What is the purpose of VSS (Volume Shadow Copy Service) in forensics?
It creates automatic snapshots of the disk, allowing analysts to recover older versions of files or deleted evidence.
What tool from the Shadow Brokers leak can surgically remove event log entries?
DanderSpritz (via its eventlogedit feature).
What are the two primary NTFS journaling files?
$LogFile (records metadata changes for resiliency) and $UsnJrnl (records a high-level log of all file and directory changes).
What does an Alternate Data Stream (ADS) with a Zone.Identifier of 3 indicate?
The file was downloaded from the Internet.
What defensive countermeasure is highly recommended for the USN Journal?
Increase its default size (e.g., from 32MB to 256MB) to extend the historical runway of file system activity it retains.
Why can SSDs be harder for forensic data recovery than HDDs?
Wear-leveling and TRIM features actively clear deleted data blocks, reducing the chance of recovering deleted files.
What is MFT Carving?
Extracting deleted NTFS records from raw space when the standard file system metadata is missing or damaged.
Name common tools used by attackers for file wiping (anti-forensics).
SDelete, BCWipe, Eraser, and cipher.exe.
What is the core purpose of the Stark Research Labs capstone scenario?
To apply all course skills to reconstruct a multi-stage intrusion end-to-end using MITRE ATT&CK.