What is "opacity" in Windows?
Windows internals are largely undocumented, so the examiner sometimes has to guess what Microsoft's system designers were thinking
What is "fracturing" in Windows?
Every Windows flavor (version, edition, service pack) has different quirks, so a tool or procedure that works on one may not work on another
T/F: WFA (Windows Forensic Analysis) usefully categorizes system state by its volatility
True; the most volatile state is collected first
T/F: Information stored in RAM is the most volatile
True
T/F: *PROM (PROM/EPROM/EEPROM, i.e. firmware) is probably the least volatile
True
What is a popular approach for live forensics?
Running trusted copies of the tools from some sort of removable media rather than the binaries on the suspect system
How do you make a USB stick non-modifiable?
With an explicit hardware write-protect switch or by using a "write-blocker"
What is Perl like?
Easy to write, but less easy to read than Python.
Handles system-level information gracefully for a large number of systems and their data structures
What does signalfd(2) do?
It is a Linux kernel-level mechanism (a system call that delivers signals through a file descriptor); the card's point is that Perl can reach such recondite bits of the operating system directly
How would you get a date and time stamp on a Windows machine equivalent to running date on a Linux machine?
date /t & time /t
T/F: It is a good idea to copy memory early on
True
What are some possibilities for system identification?
hostname, whoami, and ver
More recently: psinfo (Sysinternals) and systeminfo
What are some ways to look for logins?
psloggedon and logonsessions (Sysinternals)
quser
T/F: if backdoors have been set up, the logins they create may not show up using the regular tools
True
What can you use to see what files are open?
net file
openfiles
Does Windows natively support scheduling? If so, what is it?
Yes: schtasks (the older at command also exists on legacy versions)
How do hackers use NetBIOS?
They can see configuration information about remote machines: nbtstat -c lists the local NetBIOS name cache, and nbtstat -A ADDRESS queries the name table of a remote machine for any address listed by the -c option
What is one of the most useful tools?
netstat -ano, which lists every TCP/UDP endpoint together with the PID that owns it, so a connection can be tied to the process that created it
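The "which PID owns this connection" step, as an added example that is not part of the original card set: parse netstat -ano output, join it with tasklist /fo csv /nh output to turn PIDs into image names, then flag what a responder looks at first, listeners on unexpected ports and established connections leaving the internal address space. Both command outputs below are constructed samples in the real tools' format, and the "expected listener" port set and the internal address ranges are assumptions to be tuned per environment.

```python
"""Attribute `netstat -ano` endpoints to processes via `tasklist` output and
flag suspicious ones. Added example; sample outputs are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (not captured from a host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:49812         10.0.0.9:445           ESTABLISHED     4
  TCP    10.0.0.5:49901         203.0.113.7:443        ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    1204
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = """\
"System","4","Services","0","1,234 K"
"svchost.exe","880","Services","0","9,876 K"
"svchost.exe","1204","Services","0","5,432 K"
"updater.exe","3120","Console","1","14,000 K"
"""

# Assumed "internal" ranges: RFC 1918, loopback, link-local, IPv6 ULA/link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    image: str

def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output (no header)."""
    pids = {}
    for line in text.splitlines():
        if line.strip():
            fields = [f.strip('"') for f in line.split('","')]
            pids[int(fields[1])] = fields[0]
    return pids

def parse_netstat(text, pid_map):
    """Parse TCP/UDP rows; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        pid = int(pid)
        conns.append(Conn(proto, local, remote, state, pid,
                          pid_map.get(pid, "<unknown>")))
    return conns

def split_addr(addr):
    """'10.0.0.5:445' -> ('10.0.0.5', '445'); '[::]:135' -> ('::', '135')."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def is_internal(host):
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in INTERNAL_NETS)

def attribute(netstat_text, tasklist_text):
    return parse_netstat(netstat_text, parse_tasklist(tasklist_text))

def findings(conns, expected_listeners=frozenset({135, 445, 500})):
    """Return (kind, pid, image, address) tuples worth a closer look."""
    out = []
    for c in conns:
        _, lport = split_addr(c.local)
        rhost, _ = split_addr(c.remote)
        if c.state == "ESTABLISHED" and not is_internal(rhost):
            out.append(("external", c.pid, c.image, c.remote))
        elif c.state == "LISTENING" and int(lport) not in expected_listeners:
            out.append(("unexpected-listener", c.pid, c.image, c.local))
    return out

if __name__ == "__main__":
    for f in findings(attribute(NETSTAT_SAMPLE, TASKLIST_SAMPLE)):
        print(*f)
```

Run on a live host, feed it the saved output of both commands rather than re-running them, so the attribution matches the snapshot you already hashed into your notes.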
T/F: It is a good idea to make a copy of the ARP table
True (arp -a)
What will help you avoid the problems of using internal structures that might be manipulated or obscured by malware by instead taking an outside view?
nmap, scanning the suspect host from another machine, which does not depend on the suspect system's own data structures
What can you use to get the "system prompt" (cmd.exe) keyboard history?
doskey /history, but it only covers the current cmd.exe session, so it isn't likely to be useful in practice
T/F: Another volatile information source is Windows shares
True (net share)
How do you collect non-volatile information in Windows?
Registry autostart locations: autoruns or autorunsc (Sysinternals)
Security configuration: WinUpdatesList from NirSoft
Static network configuration: the hosts, networks, and lmhosts files
Events: eldump (event log dump)
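The collection procedure above (volatile state first, static configuration last) written out as one script, added here as an example that is not part of the original cards: each command from the cards is run in volatility order from the responder's removable media, its output is hashed with SHA-256 and timestamped, and a manifest documents what was run and when. The runner is injectable so the ordering and hashing can be exercised on a non-Windows host; the command list and the assumption that the Sysinternals tools are on the PATH of the removable media are this example's, not the page's.

```python
"""Live-response collection ordered by volatility, with a hashed manifest.
Added example; command list follows the cards above, runner is injectable."""
import hashlib
import os
import subprocess
import time

# Most volatile first: network/process state, logons and open handles,
# then static configuration. Sysinternals tools are assumed to be on the
# PATH of the removable media the responder runs from.
COLLECTION_PLAN = [
    ("date_time",  "date /t & time /t"),
    ("netstat",    "netstat -ano"),
    ("arp",        "arp -a"),
    ("nbt_cache",  "nbtstat -c"),
    ("logons",     "psloggedon"),
    ("sessions",   "logonsessions"),
    ("quser",      "quser"),
    ("open_files", "openfiles"),
    ("net_file",   "net file"),
    ("shares",     "net share"),
    ("sched",      "schtasks"),
    ("history",    "doskey /history"),
    ("sysinfo",    "systeminfo"),
    ("autoruns",   "autorunsc"),
]

def run_command(cmd):
    """Run one command under the shell and return combined stdout/stderr."""
    proc = subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, errors="replace")
    return proc.stdout + proc.stderr

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8", "replace")).hexdigest()

def collect(plan=COLLECTION_PLAN, runner=run_command, clock=time.time):
    """Execute the plan in order; one record per command."""
    records = []
    for name, cmd in plan:
        started = clock()
        output = runner(cmd)
        records.append({"name": name, "command": cmd, "started": started,
                        "sha256": sha256_hex(output), "output": output})
    return records

def manifest(records):
    """One line per command: UTC start time, output hash, name, command."""
    lines = []
    for r in records:
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(r["started"]))
        lines.append(f"{stamp} {r['sha256']} {r['name']} :: {r['command']}")
    return "\n".join(lines)

def save(records, out_dir):
    """Write each output plus the manifest to out_dir (the evidence media)."""
    os.makedirs(out_dir, exist_ok=True)
    for r in records:
        path = os.path.join(out_dir, r["name"] + ".txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(r["output"])
    with open(os.path.join(out_dir, "manifest.txt"), "w", encoding="utf-8") as fh:
        fh.write(manifest(records) + "\n")

if __name__ == "__main__":
    recs = collect()
    save(recs, os.path.join(os.getcwd(), "live_response"))
    print(manifest(recs))
```

Note that running the script is itself a change to the machine (new process, new file handles, page-file activity), which is exactly the Exchange Principle point made further down; the manifest is what lets you account for that footprint later.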
T/F: PowerShell is going to make a difference in the future for Digital Forensics
True
What does Thunderbolt make a machine vulnerable to?
DMA attacks: a Thunderbolt device gets direct memory access, so a plugged-in device can scan and modify RAM at will
Why is virtualization useful to the examiner?
A snapshot of a virtual machine captures its memory and disk state without running any tool inside the guest
Why look into memory?
Metadata that malware or other malefactors might have associated with a process
Executable code
Real data
Basically, trying to learn what a malefactor had done and how it was done
What is the Exchange Principle?
Locard's principle that every contact leaves a trace; on a computer, if you start a process on the machine, you are changing the state of the machine
What does ptfinder.pl do?
Walks through a memory dump trying to enumerate processes and threads from their kernel structures
What can be used to perform "fuzzy matching"?
ssdeep (context-triggered piecewise hashing), which scores how similar two files are rather than requiring an exact hash match
What is the tool Volatility used for?
Memory analysis; besides the running processes it can sometimes find data from processes that have already terminated, because their pages have not yet been reused
What are hibernation files?
hiberfil.sys holds a (compressed) copy of physical memory, enough state to accurately reload RAM on resume
To dump a process's memory (heap and stack), what tools should you use?
pslist: to find PIDs
userdump -p: lists processes with their PIDs
pmdump -list: another choice
T/F: userdump only works on older Microsoft operating systems, so you need other tools to acquire the same information on current ones
True
What is pmdump useful for?
Lets you easily create text dumps suitable for string searching
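The string-searching that a pmdump-style text dump enables, as an added example that is not part of the original cards: extract printable ASCII and UTF-16LE strings (Windows keeps most paths and command lines as UTF-16) with their offsets from a raw dump, then grep them. The "dump" below is constructed in-line, not taken from a real process, and the minimum string length of 6 is an assumed default.

```python
"""Keyword search over a raw memory dump: ASCII and UTF-16LE strings with
offsets. Added example; the dump is constructed in-line."""
import re

# Constructed "memory dump": an ASCII command line, a UTF-16LE path, noise.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"cmd.exe /c whoami"                               # offset 16, ASCII
    + b"\x00\x7f\x01\x02"
    + "C:\\Users\\bob\\evil.ps1".encode("utf-16-le")    # offset 37, UTF-16LE
    + b"\xff" * 8
    + b"ab"                                              # too short to report
    + b"\x00" * 4
)

def extract_strings(data, min_len=6):
    """Return (offset, encoding, text) tuples sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: each printable ASCII byte followed by a NUL byte.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)

def search(strings, pattern):
    """Case-insensitive regex over the extracted text, keeping offsets."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [s for s in strings if rx.search(s[2])]

if __name__ == "__main__":
    with open("process.dmp", "rb") as fh:   # e.g. a pmdump/userdump output file
        dump = fh.read()
    for off, enc, text in search(extract_strings(dump), r"\.ps1$|whoami"):
        print(f"{off:#010x} {enc:5} {text}")
```

Offsets matter: a hit is only as useful as your ability to go back to the dump and look at the surrounding bytes, so keep them alongside the text rather than dumping a bare string list.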
What does pd -p do?
It allows you to list processes and can be used with Memory Parser
What is TSK?
The Sleuth Kit, a file-system and disk-image analysis toolkit (not a memory tool) that has been historically useful on Linux
What is the Linux equivalent of a shortcut?
Symbolic Link or Soft Link
What file system does Windows 7 use?
NTFS
What file system does OS X use?
HFS+
Why can you undelete files in Windows 7?
The data is not erased; the file's MFT record is marked unallocated and its clusters are marked free in $Bitmap, so the content stays on disk until reused
What is the file format .edb used with?
Microsoft Exchange
T/F: IMAP uses port 143
True
Which of the following types of mass e-mails are covered by the CAN-SPAM Act?
Emails advertising: products, legal services, and stock prices
What is the .ost file format used for?
Microsoft Outlook offline storage
Lotus Notes uses the _ file format.
.nsf
__ was the first Windows operating system to support FAT32
Windows 95 (OSR2)
How many hives are in the Windows Registry?
5 root keys (HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG); on disk these are backed by several hive files
T/F: Stack memory is stored in a first-in last-out format.
True; first-in last-out is the same ordering as last-in first-out (LIFO): the most recently pushed frame is the first popped
What is a concern for capturing live data that is caused by data being changed as it is being captured?
Slurred image
In Windows 7, the swap file ends with what extension?
.sys (pagefile.sys)
What is the most common Linux file system?
ext
What is an inode?
a data structure in the file system that stores all the information about a file except its name and its actual data
What are two techniques common for recovering data after logical damage?
Consistency checking and zero-knowledge analysis
T/F: All email uses the same format, regardless of the operating system it runs on.
True for the message itself (the RFC 5322 header-and-body format); the client-side storage formats differ (.pst, .ost, .nsf, mbox)
What is one of the most fundamental tasks a forensic examiner will conduct?
Retrieving deleted data
Because even criminals know to delete data, and evidence is frequently deleted from examined computers
How do hard drives store and view data?
As sectors
What is a sector?
A pie-slice portion of a track on one of the disk platters, bounded by two radii
Traditionally 512 bytes (4096 bytes on Advanced Format drives)
Sectors along a track are contiguous
What is a cluster?
How file systems look at data: the allocation unit
1-128 sectors, and a cluster itself is always a contiguous run of sectors
A file's clusters need not be contiguous (fragmentation)
The file system treats a cluster as entirely used if even one byte of it is used; the unused remainder is slack space
What tools are used for recovering deleted files on Windows?
-DiskDigger
-WinUndelete
-FreeUndelete
-OSForensics
What is FAT?
File Allocation Table
Named after the table used to store cluster/file info
Each entry records one of 5 things about its cluster:
1. The cluster number of the next cluster in the file's chain
2. That this cluster is the end of the chain (end-of-chain marker)
3. That the cluster is bad (special entry in the table)
4. That the cluster is open/available (zero entry)
5. A reserved value
How is data recovered on FAT?
Data is not actually removed when a file is deleted: the first byte of its directory entry is set to 0xE5 and its FAT entries are zeroed
The table is updated to reflect that the clusters are no longer in use, but the clusters still hold the content
If new information is saved, it is saved to those free clusters and the old data is overwritten
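The sector/cluster and FAT material above, worked through as an added example that is not part of the original cards: build a tiny FAT16-style image in memory, follow a live file's cluster chain, read the slack in its last cluster, and undelete a file whose directory entry starts with 0xE5 by assuming its clusters were contiguous and checking whether the FAT says any of them has since been reallocated. The image has 512-byte clusters and no boot sector; a real tool first reads the cluster size, FAT location and root directory from the BIOS Parameter Block. File names and contents are constructed.

```python
"""FAT16 cluster chains, slack space and undelete on a constructed image.
Added example; not the page's or any tool's own code."""
import math
import struct
from dataclasses import dataclass

CLUSTER = 512                     # bytes per cluster in this sample image
FREE, BAD, EOC_MIN = 0x0000, 0xFFF7, 0xFFF8   # FAT16 entry meanings
DELETED = 0xE5                    # first name byte of a deleted dir entry
DIR_ENTRY = struct.Struct("<8s3sB14sHI")  # name, ext, attr, times, 1st cluster, size

@dataclass
class Image:
    fat: bytes    # the file allocation table, 16-bit entries
    root: bytes   # root directory, 32-byte entries
    data: bytes   # data area; cluster 2 starts at offset 0

@dataclass
class Entry:
    name: str
    first_cluster: int
    size: int
    deleted: bool

def dir_entry(name, ext, first_cluster, size, deleted=False):
    raw = name.ljust(8).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    return DIR_ENTRY.pack(raw, ext.ljust(3).encode("ascii"), 0x20,
                          b"\x00" * 14, first_cluster, size)

def build_sample_image():
    """NOTES.TXT (clusters 2,3), deleted SECRET.TXT (was 4,5), LOG.TXT (6)."""
    fat = [0xFFF8, 0xFFFF] + [FREE] * 8          # clusters 0..9
    data = bytearray(CLUSTER * 8)                # clusters 2..9
    def put(cluster, payload):
        off = (cluster - 2) * CLUSTER
        data[off:off + len(payload)] = payload
    notes = (b"meeting notes " * 50)[:700]
    put(2, notes[:512]); put(3, notes[512:])
    fat[2], fat[3] = 3, 0xFFFF
    data[700:720] = b"OLD-PASSWORD-hunter2"      # leftover in cluster 3 slack
    secret = (b"wire 12000 EUR to acct 4711; " * 30)[:600]
    put(4, secret[:512]); put(5, secret[512:])   # FAT[4], FAT[5] stay FREE: deleted
    put(6, b"2024-05-01 login ok\n" * 5)
    fat[6] = 0xFFFF
    root = (dir_entry("NOTES", "TXT", 2, 700)
            + dir_entry("SECRET", "TXT", 4, 600, deleted=True)
            + dir_entry("LOG", "TXT", 6, 100))
    return Image(struct.pack("<%dH" % len(fat), *fat), root, bytes(data))

def parse_fat(img):
    return list(struct.unpack("<%dH" % (len(img.fat) // 2), img.fat))

def parse_root(img):
    """Directory entries; a deleted entry has lost its first name character."""
    entries = []
    for off in range(0, len(img.root), 32):
        raw = img.root[off:off + 32]
        if raw[0] == 0:                          # end of directory
            break
        name, ext, _attr, _, first, size = DIR_ENTRY.unpack(raw)
        deleted = name[0] == DELETED
        base = "?" + name[1:].decode("ascii") if deleted else name.decode("ascii")
        entries.append(Entry(base.strip() + "." + ext.decode("ascii").strip(),
                             first, size, deleted))
    return entries

def cluster_bytes(img, n):
    off = (n - 2) * CLUSTER
    return img.data[off:off + CLUSTER]

def follow_chain(fat, start):
    """Clusters of a live file: stop at end-of-chain, free, bad, or a loop."""
    chain, n = [], start
    while 2 <= n < len(fat) and n not in chain:
        chain.append(n)
        n = fat[n]
        if n >= EOC_MIN:
            break
    return chain

def read_file(img, fat, entry):
    chain = follow_chain(fat, entry.first_cluster)
    return b"".join(cluster_bytes(img, c) for c in chain)[:entry.size]

def slack(img, fat, entry):
    """Bytes after end-of-file in the last cluster: older data survives here."""
    chain = follow_chain(fat, entry.first_cluster)
    used_in_last = entry.size - (len(chain) - 1) * CLUSTER
    return cluster_bytes(img, chain[-1])[used_in_last:]

def recover_deleted(img, fat, entry):
    """The chain is zeroed, so assume contiguous clusters from first_cluster
    and report any the FAT says have since been reallocated (overwrite risk)."""
    count = math.ceil(entry.size / CLUSTER)
    clusters = list(range(entry.first_cluster, entry.first_cluster + count))
    reused = [c for c in clusters if fat[c] != FREE]
    data = b"".join(cluster_bytes(img, c) for c in clusters)[:entry.size]
    return data, clusters, reused
```

The contiguity assumption is the weak point of any FAT undelete: a fragmented deleted file recovers correctly only for its first cluster, and the "reused" list is the only warning you get that a later save has already overwritten part of it.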