WGU Master’s Course C702 – Forensics and Network Intrusion

A software company suspects that employees have set up automatic corporate email forwarding to their personal inboxes against company policy. The company hires forensic investigators to identify the employees violating policy, with the intention of issuing warnings to them.

Which type of cybercrime investigation approach is this company taking?

A Civil
B Criminal
C Administrative
D Punitive
C

Which model or legislation applies a holistic approach toward any criminal activity as a criminal operation?

A Enterprise Theory of Investigation
B Racketeer Influenced and Corrupt Organizations Act
C Evidence Examination
D Law Enforcement Cyber Incident Reporting
A

What does a forensic investigator need to obtain before seizing a computing device in a criminal case?

A Court warrant
B Completed crime report
C Chain of custody document
D Plaintiff’s permission
A

Which activity should be used to check whether an application has ever been installed on a computer?

A Penetration test
B Risk analysis
C Log review
D Security review
C

Which characteristic describes an organization’s forensic readiness in the context of cybercrimes?

A It includes moral considerations.
B It includes cost considerations.
C It excludes nontechnical actions.
D It excludes technical actions.
B

A cybercrime investigator identifies a Universal Serial Bus (USB) memory stick containing emails as a primary piece of evidence.

Who must sign the chain of custody document once the USB stick is in evidence?

A Those who obtain access to the device
B Anyone who has ever used the device
C Recipients of emails on the device
D Authors of emails on the device
A

Which type of attack is a denial-of-service technique that sends a large amount of data to overwhelm system resources?

A Phishing
B Spamming
C Mail bombing
D Bluejacking
C

Which computer crime forensics step requires an investigator to duplicate and image the collected digital information?

A Securing evidence
B Acquiring data
C Analyzing data
D Assessing evidence
B

What is the last step of a criminal investigation that requires the involvement of a computer forensic investigator?

A Analyzing the data collected
B Testifying in court
C Assessing the evidence
D Performing search and seizure
B

How can a forensic investigator verify an Android mobile device is on, without potentially changing the original evidence or interacting with the operating system?

A Check to see if it is plugged into a computer
B Tap the screen multiple times
C Look for flashing lights
D Hold down the power button
C

What should a forensic investigator use to protect a mobile device if a Faraday bag is not available?

A Aluminum foil
B Sturdy container
C Cardboard box
D Bubble wrap
A

Which criterion determines whether a technology used by government to obtain information in a computer search is considered innovative and requires a search warrant?

A Availability to the general public
B Dependency on third-party software
C Implementation based on open source software
D Use of cloud-based machine learning
A

Which situation allows a law enforcement officer to seize a hard drive from a residence without obtaining a search warrant?

A The computer is left unattended.
B The front door is wide open.
C The occupant is acting suspicious.
D The evidence is in imminent danger.
D

Which legal document contains a summary of findings and is used to prosecute?

A Investigation report
B Search warrant
C Search and seizure
D Chain of custody
A

What should an investigator use to prevent any signals from reaching a mobile phone?

A Faraday bag
B Dry bag
C Anti-static container
D Lock box
A

A forensic investigator is called to the stand as a technical witness in an internet payment fraud case.

Which behavior is considered ethical by this investigator while testifying?

A Providing and explaining facts found during the investigation
B Interpreting the findings and offering a clear opinion to the jury
C Helping the jury arrive at a conclusion based on the facts
D Assisting the attorney in compiling a list of essential questions
A

A government agent is testifying in a case involving malware on a system.

What should this agent have complied with during search and seizure?

A Fourth Amendment
B Stored Communications Act
C Net Neutrality Bill
D Federal Rules of Evidence
A

Which path should a forensic investigator use to look for system logs in a Mac?

A /var/log/cups/access_log
B /var/log/
C /var/audit/
D /var/log/install.log
B

Which tool should a forensic investigator use to view information from Linux kernel ring buffers?

A arp
B dmesg
C fsck
D grep
B

A forensic investigator makes a bit-stream copy of a Windows hard drive that has been reformatted. The investigator needs to locate only the Adobe PDF files on the hard drive.

Which tool should this investigator use?

A Quick Recovery
B Handy Recovery
C EaseUS Data Recovery
D Stellar Data Recovery
C

Which hexadecimal value should an investigator search for to find JPEG images on a device?

A 0x424D
B 0xD0CF11E0A1B11AE1
C 0x504B030414000600
D 0xFFD8
D

Which type of steganography allows the user to physically move a file but keep the associated files in their original location for recovery?

A Whitespace
B Folder
C Image
D Web
B

An employee steals a sensitive text file by embedding it into a PNG file. The employee then sends this file via an instant chat message to an accomplice.

Which type of steganography did this employee use?

A Document
B Image
C Text
D Web
B

Which method is used when an investigator has access to the plaintext and an image file with the hidden information?

A Stego-only
B Known-stego
C Known-message
D Chosen-message
C

Which method is used when an investigator takes a plaintext message, uses various tools against it, and finds the algorithm used to hide information?

A Stego-only
B Known-stego
C Known-message
D Chosen-message
D

Which operating system is targeted by the DaveGrohl password cracker?

A Linux
B OS X
C UNIX
D Windows
B

Which password cracker is used to recover passwords on an OS X operating system?

A Cain and Abel
B DaveGrohl
C L0phtCrack
D Ophcrack
B

Which tool allows a forensic investigator to process Transmission Control Protocol (TCP) streams for analysis of malicious traffic?

A Kibana
B OSSEC
C Syslog-ng
D Wireshark
D

Which tool allows an investigator to review or process information in a Windows environment but does not rely on the Windows API?

A EnCase
B netstat
C dd
D LogMeister
A

A computer forensic investigator finds an unauthorized wireless access point connected to an organization’s network switch. This access point’s wireless network has a random name with a hidden service set identifier (SSID).

What is this setup designed to do?

A Create a backdoor that a perpetrator can use by connecting wirelessly to the network
B Jam the wireless signals to stop all legitimate traffic from using the wireless network
C Activate the wireless cards in the laptops of victims to gain access to their data and network
D Transmit high-power signals that force users to connect to the rogue wireless network
A

Which web-based application attack corrupts the execution stack of a web application?

A Buffer overflow
B Cookie poisoning
C SQL injection
D Denial-of-service
A

An employee is accused of sending a threatening email through Microsoft Exchange.

Which file extension should the investigator search for to find the archived message on the server?

A .DB
B .NSF
C .PST
D .EDB
D

Investigators do not have physical access to the computer of the victim of an email crime.

Which task should these investigators instruct the victim to perform in order to identify the sending email server?

A Provide the email body
B Provide the email header
C Run Aid4Mail Email Forensics
D Run Email Address Verifier
B

Which tool should a forensic investigator use on a Windows computer to locate all the data on a computer disk, protect evidence, and create evidentiary reports for use in legal proceedings?

A Wireshark
B OmniPeek
C ProDiscover
D Capsa
C

What is the purpose of hashing tools during data acquisition?

A Dumping the original RAM contents to a forensically sterile removable device
B Enabling write protection on the original media to preserve the original evidence
C Validating the collected digital evidence by comparing the original and copied file message digests
D Creating a replica of the original source to prevent the inadvertent alteration of the original
C

Which software-based tool is used to prevent writes to storage devices on a computer?

A CRU WiebeTech
B ILook Investigator
C SAFE Block
D USB WriteBlocker
C

Which tool should a forensic team use to research unauthorized changes in a database?

A ApexSQL DBA
B Gargoyle Investigator Forensic Pro
C LSASecretsView
D RSA NetWitness Investigator
A

Which graphical tool should investigators use to identify publicly available information about a public IP address?

A AWStats
B GoAccess
C SmartWhois
D NsLookup
C

Which tool is used to search and analyze PC messaging logs?

A Chat Stick
B File Viewer
C SnowBatch
D Zamzar
A

Which forensic tool allows an investigator to acquire database files for analysis from a mobile device?

A Andriller
B Volatility
C WinDump
D Tripwire
A

A first responder arrives at an active crime scene that has several mobile devices.

What should this first responder do while securing the crime scene?

A Leave the devices in the state they are in and put them in anti-static bags
B Turn on the devices and review recently accessed data
C Turn off the devices to preserve the volatile memory
D Leave the devices as found and fill out chain of custody paperwork
D

What is a responsibility of the first responder at a crime scene?

A Package and transport the evidence
B Identify the presence of rootkits on the evidence
C Decrypt the evidence by cracking passwords
D Detect malware present on the evidence
A

Which step preserves the forensic integrity of volatile evidence when a device is discovered in the powered-on state?

A Documenting the procedures for shutting down the system
B Collecting information with a secure command shell
C Using the built-in backup utility to gather information
D Copying the file with the keyboard shortcut Ctrl+C
B

Which action maintains the integrity of evidence when a forensic laptop is used to acquire data from a compromised computer?

A Connecting the machines with a straight-through cable
B Connecting the machines with a crossover cable
C Enabling a hardware write blocker
D Enabling administrative control
C

What should an investigator do while collecting evidence from a device?

A Turn off the computer to protect the data
B Install antivirus software to protect information
C Begin documenting the chain of custody
D Close any open documents and applications
C

Why should investigators use the bit-stream disk-to-disk data acquisition method rather than the disk-to-image method?

A Ensures that integrity is not compromised
B Preserves the required chain of custody
C Addresses potential errors and incompatibilities
D Avoids the possibility of running out of space
C

Which anti-forensic defense technique allows a forensic investigator to determine if the system’s kernel is compromised?

A Performing a brute-force attack
B Conducting steganalysis
C Performing BIOS bypass
D Conducting rootkit detection
D

Which anti-forensic defense technique allows a forensic investigator to gain access to files protected with Encrypting File System (EFS)?

A Installing a recovery certificate
B Detecting hosts in promiscuous mode
C Performing BIOS bypass
D Conducting rootkit detection
A

Which anti-forensic defense technique allows a forensic investigator to reset the firmware in order to access the operating system?

A Install a recovery certificate
B Detect hosts in promiscuous mode
C Perform BIOS password bypass
D Conduct rootkit detection
C

A software company has a data breach and hires a forensic expert to examine event and intrusion detection logs on its Linux servers. The investigator finds a suspicious user ID and wants to track all events of that user.

Which command should this forensic expert use?

A ausearch
B dd
C readelf
D cron
A

A forensic investigator receives dozens of log-in failure events within a few minutes. A security attack event is generated.

What is the goal when performing event correlation?

A Data aggregation
B Content reduction
C Explorative data analysis
D Root cause identification
D

A computer forensic investigator is preparing an affidavit statement.

Which type of report should this investigator prepare?

A Formal verbal
B Informal verbal
C Formal written
D Informal written
C

A forensic investigator is preparing a report in response to a security breach. The report is augmented by documentation provided by a third party.

Which optional section in the report serves as a gesture of thanks for the third-party support?

A Acknowledgments
B References
C Conclusions
D Appendices
A

A network log from a remote system is entered into evidence, and the proper steps are taken to protect the integrity of the data. The log contains network intrusion data but does not contain any information about the log.

What must an investigator document about this log in the forensic report?

A Name of the server
B Number of records in the file
C Name of the server administrator
D Number of bytes in the file
A

What should an investigator do to ensure that creating a forensic hard drive image does not alter the drive?

A Make a duplicate using the dd command
B Make a duplicate using the cp command
C Copy each file to a new disk using copy and paste
D Copy each file to a new disk using File Explorer
A

A Mac computer that does not have removable batteries is powered on.

Which action must a first responder take to preserve digital evidence from the computer once volatile information is collected?

A Place the computer in an anti-static bag
B Obtain the IP address of the computer
C Maintain the power with a portable charger
D Press the power switch for 30 seconds
D

What should an investigator do to ensure that a phone serving as evidence at a crime scene is properly isolated?

A Contact the service provider
B Turn the device off
C Remove the battery
D Use a Faraday bag
D

First responders arrive at a company and determine that a non-company Windows 7 computer was used to breach information systems. The computer is still powered on.

What is the correct procedure for powering off this computer once the volatile information has been collected?

A Shut down the device by clicking Special Shutdown
B Unplug the electrical cord from the wall socket
C Type Get-Service | Where {$_.status -eq 'running'}
D Press down the Ctrl and L keys simultaneously
B

What is the minimum number of workstations a forensics lab needs?

A One
B Two
C Three
D Four
B

Which function does the BIOS parameter block (BPB) handle for the hard disk?

A Describes the physical layout and volume partitions
B Specifies the location of the operating system
C Initializes code that executes after powering the firmware interface
D Interprets the boot configuration data and selects boot policy
A

How does RAID 3 store information?

A Information is written on a minimum of two drives for quick reading and writing of data.
B Data is mirrored on two drives to improve the speed of retrieving information and resilience.
C Information is written at byte level across multiple drives, but only one is dedicated for parity.
D Information is stored on multiple drives, with floating parity for improved performance and resilience.
C

Which file system is on a system with MacOS installed?

A New Technology File System (NTFS)
B Hierarchical File System Plus (HFS+)
C Extended file system (EXT)
D Z File System (ZFS)
B

Where should an investigator search for details of activities that have taken place in an SQL database?

A Primary data files (MDF)
B Secondary data files (NDF)
C Data definition language (DDL) files
D Transaction log data files (LDF)
D

Which command line utility enables an investigator to analyze privileges assigned to database files?

A DBINFO
B SHOWFILESTATS
C mysqldump
D mysqlaccess
D

The following is the header from a threatening email:

Received: from Mailhost.big-isp.com (mailhost.big-isp.com [124.53.112.16]) by Mailhost.gigantic-isp.com (8.8.5/8.7.2)
Received: from mail.biedburz.usa (mail.biedburz.usa [124.211.3.88]) by Mailhost.big-isp.com (10.5.2/10.4.1) With ESMTP id LAA20869 for timmy@gigantic-isp.com; Tue, Jan 26 2016 14:39:24 -0800 (PST)

What is the name of the server that sent the message?

A Mail.biedburz.usa
B Mailhost.big-isp.com
C Mailhost.gigantic-isp.com
D Timmy@gigantic-isp.com
A

Which header allows an investigator to determine if a message was sent to many recipients?

A In-Reply-To
B Content-Type
C X-Distribution
D X-Mailer
C

Which operating system contains PLIST files for forensic analysis?

A Android
B Windows
C Linux
D MacOS
D

Which operating system contains the authentication log at /var/log/auth.log?

A Android
B Linux
C iOS
D MacOS
B

Which of the following is true regarding computer forensics?

A deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.
B deals with the process of finding evidence related to a digital crime to find the culprits and avoid legal action against them.
C deals with the process of finding evidence related to a digital crime to find the victims and prevent legal action against them.
D deals with the process of finding evidence related to a crime to find the culprits and initiate legal action against them.
A

Which of the following is NOT an objective of computer forensics?

A Identify, gather, and preserve the evidence of a cybercrime.
B Track and prosecute the perpetrators in a court of law.
C Interpret, document, and present the evidence to be admissible during prosecution.
D Mitigate vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack.
D

Which of the following is true regarding Enterprise Theory of Investigation (ETI)?

A It encourages reactive action on the structure of the criminal enterprise.
B It adopts an approach toward criminal activity as a criminal act.
C It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act.
D It differs from traditional investigative methods, and it is less complex and less time-consuming.
C

Forensic readiness refers to:

A an organization’s ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs
B replacing the need to meet all regulatory requirements
C having no impact on prospects of successful legal action
D the establishment of specific incident response procedures and designated trained personnel to prevent a breach
A

Which of the following is NOT an element of cybercrime?

A anonymity through masquerading
B volatile evidence
C fast-paced speed
D evidence smaller in size
D

Which of the following is true of cybercrimes?

A The claimant is responsible for the collection and analysis of the evidence.
B The searching of the devices is based on mutual understanding and provides a wider time frame to hide the evidence.
C Investigators attempt to demonstrate information to the opposite party to support the claims and induce settlement.
D Investigators, with a warrant, have the authority to forcibly seize the computing devices.
D

Which of the following is true of civil crimes?

A The standards of proof need to be very high.
B The initial reporting of the evidence is generally informal.
C A formal investigation report is required.
D Law enforcement agencies are responsible for collecting and analyzing evidence.
B

Which of the following is NOT a consideration during a cybercrime investigation?

A collection of clues and forensic evidence
B analysis of digital evidence
C presentation of admissible evidence
D value or cost to the victim
D

Which of the following is a user-created source of potential evidence?

A printer spool
B log files
C address book
D cookies
C

Which of the following is a computer-created source of potential evidence?

A swap file
B steganography
C bookmarks
D spreadsheet
A

Which of the following is NOT where potential evidence may be located?

A digital camera
B thumb drive
C smart card
D processor
D

Under which of the following conditions will duplicate evidence NOT suffice?

A when original evidence is in possession of the originator
B when original evidence is destroyed in the normal course of business
C when original evidence is destroyed due to fire or flood
D when original evidence is in possession of a third party
A

Which of the following Federal Rules of Evidence governs proceedings in the courts of the United States?

A Rule 105
B Rule 102
C Rule 103
D Rule 101
D

Which of the following Federal Rules of Evidence ensures that the truth may be ascertained and the proceedings justly determined?

A Rule 102
B Rule 103
C Rule 101
D Rule 105
A

Which of the following Federal Rules of Evidence contains Rulings on Evidence?

A Rule 101
B Rule 102
C Rule 105
D Rule 103
D

Which of the following Federal Rules of Evidence states that the court shall restrict the evidence to its proper scope and instruct the jury accordingly?

A Rule 101
B Rule 102
C Rule 103
D Rule 105
D

Which of the following answers refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment in such a manner that the discovered evidence is acceptable during a legal and/or administrative proceeding in a court of law?

A disaster recovery
B incident handling
C computer forensics
D network analysis
C

Computer forensics deals with the process of finding __ related to a digital crime to find the culprits and initiate legal action against them.

A fraud
B insider threats
C evidence
D malware
C

Minimizing the tangible and intangible losses to the organization or an individual is considered an essential computer forensics use.

A False
B True
B

Cybercrimes can be classified into the following two types of attacks, based on the line of attack.

A fraud and spam
B internal and external
C phishing and malware
B

Espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks are examples of what?

A outsider attacks or secondary threats
B insider attacks or primary threats
C insider attacks or secondary threats
D outsider attacks or primary threats
B

External attacks occur when there are inadequate information-security policies and procedures.

A True
B False
A

Which type of cases involve disputes between two parties?

A investigative
B administrative
C criminal
D civil
D

A computer forensic examiner can investigate any crime as long as he or she takes detailed notes and follows the appropriate processes.

A True
B False
B

__ is the standard investigative model used by the FBI when conducting investigations against major criminal organizations.

A Both Enterprise Theory of Investigation (ETI) and Entrepreneur Theory of Investigation
B Enterprise Theory of Investigation (ETI)
C Entrepreneur Theory of Investigation
B

Digital devices store data about sessions such as user and type of connection.

A True
B False
A

Forensic readiness includes technical and non-technical actions that maximize an organization’s competence to use digital evidence.

A True
B False
A

Which of the following is the process of developing a strategy to address the occurrence of any security breach in the system or network?

A forensic readiness planning
B security policy
C best evidence rule
D incident response
D

Codes of ethics are the principles stated to describe the expected behavior of an investigator while handling a case. Which of the following is NOT a principle that a computer forensic investigator must follow?

A Act in accordance with federal statutes, state statutes, and local laws and policies.
B Provide personal or prejudiced opinions.
C Ensure integrity of the evidence throughout the investigation process.
D Act with utmost ethical and moral principles.
B

What must an investigator do in order to offer a good report to a court of law and ease the prosecution?

A authorize the evidence
B obfuscate the evidence
C preserve the evidence
D prosecute the evidence
C

What is the role of an expert witness?

A to educate the public and court
B to testify against the plaintiff
C to support the defense
D to evaluate the court’s decisions
A

Which of the following is NOT a legitimate authorizer of a search warrant?

A court of law
B magistrate
C concerned authority
D first responder
D

Under which of the following circumstances has a court of law allowed investigators to perform searches without a warrant?

A Expediting the process of obtaining a warrant may lead to the timely prosecution of a perpetrator.
B Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process.
C Expediting the process of obtaining a warrant may lead to a delay in prosecution of a perpetrator.
D Delay in obtaining a warrant may lead to the preservation of evidence and expedite the investigation process.
B

Which of the following should be considered before planning and evaluating the budget for the forensic investigation case?

A past success rate as a measure of value
B use of outdated, but trusted, technologies
C current media coverage of high-profile computer crimes
D breakdown of costs into daily and annual expenditure
D

Which of the following should be physical location and structural design considerations for forensics labs?

A Computer systems should be visible from every angle.
B Room size should be compact with standard HVAC equipment.
C Lightweight construction materials need to be used.
D Lab exteriors should have no windows.
D

Which of the following should be work area considerations for forensics labs?

A Examiner station has an area of about 50-63 square feet.
B Physical computer examinations should take place in a separate workspace.
C Additional equipment such as notepads, printers, etc. should be stored elsewhere.
D Multiple examiners should share workspace for efficiency.
A

Which of the following is NOT part of the Computer Forensics Investigation Methodology?

A data acquisition
B testify as an expert defendant
C testify as an expert witness
D data analysis
B

Which of the following is NOT part of the Computer Forensics Investigation Methodology?

A Assess the evidence.
B Secure the evidence.
C Destroy the evidence.
D Collect the evidence.
C

Investigators can immediately take action after receiving a report of a security incident.

A False
B True
A

In forensics laws, “authenticating or identifying evidences” comes under which rule?

A Rule 901
B Rule 801
C Rule 608
D Rule 708
A

Courts call knowledgeable persons to testify to the accuracy of the investigative process.

These people who testify are known as the __________:

A counselors
B expert witnesses
C judges
D character witnesses
B

A chain of custody is a critical document in the computer forensics investigation process because the document provides legal validation of appropriate evidence handling.

A False
B True
B

Identify the project launched by the National Institute of Standards and Technology (NIST) that establishes a “methodology for testing computer forensics software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.”

A Computer Forensic Hardware Project (CFHP)
B Computer Forensic Investigation Project (CFIP)
C Enterprise Theory of Investigation (ETI)
D Computer Forensic Tool Testing Project (CFTTP)
D

Which of the following is NOT a digital data storage type?

A quantum storage devices
B flash memory devices
C magnetic storage devices
D optical storage devices
A

Which of the following is NOT a common computer file system?

A NTFS
B FAT32
C EFX3
D EXT2
C

Which field type refers to the volume descriptor as a primary?

A Number 1
B Number 0
C Number 3
D Number 2
A

Which logical drive holds the information regarding the data and files that are stored in the disk?

A secondary partition
B extended partition
C tertiary partition
D primary partition
B

How large is the partition table structure that stores information about the partitions present on the hard disk?

A 64-byte
B 32-byte
C 64-bit
D 32-bit
A

How many bits are used by the MBR partition scheme for storing LBAs (Logical Block Addresses) and the size information on a 512-byte sector?

A 64
B 128
C 32
D 256
C

In the GUID Partition Table, which Logical Block Address contains the Partition Entry Array?

A LBA 0
B LBA 1
C LBA 3
D LBA 2
D

Which of the following describes when the user restarts the system via the operating system?

A hard booting
B hot booting
C warm booting
D cold booting
C

Which Windows operating system powers on and starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method?

A Windows 7
B Windows 8
C Windows Vista
D Windows XP
B

Which item describes the following UEFI boot process phase?

The phase of EFI consisting of initializing the CPU, temporary memory, and boot firmware volume (BFV); locating and executing the chapters to initialize all the found hardware in the system; and creating a Hand-Off Block List with all found resources interface descriptors.

A RT (Run Time) Phase
B DXE (Driver Execution Environment) Phase
C PEI (Pre-EFI Initialization) Phase
D BDS (Boot Device Selection) Phase
C

Which of the following basic partitioning tools displays details about GPT partition tables in Windows OS?

A Gparted
B Fdisk
C Disk Utility
D DiskPart
D

What stage of the Linux boot process includes the task of loading the Linux kernel and optional initial RAM disk?

A POST Stage
B Bootloader Stage
C BIOS Stage
D Kernel Stage
B

What component of a typical FAT32 file system consists of data that the file system uses to access the volume and that the system partition uses to load the operating system files?

A Boot Sector
B FAT Area
C Reserved Area
D Data Area
A

Which component of the NTFS architecture is a computer system file driver for NTFS?

A Ntfs.sys
B boot sector
C Master Boot Record
D Ntldlr.dll
A

What is the name of the abstract layer that resides on top of a complete file system, allows client applications to access various file systems, and consists of a dispatching layer and numerous caches?

A Virtual File System (VFS)
B Kernel Space
C GNU C Library (glibc)
D User Space
A

Which information held by the superblock contains major and minor items that allow the mounting code to determine whether or not supported features are available to the file system?

A magic number
B revision level
C mount count
D block size
B

Which file system used in Linux was developed by Stephen Tweedie in 2001 as a journaling file system that improves reliability of the system?

A Ext3
B Ext2
C Ext4
D Ext
A

How many bit values does HFS use to address allocation blocks?

A 32
B 64
C 16
D 8
C

What UFS file system part is composed of a few blocks in the partition reserved at the beginning?

A data groups
B boot blocks
C cylinder groups
D super block
B

What is a machine-readable language used in major digital operations, such as sending and receiving emails?

A .NET
B ASCII
C JAVA
D XML
B

What is JPEG an acronym of?

A Joint Photographic Exchange Group
B Joint Picture Exchange Group
C Joint Picture Experts Group
D Joint Photographic Experts Group
D

What is the proprietary Microsoft Office presentation file extension used in PowerPoint?

A TXT
B PDF
C PPT
D RTF
C

Which of the following is an example of optical media?

A CD/DVD
B Hard drive
C Flash media
D USB device
A

In sector addressing, __ determines the address of the individual sector on the disk.

A Clusters, Series, and Heads (CSH)
B Clusters, Heads, and Series (CHS)
C Cylinders, Heads, and Sectors (CHS)
D Logical Block Address (LBA)
C

__ is a 128-bit unique reference number used as an identifier in computer software.

A BIOS Parameter Block (BPB)
B Unified Extensible Firmware Interface (UEFI)
C Global Unique Identifier (GUID)
D Master Boot Record (MBR)
C

Mac OS uses a hierarchical file system.

A True
B False
A

The main advantage of RAID is that if a single physical disk fails:

A The operating system will protect the remaining disks.
B The system will build another drive.
C The system will continue to function without loss of data.
D The system will isolate the defective disk.
C

The command “fsstat” displays the details associated with an image file.

A True
B False
B

What is the simplest RAID level that does not involve any redundancy, and fragments the file into the user-defined stripe size of the array?

A RAID 5
B RAID 1
C RAID 0
D RAID 10
C

An investigator may commit some common mistakes while collecting data from the system that result in the loss of critical evidence.

Which of the following is NOT a mistake that investigators commonly make?

A choosing the wrong resolution for data acquisition
B use of correct cables and cabling techniques
C poor knowledge of the instrument
B

In Linux Standard Tools, forensic investigators use the following built-in Linux Commands to copy data from a disk drive:

A dc and dcfldd
B dd and dcfldd
C dd and ddfldc
D dc and ddfldc
B

Because it is always changing, the information in the registers or the processor cache is the most volatile data.

A True
B False
A

Forensic data duplication involves the creation of a file that has every bit of information from the source in a raw bit-stream format.

A False
B True
B

What document is used as a written record consisting of all processes involved in seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence?

A investigation of evidence document
B written report
C chain of custody document
D description document
C

What is the process of permanently deleting or destroying data from storage media?

A purge
B systems capture
C media sanitization
D disclosure
C

The process of acquiring volatile data from working computers (locked or in sleep condition) that are already powered on is:

A static data acquisition
B imaging data acquisition
C standard data acquisition
D live data acquisition
D

Which of the following refers to the data stored in the registries, cache, and RAM of digital devices?

A registries
B volatile information
C physical memory
D systems data
B

Where are deleted items stored on Windows Vista and later versions of Windows?

A Drive:\RECYCLER
B Drive:\RECYCLED
C Drive:\Recycle.Bin$
D Drive:\$Recycle.Bin
D

Where are deleted items stored on Windows 98 and earlier versions of Windows?

A Drive:\$Recycle.Bin
B Drive:\Recycle.Bin$
C Drive:\RECYCLER
D Drive:\RECYCLED
D

Where are deleted items stored on the Windows 2000, XP, and NT versions of Windows?

A Drive:\Recycle.Bin$
B Drive:\$Recycle.Bin
C Drive:\RECYCLED
D Drive:\RECYCLER
D

What is the maximum size limit for the Recycle Bin in Windows prior to Windows Vista?

A None
B 3.99 MB
C 3.99 GB
D 0
C

Which of the following is NOT a feature of the Recover My Files tool?

A recovering files even if emptied from the recycle bin data
B performing disk recovery after a hard disk crash
C recovering files from a network drive
D recovering from a hard drive, camera card, USB, Zip, floppy disk, or other media
C

What tool is used for format recovery, unformatting and recovering deleted files emptied from the Recycle Bin, or data lost due to partition loss or damage, software crash, virus infection, or unexpected shutdown and supports hardware RAID?

A Quick Recovery
B DiskDigger
C FileSalvage
D EaseUS
D

Which tool undeletes and recovers lost files from hard drives, memory cards, and USB flash drives?

A EaseUS
B DiskDigger
C Quick Recovery
D Drive Genius
B

Which tool recovers files that have been lost, deleted, corrupted, or even deteriorated?

A Quick Recovery
B Recover My Files
C EaseUS
D DiskDigger
A

Which tool recovers lost data from hard drives, RAID, photographs, deleted files, iPods, and removable disks connected via FireWire or USB?

A Recover My Files
B Total Recall
C DiskDigger
D EaseUS
B

What tool scans the entire system for deleted files and folders and recovers them?

A Recover My Files
B DiskDigger
C EaseUS
D Advanced Disk Recovery
D

What tool for Mac recovers files from a crashed or virus-corrupted hard drive?

A DiskDigger
B EaseUS
C Data Rescue 4
D Recover My Files
C

Which of the following are frequently left by criminals, assisting investigators in understanding the process of crime and the motive behind it, and allowing them to attempt to identify the person(s) who committed it?

A fingerprints
B bread crumbs
C invitations
D files
A

In Detecting Rootkits, the following technique is used to compare characteristics of all system processes and executable files with a database of known rootkit fingerprints.

A Cross View-Based Detection
B Runtime Execution Path Profiling
C Signature-Based Detection
D Integrity-Based Detection
C

In Anti-Forensics Techniques, which of the following techniques is used to hide a secret message within an ordinary message and extract it at the destination to maintain confidentiality of data?

A encryption
B steganography
C decryption
D cryptography
B

Which of the following consists of volatile storage?

A RAM
B ROM
C compact disc
D hard drive
A

What is NOT a command used to determine logged-on users?

A net sessions
B LogonSessions
C LoggedSessions
D PsLoggedOn
C

What is NOT a command used to determine open files?

A PsFile
B Open files
C Net file
D Openfiles
B

What command is used to determine the NetBIOS name table cache in Windows?

A Netstat
B Ipconfig
C Nbtstat
D Ifconfig
C

Which tool helps collect information about network connections operative in a Windows system?

A Ipconfig
B Nbtstat
C Netstat
D Ifconfig
C

Which of the following is NOT a command used to determine running processes in Windows?

A Netstat
B Pslist
C Tasklist
D Listdlls
A

Which is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples?

A Volatile Framework
B Volatility Extractor
C Volatility Framework
D Volatile Extractor
C

The information about the system users is stored in which file?

A PAT database file
B NTUSER.BAT
C SAM database file
D NTUSER.DAT
C

The value 0 associated with the registry entry EnablePrefetcher tells the system to use which prefetch?

A Boot prefetching is enabled.
B Prefetching is disabled.
C Both application and boot prefetching are enabled.
D Application prefetching is enabled.
B

What prefetch does value 1 from the registry entry EnablePrefetcher tell the system to use?

A Both application and boot prefetching are enabled.
B Boot prefetching is enabled.
C Application prefetching is enabled.
D Prefetching is disabled.
C

What prefetch does value 2 from the registry entry EnablePrefetcher tell the system to use?

A Prefetching is disabled.
B Both application and boot prefetching are enabled.
C Boot prefetching is enabled.
D Application prefetching is enabled.
C

What prefetch does value 3 from the registry entry EnablePrefetcher tell the system to use?

A Application prefetching is enabled.
B Both application and boot prefetching are enabled.
C Prefetching is disabled.
D Boot prefetching is enabled.
B

What tool enables you to retrieve information about event logs and publishers in Windows 10?

A Wevtutil
B EventViewer
C Regedit
D Msconfig
A

Intruders attempting to gain remote access to a system try to find the other systems connected to the network and visible to the compromised system.

A True
B False
A

The __ command is used to display the network configuration of the NICs on the system.

A ipconfig \all
B ipconfig /all
C ipconfig \all
D ipconfig //all
B

Investigators can use Linux commands to gather necessary information from the system. Identify which of the following shell commands is used to display the kernel ring buffer or information about device drivers loaded into the kernel.

A dmesg
B pstree
C Fsck
D Stat
A

What are the unique identification numbers assigned to Windows user accounts for granting user access to particular resources?

A Windows access number
B Microsoft security ID
C user access numbers
D security definitions
B

In Windows Event Log File Internals, the following file is used to store the events related to the system:

A Database.evtx
B Application.evtx
C System.evtx
D Security.evtx
C

Thumbnails of images remain on computers even after files are deleted.

A True
B False
A

What is NOT one of the three tiers a log management infrastructure typically comprises?

A log rotation
B log monitoring
C log analysis and storage
D log generation
A

Which is NOT a log management system function?

A log conversion
B log compression
C log generation
D log reduction
C

What is NOT one of the three major concerns regarding log management?

A log protection and availability
B log viewing
C log creation and storage
D log analysis
B

Which is a type of network-based attack?

A social engineering
B eavesdropping
C spamming
D phishing
B

Which attack does NOT directly lead to unauthorized access?

A man-in-the-middle
B spoofing
C sniffing
D denial-of-service
D

How can an attacker exploit a network?

A through wired or wireless connections
B through special cables
C through wired connections only
D through wireless connections only
A

What is the primary reason for forensic investigators to examine logs?

A to make notes of critical events because logs are not admissible as evidence
B to gain an insight into events that occurred in the affected devices/network
C to record their own access to the device
D to begin collecting information for a crime in progress
B

Which is true about the transport layer in the TCP/IP model?

A It is located between the network access layer and the internet layer.
B It includes protocols with HTTP, FTP, SMTP, and DNS.
C It is the backbone for data flow between two devices in a network.
D It is the lowest layer in the TCP/IP model.
C

What is an ongoing process that returns results simultaneously so that the system or operators can respond to attacks immediately?

A postmortem
B past-time analysis
C real-time analysis
D premortem
C

Which of the following is an internal network vulnerability?

A enumeration
B bottleneck
C eavesdropping
D spoofing
B

Which attack is specific to wireless networks?

A denial-of-service
B man-in-the-middle attack
C password-based attacks
D jamming signal attack
D

Where can congressional security standards and guidelines be found, along with an emphasis for federal agencies to develop, document, and implement organization-wide programs for information security?

A FISMA
B GLBA
C HIPAA
D PCI DSS
A

What requires companies that offer financial products or services to protect customer information against security threats?

A FISMA
B PCI DSS
C GLBA
D HIPAA
C

Which of the following includes security standards for health information?

A PCI DSS
B GLBA
C FISMA
D HIPAA
D

What is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?

A PCI DSS
B GLBA
C FISMA
D SOX
A

In what type of forensic examination do investigators perform an examination of logs to detect something that has already occurred in a network/device and determine what it is?

A systems
B postmortem
C real-time
D log file
B

Which are the most common network attacks launched against wireless networks?

A IP address spoofing
B AP MAC spoofing
C buffer overflow
D router attacks
B

In Event Correlation Approaches, which approach is used to monitor the computers’ and computer users’ behavior and provide an alert if something anomalous is found?

A route correlation
B role-based approach
C Bayesian correlation
D vulnerability-based approach
B

The investigator uses which of the following commands to view the ARP table in Windows?

A arp //
B arp .a
C arp /all
D arp -a
D

Which is NOT an indication of a web attack?

A web pages redirected to an unknown website
B network performance being unusually slow
C logs found to have no known anomalies
D access denied to normally available web services
C

Which is a threat to web applications?

A error handling
B cookie poisoning
C validated input
D secure storage
B

What layer of web application architecture includes all the web appliances, such as smartphones and PCs, where interaction with a web application deployed on a web server occurs?

A business layer
B client layer
C web server layer
D database layer
B

What layer of web application architecture contains components that parse the request (HTTP Request Parser) coming in and forwards the response back?

A client layer
B business layer
C database layer
D web server layer
D

What layer of web application architecture is responsible for the core functioning of the system and includes logic and applications, such as .NET, used by developers to build websites according to client requirements?

A web server layer
B database layer
C business layer
D client layer
C

What layer of web application architecture is composed of cloud services that hold all commercial transactions and a server that supplies an organization’s production data in a structured form?

A web server layer
B database layer
C client layer
D business layer
B

Which web application threat occurs when the application fails to guard memory properly and allows writing beyond maximum size?

A SQL injection
B information leakage
C buffer overflow
D cookie poisoning
C

Which web application threat refers to the modification of a website’s remnant data for bypassing security measures or gaining unauthorized information?

A SQL injection
B buffer overflow
C information leakage
D cookie poisoning
D

Which web application threat occurs when an attacker is allowed to gain access as a legitimate user to a web application or data such as account records, credit card numbers, passwords, or other authenticated information?

A information leakage
B cookie poisoning
C buffer overflow
D insecure storage
D

Which web application threat refers to a drawback in a web application where it unintentionally reveals sensitive data to an unauthorized user?

A buffer overflow
B SQL injection
C information leakage
D cookie poisoning
C

Which web application threat arises when a web application is unable to handle technical issues properly and the website returns information, such as database dumps, stack traces, and codes?

A improper error handling
B cookie poisoning
C SQL injection
D buffer overflow
A

Which web application threat refers to vulnerable management functions, including user updates, recovery of passwords, or resetting passwords?

A cookie poisoning
B broken account management
C buffer overflow
D SQL injection
B

Which web application threat occurs when attackers exploit HTTP, gain access to unauthorized directories, and execute commands outside the web server’s root directory?

A cookie poisoning
B buffer overflow
C SQL injection
D directory traversal
D

Which web application threat occurs when attackers insert commands via input data and are able to tamper with the data?

A cookie poisoning
B denial-of-service
C buffer overflow
D SQL injection
D

Which web application threat occurs when attackers intend to manipulate the communication exchanged between the client and server to make changes in application data?

A SQL injection
B cookie poisoning
C buffer overflow
D parameter tampering
D

Which web application threat is a method intended to terminate website or server operations by making resources unavailable to clients?

A SQL injection
B denial-of-service
C buffer overflow
D cookie poisoning
B

Which web application threat occurs when attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, or query strings?

A SQL injection
B cookie poisoning
C buffer overflow
D unvalidated input
D

Which web application threat occurs when attackers bypass the client’s ID security mechanisms, gain access privileges, and inject malicious scripts into specific fields in web pages?

A buffer overflow
B SQL injection
C cookie poisoning
D cross-site scripting
D

Which web application threat occurs when attackers insert malicious code, commands, or scripts into the input gates of web applications, enabling the applications to interpret and run the newly supplied malicious input?

A buffer overflow
B cookie poisoning
C injection flaws
D SQL injection
C

Which web application threat occurs when an authenticated user is forced to perform certain tasks on the web application chosen by an attacker?

A cross-site request forgery
B cookie poisoning
C SQL injection
D buffer overflow
A

Which web application threat occurs when attackers identify a flaw, bypass authentication, and compromise the network?

A broken access control
B cookie poisoning
C SQL injection
D buffer overflow
A

Which supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP?

A Windows Server
B Internet Information Server (IIS)
C web server
D logs
B

On Windows Server 2012, by default, the IIS log files are stored at which of the following locations?

A %SystemDrive%\inetpub\LogFiles
B %SystemDrive%\PerfLogs\LogFiles
C %SystemDrive%\PerfLogs\Logs\LogFiles
D %SystemDrive%\inetpub\Logs\LogFiles
D

Which of the following is a web analytics solution for small and medium size websites?

A event appreciation, event formulation, event including, root cause analysis
B deep log analyzer
C forensic analyzer
D root cause analyzer
B

Which command is used to find whether any TCP or UDP ports have unusual listeners?

A netstat -s
B netstat -n
C netstat -na
D netstat -ns
C

Which of the three different files storing data and logs in SQL servers holds the entire log information associated with the database?

A LDF
B NDF
C MDF
D PDF
A

Which of the three different files storing data and logs in SQL servers is optional?

A LDF
B MDF
C PDF
D NDF
D

What file format is used by Windows Vista and later versions to store event logs as simple text files in XML format?

A .txt
B EVTX
C TXTX
D .log
B

What type of forensics takes action when a security incident has occurred and both detection and analysis of the malicious activities performed by criminals over the SQL database file are required?

A data forensics
B MSSQL forensics
C primary data file
D data file forensics
B

For Forensic Analysis, which of the following MySQL Utility Programs is used to export metadata, data, or both from one or more databases?

A mysqldbmeta
B mysqldatabase
C mysqldbdata
D mysqldbexport
D

Which command line utility is used to take a backup of the database?

A mysqlbackup
B mysqldump
C mysqldbdump
D mysqldatabase
B

Which of the three different files storing data and logs in SQL servers is the starting point of a database and points to other files in the database?

A LDF
B NDF
C PDF
D MDF
D

What cloud service offers a platform for developing applications and services?

A PaaS
B SaaS
C IaaS
D AaaS
A

What cloud service enables subscribers to use fundamental IT resources—such as computing power, virtualization, data storage, network, etc.—on demand?

A IaaS
B PaaS
C SaaS
D AaaS
A

What cloud service offers application software to subscribers on demand or over the internet and is charged for by the provider on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users?

A PaaS
B AaaS
C IaaS
D SaaS
D

Which of the following is also known as an internal or corporate cloud and is a cloud infrastructure that a single organization operates?

A private cloud
B public cloud
C community cloud
D hybrid cloud
A

What is a cloud environment composed of two or more clouds that remain unique entities but are bound together to offer the benefits of multiple deployment models?

A hybrid cloud
B community cloud
C private cloud
D public cloud
A

Which cloud environment is a multi-tenant infrastructure shared among organizations with common computing concerns, such as security, regulatory compliance, performance requirements, and jurisdiction?

A private cloud
B community cloud
C hybrid cloud
D public cloud
B

Which cloud environment allows the provider to make services—such as applications, servers, and data storage—available to the public over the internet?

A hybrid cloud
B public cloud
C community cloud
D private cloud
B

Which of the following stakeholders includes professionals—such as cloud security architects, network administrators, security administrators, and ethical hackers—responsible for managing and maintaining all aspects of the cloud?

A investigators
B law advisors
C incident handlers
D IT professionals
D

Which of the following stakeholders is responsible for conducting forensic examinations against allegations made regarding wrongdoings, found vulnerabilities, and attacks over the cloud?

A IT professionals
B law advisors
C investigators
D incident handlers
C

Which of the following stakeholders are the first responders for all the security events or occurrences taking place on a cloud?

A law advisors
B incident handlers
C IT professionals
D investigators
B

Which of the following stakeholders are responsible for making sure all the forensic activities are within the jurisdiction and do not violate any regulations or agreements?

A IT professionals
B law advisors
C incident handlers
D investigators
B

What type of cloud testing should organizations perform regularly to monitor their security posture?

A pen testing
B installations
C cloning
D deployment
A

On-demand __ is a type of service rendered by cloud service providers that allows subscribers to provision cloud resources such as computing power, storage, network, and so on—always on demand, without the need for human interaction with service providers.

A full service
B self-service
C catering
D a la carte
B

Identify which of the following cloud computing services enables subscribers to use fundamental IT resources such as computing power, virtualization, data storage, network, and so on—on demand.

A Software-as-a-Service (SaaS)
B Platform-as-a-Service (PaaS)
C Infrastructure-as-a-Service (IaaS)
C

On Windows 10 OS, by default, the Google Drive Client is installed at which of the following locations?

A C:\Google\Drive
B C:\Program Files (x86)\Google\Drive
C C:\ProgramData\Google\Drive
D C:\Program Files\Drive
B

Which of the following is a disadvantage of a private cloud?

A expense
B security is not guaranteed
C lack of control
D difficulty achieving data compliance
A

What is a common technique used to distribute malware on the web by injecting malware into legitimate-looking websites to trick users into selecting them?

A click-jacking
B drive-by downloads
C malvertising
D Blackhat SEO
A

What is a common technique used to distribute malware on the web with tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to get higher search-engine ranking for malware pages?

A malvertising
B click-jacking
C Blackhat SEO
D drive-by downloads
C

What is a common technique used to distribute malware on the web by mimicking legitimate institutions in an attempt to steal passwords, credit cards, and bank account data?

A malvertising
B drive-by downloads
C Blackhat SEO
D spear phishing sites
D

What is a common technique used to distribute malware on the web by embedding malware-laden advertisements in authentic online advertising channels to spread onto systems of unsuspecting users?

A drive-by downloads
B Blackhat SEO
C compromised websites
D malvertising
D

What is a common technique used to distribute malware on the web when an attacker exploits flaws in browser software to install malware merely by having the user visit a website?

A Blackhat SEO
B malvertising
C drive-by downloads
D click-jacking
C

When a reputable website is infected with malware that secretly installs itself on a visitor’s system and thereafter carries out malicious activities, it is an example of which common technique used by hackers to distribute malware?

A compromised legitimate websites
B social engineering
C malvertising
D spear phishing sites
A

Why is it safe to conduct static analysis?

A The process is necessary.
B The file used is a copy.
C The investigator does not install or execute the suspect file.
D Forensic analysts know software.
C

In Port Monitoring, the following command is used to look for connections established to unknown or suspicious IP addresses.

A netstat -ns
B netstat -sn
C netstat -an
D netstat -sL
C

What is NOT one of CAN-SPAM’s main requirements for senders?

A The email must have your valid physical postal address.
B Do not use false or misleading header information.
C Honor recipients’ opt-out request within 30 business days.
D The commercial email must be identified as an ad.
C

Which is a violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act?

A retransmitting spam messages through a computer to mislead others about the origin of the message

B taking advantage of open relays or open proxies with permission

C using legitimate information to register for multiple email accounts or domain names

D accessing someone else’s computer to send spam mails with permission
A

What is the first step an investigator should take to carry out the on-site examination of an email server?

A seize the computers and email accounts suspected to be involved.
B conduct a forensics test on the permitted equipment.
C obtain a search warrant application in the appropriate language.
D seize the email accounts by changing the existing password of the email account.
C

What is the primary information required for starting an email investigation?

A the unique message
B the unique IP address
C the date and time
D the SMTP log
B

What is NOT true of email crimes?

A Communication can occur without human intervention.
B Email crime is not limited by the email organization.
C Forging the email header can hide the attacker’s identity.
D Unsolicited commercial email is considered spam.
B

Which RFC defines normal email communication?

A RFC 2525
B RFC 5322
C RFC 5422
D RFC 2050
B

Which of the following is an internet protocol that’s designed for transmitting email over IP networks?

A Internet Message Access Protocol (IMAP) server
B Simple Mail Transfer Protocol (SMTP)
C Post Office Protocol Version 3 (POP3) Server
D TCP / IP
B

Where do email archives store received and sent emails?

A on the mail server
B in the cache file
C on the system hard drive
D on the internet
C

An email client connects with a POP3 server via which of the following?

A Port 101
B Port 111
C Port 011
D Port 110
D

What is considered the biggest threat to mobile devices?

A mobile malware
B social engineering attack
C data integrity threat
D data loss
D

Which architectural layer of mobile device environments represents any program that runs on the Android platform?

A GUI API
B communication API
C client application
D phone API
C

Which architectural layer of mobile device environments simplifies the process of interacting with web services and other applications such as email, internet, and SMS?

A phone API
B GUI API
C client application
D communication API
D

Which architectural layer of mobile device environments is responsible for creating menus and sub-menus in designing applications?

A client application
B communication API
C phone API
D GUI API
D

Which architectural layer of mobile device environments provides telephony services related to the mobile carrier operator such as making calls, receiving calls, and SMS?

A client application
B GUI API
C phone API
D communication API
C

Which architectural layer of mobile device environments offers utilities for scheduling multiple tasks, memory management tasks, synchronization, and priority allocation?

A client application
B communication API
C operating system
D GUI API
C

Which architectural layer of mobile device environments contains items that are responsible for mobile operations—such as a display device, keypad, RAM, flash, embedded processor, and media processor?

A communication API
B operating system
C hardware
D client application
C

Which architectural layer of mobile device environments allows a mobile device to communicate with the network?

A operating system
B GUI API
C network
D client application
C

What operating system was Android based on?

A Windows
B Mac
C Linux
D iOS
C

Identify which code can be used to obtain the International Mobile Equipment Identifier (IMEI) number on a mobile phone.

A #06
B #*06#
C *#06#
D *06#
C

Which of the following is a unique 32-bit identifier recorded on a secure chip in a mobile phone by the manufacturer?

A Electronic Serial Number (ESN)
B Subscriber Identity Module
C International Mobile Equipment Identifier (IMEI)
D Integrated Circuit Card Identification
A

The mobile forensics investigation team should consist of persons who have expertise in responding, seizing, collecting, and reporting the evidence from the mobile devices.

A True
B False
A

How should expert witnesses conduct themselves while presenting testimony to any court or attorney?

A Always be unenthusiastic while giving testimony.
B Never pay a compliment to the jury.
C Avoid leaning and develop self-confidence.
D Maintain a relaxed body expression.
C

Which statement is correct about who attends a trial or deposition?

A No attorneys are present in a trial.
B Only the judge is present in a deposition.
C Both jury and judge are present in a deposition.
D Both attorneys are present in a deposition.
D

Which of the following standards is a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?

A Frye Standard
B Both Frye Standard and Daubert Standard
C Daubert Standard
A

The main objective of a cybercrime investigation is to identify which of the following?

A evidence and facts
B malware
C IP addresses of criminals
D crimes
A

HFS divides the volume into logical blocks of how many bytes each?

A 128
B 512
C 256
D 64
B

How many bytes is each logical block in GPT?

A 256
B 128
C 512
D 1,024
C

How many tracks are typically contained on a platter of a 3.5″ HDD?

A 512
B 1,000
C 2,000
D 256
B

On Macintosh computers, which architecture utilizes EFI to initialize the hardware interfaces after the BootROM performs POST?

A PowerPC
B Intel
C SPARC
D ARM
B

What component of a typical FAT32 file system occupies the largest part of a partition and stores the actual files and directories?

A Boot Sector
B Data Area
C FAT Area
D Reserved Area
B

What is a computing standard developed along with the UCS standard for encoding, representation, and management of texts, and provides a unique number for every character irrespective of the platform, program, or language?

A UNICODE
B .NET
C XML
D JAVA
A

What is a technology that uses multiple smaller disks simultaneously that function as a single large volume?

A SSD
B RAID
C HDD
D DEET
B

What is an Adobe-developed file format from 1992 that helps users to easily view, save, and print a document—independent of any platform, operating system, hardware, or software?

A DOC
B PDF
C TXT
D RTF
B

What is the maximum file system size in ext3?

A 2 GB
B 32 TB
C 2 TB
D 32 GB
B

What is the maximum file system size in ext4?

A 1 TB
B 1 EiB
C 16 TB
D 1 GB
B

What is the proprietary Microsoft Office text file extension used in Word?

A TXT
B PDF
C DOC/DOCX
D RTF
C

What is the RAID level that is a combination of striping and mirroring to protect data and requires at least four drives to implement?

A RAID 0
B RAID 1
C RAID 10
D RAID 5
C

What replaces legacy BIOS firmware interfaces and uses a partition interfacing system to overcome the limitations of the MBR partitioning scheme?

A UEMR
B UEFI
C UEFO
D UHFI
B

What stage of the Linux boot process includes the task of loading the virtual root file system created by the initrd image and executes the Linuxrc program?

A BIOS Stage
B POST Stage
C Bootloader Stage
D Kernel Stage
D

What UFS file system part comprises a collection, including a header with statistics and free lists, a number of inodes containing file attributes, and a number of data blocks?

A super block
B boot blocks
C cylinder groups
D data groups
C

Which attribute ID does NTFS set as a flag after encrypting a file where the Data Decryption Field (DDF) and Data Recovery Field (DRF) are stored?

A Attribute ID = 0x010
B Attribute ID = 0x101
C Attribute ID = 0x001
D Attribute ID = 0x100
D

Which cmdlet can investigators use in Windows PowerShell to analyze the GUID Partition Table data structure of the hard disk?

A Get-BootSector
B Get-GPT
C Get-PartitionTable
D Get-MBR
B

Which cmdlet can investigators use in Windows PowerShell to analyze the GUID Partition Table to find the exact type of boot sector and display the partition object?

A Get-GPT
B Get-PartitionTable
C Get-MBR
D Get-BootSector
B

Which command from The Sleuth Kit (TSK) displays details of a metadata structure such as inode?

A img_stat
B istat
C fsstat
D fls
B

Which type number in the first field of an ISO 9660 volume descriptor marks it as a supplementary volume descriptor?

A Number 0
B Number 2
C Number 3
D Number 1
B

Which HFS volume structure is the starting block of the volume bitmap?

A logical block 1
B logical block 2
C logical block 4
D logical block 3
D

Which inode field determines what the inode describes and the permissions that users have to it?

A data blocks
B timestamp
C mode
D owner information
C

Which inode field enables the file system to correctly allow the right sort of access?

A owner information
B data blocks
C timestamp
D mode
A

Which item describes the following UEFI boot process phase?

The phase of EFI consisting of clearing the UEFI program from memory, transferring the UEFI program to the OS, and updating the OS calls for the run time service using a small part of the memory.

A RT (Run Time) Phase
B PEI (Pre-EFI Initialization) Phase
C BDS (Boot Device Selection) Phase
D DXE (Driver Execution Environment) Phase
A

Which of the following basic partitioning tools displays details about GPT partition tables in Linux OS?

A Fdisk
B GNU Parted
C Disk Utility
D DiskPart
B

Which of the following basic partitioning tools displays details about GPT partition tables in Macintosh OS?

A Gparted
B DiskPart
C Disk Utility
D Fdisk
C

Which of the following describes when a user plugs in a computer and starts it from a fully off condition?

A warm booting
B soft booting
C hot booting
D cold booting
D

Which of the following describes when the user restarts the system via the operating system?

A hot booting
B cold booting
C warm booting
D hard booting
C

Which of the following file systems was designed in 1976 for many operating systems, such as DOS and Windows, and for small hard disks, and has a simple folder structure that got its name from the way it organizes data?

A Journaling File System (JFS)
B File Allocation Table (FAT)
C New Technology File System (NTFS)
D Hierarchical File System (HFS)
B

Which of the following is a successor of HFS and is a primary file system in Macintosh?

A HFS+
B HFS2
C HPFS
D HTFS
A

Which of the following is one of the five UEFI boot process phases?

A PIE Phase
B BSD Phase
C SEC Phase
D PAI Phase
C

Which of the following Windows operating systems powers on and starts up using only the traditional BIOS-MBR method?

A Windows 8
B Windows 9
C Windows XP
D Windows 10
C

Which of the two parts of the Linux file system architecture has the memory space where the system supplies all services through an executed system call?

A User Space
B Kernel Space
C Virtual File System (VFS)
D GNUC Library (glibc)
B

Which position does the protective MBR occupy in the GPT at Logical Block Address 0?

A second
B first
C last
D third
B

Which of the following is one of the five UEFI boot process phases?

A BSD Phase
B DXE Phase
C PAI Phase
D PIE Phase
B

Which of the following is an essential Windows system file?

A Ntoskrnl.exe
B CoreServices
C boot.efi
D inittab
A

What do GPTs use in place of the addressing scheme used by legacy MBRs?

A Logical Block Addressing (LBA)
B Unified Extensible Firmware Interface (UEFI)
C Globally Unique Identifier (GUID)
D Cylinder-Head-Sector (CHS)
A

What is a lossless image format that is intended to replace older formats and is copyright- and license-free?

A BMP
B PNG
C JPEG
D GIF
B

What is the maximum single file size in the ext4 file system?

A 1 TB
B 16 TB
C 1 GB
D 16 GB
B

What is the meaning of the acronym POST?

A power-on self-test
B power-off system-test
C power-on system-test
D power-off self-test
A

What is the name of a numeral system with base 2?

A binary
B hexadecimal
C ASCII
D UNICODE
A

What is the process of recovering files from fragments and pieces of unallocated space on a hard disk in the absence of file system metadata?

A file carving
B file scraping
C file splicing
D file cleaving
A

What is the RAID level that uses block-level data striping across multiple drives and distributes the parity information among all member drives?

A RAID 0
B RAID 5
C RAID 1
D RAID 10
B

What is the RAID level which is the only level that does not implement one of the standard techniques of parity, mirroring, or striping, but uses a technique similar to striping with parity?

A RAID 2
B RAID 0
C RAID 1
D RAID 3
A

What sits between the two parts of the Linux file system architecture and provides the system call interface that connects the two parts?

A GNUC Library (glibc)
B Virtual File System (VFS)
C Kernel Space
D User Space
A

What stage of the Linux boot process initializes the system hardware and retrieves the information stored in the CMOS (Complementary Metal-Oxide Semiconductor) chip?

A POST Stage
B BIOS Stage
C Bootloader Stage
D Kernel Stage
B

What UFS file system part includes a magic number identifying the file system and vital numbers describing the file system’s geometry and statistics and behavioral tuning parameters?

A data groups
B boot blocks
C cylinder groups
D super block
D

What was developed by Remy Card as an extensible file system for Linux and is the basis for all currently shipping Linux distributions?

A Vfat
B FHS
C Ext2
D Minix
C

What was the first file system developed for Linux?

A Minix
B Ext
C FHS
D Vfat
B

Which command from The Sleuth Kit (TSK) displays general details of a file system?

A istat
B fls
C img_stat
D fsstat
D

Which command from The Sleuth Kit (TSK) lists the files and directory names in an image and can display file names of recently deleted files for the directory using the given inode?

A img_stat
B istat
C fls
D fsstat
C

Which component of the NTFS architecture is the processing mode that permits the executable code to have direct access to all the system components?

A boot sector
B kernel mode
C Master Boot Record
D user mode
B

Which field of a volume descriptor holds the standard identifier, set to CD001 on a CD-ROM that complies with the ISO 9660 standard?

A third
B fourth
C second
D first
C

Which type number in the first field of an ISO 9660 volume descriptor marks it as a volume partition descriptor?

A Number 2
B Number 0
C Number 3
D Number 1
C

Which type number in the first field of an ISO 9660 volume descriptor marks it as the volume descriptor set terminator?

A Number 2
B Number 1
C Number 255
D Number 3
C

Which file system for Linux transfers all tracks and boot images on a CD as normal files?

A CIFS
B NTFS
C CDFS
D VMFS
C

Which is a file system as well as a logical volume manager developed by Sun Microsystems?

A NTFS
B Ext
C ZFS
D HFS
C

Which item describes the following UEFI boot process phase?

The phase of EFI consisting of interpreting the boot configuration data, selecting the Boot Policy for later implementation, working with the prior phase to check if the device drivers require signature verification, loading either MBR boot code into memory for Legacy BIOS Boot or the Bootloader program from the EFI partition for UEFI Boot, and providing an option for the user to choose EFI Shell or an UEFI application as the Boot Device from the Setup.

A PEI (Pre-EFI Initialization) Phase
B BDS (Boot Device Selection) Phase
C RT (Run Time) Phase
D DXE (Driver Execution Environment) Phase
B

Which item describes the following UEFI boot process phase?

The phase of EFI consisting of initialization code the system executes after powering the system on, manages platform reset events, and sets the system state.

A BDS (Boot Device Selection) Phase
B PEI (Pre-EFI Initialization) Phase
C DXE (Driver Execution Environment) Phase
D SEC (Security) Phase
D

On a GPT disk with 512-byte sectors and the default 128 partition entries, which LBA is the first usable sector?

A LBA 36
B LBA 33
C LBA 35
D LBA 34
D

Which of the following is a 128-bit unique number, generated by the Windows OS for identifying a specific device, document, database entry, or user?

A Sequentially Unique Identifier (SQUID)
B Secondary Potential Identifier (SPUD)
C Globally Unique Identifier (GUID)
D Galaxy Unique Identifier (GUID)
C

Which of the following is the small piece of code in the first sector of a disk that the BIOS loads into memory and executes to initiate the system’s boot process?

A Master Boot Process
B Master BIOS Code
C Master Boot Code
D Master BIOS Process
C

Which of the following is NOT an advantage of SSDs over HDDs?

A non-volatile memory
B higher reliability
C faster data access
D less power usage
A

Which of the following is a consideration of HDDs but not SSDs?

A transfer time
B seek time
C access time
D RPM speed
D

Which of the following is one of the five UEFI boot process phases?

A RT Phase
B PIE Phase
C PAI Phase
D BSD Phase
A

Which of the following ISO 9660-compliant portions of a compact disc describes the location of the contiguous root directory similar to the super block of the UNIX file system?

A the primary track sector
B the secondary volume descriptor
C the primary volume descriptor
D the secondary track sector
C
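The ISO 9660 questions above (standard identifier CD001 in the second field, descriptor type numbers 0/1/2/3/255, and the primary volume descriptor pointing at the root directory) describe a layout that is easy to check by hand. The following is an added example, not material from the course or the study guide: it builds a constructed disc image in memory, then walks the volume descriptor set from sector 16 until the terminator, validating the standard identifier and decoding the fields a first look at a disc would use. It also shows how Joliet adds a supplementary (type 2) descriptor with a UCS-2 escape sequence at offset 88. The sample volume name "EVIDENCE", the sector counts and the root extents are constructed values.

```python
import struct

SECTOR = 2048                 # ISO 9660 logical sector size
DESCRIPTOR_START = 16         # the volume descriptor set begins at sector 16
STD_ID = b"CD001"             # standard identifier, bytes 1-5 of every descriptor
TYPE_NAMES = {0: "boot record", 1: "primary volume descriptor",
              2: "supplementary volume descriptor", 3: "volume partition descriptor",
              255: "volume descriptor set terminator"}
JOLIET_ESCAPES = {b"%/@": 1, b"%/C": 2, b"%/E": 3}   # UCS-2 escape sequences at offset 88


def both_endian(fmt_char, value):
    """ISO 9660 stores many numbers twice: little-endian then big-endian."""
    return struct.pack("<" + fmt_char, value) + struct.pack(">" + fmt_char, value)


def make_descriptor(type_code, volume_id=b"", escapes=b"", space_size=0, root_extent=0):
    """Construct one 2048-byte volume descriptor (sample data, not from a real disc)."""
    d = bytearray(SECTOR)
    d[0] = type_code
    d[1:6] = STD_ID
    d[6] = 1                                   # descriptor version
    if type_code in (1, 2):
        d[40:72] = volume_id.ljust(32, b" ")   # volume identifier
        d[80:88] = both_endian("I", space_size)
        d[88:120] = escapes.ljust(32, b"\x00") # escape sequences (Joliet uses these)
        d[128:132] = both_endian("H", SECTOR)  # logical block size
        root = bytearray(34)                   # root directory record
        root[0] = 34
        root[2:10] = both_endian("I", root_extent)
        root[10:18] = both_endian("I", SECTOR)
        root[25] = 0x02                        # file flags: directory
        root[32] = 1                           # file identifier length
        d[156:190] = root
    return bytes(d)


def build_sample_image():
    """System area (sectors 0-15), PVD, Joliet SVD, terminator, then padding."""
    joliet_id = "EVIDENCE".encode("utf-16-be")
    joliet_id += b"\x00 " * ((32 - len(joliet_id)) // 2)   # pad with UCS-2 spaces
    return (bytes(SECTOR * DESCRIPTOR_START)
            + make_descriptor(1, b"EVIDENCE", space_size=40, root_extent=20)
            + make_descriptor(2, joliet_id, escapes=b"%/E", space_size=40, root_extent=22)
            + make_descriptor(255)
            + bytes(SECTOR * 21))


def walk_descriptors(image):
    """Read descriptors from sector 16 until the set terminator (type 255)."""
    found = []
    sector = DESCRIPTOR_START
    while True:
        d = image[sector * SECTOR:(sector + 1) * SECTOR]
        if len(d) < SECTOR:
            raise ValueError("image ends before a set terminator was found")
        if d[1:6] != STD_ID:
            raise ValueError("sector %d: standard identifier %r is not CD001" % (sector, bytes(d[1:6])))
        type_code = d[0]
        entry = {"sector": sector, "type": type_code,
                 "name": TYPE_NAMES.get(type_code, "reserved"), "version": d[6]}
        if type_code in (1, 2):
            joliet = JOLIET_ESCAPES.get(bytes(d[88:91])) if type_code == 2 else None
            raw_id = bytes(d[40:72])
            entry["joliet_level"] = joliet
            entry["volume_id"] = (raw_id.decode("utf-16-be") if joliet else raw_id.decode("ascii")).strip()
            entry["volume_space_size"] = struct.unpack_from("<I", d, 80)[0]
            entry["logical_block_size"] = struct.unpack_from("<H", d, 128)[0]
            entry["root_dir_extent"] = struct.unpack_from("<I", d, 158)[0]
            # the big-endian copy must agree with the little-endian one, or the field is corrupt
            entry["both_endian_ok"] = struct.unpack_from(">I", d, 84)[0] == entry["volume_space_size"]
        found.append(entry)
        if type_code == 255:
            return found
        sector += 1


if __name__ == "__main__":
    for desc in walk_descriptors(build_sample_image()):
        print(desc)
```

Run against a real image by replacing build_sample_image() with the bytes of an .iso file; a descriptor whose second field is not CD001, or whose little- and big-endian copies disagree, is the first sign of a damaged or non-ISO 9660 disc.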

What are the two main objects managed dynamically in the VFS in a cached manner to enhance file system access speed?

A glibc and VFS
B entry and dinode
C dentry and inode
D User and Kernel Space
C

Which of the following Windows operating systems powers on and starts up using only the traditional BIOS-MBR method?

A Windows 7
B Windows 8
C Windows 9
D Windows 10
A

Which partition type designates the protective MBR from legacy MBR?

A 0xFF
B 0x01
C 0x00
D 0xEE
D

Which statement is true of the Master File Table (MFT) in the NTFS architecture?

A NTFS volumes do not require an entry in the MFT.
B MFT is a relational database consisting of information regarding the files and file attributes.
C Defrag utilities for NTFS volumes on Windows 2000-based systems can move MFT entries.
D The file attributes stored within MFT are non-resident attributes.
B

On Macintosh computers, which architecture utilizes Open Firmware to initialize the hardware interfaces after the BootROM performs POST?

A PowerPC
B Intel
C SPARC
D ARM
A

How many byte folder entries does the FAT file system have for every folder?

A 64
B 16
C 8
D 32
D

In MS-DOS and earlier versions of Microsoft Windows, which partition must be first and a primary partition?

A (C:)
B (B:)
C (A:)
D (D:)
A

MBR almost always refers to the partition sector of a disk also known as:

A Primary Boot Record (PBR)
B 512-byte boot sector
C 256-byte boot sector
D First Boot Record (FBR)
B

What is a standard Microsoft-developed graphics image file format used to store images on Windows operating systems?

A PNG
B BMP
C JPEG
D GIF
B

What is a standard partitioning scheme for hard disks and part of the Unified Extensible Firmware Interface?

A UEFI Partition Table (UPT)
B Universal Partition Table (UPT)
C General Partition Table (GPT)
D GUID Partition Table (GPT)
D

What is the maximum single file size in the ext3 file system?

A 16 TB
B 8 GB
C 2 GB
D 2 TB
D

What is the RAID level that executes mirroring as it duplicates drive data onto multiple drives?

A RAID 5
B RAID 0
C RAID 10
D RAID 1
D

What is the RAID level that uses byte-level striping with a dedicated parity disk to store checksums?

A RAID 1
B RAID 2
C RAID 0
D RAID 3
D

What partition holds the information regarding the operating system, system area, and other information required for booting?

A extended partition
B tertiary partition
C primary partition
D secondary partition
C

What replacement file system did Apple develop in September 1985 to support the Mac OS in its proprietary Macintosh system?

A Apple File System (APFS)
B Macintosh File System (MFS)
C Hierarchical File System (HFS)
D Boot File System (BFS)
C

What stores information about the size and shape of the ext2 file system and enables the file system manager to use and manage the file system?

A superblock
B group descriptor
C block bit map
D data block
A

What typical bootloaders for Linux allow the user to select which OS kernel to load during boot time?

A Boot Camp and Darwin
B STICH and WORM
C LILO and GRUB
D NTLDR and BCD
C

What was the first file system developed for Linux, which was released in April 1992?

A FHS
B Vfat
C Ext
D Minix
C

Which architectural layer of mobile device environments allows a mobile device to communicate with the network operator?

A client application
B network
C operating system
D GUI API
B

Which cmdlet can investigators use in Windows PowerShell to parse GPTs of both types of hard disks, including the ones formatted with either UEFI or MBR?

A Get-GPT
B Get-MBR
C Get-BootSector
D Get-PartitionTable
C

Which component of the NTFS architecture contains executable master boot code that the system BIOS loads into memory?

A boot sector
B Master Boot Record
C Ntfs.sys
D Ntldr
B

Which component of the NTFS architecture is the processing mode where an executable program or code runs?

A boot sector
B Master Boot Record
C kernel mode
D user mode
D

Which component of the NTFS architecture reads the contents of the Boot.ini file?

A Ntfs.sys
B Ntldr
C Master Boot Record
D boot sector
B

Which file system is utilized by UNIX operating systems and derived from the Berkeley Fast File System?

A HPFS
B HTFS
C ZFS
D UFS
D

Which HFS volume structure contains the Master Directory Block (MDB), which defines a wide variety of data about the volume itself?

A logical block 3
B logical block 2
C logical block 1
D logical block 4
B

Which value held by the superblock increments each time the file system is mounted and lets the system determine whether the file system needs a full check?

A revision level
B block size
C mount count
D magic number
C

Which inode field contains the pointer stating what is described?

A data blocks
B timestamp
C owner information
D mode
A

Which inode field shows when the creation occurred and the last modification?

A data blocks
B owner information
C timestamp
D mode
C

Which is a required characteristic of digital evidence?

A systematic
B reproducible
C admissible
D diagnostic
C

Which is NOT a valid type of digital evidence?

A text file
B application data
C executable file
D DNA sample
D

Which item describes the UEFI boot process phase in which the majority of the initialization occurs?

A PEI (Pre-EFI Initialization) Phase
B DXE (Driver Execution Environment) Phase
C BDS (Boot Device Selection) Phase
D RT (Run Time) Phase
B

Which LBA contains the GPT header?

A LBA 2
B LBA 3
C LBA 0
D LBA 1
D

Which of the following file systems are used for adding more descriptors to a CD-ROM’s file system sequence?

A Romeo and MDF
B ISO 9660
C ISO 13490
D Joliet and UDF
D

Which of the following is an advantage of the GPT disk layout?

A GPT allows users to partition disks larger than 2 terabytes.
B GPT partition and boot data is more secure than MBR, as MBR stores data in multiple locations across the disk.
C GPT allows users to partition disks larger than 40 gigabytes.
D MBR partition and boot data is more secure than GPT, as GPT stores data in multiple locations across the disk.
A

Which of the following is a value, measured from the start of a file or of a memory region, that is added to a base address to derive the actual address?

A OFFSET
B ASCII
C XML
D UNICODE
A

Which of the following is NOT a disk editor tool to help view file headers and important information about a file?

A Win Edit
B Disk Edit
C WinHex
D Hex Workshop
A

Which of the following is NOT one of the three Linux boot process stages?

A Kernel Stage
B Bootloader Stage
C BIOS Stage
D NTLDR Stage
D

Which of the following is NOT part of the Computer Forensics Investigation Methodology?

A Secure the evidence.
B Collect the evidence.
C Destroy the evidence.
D Assess the evidence.
C

Which of the following is one of the features added to HFS Plus?

A supports files 16 bits in length
B permits file names of 256 characters
C uses 16-bit allocation for the mapping table
D uses B-tree to store the data
D

Which of the following is one of the five UEFI boot process phases?

A PAI Phase
B PEI Phase
C BSD Phase
D PIE Phase
B

Which of the following is unique to SSDs?

A spindle
B NAND chips
C read/write heads
D platters
B

Which of the following specifications is used as a standard to define the use of file systems on CD-ROM and DVD media?

A ISO 9431
B ISO 6990
C ISO 1349
D ISO 9660
D

Which of the two parts of the Linux file system architecture has the protected memory area where processes run?

A Virtual File System (VFS)
B User Space
C GNUC Library (glibc)
D Kernel Space
B

Which of the following Perl scripts will help an investigator to access the executable image of a process?

A Lspi.pl
B Lspd.pl
C Lspm.pl
D Lpsn.pl
A

An expert witness is a __ who is normally appointed by a party to assist in the formulation and preparation of a party’s claim or defense.

A subject matter specialist
B expert in criminal investigation
C witness present at the crime scene
D expert law graduate appointed by attorney
A

Which Event Correlation Approach checks and compares all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields?

A graph-based approach
B rule-based approach
C field-based approach
D automated field correlation
D

An executive leaked the company’s trade secrets through an external drive.

What type of analysis should the investigation team perform if they can retrieve his system?

A postmortem analysis
B real-time analysis
C malware analysis
D packet analysis
A

A small law firm located in the Midwest has possibly been breached by a computer hacker who was looking to obtain information on their clientele. The law firm does not have any on-site IT employees but wants to search for evidence of the breach themselves to prevent any possible media attention.

Why would this not be recommended?

A Searching can change date/time stamps.
B Searching could possibly crash the machine or device.
C Searching creates cache files that would hinder the investigation.
D Searching for evidence themselves would not have any ill effects.
A

Adam, a forensic investigator, is investigating an attack on the Microsoft Exchange Server of a large organization. As the first step of the investigation, he examined the PRIV.EDB file and found the source from where the mail originated and the name of the file that disappeared upon execution. Now, he wants to examine the MIME stream content.

Which of the following files is he going to examine?

A PRIV.EDB
B PUB.EDB
C PRIV.STM
D gwcheck.db
C

Which of the following email headers specifies an address for mailer-generated errors, like “no such user” bounce messages (instead of the sender’s address)?

A Errors-To header
B Content-Transfer-Encoding header
C MIME-Version header
D Content-Type header
A

Jacob is a computer forensics investigator with over 10 years of experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify to the accuracy and integrity of the technical log files gathered in an investigation into computer fraud.

What is the term used for Jacob’s testimony in this case?

A authentication
B justification
C reiteration
D certification
A

Which among the following laws emphasizes the need for each federal agency to develop, document, and implement an organization-wide program to provide information security for the information systems that support its operations and assets?

A FISMA
B GLBA
C HIPAA
D SOX
A

Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?

A Physical
B Transport
C Network
D Session
A

Which among the following is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations?

A FISMA
B GLBA
C HIPAA
D SOX
D

Which among the following search warrants allows the first responder to search and seize the victim’s computer components such as hardware, software, storage devices, and documentation?

A electronic storage device search warrant
B service provider search warrant
C citizen informant search warrant
D John Doe search warrant
A

Depending upon the jurisdictional areas, different laws apply to different incidents. Which of the following laws is related to fraud and related activity in connection with computers?

A 18 U.S.C. § 1029
B 18 U.S.C. § 1030
C 18 U.S.C. § 1361
D 18 U.S.C. § 1371
B

Which Federal Rule of Evidence requires that an original recording be produced to prove the content of the recording?

A 1002
B 1003
C 1004
D 1005
A

Madison is on trial for allegedly breaking into her university’s internal network. The police raided her dorm room and seized all of her computer equipment. Madison’s lawyer is trying to convince the judge that the seizure was unfounded and baseless.

Which U.S. amendment is Madison’s lawyer trying to prove the police violated?

A the Fourth Amendment
B the Fifth Amendment
C the First Amendment
D the Tenth Amendment
A

The surface of a hard disk consists of several concentric rings known as tracks; each of these tracks has smaller partitions called disk blocks.

What is the size of each block?

A 256 bits
B 256 bytes
C 512 bits
D 512 bytes
D

Which MySQL log file contains information on server start and stop?

A error log file
B general query log files
C slow query log file
D binary log
A

Ivanovich, a forensics investigator, is trying to extract complete information about running processes from a system.

Where should he look apart from the RAM and virtual memory?

A files and documents
B application data
C swap space
D slack space
C

Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature is shown as FF D8 FF E1.

What is the file type of the image?

A JPEG
B PNG
C GIF
D BMP
A
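The file-carving question earlier on this page and the JPEG signature question just above are two sides of the same technique: identify a file by its leading bytes, then, when the file system metadata is gone, recover it from unallocated space by scanning for that header and its matching trailer. The block below is an added example and not part of the study guide or any named tool. It builds a constructed blob of filler bytes with four tiny images embedded (the image contents are placeholders, not valid renderable pictures), identifies types by signature, and carves each one out; the BMP case shows the alternative of taking the length from the header when a format has no trailer. The size limit and the signature table are assumptions chosen for the example.

```python
import re
import struct

# (type, header pattern, trailer bytes); trailer None means the size comes from the header
SIGNATURES = [
    ("jpeg", re.compile(rb"\xFF\xD8\xFF[\xDB\xE0-\xEF]"), b"\xFF\xD9"),
    ("png", re.compile(rb"\x89PNG\r\n\x1A\n"), b"IEND\xAE\x42\x60\x82"),
    ("gif", re.compile(rb"GIF8[79]a"), b"\x00\x3B"),
    ("bmp", re.compile(rb"BM"), None),
]
MAX_CARVE = 16 * 1024 * 1024   # give up on a header whose trailer is more than 16 MiB away


def identify(head):
    """Return the type implied by the first bytes of a file, or None."""
    for name, pattern, _ in SIGNATURES:
        if pattern.match(head):
            return name
    return None


def carve(blob, max_size=MAX_CARVE):
    """Header/trailer carving over raw bytes: no file system metadata is consulted."""
    found = []
    for name, pattern, trailer in SIGNATURES:
        for m in pattern.finditer(blob):
            start = m.start()
            if trailer is None:                       # BMP: total size at offset 2
                if start + 6 > len(blob):
                    continue
                size = struct.unpack_from("<I", blob, start + 2)[0]
                if size < 14 or start + size > len(blob):
                    continue                          # not a plausible BMP header
                end = start + size
            else:
                idx = blob.find(trailer, m.end())
                if idx < 0 or idx - start > max_size:
                    continue                          # no trailer: fragment, not carved here
                end = idx + len(trailer)
            found.append({"type": name, "offset": start, "size": end - start, "data": blob[start:end]})
    found.sort(key=lambda f: f["offset"])
    return found


def build_sample_blob():
    """Constructed 'unallocated space': filler bytes with four small images embedded."""
    jpeg = b"\xFF\xD8\xFF\xE1\x00\x10Exif\x00\x00" + b"\x11" * 20 + b"\xFF\xD9"   # FF D8 FF E1: Exif JPEG
    png = (b"\x89PNG\r\n\x1A\n"
           + struct.pack(">I", 13) + b"IHDR" + struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0) + b"\x90\x77\x53\xDE"
           + struct.pack(">I", 0) + b"IEND" + b"\xAE\x42\x60\x82")
    gif = b"GIF89a" + b"\x05\x00\x05\x00\x80\x00\x00" + b"\x2C" + b"\x01" * 10 + b"\x00\x3B"
    bmp = b"BM" + struct.pack("<I", 30) + b"\x01" * 24
    return (b"\x00" * 100 + jpeg + b"\xAA" * 50 + png + b"\x00" * 33
            + gif + b"\xAA" * 17 + bmp + b"\x00" * 64)


if __name__ == "__main__":
    for f in carve(build_sample_blob()):
        print(f["type"], "at offset", f["offset"], "size", f["size"], "head", f["data"][:4].hex())
```

Two practical caveats the example deliberately surfaces: a two-byte header such as "BM" will match inside unrelated data unless the length field is sanity-checked, and a header with no reachable trailer is a fragment, which header/trailer carving cannot reassemble on its own.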

Hard disk data addressing is a method of allotting addresses to each __ of data on a hard disk.

A physical block
B logical block
C operating system block
D hard disk block
A

In which RAID level will an image of the hardware RAID volume differ from images taken separately of the individual member disks?

A The images will always be identical because data is mirrored for redundancy.
B RAID 1
C RAID 0
D It will always be different.
C

NTFS uses less slack space than FAT, thus having reduced potential to hide data in the slack space. This is because:

A NTFS has lower cluster size space.
B FAT is an older and inefficient file system.
C NTFS is a journaling file system.
D FAT does not index files.
A

You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the internet to a PC in the computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a “simple backup copy” of the hard drive in the PC and put it on this drive, and requests that you examine the drive for evidence of the suspected images. You inform him that a “simple backup copy” will not provide deleted files or recover file fragments.

What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?

A bit-stream copy
B robust copy
C full backup copy
D incremental backup copy
A

When analyzing logs, it is important that the clocks on the devices on the network are synchronized.

Which protocol will help in synchronizing these clocks?

A NTP
B PTP
C Time Protocol
D UTC
A

Examination of a computer by a technically unauthorized person will almost always result in:

A rendering any evidence found inadmissible in a court of law
B rendering any evidence found admissible in a court of law
C the chain of custody being fully maintained
D completely accurate results of the examination
A

Which of the following is NOT a responsibility of the first responder?

A Share the collected information to determine the root cause.
B Determine the severity of the incident.
C Collect as much information about the incident as possible.
D Document the findings.
A

Which of the following is NOT a first response procedure?

A Crack passwords.
B Preserve volatile data.
C Take photos.
D Fill out forms.
A

Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system?

A net sessions
B net stat
C net config
D net share
A

Which of the following is NOT a part of the pre-investigation phase?

A building forensics workstation
B gathering information about the incident
C gathering evidence data
D creating an investigation team
C

Which network attack is described by the following statement?

“At least five major Russian banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries.”

A DDoS
B buffer overflow
C man-in-the-middle attack
D sniffer attack
A

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded.

What can the investigator do to prove the violation? Choose the most feasible option.

A image the disk and try to recover deleted files
B seek the help of coworkers who are eyewitnesses
C check the Windows registry for connection data (you may or may not recover)
D approach the websites for evidence
A

Which of the following registry components includes offsets to other cells as well as the LastWrite time for the key?

A security descriptor cell
B value list cell
C key cell
D value cell
C

Gill is a computer forensics investigator who has been called upon to examine a seized computer. This computer, according to the police, was used by a hacker who gained access to numerous banking institutions to steal customer information. After preliminary investigations, Gill finds in the computer’s log files that the hacker was able to gain access to these banks through the use of Trojan horses. The hacker then used these Trojan horses to obtain remote access to the companies’ domain controllers. From this point, Gill found that the hacker pulled off the SAM files from the domain controllers to then attempt to crack network passwords.

What is the most likely password-cracking technique used by this hacker to break the user passwords from the SAM files?

A brute-force attack
B dictionary attack
C syllable attack
D hybrid attack
A

The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the recycle bin, a record is added to the log file that exists in the Recycle Bin.

Which of the following files contains records that correspond to each deleted file in the Recycle Bin?

A INFO2
B INFO1
C LOGINFO2
D LOGINFO1
A

Rusty, a computer forensics apprentice, uses the command nbtstat -c while analyzing the network information in a suspect system.

What information is he looking for?

A network connections
B contents of the network routing table
C contents of the NetBIOS name cache
D status of the network carrier
C

Which of the following files stores information about a local Google Drive installation, such as user email ID, local sync root path, and client version installed?

A sync_config.db
B filecache.db
C sigstore.db
D config.db
A

Which password-cracking technique uses details such as length of the password, character sets used to construct the password, etc.?

A brute-force attack
B dictionary attack
C rule-based attack
D man-in-the-middle attack
C

What is the purpose of using Obfuscator in malware?

A avoid detection by security mechanisms
B execute malicious code in the system
C avoid encryption while passing through a VPN
D propagate malware to other connected devices
A

Which file is a sequence of bytes organized into blocks understandable by the system’s linker?

A object file
B executable file
C source file
D none of these
A

Which of the following tools creates a bit-by-bit image of an evidence media?

A Recuva
B AccessData FTK Imager
C FileMerlin
D Xplico
B

Which of the following tools enables a user to reset his or her lost admin password in a Windows system?

A SmartKey Password Recovery Bundle Standard
B Passware Kit Forensic
C Active@ Password Changer
D Advanced Office Password Recovery
C

Which of the following is a tool to reset a Windows admin password?

A TestDisk for Windows
B Windows Password Recovery Bootdisk
C R-Studio
D Windows Data Recovery Software
B

Which of the following Windows-based tools displays who is logged onto a computer, either locally or remotely?

A Tokenmon
B Process Monitor
C PSLoggedon
D TCPView
C

Which of the following application password cracking tools can discover all password-protected items on a computer and decrypt them?

A TestDisk for Windows
B Windows Password Recovery Bootdisk
C Passware Kit Forensic
D R-Studio
C

Charles has accidentally deleted an important file while working on his Mac computer. He wants to recover the deleted file, as it contains some of his crucial business secrets.

Which of the following tools will help Charles?

A Xplico
B FileSalvage
C Colasoft’s Capsa
D DriveSpy
B

Which of the following is an iOS jailbreaking tool?

A Towelroot
B Kingo Android ROOT
C One Click Root
D Redsn0w
D

Which of the following tools enables data acquisition and duplication?

A DriveSpy
B Wireshark
C Xplico
D Colasoft’s Capsa
A

Which of the following tools is used to locate IP addresses?

A Deep Log Analyzer
B SmartWhois
C Towelroot
D XRY LOGICAL
B

Which of the following tools can reverse machine code to assembly language?

A IDA Pro
B RAM Capturer
C PEiD
D Deep Log Analyzer
A

GUIDs are displayed as how many hexadecimal digits with groups separated by hyphens?

A 64
B 128
C 32
D 256
C

HFS restricts the number of allocation blocks to:

A 65,535
B 262,140
C 32,767
D 131,070
A

How many bytes does a directory entry have allotted for each file and directory in the FAT file system?

A 32
B 8
C 16
D 64
A
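The two FAT questions (32-byte entries for every file and folder) and the earlier point that deleted entries remain in the directory are easier to see with a parser in hand. This is an added example, not code from the course: it constructs a small directory of 8.3 entries, including one marked deleted by the 0xE5 first byte, then decodes names, attributes, first cluster, size and the packed FAT timestamps. The sample file names, clusters and the timestamp are constructed; long-name (VFAT) entries are skipped rather than reassembled. A small slack-space helper is included because slack is a function of the same cluster size the entry's first-cluster field refers to.

```python
import struct
from datetime import datetime

ENTRY_SIZE = 32
ATTRS = {0x01: "read_only", 0x02: "hidden", 0x04: "system",
         0x08: "volume_label", 0x10: "directory", 0x20: "archive"}
LFN_ATTR = 0x0F               # VFAT long-name entries carry all four low bits


def fat_datetime(date, time):
    """Decode the packed 16-bit FAT date and time fields (2-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def encode_fat_datetime(dt):
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time


def make_entry(name, ext, attrs, cluster, size, dt, deleted=False):
    """Build one 32-byte 8.3 entry; a deleted entry has 0xE5 as its first byte."""
    raw_name = name.encode("ascii").ljust(8)
    if deleted:
        raw_name = b"\xE5" + raw_name[1:]
    date, time = encode_fat_datetime(dt)
    # name, ext, attr, NT reserved, create tenths, create time/date, access date,
    # first cluster high, write time/date, first cluster low, size
    return struct.pack("<8s3sBBBHHHHHHHI", raw_name, ext.encode("ascii").ljust(3), attrs, 0, 0,
                       time, date, date, cluster >> 16, time, date, cluster & 0xFFFF, size)


def build_sample_directory():
    """Constructed directory: label, a live file, a deleted file, then the end marker."""
    stamp = datetime(2021, 3, 14, 15, 9, 26)
    return (make_entry("EVIDENCE", "", 0x08, 0, 0, stamp)
            + make_entry("REPORT", "DOC", 0x20, 5, 1000, stamp)
            + make_entry("SECRET", "TXT", 0x20, 9, 512, stamp, deleted=True)
            + bytes(ENTRY_SIZE))


def parse_directory(raw):
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break                           # no entries follow
        if e[11] == LFN_ATTR:
            continue                        # long-name piece, skipped in this example
        deleted = e[0] == 0xE5
        name = (b"?" + e[1:8] if deleted else e[0:8]).decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        (crt_time, crt_date, acc_date, hi, wrt_time, wrt_date, lo, size) = struct.unpack_from("<HHHHHHHI", e, 14)
        entries.append({"name": name + ("." + ext if ext else ""), "deleted": deleted,
                        "attributes": [n for bit, n in ATTRS.items() if e[11] & bit],
                        "first_cluster": (hi << 16) | lo, "size": size,
                        "created": fat_datetime(crt_date, crt_time),
                        "modified": fat_datetime(wrt_date, wrt_time)})
    return entries


def slack_bytes(size, cluster_size):
    """Bytes left unused in the last cluster of a file of the given size."""
    return (-size) % cluster_size


if __name__ == "__main__":
    for entry in parse_directory(build_sample_directory()):
        print(entry)
    print("slack for a 1000-byte file in 4 KiB clusters:", slack_bytes(1000, 4096))
```

The deleted entry keeps its extension, size, first cluster and timestamps; only the first character of the name is overwritten, which is why a FAT directory listing with deleted entries still gives an examiner a starting cluster to recover from.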

How many bytes is each partition entry in GPT?

A 512
B 128
C 1,024
D 256
B

The UEFI assigns how many bytes for the Partition Entry Array?

A 16,384
B 65,536
C 32,768
D 8,192
A
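Several questions on this page describe the GPT on-disk layout: a protective MBR at LBA 0 whose single partition has type 0xEE, the GPT header at LBA 1 beginning with "EFI PART", 128-byte partition entries, a 16,384-byte partition entry array, and LBA 34 as the first usable sector when the sectors are 512 bytes. The block below is an added example, not code from the course or from the PowerForensics cmdlets mentioned earlier: it builds a constructed disk image with those structures and then parses it back, verifying both CRC32 checksums the header carries. The partition and disk GUIDs and the "Evidence" label are constructed values; the type GUID is the well-known Microsoft basic data identifier.

```python
import struct
import uuid
import zlib

SECTOR = 512                    # logical block size assumed here (512 bytes)
GPT_SIGNATURE = b"EFI PART"     # first 8 bytes of the GPT header at LBA 1
PROTECTIVE_TYPE = 0xEE          # MBR partition type that marks a protective MBR
HEADER_FMT = "<8sIII4xQQQQ16sQIII"   # 92-byte GPT header
ENTRY_FMT = "<16s16sQQQ72s"          # 128-byte partition entry


def build_sample_disk(num_sectors=128):
    """Construct a minimal GPT disk image (constructed sample, not a real disk)."""
    disk = bytearray(SECTOR * num_sectors)
    # LBA 0: protective MBR with one 0xEE entry spanning LBA 1 to the end, plus 0x55AA.
    disk[446:462] = struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00",
                                PROTECTIVE_TYPE, b"\xFF\xFF\xFF", 1, num_sectors - 1)
    disk[510:512] = b"\x55\xAA"
    # LBA 2..33: partition entry array, 128 entries x 128 bytes = 16,384 bytes.
    entries = bytearray(128 * 128)
    type_guid = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # Microsoft basic data
    part_guid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed
    entries[0:128] = struct.pack(ENTRY_FMT, type_guid.bytes_le, part_guid.bytes_le,
                                 34, num_sectors - 34, 0, "Evidence".encode("utf-16-le"))
    disk[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    # LBA 1: GPT header; its CRC field is computed with itself zeroed.
    disk_guid = uuid.UUID("0F0E0D0C-0B0A-0908-0706-050403020100")  # constructed
    header = bytearray(struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, 0,
                                   1, num_sectors - 1, 34, num_sectors - 34,
                                   disk_guid.bytes_le, 2, 128, 128, zlib.crc32(bytes(entries))))
    header[16:20] = struct.pack("<I", zlib.crc32(bytes(header)))
    disk[SECTOR:SECTOR + len(header)] = header
    return disk


def parse_protective_mbr(disk):
    """Check the 0x55AA boot signature and look for a 0xEE entry in the four MBR slots."""
    if bytes(disk[510:512]) != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature at LBA 0")
    types = [disk[446 + 16 * i + 4] for i in range(4)]
    return {"partition_types": types, "protective": PROTECTIVE_TYPE in types}


def parse_gpt_header(disk, lba=1):
    """Decode the GPT header at the given LBA and verify both CRC32 checksums."""
    raw = bytes(disk[lba * SECTOR:(lba + 1) * SECTOR])
    (sig, revision, hdr_size, hdr_crc, current_lba, backup_lba, first_usable, last_usable,
     disk_guid, entry_lba, n_entries, entry_size, array_crc) = struct.unpack_from(HEADER_FMT, raw)
    if sig != GPT_SIGNATURE:
        raise ValueError("no 'EFI PART' signature at LBA %d" % lba)
    zeroed = raw[:16] + b"\x00\x00\x00\x00" + raw[20:hdr_size]
    array = bytes(disk[entry_lba * SECTOR:entry_lba * SECTOR + n_entries * entry_size])
    return {
        "revision": revision,
        "header_crc_ok": zlib.crc32(zeroed) == hdr_crc,
        "current_lba": current_lba, "backup_lba": backup_lba,
        "first_usable_lba": first_usable, "last_usable_lba": last_usable,
        "disk_guid": str(uuid.UUID(bytes_le=disk_guid)),
        "entry_lba": entry_lba, "num_entries": n_entries, "entry_size": entry_size,
        "entry_array_bytes": n_entries * entry_size,
        "entry_array_crc_ok": zlib.crc32(array) == array_crc,
    }


def list_partitions(disk, header):
    """Walk the partition entry array and return the entries whose type GUID is not zero."""
    found = []
    for i in range(header["num_entries"]):
        off = header["entry_lba"] * SECTOR + i * header["entry_size"]
        type_guid, part_guid, first, last, attrs, name = struct.unpack_from(ENTRY_FMT, disk, off)
        if type_guid == b"\x00" * 16:
            continue
        found.append({"index": i,
                      "type_guid": str(uuid.UUID(bytes_le=type_guid)),
                      "unique_guid": str(uuid.UUID(bytes_le=part_guid)),
                      "first_lba": first, "last_lba": last, "attributes": attrs,
                      "name": name.decode("utf-16-le").rstrip("\x00")})
    return found


if __name__ == "__main__":
    image = build_sample_disk()
    print(parse_protective_mbr(image))
    hdr = parse_gpt_header(image)
    print({k: hdr[k] for k in ("header_crc_ok", "entry_array_crc_ok", "first_usable_lba", "entry_array_bytes")})
    for p in list_partitions(image, hdr):
        print(p)
```

On a real image, parse_gpt_header(disk, lba=header["backup_lba"]) reads the backup header at the last sector; comparing the two, and checking both CRCs, is how an examiner tells a damaged primary header from a deliberately edited one.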

Which of the following Windows operating systems powers on and starts up using only the traditional BIOS-MBR method?

A Windows Vista
B Windows 9
C Windows 8
D Windows 10
A

What component of a typical FAT32 file system contains a Volume Boot Record that comprises the BIOS Parameter Block (BPB) including basic file system information, such as file system type, pointers to the position of the other sections, and the OS’s boot loader code?

A Boot Sector
B FAT Area
C Data Area
D Reserved Area
D

What component of a typical FAT32 file system contains duplicates of the File Allocation Table to help the system check for empty or idle spaces, and contains detailed information about clusters and their contents, including files and directories?

A FAT Area
B Reserved Area
C Boot Sector
D Data Area
A

What information held by the superblock allows the mounting software to verify the superblock for the EXT2 file system?

A magic number
B block size
C mount count
D revision level
A

What is a CompuServe-generated format from 1987 that uses lossless data compression techniques, maintaining the visual quality of the image?

A JPEG
B PNG
C GIF
D BMP
C

What is a digital forensics platform and graphical interface to TSK and other digital forensics tools?

A autofornscs
B autopsy
C autoinspct
D autospy
B

What is a form of error correcting code (ECC) used to help calculate the redundant bits in a RAID 2?

A hamming codes
B striping
C turking codes
D mirroring
A

What is a hard disk’s first sector that specifies the location of an operating system for the system to load into the main storage?

A Primary Boot Record (PBR)
B First Boot Record (FBR)
C Secondary Boot Record (SBR)
D Master Boot Record (MBR)
D

What is a method of lossy compression for digital images that allows users to adjust the degree of compression?

A PNG
B BMP
C GIF
D JPEG
D

What is an advantage FAT32 has over FAT16?

A denies disabling repetitions of the allocation table
B supports larger disks and has better storage
C utilizes space 50% more effectively
D restricts the quantity of root folder entries
B

What is NOT a benefit of the RAID array?

A maintains a large amount of data storage
B maintains a high cost due to the number of disks
C achieves greater reliability through data redundancy
D achieves a greater level of input/output performance
B

What is the basic building block in the ext2 file system?

A directory
B bitmap
C inode
D table
C

What is the last addressable block where negative addressing of the logical blocks starts from the end of the volume in GPT?

A -255
B -1
C 0
D 255
B

What is the name of a numeral system with base 10?

A binary
B hexadecimal
C decimal
D ASCII
C

What is the name of a numeral system with base 16?

A hexadecimal
B ASCII
C UNICODE
D binary
A

What is the proprietary Microsoft Office spreadsheet file extension used in Excel?

A PDF
B XLS/XLSX
C RTF
D TXT
B

Which answer best describes flash memory?

A Flash memory is a non-volatile electronically erasable and reprogrammable storage medium.
B Flash memory is a volatile electronically erasable and reprogrammable storage medium.
C Flash memory is more expensive and less efficient than other storage devices.
D Flash memory is used in all SCSI hard drives.
A

Which command from The Sleuth Kit (TSK) displays the details associated with an image file?

A img_stat
B fsstat
C fls
D istat
A

Which commands help create MBR in Windows and DOS operating systems?

A CD/DIR
B IP/IFCONFIG
C RARP/ARP
D FDISK/MBR
D

Which component of the NTFS architecture is a bootable partition that stores data related to the layout of the volume and the file system structures?

A Ntfs.sys
B Master Boot Record
C boot sector
D Ntldlr.dll
C

Which field type in a volume descriptor refers to a boot record?

A Number 2
B Number 3
C Number 0
D Number 1
C

Which HFS volume structure is one of the boot blocks, which includes system startup information?

A logical block 1
B logical block 2
C logical block 4
D logical block 3
A

Which LBA stores the protective MBR?

A LBA 2
B LBA 3
C LBA 0
D LBA 1
C

Which logical drive holds the information regarding the data and files that are stored in the disk?

A extended partition
B primary partition
C secondary partition
D tertiary partition
A

Which of the following is a data structure situated at sector 1 in the volume boot record of a hard disk to explain the physical layout of a disk volume?

A Boot Parameter Block (BPB)
B BIOS Parameter Block (BPB)
C Primary Sequential Sector (PSS)
D Primary Reserved Sector (PRS)
B

Which of the following is NOT used in the calculation of HDD density?

A area density
B bit density
C block density
D track density
C

Which of the following is one of the five UEFI boot process phases?

A PAI Phase
B PIE Phase
C BDS Phase
D BSD Phase
C

Which of the following is the correct number of bytes reserved at the beginning of a CD-ROM for booting a computer?

A 16,384
B 32,768
C 512
D 256
B

Which of the following items is used to describe the characteristics of the file system information present on a given CD-ROM?

A volume descriptor
B POSIX attribute
C track header
D boot sector
A

Which of the following UNIX/Linux commands can be used to help back up and restore the MBR?

A BB
B FDISK
C DD
D CP
C

Which Windows operating system powers on and starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method?

A Windows 10
B Windows 7
C Windows Vista
D Windows XP
A

Web Application Threats – 1
Most security breaches occur in web applications, rather than in web servers, as web applications might contain bugs due to coding issues in the development phase. Consequently, web applications are prone to various types of threats, some of which are outlined below:

▪ Injection Flaws

Injection flaws are the most common application vulnerabilities that allow untrusted user-supplied data to be interpreted and executed as a command or query. The attackers inject malicious code, commands, or scripts into the input gates of flawed web applications in such a manner that the applications interpret and run with the newly supplied malicious input, which in turn allows the attackers to extract sensitive information. Such injection flaws are commonly found in SQL, NoSQL, and LDAP queries as well as OS commands. Injection flaws were regarded as the topmost security vulnerability in web applications in 2017 by the Open Web Application Security Project (OWASP).

▪ SQL Injection

In this type of attack, the attacker injects malicious SQL commands or queries as input data. This helps them bypass the security measures of the web application and retrieve sensitive content from the database server.

▪ Cross Site Scripting

In this type of attack, the attackers bypass the client’s ID security mechanisms and gain access privileges. Subsequently, they inject malicious scripts into specific fields in the web pages. These malicious XSS scripts can rewrite the HTML content of a website, hijack user sessions or redirect users to malicious websites, and deface websites. XSS is one of OWASP’s top 10 web application security vulnerabilities for 2017.

▪ Cross Site Request Forgery

In this attack method, an authenticated user is made to perform certain tasks on the web application that are chosen by an attacker. For example, an attacker can make a user click on a particular link sent via email or chat.

▪ Broken Access Control

This is a method in which an attacker identifies a flaw in access-control policies and exploits it to bypass the authentication mechanism. This enables the attacker to gain access to sensitive data, modify access rights, or operate accounts of other users. This is a part of the 2017 OWASP top 10 security vulnerabilities.

▪ Broken Authentication

Attackers exploit implementation flaws in the authentication and session management functions of a web application to obtain administrative privileges or impersonate other users. Common vulnerable areas include timeouts, secret questions, and password management. Broken authentication is one of OWASP’s top 10 web application security vulnerabilities for 2017.

▪ Buffer Overflow

The buffer overflow of a web application occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites adjacent memory locations. There are multiple forms of buffer overflow, including heap buffer overflows and format string attacks. The purpose of these attacks is to corrupt the execution stack of the web application.

▪ Cookie Poisoning

Cookie poisoning refers to the modification of a cookie for bypassing security measures or gaining unauthorized access to information. In this type of attack, the attackers bypass the authentication process by altering the information present inside a cookie. Once the attackers gain control over a network, they can modify its content, use the system for a malicious attack, or steal information from the users’ systems.

▪ Sensitive Data Exposure

Sensitive information, such as account records, credit-card numbers, passwords, or other authenticated information are generally stored by web applications either in a database or on a file system.

If the developers make any mistakes while enforcing encryption techniques on a web application or ignore the security aspects of some parts of the application, attackers can easily exploit those flaws to gain unauthorized access to sensitive information. Sensitive data can be exploited and misused by both insiders and outsiders to perform identity theft, credit-card fraud, and other cybercrimes. This threat is included in OWASP top 10 security vulnerabilities for 2017.

▪ Information Leakage

Information leakage refers to a flaw in a web application where the application unintentionally reveals sensitive information to an unauthorized user. Such information leakage can cause great losses to a company.

Hence, the company needs to employ proper content filtering mechanisms to protect all its information or data sources, such as systems or other network resources, from information leakage.

▪ Improper Error Handling

This threat arises when a web application is unable to handle internal errors properly. In such cases, the website returns information, such as database dumps, stack traces, and error codes, in the form of errors.

▪ Insufficient Logging & Monitoring

Log files keep records of the actions and events that occur while an application/service is running. This vulnerability occurs when the logs do not record security-critical events or provide unclear warnings or error messages. The lack of log monitoring or the maintenance of logs at insecure locations greatly increases the chance of a major security incident. Moreover, insufficient logging and monitoring practices leave no audit trail for forensic analysis, making the detection of any malicious behavior exceedingly difficult for forensic investigators. It is one of 2017 OWASP’s top 10 web application security vulnerabilities.

▪ Path/Directory Traversal

When attackers exploit HTTP by using directory traversal, they gain unauthorized access to directories, following which they may execute commands outside the web server’s root directory.

▪ Parameter/Form Tampering

This type of tampering attack aims at manipulating the communication parameters exchanged between a client and server to make changes in application data, such as user IDs and passwords, event logs, or the cost and quantity of products.

In order to improve the functionality and control of the application, the system collects such information and stores it in hidden form fields, cookies, or URL query strings.

Hackers use tools such as WebScarab and Paros proxy to launch this type of attack. Successful exploitation might lead to other attacks such as file inclusion and XSS.

▪ Denial-of-Service (DoS)

A denial of service (DoS) attack aims at terminating the operations of a website or server by making its resources unavailable to clients. For example, a DoS attack may shut down the functioning of a website related to banking or an email service for a few hours or even days, resulting in the loss of both time and money.

▪ Unvalidated Input

In this type of attack, attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, query strings, etc. to bypass security measures in a system. User login IDs and other related data get stored in cookies, which become a source of attacks. Examples of attacks that exploit unvalidated input include SQL injection, cross-site scripting (XSS), and buffer overflows.

▪ Security Misconfiguration

The lack of a repeatable security-hardening process at any layer of the application stack, which includes web servers, databases, frameworks, host OSes, application servers, and storage devices, can lead to a security misconfiguration vulnerability.

The use of default configurations, passwords, or out-of-date software can increase the risk of an attack. This is included in OWASP 2017 top 10 security vulnerabilities.

▪ Log Tampering

Web applications maintain logs to track usage patterns, such as admin login credentials and user login credentials. Attackers usually inject, delete, or tamper with the web application logs to engage in malicious activities or hide their identities.

Computer forensics
refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment that is acceptable in a court of law.

Cybercrime is defined
as any illegal act involving a computing device, network, its systems, or its applications. It is categorized into two types based on the line of attack: internal attacks and external attacks.

Computer crimes
pose new challenges for investigators due to their speed, anonymity, the volatile nature of evidence, the global origin of the crimes and differences in laws, and limited legal understanding.

Approaches to manage cybercrime investigations include
civil, criminal, and administrative approaches

Digital evidence is
“any information of probative value that is either stored or transmitted in a digital form”. It is of two types: volatile (lost when power is switched off) and non-volatile (unaffected by switching power off).

Forensic readiness refers to
an organization’s ability to optimally use digital evidence in a limited period of time and with minimal investigation costs. Helps maintain Business Continuity. Practice Drills.

Plan:

  1. Identify the potential evidence required.
  2. Determine the source.
  3. Define policy.
  4. Establish policy.
  5. Identify if a full/formal investigation is required.
  6. Create a process for documenting the procedure.
  7. Legal advisory board.
  8. Keep the incident response team ready.

Forensic readiness includes technical and non-technical actions that maximize an organization’s competence to use digital evidence.

Organizations often include computer forensics as part of their
incident response plan to track and prosecute the perpetrators of an incident

Which of the following is true regarding computer forensics?

Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.

Which of the following is not an objective of computer forensics?

Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack.

What is not an impact of cybercrime?

Huge financial gain

Which of the following is true of cybercrimes?

Investigators, with a warrant, have the authority to forcibly seize the computing devices.

Which of the following is true of civil crimes?

The initial reporting of the evidence is generally informal.

Which of the following is a user-created source of potential evidence?

Address book

Which of the following is a computer-created source of potential evidence?

Steganography

Under which of the following conditions will duplicate evidence not suffice?

When original evidence is in possession of the originator

Rules
Rule 101: Scope (in US)

Rule 102: Purpose (truth & Just)

Rule 103: Rulings on Evidence

Rule 104: Preliminary Questions

Rule 105: Limited Admissibility(proper scope)

Rule 502: Attorney-Client Privilege and Work Product; Limitations on Waiver

Rule 608: A Witness’s Character for Truthfulness or Untruthfulness

Rule 609: Impeachment by Evidence of a Criminal Conviction

Rule 614: Court’s Calling or Examining a Witness

Rule 701: Opinion Testimony by Lay Witnesses

Rule 705: Disclosing the Facts or Data Underlying an Expert’s Opinion

Rule 801: Definitions That Apply to This Article; Exclusions from Hearsay

Rule 803: Exceptions to the Rule Against Hearsay–Regardless of Whether the Declarant is Available as a Witness

Rule 804: Exceptions to the Rule Against Hearsay–When the Declarant is Unavailable as a Witness

Rule 901: Authenticating or Identifying Evidence

Rule 1001: Definitions that apply to this article

Rule 1002: Requirement of the Original

Rule 1003: Admissibility of Duplicates

Rule 1004: Admissibility of Other Evidence of Content

Minimizing the tangible and intangible losses to the organization or an individual is considered an essential computer forensics use.

True

Cybercrimes can be classified into the following two types of attacks, based on the line of attack.

Internal and external

Espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks are examples of what?

Insider attacks or primary threats

External attacks originate from outside of an organization or can be remote in nature. Such attacks occur when
there are inadequate information-security policies and procedures.

Which type of cases involve disputes between two parties?

Civil cases involve disputes between two parties, which may include an individual versus a company, an individual versus another individual, or one company versus another.

__ is the standard investigative model used by the FBI when conducting investigations against major criminal organizations.

Enterprise Theory of Investigation (ETI)

Gramm-Leach-Bliley Act (GLBA)
requires companies that offer financial products or services to protect customer information against security threats

protects customers’ sensitive data by requiring financial institutions to inform their customers of their information-sharing practices

Investigators can immediately take action after receiving a report of a security incident.

False

Investigators cannot jump into action immediately after receiving a complaint or report of a security incident, but they have to follow a specific protocol that includes gathering of plaintiff information, type of incident, and obtaining permission and warrants for taking further action.

Computer Forensics Tool Testing Program (CFTT)

methodology for testing computer forensics software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware

(Digital Data Storage) The disk drive is a hardware device that reads data from a disk and writes onto another computer disk. Types of disk drives include:
magnetic storage devices, optical storage devices, and flash memory devices.

The logical structure of a hard disk is
the file system and software utilized to control access to the storage on the disk.

SSD is a data storage device that uses
solid-state flash memory to store data and provides access to the stored data in the same manner as an HDD; however, SSDs are significantly faster than HDDs.

Booting refers to
the process of starting or restarting OSes when the user turns on a system. It is of two types: Cold boot (Hard boot) and Warm boot (Soft boot).

A file system is a
set of data types employed for storage, hierarchical categorization, management, navigation, access, and data recovery.

Tools such as Autopsy and The Sleuth Kit can be used to
analyze files of various file systems.

RAID and JBOD storage systems contain
multiple hard disks and maintain large amounts of data; they help in decreasing the loss of data in case of the failure of a single disk.

hex editors
Files of different formats can be analyzed using tools such as hex editors to understand the original format of the file (in case the file has been tampered with).

First field in a volume descriptor
Number 0: indicates that the volume descriptor is a boot record

Number 1: indicates that the volume descriptor is a primary volume descriptor

Number 2: indicates that the volume descriptor is a supplementary volume descriptor

Number 3: indicates that the volume descriptor is a volume partition descriptor

Number 255: indicates that the volume descriptor is a volume descriptor set terminator

Disk Partitions
Primary partition: It is the drive that holds information regarding the OS, the system area, and other information required for booting.

Extended partition: It is the logical drive that holds information regarding the data and files stored on the disk.

Booting Process
▪ Cold booting: This process occurs when the user first turns on the computer. Also called hard booting, this is required after the user completely cuts the power supply to the system.

▪ Warm booting: This process occurs when the user restarts the computer via the OS.

Windows XP, Vista, and 7 OSes power on and start up using the conventional BIOS-MBR method.

Windows 8 and later versions use the newer UEFI-GPT method

basic partitioning tools

DiskPart displays details about GPT partition tables in Windows OS

Mac systems use the OS X Disk utility

Linux uses the GNU Parted tool.

Linux Boot Process
▪ – initializes the system hardware, POST happens
▪ Bootloader stage – loading the Linux kernel and optional initial RAM disk
▪ Kernel stage

FAT Partition Boot Sector

  • first sector (512 bytes) of a FAT file system
  • holds data used by the file system to access the partition or volume
  • contains the code needed to load the operating system kernel files

FAT12 – 1.5 Bytes per cluster, limit 4087 clusters.

FAT16 – 2 Bytes per cluster, limit 4087 – 65,256 clusters.

FAT32 – 4 Bytes per cluster, limit 65,526 – 268,435,456 clusters.

NTFS Architecture
▪ Hard disk: It is comprised of at least one partition

▪ Master Boot Record: It contains executable master boot code that the computer system BIOS loads into memory; this code is used to scan the Master Boot Record to locate the partition table to find out which partition is active/bootable

▪ Boot sector: Also known as the volume boot record (VBR), it is the very first sector of an NTFS file system and stores the boot code and other information, such as the type, location, and size of data in the NTFS file system

▪ Ntldlr.dll: As a boot loader, it accesses the NTFS filesystem and loads contents of the boot.ini file

▪ Ntfs.sys: It is a computer system file driver for NTFS

▪ Kernel mode: It is the processing mode that permits the executable code to have direct access to all the system components

▪ User mode: It is the processing mode in which an executable program or code runs

▪ Many system files are stored in the root directory of an NTFS volume; these files contain file-system metadata.

▪ Now the standard file system: improvements over FAT in performance, reliability, and disk space utilization, as well as security access-control lists and file system journaling (resilience to errors).

The superblock holds the following information:
▪ Magic number: It allows the mounting software to verify the Superblock for the ext2 file system. For the present ext2 version, it is 0xEF53.
▪ Revision level: The major and minor revision levels allow the mounting code to determine whether a file system supports features that are only available in particular revisions of the file system. There are also feature compatibility fields that help the mounting code in determining which new features can safely be used on the file system.
▪ Mount count and maximum mount count: Together, these allow the system to determine if it needs to fully check the file system. The mount count is incremented each time the system mounts the file system. When the mount count reaches the maximum mount count, the warning message “maximal mount count reached, running e2fsck is recommended” is displayed.
▪ Block group number: It is the block-group number containing the superblock copy
▪ Block size: It contains information on the size of a block for the file system in bytes
▪ Blocks per group: It is a fixed number equal to the number of blocks in a group
▪ Free blocks: It is the number of free blocks in the file system
▪ Free inodes: It is the number of free inodes in the file system
▪ First inode: It is the inode number of the first inode of the file system
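To make the superblock fields above concrete, the following Python parser (an added example, not part of the course material) reads the primary ext2 superblock from a raw volume image, verifies the 0xEF53 magic number the way the mounting code does, derives the block size, and applies the mount-count check described above. The byte offsets follow the on-disk ext2 layout; the volume image it runs against is constructed inline, with sample counts chosen only for illustration.

```python
import struct

# ext2 places its primary superblock 1024 bytes into the volume (after the boot area).
SUPERBLOCK_OFFSET = 1024
EXT2_SUPER_MAGIC = 0xEF53      # s_magic for every ext2/3/4 volume
EXT2_VALID_FS = 1              # s_state: file system was cleanly unmounted
EXT2_ERROR_FS = 2              # s_state: errors were detected

# On-disk layout of the first 92 bytes of the superblock, little-endian:
#   0-51  thirteen u32 counters (inodes, blocks, reserved, free blocks, free inodes,
#         first data block, log block size, log frag size, blocks/frags/inodes per
#         group, mount time, write time)
#  52-63  s_mnt_count, s_max_mnt_count (signed), s_magic, s_state, s_errors,
#         s_minor_rev_level
#  64-79  s_lastcheck, s_checkinterval, s_creator_os, s_rev_level
#  80-83  s_def_resuid, s_def_resgid
#  84-91  s_first_ino, s_inode_size, s_block_group_nr
_SB_HEAD = struct.Struct("<13IHhHHHHIIIIHHIHH")


def parse_superblock(image: bytes) -> dict:
    """Parse the primary ext2 superblock of a raw volume image.

    Raises ValueError when the magic number does not verify, which is the
    check the mounting code performs before trusting any other field.
    """
    raw = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + _SB_HEAD.size]
    if len(raw) < _SB_HEAD.size:
        raise ValueError("image too small to contain an ext2 superblock")
    f = _SB_HEAD.unpack(raw)
    magic = f[15]
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError(f"bad superblock magic 0x{magic:04X}, "
                         f"expected 0x{EXT2_SUPER_MAGIC:04X}")

    mnt_count, max_mnt_count = f[13], f[14]
    rev_level, minor_rev = f[22], f[18]
    # Revision 0 fixes the first non-reserved inode at 11 and the inode size at
    # 128 bytes; revision 1 (dynamic) stores both in the superblock.
    first_ino = f[25] if rev_level >= 1 else 11
    inode_size = f[26] if rev_level >= 1 else 128
    return {
        "magic": magic,
        "block_size": 1024 << f[6],      # s_log_block_size is a shift, not bytes
        "revision": (rev_level, minor_rev),
        "mount_count": mnt_count,
        "max_mount_count": max_mnt_count,
        # A maximum of 0 or -1 disables the count-based check (as tune2fs -c 0 does).
        "fsck_recommended": max_mnt_count > 0 and mnt_count >= max_mnt_count,
        "state": "clean" if f[16] == EXT2_VALID_FS else "dirty",
        "block_group_nr": f[27],
        "blocks_per_group": f[8],
        "free_blocks": f[3],
        "free_inodes": f[4],
        "first_inode": first_ino,
        "inode_size": inode_size,
    }


def build_sample_image(mnt_count=20, max_mnt_count=20, magic=EXT2_SUPER_MAGIC,
                       log_block_size=0, state=EXT2_VALID_FS) -> bytes:
    """Constructed 2 KiB volume image: zeroed boot area followed by a rev-1 superblock."""
    head = _SB_HEAD.pack(
        1024, 4096, 204, 3000, 1000,      # inodes, blocks, reserved, free blocks, free inodes
        1 if log_block_size == 0 else 0,  # first data block is 1 only for 1 KiB blocks
        log_block_size, log_block_size, 8192, 8192, 1024, 0, 0,
        mnt_count, max_mnt_count, magic, state, 1, 0,
        0, 0, 0, 1,                       # lastcheck, checkinterval, creator_os, rev_level
        0, 0, 11, 128, 0,                 # resuid, resgid, first_ino, inode_size, group nr
    )
    superblock = head + bytes(1024 - len(head))
    return bytes(SUPERBLOCK_OFFSET) + superblock


if __name__ == "__main__":
    sb = parse_superblock(build_sample_image())
    for key, value in sb.items():
        print(f"{key:>16}: {value}")
    # fsck_recommended is True here: mount count 20 has reached the maximum of 20
```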

Extended File System (ext)

The ext file system provides a maximum partition size of 2 GB and a maximum filename length of 255 characters. The major limitation of this file system is that it does not offer support for separate access, inode modification, and data modification timestamps. It keeps an unsorted list of free blocks and inodes, which led to fragmentation of the file system.

Second Extended File System (ext2)

  • ext2 is a standard file system that uses improved algorithms compared to ext, which greatly enhances its speed; further, it maintains additional time stamps. It maintains a special field in the superblock that keeps track of the file system status and identifies it as either clean or dirty
  • Its major shortcomings are the risk of file system corruption when writing to ext2, and the lack of journaling
  • Directory files contain the list of directory entries with the following information: directory inode, length of the filename, and name of the directory

Third Extended File System (ext3)
Developed by Stephen Tweedie in 2001

  • ext3 is a journaling version of the ext2 file system and is greatly used in the Linux OS
  • It is an enhanced version of the ext2 file system
  • It uses file system maintenance utilities (such as fsck) for maintenance and repair, as in the ext2 file system
  • The following command converts ext2 to ext3 file system: # /sbin/tune2fs -j

Features of Ext3

▪ Data integrity: It provides stronger data integrity for events that occur because of computer-system shutdowns. It allows the user to choose the type and level of protection for the received data.

▪ Speed: As the ext3 file system is a journaling file system, it has a higher throughput in most cases than ext2. The user can choose the optimized speed from three different journaling modes.

▪ Easy transition: The user can easily change the file system from ext2 to ext3 and increase the performance of the system by using the journaling file system without reformatting

Hierarchical File System Plus (HFS+)
HFS Plus (HFS+) is the successor to HFS and is a primary file system in Macintosh.

  • It is also called Mac OS Extended (HFS Extended) and is one of the formats used in the Apple iPod.
  • It supports large files and uses Unicode for naming files and folders. The following are a few of the features added to HFS+:

▪ HFS+ uses B-tree to store data

▪ It supports files 64 bits in length

▪ It permits filenames 255 characters in length

▪ It uses a 32-bit allocation table for the mapping table, unlike the 16-bit allocation table in HFS

  • HFS+ enables the following:

▪ Efficient use of hard disk space

▪ Use of only international-friendly filenames

▪ Easy booting on non-Mac OSes

  • Also called Mac OS Extended (HFS Extended), HFS+ is the file system used in some Apple iPods as well

Mac OS X File Systems
UNIX File System:
A UFS file system is composed of the following parts:
▪ A few blocks at the beginning of the partition reserved for boot blocks, which must be initialized separately from the file system
▪ A superblock, including a magic number identifying the file system as UFS, and some other vital numbers describing this file system’s geometry, statistics, and behavioral tuning parameters
▪ A collection of cylinder groups, each of which has the following components:
o A backup copy of the superblock
o A cylinder group header with statistics, free lists, etc., which is similar to those in the superblock
o Numerous inodes, each containing file attributes
o Numerous data blocks

Hierarchical File System

  1. Logical blocks 0 and 1 of the volume are the boot blocks, which include system startup information such as the names of the system and shell files, which are loaded at startup.
  2. Logical block 2 contains the Master Directory Block (MDB). The MDB contains a wide variety of data about the volume itself, such as the date and timestamps of creation of the volume; the location of other volume structures, such as the volume bitmap; and the size of logical structures, such as allocation blocks. A duplicate of the MDB called the Alternate Master Directory Block (Alternate MDB) is located at the opposite end of the volume in the second-to-last logical block. The Alternate MDB is mainly intended for use by disk utilities and is only updated when either the Catalog File or Extents Overflow File grows in size.
  3. Logical block 3 is the starting block of the volume bitmap, which keeps track of the allocation blocks in use and those that are free. A bit in the map represents each allocation block on the volume. If the bit is set, then the block is in use; else, the block is free.
  4. The Extents Overflow File is a B*-tree including extra extents that store information about the files and the allocation blocks allocated to them, after the system uses the initial three extents in the Catalog File. Later versions also added the ability for the Extents Overflow File to store extents that record bad blocks to prevent a machine from attempting to write to them.
  5. The Catalog File is another B*-tree that holds records for all the files and directories stored in the volume. It stores four types of records. Each file consists of a file thread record and a file record, while each directory contains a directory thread record and a directory record. A unique catalog node ID helps in finding the files and directories in the Catalog File.

JPEG
The JPEG (Joint Photographic Experts Group) is a commonly used method to compress photographic images. It uses a compression algorithm to minimize the size of

BMP
The Bitmap (BMP) is a standard file format for a Windows Device Independent Bitmap (DIB) file. The size and color of these images can vary from 1 bit per pixel (black and white) to 24-bit color (16.7 million colors)

Every bitmap file contains the following data structures:
▪ File header: The first part of a bitmap file is the header, which includes data about the type, size, and layout of the file
▪ Information header: It is a header component that contains the dimensions, compression type, and color format of the bitmap
▪ RGBQUAD array: It is a color table that comprises the array of elements equal to the colors present in the bitmap; this color table does not support bitmaps with 24-bit color, as each pixel is represented by 24-bit RGB values in the actual bitmap
▪ Image data: It is an array of bytes that contains bitmap image data; image data comprises color and shading information for each pixel

Optical storage
devices are electronic storage media that store and read the data in the form of binary values using a laser beam

The command “fsstat” displays the details associated with
a file system. The output of this command is file system specific.

Raw format (bit-by-bit copy)
refers to a bit-by-bit copy of the suspect drive. Images in this format are usually obtained by using the dd command

What are some RAW-format-support freeware tools?

dc3dd, dcfldd, dd

(dcfldc is not one of them.)

Enable Write Protection on the Evidence Media
The following are some measures that provide defense mechanisms against alterations:
▪ Set a hardware jumper to make the disk read-only
▪ Use an operating system and software that cannot write to the disk unless instructed
▪ Employ a hard disk write block tool to protect against disk writes

copy smaller RAID systems
Investigators can copy smaller RAID systems into a single large disk, provided large storage disks are available and can be used immediately.

Hashing algorithms

  • CRC-32:
    This is a 32-bit CRC code used as an error detection method during data transmission. If the computed CRC bits are identical to the original CRC bits, it means that no error occurred
  • MD5:
    This is a cryptographic hash function with a 128-bit hash value. The hash value can be used to demonstrate the integrity of data, and can be computed over various data types such as files, physical drives, partitions, etc.
  • SHA-1 and SHA-256:
    These are cryptographic hash functions that produce 160-bit and 256-bit message digests respectively

Anti-forensics Countermeasures
Investigators can overcome the anti-forensic techniques discussed in this module through improved monitoring of devices and using upgraded computer forensic tools (CFTs). Some of the important countermeasures against anti-forensic techniques are listed below:
▪ Train and educate the forensic investigators about anti-forensics
▪ Validate the results of examination using multiple tools
▪ Impose strict laws against illegal use of anti-forensics tools
▪ Understand the anti-forensic techniques and their weaknesses
▪ Use the latest and updated CFTs and test them for vulnerabilities
▪ Save data in secure locations
▪ Use intelligent decompression libraries to defend against compression bombs
▪ Replace weak file identification techniques with stronger ones

Anti-forensics techniques include
file deletion, password protection, steganography, trail obfuscation, artifact wiping, overwriting data/metadata, encryption, program packers, rootkits, exploiting forensics tool bugs, etc.

Intruders may use anti-forensics tools such as
Privacy Eraser, QuickStego, and CryptaPix to hide their malicious activities from being caught

Forensic investigators use file carving tools such as

Autopsy, R-Studio, etc., to carve the deleted data from Windows, Linux and Mac file systems

Investigators have developed techniques to detect
steganography, file extension mismatch, hidden data streams, etc., to counter the anti-forensics techniques used by the perpetrators

non-volatile
Hard Disk Drive (HDD)

Strictly implementing countermeasures against anti-forensics may
enable an investigator to successfully deal with a case

To investigate any malware attack or any malicious activities performed on the machine, the investigator should
acquire RAM dumps to analyze them using forensic tools such as Redline and Volatility Framework, and extract evidence helpful for investigation

Analyze Windows Registry to extract important data such as
time zone information, login user activities, and mounted devices

The investigator should also examine
web browsers to see if any malicious activities are performed by the user

Windows ShellBags
contain information such as:

  • Folders deleted by the user
  • Timestamps and MAC times of the accessed folder
  • Folders opened by user from a mounted external hard drive

Windows OS logs
every activity of the system using Windows event logs; hence, these logs can be useful during forensic investigation of the suspect machine

Commands used to determine logged-on users

Net sessions
PsLoggedOn
LogonSessions

command is used to determine open files

Net file

command is used to determine the NetBIOS name table cache in Windows

Nbtstat -c

tool helps collect information about network connections operating in a Windows system

Netstat

Important tools and commands used to collect detailed process information
▪ Tasklist
▪ Pslist
▪ Listdlls
▪ Handle

Volatility Framework
a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. Works on Windows/Linux

information about the system users is stored in

NTUSER.DAT

The data associated with the value of EnablePrefetcher tells which form of prefetching the system uses:
0: Prefetching is disabled
1: Application prefetching is enabled
2: Boot prefetching is enabled
3: Both application and boot prefetching are enabled

tool enables you to retrieve information about event logs and publishers in Windows 10

wevtutil

__ command is used to display the network configuration of the NICs on the system.

ipconfig /all

Microsoft security ID
refers to a unique identification number that Microsoft assigns to a Windows user account for granting the user access to a particular resource.

Windows Event Log File Internals

  • The Windows event log files are, essentially, databases with the records related to the system, security, and applications
  • The databases related to the system are stored in a file named System.evtx
  • The databases related to security are stored in a file named Security.evtx
  • The databases related to applications are stored in a file named Application.evtx
  • Windows event logs are stored in the C:\Windows\System32\winevt\Logs folder

thumbnails of deleted files
also remain in the thumbnail database files and can be extracted using tools such as Thumbcache Viewer and Thumbs Viewer.

In Windows, the default location of the spool folder is

C:\Windows\System32\spool\PRINTERS

By default, ___ and later create hidden administrative shares on a system

Windows Vista, 7, 8.1, and 10 create hidden administrative shares on a system

CustomDestinations jump list
is made of files that are created when a user pins a file or an application to a taskbar.

In Windows Event Log, what does the account management category of events record?

Changes to accounts and group membership

Windows Registry
▪ HKEY_CLASSES_ROOT (HKCR) – file extension association information and programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data. Contains info relating to which application is used to open files on the system.

▪ HKEY_CURRENT_USER (HKCU) – configuration information related to the user currently logged on

▪ HKEY_CURRENT_CONFIG (HKCC) – current hardware profile of the system

▪ HKEY_LOCAL_MACHINE (HKLM) – most of the configuration information for installed software and information about the physical state of the computer.

  • SAM (Security Account Manager): A local security database; subkeys in the SAM contain settings of user data and work groups
  • Security: Includes the local security database in SAM
  • Software: Contains information about the software applications and their configuration settings on the system
  • System: Contains configuration settings of the hardware drivers and services
  • Default: Includes default user settings, but the NTUSER.dat file pertaining to the currently logged-on user overrides the default user settings.

▪ HKEY_USERS – currently active user profiles on the computer

The Windows registry can be analyzed using two methods:
Static Analysis: The investigator examines the registry files stored on the captured evidence file. These files are located in the C:\Windows\System32\config folder.

Live Analysis: The investigator can use the built-in registry editor to examine the registry and also use tools like FTK Imager to capture registry files from a live system for analysis

Volume Shadow Copy Service-based backup (VSS)
allows Windows users to take backup copies of computer files or the logical drive even when the files are still in use. These backup copies are also referred to as shadow copies.

Shadow copies contain the following information:
▪ a historical version of the registry hives
▪ databases such as SQLite
▪ several other artifacts

Jump Lists (shortcuts on the Start menu):
AutomaticDestinations: These files are created by Windows OS when any user accesses any program pinned to the taskbar.

CustomDestinations: These files are created when a user pins a file or an application to the taskbar.

The key artifacts to analyze during the forensic analysis of Jump Lists include:

App ID, MAC times, NetBIOS Name, and MAC Address

Windows event logs
There are three major categories of Windows event logs:

▪ Application log
This log stores details on events pertaining to programs that are installed on a system.
▪ Security log
In case security logging is enabled (by default, it is off) on a Windows system, this log stores details on events pertaining to security. The details stored in this log include information on events such as logon attempts and resource access. Information from this log can help investigators identify unauthorized activities on a system.
▪ System Log
This log stores details on events pertaining to Windows system components such as built-in interface elements and drivers.

Volatile data
is temporary and can be lost when the computer is powered off. It includes:

  • RAM contents
  • system files
  • temporary cache files
  • registers or the processor cache
  • user information
  • network related data
  • login user data from the live system
  • Command history
  • Hostname
  • date & time
  • time zone
  • Uptime
  • Open ports
  • Open files
  • Mounted filesystem information
  • Loaded kernel modules
  • User events
  • Running processes
  • Swap areas and disk partition information
  • Kernel messages

Performing memory forensics enables investigators to
trace the events that have occurred on the suspect machine.

Tools: Belkasoft RAM Capturer (RAM dump), Redline (timeline, scope), and AccessData FTK Imager (RAM dump).

Netstat
-r displays the kernel IP routing table
-n displays numerical addresses
-na displays TCP and UDP listening ports
-ano displays active connections, used to identify if the Tor browser was used

Nmap
For TCP port connections: Syntax: nmap -sT localhost

For UDP port connections: Syntax: nmap -sU localhost

Linux Commands
dmesg – display the kernel ring buffer or information about device drivers loaded into the kernel

lsof – list the open files for the user currently logged into the system

cat /etc/passwd – view the user accounts; to list only the usernames: cut -d: -f1 /etc/passwd

Linux File Locations
local user account information – /etc/passwd

/var/log/auth.log – System authorization information, including user logins and authentication mechanism

/var/log/kern.log – Initialization of kernels, kernel errors or informational messages sent from the kernel

/var/log/faillog – Failed user login attempts

/var/log/printer – Printer logs

/var/log/mail.* – All mail server message log

/var/log/mysql.* – All MySQL server logs

/var/log/apache2/* – All Apache web server logs

/var/log/apport.log – Application crash report/log

/var/log/lighttpd/* – Lighttpd web server log files directory

/var/log/daemon.log – Running services, such as squid and ntpd

/var/log/debug – Debugging log messages

/var/log/dpkg.log – Package installation or removal logs

/var/log/wtmp – maintains information about the user login history, system reboot time and system status

Digital files generally have a signature that can be found in the first

20 bytes of the file.

log files in a Linux system cannot be used by forensic investigators

/var/log/evtx.log

MacOS is a
Unix-based OS used by Apple in their Macintosh computing systems

macOS stores user settings in the form of

A plist file

MAC OS Trash location
%%users.homedir%%/.Trash/

Spotlight on macOS
allows users to search for files/folders by querying databases populated with filesystem attributes, metadata, and indexed textual content. It creates an index of all files/folders on the system and stores the metadata of all files/folders on the disk. On macOS, Spotlight can be accessed by pressing the Command + Space bar keys.

Attacks Specific to Wired Networks
▪ Eavesdropping
Eavesdropping is a technique used to intercept unsecured connections in order to steal personal information.
▪ Data Modification
When an intruder obtains access to sensitive information, they might alter or delete the data as well. This is commonly referred to as a data modification attack.
▪ IP Address Spoofing
This technique is used by an attacker to access any computer without appropriate authorization. Here, the attacker sends messages to the computer with an IP address that indicates the messages are coming from a trusted host.
▪ Denial of Service (DoS)
In a DoS attack, the attacker floods the target with large amounts of invalid traffic, thereby exhausting the resources available on the target. The target then stops responding to further incoming requests, leading to a denial of service (DoS) for legitimate users.
▪ Man-in-the-Middle Attack
A kind of eavesdropping attack where the attacker establishes an independent, legitimate connection with the users and retrieves the messages being transferred among them while tricking them into assuming that their conversation is direct.
▪ Packet Sniffing
Sniffing refers to the process of capturing traffic flowing through a network, with the aim of obtaining sensitive information, such as usernames and passwords, and using them for illegitimate purposes. In a computer network, a packet sniffer captures the network packets. Software tools like Cain & Abel are used for this purpose.
▪ Enumeration
Enumeration is the process of gathering information about a network, which may subsequently be used to attack the network. Attackers usually perform enumeration over the internet. During enumeration, the following information is collected:
o Topology of the network
o List of live hosts
o Architecture and the kind of traffic (for example, TCP, UDP, IPX)
o Potential vulnerabilities in host systems
▪ Session Hijacking
A session hijacking attack refers to the exploitation of a session-token generation mechanism or token security controls, such that the attacker can establish an unauthorized connection with a target server.
▪ Buffer Overflow
Buffers have a certain data storage capacity. If the amount of data exceeds the capacity of a buffer, a buffer overflow occurs. Because a buffer holds only a finite amount of data, any extra data has to go somewhere: it may overflow into neighboring buffers, destroying or overwriting legitimate data.
▪ Email Infection
This attack uses emails as a means to attack a network. Email spamming and other means are used to flood a network and cause a DoS attack.
▪ Malware Attacks
Malware is a kind of malicious code or software designed to infect systems and affect their performance. Attackers attempt to deceive users into installing malware on their system. Once installed, the malware damages the system.
▪ Password-based attacks
A password-based attack is a process where the attacker performs numerous log-in attempts on a system or an application to duplicate a valid login and gain access to it.
▪ Router attacks
In these attacks, an attacker attempts to compromise a router and gain access to it.

Attacks Specific to Wireless Networks
▪ Rogue Access Point Attack
A wireless access point can be termed rogue if it has been installed within a WLAN without the authorization of the network administrator. Such APs are set up by both insiders and outsiders with malicious intent and can be used for data exfiltration or launching other types of attacks.
▪ Client Misassociation
A client misassociation attack begins when a client attaches to an access point that is not in their own network. Due to the manner in which wireless signals propagate through walls and other structures, a client system may detect an access point belonging to another network and attach to it, either accidentally or intentionally. In either case, the client may attach to a network that is unsafe, perhaps while still being connected to a secure network. This last scenario can result in a malicious party gaining access into a protected network.
▪ Misconfigured Access Point Attack
This attack occurs due to the misconfiguration of a wireless access point. This is one of the easiest vulnerabilities that an attacker can exploit. Upon successful exploitation, the entire network could be open to vulnerabilities and attacks.
▪ Unauthorized Association
In this attack, an attacker exploits soft access points, which are WLAN radios present in some laptops. The attacker can activate these access points in the victim’s system through a malicious program and gain access to the network.
▪ Ad-Hoc Connection Attack
In an ad-hoc connection attack, the attacker conducts the attack using a USB adapter or wireless card. In this method, the host connects with an unsecured station to attack a particular station or evade access point security.
▪ Honeypot Access Point Attack
If multiple WLANs co-exist in the same area, a user can connect to any available network. Such WLANs are highly vulnerable to attacks. Normally, when a wireless client switches on, it probes nearby wireless networks for a specific SSID. An attacker exploits this behavior of wireless clients by deploying an unauthorized wireless network using a rogue AP. This AP has high-power (high gain) antennas and uses the same SSID of the target network. Users who regularly connect to multiple WLANs may connect to the rogue AP. These APs mounted by the attacker are referred to as “honeypot” APs. They transmit a stronger beacon signal than the legitimate APs. NICs searching for the strongest available signal may connect to the rogue AP. If an authorized user connects to a honeypot AP, it creates a security vulnerability and reveals sensitive user information, such as identity, username, and password, to the attacker.
▪ Access Point MAC Spoofing
Using the MAC spoofing technique, the attacker can reconfigure the MAC address so that it appears to be an authorized access point to a host on a trusted network. Tools such as changemac.sh and SMAC are used for conducting such attacks.
▪ Jamming Signal Attack
One particularly interesting method of attacking a WLAN is to resort to a plain-old DoS attack. Although there are many ways to do this, one of the easiest is to just jam the network, thus preventing it from being used. It is possible to use a specially designed jammer (radio transmitter) that will transmit signals that can overwhelm and deny the use of the access point by legitimate clients.

The OSI 7-layer model

  1. Physical
  2. Data Link
  3. Network
  4. Transport
  5. Session
  6. Presentation
  7. Application

TCP/IP 4-layer model
Layer 1: Network Access Layer (Routers and Switches)

This is the bottommost layer in the TCP/IP model. It defines how to use the network to transfer data. It includes protocols such as Frame Relay, SMDS, Fast Ethernet, SLIP, PPP, FDDI, ATM, Ethernet, and ARP. These enable the machine to deliver the desired data to other hosts in the same network.

Layer 2: Internet Layer (Firewall, IDS/IPS, VPN)

This is the layer above the network access layer. It handles the movement of a data packet over a network, from its source to its destination. This layer contains protocols such as the Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), and Internet Group Management Protocol (IGMP). The Internet Protocol is the most widely used protocol in this layer.

Layer 3: Transport Layer (Firewall, IDS/IPS)

The transport layer is the layer above the Internet layer. It serves as the backbone for data flow between two devices in a network. The transport layer enables peer entities on the source and destination devices to communicate. This layer uses many protocols, among which the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the most widely used. TCP is preferable for reliable connections, while UDP can be used for non-reliable connections.

Layer 4: Application Layer (Servers/Desktops, Anti-virus, Business Applications, Database)

As the topmost layer of the TCP/IP model, the application layer relies on the services of layer 3 (the transport layer), especially TCP and UDP, to deliver data. This layer contains many protocols, with HTTP, Telnet, FTP, SMTP, NFS, TFTP, SNMP, and DNS being the most widely used ones.

The application layer, presentation layer, and session layer of the OSI model together form the TCP/IP Application layer

The Data Link layer and Physical layer of the OSI model together form the TCP/IP Network Access layer

Event Correlation Approaches
Numerous methodologies can be applied to conduct event correlation based on log data. The following are some widely used approaches:
▪ Graph-Based Approach: In the graph-based approach, various dependencies between system components such as network devices, hosts, and services are first identified. After these dependencies are identified, a graph is constructed with the system components as nodes, and dependencies between them as edges. When an undesired event such as a fault or failure occurs, this graph is used to detect the possible root causes of the event.
▪ Neural Network-Based Approach: This approach uses a neural network to detect the anomalies in the event stream, root causes of fault events, and correlate other events related to faults and failures.
▪ Codebook-Based Approach: The codebook-based approach, which is similar to the rule-based approach described next, groups all events together. It uses a codebook to store a set of events and correlates them. This approach is executed faster than a rule-based system, as there are fewer comparisons for each event.
▪ Rule-Based Approach: The rule-based approach correlates events according to a specified set of rules (condition → action). Depending on each test result and the combination of system events, the rule processing engine analyzes the data until it reaches the final state.
▪ Field-Based Approach: This is a basic approach that compares specific events with single or multiple fields in the normalized data.
▪ Automated Field Correlation: This method checks and compares all the fields systematically for positive and negative correlation among them, to determine correlations across one or multiple fields.
▪ Packet Parameter/Payload Correlation for Network Management: This approach helps in correlating particular packets with other packets. It can also be used to produce a list of potential new attacks by comparing packets with attack signatures.
▪ Profile/Fingerprint-Based Approach: This method helps users to identify whether a system serves as a relay to a hacker, or is a formerly compromised host, and/or to detect the same hacker from different locations. The approach aids in the gathering of a series of data sets from forensic event data such as isolated OS fingerprints, isolated port scans, finger information, and banner snatching, in order to compare link attack data to attacker profiles.
▪ Vulnerability-Based Approach: This approach helps map IDS events that target a vulnerable host by using a vulnerability scanner. It deduces an attack on a specific host in advance and prioritizes attack data in order to respond to the affected points quickly.
▪ Open-Port-Based Correlation: The open-port correlation approach determines the chance of a successful attack by comparing the list of open ports available on the host with those that are under attack.
▪ Bayesian Correlation: This approach is an advanced correlation method based on statistics and probability theory, which uses prior probabilities of conditions to predict what a hacker might do next after an attack.
▪ Time (Clock Time) or Role-Based Approach: This approach leverages data on the behavior of computers and their users to trigger alerts when anomalies are found.
▪ Route Correlation: This approach helps in extracting information about the attack route and uses that information to identify further data pertaining to the attack.

Arp command
arp -a

Types of Network-based Evidence
▪ Full content data
Full content data is gathered by capturing and storing all the packets flowing through a network without any filtration. It offers a significant amount of granularity and flexibility during network-based data analysis. It helps investigators to perform a postmortem analysis of a security incident and facilitates the reconstruction of events that occurred. Investigators can use tools like Tcpdump and Wireshark to analyze any subset of full content data.
▪ Session data
Session data provides the summary of a conversation between two network devices. Although it is not as detailed as full content data, it includes an aggregation of metadata of network traffic such as the destination IP and destination port, source IP and source port, start time of the session, and information exchanged during the session.
▪ Alert data
Alert data is triggered by tools like Snort IDS and Suricata that inspect the network traffic flow and report potential security events as alerts. However, investigators need to be careful while analyzing alert data. As these tools depend on signature-based detection, there might be false-positive alerts too, which means reporting an incident when there is none.
▪ Statistical data
This type of data provides an overall profile or summary of the network traffic, which can be of significant investigative value. Statistical data analysis can yield information such as timestamps related to network conversations, protocols and services being used, average packet size, and average packet rate.

SIEM is composed of

security information management (SIM) and the security event management (SEM)

Event Correlation

  1. Event aggregation: Also called event de-duplication. It compiles the repeated events into a single event and avoids duplication of the same event
  2. Event masking: Refers to missing events related to systems that are downstream of a failed system. It avoids the events that cause the system to crash or fail.
  3. Event filtering: Through event filtering, the event correlator filters or discards irrelevant events.
  4. Root cause analysis: The most complex part of event correlation. During a root cause analysis, the event correlator identifies all devices that became inaccessible due to network failures. Then, the event correlator categorizes the events into symptom events and root cause events. The system considers the events associated with the inaccessible devices as symptom events, and the other non-symptom events as root cause events.

Bayesian correlation
is the type of event correlation approach that is an advanced correlation method based on statistics and probability theory; it uses prior probabilities of conditions to predict what a hacker might do next after an attack

Rule 803, Federal Rules of Evidence
A record of an act, event, condition, opinion, or diagnosis if:
▪ the record was made at or near the time by — or from information transmitted by — someone with knowledge;
▪ the record was kept in the course of a regularly conducted activity of a business, organization, occupation, or calling, whether or not for profit;
▪ making the record was a regular practice of that activity;
▪ all these conditions are shown by the testimony of the custodian or another qualified witness, or by a certification that complies with Rule 902(11) or (12) or with a statute permitting certification; and
▪ the opponent does not show that the source of information or the method or circumstances of preparation indicate a lack of trustworthiness.

Web Application Threats – 2
Discussed below are a few more types of web application threats:
▪ Insecure Direct Object References
An insecure direct object reference occurs when developers expose various internal implementation objects such as files, directories, database records, and key-through references. For example, if a bank account number is a primary key, there is a chance of attackers compromising the application and taking advantage of such references.
▪ Insufficient Transport Layer Protection
Developers need to enforce Secure Sockets Layer (SSL)/Transport Layer Security (TLS) technology for website authentication. Failing to implement this technology enables attackers to access session cookies by monitoring the network flow. Various attacks such as phishing attacks, account theft, and privilege escalation may occur after attackers gain access to the cookies.
▪ Failure to Restrict URL Access
An application often safeguards or protects sensitive functionality and prevents the display of links or URLs for protection. Failure to restrict URL access refers to a vulnerability in which a web application is unable to restrict a hacker from accessing a particular URL. Here, an attacker attempts to bypass website security by using techniques such as forced browsing and gains unauthorized access to specific web pages or other data files containing sensitive information.
▪ Insecure or Improper Cryptographic Storage
The sensitive data stored in a database should be properly encrypted using cryptography. However, some cryptographic encryption methods contain inherent vulnerabilities. Therefore, developers should use strong encryption methods to develop secure applications. In addition, they must securely store cryptographic keys so that attackers cannot easily obtain them and decrypt the sensitive data.
▪ Insecure Deserialization
Serialization and deserialization are effective processes that enable data structures to be stored or transmitted to other locations, such as networks or systems, while preserving the state of the object.
The insecure deserialization vulnerability arises when applications and application programming interfaces (APIs) allow the deserialization of untrusted user input. Attackers inject malicious code into a serialized form of data, and upon deserialization, the manipulated data as well as the malicious code get executed, enabling attackers to gain access to any system remotely and perform further malicious activities. This attack is one of OWASP’s 2017 top 10 web application security vulnerabilities.
▪ Cookie Snooping
By using a local proxy, an attacker can decode or crack user credentials. Once the attacker gains these plaintext credentials, they log into the system as a legitimate user and gain access to unauthorized information.
▪ XML External Entities
In this attack, the attacker provides a malicious XML input including an external entity reference to the target web application. When this malicious input is processed by a poorly configured XML parser, attackers can access sensitive data files and network resources from target web servers and connected networks. This attack is one of OWASP’s top 10 web application security vulnerabilities for 2017.
▪ Security Management Exploits
Some attackers target security management systems, either on networks or on the application layer, to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.
▪ Authentication Hijacking
All web applications rely on information such as passwords and user IDs for user identification. In this type of attack, the attackers attempt to hijack these credentials using various attack techniques such as sniffing and social engineering. Upon obtaining these credentials, they perform various malicious acts, including session hijacking, service theft, and user impersonation.
▪ Unvalidated Redirects and Forwards
In this type of attack, the attackers lure the victim and make them click on unvalidated links that appear legitimate. Such redirects may lead to the installation of malware or trick the victims into sharing their passwords or other sensitive information.
Such unsafe links may lead to access-control bypassing, which further results in the following:
o Session fixation attacks
o Security management exploits
o Failure to restrict URL access
o Malicious file execution
▪ Session Fixation Attack
This type of attack assists the attacker in hijacking a valid user session. The attacker hijacks the user-validated session, with prior knowledge of the user ID for the session, by authenticating with a known session ID.
In this type of attack, the attacker tricks the user into accessing a genuine web server using an explicit session ID value. Subsequently, the attacker assumes the identity of the victim and exploits those credentials at the server. The steps involved are as follows:
1. The attacker visits the bank website and logs in using his credentials
2. The web server sets a session ID on the attacker’s machine
3. The attacker sends an email to the victim that contains a link with a fixed session ID
4. The victim clicks the link and is redirected to the bank website
5. The victim logs into the server using their credentials and the fixed session ID
6. The attacker logs into the server using the victim’s credentials with the same session ID
▪ CAPTCHA Attacks
Implementing CAPTCHAs prevents automated software from performing actions that degrade the quality of service of a given system through abuse or excessive resource expenditure. CAPTCHAs aim at ensuring that the users of applications are human and ultimately aid in preventing unauthorized access and abuse.
Each CAPTCHA implementation derives its strength from how difficult it makes the automated steps an attacker must perform: segmentation, image preprocessing, and classification.

IIS Logs
On Windows Server OSes, the log files are stored by default in %SystemDrive%\inetpub\logs\LogFiles

Operators
▪ Command substitution operators: ` ` (backticks) and $() These operators ask the shell to execute the enclosed command and substitute its output into the command line
▪ Logical operator: &&
The function of the AND operator (&&) is to execute a subsequent command if the execution of the previous command succeeds. Example: command1 && command2
Here, command2 will only be executed if command1 succeeds (which implies that its exit code will be 0)
▪ Logical operator: ||
Also known as the OR operator, || allows the execution of a subsequent command if the execution of the previous command fails. Example: command1 || command2 Here, command2 will be executed only if command1 fails.
▪ Pipe Operator: | The pipe operator (|) attaches the output of one command as the input for another. Example: command1 | command2 Here, the output of command1 will be passed as the input for command2.
▪ List Terminator: ; Via the semicolon operator (;), it is possible to execute several commands sequentially. Example: command1 ; command2 ; command3
Here, the command 1 will execute first, then command 2 and command 3 will run respectively.
▪ Redirection operators: <, >>, > o < operator provides input to a command Example: command1 < target_file Here, command1 will be executed on the contents of target_file. o > operator passes a command output into a file Example: command1 > target_file
Here, the output of command1 will be saved as target_file. If target_file already exists, the content of target_file will be overwritten with the output of command1.
o >> operator appends output of a command to a file Example: command1 >> target_file
Here, the output of command1 will be appended to the contents of target_file if it exists. If target_file does not exist, it will be created.
▪ Arithmetic operator: - The '-' operator introduces command options (flags); an attacker who controls an argument can use it to add options, and thereby additional operations, to the command
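The operators above matter to an investigator because they are what a command injection payload is made of. The following added example (not from the course material) shows the difference between handing user input to a shell, where `;`, `&&`, `||` and `$()` are obeyed, and passing it as a single argument, where they are just characters; it also includes a small detector for the operators listed. It assumes a POSIX `/bin/sh` is available and uses `echo` as the stand-in for the real command.

```python
import re
import subprocess

# The operators listed above, as a pattern for flagging untrusted input before it
# reaches a shell. The '-' option case is argument injection and is not a shell
# metacharacter, so it is not matched here.
SHELL_OPERATORS = re.compile(r"(\|\||&&|\$\(|[;|`<>])")


def find_operators(user_input):
    """Return the shell operators present in a string, in order of appearance."""
    return SHELL_OPERATORS.findall(user_input)


def lookup_vulnerable(host):
    """Builds one command string and hands it to /bin/sh, so operators in `host` are obeyed."""
    cmd = f"echo Looking up {host}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def lookup_safe(host):
    """Passes `host` as a single argv element: no shell parses it, so operators stay literal."""
    return subprocess.run(["echo", "Looking up", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for payload in ("x; echo INJECTED", "x && echo INJECTED", "x || echo INJECTED", "$(echo SUB)"):
        print(f"{payload!r:26} operators={find_operators(payload)}")
        print("  shell :", lookup_vulnerable(payload).rstrip().replace("\n", " / "))
        print("  argv  :", lookup_safe(payload).rstrip())
```

Note how `x || echo INJECTED` does not run the injected command: `echo Looking up x` succeeds, so the OR operator skips the right-hand side, exactly as described above for `||`.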

An attack vector is a
path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome

Web defacement occurs when
an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data

Log files
as generated by web servers, WAFs, and SIEM tools, contain information about the events occurring within a web server and can provide valuable information about who accessed the resources as well as when and how they were accessed

Intrusion detection
is the technique of detecting anomalous activity

The elements of the Apache core that address the basic functionalities of the server are http_protocol, http_main, http_request, http_core, alloc, and __.

http_config

Apache Log Types

  1. Access log: It generally records all the requests processed by the Apache web server
  2. Error log: It contains diagnostic information and errors that the server faced while processing requests
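An access log is only useful to an investigator once it is parsed and searched. The following added example (not part of the course notes) parses the Apache "combined" log format, URL-decodes the request path, runs a few signature-style indicators over it (directory traversal, SQL injection, web shell invocation) and counts requests and error responses per client IP. The log lines are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Signature-style indicators, applied to the URL-decoded request path.
INDICATORS = {
    "traversal": re.compile(r"\.\./|\.\.\\", re.I),
    "sqli": re.compile(r"'\s*(or|and|union)\b|union\s+(all\s+)?select", re.I),
    "webshell": re.compile(r"\.php\?cmd=|/c99\.php|/r57\.php", re.I),
}


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote(rec["path"])   # attackers encode to hide from grep
    return rec


def analyse(lines):
    hits, per_ip, errors, unparsed = [], Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        per_ip[rec["ip"]] += 1
        if rec["status"] >= 400:
            errors[rec["ip"]] += 1
        for name, pattern in INDICATORS.items():
            if pattern.search(rec["decoded_path"]):
                hits.append((rec["ip"], name, rec["path"]))
    return {"hits": hits, "per_ip": per_ip, "errors": errors, "unparsed": unparsed}


# Constructed sample lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 209 "-" "curl/7.68.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /products.php?id=1%27%20UNION%20SELECT%201,2 HTTP/1.1" 500 341 "-" "sqlmap/1.5"',
    '203.0.113.7 - - [10/Oct/2023:13:56:09 +0000] "POST /uploads/shell.php?cmd=id HTTP/1.1" 200 57 "-" "curl/7.68.0"',
    '192.0.2.44 - alice [10/Oct/2023:13:57:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "http://example.test/" "Mozilla/5.0"',
    'this line is not in combined format',
]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, name, path in result["hits"]:
        print(f"{ip:15} {name:10} {path}")
    print("requests per IP:", dict(result["per_ip"]))
    print("errors per IP  :", dict(result["errors"]))
    print("unparsed lines :", result["unparsed"])
```

Decoding the path before matching is the important step: the traversal in the second line is invisible to a plain text search for `../`.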

The exact location of these

Intrusion Detection System (IDS)
security software or hardware device is used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting intrusions

How IDS Detects an Intrusion
Signature recognition, also known as misuse detection, attempts to identify events that indicate an abuse of a system or network resource

Anomaly Detection
It detects an intrusion by comparing current activity with an established baseline of the normal behavioral characteristics of the users and components in a computer system; significant deviations from that baseline are flagged

Protocol Anomaly Detection
In this type of detection, models are built to explore anomalies in the way vendors deploy the TCP/IP specification

Web Application Firewall (WAF)

  1. Web application firewalls (WAFs) are deployed as a reverse proxy that inspects all HTTP traffic destined for the application
  2. WAF provides a security layer that protects web applications from malicious traffic
  3. WAF is either appliance-based or cloud-based, and is deployed through a proxy placed ahead of the web application
  4. It uses a rule-based filter that monitors and analyzes the traffic before it reaches the web application

WAFs are designed to protect web applications from a range of web exploits and attacks, which include the following:

▪ SQL injection

▪ Cross-site scripting (XSS)

▪ Local file inclusion (LFI)

▪ Directory traversal attack

▪ Remote code execution (RCE)

▪ Session fixation attack

An attacker can bypass a web application firewall (WAF) with the toggle case technique: randomly changing the case of some characters in the payload (for example UnIoN SeLeCt) so that a case-sensitive signature no longer matches, even though the database or browser still interprets the payload normally.
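The bypass, and the fix, side by side. This is an added example (not from the course material): a rule set built from literal, case-sensitive strings is defeated by toggled case and by URL encoding, while a rule set that first normalises the input (URL-decodes, collapses whitespace and `/**/` comment gaps) and then matches case-insensitively is not. The signatures are deliberately tiny; they stand in for a real rule set.

```python
import re
from urllib.parse import unquote

# A naive rule set: literal, case-sensitive signatures.
NAIVE_SIGNATURES = ["UNION SELECT", "<script>"]


def naive_waf_blocks(payload):
    return any(sig in payload for sig in NAIVE_SIGNATURES)


# Hardened: normalise first, then match case-insensitively with flexible spacing.
HARDENED_SIGNATURES = [
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"<\s*script\b", re.I),
]


def normalise(payload):
    # Decode twice to catch double-encoded input, then collapse whitespace and
    # SQL comment characters so "UNION/**/SELECT" and "UNION  SELECT" look alike.
    decoded = unquote(unquote(payload))
    return re.sub(r"[\s/*]+", " ", decoded)


def hardened_waf_blocks(payload):
    text = normalise(payload)
    return any(sig.search(text) for sig in HARDENED_SIGNATURES)


if __name__ == "__main__":
    for p in ("1 UNION SELECT 1,2", "1 uNiOn SeLeCt 1,2", "1%20UnIoN%2f%2a%2a%2fsElEcT%201",
              "<ScRiPt>alert(1)", "trade union selects new leader"):
        print(f"{p!r:40} naive={naive_waf_blocks(p)!s:5} hardened={hardened_waf_blocks(p)}")
```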

Dark Web

  1. Surface Web
    As the topmost layer, the surface web stores content that can be accessed as well as indexed by search engines such as Google, Yahoo, and Bing. Public websites such as Wikipedia, eBay, Facebook and YouTube can be easily accessed from the surface web. The surface web comprises only 4% of the entire web.
  2. Deep Web
    This layer of the web cannot be accessed by normal users because its contents are not indexed by search engines. The contents of the deep web can be accessed only by a user with due authorization. Information contained in the deep web can include military data, confidential data of organizations, legal dossiers, financial records, medical records, records of governmental departments and subscription information
  3. Dark Web
    This is the third and the deepest layer of the web. It is used to carry out unlawful and antisocial activities. The dark web is not indexed by search engines and allows complete anonymity to its users through encryption. Cyber criminals use the dark web to perform nefarious activities such as drug trafficking, anti-social campaigns, and the use of cryptocurrency for illegal transactions. Accessing dark web involves the use of a specialized browser. The Tor browser is one of the browsers used to access the contents of the dark web.

Tor Relays

  1. Entry/Guard Relay

This relay provides an entry point to the Tor network. When attempting to connect via the entry relay, the IP address of the client can be read. The entry relay/guard node transmits the client’s data to the middle node.

  2. Middle Relay

The middle relay is used for the transmission of data in an encrypted format. It receives the client’s data from the entry relay and passes it to the exit relay.

  3. Exit Relay

As the final relay of the Tor circuit, the exit relay receives the client’s data from the middle relay and sends the data to the destination website’s server. The exit relay’s IP address is directly visible to the destination. Hence, in the event of transmission of malicious traffic, the exit relay is suspected to be the culprit, as it is perceived to be the origin of such malicious traffic. Hence, the exit relay faces the most exposure to legal issues, take-down notices, complaints, etc., even when it is not the origin of malicious traffic.

Tor Browser
Registry: HKEY_USERS\\SOFTWARE\Mozilla\Firefox\Launcher.

Port: it uses ports 9150 (SOCKS proxy) and 9151 (control port) on the local machine for establishing connections via Tor nodes.

Hidden Service Protocol: allows users to host websites anonymously under .onion addresses; these websites can only be accessed by users on the Tor network.

Tor Bridge Node: makes it difficult for governments, organizations, and ISPs to censor the usage of the Tor network.

executed File Path: \Tor Browser\Browser\TorBrowser\Data\Tor\

Prefetch Files: C:\WINDOWS\Prefetch

analyze the email artifacts of a Tor Browser session with a Memory dump

SQL Server file types

  1. The primary data file (MDF) is the starting point of a database; it points to the other files in the database. Every database has exactly one primary data file, which stores all data in the database objects (tables, schema, indexes, etc.). The file name extension for primary data files is .mdf.
  2. The secondary data files (NDF) are optional. A database contains only one primary data file, but it can contain zero, one, or multiple secondary data files. The secondary data files can be stored on a hard disk separate from the primary data file. The file name extension for secondary data files is .ndf.
  3. The transaction log files (LDF) hold the entire log information associated with a database. A transaction log file helps a forensic investigator examine the transactions that occurred in a database and recover deleted data, if required. The file name extension for transaction log files is .ldf, and each file is divided into multiple virtual log files.

SQL Database data pages
▪ Page Header: Presents the page ID, page type, etc.
▪ Data Rows: Store the actual data
▪ Offset Table: Points to the location of the actual data rows within the page

SQL Database (default file locations for the MSSQL14.MSSQLSERVER instance directory)
▪ Database files (.mdf) and transaction log files (.ldf): C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA\*.MDF | *.LDF

▪ Server trace files (.trc): C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\LOG\LOG_#.TRC

▪ SQL Server error logs: C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\LOG\ERRORLOG

Collecting Primary Data File and Active Transaction Logs Using SQLCMD
Loading the command line tool and establishing logging

To initialize the connection with the server (WIN-1BKS09O92OO is the server used here for demonstration), the following command is used in the application: sqlcmd -S WIN-1BKS09O92OO -e -s"," -E
Parameters:
-e is used to echo the input
-s is used for column separation
-E is used for a trusted connection

MySQL Database
▪ Data Directory: C:\ProgramData\MySQL\MySQL Server 8.0\data

Information schema – read-only tables and database-related data

Database forensics is
the examination of databases and related metadata in a forensically precise manner to make the findings presentable in the court of law

Windows event logs files
are stored in a binary format (EVTX, introduced with Windows Vista) in which each event record carries XML-structured data; Event Viewer and forensic tools render every event as XML. Windows contains different types of logs, including administrative, operational, analytic, debug, and application logs.

MySQL Utility Programs for Forensic Analysis
▪ Mysqldump

o It allows you to dump a database or a collection of databases for backup purposes
o It generates a .sql file with CREATE TABLE, DROP TABLE, and INSERT INTO SQL statements of the source database
o Executing the .sql file on the destination database restores the original database
Syntax: mysqldump [options] [db_name [tbl_name …]]

▪ mysqlaccess

o Checks the access privileges defined for a hostname or username
o Validates access using the user, db, and host tables
o Syntax: mysqlaccess [host_name [user_name [db_name]]] [options]

▪ myisamlog

o Processes the contents of the MyISAM log file
o Performs recovery operations
o Displays the version information depending on the situation
o The default operations of this utility include update (-u) and recovery (-r)
Syntax: myisamlog [options] [logfile-name [tbl_name] …]

▪ myisamchk

Views the status of the MyISAM table or checks, repairs, and optimizes them Syntax: myisamchk [options] tbl_name …

▪ mysqlbinlog

o Reads the binary log files directly and displays them in text format
o Displays the content of binary logs (mysql-bin.nnnnnn) in text format
Syntax: mysqlbinlog [options] log-file …

▪ mysqldbexport

o Exports metadata/data definitions

o Produces output in various formats, making data extraction easier and suitable for external applications
Syntax: mysqldbexport --server=user:pass@host:port:socket db1, db2, db3

Infrastructure as a Service (IaaS)
Offers computing infrastructure such as virtual machines (VMs), storage, servers and networking resources that customers can configure and manage over the internet Example: Amazon EC2, Azure Virtual Machines

Advantages

o Dynamic infrastructure scaling

o Guaranteed uptime

o Automation of administrative tasks

o Elastic load balancing

o Policy-based services

o Global accessibility

Disadvantages

o Software security is at high risk (third-party providers are more prone to attacks)

o Performance issues and slow connection speeds

Platform-as-a-Service (PaaS)
Offers development tools, configuration management, and deployment platforms on-demand that can be used by customers to develop custom applications Example: Google App Engine, AWS Elastic BeanStalk, AWS Lambda, SAP Cloud Platform etc

Advantages

o Simplified deployment

o Prebuilt business functionality

o Lower risk

o Instant community

o Pay-per-use model

o Scalability

Disadvantages

o Vendor lock-in

o Data privacy

o Integration with other system applications

Software-as-a-Service (SaaS)
Offers on-demand cloud-based applications to customers over the Internet Example: Web-based office applications such as Google Docs or Microsoft Office 365 and web-based email applications such as Gmail and Outlook.

Advantages

o Low cost

o Easier administration

o Global accessibility

o Compatible (requires no special hardware or software)

Disadvantages

o Security and latency issue

o Total dependency on the internet

o Switching between SaaS vendors is difficult

Private Cloud
Cloud infrastructure operates solely for a single organization(also known as an internal or corporate cloud)

Advantages

o Enhanced security (services are dedicated to a single organization)

o More control over resources (the organization is in charge)

o Better performance (deployed within the firewall; therefore, data transfer rates are high)

o Customizable hardware, network, and storage performances (as private cloud is owned by the organization)

o Sarbanes-Oxley, PCI DSS, and HIPAA compliance data are significantly easier to attain

Disadvantages

o Expensive

o On-site maintenance

Community Cloud
Infrastructure shared among various organizations belonging to a specific community with common concerns (security, compliance, jurisdiction, etc.)

Advantages

o Less expensive compared to private cloud

o Flexibility to meet the community requirements

o Compliance with legal regulations

o High scalability

o Organizations can share a pool of resources from anywhere via the internet

Disadvantages

o Competition between consumers in the usage of resources

o No accurate prediction regarding the required resources

o Moderate security (other tenants may be able to access the data)

o Trust and security concerns between the tenants

Hybrid Cloud
Cloud infrastructure with the attributes of two or more types of cloud (i.e. private, community, or public), offering the benefits of multiple deployment models

Advantages

o More scalable (contains both public and private clouds)

o Offers secure resources and scalable public resources

o High level of security (comprises private cloud)

o Enables the reduction and management of costs based on the requirements

Disadvantages

o Communication at the network level may differ because this model uses both public and private clouds

o Difficult to achieve data compliance

o Organizations rely on the internal IT infrastructure for support to handle any outages (maintain redundancy across data centers to overcome)

o Complex Service Level Agreements (SLAs)

Public Cloud
Services are distributed across a network for public use. allows the provider to make services—such as applications, servers, and data storage—available to the public over the internet

Advantages

o Low cost

o Reduced time

o No maintenance (public cloud service is hosted off-site)

o No contracts (no long-term commitments)

Disadvantages

o Security is not guaranteed

o Lack of control (third-party providers are in charge)

o Slow speed (relies on internet connections; thus, the data transfer rate is limited)

How to Check the Windows Registry for Malware?

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Cloud Crimes
▪ Cloud as a subject
It refers to a crime in which the attackers attempt to compromise the security of a cloud environment to steal data or inject malware.
Example: Stealing the identity of a cloud user, unauthorized modification or deletion of stored data, and installation of malware on the cloud.

▪ Cloud as an object
In this type of crime, attackers use a cloud system to commit a crime against the CSP; here, the cloud behaves like an object. In this case, the main objective of the attacker is to impact the CSP instead of the cloud environment.
Example: DDoS attacks over the cloud that can cause failure in the entire cloud environment.

▪ Cloud as a tool
The cloud becomes a tool when the attacker uses a compromised cloud account to attack other accounts. In such cases, both the source and target cloud can store the evidence data.
Example: Using a cloud to perform an attack on other clouds or when a crime-related evidence is saved and shared in the cloud

According to the NIST, cloud forensics challenges can be categorized into
nine major groups:

  • architecture
  • data collection
  • analysis
  • legal
  • training
  • anti-forensics
  • incident first responders
  • role management
  • standards

Locard’s Exchange Principle

Anyone entering a crime scene takes something with them and leaves something behind (hair, fiber, footprint, scene disturbance).

Dynamic analysis
is the process of testing and evaluating a program while the software is running.

Ex: running an application in a sandbox environment.

Document the full path and location of the file before executing it.

Static Analysis

is a method of debugging by examining source code without executing the code or instructions.

Which situation leads to a civil investigation?
Disputes between two parties that relate to a contract violation

Enterprise Theory of Investigation (ETI)
A standard investigative tool of the FBI that focuses on criminal enterprise and attacks the structure of the criminal enterprise rather than criminal acts viewed as isolated incidents.

What allows for a lawful search to be conducted without a warrant or probable cause?
Consent of person with authority

When can a forensic investigator collect evidence without formal consent?
When properly worded banners are displayed on the computer screen

What do some states require before beginning a forensic investigation?
License

Who determines whether a forensic investigation should take place if a situation is undocumented in the standard operating procedures?
Decision maker

Which type of information can a forensic investigator find in a common metadata field for a file?

Network name
User password
MAC address
Email recipients
Network name

OpenSaveMRU

is a Windows registry key that tracks files that have been accessed by any application through the “Open” or “Save As” Windows shell dialog box.

RunMRU

contains the commands entered in the Run dialog box (Start > Run).

BagMRU
The Bags key stores view preferences such as the window size, location and view mode for folders the user has opened.

The BagMRU key stores the folder hierarchy of those folders, including recently accessed folders on network shares.

Non-Volatile Data

  • data stored on hard drives, USB drives, CDs, DVDs, or any other storage media. This data remains intact even when the computer is powered off.
  • hidden partitions on the disk
  • thumbnail cache data

hexadecimal notation for file types
42 4D = BMP
89 50 4e = PNG
47 49 46 = GIF
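Signature (magic byte) checking in practice. This is an added example, not part of the course notes: it identifies a file type from its leading bytes and compares the result with the type claimed by the extension, since a mismatch (an executable saved as .pdf, say) is a common way of hiding files. The table contains the three signatures above plus a few other well-known ones; the sample file headers are constructed for the demo.

```python
# Signatures from the notes above plus a few other common ones (all well-known
# values; the notes themselves list only BMP, PNG and GIF).
MAGIC = {
    b"\x42\x4d": "BMP",                 # "BM"
    b"\x89\x50\x4e\x47": "PNG",         # 0x89 "PNG"
    b"\x47\x49\x46\x38": "GIF",         # "GIF8" (GIF87a / GIF89a)
    b"\xff\xd8\xff": "JPEG",
    b"\x25\x50\x44\x46": "PDF",         # "%PDF"
    b"\x50\x4b\x03\x04": "ZIP",         # also DOCX/XLSX/JAR containers
    b"\x4d\x5a": "EXE",                 # "MZ": DOS/PE executable
}

EXTENSION_TYPES = {
    "bmp": "BMP", "png": "PNG", "gif": "GIF", "jpg": "JPEG", "jpeg": "JPEG",
    "pdf": "PDF", "zip": "ZIP", "docx": "ZIP", "exe": "EXE", "dll": "EXE",
}


def identify(data):
    """Return the type whose signature the data starts with, longest signature first."""
    for sig, name in sorted(MAGIC.items(), key=lambda kv: len(kv[0]), reverse=True):
        if data.startswith(sig):
            return name
    return None


def check_extension(filename, data):
    """Compare the header-derived type with the type the extension claims.

    Returns (detected, claimed, mismatch). A mismatch is a classic sign that a
    file was renamed to hide it.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = identify(data)
    claimed = EXTENSION_TYPES.get(ext)
    mismatch = detected is not None and claimed is not None and detected != claimed
    return detected, claimed, mismatch


# Constructed sample headers (only the first bytes matter for identification).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",     # executable renamed to .pdf
    "notes.txt": b"just some text",
}


def triage(samples=SAMPLES):
    return {name: check_extension(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (detected, claimed, mismatch) in triage().items():
        flag = "MISMATCH" if mismatch else ""
        print(f"{name:12} header={detected!s:5} ext={claimed!s:5} {flag}")
```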

maximum compression ratio for JPEG files?
90%

Slack space

  • Space on a disk between the end-of-file marker and the end of the cluster.
  • A full cluster is assigned to every file; whatever part of the last cluster the file does not use is slack space.
  • Slack space is not empty: it holds whatever was previously written there. For example, on a drive whose files were deleted (the pointers are gone), fragments of the old files remain in slack space.

EnCase is a tool useful for examining slack space.

“SAFE Block” software tool

  • designed strictly for maintaining the integrity of evidence during data acquisition.

NIST SP 800-88
“Guidelines for Media Sanitization”
Clear – a sanitization method that uses software or hardware products to overwrite all user-addressable storage space. The goal of clearing is to replace written data, and any potentially sensitive information, with non-sensitive (e.g. random) data.

Purge – provides more comprehensive sanitization than clearing, as purging protects information against laboratory attacks that use advanced methods and tools to recover data. The media can be reused. Recommended by NIST when recovery must be made infeasible but the media is to be reused.

Destroy – like purging, destroying protects data from being recovered by state-of-the-art laboratory techniques. The key difference is that after destruction the media is no longer able to store data.

Recycle Bin Locations
Windows 95 and 98

C:\RECYCLED

  • Win 98 – deleted file stored in “INFO2” file.

Windows 2000 , NT, XP C:\RECYCLER\

Prior to Windows Vista, a file in the Recycle Bin was stored in its physical location and renamed using the syntax D<drive letter><#>.<original extension>

  • "D" denotes that a file has been deleted.

Example: De7.doc = file deleted from the E: drive, the "eighth" file received by the Recycle Bin, and a .doc file

Windows Vista and later C:\$Recycle.Bin\

  • The deleted file is renamed using the syntax $R<#>.<original extension>, where <#> represents a set of random letters and numbers
  • At the same time, a corresponding metadata file is created, named $I<#>.<original extension>, where <#> is the same set of random letters and numbers used for the $R file
  • The $R and $I files are located at C:\$Recycle.Bin\\

The $I file contains the following metadata:

  • Original file name (full path)
  • Original file size
  • The date and time the file was deleted

The original files pertaining to the $I files are not visible in the Recycle Bin folder when:

  • the $I file is corrupted or damaged
  • the attacker/insider deletes the $I files from the Recycle Bin

During a forensic investigation, the investigator should check for the $R files in the Recycle Bin directory to counter this anti-forensic technique.

If the metadata files related to the original files are not present in the folder, the investigator can use the 'copy' command to recover the deleted files ($R files)

Command:

copy <$R*(or File name)>
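A parser for the $I metadata file described above, as an added example that is not part of the course notes. Two layouts exist: the fixed 520-byte path field used from Vista through 8.1 (version 1) and the length-prefixed path used by Windows 10 and later (version 2); the offsets below are taken from the public format description and the example handles both. The deletion time is a Windows FILETIME (100-nanosecond ticks since 1601-01-01). Since no real $I file can be shipped, the example also contains a builder that produces a constructed $I blob, and a helper that maps a $I name to its $R partner.

```python
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-nanosecond ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Parse a $I<id> record.

    Layout:
      0x00  8 bytes  version: 1 (Vista to 8.1) or 2 (Windows 10 and later)
      0x08  8 bytes  original file size
      0x10  8 bytes  deletion time (FILETIME)
      v1:   0x18  520 bytes  original path, UTF-16LE, null padded
      v2:   0x18  4 bytes    path length in UTF-16 code units (incl. null), then the path
    """
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_dollar_i(version, size, deleted, path):
    """Builds a constructed $I blob (inverse of the parser) so the demo runs offline."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def partner_name(name):
    """$I<id>.ext and $R<id>.ext share the same random id."""
    prefix = {"$I": "$R", "$R": "$I"}[name[:2]]
    return prefix + name[2:]


# Constructed sample record used by the demo and the checks.
SAMPLE_DELETED = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\secret.docx"


def sample_records():
    """Build a constructed $I blob in both layouts and parse each back."""
    return {v: parse_dollar_i(build_dollar_i(v, 4096, SAMPLE_DELETED, SAMPLE_PATH))
            for v in (1, 2)}


if __name__ == "__main__":
    for version, rec in sample_records().items():
        print(f"v{version}: {rec['path']}  size={rec['size']}  deleted={rec['deleted'].isoformat()}")
    print(partner_name("$IABC123.docx"))
```

To use it on a real Recycle Bin, read the $I file in binary mode and pass the bytes to `parse_dollar_i`; `partner_name` then gives the $R file that holds the content.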

Logs In AWS
S3 Server Access Logs – When enabled, these logs record detailed information regarding the access requests made to an S3 bucket, including PUT, GET and DELETE actions

VPC Flow Logs – Flow logs record information regarding the inbound and outbound IP traffic on various network interfaces within a VPC environment

Amazon CloudWatch allows the inspection, access and storage of log files from various AWS sources such as AWS CloudTrail, EC2 instances, and Route 53

Forensic Acquisition of Amazon EC2 Instance: Methodology

  1. Isolating the compromised EC2 instance from the production environment
  2. Taking a snapshot of the EC2 instance
  3. Provisioning and launching a forensic workstation
  4. Creating an evidence volume from the snapshot
  5. Attaching the evidence volume to the forensic workstation
  6. Mounting the evidence volume onto the forensic workstation

Logs in Azure

  1. Azure Activity Logs
    These logs record the write operations (POST, UPDATE, PUT, DELETE) performed on Azure resources within a particular subscription from the outside (the management plane).

Log analysis can reveal the operations that were performed on the resources, their timestamps, status of the operations, and the user who performed these operations.

Activity logs can be viewed under the Monitor option in the Azure portal

  2. Azure Resource Logs
    Previously known as diagnostic logs, these logs record the operations performed within a resource.

These logs might vary as per the Azure resource/service type.

Administrators must create a diagnostic setting for each Azure resource to collect their resource logs

  3. Azure Active Directory Reports
    Security reports: Two types of security reports are generated by Azure AD:

a. Users flagged for risk: It provides a comprehensive idea on user accounts that might have been compromised

b. Risky Sign-ins: It records sign-in attempts from unauthorized users (if any)

Activity reports: Two types of activity reports are generated by Azure AD:

a. Audit logs: It records all system activities and tasks being performed within an organization. Audit activity logs might take an hour to get recorded.

b. Sign-ins: It records the sign-in patterns of users and their status

  4. Network Security Group Flow Logs

These logs record information related to the inbound and outbound IP traffic flowing through Azure resources within a Network Security Group (NSG).

These logs are recorded in the JSON format on a per rule basis.

NSG flow logs can be enabled via Azure Network Watcher on the Azure portal, stored and downloaded from a configured Azure storage account, or exported to any SIEM or IDS tool for better visualization.

  5. VM Log Data
    Data from event logs in Windows VM and Syslog in Linux VM can be collected and analyzed in a specific Log Analytics Workspace via Azure Monitor.

Enabling the Log Analytics VM extension option makes this log collection process easier and configures the log agent to send data to the specified Log Analytics Workspace automatically

  6. Azure Storage Analytics Logs
    These log entries record information about the authenticated and anonymous requests made to specific storage services, such as Azure blob, queue, and table.

When enabled for a storage account, these logs are automatically placed in block blobs in a container called $logs

Challenges of Performing Forensics on Containers
They have a very short lifecycle.

Email systems are based on a
client-server architecture

Mail User Agent (MUA)
Also known as email client, MUA is an application that enables users read, compose and send emails from their configured email addresses
There are two commonly used email clients:
Standalone: Microsoft Outlook and Mozilla Thunderbird
Web-based: Gmail, Yahoo! mail, AOL mail, etc.

Mail Transfer Agent (MTA)
MTA is also known as a mail server that accepts the email messages from the sender and routes them to their destination
Examples include Sendmail, Exim and Postfix

Mail Delivery Agent (MDA)
MDA is an application responsible for receiving an email message from the MTA and storing it in the mailbox of the recipient
Example includes Dovecot

SMTP Server
SMTP (Simple Mail Transfer Protocol) is an outgoing mail server that allows a user to send emails to a valid email address
When a user sends an email, the sender’s host SMTP server interacts with the receiver’s host SMTP server
The SMTP servers listen on the port 25

POP3 Server
POP3 (Post Office Protocol version 3) is an Internet protocol that is used to retrieve e-mails from a mail server
It handles incoming mails and listens on port 110
POP3 automatically downloads the emails to the user’s hard disk and removes them from the mail server

IMAP Server
Internet Message Access Protocol (IMAP) is an internet protocol designed for accessing e-mail on a mail server
By default, the IMAP server listens on port 143, and the IMAPS (IMAP over SSL) listens on port 993
This protocol keeps e-mails on the server even after the user has already downloaded them, thus enabling the user to use multiple devices to check the email

Steps to Investigate Email Crimes

  1. Seizing the computer and email accounts (a search warrant)
  2. Acquiring the email data
  3. Examining email messages
  4. Retrieving email headers (information on the email’s origin)
  5. Analyzing email headers
  6. Recovering deleted email messages

RFC 5322 – defines the internet email message format
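Steps 4 and 5 above (retrieving and analyzing headers) in code, as an added example that is not part of the course notes. It parses an RFC 5322 message with Python's standard `email` package, walks the `Received:` chain from the recipient back to the originating host and IP, and reports cheap spoofing indicators: a `Return-Path`, `Reply-To` or `Message-ID` domain that disagrees with the `From:` domain. The message, hosts and addresses are constructed for the demo (documentation and `.test` names only).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message illustrating a spoofed "From:" header (not a real capture).
SAMPLE_EMAIL = """\
Received: from mx1.example.test (mx1.example.test [198.51.100.10])
\tby mail.victim.test with ESMTP id abc123
\tfor <bob@victim.test>; Tue, 10 Oct 2023 13:55:36 +0000
Received: from relay.attacker.test (unknown [203.0.113.7])
\tby mx1.example.test with SMTP; Tue, 10 Oct 2023 13:55:30 +0000
From: "IT Helpdesk" <helpdesk@bank.example>
Return-Path: <bounce@attacker.test>
Reply-To: <helpdesk@mail-bank-login.test>
Message-ID: <20231010135530.1234@relay.attacker.test>
Date: Tue, 10 Oct 2023 13:55:29 +0000
Subject: Password reset required
To: bob@victim.test

Click the link to reset your password.
"""

# "from <helo-name> (...[ip])": the first bracketed address after "from" is the
# connecting peer as seen by the receiving MTA.
RECEIVED_FROM = re.compile(r"\bfrom\s+(?P<helo>\S+).*?\[(?P<ip>[0-9a-f.:]+)\]", re.I | re.S)


def trace_hops(msg):
    """Received: headers top-down; index 0 is the hop nearest the recipient, the last is the origin."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_FROM.search(flat)
        stamp = flat.rsplit(";", 1)[-1].strip() if ";" in flat else None
        hops.append({"from": m.group("helo") if m else None,
                     "ip": m.group("ip") if m else None,
                     "date": stamp})
    return hops


def origin_ip(msg):
    hops = trace_hops(msg)
    return hops[-1]["ip"] if hops else None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_inconsistencies(msg):
    """Spoofing indicators: envelope, reply and message-id domains that disagree with From."""
    findings = []
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    for hdr in ("Return-Path", "Reply-To"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if addr and _domain(addr) != from_dom:
            findings.append(f"{hdr} domain {_domain(addr)} differs from From domain {from_dom}")
    mid_dom = _domain(msg.get("Message-ID", "").strip("<> "))
    if mid_dom and not mid_dom.endswith(from_dom):
        findings.append(f"Message-ID domain {mid_dom} differs from From domain {from_dom}")
    return findings


def investigate(raw=SAMPLE_EMAIL):
    msg = message_from_string(raw)
    return {"origin_ip": origin_ip(msg), "hops": trace_hops(msg),
            "findings": header_inconsistencies(msg)}


if __name__ == "__main__":
    result = investigate()
    print("origin IP:", result["origin_ip"])
    for i, hop in enumerate(result["hops"]):
        print(f"  hop {i}: from {hop['from']} [{hop['ip']}] at {hop['date']}")
    for f in result["findings"]:
        print("  !", f)
```

Only the `Received:` line added by your own (trusted) server is reliable; earlier lines can be forged by the sender, which is why the chain is read from the top down and the origin IP is treated as a lead, not proof.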

Outlook
Personal Storage Table (.pst) – Certain kinds of POP accounts use the .pst file to save mailbox information on the local computer By default, .pst files are stored at C:\Users\%USERNAME%\Documents\Outlook Files

Offline Storage Table (.ost) – Account types such as Microsoft Exchange, Office 365 and IMAP accounts store a copy of the mailbox components in an .ost file

By default, .ost files are located at C:\Users\%USERNAME%\AppData\Local\Microsoft\Outlook

Thunderbird
Location: C:\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles

Email laws
CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) – is a law that sets the rules for sending e-mails for commercial purposes, establishes the minimum requirements for commercial messaging, gives the recipients of e-mails the right to ask the senders to stop e-mailing them, and spells out the penalties in case the mentioned rules are violated.

CAN-SPAM’s main requirements for senders:

  • Do not use false or misleading header information
  • Do not use deceptive subject lines
  • The commercial e-mail must be identified as an ad
  • The email must have your valid physical postal address
  • The email must contain necessary information regarding how to stop receiving e-mails from the sender in future
  • Honor recipients’ opt-out request within 10 business days.
  • Both the company whose product is promoted in the message and the e-mailer hired on contract to send messages must comply with the law.

Components of Malware
▪ Crypter

It refers to a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. The crypter encrypts the malicious file in a malware or the entire malware itself to avoid detection.

▪ Downloader

It is a type of Trojan that downloads other malware (or) malicious code and files from the Internet on to the PC. Usually, attackers install a downloader when they first gain access to a system.

▪ Dropper

Attackers need to install the malware program or code on the system to make it run, and this program can do the installation task covertly. The dropper can contain unidentifiable malware code that antivirus scanners cannot detect and can download additional files needed to execute the malware on a target system.

▪ Exploit

It is a part of the malware that contains code or a sequence of commands to take advantage of a bug or vulnerability in a digital system or device. Attackers use this code to breach the system's security through software vulnerabilities to access information or install malware. Based on the type of vulnerability they abuse, exploits fall into different categories, including local exploits and remote exploits.

▪ Injector

It is a program that injects the exploits or malicious code available in the malware into other vulnerable running processes and changes the way of execution to hide or prevent its removal.

▪ Obfuscator

It is a program that conceals the malicious code of a malware via various techniques, making it hard for security mechanisms to detect or remove it.

▪ Packer

It is a software that compresses the malware file to convert the code and data of malware into an unreadable format. Packers utilize compression techniques to pack the malware.

▪ Payload

It is a part of the malware that performs a desired activity when activated. Payload can have the tendency of deleting or modifying files, thereby affecting system performance, opening ports, changing settings, etc. as a part of compromising the security.

▪ Malicious Code

It is a piece of code that defines the basic functionality of the malware and comprises commands that result in security breaches. It can take various forms like:

o Java Applets

o ActiveX Controls

o Browser plugins

o Pushed content

▪ Fileless Malware

As the name suggests, this kind of malware does not rely on a file written to disk to infect a system. There are several variants. Some fileless malware comes packaged as device firmware and lives in memory, which lets it keep running after disk formatting, OS reinstallation, and system reboots.

Attackers also use built-in Windows features and trusted applications, such as PowerShell, the command prompt, and Windows Management Instrumentation, to install and execute such malware on a system. A fileless attack can therefore bypass application whitelisting, because it only runs approved applications, and the absence of a file on disk lets it evade file-scanning security products while the attack continues.

Common Techniques Attackers Use to Distribute Malware across Web
▪ Blackhat Search Engine Optimization (SEO) Blackhat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to get a higher search engine ranking for malware-serving pages.

▪ Social Engineered Clickjacking

Attackers inject malicious links or code into legitimate-looking websites to trick users into clicking them. When clicked, the malware behind the link executes without the user's knowledge or consent.

▪ Spear Phishing Sites This technique helps attackers mimic legitimate institutions, such as banks, to steal passwords, credit card and bank account data, and other sensitive information.

▪ Malvertising

It involves embedding malware-laden advertisements in authentic online advertising channels to spread malware onto the systems of unsuspecting users.

▪ Compromised Legitimate Websites

Often, attackers use compromised websites to infect systems with malware. When an unsuspecting user visits the compromised website, the malware secretly installs itself on the user's system and then carries out its malicious activities.

▪ Drive-by Downloads

This refers to the unintentional downloading of software via the Internet: the attacker exploits flaws in browser software (or its plugins) to install malware when the user merely visits a web page.

▪ Domain Shadowing

This refers to a technique in which attackers gain access to domain account credentials via phishing and create multiple tiers of subdomains to perform malicious activities, such as redirecting users to landing pages that serve exploits. These subdomains, which direct traffic to malicious servers, are associated with trustworthy domains and do not affect the working of their parent domains in any manner. Besides, subdomains linked to a single domain are rapidly rotated by the attackers, which makes their detection quite difficult.

▪ Mouse Hovering

This is a relatively new technique for infecting systems with malware. Attackers send spam emails to target users with a Microsoft PowerPoint file attachment with a .PPSX or .PPS extension. When users download and open the malicious file, the embedded malware runs as soon as they hover the mouse pointer over hyperlinked text or an image in the file, without requiring a click.

Malware investigative SW – Pestudio
The goal of pestudio is to spot artifacts in executable files in order to ease and accelerate malware initial assessment. The tool is used by Computer Emergency Response Teams (CERTs), Security Operations Centers (SOCs), and labs worldwide.
Features:
▪ Retrieves metadata and spots anomalies within a malicious file
▪ Detects embedded files and collects imports, exports, strings, etc.
▪ Provides hints and indicators
▪ Transforms raw data into information
▪ Runs static analysis in batch mode as well as in interactive mode
▪ Consumes XML configuration files and creates XML reports
▪ Provides MITRE ATT&CK indicators and retrieves scores from VirusTotal

windows startup Folders
▪ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (all users)
▪ C:\Users\<UserName>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (per user)

Windows Event Log
Windows event logs are stored in the C:\Windows\System32\winevt\Logs folder with a .evtx extension.

Windows Event IDs
▪ Event ID 4688 Malware often drops an .exe file onto the file system to compromise a machine. Event ID 4688, which is generated whenever a new process is created, helps forensic investigators look for suspicious process names or process paths resulting from malware execution.

Malicious process names are often deliberately misspelled, such as "scvhost.exe" instead of "svchost.exe," or "iexplorer.exe" instead of "iexplore.exe" (or "explorer.exe"). Any Windows process running from an unusual path should also be investigated, such as C:\Windows\svchost.exe instead of C:\Windows\System32\svchost.exe.
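Worked example (added here; this is not code from the course material): a small Python triage routine that applies the two checks above to 4688-style records, flagging a known system binary running outside its expected directory and a process name that is one edit away from a well-known binary name. The expected-path table and the sample records are assumptions constructed for illustration, not real log data.

```python
"""Triage Windows Security event 4688 (process creation) records for two
signs of malware: lookalike process names and system binaries running from
unexpected paths. Added example; the sample records are constructed."""
import ntpath

# Assumed expected directories for commonly impersonated binaries
# (64-bit Windows installed on C:); extend this with your own baseline.
EXPECTED_PATHS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: one substitution, insertion, deletion
    or adjacent transposition (scvhost vs svchost) costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def triage_process(new_process_name: str) -> list:
    """Return findings for one NewProcessName value (a full path)."""
    directory, name = ntpath.split(new_process_name.lower())
    findings = []
    if name in EXPECTED_PATHS:
        # Exact system binary name: only its location can be wrong.
        if directory != EXPECTED_PATHS[name]:
            findings.append(f"{name} running from unexpected path {directory}")
        return findings
    # Unknown name: is it one typo away from a system binary?
    for known in EXPECTED_PATHS:
        if edit_distance(name, known) == 1:
            findings.append(f"{name} is a lookalike of {known}")
    return findings


def triage_events(events) -> list:
    """events: iterable of dicts with EventID, TimeCreated and NewProcessName
    (the fields an EVTX parser hands back). Only event 4688 is examined."""
    results = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        for finding in triage_process(ev["NewProcessName"]):
            results.append((ev.get("TimeCreated"), finding))
    return results


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2023-05-14T09:30:01Z",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4688, "TimeCreated": "2023-05-14T09:31:12Z",
     "NewProcessName": r"C:\Windows\svchost.exe"},
    {"EventID": 4688, "TimeCreated": "2023-05-14T09:32:45Z",
     "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\scvhost.exe"},
    {"EventID": 4688, "TimeCreated": "2023-05-14T09:33:07Z",
     "NewProcessName": r"C:\Users\bob\Downloads\iexplorer.exe"},
    {"EventID": 4689, "TimeCreated": "2023-05-14T09:33:09Z",
     "NewProcessName": r"C:\Windows\svchost.exe"},   # process exit: ignored
]

if __name__ == "__main__":
    for when, finding in triage_events(SAMPLE_EVENTS):
        print(when, finding)
```

The routine reports four findings for the sample: the svchost.exe outside System32, the scvhost.exe lookalike, and two for iexplorer.exe (it is one edit from both iexplore.exe and explorer.exe). Feed it records exported from the Security log to apply the same checks at scale.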

▪ Event ID 5156 This event is generated when the Windows Filtering Platform allows a connection between a program and another process on the same or a remote computer over TCP or UDP. During dynamic malware analysis, this event can be the key to identifying where the malware connects. Investigators can use the event description to identify the following details:

o Application Name The full path of the executable that made or accepted the connection

o Direction Whether the allowed connection was inbound or outbound

o Source Address / Destination Address For an outbound connection the destination address is the remote host the malware contacted; for an inbound connection the destination is the local host and the source address is the remote peer

o Source Port / Destination Port The port numbers on each end of the connection

▪ Event ID 7045 (and 4697) and 4657

Installation of a new service is normally a planned event. An attacker may try to maintain control over an infected system by creating a persistent malicious service that survives reboots.

The attacker can also achieve persistence by modifying certain registry keys, inserting the malicious payload into the list of programs executed at startup (such as the Run keys). Hence, any unexpected service installation (System log event 7045, or Security log event 4697) or anomalous registry value modification (Security log event 4657, which requires registry object auditing to be enabled) should be treated as suspicious and investigated further.

Note: On Windows Server 2016 and 2019 (and Windows 10), enabling Audit Security System Extension under Advanced Audit Policy Configuration generates Security event 4697, which records the same service-installation details as System event 7045.

▪ Event ID 4660 and 4663

Once executed, malware may attempt to access, modify, or delete files and folders on the compromised system. Investigators should therefore monitor event ID 4660, which is generated on the deletion of an object (a kernel, file system, or registry object). Both events require object access auditing and a SACL on the objects of interest.

As event 4660 does not contain the name of the deleted object, investigators need to correlate it (by Handle ID) with event 4663, which confirms that an access right was actually exercised and records the name and type of the object, the account name, and the process that accessed it. Event 4663 is also useful for tracking other access requests, such as ReadAttributes, WriteAttributes, READ_CONTROL, and DELETE.

▪ Event ID 7036 and 7040

Malware may also disable vital Windows protection services, such as Windows Defender, Windows Firewall, or a third-party antivirus, to maintain persistence on the target system. System log event 7036 records a service entering the running or stopped state, and event 7040 records a change to a service's start type (for example from Automatic to Disabled); monitoring both for protection services lets an investigator spot such tampering.

Malware Analysis: Dynamic
Two approaches to dynamic malware analysis:

Monitoring Host Integrity:

It involves taking snapshots of the system state using the same tools before and after the analysis to detect changes made to the entities residing in the system.

Observing Runtime Behavior:

It involves live monitoring the behavior of the chosen malware as it runs on the system

Process Monitor
Process Monitor (Sysinternals) is a Windows tool that shows real-time file system, registry, and process/thread activity; it combines the features of two earlier Sysinternals utilities, Filemon and Regmon.

Port monitoring: the following command lists listening ports and connections established to unknown or suspicious IP addresses (add -o, i.e. netstat -ano, to include the owning process ID so each connection can be tied back to a process):

netstat -an
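Added example (not part of the course notes): a Python parser for the output of netstat -ano that picks out active or attempted connections to hosts outside the analysis network and keeps the owning PID, so each hit can be matched against Process Monitor or event 4688. The sample output is constructed in netstat's format using documentation IP addresses; the list of "internal" networks is an assumption for a typical lab.

```python
"""Parse `netstat -ano` output (Windows) and flag connections to addresses
outside the analysis network. Added example; the output below is constructed
to look like netstat's format and is not a real capture."""
import ipaddress

# Constructed sample output, not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49713        127.0.0.1:8080         ESTABLISHED     1234
  TCP    192.168.1.20:49712     203.0.113.45:443       ESTABLISHED     4120
  TCP    192.168.1.20:49800     198.51.100.7:4444      SYN_SENT        4120
  TCP    [::1]:49801            [::1]:445              ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    2100
"""

# Assumed "internal" ranges for the lab: anything else is treated as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32",     # loopback, link-local, unspecified
    "::1/128", "fe80::/10", "::/128")]


def split_endpoint(endpoint: str):
    """'203.0.113.45:443' -> ('203.0.113.45', 443); '[::1]:445' -> ('::1', 445);
    '*:*' -> (None, None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host in ("", "*") or port == "*":
        return None, None
    return host, int(port)


def parse_netstat(text: str) -> list:
    """Return one dict per connection row; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank or title lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue                      # malformed row, skip it
        rhost, rport = split_endpoint(foreign)
        rows.append({"proto": proto, "local": local, "remote_host": rhost,
                     "remote_port": rport, "state": state, "pid": int(pid)})
    return rows


def is_external(host) -> bool:
    """True when the address is not inside any INTERNAL_NETWORKS range."""
    if host is None:
        return False
    ip = ipaddress.ip_address(host)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def suspicious_connections(text: str) -> list:
    """Return (pid, remote_host, remote_port, state) for established or
    attempted (SYN_SENT) connections to external hosts."""
    hits = []
    for row in parse_netstat(text):
        if row["state"] in ("ESTABLISHED", "SYN_SENT") and is_external(row["remote_host"]):
            hits.append((row["pid"], row["remote_host"], row["remote_port"], row["state"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_connections(SAMPLE_NETSTAT):
        print("PID %d -> %s:%d (%s)" % hit)
```

Run the script against saved output (netstat -ano > netstat.txt) taken at intervals during the malware run; the SYN_SENT entry in the sample is the kind of half-open beacon to a command-and-control port that only shows up if you sample while the connection attempt is in progress.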

SIM File System
▪ Master File (MF)

The MF is the root of the file system; it contains one or more DFs and may also contain EFs directly. It is identified by the reserved 2-byte file identifier 3F00.

▪ Dedicated File (DF)

DFs (directories) sit below the MF in the hierarchy. A DF contains only a header, which holds information about the file structure and security attributes; like the MF, each DF is addressed by a 2-byte file identifier.

▪ Elementary File (EF)

EFs sit below a DF (or directly below the MF). An EF has both a header and a body; the body holds the actual data in one of three structures: transparent (a single byte string), linear fixed (records of equal length), or cyclic (fixed-length records written in a ring).
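Added example (not from the course material): a Python model of the MF/DF/EF hierarchy above, plus decoding of two transparent EFs that a logical SIM extraction returns, the ICCID and the IMSI. The file identifier numbering rule and the EF_ICCID/EF_IMSI byte layouts follow GSM 11.11 / 3GPP TS 51.011; the sample EF contents are constructed and do not belong to a real card.

```python
"""Model of the SIM file hierarchy (MF -> DF -> EF) and decoding of the
transparent EFs EF_ICCID and EF_IMSI. Added example; FID rules and EF layouts
follow GSM 11.11 / 3GPP TS 51.011, byte strings are constructed."""

MF = 0x3F00          # reserved identifier of the Master File
DF_GSM = 0x7F20      # Dedicated File holding GSM network data
EF_ICCID = 0x2FE2    # EF directly under the MF: card serial number
EF_IMSI = 0x6F07     # EF under DF_GSM: subscriber identity


def fid_kind(fid: int) -> str:
    """Classify a 2-byte file identifier by its high byte: the high byte says
    whether it is the MF, a DF, or an EF, and at which level it lives."""
    if fid == MF:
        return "MF"
    return {0x7F: "DF (level 1, under MF)", 0x5F: "DF (level 2)",
            0x2F: "EF (under MF)", 0x6F: "EF (under a level-1 DF)",
            0x4F: "EF (under a level-2 DF)"}.get(fid >> 8, "unknown")


def valid_select_path(path) -> bool:
    """A SELECT path must start at the MF, descend through DFs, and end at an
    EF that belongs to the level it is selected from."""
    if not path or path[0] != MF:
        return False
    depth = 0                       # 0 = at MF, 1 = in level-1 DF, 2 = level-2 DF
    for i, fid in enumerate(path[1:], start=1):
        hi = fid >> 8
        if hi == 0x7F and depth == 0:
            depth = 1
        elif hi == 0x5F and depth == 1:
            depth = 2
        elif hi == {0: 0x2F, 1: 0x6F, 2: 0x4F}[depth]:
            return i == len(path) - 1   # an EF must be the last element
        else:
            return False
    return False                    # path ended on a DF, no EF selected


def swapped_bcd(data: bytes) -> str:
    """Decode swapped-nibble BCD: low nibble first, then high nibble; 0xF pads."""
    digits = []
    for byte in data:
        for nib in (byte & 0x0F, byte >> 4):
            if nib != 0xF:
                digits.append(str(nib))
    return "".join(digits)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which the last ICCID digit must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_iccid(ef_body: bytes) -> str:
    """EF_ICCID is 10 bytes of swapped BCD; the last digit is a Luhn check digit."""
    iccid = swapped_bcd(ef_body[:10])
    if not luhn_valid(iccid):
        raise ValueError("ICCID fails Luhn check: " + iccid)
    return iccid


def decode_imsi(ef_body: bytes) -> str:
    """EF_IMSI: byte 0 = length; byte 1 = parity flag (bit 4) plus first digit
    in the high nibble; the remaining bytes are swapped BCD."""
    length = ef_body[0]
    body = ef_body[1:1 + length]
    imsi = str(body[0] >> 4) + swapped_bcd(body[1:])
    odd_flag = bool(body[0] & 0x08)
    if odd_flag != (len(imsi) % 2 == 1):
        raise ValueError("IMSI parity flag disagrees with digit count")
    return imsi


# Constructed EF contents (not from a real card):
# ICCID 8901260123456789011 and IMSI 310150123456789.
SAMPLE_EF_ICCID = bytes.fromhex("981062103254769810f1")
SAMPLE_EF_IMSI = bytes.fromhex("083901511032547698")

if __name__ == "__main__":
    print(fid_kind(MF), fid_kind(DF_GSM), fid_kind(EF_IMSI))
    print("path MF/DF_GSM/EF_IMSI valid:", valid_select_path([MF, DF_GSM, EF_IMSI]))
    print("ICCID:", decode_iccid(SAMPLE_EF_ICCID))
    print("IMSI :", decode_imsi(SAMPLE_EF_IMSI))
```

The parity and Luhn checks are there because extraction tools sometimes hand back raw EF bytes; a decode that silently produces digits from a truncated or misaligned read is worse than one that fails loudly.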

Jailbreaking
Tethered Jailbreak:

The device must be connected to a computer and re-jailbroken with the jailbreak tool on every boot; without the computer it will not boot into a usable state.

Untethered Jailbreak:

The device can be rebooted freely and comes back up jailbroken without any external help.

Semi-tethered Jailbreak:

The device can reboot on its own, but boots into an unjailbroken state; the jailbreak must be re-applied with a computer to get the jailbreak features back.

Semi-untethered Jailbreak:

Like semi-tethered, the device boots unjailbroken after a restart, but the jailbreak is re-applied by running an app on the device itself, with no computer required.

Application Framework
o Package Manager: Tracks the APKs installed on the mobile device
o Activity Manager: Controls the life cycle of the applications running on the device
o Window Manager: Manages which windows are displayed and how they are displayed on screen
o Content Providers: Allow applications to share data with each other
o Telephony Manager: Controls and manages the calls made from the device
o Location Manager: Provides the location of the Android device using GPS or cell-tower data
o Resource Manager: Manages the various types of resources used by applications, such as strings, color settings, and user interface layouts
o Notification Manager: Allows applications to display alerts and notifications on the screen

Get IMEI on Android
*#06#

Cellebrite UFED Logical Analyzer
The Cellebrite UFED Logical Analyzer extracts and analyzes data from mobile devices. It has a built-in SIM reader that lets it obtain data such as call logs, phonebooks, SMS messages, the IMSI, and the ICCID. The device also supports SIM card cloning.

XRY LOGICAL
XRY Logical is a software-based solution, shipped with the hardware required for the forensic investigation of mobile devices. It analyzes a wide range of mobile phones and recovers data through a forensically sound examination process. It enables investigators to perform logical data acquisition on mobile phones.

Paraben’s E3 DS
Paraben’s E3 DS is a mobile forensic acquisition and analysis tool for cell phones, smartphones, tablets, and GPS devices which supports both logical and physical acquisition of data. It also allows one to perform cloud data acquisition from mobile devices.

IoT Architecture
▪ Edge Technology Layer This layer consists of all the hardware parts, such as sensors, RFID tags, readers (or soft sensors), and the device itself. These entities are the primary data sources deployed in the field for monitoring or sensing various phenomena. The layer plays an important role in data collection and in connecting devices to one another within the network and to the server.

▪ Access Gateway Layer This layer helps bridge the gap between two end points, such as a device and a client. The very first data handling also takes place in this layer. It carries out message routing, message identification, and subscription.

▪ Internet Layer

This is one of the crucial layers within the IoT architecture, as it serves as the main component in communicating between two end points. The communication can be between two devices, or any device connected to a cloud, or between a device and any local gateway service; it may also involve backend data sharing.

▪ Middleware Layer

This is one of the most critical layers in the two-way mode. As the name suggests, this layer sits in the middle of the application layer and the hardware layer, thus behaving as an interface between these two layers. It is responsible for important functions such as data management, device management, and various issues such as data analysis, data aggregation, data filtering, device information discovery, and access control.

▪ Application Layer

This layer, placed at the top of the stack, is responsible for the delivery of services to the respective users from different sectors such as building, industrial, manufacturing, automobile, security, and healthcare

IoT Top 10 Vulnerabilities (the list follows the OWASP IoT Top 10, 2018)

  1. Weak, Guessable, or Hardcoded Passwords

Attackers can use easy-to-guess or publicly available passwords to gain access to the systems. Backdoors in device firmware or client software likewise grant unauthorized access to deployed systems.

  2. Insecure Network Services

Vulnerable network services on an Internet-connected device can compromise the confidentiality, integrity/authenticity, or availability of information, and/or allow an attacker unauthorized remote control.

  3. Insecure Ecosystem Interfaces

Components outside the device itself, such as backend APIs, cloud, or mobile interfaces, can compromise the device if proper security controls are not in place. Common issues include a lack of authentication/authorization, weak or missing encryption, and a lack of input and output filtering.

  4. Lack of Secure Update Mechanism

This includes a lack of firmware validation on the device, a lack of secure delivery, a lack of anti-rollback mechanisms, and a lack of notifications about security changes caused by updates.

  5. Use of Insecure or Outdated Components

The use of insecure software components or libraries, such as insecure customization of operating system platforms and use of third-party software or hardware components, can allow the device to be compromised.

  6. Insufficient Privacy Protection

Personal or confidential data stored on the systems can be misused if it is not protected with encryption or other protection mechanisms.

  7. Insecure Data Transfer and Storage

Sensitive data at rest on the device or in transit over the network must be encrypted properly.

  8. Lack of Device Management

When no proper security mechanisms are applied to devices deployed in a production environment, they become more vulnerable to attack.

  9. Insecure Default Settings

Devices shipped with default configurations are exposed to attack. Moreover, allowing users to modify the configuration of devices can pose security risks.

  10. Lack of Physical Hardening

With no physical hardening measures in place, attackers with physical access can gain unauthorized access to sensitive information stored on a device.

Exploiting HVAC
Attackers exploit heating, ventilation, and air conditioning (HVAC) system vulnerabilities to steal confidential information such as user credentials and perform further attacks on the target network

Rolling Code
An attacker jams and sniffs the signal to obtain the code transferred to the vehicle’s receiver and uses it to unlock and steal the vehicle

DDoS Attack
An attacker turns compromised devices into a botnet and uses it to flood a specific system or server, making it unable to provide services

BlueBorne Attack
Attackers connect to nearby devices and exploit vulnerabilities in the Bluetooth protocol to compromise the device

Sybil Attack
An attacker uses multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and network

Exploit Kits
A malicious script used by the attackers to exploit poorly patched vulnerabilities in an IoT device

Forged Malicious Device
Attackers replace authentic IoT devices with malicious devices if they have physical access to the network

Side Channel Attack
Attackers extract information about encryption keys by observing signals the IoT device emits through "side channels" such as power consumption, timing, or electromagnetic radiation

Techniques to bypass a WAF

Mix upper- and lower-case characters in the payload (e.g. sElEcT) so that a case-sensitive signature does not match while the target still interprets the keyword.

ETI investigation can be used to show that individuals commit crimes in furtherance of the criminal enterprise. What does ETI stands for?

Enterprise Theory of Investigation

Ethical Trading Initiative

Ethical Theory of Investigation

Enterprise Technical Investigation

Enterprise Theory of Investigation

A methodical series of techniques and procedures for gathering evidence from computing equipment and various storage devices and digital media is referred to as computer forensics. The person who is responsible for authorizing a policy or procedure for the investigation process is referred to as:

Expert Witness

Evidence Manager

Decision Maker

Incident Analyzer

Decision Maker

It is essential to understand the laws that apply to the investigation, including internal organizational policies, before starting the investigation process. Which of the following describes Federal Rule of Evidence 901?

Prohibits malicious mischief

Relevant evidence generally admissible; Irrelevant evidence inadmissible

Requirement of authentication or identification

Evidence of character and conduct of witness

Requirement of authentication or identification

Which of the following is a legal document that demonstrates the progression of evidence as it travels from original evidence location to the forensic laboratory?

Chain of Custody

Origin of Custody

Evidence Document

Evidence Examine

Chain of Custody

John is a Forensic Investigator working for Rodridge Corp. He started investigating a forensic case and has collected some evidence. Now John wants to use this evidence for further analysis. What should John do?

He should use the original evidence he has collected and proceed with the analysis process

He should not use the original evidence he has collected

He should send the report for further analysis

He should not use the evidence he has collected and use some other’s evidence report

He should not use the original evidence he has collected (analysis is performed on a verified forensic copy so that the original stays unaltered)

The digital evidence must have some characteristics to be disclosed in the court of law. The statement “Evidence must be related to the fact being proved”, defines which characteristic?

Believable

Reliable

Admissible

Authentic

Admissible

Digital evidence is circumstantial, which makes it difficult for a forensics investigator to trace the system’s activity. Identify the nature of digital evidence:

Sturdy

Unbreakable

Strong

Fragile

Fragile

Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form”. Which type of digital data contains system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, and command history?

Volatile Data

Non-volatile Data

Transient Data

Active Data

Volatile Data

Which type of digital data is used for secondary storage and persists long-term?

Non-volatile Data

Volatile Data

Transient Data

Temporarily Accessible Data

Non-volatile Data

Which type of digital data remains on a computer after a document file is deleted and allows the file to be recovered until its space is reused?

Metadata

Residual Data

Archival Data

Transient Data

Residual Data

Rules of evidence govern whether, when, how, and for what purpose proof of a case may be placed before a trier of fact for consideration. In the Federal Rules of Evidence, which rule covers the admissibility of duplicates?

Rule 1002

Rule 1004

Rule 1003

Rule 1001

Rule 1003

The Scientific Working Group on Digital Evidence (SWGDE) has defined standards and criteria for the exchange of digital evidence. Which of these SWGDE standards and criteria states that "Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner"?

Standards and Criteria 1.3

Standards and Criteria 1.1

Standards and Criteria 1.2

Standards and Criteria 1.4

Standards and Criteria 1.3

Different types of electronic devices are used for collecting potential evidence to investigate a forensic case. In which of these electronic devices is evidence found in the form of an address book, notes, appointment calendars, phone numbers, and email?

Digital Watches

Global Positioning Systems (GPS)

Copiers

Scanner

Digital Watches

Analysis is the process of interpreting the extracted data to determine its significance to the case. The result of which analysis may indicate additional steps that need to be taken in the extraction and analysis processes?

Timeframe Analysis

Data Hiding Analysis

Application and File Analysis

Ownership and Possession Analysis

Application and File Analysis

“Under no circumstances should anyone, with the exception of qualified computer forensics personnel, make any attempts to restore or recover information from a computer system or device that holds electronic information”.The above statement is valid for which of the following rule:

First response rule

Second response rule

Evidence response rule

Forensic response rule

First response rule

When collecting evidence, the collection should proceed from the most volatile to the least volatile. From the given list, identify which one of the following is least volatile:

Registers, cache

Archival media

Temporary file systems

Disk or other storage media

Archival media

Mike is a Computer Forensic Investigator. He got a task from an organization to investigate a forensic case. When Mike reached the organization to investigate the place, he found that the computer at the crime scene was switched off. In this scenario, what do you think Mike should do?

He should turn on the computer

He should leave the computer off

He should turn on the computer and extract the data

He should turn on the computer and should start analyzing it

He should leave the computer off

In Forensic Investigation all evidence collected should be marked as exhibits using the exhibit numbering format. The format of exhibit numbering is aaa/ddmmyy/nnnn/zz. Identify what is zz in the exhibit number format:

Initials of the Forensic Analyst or Law Enforcement Officer seizing the equipment

The sequence number for parts of the same exhibit (e.g. ‘A’ – could be the CPU, ‘B’ – the Monitor, ‘C’ – the keyboard etc.)

The date of the seizure

Sequential number of the exhibits seized by aaa- starting with 001 and going to nnnn

The sequence number for parts of the same exhibit (e.g. ‘A’ – could be the CPU, ‘B’ – the Monitor, ‘C’ – the keyboard etc.)

A Computer Forensics Lab (CFL) is a designated location for conducting computer based investigation on the collected evidence. Identify which one of the following is not a good consideration for the structural design of a forensic lab:

It must be a secure place

It must be constructed with heavy materials

It must have windows in the lab’s exterior

It must not have any openings in the walls, ceilings, and floors

It must have windows in the lab’s exterior

The study of equipment to meet the human requirements of comfort without affecting the efficiency is defined as:

Ergonomics

Economics

Erlonomics

Erdynamics

Ergonomics

Platters are the round flat magnetic metal or ceramic disks in the hard disk that hold the actual data. A concentric circular ring on both sides of each platter is known as a track. Track numbering starts from which number?

-1

0

1

6

0

Which one of the following is the smallest allocation unit of a hard disk, consisting of a set of sectors (ranging from 2 to 32 or more, depending on the formatting scheme)?

Sector

Cluster

Track

Platter

Cluster

Booting refers to the process of starting or resetting operating systems when the user turns on a computer system. Cold boot is a type of booting, and is defined as the process of starting a computer from a powered-down or off state. Cold boot is also referred as:

Hard boot

Soft boot

Warm boot

None of the above

Hard boot

File system is a set of data types, which is employed for storage, hierarchical categorization, management, navigation, access, and recovering the data. Which type of file system is the one in which a number of systems (servers) have access to the same external disk subsystem?

Shared Disk File Systems

Special Purpose File Systems

Tape File Systems

Network File Systems

Shared Disk File Systems

Major file systems include FAT, NTFS, HFS, Ext2, Ext3, etc. Identify the correct statement for FAT file system:

Supports large storage media

Supports file system recovery

Does not support file system recovery

Supports large file names

Does not support file system recovery

Redundant Array of Inexpensive Disks (RAID) is a technology that uses multiple smaller disks simultaneously which functions as a single large volume. In which RAID level disk mirroring is done?

RAID Level 3

RAID Level 0

RAID Level 1

RAID Level 5

RAID Level 1

Which information can be easily modified or lost when the system is shut down or rebooted?

Volatile information

Non-volatile information

Both a and b

Neither a nor b

Volatile information

You can use the Windows built-in command-line utility nbtstat to view the NetBIOS name table cache. Which nbtstat switch shows the NetBIOS name table cache?

Nbtstat –ano

Nbtstat –r

Nbtstat –c

Nbtstat –s

Nbtstat –c

During live response, you can retrieve and analyze much of the information in the Registry, and the complete data during post-mortem investigation. Which of this registry Hive contains configuration information relating to which application is used to open various files on the system?

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

A system's audit policy is maintained in the Security hive, below the Policy\PolAdtEv key. The value is of data type REG_NONE and contains binary data into which the audit policy is encoded. The first 4 bytes (DWORD) of the binary data indicate whether auditing was enabled, and the DWORDs that follow give the status of each audit category. A category DWORD value of 02 means:

There is no auditing

Success events are audited

Failure events are audited

Both success and failure events are audited

Failure events are audited

Registry keys that track user activity can be found in the NTUSER.DAT hive. When a user performs a particular action, the LastWrite time of the corresponding key is updated, and some values also carry timestamp information in their value data. The SAM hive likewise records important dates for each local account in the binary F value (under SAM\Domains\Account\Users\<RID>), stored as 64-bit FILETIME objects. Which of the following statements is correct for bytes 24-31 of the F value?

Represent the last login date for the account

Represent the date that the password was last reset

Represent the account expiration date

Represent the date of the last failed login attempt

Represent the date that the password was last reset
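Added example (not part of the course notes): Python code that decodes the FILETIME stamps inside a SAM user key's F value at the offsets the notes describe (bytes 8-15 last login, 24-31 password last reset, 32-39 account expiration, 40-47 last failed login), handling the two special values 0 (not set) and INT64_MAX (never expires). The 80-byte F blob is constructed for the demonstration and does not come from a real account.

```python
"""Decode the 64-bit FILETIME stamps inside a SAM user key's binary F value
(SAM\\Domains\\Account\\Users\\<RID>\\F). Added example; the offsets are the
ones the study material lists and the F blob below is constructed."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF            # INT64_MAX: Windows' value for "never"

# Byte offsets of the FILETIME fields inside the F value.
F_TIMESTAMPS = {
    "last_login": 8,
    "password_last_reset": 24,
    "account_expires": 32,
    "last_failed_login": 40,
}


def filetime_to_datetime(ft: int):
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC. 0 means 'not
    set' and INT64_MAX means 'never'; both return None."""
    if ft == 0 or ft == NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_f_value(blob: bytes) -> dict:
    """Return the four timestamps as timezone-aware datetimes (or None)."""
    if len(blob) < 48:
        raise ValueError("F value too short: %d bytes" % len(blob))
    result = {}
    for name, offset in F_TIMESTAMPS.items():
        (ft,) = struct.unpack_from("<Q", blob, offset)   # little-endian uint64
        result[name] = filetime_to_datetime(ft)
    return result


def build_sample_f() -> bytes:
    """Constructed 80-byte F value with known timestamps (no real account)."""
    blob = bytearray(80)
    stamps = {
        "last_login": datetime(2023, 5, 14, 9, 30, 0, tzinfo=timezone.utc),
        "password_last_reset": datetime(2023, 1, 2, 8, 0, 0, tzinfo=timezone.utc),
        "last_failed_login": datetime(2023, 5, 14, 9, 29, 41, tzinfo=timezone.utc),
    }
    for name, dt in stamps.items():
        struct.pack_into("<Q", blob, F_TIMESTAMPS[name], datetime_to_filetime(dt))
    struct.pack_into("<Q", blob, F_TIMESTAMPS["account_expires"], NEVER)
    return bytes(blob)


if __name__ == "__main__":
    for name, value in parse_f_value(build_sample_f()).items():
        print("%-20s %s" % (name, value.isoformat() if value else "never / not set"))
```

The same filetime_to_datetime routine applies to any 64-bit FILETIME pulled from the registry or from $MFT timestamps; the constant 116444736000000000 (the FILETIME of the Unix epoch) is a handy sanity check when porting it.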

FTP stands for File Transfer Protocol, and an FTP server sends and receives files using FTP. Which description corresponds to FTP sc-status codes in the 1xx range?

Service ready in nnn minutes

Data connection already open-transfer starting

Positive Preliminary Replies

Positive Completion Replies

Positive Preliminary Replies

Among Linux validation methods, dcfldd is designed for forensic data acquisition and has validation options integrated, i.e. hash and hashlog. Which command is used at the shell prompt to create an MD5 hash output file during dcfldd data acquisition?

dcfldd if=/dev/sdk join=2M of=usbimg hash=md5 hashlog=usbhash.log

dcfldd if=/dev/sda split=2M of=usbimg hash=md5 hashlog=usbhash.log

dcfldd if=/dev/sda split=5M of=ldpimg hash=md5 hashlog=usbhash.log

dcfldd if=/dev/sdb | join –b 650m – image_sdb

dcfldd if=/dev/sda split=2M of=usbimg hash=md5 hashlog=usbhash.log

Forensic investigators use the built- in Linux command dd to copy data from a disk drive. The “dd” command can copy the data from any disk that Linux can mount and access. what is the syntax for copying one hard disk partition to another hard disk?

dd if=/dev/hda of=/dev/case5img1

dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror

dd if=/dev/hdc of=/home/sam/mycd. iso bs=2048 conv=notrunc

dd if=/dev/mem of=/home /sam /mem.bin bs=1024

dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror
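Added example (not from the course material): what the dcfldd hash=md5 hashlog=... options above do, written out in Python so the mechanics are visible: the source is copied block by block, every hash is updated with exactly the bytes written to the image, the digests are logged, and the finished image is re-hashed to verify it. The "evidence" is a constructed temporary file, not a real device; with a real failing disk dd's conv=noerror,sync pads unreadable blocks with zeros, which this example does not emulate.

```python
"""Forensic copy with hashing during acquisition, the way
`dcfldd ... hash=md5 hashlog=...` works, followed by verification of the
written image. Added example; the 'evidence' is a constructed temp file."""
import hashlib
import os
import tempfile

SAMPLE_DATA = bytes(range(256)) * 40 + b"end-of-evidence"   # constructed, 10255 bytes


def image_with_hash(src_path, dst_path, block_size=4096,
                    algorithms=("md5", "sha256"), hashlog=None):
    """Copy src to dst block by block, updating every hash on the same bytes
    that are written, so the digests describe exactly what is in the image.
    Returns {algorithm: hexdigest} and optionally writes them to hashlog."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
    digests = {alg: h.hexdigest() for alg, h in hashers.items()}
    if hashlog:
        with open(hashlog, "w") as log:
            for alg, hexdigest in digests.items():
                log.write("%s  %s\n" % (alg, hexdigest))
    return digests


def hash_file(path, algorithm="sha256", block_size=1 << 20) -> str:
    """Hash an existing file in chunks (the verification pass)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(digests: dict, image_path: str) -> bool:
    """Re-hash the finished image and compare against the digests recorded
    during acquisition; any mismatch means the copy is not usable as evidence."""
    return all(hash_file(image_path, alg) == hexdigest
               for alg, hexdigest in digests.items())


def expected_digest(algorithm: str) -> str:
    """Digest of the constructed source data, for checking the result."""
    return hashlib.new(algorithm, SAMPLE_DATA).hexdigest()


def demo() -> tuple:
    """Acquire the constructed evidence into a temp dir; return (digests, verified)."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "evidence.bin")
        img = os.path.join(workdir, "evidence.dd")
        with open(src, "wb") as f:
            f.write(SAMPLE_DATA)
        # block_size=512 does not divide the source evenly, so the last
        # partial block exercises the same path a real device's tail would.
        digests = image_with_hash(src, img, block_size=512,
                                  hashlog=os.path.join(workdir, "hash.log"))
        return digests, verify_image(digests, img)


if __name__ == "__main__":
    digests, ok = demo()
    for alg, hexdigest in digests.items():
        print(alg, hexdigest)
    print("image verified:", ok)
```

Recording more than one algorithm costs little and protects the acquisition against a later challenge to MD5 alone; the hash log should go into the case file alongside the chain of custody form.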

File deletion is a way of removing a file from a computer's file system. Below is a series of events that occur when a file is deleted in Windows. Identify which of the following does not occur when a file is deleted:

The first letter of a file name is replaced by a hex byte code E5h

Clusters in FAT are marked as used

Index field in MFT is marked with a special code in NTFS

The operating system marks the file’s name in the MFT with a special character that indicates that the file has been deleted

Clusters in FAT are marked as used

Hex searching allows you to search for repeating instances of data in Hex-format, and to save Hex-format data search strings to an XML file and reuse it in this or other cases. Hexadecimal (Hex) format includes pairs of characters in a base 16 numeric scheme. Identify the correct Hex format:

1-9 and a-f

0-9 and a-f

1-10 and a-e

0-8 and a-g

0-9 and a-f

A case is associated with a specific role, which is established by the administrator. The New Case wizard captures role and case settings. The New Case wizard displays the Role dialog box and the Case Options dialog box.“Once you select a role, you can change the role if needed”. Identify whether the above statement is true or false:

True

False

False

Source Processor automates and streamlines common investigative tasks that collect, analyze, and report on evidence. Which of this source processor module obtains drives and memory from a target machine?

Personal Information Module

Internet Artifacts Module

Acquisition Module

File Processor Module

Acquisition Module

Which of these attack techniques is the combination of a brute-force attack and a dictionary attack to crack a password?

Hybrid Attack

Rule-based Attack

Syllable Attack

Fusion Attack

Syllable Attack

Wireless communication is the transfer of information between two or more points that are not physically connected. Which of these wireless standards has a bandwidth of up to 54 Mbps and operates in the regulated 5 GHz frequency band?

802.11a

802.11b

Bluetooth

802.11n

802.11a

Scientific Working Group on Digital Evidence (SWGDE)
Principle 1 “In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system.”

Standards and Criteria 1.1 All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document.

Standards and Criteria 1.2

Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.

Standards and Criteria 1.3

Procedures used must be generally accepted in the field or supported by data gathered and recorded scientifically.

Standards and Criteria 1.4 The agency must maintain written copies of appropriate technical procedures.

Standards and Criteria 1.5

The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure.

Standards and Criteria 1.6

All activity related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.

Standards and Criteria 1.7

Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.

Rules of Evidence

  1. Understandable (clear)
  2. Admissible (related)
  3. Authentic
  4. Reliable
  5. Complete

Best Evidence Rule
The requirement that the original copy of a written agreement be submitted into evidence

First response rule

“Under no circumstances should anyone, with the exception of qualified computer forensics personnel, make any attempts to restore or recover information from a computer system or device that holds electronic information”.

The Association of Chief Police Officers (ACPO) Principles of Digital Evidence
▪ Principle 1

“No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data, which may subsequently be relied upon in court.

▪ Principle 2

In circumstances where a person finds it necessary to access original data held on a computer, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

▪ Principle 3

An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

▪ Principle 4

The person in charge of the investigation (case officer) has overall responsibility for ensuring that the law and these principles are adhered to.”

GLBA (Gramm-Leach-Bliley Act)
A U.S. law that requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information.

FISMA (Federal Information Security Modernization Act)
A framework requiring that companies have security controls in place.

ECPA (Electronic Communications Privacy Act)
Restricts the interception or monitoring of oral and wire communications unless the interception or monitoring is undertaken for a business purpose or by consent.

Employers may monitor employees’ emails and communications with some exemptions

GDPR (General Data Protection Regulation)
New European Union law on data protection and privacy for individuals.

Data Protection Act of 2018
This law regulates how personal information is used and protects against misuse of personal details.

Spinning HD Size (Physical)

Smallest to largest:

  • Sectors (fixed size)
  • Clusters
  • Tracks (rings around the platter; accessed one at a time; numbering begins at 0)

Data Density on a Hard Disk
Zone bit recording (or multiple zone recording)

CHS (Cylinder-Head-Sector) data addressing
The CHS addressing method addresses each physical block of data on a hard disk by specifying the cylinder (radius), head (platter side), and sector (angular position).

Disk performance
Data rate – the number of bytes per second the disk sends to the CPU.

Seek time – the amount of time required to send the first byte of the file to the CPU when requested.

Logical HD
Cluster:

  • Smallest logical storage unit
  • Set of 2–32 sectors
  • In FAT, clusters are linked to the file to keep track of its data.

Cluster Size:

  • Can be altered
  • Size depends on the disk partition size.
  • Larger size = lost space

Lost Cluster:

  • FAT file system error: the cluster is marked as used but is not allocated to any file.
  • Mainly the result of interrupted file activities (e.g. PC shut off)

CHKDSK

  • Windows tool that can repair logical file system errors (not physical)

MBR (Master Boot Record)

  • First sector (sector zero) of a data storage device (hard disk)
  • Info, location, size, and more stored in the MBR file
  • Almost always refers to the 512-byte boot sector (or partition sector) of a disk
  • MBR is used for:
    - Holding the partition table
    - Bootstrapping (booting) an OS
    - Recognizing individual media with a 32-bit signature

Structure of MBR:

  1. Master boot code or bootstrap – executable code for loading the OS. 446 bytes.
  2. Partition table – maintains data on all HD partitions and consists of a 64-byte data structure starting at offset 0x01BE.
  3. Disk signature – located at the end of the MBR and contains only 2 bytes; required by the BIOS during booting.
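Parsing the three MBR regions just listed (446-byte boot code, 64-byte partition table at 0x1BE, 2-byte boot signature at the end), plus the 32-bit disk identifier at 0x1B8 that the "32-bit signature" bullet refers to. This is an added example written for these notes, not code from the course; the sample MBR bytes are constructed, and the partition type names are well-known values rather than page content.

```python
import struct
from typing import Dict, Tuple

MBR_SIZE = 512
BOOT_CODE_SIZE = 446             # master boot code / bootstrap
DISK_ID_OFFSET = 0x1B8           # 32-bit disk identifier inside the boot code area
PARTITION_TABLE_OFFSET = 0x1BE   # 446 decimal; 4 entries x 16 bytes = 64 bytes
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE_OFFSET = 0x1FE    # last 2 bytes of the sector
BOOT_SIGNATURE = b"\x55\xAA"     # the 2-byte value the BIOS checks before booting
SECTOR_SIZE = 512

# Partition type codes an examiner meets often (well-known values, not from the notes)
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
                   0x83: "Linux", 0xEE: "GPT protective"}


def decode_chs(raw: bytes) -> Tuple[int, int, int]:
    """Unpack a 3-byte CHS field: head, 6-bit sector, 10-bit cylinder (high bits in byte 1)."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_partition_entry(entry: bytes) -> Dict:
    """Decode one 16-byte partition table entry (all multi-byte fields little-endian)."""
    boot_flag, chs_start, ptype, chs_end, lba_start, num_sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": boot_flag == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "chs_start": decode_chs(chs_start),
        "chs_end": decode_chs(chs_end),
        "lba_start": lba_start,
        "num_sectors": num_sectors,
        "size_bytes": num_sectors * SECTOR_SIZE,
    }


def parse_mbr(mbr: bytes) -> Dict:
    """Split a 512-byte MBR into boot code, disk identifier and the in-use partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[BOOT_SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    table = mbr[PARTITION_TABLE_OFFSET:BOOT_SIGNATURE_OFFSET]
    entries = [parse_partition_entry(table[i:i + PARTITION_ENTRY_SIZE])
               for i in range(0, len(table), PARTITION_ENTRY_SIZE)]
    return {
        "boot_code": mbr[:BOOT_CODE_SIZE],
        "disk_identifier": struct.unpack("<I", mbr[DISK_ID_OFFSET:DISK_ID_OFFSET + 4])[0],
        "partitions": [e for e in entries if e["type"] != 0x00],  # type 0x00 = unused slot
    }


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: one bootable NTFS partition at LBA 2048, 204800 sectors."""
    boot_code = b"\x00" * DISK_ID_OFFSET + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    assert len(boot_code) == BOOT_CODE_SIZE
    # CHS start (0,32,33) and CHS end (1023,254,63): the end value is the usual
    # "maxed out" CHS that matches the 1023-track ceiling noted later on this page
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF",
                        2048, 204800)
    empty = b"\x00" * PARTITION_ENTRY_SIZE
    return boot_code + entry + empty * 3 + BOOT_SIGNATURE


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr())["partitions"]:
        print(p)
```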

BIOS Parameter Block (BPB)
The data structure situated at sector 1 in the volume boot record of a hard disk and explains the physical layout of a disk volume.

  • Defines the file system structure
  • Can use the BPB to locate the file table on the hard drive.
  • The first cluster number of the MFT (Master File Table) is 0x030.

globally unique identifier (GUID)

  • 128-bit unique reference number, displayed as 32 hexadecimal digits
  • In the registry, used to identify COM (Component Object Model) objects and DLLs (Dynamic-Link Libraries)
  • In databases, GUIDs are primary key values
  • Sometimes websites use a GUID to record and track a user session
  • A GUID assigned to a username identifies the user account.

GUID Partition Table (GPT)

  • UEFI (Unified Extensible Firmware Interface) replaces legacy BIOS firmware
  • UEFI uses GPT to replace the MBR
  • Supports 128 partitions and uses 64-bit Logical Block Addresses (LBAs)
  • Supports maximum partition sizes from 2 TiB to 8 ZiB.
  • Provides primary and backup partition tables for redundancy.

RAID

  • RAID 0 (striping) – two or more hard drives (no redundancy, no recovery)
  • RAID 1 (mirroring) – two or more hard drives
  • RAID 5 (striping with parity) – three or more hard drives
  • RAID 10 – four hard drives, combining RAID levels 0 and 1 by forming a RAID 0 array from two RAID 1 arrays.

Trojan horse attack
An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric

Platter track numbering
Tracks are numbered starting at 0 (the outermost edge of the disk) and going up to the highest numbered track, typically 1023 (close to the center).

Cluster
A set of track sectors, ranging from 2 to 32 or more, depending on the formatting scheme in use.

Audit Policy
1 – Success events are audited

2 – Failure events are audited

3 – Both success and failure events are audited

4 – There is no auditing

List of FTP server return codes
1xx = Positive Preliminary reply
2xx = Positive Completion reply
3xx = Positive Intermediate reply
4xx = Transient Negative Completion reply
5xx = Permanent Negative Completion reply
6xx = Protected reply

Types of Data Acquisition
Dead Acquisition (Static Acquisition) – acquiring data that remains unaltered when the system is powered off or shut down.

Dead acquisition usually involves acquiring data from storage devices such as hard drives, DVD-ROMs, USB drives, flash cards, and smart phones.

Examples of static data: emails, Word documents, web activity, spreadsheets, slack space, unallocated drive space, and various deleted files.

Live Acquisition – collecting data from a system that is powered on.

When collecting evidence, an investigator needs to evaluate the order of volatility of data depending on the suspect machine and the situation.

  1. Registers, processor cache: The information in the registers or the processor cache on the computer exists for nanoseconds. It is constantly changing and can be classified as the most volatile data.
  2. Routing table, process table, kernel statistics, and memory: The routing table, ARP cache, and kernel statistics reside in the ordinary memory of the computer. These are slightly less volatile than the information in the registers, with a life span of about ten nanoseconds.
  3. Temporary system files: Temporary system files tend to persist for a longer time on the computer compared to routing tables and ARP caches. These files are eventually overwritten or changed, sometimes seconds or minutes later.
  4. Disk or other storage media: Anything stored on a disk stays for a while. However, sometimes due to unforeseen events, these data can be erased or overwritten. Therefore, disk data may also be considered somewhat volatile, with a lifespan of some minutes.
  5. Remote logging and monitoring data related to the target system: Data that pass through a firewall cause a router or switch to generate logs. The system might store these logs elsewhere. These logs may overwrite themselves within an hour, a day, or a week. However, these are generally less volatile data.
  6. Physical configuration and network topology: Physical configuration and network topology are less volatile and have a longer life span than some other logs.
  7. Archival media: A DVD-ROM, a CD-ROM, or a tape contains the least volatile data because the digital information does not.

Hexadecimal Notation
The hexadecimal numeral system, also known as hex, is a numeral system with base 16.

In hexadecimal notation, 0–9 represent the values zero to nine, and the letters A, B, C, D, E, and F represent the values ten to fifteen.
Example: 2BA in hexadecimal is the same as 0010 1011 1010 in binary.

Hexadecimal notation allows easy use of powers of 2 instead of writing the whole value in binary.

EnCase software
Tree Pane – represents a structured view of all gathered evidence in a Windows-like folder hierarchy (cyclical in nature).

Physical Disk Emulator (PDE) – allows investigators to mount computer evidence as a local drive for examination through Windows Explorer.

Bookmarks get created – if more than one file is selected in the Entries table

Does NOT have built-in capabilities to view all file types.

Raw image files – a collection of files, but lack the integration of metadata and compression hash values that the EnCase evidence file provides.

A backup copy of the case file is saved every 10 minutes. Selecting which option disables the autosave function? – 0

On a new case, once a role is selected – YOU CANNOT CHANGE IT.

Doc tab (a tab on the View pane) – provides native views of formats supported by Oracle Outside In technology.

designed strictly for maintaining the integrity of evidence during data acquisition.

802.11a – 54 Mbps, 5 GHz

802.11b – 11 Mbps, 2.4 GHz, 140 meters

802.11g – 54 Mbps, 2.4 GHz

802.11n – 600 Mbps, 5 GHz and 2.4 GHz

Bluetooth – 3–300 ft depending on power

Evidence on routers

  • Configuration files

Unicode UTF-32
A characteristic of Unicode UTF-32 is that it is a fixed-width encoding.

Russian standard for media sanitizing
GOST P50739-95

Host integrity monitoring
the process of studying the changes that have taken place across a system or machine after a series of actions or incidents.

Python-based tool “oleid”
Used for analyzing suspicious MS Office documents on Linux

The Sleuth Kit (TSK) (a macOS tool)
The Sleuth Kit examines file systems and allows investigators to investigate volumes and file system data. The command to extract when directories were created and modified is fsstat.

  • The Sleuth Kit (TSK) is a library and a collection of command-line tools that allow the investigation of volume and file system data in a non-intrusive fashion.
  • It supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks.
  • It analyzes raw (i.e. dd), Expert Witness (i.e. EnCase), and AFF file systems and disk images
  • It supports the NTFS, FAT, ExFAT, UFS 1, UFS 2, ext2, ext3, ext4, HFS, ISO 9660, and YAFFS2 file systems

fsstat: the output of this command is file-system-specific and consists of information such as the file system type, volume ID, last mounted timestamps, and last mounted directory.

Command:

fsstat -i

Run the fls command to list the files and directories available in an image file. This command is also useful to view recently deleted files.

Command:

fls -i

Use the istat command to display the metadata of a file, such as MAC times, file size, and file access permissions, by specifying a particular inode number.

Command:

istat -f -i

MAC OS Tools

  • R-Studio (Recovering Deleted Partitions)
  • Data Rescue 4
  • EaseUS Data Recovery (Recovering Deleted Partitions, Data)

Which type of log-on event is created when a user logs on to a computer locally?
Interactive

QEMU disk image utility
Converts a dd image into a bootable VM

Acronis True Image, Active@ Disk Image, and AOMEI Backupper utilities

Create a full image backup

During a recent scan of a network, a network administrator sent ICMP echo 8 packets to each IP address being used in the network. The ICMP echo 8 packets contained an invalid media access control (MAC) address. Logs showed that one device replied with ICMP echo 0 packets.

What does the reply from the single device indicate?
The machine is in promiscuous mode.
Other computers are blocking ping packets.

Which web server log entry alerts a forensic investigator that a SQL injection attack occurred?
HEAD GET /login.asp?username=blah' or exec master..xp_cmdshell

Which web server log entry alerts a forensic investigator that a directory traversal attack occurred?
http://company_website.php/?file=../../../../etc/meanhackers

Components of Cellular Network

  • Mobile Switching Center (MSC): The switching system for the cellular network (can monitor information about calls and messages sent between wireless networks and landlines in a cellular network)
  • Base Transceiver Station (BTS): The radio transceiver equipment that communicates with mobile phones
  • Base Station Controller (BSC): Manages the transceiver equipment and performs channel assignment
  • Base Station Subsystem (BSS): Responsible for managing the radio network and is controlled by the Mobile Service Switching Center (MSC). It consists of the Base Station Controller (BSC), Base Transceiver Station (BTS), and Transcoder (TC).
  • Home Location Register (HLR): The database at the MSC. It is the central repository for subscriber data and service information.
  • Visitor Location Register (VLR): The database used in conjunction with the HLR for mobile phones roaming outside their service area

A forensic investigator is investigating an attack on a WordPress database. The investigator has already made a backup of the database from the MySQL server and needs to restore the data on the forensic investigator’s laptop.

Which command creates a database named wordpress?
Create database wordpress;

SysTools MailPro+
used to acquire Mozilla Thunderbird data

CloudTrail
collect the API call history for Amazon Web Service (AWS) accounts

extract the device activity from an Amazon Alexa while using the investigator’s laptop
adb pull

Forensic Investigation Process
A methodological approach to investigate, seize, and analyze digital evidence and manage the case.

  • Ensures the integrity of the evidence
  • Complies with local laws and established precedents.
  • Must follow a repeatable and well-documented set of steps.

Lab: building, funding, manpower, physical security, certification, etc.

Team: Small with necessary clearance. Some roles can be combined.

  • Photographer
  • Incident Responder: responsible for measures taken when an incident occurs.
  • Incident Analyzer: analyzes the incident based on its occurrence
  • Evidence Examiner/Investigator: acquires and sorts evidence.
  • Evidence Documenter
  • Evidence Manager: manages the evidence in such a way that it is admissible in a court of law
  • Evidence Witness: offers a formal opinion in the form of testimony in court.
  • Attorney: provides legal advice.

Search and Seizure:

  • Get consent, witness signatures, warrant.

Hard disk drive (HDD)
If you format an HDD or delete a file, the data is still there; all you do is remove the pointers. Over time, saving new data will overwrite it.

Tracks:

  • Concentric circles on platters where info is stored
  • Can be accessed one position at a time.
  • Numbered for ID purposes
  • Read/write is performed by moving the heads from the innermost to the outermost part of the disk.
  • Numbering starts at 0.
  • Track location is typically referred to by a “cylinder number” rather than a track number
  • A cylinder is the group of all tracks that start at the same head position on the disk.

Sectors:

  • Physical storage unit on the platter.
  • Each sector holds 512 bytes (for HDDs) or 2048 bytes (for CDs/DVDs). Some of the latest HDDs use 4096-byte (4 KB) sectors
  • Each sector is labeled using the factory track positioning data.
  • Optimal method is a contiguous series (next to each other)
  • 4K sectors on new HDDs: merge eight 512-byte sectors into a single sector by removing the gap, sync, and address marks on each 512-byte sector.

Sector Addressing:

  • Cylinders, heads, and sectors (CHS) determine the address of the individual sectors on the disk
  • When a disk is formatted, it is divided into tracks and sectors: for example, the formatted disk might contain 50 tracks, each of which is divided into 10 sectors
  • Track and sector numbers are used by the OS and disk drive to identify the stored information.
  • Disk capacity calculation: Total size of disk = # of cylinders × # of heads × # of sectors per track × 512 bytes per sector.

Density on a HDD:

  • Data is recorded using “zoned bit recording”, AKA “multiple zone recording”
  • With this, tracks are combined together in zones depending on their distance from the center of the disk.
  • Each “zone” is assigned a number of sectors per track.
  • Types of density: track (space between tracks), areal (bits per square inch), bit (bits per unit length).

HDD performance:

Data rate – the number of bytes per second that the HD sends to the CPU.

Seek time – the amount of time required to send the first byte of the file to the CPU when requested.

Solid State Drives:

  • NAND flash memory: floating-gate transistors providing non-volatile storage
  • Controller: processor acting as a bridge.
  • DRAM: volatile memory for faster read/write
  • Host interface: used to connect to the host machine.

fun fact
Nearly all computer numbering STARTS WITH 0

Essential Windows System Files
Ntoskrnl.exe – Executive and kernel

Ntkrnlpa.exe – Executive and kernel with support for Physical Address Extension (PAE)

Hal.dll – Hardware abstraction layer

Win32k.sys – Kernel-mode part of the Win32 subsystem

Ntdll.dll – Internal support functions and system service dispatch stubs to executive functions

Kernel32.dll, Advapi32.dll, User32.dll, Gdi32.dll – Win32 subsystem DLL files

NTFS System Files
$attrdef – Contains definitions of all system- and user-defined attributes of the volume
$badclus – Contains all the bad clusters
$bitmap – Contains the bitmap for the entire volume
$boot – Contains the volume’s bootstrap
$logfile – Used for recovery purposes
$mft – Contains a record for every file
$mftmirr – Mirror of the MFT used for recovering files
$quota – Indicates the disk quota for each user
$upcase – Converts characters into uppercase Unicode
$volume – Contains the volume name and version number

Encrypting File System (EFS)
A built-in feature of Windows. EFS uses symmetric key encryption technology combined with public key technology for encryption.
The user obtains a digital certificate with a pair of keys consisting of a public key and a private key.

A private key is not applicable for users logged in to local systems; instead, the system uses EFS to set a key for local users

Linux File System Architecture
Kernel Space – Highly protected due to direct access to Physical hardware.

Sparse File (NTFS)
In a sparse NTFS file, clusters are assigned only for the data that an application defines; for non-defined data, the file system marks the space as unallocated.

Filesystem Hierarchy Standard (FHS)
Defines the directory structure and directory contents in Linux distributions.

In FHS, all files and directories are present under the root directory (represented by /)

Linux journaling

  • Ensures data integrity
  • Records all updates on the system
  • Prevents data corruption by restoring data as it existed before the occurrence.
  • ext3, ext4, ZFS, and XFS are some examples of journaling file systems in Linux. Because of its stability, ext4 is the most commonly implemented file system on Linux systems.

Fourth Extended File System (ext4)

  • Supported from Linux kernel v2.6.19 onwards.
  • Newest file system, an upgrade to ext3.

Apple File System (APFS)
Two layers:

Container layer – organizes the system layer and stores higher-level info.

File system layer – made up of structures that store info such as file metadata, file content, and directory structures.

File System Analysis Using Autopsy

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit (TSK) and other digital forensics tools. It can be used to investigate activities on a computer.

Recovering Deleted Files from Hard Disks using WinHex

WinHex is a hexadecimal editor used for computer forensics, data recovery, low-level data processing, and IT security. It is mainly used to inspect and edit all types of files and to recover deleted files or lost data from hard drives with corrupt file systems or from memory cards of digital cameras.

Data Acquisition
Logical Acquisition:

  • Logical acquisition allows an investigator to capture only selected files or file types of interest to the case.
  • Examples of logical acquisition include:
  1. Email investigation that requires collection of Outlook .pst or .ost files
  2. Collecting specific records from a large RAID server.

Sparse Acquisition

  • Sparse acquisition is similar to logical acquisition but in addition collects fragments of unallocated data, allowing investigators to acquire deleted files.
  • Use this method when inspection of the entire drive is not required.

Bit-stream disk-to-image file

  • It is the most common method used by forensic investigators
  • The created image file is a bit-by-bit replica of the suspect drive
  • Tools used: ProDiscover, EnCase, FTK, The Sleuth Kit, X-Ways Forensics, etc.

Bit-stream disk-to-disk

  • Disk-to-image copying is not possible in situations where:
    - The suspect drive is very old and incompatible with the imaging software
    - The investigator needs to recover credentials used for websites and user accounts.
  • To overcome this situation, investigators can create a disk-to-disk bit-stream copy of the target media
  • While creating a disk-to-disk copy, investigators can adjust the target disk’s geometry (its head, cylinder, and track configuration) to align with the suspect drive. This results in a smooth data acquisition process.
  • Tools used: EnCase, Tableau Forensic Imager, etc.

Raw Format

  • Raw format creates a bit-by-bit copy of the suspect drive. Images in this format are usually obtained by using the dd command (dd = carbon copy).

Advantages:

  • Fast data transfer
  • Ignores minor read errors
  • Read by most forensic tools

Disadvantages:

  • Requires the same amount of storage as the original.
  • Some tools (mostly open source) might fail to recognize/collect marginal (bad) sectors from the suspect drive.

Proprietary Format

  • Commercial forensics tools acquire data from the suspect drive and save the image files in their own formats.
  • Can compress
  • Split the image into segments
  • Ability to incorporate metadata into the image file, including date and time of acquisition, hash, and case details.

Advanced Forensics Format (AFF)

Advanced Forensics Format is an open source acquisition format with the following design goals:

  • No size limitation for disk-to-image files
  • Option to compress the image files
  • Allocates space to record metadata of the image files or segmented files
  • Simple design and customizable
  • Accessible through multiple computing platforms and OSes
  • Internal consistency checks for self-authentication
  • File extensions include .afm for AFF metadata and .afd for segmented image files.

Advanced Forensic Framework 4 (AFF4)

  • Redesigned to handle large numbers of disk images
  • Basic object types: volumes, streams, and graphs
  • Allows storage of disk-image data
  • Stores more kinds of info in the file
  • Offers a unified data model.

Data Acquisition Methodology

  1. Determining the data acquisition method
  2. Determining the data acquisition tool
  3. Sanitizing the target media.

The following are some standards for sanitizing media:

  • Russian Standard, GOST P50739-95 (6 passes): A wiping method that writes zeros in the first pass and then random bytes in the next pass
  • (German) VSITR (7 passes): This method overwrites in 6 passes with alternate sequences of 0x00 and 0xFF, and with 0xAA in the last (7th) pass
  • (American) NAVSO P-5239-26 (MFM) (3 passes): A three-pass overwriting algorithm that verifies in the last pass
  • (American) DoD 5220.22-M (7 passes): This standard destroys the data on the drive’s required area by overwriting with 010101 in the first pass, 101010 in the second pass, and repeating this process thrice. This method then overwrites that area with random characters, which is the 7th pass.
  • (American) NAVSO P-5239-26 (RLL) (3 passes): A three-pass overwriting algorithm that verifies in the last pass
  • NIST SP 800-88: The proposed NIST SP 800-88 guidance explains three sanitization methods: clear, purge, destroy

  4. Acquiring volatile data
  5. Enabling write protection on the evidence media – can use HW or SW to do this.
  6. Acquiring non-volatile data
  7. Planning for contingency (multiple copies of the suspect drive, multiple imaging tools (software), drive decryption).
  8. Validating data acquisition (hash value)

AccessData FTK Imager
A data preview and imaging tool. It can also create perfect copies (forensic images) of computer data without making changes to the original evidence.

When deleting files in FAT and NTFS
FAT:

When deleted, the first letter of the file name is replaced with the hex byte code E5h and the file is marked as unused.

Files are there until overwritten.

NTFS:

File marked as unallocated. Clusters marked as free in the $BitMap file.

Deleted file can be recovered if space is not allocated to another file.

File Carving

  • It is a technique to recover files and fragments of files from the hard disk in the absence of file system metadata
  • In this technique, file identification and extraction is based on certain characteristics such as the file header or footer rather than the file extension or metadata
  • A file header is a signature (also known as a magic number), which is a constant numeric or text value that determines a file format

Example:

  • A suspect may try to hide an image from being detected by investigators by changing the file extension from .jpg to .dll
  • However, changing the file extension does not change the file header, and analysis tells the actual file format

Example:

  • A file format is confirmed as .jpg if it shows “JFIF” in the file header and the hex signature “4A 46 49 46”
  • Investigators examine file headers to verify the file format using tools such as 010 Editor, CI Hex Viewer, Hexinator, Hex Editor Neo, Qiew, WinHex, etc.
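The header/footer carving described above, applied to the .jpg-renamed-to-.dll case: an added example written for these notes, not code from any of the tools listed. The JPEG/JFIF and PE magic numbers are real; the "unallocated space" blob it scans is constructed.

```python
from typing import Dict, List

# JFIF JPEG header: SOI marker FF D8, APP0 marker FF E0, 2-byte length, then "JFIF"
JPEG_HEADER = b"\xFF\xD8\xFF\xE0"
JFIF_TAG = b"JFIF"            # 4A 46 49 46, found at offset 6 of a JFIF file
JPEG_FOOTER = b"\xFF\xD9"     # EOI marker that ends a JPEG
MAX_CARVE = 20 * 1024 * 1024  # cap a carve when no footer is found (truncated file)


def is_jfif_header(data: bytes, offset: int) -> bool:
    """True if a JFIF JPEG starts at offset: SOI, APP0, 2-byte length, 'JFIF'."""
    return (data[offset:offset + 4] == JPEG_HEADER
            and data[offset + 6:offset + 10] == JFIF_TAG)


def identify_by_header(data: bytes) -> str:
    """Report the real format from the magic number, ignoring the file extension."""
    if is_jfif_header(data, 0):
        return "jpeg"
    if data[:2] == b"MZ":          # DOS/PE header that a genuine .dll would start with
        return "pe/dll"
    return "unknown"


def carve_jpegs(data: bytes) -> List[Dict]:
    """Scan raw bytes (unallocated space, a dd image) for JFIF headers; carve to EOI.

    Each result records the byte offset, the carved bytes and whether a footer
    was found. A header with no footer yields a capped, incomplete carve.
    """
    results = []
    pos = 0
    while True:
        pos = data.find(JPEG_HEADER, pos)
        if pos == -1:
            break
        if not is_jfif_header(data, pos):   # FF D8 FF E0 without "JFIF": skip it
            pos += 1
            continue
        end = data.find(JPEG_FOOTER, pos + len(JPEG_HEADER))
        if end == -1:
            results.append({"offset": pos, "data": data[pos:pos + MAX_CARVE],
                            "complete": False})
            break
        end += len(JPEG_FOOTER)
        results.append({"offset": pos, "data": data[pos:end], "complete": True})
        pos = end
    return results


def build_sample_blob() -> bytes:
    """Constructed unallocated-space blob: zeros, a tiny JFIF, 0xFF filler, a second JFIF."""
    jpeg1 = JPEG_HEADER + b"\x00\x10" + JFIF_TAG + b"\x00" + bytes(range(20)) + JPEG_FOOTER
    jpeg2 = JPEG_HEADER + b"\x00\x10" + JFIF_TAG + b"\x00" + b"\xAB" * 30 + JPEG_FOOTER
    return b"\x00" * 512 + jpeg1 + b"\xFF" * 100 + jpeg2 + b"\x11" * 64


if __name__ == "__main__":
    for hit in carve_jpegs(build_sample_blob()):
        # Whatever extension the file carried on disk, the header says what it is
        print(hit["offset"], len(hit["data"]), hit["complete"],
              identify_by_header(hit["data"]))
```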

PhotoRec is an open-source tool that uses data carving techniques to recover deleted files/lost data from a drive or an image file.

Alternate Data Streams (ADS)
Allows an attacker to hide any number of streams in one single file without modifying the file size, functionality, etc., except the file date. However, the file date can be modified using anti-forensics tools like TimeStomp.

Trail Obfuscation
Anti-forensic technique used to confuse, disorient, and divert the forensic examination process.

  • Log tampering
  • false email header
  • false timestamps
  • VPN

TimeStomp
Allows deletion or modification of timestamp-related information on files.

Artifact Wiping
Artifact wiping methods:

  1. Disk Wiping Utilities
  • Disk wiping involves erasing data from the disk by deleting its links to memory blocks and overwriting the memory contents.
  • Some of the commonly used disk wiping utilities include BCWipe Total WipeOut, CyberScrub cyberCide, DriveScrubber, ShredIt, etc.
  2. File Wiping Utilities
  • Deletes individual files and file table entries from an OS.
  • Some of the commonly used file wiping utilities include BCWipe, R-Wipe & Clean, CyberScrub Privacy Suite, etc.
  3. Disk Degaussing/Destruction
  • Disk degaussing is a process by which a strong magnetic field is applied to a storage device, resulting in a device entirely clean of any previously stored data
  • NIST recommends a variety of methods to accomplish physical destruction of digital media, which includes disintegration, incineration, pulverizing, shredding, and melting
  • Intruders use disk degaussing/destruction techniques to make the evidentiary data unavailable to forensic investigators.
  4. Disk Formatting
  • Formatting a hard drive does not erase the data present on the disk but wipes its address tables and unlinks all the files in the file system.

Windows commands
System time – date /t & time /t

nbtstat -c – shows the NetBIOS name cache table

nbtstat -a ipaddress

netstat -ano – shows listening TCP/UDP connections

tasklist /v – shows running processes.

pslist.exe – shows running processes

dir /o:d – the time and date of the OS installation

  • The service packs, patches, and subdirectories that automatically update themselves often, e.g. drivers, etc.

TCP 3-way handshake
The sender sends a SYN, the receiver sends a SYN-ACK, and the sender sends an ACK.

ESE Database File
A data storage technology used by various Microsoft software such as Active Directory, Windows Mail, Windows Search, and Windows Update Client.

The ESE is also referred to as JET Blue. ESE database files are denoted by the .edb extension.

Use the ESEDatabaseView tool to extract valuable evidence from .edb files. The tool displays the data stored in .edb files in a well-structured format that is easy to read and analyze.

Registry Analysis
Non-volatile:

HKEY_LOCAL_MACHINE – Config for system including HW and SW

HKEY_USERS – active loaded users.

Volatile:

HKEY_CLASSES_ROOT – config info for system applications.

HKEY_CURRENT_USER – Current logged on

HKEY_CURRENT_CONFIG – Hardware profile for startup.

Registry “cells”:

Key cell: It contains registry key information and includes offsets to other cells as well as the LastWrite time for the key.

Value cell: It holds a value and its data.

Subkey list cell: It is made up of a series of indexes pointing to key cells; these are all subkeys of the parent key cell.

Value list cell: It is made up of a series of indexes pointing to value cells; these are all values of a common key cell.

Security descriptor cell: It contains security descriptor information for a key cell.

Examine Cache, Cookie, and History Recorded in Web Browsers
Google Chrome:

History, downloads, and cookies location:

C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default

Cache location:

C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Cache

Analysis tools: ChromeCacheView, ChromeCookiesView, ChromeHistoryView

Mozilla Firefox:

Cache location: C:\Users\{username}\AppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\cache2

Cookies location: C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\cookies.sqlite

History location: C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\places.sqlite

Analysis tools: MZCacheView, MZCookiesView, MZHistoryView

Microsoft Edge:

Cookies location: C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxxxxxxx\AC\MicrosoftEdge\Cookies

Cache location: C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache

History location: C:\Users\Admin\AppData\Local\Microsoft\Windows\History

Analysis tools: IECacheView, EdgeCookiesView, BrowsingHistoryView

Examine Windows Files and Metadata
Forensic examination of restore point log files and prefetch files provides information such as MAC timestamps, file name, file size, number of times the application has been run, process name, etc., related to the installed/uninstalled applications.

Prefetch Files
File extension is .pf

Created by the Windows prefetcher to speed up application loading (and, with boot prefetching, the boot process) by recording which files a program touches during its first seconds of execution

When reviewed, can help determine which programs were executed, how many times, and when they last ran

Located at C:\Windows\Prefetch; file names have the form EXENAME-HASH.pf, where the hash is derived from the executable's path

In the Windows XP prefetch format (version 17):

DWORD value at offset 144: number of times the application was launched

8-byte FILETIME value at offset 120: last time the application ran, stored in UTC

Later versions moved these fields (Windows 7, version 23: last run at offset 128, run count at 152; Windows 8 and later keep up to eight last-run timestamps starting at offset 128), and Windows 10 prefetch files are additionally compressed (they begin with MAM instead of the version number) and must be decompressed before the offsets mean anything.

Prefetching is controlled by the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Session Manager\Memory Management\PrefetchParameters

(ControlSet00x is the control set that CurrentControlSet points to; HKLM\SYSTEM\Select\Current tells you which one.)

The data associated with the EnablePrefetcher value tells which form of prefetching the system uses:

0: Prefetching is disabled

1: Application prefetching is enabled

2: Boot prefetching is enabled

3: Both application and boot prefetching are enabled
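A small parser makes the offsets concrete. The following is an added example for these notes, not course material or the code of any prefetch tool: it checks the SCCA signature, reads the executable name and hash from the header, and then reads the run count and last-run FILETIME at the offsets for the version it finds, converting the FILETIME to an aware UTC datetime. The version-23 offsets are taken from the format notes above; the input it parses is a constructed version-17 header (build_sample_v17), not a real capture, and compressed Windows 10 files are rejected rather than decompressed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Field offsets by prefetch format version (uncompressed files only).
# 17 = Windows XP / 2003, 23 = Windows Vista / 7.
LAYOUT = {
    17: {"last_run": 120, "run_count": 144},
    23: {"last_run": 128, "run_count": 152},
}

def filetime_to_utc(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; the result is already UTC, not local time."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    if data[:3] == b"MAM":
        raise ValueError("Windows 10+ compressed prefetch (MAM header); decompress first")
    if len(data) < 160:
        raise ValueError("too short to be a prefetch file")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("bad signature %r" % sig)
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 name field
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    lay = LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, lay["last_run"])[0]
    run_count = struct.unpack_from("<I", data, lay["run_count"])[0]
    return {
        "version": version,
        "executable": exe,
        "hash": "%08X" % pf_hash,
        "last_run_utc": filetime_to_utc(last_run),
        "run_count": run_count,
    }

def build_sample_v17(exe, last_run_utc, run_count):
    """Constructed test data (assumption: minimal version-17 header only, not a real .pf file)."""
    buf = bytearray(160)
    struct.pack_into("<I4s", buf, 0, 17, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))
    name = exe.encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0x1A2B3C4D)
    delta = last_run_utc - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    struct.pack_into("<Q", buf, 120, ft)
    struct.pack_into("<I", buf, 144, run_count)
    return bytes(buf)

SAMPLE = build_sample_v17("CALC.EXE", datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc), 7)

if __name__ == "__main__":
    for k, v in parse_prefetch(SAMPLE).items():
        print(k, v)
```

Because the timestamp is UTC, present it alongside the machine's time zone (from the SYSTEM hive) when you build the timeline; a prefetch file whose last-run time predates the file's own creation time, or a run count that resets, is worth a second look.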

Image Files
You can use tools such as Exiv2, IrfanView, and the Image::MetaData::JPEG Perl module to view, retrieve, and in some cases modify the metadata embedded in JPEG image files.

Tools such as ExifReader, EXIF Library, and ExifTool display the EXIF data found in a JPEG image.
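What those tools display is a TIFF structure carried in the JPEG's APP1 segment. The parser below is an added example for these notes, not the code of any of the tools named above: it walks the JPEG marker segments to the Exif APP1 segment, reads the TIFF header (byte order, IFD0 offset), decodes the IFD0 entries, and follows the Exif and GPS sub-IFD pointers. Every offset is bounds-checked and remembered, because EXIF parsers are a classic target for crafted files with out-of-range or looping pointers. The JPEG it parses is constructed by build_sample_jpeg (a header-only file with no image data; the camera make, model, and GPS tags are made up for the example).

```python
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation", 0x0131: "Software",
             0x0132: "DateTime", 0x8769: "ExifIFD", 0x8825: "GPSIFD"}
EXIF_TAGS = {0x9003: "DateTimeOriginal", 0xA430: "CameraOwnerName", 0xA431: "BodySerialNumber"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0003: "GPSLongitudeRef", 0x001D: "GPSDateStamp"}

def find_exif(jpeg):
    """Walk the JPEG marker segments and return the TIFF blob inside the APP1 Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:                          # SOS: image data follows, no more metadata segments
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:   # standalone markers carry no length field
            pos += 2
            continue
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + seglen
    return None

def _parse_ifd(tiff, e, off, names, out, seen):
    if off in seen or off + 2 > len(tiff):          # refuse loops and pointers past the end
        return
    seen.add(off)
    count = struct.unpack_from(e + "H", tiff, off)[0]
    for i in range(count):
        ent = off + 2 + 12 * i
        if ent + 12 > len(tiff):
            return
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, ent)
        size = TYPE_SIZE.get(typ, 0) * n
        if size == 0 or size > len(tiff):
            continue
        if size <= 4:                               # value stored inline in the entry
            raw = tiff[ent + 8:ent + 8 + size]
        else:                                       # entry holds an offset relative to the TIFF header
            voff = struct.unpack_from(e + "I", tiff, ent + 8)[0]
            if voff + size > len(tiff):
                continue
            raw = tiff[voff:voff + size]
        if typ == 2:
            value = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif typ == 3 and n == 1:
            value = struct.unpack(e + "H", raw)[0]
        elif typ == 4 and n == 1:
            value = struct.unpack(e + "I", raw)[0]
        else:
            value = raw
        if names is IFD0_TAGS and tag == 0x8769 and isinstance(value, int):
            _parse_ifd(tiff, e, value, EXIF_TAGS, out, seen)
        elif names is IFD0_TAGS and tag == 0x8825 and isinstance(value, int):
            _parse_ifd(tiff, e, value, GPS_TAGS, out, seen)
        else:
            out[names.get(tag, "Tag%04X" % tag)] = value

def parse_tiff(tiff):
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack_from(order + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    out = {}
    _parse_ifd(tiff, order, ifd0, IFD0_TAGS, out, set())
    return out

def exif_from_jpeg(jpeg):
    tiff = find_exif(jpeg)
    return parse_tiff(tiff) if tiff is not None else {}

def _build_ifd_le(entries, ifd_offset):
    """Little-endian IFD for the constructed sample; long ASCII values go in a data area after the IFD."""
    n = len(entries)
    data_off = ifd_offset + 2 + 12 * n + 4
    ifd, extra = struct.pack("<H", n), b""
    for tag, typ, value in entries:
        if typ == 2:
            raw = value.encode("ascii") + b"\x00"
            if len(raw) <= 4:
                ifd += struct.pack("<HHI", tag, typ, len(raw)) + raw.ljust(4, b"\x00")
            else:
                ifd += struct.pack("<HHII", tag, typ, len(raw), data_off + len(extra))
                extra += raw
        elif typ == 3:
            ifd += struct.pack("<HHIHH", tag, typ, 1, value, 0)
        else:
            ifd += struct.pack("<HHII", tag, typ, 1, value)
    return ifd + struct.pack("<I", 0) + extra

def build_sample_jpeg():
    """Constructed header-only JPEG (assumption: made-up camera and GPS tags, no image data)."""
    def ifd0(gps_off):
        return _build_ifd_le([(0x010F, 2, "ACME"), (0x0110, 2, "Cam-1"), (0x0112, 3, 1),
                              (0x0131, 2, "Editor 1.0"), (0x0132, 2, "2024:01:15 12:00:00"),
                              (0x8825, 4, gps_off)], 8)
    gps_off = 8 + len(ifd0(0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0(gps_off) + \
        _build_ifd_le([(0x0001, 2, "N"), (0x0003, 2, "W")], gps_off)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

SAMPLE_JPEG = build_sample_jpeg()
```

The GPS sub-IFD is the part that matters most in practice: a photograph attached to an email or posted online can place its author at a location and time, and conversely an image stripped of its EXIF block (exif_from_jpeg returns an empty dict) tells you that someone, or some service, sanitised it.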

Metadata
Data about data; describes how, when, and by whom a particular set of data was collected, and how the data is formatted.

The investigator can use tools such as Metadata Assistant, Paraben P2 Commander, and Metashield Analyzer to analyze metadata.

Windows:

MAC times = modified, accessed, and created time stamps

FAT = stores timestamps in local time with no time zone information (the last-write time has only 2-second resolution)

NTFS = stores timestamps as 64-bit FILETIME values in Coordinated Universal Time (UTC); apply the machine's time zone (HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation) to present local times

PDF Files:

  • Portable Document Format (PDF) files can also contain metadata such as the name of the author, the date the file was created, and the application used to create it.
  • The metadata can show that the PDF file was created on a Mac, or that it was created by converting a Word document to PDF format.
  • You can use the Perl scripts pdfmeta.pl and pdfdmp.pl to extract metadata from PDF files.

Word Documents:

  • Legacy (.doc) Word documents are compound documents, based on Object Linking and Embedding (OLE) technology, which defines the file structure
  • Such documents can maintain not only past revisions but also a list of up to the last 10 authors to edit the file
  • You can use the Perl scripts wmd.pl and oledmp.pl to list the OLE streams embedded in a Word document
  • Office Open XML documents (.docx) are ZIP containers instead; their metadata lives in docProps/core.xml (author, last modified by, created/modified dates, revision number) and docProps/app.xml (application, total editing time)
  • To view metadata in Word 2010, click the File tab -> Info
  • Click Check for Issues -> Inspect Document
  • Select the content to inspect and click the Inspect button

Metadata Analysis Tool: Metashield Analyzer

Linux Forensics
Identify the computer name using the hostname command

Command:

hostname

Check the date and time of the machine to build a proper timeline of events.

Command:

date

cat /etc/timezone

Alternatively, you can record the system's epoch time (the number of seconds since the Unix epoch, 1970-01-01 00:00:00 UTC) and convert it to your time zone

Command:

date +%s

Converter:

www.epochconverter.com

Device uptime

Command:

uptime

The following command displays all network interface controllers (NICs) and the IP addresses associated with them

Command:

ip addr show

To identify an interface in promiscuous mode (look for the PROMISC flag in the output), use the following command:

Command:

ifconfig

(or)

ip link show

To disable promiscuous mode on a network interface (this changes the state of the live system; record the original state in your notes before doing so):

Command:

ifconfig <interface> -promisc

(or)

ip link set <interface> promisc off

To view list of network interfaces on the system

Command:

netstat -i

The netstat command can also be used to print routing tables

Command:

netstat -rn

-r displays the kernel IP routing table

-n displays the numerical addresses

In Linux, the routing table provides information on

the process of forwarding TCP/IP data packets

Command:

ip r

For TCP port connections:

Syntax:

nmap -sT localhost

For UDP port connections:

Syntax:

nmap -sU localhost

Open Ports:

Command:

netstat -tulpn

(or, on systems without net-tools)

ss -tulpn

Processes running on open ports:

Command:

lsof -i -P -n | grep LISTEN

You can run the lsof command to list all open files as well as the active processes that opened them on the system

Command:

lsof

To list the open files for a particular user (for example, the user currently logged into the system)

Command:

lsof -u <username>

Non-Volatile Data:

cat /proc/cpuinfo – info on the CPU

cat prints a file's contents to the screen (standard output)

cat /proc/self/mounts – view mount points and mounted external devices

Check the Linux kernel version on a system:

uname -r

(or)

cat /proc/version

(or)

hostnamectl | grep Kernel

The /etc/passwd file on a Linux system stores local user account information (cat /etc/passwd prints it).

Command to list only the usernames in the output:

cut -d: -f1 /etc/passwd

currently logged in user in the system

Command:

w

The log file /var/log/wtmp maintains information about the user login history, system reboot time, and system status; /var/log/btmp records failed login attempts.

The last command pulls the login history from the wtmp log file (lastb does the same for btmp)

Command:

last -f /var/log/wtmp

The /var/log/auth.log file (Debian/Ubuntu; /var/log/secure on Red Hat-based systems) logs information related to user authentication and authorization events: remote logins, sudo use, SSH logins, etc. On systemd systems the same events are also in the journal (journalctl -u ssh or -u sshd, journalctl _COMM=sudo).

Command:

cat /var/log/auth.log

The following command filters out the sudo entries:

grep sudo /var/log/auth.log
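A grep shows the raw lines; for a timeline you normally want the fields. The following is an added example for these notes, not course material: it parses sshd and sudo entries in the classic syslog format, counts failed SSH logins per source address, lists accepted logins, and flags sudo invocations that spawn a root shell. The log lines are constructed (host name, users and addresses are made up, with documentation ranges for the remote address); note that this log format carries no year, so the examiner has to supply it from the file's own timestamps.

```python
import re
from collections import Counter

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Commands that hand the caller an interactive root shell rather than running one program.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/bin/su", "/usr/bin/su"}

def parse_auth_log(lines):
    """Split auth.log lines into structured sshd and sudo events; other lines are ignored."""
    ssh, sudo = [], []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            ssh.append(m.groupdict())
            continue
        m = SUDO_RE.match(line)
        if m:
            sudo.append(m.groupdict())
    return {"ssh": ssh, "sudo": sudo}

def failed_logins_by_ip(events):
    """Failed SSH attempts per source address: the quickest view of brute forcing."""
    return Counter(e["ip"] for e in events["ssh"] if e["result"] == "Failed")

def accepted_logins(events):
    return [(e["user"], e["ip"], e["method"]) for e in events["ssh"] if e["result"] == "Accepted"]

def root_shells(events):
    """Users who used sudo to start a shell as root (the command, not just one privileged program)."""
    return [e["user"] for e in events["sudo"]
            if e["target"] == "root" and e["cmd"].split()[0] in SHELLS]

# Constructed sample log (assumption: invented host, users and addresses; 203.0.113.0/24 is TEST-NET-3).
SAMPLE_AUTH_LOG = "\n".join([
    "Jan 15 12:00:01 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:c0ffee",
    "Jan 15 12:00:05 host1 sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "Jan 15 12:00:06 host1 sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "Jan 15 12:00:09 host1 sshd[1236]: Failed password for root from 203.0.113.7 port 40031 ssh2",
    "Jan 15 12:01:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jan 15 12:01:00 host1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)",
    "Jan 15 12:02:00 host1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash",
    "Jan 15 12:03:00 host1 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)",
])

if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG.splitlines())
    print("failed by ip:", dict(failed_logins_by_ip(ev)))
    print("accepted:", accepted_logins(ev))
    print("root shells:", root_shells(ev))
```

On a real system feed it the file (or the output of journalctl -o short) rather than the constructed lines, and correlate the accepted logins with last -f /var/log/wtmp: a successful SSH login that has no matching wtmp entry, or a sudo root shell from a TTY that wtmp never saw, is a discrepancy worth explaining.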

General system log messages are written to the file /var/log/syslog (Debian/Ubuntu; /var/log/messages on Red Hat-based systems). The syslog daemon (rsyslog, configured in /etc/rsyslog.conf and /etc/rsyslog.d/) collects messages from the logging facility for various programs and services, including the kernel.

Command:

cat /var/log/syslog

Analyzing Linux kernel logs located at

/var/log/kern.log can be helpful for troubleshooting

custom kernels

Command:

cat /var/log/kern.log

The pslist plugin lists all the processes that were running on the machine when the memory dump was captured

Command (Volatility 2 syntax; the profile must match the kernel of the imaged system):

python vol.py -f <memory_dump> --profile=<Linux_profile> linux_pslist

Use the netstat plugin to search for malicious network communication on the machine

Command:

python vol.py -f <memory_dump> --profile=<Linux_profile> linux_netstat

The pstree plugin displays processes as a parent/child tree, which makes it easy to spot the child processes spawned by a malicious backdoor

Command:

python vol.py -f <memory_dump> --profile=<Linux_profile> linux_pstree

(Volatility 3 replaces the profile with symbol tables and names the plugins linux.pslist, linux.pstree, and linux.sockstat.)

Basic Security Module (BSM)
BSM is the audit trail format used by Solaris and macOS. Each audit record is a sequence of tokens; a token represents specific data, such as program arguments, return value, text data, socket, execution, and action on a file

Data stored in BSM helps determine the file type, creator, and usage data

Biskus APFS Capture tool
Designed to retrieve information from APFS-formatted disks (macOS)

  • It identifies all the available partitions on the connected disks and image files
  • The report file in CSV format allows you to examine the metadata of every file/folder in the file system
