What is Computer Forensics?
The use of analytical and investigative techniques to identify, collect, examine, and preserve evidence/information which is magnetically stored or encoded.
What is the role of first responders in computer forensics?
First responders play a critical role; improper handling of evidence can render it unusable for prosecution.
What are the five principles outlined in the Council of Europe’s Electronic Evidence Guide?
Data integrity, Audit trail, Specialist support, Appropriate training, and Legality.
What are the four steps of examination according to the Scientific Working Group on Digital Evidence (SWGDE)?
Visual inspection, Forensic duplication, Media examination, and Evidence return.
What are the initial steps in the U.S. Secret Service Forensics Guidelines?
Secure the scene and make it safe, take immediate steps to preserve evidence, and determine whether you have a legal basis to seize the computer.
According to U.S Secret Service Forensics Guidelines, what action should be taken if a computer is believed to be destroying evidence?
Shut down the computer immediately by pulling the power cord (a normal shutdown gives the process time to finish); this accepts the loss of volatile data in RAM in exchange for stopping the destruction.
List three evidence gathering principles.
Touch as little as possible, leave a document trail, and secure the evidence.
What elements should be included in the chain of custody?
Discovery of the evidence, collection location, date and time of collection, names of everyone who had access, and names of everyone who “owned” the evidence.
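The "leave a document trail" principle and the chain-of-custody elements listed above are normally enforced in practice by hashing the evidence at acquisition and re-hashing it at every hand-off, so that any change between two custody events is detectable. The Python below is an added illustration of that, not part of the original flashcards; the case identifier, handler names and the small "image" file it hashes are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only record of who handled an evidence item, when, where, and its hash at that moment."""

    def __init__(self, item_id, path):
        self.item_id = item_id
        self.path = path
        self.entries = []

    def record(self, handler, action, location):
        # The hash is recomputed at every hand-off rather than copied from the previous
        # entry, so a modification between two custody events shows up as a mismatch.
        entry = {
            "item": self.item_id,
            "handler": handler,
            "action": action,
            "location": location,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": sha256_file(self.path),
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every recorded hash equals the acquisition hash and the file still matches it now."""
        if not self.entries:
            return False
        baseline = self.entries[0]["sha256"]
        return all(e["sha256"] == baseline for e in self.entries) and sha256_file(self.path) == baseline

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def run_demo():
    """Constructed sample: a small fake disk image passes through two handlers, then is altered."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "item-1.dd")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample image, not a real acquisition" + b"\xff" * 4096)

        log = CustodyLog("CASE-0001/ITEM-1", image)   # hypothetical case identifier
        log.record("J. Doe", "acquired", "suspect's office, workstation 3")
        log.record("J. Doe", "transferred to lab", "evidence locker A")
        log.record("A. Smith", "received for analysis", "lab bench 2")
        intact = log.verify()

        # A single byte changed after the last hand-off is enough to break the chain.
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"X")
        return intact, log.verify(), len(log.entries)


if __name__ == "__main__":
    print(run_demo())
```

In a real workflow the hash is also written on the evidence bag or form and compared against the log at each transfer; SHA-256 is used here because MD5 and SHA-1 collisions are practical and some courts now question them.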
What does the FBI recommend regarding the preservation of a computer's state by the first responder?
Making a backup copy of any logs, damaged or altered files, and files left by the intruder.
Name four locations where evidence can be found on a PC.
Browser history, index.dat files (legacy Internet Explorer history and cache), system logs, and the Windows Registry.
Name some examples of computer evidence beyond PCs and laptops.
Logs, portable storage devices, e-mails, and devices capable of storing data like iPods, iPads, and cell phones.
What information can be found in the Windows Registry regarding USB devices?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR lists the USB storage devices (vendor, product and serial number) that have ever been connected to the machine. The MountPoints2 key lives in each user's own hive (NTUSER.DAT, seen as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2) and records the volume GUIDs that user mounted; joining those GUIDs to the device serials via HKLM\SYSTEM\MountedDevices shows which user was logged on when a given USB device was used.
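The correlation described in that answer can be scripted. The Python below is an added example, not part of the original flashcards: the registry key paths in the comments are the real ones, but the device entries, GUIDs and user names are constructed, and on a live system the three maps would be filled from the SYSTEM hive and each user's NTUSER.DAT (with a hive parser or a reg.exe export) rather than from literals. The join goes USBSTOR serial -> MountedDevices volume GUID and drive letter -> the user hive whose MountPoints2 contains that GUID.

```python
import re

# Constructed sample data standing in for three registry locations. On a real system
# USBSTOR and MountedDevices come from the SYSTEM hive and MountPoints2 from each
# user's NTUSER.DAT; the key paths below are real, the entries are invented.

# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<device id>\<instance id, i.e. serial&0>
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001231120119272&0"],
    "Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP": ["0019E06B2C4FB6C1E10B3FD9&0"],
}


def _usb_path(device_id, serial):
    # Removable USB volumes are stored as a UTF-16LE device path ending in the disk class GUID.
    return f"_??_USBSTOR#{device_id}#{serial}#{{53f56307-b6bf-11d0-94f2-00a0c91efb8b}}".encode("utf-16-le")


# HKLM\SYSTEM\MountedDevices: value name -> raw binary data
MOUNTED_DEVICES = {
    "\\??\\Volume{a1b2c3d4-1111-2222-3333-444455556666}":
        _usb_path("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", "4C530001231120119272&0"),
    "\\DosDevices\\E:":
        _usb_path("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", "4C530001231120119272&0"),
    # Fixed disk: 4-byte disk signature + 8-byte partition offset, not a string.
    "\\DosDevices\\C:": bytes.fromhex("78563412" + "0010000000000000"),
    "\\??\\Volume{77777777-8888-9999-aaaa-bbbbccccdddd}":
        _usb_path("Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP", "0019E06B2C4FB6C1E10B3FD9&0"),
}

# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 subkeys, per user hive
MOUNTPOINTS2 = {
    "alice": ["{a1b2c3d4-1111-2222-3333-444455556666}", "{deadbeef-0000-0000-0000-000000000000}"],
    "bob": ["{77777777-8888-9999-aaaa-bbbbccccdddd}"],
}

GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")


def usb_serial_from_mounted_device(raw):
    """Return the USBSTOR instance id embedded in a MountedDevices value, or None for non-USB entries."""
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not text.startswith("_??_USBSTOR#"):
        return None
    parts = text.split("#")  # _??_USBSTOR # <device id> # <serial&0> # {class guid}
    return parts[2] if len(parts) >= 4 else None


def correlate_usb_devices(usbstor, mounted_devices, mountpoints2):
    """Join USBSTOR serial -> volume GUID / drive letter -> users whose hive references that GUID."""
    serial_to_guids, serial_to_letters = {}, {}
    for name, raw in mounted_devices.items():
        serial = usb_serial_from_mounted_device(raw)
        if serial is None:
            continue
        match = GUID_RE.search(name)
        if name.startswith("\\??\\Volume") and match:
            serial_to_guids.setdefault(serial, set()).add(match.group(0).lower())
        elif name.startswith("\\DosDevices\\"):
            serial_to_letters.setdefault(serial, set()).add(name.rsplit("\\", 1)[-1])

    guid_to_users = {}
    for user, guids in mountpoints2.items():
        for guid in guids:
            guid_to_users.setdefault(guid.lower(), set()).add(user)

    report = []
    for device_id, instances in usbstor.items():
        for serial in instances:
            guids = serial_to_guids.get(serial, set())
            users = set().union(*(guid_to_users.get(g, set()) for g in guids))
            report.append({
                "device": device_id,
                "serial": serial,
                "volume_guids": sorted(guids),
                "drive_letters": sorted(serial_to_letters.get(serial, set())),
                "users": sorted(users),
            })
    return report


if __name__ == "__main__":
    for row in correlate_usb_devices(USBSTOR, MOUNTED_DEVICES, MOUNTPOINTS2):
        print(row)
```

Note that a drive letter in MountedDevices only tells you the letter most recently assigned to that serial; the user attribution comes entirely from which NTUSER.DAT contains the volume GUID, and the key's last-write time gives the last time that user mounted it.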
What type of information can be gathered from a cell phone for forensics?
Photos, videos, text messages, call times and durations, and contact names and phone numbers.
What are some general rules for gathering evidence from a cell phone?
Document the phone's make, model and condition and photograph its initial screen. The SIM card holds the subscriber identifiers (IMSI, ICCID) and, on older phones, contacts and SMS; on modern smartphones most of the evidence is in the handset's own storage, so both the SIM and the device must be preserved.
What is Logical Acquisition of a cell phone?
Extracting the files and directories that the device's operating system exposes (the active, logical file system) through its normal interfaces into an image file; deleted data and unallocated space are not recovered.
What is Physical Acquisition of a cell phone?
Creating a physical bit-by-bit copy of the phone's memory.
What is Chip-off Forensics?
The practice of removing a memory chip, or any chip, from a circuit board and reading it.
How is JTAG used for cell phone forensics?
Joint Test Action Group. A less invasive method than chip-off: the board's JTAG debug port is used to read the memory directly and produce a physical image without desoldering the chip.
Name four common cellular network technologies.
GSM (2G), EDGE (Pre-3G), UMTS (3G), and LTE (4G).
What does SIM stand for in cell phone terminology?
Subscriber Identity Module.
What is an IMEI?
International Mobile Equipment Identity; unique ID for GSM, UMTS, LTE, and satellite phones; can be “blacklisted” even if the user changes the SIM card.
List four forensic tools.
AccessData Forensic Toolkit, EnCase, The Sleuth Kit, OSForensics.
What is the Daubert Standard?
A U.S. federal standard for admitting expert scientific evidence: the method behind it must be testable (and tested), subject to peer review, have a known error rate, and be generally accepted in the relevant scientific community.
What is the initial step in the scientific method?
Formulating a hypothesis: a testable statement (not merely a question) that the rest of the investigation tries to confirm or refute.
Give three examples of Computer Forensics Certifications.
Computer Hacking Forensic Investigator (CHFI), Certified Forensic Computer Examiner (CFCE), SANS certifications.
What is a growing concern as networks connect through the Internet?
Cyber terrorism
List three reasons why people engage in espionage.
Economic gain, grudge, and ideology
What approach should be used for information access to defend against espionage?
A need-to-know approach
What should be done with old disks/tape backups/CDs to defend against espionage?
They should be physically destroyed (for example melted, shredded or degaussed) rather than merely erased, so the data cannot be recovered.
What should be done with terminated employees' PCs to defend against espionage?
They should be scanned carefully.
What should employees with access to sensitive data sign?
A nondisclosure statement
Give four examples of potential harm from terrorist attacks.
Direct economic damage, economic disruption, compromising sensitive/military data, and disrupting mass communications
What can result from an out-of-service e-commerce site?
Lost revenue from sales
What is the focus of general attacks in cyber terrorism?
Economic chaos
What is one defense strategy at the state and national level to prevent cyberterrorism?
Greater law enforcement attention to computer crimes
What is involved in propaganda, in the context of cyber terrorism?
Putting an undisclosed political spin on what claims to be objective news
How is public perception affected in information control?
By the amount and type of information available and the language used
What is the function of a packet sniffer?
It intercepts packets on a network or the Internet and copies their contents for analysis
Name one reason for using a packet sniffer.
To verify that sensitive traffic really is encrypted on the wire rather than sent in cleartext (and, conversely, to see what an attacker on the same network could read).
What is CommView?
Basic packet sniffing software that provides statistics regarding captured packets
What is EtherDetect?
A tool to study specific packets, simpler than CommView but without statistics or graphs
What is WireShark?
A free, easy-to-use packet analyzer with a GUI and filters to drill down on data
List four pieces of information provided by packet sniffers.
Source IP address, destination IP address, protocol of the packet, contents of the packet
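What a sniffer does with each captured frame, as an added Python example that is not part of the original flashcards: it builds two constructed Ethernet/IPv4/TCP frames (an HTTP request carrying Basic-auth credentials in the clear, and a pseudo-random blob standing in for a TLS record), then dissects them to extract the four fields listed above and applies a crude printable-ratio/entropy test to flag which payload is readable. The MAC and IP addresses and the credentials are invented; no capture interface is needed, and a real tool would read frames from one instead of constructing them.

```python
import hashlib
import math
import socket
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ip_checksum(header):
    """RFC 1071 one's-complement sum; over a valid header (checksum included) the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload,
                src_mac=b"\x02\x00\x00\x00\x00\x01", dst_mac=b"\x02\x00\x00\x00\x00\x02"):
    """Constructed Ethernet/IPv4/TCP frame (PSH|ACK); the TCP checksum is left 0 to keep the sample short."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + tcp


def classify_payload(payload):
    """Crude plaintext-vs-encrypted test: printable ratio plus Shannon entropy in bits per byte."""
    if not payload:
        return "empty", 0.0
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13)) / len(payload)
    counts = [payload.count(bytes([v])) for v in set(payload)]
    entropy = -sum(c / len(payload) * math.log2(c / len(payload)) for c in counts)
    return ("plaintext" if printable > 0.85 else "binary/encrypted"), round(entropy, 2)


def dissect(frame):
    """Extract what a sniffer reports: source/destination IP, protocol, ports and payload."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    info = {"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "protocol": PROTOCOLS.get(proto, str(proto)), "ttl": ttl}
    l4 = ip[ihl:total_len]          # total_len strips any Ethernet padding
    if proto == 6:
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_offset = (off_flags >> 12) * 4
        info.update(sport=sport, dport=dport, payload=l4[data_offset:])
    elif proto == 17:
        sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
        info.update(sport=sport, dport=dport, payload=l4[8:])
    else:
        info["payload"] = l4
    info["classification"], info["entropy"] = classify_payload(info["payload"])
    return info


# Constructed samples: an HTTP request with Basic-auth credentials ("alice:hunter2") in the clear,
# and a pseudo-random blob built from SHA-256 outputs standing in for a TLS record.
HTTP_FRAME = build_frame("10.0.0.5", "10.0.0.10", 51000, 80,
                         b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                         b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n")
TLS_LIKE_FRAME = build_frame("10.0.0.5", "10.0.0.10", 51001, 443,
                             b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4)))

if __name__ == "__main__":
    for frame in (HTTP_FRAME, TLS_LIKE_FRAME):
        print(dissect(frame))
```

The entropy score is only a heuristic: compressed data scores as high as ciphertext, and short payloads score low whatever they contain, which is why Wireshark identifies TLS by its record header rather than by randomness.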
What is a white hat hacker?
A white hat hacker, also known as a pen-tester, hacks with the permission of the target system owners.
What is a black hat hacker?
A black hat hacker gains unauthorized access to a system with malicious intent, often referred to as a cracker.
What is a gray hat hacker?
A gray hat hacker typically abides by the law but may occasionally engage in illegal activities.
What does passively searching for information involve?
Gathering information without directly connecting to the target system, such as using tools like www.netcraft.com or http://archive.org.
What is active scanning?
Actively probing a target network to discover open ports, services, and vulnerabilities.
What activities are included in active scanning?
Ping sweeps and port scans (Connect, SYN and FIN scans) to find live hosts and listening services, and enumeration (finding computers, shared folders and user accounts).
What are some useful tools for identifying vulnerabilities?
Shodan.io, NSAuditor, FreeNetEnumerator, and Nmap.
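An added Python example of the simplest active scan, the TCP connect scan with banner grabbing (what nmap -sT does, in miniature); it is not part of the original flashcards and not Nmap's own code. To stay offline it starts a constructed loopback listener that answers with a fake SSH banner and scans that port plus one known-closed port. SYN and FIN scans need raw sockets (root) and are not shown; a connect scan completes the full handshake, so it is the noisiest variant and shows up in the target's own service logs.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Connect scan: complete the TCP handshake and read a banner if the service sends one.
    Returns (state, banner); state is 'open', 'closed' (RST received) or 'filtered' (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""
        except OSError:               # timeout or unreachable: typically a firewall drop
            return "filtered", b""
        try:
            banner = sock.recv(256)   # many services (SSH, SMTP, FTP) speak first
        except OSError:
            banner = b""
        return "open", banner


def connect_scan(host, ports, workers=50):
    """Scan many ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ports, pool.map(lambda p: probe(host, p), ports)))


def start_fake_service(banner=b"SSH-2.0-ConstructedSample\r\n"):
    """Constructed target: a loopback listener that greets each client with a banner."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:           # listening socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def closed_port():
    """Pick a loopback port that nothing is listening on right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def run_demo():
    server, open_port = start_fake_service()
    shut_port = closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, shut_port])
    finally:
        server.close()
    return {"open_port": open_port, "closed_port": shut_port, "results": results}


if __name__ == "__main__":
    demo = run_demo()
    for port, (state, banner) in sorted(demo["results"].items()):
        print(f"{port:5d}/tcp  {state:8s}  {banner.strip().decode(errors='replace')}")
```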
What is involved in physical access attacks?
Bypassing the password using tools like OphCrack or tricking tech support.
What is SQL injection?
An attack on a database-backed application in which SQL syntax is injected through user input, so the query the application runs does something the developer did not intend (bypassing authentication, reading or modifying other users' data).
What is Cross-Site Scripting (XSS)?
An attack that injects client-side script (usually JavaScript) into web pages that other users then view, so the script runs in their browsers in the site's security context.
How does bypassing the password work?
Boot from a Linux live disc, mount the Windows volume, back up Magnify.exe (the accessibility Magnifier in System32), copy cmd.exe over it, and reboot into Windows: launching the Magnifier from the logon screen now opens a command prompt running as SYSTEM, from which the account password can be reset. Replacing the Sticky Keys binary (sethc.exe) works the same way.
What is OphCrack?
A tool that recovers Windows passwords: boot the machine from the OphCrack live CD (Linux-based), extract the password hashes from the SAM file, and look them up in precomputed rainbow tables (LM and NTLM hashes are unsalted, which is why the tables work).
How does SQL injection work?
By entering SQL syntax in an input field so that the query's logic changes, for example ' OR '1'='1 as the password: the WHERE clause becomes username = '...' AND password = '' OR '1'='1', which is always true, so authentication is bypassed whenever the application builds the query by string concatenation instead of using parameterised queries.
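Both sides of that bypass, as an added Python/SQLite example that is not taken from the original flashcards: a login function that concatenates user input into the query, the same function written with bound parameters, and the two classic payloads (' OR '1'='1 and admin'--) run against each. The user table and its passwords are constructed; they are stored in clear only to keep the example short, where a real application stores salted hashes.

```python
import sqlite3


def make_db():
    """Constructed sample database (cleartext passwords for brevity only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("admin", "S3cr3t!"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so the input is parsed as SQL."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately, so they can never become SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads. The first makes the WHERE clause always true (AND binds tighter than OR,
# so it reads (username = '...' AND password = '') OR '1'='1'); the second ends the string and
# comments out the password check entirely with a SQL line comment.
ALWAYS_TRUE = "' OR '1'='1"
COMMENT_OUT = "admin'--"


def run_demo():
    conn = make_db()
    return {
        "legit_safe": login_safe(conn, "alice", "hunter2"),
        "always_true_vulnerable": login_vulnerable(conn, "nobody", ALWAYS_TRUE),
        "always_true_safe": login_safe(conn, "nobody", ALWAYS_TRUE),
        "comment_vulnerable": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "comment_safe": login_safe(conn, COMMENT_OUT, "wrong"),
    }


if __name__ == "__main__":
    for case, who in run_demo().items():
        print(f"{case:24s} -> {who}")
```

The vulnerable version logs the attacker in as whichever row the database returns first (here admin), which is why authentication bypasses so often land on the administrative account: it is usually the first user created.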
What are some Wi-Fi hacking techniques?
Jamming, de-authentication, Wi-Fi Protected Setup (WPS) attacks, and cracking the password.
What is de-authentication in Wi-Fi hacking?
Sending forged 802.11 deauthentication management frames carrying the access point's (or the client's) MAC address as the source, which makes the client drop its association; when it tries to reconnect it can be lured to a rogue access point under the attacker's control. Because this happens at the link layer it is MAC addresses, not IP addresses, that are spoofed, and networks that enforce Protected Management Frames (802.11w) reject such forgeries.
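An added Python example, not part of the original flashcards, that makes the link-layer point concrete: it builds the 26-byte deauthentication management frame an attacker forges (transmitter and BSSID fields carry the AP's MAC), decodes it, and on the detection side counts deauths per BSSID/client pair in a constructed capture to flag a flood. All MAC addresses are invented, nothing is transmitted (real injection needs a monitor-mode interface and a tool such as aireplay-ng), and the frame check sequence is omitted because the radio appends it.

```python
import struct
from collections import Counter

# Frame control: protocol version 0, type 0 (management), subtype 12 (deauthentication).
FC_DEAUTH = 0x00C0


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(client_mac, ap_mac, reason=7, seq=0):
    """Deauthentication frame as an attacker forges it: addr1 is the victim, addr2 (transmitter)
    and addr3 (BSSID) are both the AP's MAC so the client believes the AP kicked it.
    Reason 7 = class 3 frame received from a non-associated station."""
    header = struct.pack("<HH6s6s6sH", FC_DEAUTH, 0x013A, mac_bytes(client_mac),
                         mac_bytes(ap_mac), mac_bytes(ap_mac), seq << 4)
    return header + struct.pack("<H", reason)


def parse_management(frame):
    """Decode the 802.11 MAC header; 802.11 fields are little-endian, unlike IP."""
    fc, _duration, a1, a2, a3, seq = struct.unpack("<HH6s6s6sH", frame[:24])
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "receiver": mac_str(a1), "transmitter": mac_str(a2), "bssid": mac_str(a3),
            "seq": seq >> 4}
    if info["type"] == 0 and info["subtype"] == 12:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def detect_deauth_flood(frames, threshold=10):
    """Detection side: a legitimate AP sends a handful of deauths, an attacker sends a stream.
    Returns the (bssid, receiver) pairs at or above the threshold with their counts."""
    counts = Counter()
    for frame in frames:
        info = parse_management(frame)
        if info["type"] == 0 and info["subtype"] == 12:
            counts[(info["bssid"], info["receiver"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


# Constructed capture: 64 forged deauths aimed at one client plus a single deauth to another
# client (reason 3 = station is leaving), which is what a genuine one looks like.
AP, VICTIM, OTHER = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
CAPTURE = [build_deauth(VICTIM, AP, seq=i) for i in range(64)] + [build_deauth(OTHER, AP, reason=3)]

if __name__ == "__main__":
    print(parse_management(CAPTURE[0]))
    print(detect_deauth_flood(CAPTURE))
```

Wireless IDS products apply the same per-pair rate rule, often combined with a sequence-number check: frames claiming to come from the AP but whose sequence numbers jump away from the AP's real counter are a second sign of forgery.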
What are some typical actions Trojan Horses take?
Delete files, spread other malware, launch DDoS attacks, search for personal information, install back doors.
Name some notorious Trojan Horses.
Back Orifice, Anti-Spyware 2011, Shedun, BrainTest, FinFisher, NetBus, Flashback, GameOver Zeus, various Linux Trojan Horses, Portal of Doom.
How does Back Orifice work?
A remote-administration Trojan that gives the attacker control of the victim machine over TCP/IP; it is self-installing, can be bound to a legitimate application, does not appear in the task list, and is best removed by deleting its registry Run entry together with the server executable.
How does NetBus work?
Similar to Back Orifice; it listens on TCP port 20034 by default (NetBus 2 Pro; earlier versions used 12345 and 12346), so an infection is simple to check for with a port scan; removal is through the registry, and it has an easy-to-use GUI.
What are some capabilities of the Portal of Doom Trojan Horse?
Open/close CD tray, shut down system, open files/programs, access drives, change passwords, log keystrokes, take screenshots.
What are some symptoms of a Trojan Horse infection?
Home page changes without user action, password/username/account changes, screen saver changes, mouse setting changes, and devices working on their own.
What technological measures can be taken to prevent Trojan Horses?
Use antivirus software, firewalls, and intrusion detection systems.
What policy measures can be taken to prevent Trojan Horses?
Never download unsafe/unexpected attachments, close unused ports, avoid downloading browser skins/toolbars/screen savers/animations, scan downloads before use, be cautious of hidden file extensions.
What are the two methods to remove Gator (Adware)?
Add/remove programs and the registry.
What are some concerns regarding RedSheriff (Spyware)?
Uncertainty about what data is collected and negative reactions to website monitoring.
What are two popular antispyware applications?
Spy Sweeper and Zero Spyware.
What are some antispyware policies that can be implemented?
Avoid downloading unsafe attachments, configure browser to block cookies (especially third-party), block scripts without user awareness, utilize pop-up blockers.
What types of downloads should be avoided if their safety is uncertain?
Applications, browser skins, screen savers, and utilities.
What ports are used by Back Orifice?
31337 and 31338
What is the best way to protect against Trojan Horses and Spyware?
Virus scanners and appropriate policies
Why is adware more of a nuisance than a real security threat?
Adware mostly just displays advertisements rather than stealing data or opening back doors; it becomes a real problem only once enough of it accumulates to make the system unusable.
What is the role of policies in technology usage?
Policies designate how technology can be used, by whom, and for what purpose.
What areas should effective user policies cover?
Passwords, Internet use, e-mail attachments, software installation/removal, IM, and desktop configuration.
What are the key aspects of password policies?
Never write down or share passwords; contact admin if compromised; trace login attempts on old passwords.
Give examples of legitimate Internet use for businesses.
Checking competitor websites, checking business ratings, and checking weather conditions for business travel.
Give examples of inappropriate Internet use on a company network.
Searching for a job, pornographic use, violating laws, conducting personal business.
Give examples of 'gray' areas in Internet use policies.
Online shopping or reading news during breaks.
Under what conditions is it acceptable to open an e-mail attachment?
If expected, or if from a known source and appears legitimate.
List scenarios when you should never open an e-mail attachment.
From unknown source, active code/executable, animation/movie, or illegitimate-looking e-mail.
What are some software installation and removal policies businesses can enforce?
Limit user privileges, scan and approve installations, and optionally remove optical drives.
What are the key aspects of instant messaging policies?
Prohibit if not necessary; if necessary, restrict to business issues; no confidential information.
Why should desktop personalization be controlled through policies?
Potential virus risks and the ability to configure harmful system settings.
What are best practices for implementing user policies?
Require sign-off, clearly define policies, and clearly define consequences.
What events may require different system administration policies?
New employees, leaving employees, change requests, and security breaches.
What policies should be in place for new employees regarding system access?
Document access granting, require a signed RTA from an authorized manager, and file the request.
What steps should be taken when an employee leaves the company?
Disable accounts, return keys, shut off access, cancel mainframe accounts, and search workstation hard drive.
What steps should be included in a change control process?
Manager approval, IT verification, security issue identification, implementation plan, and scheduled notification.
List some examples of security breaches.
Virus infection, denial of service attacks, and intrusion by a hacker.
What steps should be taken in response to a virus infection?
Quarantine files, scan and clean machines, log incident, bring online in stages, notify leaders, and meet with IT.
What steps should be taken in response to a denial of service attack?
Utilize firewall/IDS, deny access from originating IP, find the owner of the IP and inform them, log activities, and inform leaders.
What steps should be taken in response to an intrusion by a hacker?
Copy logs, scan for Trojans and changes, document everything, change passwords, and inform leaders.
What access control concepts should be followed?
Following the principle of least privilege: each user and process gets only the access its job requires.
What is true about defining access control?
The need for trade-offs.
What are important aspects of developmental policies?
Check code for malware, implement error handling, follow secure communication guidelines, document port usage, and require vendors to disclose security flaws.
What areas should security policies cover?
New employees, outgoing employees, access control, emergency response, and application/website security.