Topic 8 Flashcards

1
Q

Name and define the 2 types of software that runs virtual machines

A

Type 1 and Type 2 hypervisors.
Type 1 hypervisors run on bare metal and are typically found on servers.
Type 2 hypervisors are usually the ones that you find loaded on a suspect machine. They are booted from the native OS and simulate a different machine.

2
Q

How do you conduct an investigation with Type 2 hypervisors? (3 steps)

A
  • Acquire an image of the host computer
  • Acquire network logs
  • Export associated VM files
3
Q

How do you determine whether a Virtual machine is running?

A
  • Windows host - look in Users or Documents folders
  • Linux host - usr directory
  • Check registry - file name associations
  • Look for virtual network adapter
4
Q

What six steps do you take in performing a live acquisition?

A
  1. Create a bootable forensic CD or USB drive
  2. Keep a log
  3. Connect your target drive - external hard drive or network drive
  4. Copy the physical memory (RAM)
  5. Potentially shut down and perform static acquisition later
  6. Hash all files that you live acquired
5
Q

What is network forensics?

A

Network Forensics is the process of collecting and analyzing raw network data and tracking network traffic systematically to ascertain how an attack was carried out or how an event occurred on a network.

6
Q

What 5 steps do you take in network forensics?

A

1. Use a standard installation image for systems on a network, containing all the standard applications used. You should also have MD5 and SHA-1 hash values of all application and OS files.
2. When an intrusion incident happens, make sure the vulnerability has been fixed to prevent other attacks from taking advantage of the opening.
3. Attempt to retrieve all volatile data, such as RAM and running processes, by doing a live acquisition before turning the system off.
4. Acquire the compromised drive and make a forensic image of it.
5. Compare files on the forensic image with the original installation image. Compare hash values of common files and determine whether they have changed.

7
Q

Name 3 ways to examine network logs

A

Use the tcpdump command
Use network tools
Use packet analyzers

8
Q

What are some forms that network attacks might take?

A

Distributed denial of service (DDoS) attacks using zombies
Zero-day attacks
