Digital Forensics and Reverse Engineering Lecture 10

Description and Tags

Question-and-Answer flashcards covering fundamental ideas, tools, and processes from the lecture on Digital Forensics and Reverse Engineering.

38 Terms

1

What does the acronym DFIR stand for and what is its primary focus?

Digital Forensics and Incident Response; it focuses on identifying, investigating, and remediating cyber-attacks.

2

Why has DFIR become a central capability for organisations?

Because of the proliferation of endpoints and an escalation in cybersecurity attacks.

3

What is a Cyber Incident Response Team (CIRT)?

A group responsible for responding to security breaches, viruses, and other potentially catastrophic incidents, relying on digital forensics for evidence.

4

According to NIST SP-800-86, what is forensics?

The application of scientific principles to evidence to test hypotheses or apply scientific tests in an investigation.

5

Name the four phases of the NIST 800-86 forensic process.

Collection, Examination, Analysis, Reporting.

6

List at least four specialised areas of digital forensic practice.

File-system forensics, Memory forensics, Network forensics, Mobile forensics, Cloud forensics, Log analysis, IoT forensics, Malware analysis.

7

In CTF forensics challenges, what is typically analysed?

Static data such as file formats, steganography, memory dumps, and packet captures to find hidden information.

8

In real-world forensics, what kind of evidence is often sought?

Indirect evidence of maliciousness—traces of attackers or insider threats in logs, memory, registries, filesystems, and network data.

9

What is the primary difference between a packet trace and a network log?

Packet traces contain the actual data transmitted, whereas network logs record only that something happened (source, destination, protocol) without the payload.

10

Give two examples of tools or commands used for basic file forensic tasks.

libmagic/file for file-type identification, dd for file carving, strings for plaintext search, hexdump for hex view, exiftool for metadata.

11

What file format stores captured network traffic and which tools commonly create it?

PCAP files, created by tools such as tcpdump and Wireshark (both use libpcap).

12

Name three common methods for capturing network traffic.

Network tap, Port mirroring, Wireless sniffing.

13

Why is triage and filtering crucial when analysing packet traces in Wireshark?

Because clues of interest are usually buried in large volumes of unrelated traffic.

14

Define steganography.

The art and science of communicating so that the very existence of the message is hidden within a carrier such as an image, text, or audio.

15

How does steganography differ from encryption and watermarking?

Steganography hides the existence of a message without altering the carrier noticeably, whereas encryption scrambles content and watermarking adds identifiable marks.

16

Give two modern motivations for using steganography in cybersecurity.

Covert malware distribution (e.g., hiding code in a JPEG) and covert data exfiltration (e.g., uploading innocent-looking images with embedded data).

17

Describe Least Significant Bit (LSB) image steganography.

Data are hidden by altering the least significant bits of pixel values so changes are visually imperceptible.

18

What is steganalysis?

The art of detecting and extracting covert steganographic messages by analysing the carrier file for size, statistical, or visual anomalies.

19

Provide a concise definition of reverse engineering.

The process of deconstructing a product, system, or software to understand how it works, often for learning, vulnerability discovery, or improvement.

20

Under Australian law, list three legitimate purposes that allow reverse engineering.

Interoperability, error correction, and security testing (malware, vulnerability research).

21

What are the four main stages of compiling C code into an executable?

Preprocessing, Compilation, Assembly, Linking.

22

What does a disassembler do?

Converts binary machine code into assembly language to allow low-level inspection without source code.

23

How does a decompiler differ from a disassembler?

A decompiler converts low-level machine or assembly code into a higher-level representation (e.g., C), making logic easier to understand.

24

Contrast static analysis and dynamic analysis in reverse engineering.

Static analysis examines code without executing it (e.g., reading disassembly), whereas dynamic analysis runs the code to observe behaviour (e.g., debugging, tracing).

25

What is Ghidra and who developed it?

An open-source, Java-based reverse-engineering suite developed by the U.S. National Security Agency, mainly for static analysis.

26

Name two other popular reverse-engineering tools similar to Ghidra.

IDA Pro and Binary Ninja.

27

Why is learning assembly compared to learning a new language?

It requires understanding vocabulary (instructions), grammar (syntax), idioms (compiler patterns), and conventions (calling, ABI, addressing modes).

28

Identify the three special x86 registers critical to control flow and stack management.

EIP (instruction pointer), ESP (stack pointer), EBP (base/frame pointer).

29

Explain the main syntax difference between Intel and AT&T assembly.

Intel lists destination first (mov eax, 0x5) with no prefixes, while AT&T lists destination last and uses prefixes $ for immediates and % for registers (movl $0x5, %eax).

30

What does the ‘call’ instruction do in x86 assembly?

Pushes the return address onto the stack and jumps to the target function.

31

What is the purpose of a function prologue in assembly?

To save the previous frame pointer, set up a new stack frame, and allocate space for local variables.

32

What does the ‘ret’ instruction accomplish?

Pops the return address from the stack and transfers control back to the caller.

33

During compilation, what file extension typically represents assembly output and object code?

Assembly output: .s (or .asm); Object code: .o (or .obj).

34

Which log type records successful and failed user logins?

Authentication logs.

35

What is file ‘carving’ in digital forensics?

Extracting embedded or deleted files from larger data blobs by copying raw byte ranges, often with tools like dd.

36

Give two examples of mathematical instructions in x86 and their functions.

add eax, 0x5 (adds 5 to EAX); sub eax, 0x5 (subtracts 5 from EAX).

37

Why might lossy image compression threaten some steganographic techniques?

Lossy compression targets the same least perceptible bits often used to embed hidden data, potentially destroying the covert message.

38

What advantage does dynamic analysis have over static analysis?

It provides fast, accurate insights by observing real execution behaviour, including interactions with the OS and network, which static analysis might miss.