Study Guide - Chapter 13: Performing Forensic Analysis and Techniques for Incident Response Flashcards
1- Which format does dd produce files in while disk imaging?
- ddf
- RAW
- EN01
- OVF
RAW
dd creates files in RAW, bit‐by‐bit format. EN01 is the EnCase forensic file format, OVF is virtualization file format, and ddf is a made‐up answer.
3- Mike is conducting a root cause analysis. Which of the following is not a typical phase in the root cause analysis process?
- Identifying contributing factors
- Identifying solutions to the root cause
- Performing a risk analysis
- Implementing controls or fixes to address the root cause
Performing a risk analysis
Whereas root cause analysis may involve cost–benefit analysis before controls or fixes are put in place, risk assessment is typically a separate process.
dd
dd is a Linux utility often used to clone drives in RAW format, creating a bit-by-bit copy. It is a tool that can create forensic images
phases of a root cause analysis
- Identify problems
- Establish timeline
- Determine root cause
- Identify solutions
- Implement changes
- Validate effectiveness
- Report findings
- Defining the event or incident that is going to be analyzed. This involves identifying the problems and events that occurred as part of the incident and describing them as well as possible.
- Identifying the causes or contributing factors to the event, including building a timeline or process flow. You need to establish a timeline of events. This helps determine what happened, and in what order, to help identify the root cause(s).
- Finding the underlying, or root cause, often by mapping each identified cause or effect and asking what led to it. Differentiate between each of the events and causal factors. Determine which cause is a root cause, which are results of the root cause, and which are causal factors (events that contributed to the issue but were not the root cause).
- Identifying solutions to the root cause.
- Implementing controls, fixes, or other changes to address the root cause.
- Validating the fixes have been effective.
- Reporting. Document the root cause analysis, often through the use of a diagram or chart.
4- Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen during her data acquisition process?
- A read blocker
- A drive cloner
- A write blocker
- A hash validator
A write blocker
Write blockers ensure that no changes are made to a source drive when creating a forensic copy. Preventing reads would stop you from copying the drive, drive cloners may or may not have write blocking capabilities built in, and hash validation is useful to ensure contents match but don’t stop changes to the source drive from occurring.
6- What process is often performed as part of incident response forensic analysis?
- Blame assignment
- Root cause analysis
- Reverse hashing
- Legal holds
Root cause analysis
A root cause analysis is often performed to identify what went wrong and why. Lessons learned are then identified and applied to ensure the organization doesn’t experience the same issue in the future. Blame assignment is not a part of a forensic procedure and is typically discouraged in most organizations. Reverse hashing isn’t possible, as hashes are one‐way functions. Legal holds are associated with legal action, not incident response forensics.
8- During her forensic copy validation process, Danielle hashed the original, cloned the image files, and received the following MD5 sums. What is likely wrong?
b49794e007e909c00a51ae208cacb169 original.img
d9ff8a0cf6bc0ab066b6416e7e7abf35 clone.img
- The original was modified.
- The clone was modified.
- dd failed.
- An unknown change or problem occurred.
An unknown change or problem occurred.
Since Danielle did not hash her source drive prior to cloning, you cannot determine where the problem occurred. If she had run MD5sum prior to the cloning process as well as after, she could verify that the original disk had not changed.
9- Jennifer wants to perform memory analysis and forensics for Windows, macOS, and Linux systems. Which of the following is best suited to her needs?
- LiME
- DumpIt
- fmem
- The Volatility Framework
The Volatility Framework
The Volatility Framework is designed to work with Windows, macOS, and Linux, and it provides in‐depth memory forensics and analysis capabilities. LiME and fmem are Linux tools, whereas DumpIt is a Windows‐only tool.
The Volatility Framework
The Volatility Framework is a memory analysis and forensics tool that supports a broad range of operating systems, including Windows, Linux, and macOS, and has a range of capabilities, including tools to extract encryption keys and passphrases, user activity analysis, and rootkit analysis
LiME
LiME is a Linux kernel module that allows access to physical memory and directly copies data to a designated path and file.
Considered a forensic tool
DumpIt
DumpIt is a Windows memory capture tool that simply copies a system’s physical memory to the folder where the DumpIt program is, allowing easy capture to a USB thumb drive.
Considered a forensic tool
fmem
fmem is a Linux kernel module that allows access to physical memory and is designed to be used with dd or similar tools.
Considered a forensic tool
12- Carl does not have the ability to capture data from a cell phone using mobile forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there?
- Physical acquisition
- Logical access
- Filesystem access
- Manual access
Manual access
Manual access is used when phones cannot be forensically imaged or accessed as a volume or filesystem. Manual access requires that the phone be reviewed by hand, with pictures and notes preserved to document the contents of the phone.
13- What forensic issue might the presence of a program like CCleaner indicate?
- Antiforensic activities
- Full disk encryption
- Malware packing
- MAC time modifications
Antiforensic activities
CCleaner is a PC cleanup utility that wipes Internet history, destroys cookies and other cached data, and can impede forensic investigations. CCleaner may be an indication of intentional antiforensic activities on a system. It is not a full‐disk encryption tool or malware packer, nor will it modify MAC times.
CCleaner
CCleaner is a PC cleanup utility that wipes Internet history, destroys cookies and other cached data, and can impede forensic investigations. CCleaner may be an indication of intentional antiforensic activities on a system.
14- Which of the following is not a potential issue with live imaging of a system?
- Remnant data from the imaging tool will remain.
- Unallocated space will be captured.
- Memory or drive contents may change during the imaging process.
- Malware may detect the imaging tool and work to avoid it.
Unallocated space will be captured.
Unallocated space is typically not captured during a live image, potentially resulting in data being missed. Remnant data from the tool, memory and drive contents changing while the image is occurring, and malware detecting the tool are all possible issues.
16- Jeff is investigating a system that is running malware that he believes encrypts its data on the drive. What process should he use to have the best chance of viewing that data in an unencrypted form?
- Live imaging
- Offline imaging
- Brute‐force encryption cracking
- Causing a system crash and analyzing the memory dump
Live imaging
Imaging the system while the program is live has the best probability of allowing Jeff to capture the encryption keys or decrypted data from memory. An offline image after the system is shut down will likely result in having to deal with the encrypted file. Brute‐force attacks are typically slow and may not succeed, and causing a system crash may result in corrupted or nonexistent data.
17- Susan needs to capture network traffic from a Linux server that does not use a GUI. What packet capture utility is found on many Linux systems and works from the command line?
- tcpdump
- netdd
- Wireshark
- Snifman
tcpdump
The tcpdump utility is a command‐line packet capture tool that is found on many Linux systems. Wireshark is a GUI tool available for most operating systems. Netdd and snifman were made up for this question.
18- During a forensic investigation, Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing?
- Maintaining chain of custody
- Over‐the‐shoulder validation
- Pair forensics
- Separation of duties
Maintaining chain of custody
Ben is maintaining chain of custody documentation. Chris is acting as the validator for the actions that Ben takes and acts as a witness to the process.
19- Which tool is not commonly used to generate the hash of a forensic copy?
- MD5
- FTK
- SHA1
- AES
AES
While AES does have a hashing mode, MD5, SHA1, and built‐in hashing tools in FTK and other commercial tools are more commonly used for forensic hashes.
20- Which of the following issues makes both cloud and virtualized environments more difficult to perform forensics on?
- Other organizations manage them.
- Systems may be ephemeral.
- No forensic tools work in both environments.
- Drive images cannot be verified.
Systems may be ephemeral.
Both cloud and virtualized environments are often temporary (ephemeral) and thus can be difficult to perform forensics on. If you have a cloud, virtualized, or containerized environment, make sure you have considered how you would perform forensics, and what data preservation techniques you may need to use.
