Computer and Network Forensics Quiz #3


27 Terms

1

Why Acquire Memory?

Vital Evidence Source: Memory (RAM) holds dynamic information such as running processes, network connections, open files, registry keys, and even encryption keys or passwords. This volatile data can be crucial for investigations.

2

1. Memory Acquisition: Live System Forensics:

Involves capturing data from an active, running system.

3

1. Memory Acquisition: Dead System Forensics:

Involves analyzing systems that are powered off, using stored snapshots.

4

1. Memory Acquisition: Live System Tools:

  • FTK Imager: Provides a non-intrusive way to capture live memory snapshots.

  • MagnetForensics RamCapture: Specializes in capturing live RAM.

  • Belkasoft Live RAM Capturer: Another tool designed for acquiring live memory.

  • DumpIt: A widely used utility that creates a physical memory dump.

5

1. Memory Acquisition: Dead System Artifacts:

  • Hibernation File (hiberfil.sys): Stores a compressed snapshot of RAM when the system hibernates.

  • Volume Shadow Copies: Snapshots of volumes that might include memory-related data.

  • Pagefile (pagefile.sys): Used by Windows for memory management, can be imaged.

  • Memory Dump (MEMORY.DMP): Created during a system crash (BSOD), offering insights into system state at the time of failure.

6

1. Memory Acquisition: Dynamic Nature of RAM:

Hashing memory before and after acquisition isn’t possible because RAM is constantly changing.

7

1. Memory Acquisition: Encryption Key Recovery:

Tools like the Passware Kit can extract encryption keys from a memory dump, which may help unlock encrypted drives.

8

2. Disk Encryption Detection: Importance of Detecting Encryption

  • Prevent Data Loss: Knowing whether a disk is encrypted is critical. If an encrypted drive is powered off, the data might become inaccessible.

  • Guiding Acquisition Methods: If encryption is detected, live logical imaging is preferred over static acquisition.

9

2. Disk Encryption Detection: Tools and Techniques

Magnet Forensics Encrypted Disk Detector (EDD):

  • Detects various encrypted volumes (e.g., TrueCrypt, BitLocker, PGP®) on local physical drives.

  • Should be run as an Administrator to ensure complete detection.

10

2. Disk Encryption Detection: BitLocker Specifics

  • Encryption Algorithms: Uses AES-CBC with 128-bit or 256-bit keys.

  • Key Management: Utilizes a 512-bit Full Volume Encryption Key (FVEK), though only part of this key is used for encryption.

  • Brute Force Resistance: The effective security is based on the AES algorithm, making brute force attacks impractical.

11

3. Creating a Triage Image: Purpose of Triage Imaging

  • Rapid Evidence Identification: Quickly identifies investigative leads by capturing critical data immediately.

  • Efficient Data Collection: Enables the quick duplication and distribution of evidence to expedite the investigation.

12

3. Creating a Triage Image: What to Capture in a Triage Image

  • Registry Files: SAM, SYSTEM, SOFTWARE, DEFAULT, NTUSER.DAT, USRCLASS.DAT (including backups)

  • Log Files: Event logs (.evtx), Prefetch files (.pf), and shortcut files (*.lnk)

  • System Files: Pagefile.sys, hiberfil.sys

  • User Data: Recent folder contents, APPDATA files (including cache, history, and cookies)

13

3. Creating a Triage Image: Tools and Techniques

  • FTK Imager Custom Content Image: Allows for a custom triage image from both live and dead systems.

14

4. Disk Imaging Methods: Imaging Techniques: Full Disk Imaging (Physical Drive Level Copy):

  • Captures every bit of the disk, including all partitions and unallocated space.

  • Essential for a complete forensic analysis.

  • Tools: FTK Imager, EnCase, Guymager, dd.

15

4. Disk Imaging Methods: Imaging Techniques: Logical Imaging (Logical Partition Level Copy):

  • Captures only the data within specific partitions, excluding unallocated space.

  • More efficient when targeting specific file systems (e.g., the C: drive).

  • Tools: Robocopy, xcopy, tar.

16

4. Disk Imaging Methods: Imaging Techniques: Sparse Data Copy:

  • Selectively collects only specific files or folders, useful when only certain evidence is required.

17

4. Disk Imaging Methods: Storage Formats for Digital Evidence: Raw Format:

  • Advantages: Fast transfer, compatibility with most forensic tools.

  • Disadvantages: Requires storage equal to the original disk size.

18

4. Disk Imaging Methods: Storage Formats for Digital Evidence: Proprietary Formats:

  • Developed by various forensic tool vendors, allowing features like compression and metadata integration.

  • Disadvantages: May not be interoperable across different forensic tools.

19

4. Disk Imaging Methods: Storage Formats for Digital Evidence: Advanced Forensics Format (AFF):

  • Open-source, allows for flexible storage options including compression and metadata integration.

20

4. Disk Imaging Methods: Validation of Disk Imaging

  • Hashing Techniques:

    • Tools typically use CRC-32, MD5, or SHA algorithms (from SHA-1 to SHA-512) to validate the integrity of the acquired image.

  • Importance: Ensures that the copied image is a bit-for-bit replica of the original evidence.

21

5. RAID Systems and Their Impact on Acquisition - Understanding RAID: RAID 0 (Striping):

  • Purpose: Enhanced performance and increased storage.

  • Disadvantage: No redundancy; failure of one drive leads to complete data loss.

22

5. RAID Systems and Their Impact on Acquisition - Understanding RAID: RAID 1 (Mirroring):

  • Purpose: Data redundancy through duplication.

  • Disadvantage: Higher cost due to the need for duplicate storage.

23

5. RAID Systems and Their Impact on Acquisition - Understanding RAID: RAID 3, 5, and 6 (Parity-based):

  • RAID 3: Uses a dedicated parity disk; recovery possible but with performance limitations.

  • RAID 5: Distributes parity information across disks; requires at least three disks.

  • RAID 6: Double parity for extra redundancy; supports two disk failures.

24

5. RAID Systems and Their Impact on Acquisition - Understanding RAID: RAID 10 (1+0):

  • Combination: Combines RAID 1 mirroring with RAID 0 striping for performance and redundancy.

25

5. RAID Systems and Their Impact on Acquisition - Understanding RAID: Acquisition Challenges

  • Size and Configuration:

    • RAID systems can have massive capacities (exabytes), and the acquisition method must account for the configuration and potential data distribution across drives.

26

6. Methods of Data Acquisition: Write Blockers

  • Purpose: Prevent any accidental writes to the evidence drive during the acquisition process.

  • Process:

    1. Boot to the operating system (e.g., Windows).

    2. Connect the evidence drive to a hardware write blocker.

    3. Connect a target disk for the imaging process.

    4. Power on the write blocker before starting any forensic software.

  • Tools: FTK Imager Lite is commonly used in conjunction with write blockers.

27

6. Methods of Data Acquisition: Live CD for Acquisition

  • Benefits:

    • Forensic Linux Live CDs (such as CAINE, SIFT, or Kali Linux) are designed not to auto-mount drives, which helps prevent any modification.

  • Alternatives:

    • Mini-WinFE can be used to create a Windows forensic boot CD/DVD/USB, ensuring that connected drives are mounted as read-only.