy of the contents of physical memory of the host, what does she use?
Dumpit
Forensic analyst on windows host, a registry key shows ClearpagefileatShutdown, what does this mean?
No virtual memory
Which registry hive is populated once the user logs in?
current user
Which is not considered a main give of registry?
Config update
Metadata is encrypted and hidden in a different file, True or false
false
Windows based laptop investigation, suspect may have installed malware on purpose, to confirm John runs in vm, what analysis is this?
Dynamic
Which area is best for investigation for users suspicious internet related activities?
Browser cache
In an investigation Liv uses volatility, employee wont give password, she tries every possible password to enter computer, what method is this called?
Brute force attack
During data investigation, aleta uses volatility, employee wont give password, what is a hydra tool used to get passwords?
Word list
What are volatility modules?
Hive list, image info, system info, hash dump
Which tool can be used to analyze hard drive images on linux, windows, mac?
Autopsy
One TB in size analysis, how much space should she have?
Three terabytes
Which soft skill is important to being important to being a data forensic analyst?
attention to detail
What password hash is considered the strongest?
SHA256
What nist program must verify tools?
CFTT computer forensics tools testing
Know what classifies as hardware
You should know this
Osi layer that routes traffic between ip hosts?
Layer 3 network layer
Tcp and udp operate at which level of the OSI?
Transport layer
Trivial FTP is _____
UDP
What port is associated with websites HTTPS?
443 tcp
85% of internet traffic is encrypted, why is this?
Due to intrusion detection
Which can be reviewed on a host to determine what other hosts have communicated with it?
ARP address resolution protocol
Wireshark three way handshake?
SYN > SYN, ACK > ACK
Which tool is used to view an output of active connections?
netstat
Which exe is associated with a specific process number?
PID
Greg is apart of information security team, server problem, greg does network tap, he enables what mode to see traffic?
Promiscuous
Attacker deletes an event log how do you know?
Centralized logs
Sending an event log to another host?
Udp 514, windows event forwarding
Blank protocol is used to synchronize?
Network time protocol NTP
Qraar or Splunk is only able to collect event logs form firewalls, as many firewalls as its licensed for? True or false
false
5 different parts of the network tuple?
source IP, source port, destination IP, destination port, and the protocol.
