Forensics

Question 1

How do items get into the SIEM

Answer 1

Sensors
Sensitivity
Trends
Alerts
Correlation
Log Files

Question 2

Describe the sensors that feed data into a SEIM

Answer 2

The endpoint being monitored feeds sata to the SEIM

Question 3

Describe sensitivity as it relates to a SEIM

Answer 3

How much or how little we are logging and how sensos are configured to determine how much data is passed

Question 4

Describe Trends as they relate to SEIM

Answer 4

SEIM identifies trends in the network as data is fed to the SIEM, for example, failed login attempts accross many user accounts may be brute force

Question 5

How are alerts created in a SIEM

Answer 5

Created in the SIEM based on certaim parameters, such as account lock outs, failed password attempts

Question 6

Describe correlation of SIEM data

Answer 6

Ensuring that endpoints are using standardized IP and hostname formatting, and devices are using UTC

Question 7

Describe log files as they related to SIEMS

Answer 7

Files that record etiehr events that occur in an OS or other software that is being run, or message between users for COMMS software

Question 8

What are the types of log files

Answer 8

System
Application
Security
web
DNS
Authentication
DumpFiles
VOIP

Question 9

Describe what system, application, and security log files provide

Answer 9

System - What is occuring on host or server
Application - what each app is doing
Security- monitor log in events

Question 10

Describe what web log files provide

Answer 10

Web - may be a proxy server that will detail what websites users are visiting, and if you host a web server, these logs will tell you what files and hosted items are being interacted with

Question 11

Describe what DNS, and authentication files provide

Answer 11

DNS - What requests have been made of the DNS server, see what host is asking for what address

Authentication - will show all authentication info across files, systems, resources

Question 12

Describe what DumpFiles and VOIP logs are used for

Answer 12

Dump Files are logged when things crash, memory contents are written to disk for later review

VOIP logs can be captured as VOIP metadata

Question 13

What are the three variations of SYSLOG

Answer 13

Syslog, rsyslog, syslog-ng

Question 14

Which versions of SYSLOG offer encryption

Answer 14

Syslog-NG

Question 15

What is JournalCTL

Answer 15

LInux CMD utility used for querying and displaying logs from JournalD, the systemD logging service in Linux

Question 16

What is NXLog

Answer 16

Multiplatform log management tool that helps to identify security risks and policy breaches and analyze operational problems in server, OS, and application Logs

Open source, cross platform tool similar to rsyslog and syslog-NG

Question 17

What is Netflow and what data does it collect/display

Answer 17

Network protocol developed by Cisco that collects active IP netweork traffice as it flow sin our out of an interface.

It can collect the point of origin, destination, volume and paths on the network that data has.

Question 18

What are some uses of Netflow and it’s limitation

Answer 18

It provides a summary of data going in and out of a network, and can display network spikes which can help admins determine who is using the most bandwidth and at which time.

Netflow CANNOT tell exactly what files are leaving or entering the network

Question 19

What is Sflow

Answer 19

Sampled Flow provides a means for exporting truncated packets with Interface counters for the purpose of network monitoring

It is an open source version of netflow
It will sample packets using X out of Y method

Question 20

What is IPfix

Answer 20

IP Flow info Export - Universal standard for export of IP flow information from network devices and mediation systems such as account/billing systems that facilitate measurement, accounting and billing.

Back end of service management, cell phone and ISPs can use this to determine how much data you have used in a given period, and bill you for what you use.

Question 21

Describe metadata

Answer 21

Data about data, could provide an underlying definition or description of underlying data that make finding or working with data easier.

Example:
Files > Created on, Created by
Email > email header

Question 22

Describe forensic procedures

Answer 22

Written procedures that ensure that personnel handle forensics properly, effectivity, and in compliance with regulations

Question 23

What are the four steps to forensics

Answer 23

Identifications
Collect
Analysis
Reporting

Question 24

Describe Identification and Collection of forensic evidence

Answer 24

Identification - Ensure scene is safe and secure to prevent contamination, and identify scope of what evidence is to be collected

Collection - Ensure authorization to collect evidence, document and prove the integrity of the evidence

Question 25

Describe the analysis step of forensics

Answer 25

A copy of the evidence is created for analysis and repeatable methods and tools are used to analyze the data

Question 26

Describe the Reporting step of forensics

Answer 26

A report is created that detais the methods and tools used in the investigation.

It presents detailed findings and conclusion based on the analysis.

Question 27

What is a legal hold

Answer 27

Process designed to preserve all relevant information when litigation is reasonably expected to occur .

A liaison who has legal knowledge and expertise should be appointed and act as a POC for LE

Question 28

What are the ethics that forensic analysts must abide

Answer 28

1. Analysis must be performed without bias
2. analysis must be repeatable by 3rd party
3. Evidence must not be changed or manipulated

Question 29

Describe a forensic timeline

Answer 29

A tool that shows the sequence of filesystem events within a source image using a graphical format

Question 30

What are some common questions to ask in the analysis stage of an incident response

Answer 30

How was access to the system obtained
What tools have been installed - RAT, NMAP
What changes to the files have been made
Was data exfiltrated
What was sensitivity of the data exfiltrated

Question 31

When a disk has been retrieved as evidence, how should the data be handled

Answer 31

A forensic disk image of the data should be taken, This will allow for any malware to be removed from the system.

Question 32

What are the first four steps that should be followed after a forensic image has been taken of digital evidence

Answer 32

1. Capture and Hash system images
2. Analyze data with forensic tools
3. Capture screenshots of the machine
4. Review network and traffic logs

Question 33

What are steps 5-9 when analyzing collected data

Answer 33

5. Capture video - CCTV?
6. Consider order of volatility of data on systems you are collecting data from
7. take statements
8. review licensing and documentation
9. Track man hours and expenses

Question 34

What is order of volatility

Answer 34

consideration when collecting digital evidence

1. CPU Registers and Cache
2. Contents of RAM, Routing Tables, ARP Cache, Process tables, and swap files
3. Data on persistent mass storage
4. remote logging and monitoring data
5. physical configuration and network topology
6. Archival Media - backups

Question 35

Define the process of data acquisition

Answer 35

The mehtod and tools used to create a forensically sound copy of data from a source device asuch as memory or disk

Question 36

What may complicate data acquisition

Answer 36

BYOD - Employees using their personal devices may not allow forensic copies of their personal data to be made and analyzed

Question 37

How does a PCs power state affect data acquistion

Answer 37

Some data may only be available while the PC is powered on, other data may require the PC to be turned off, or be collected during a reboot.

Question 38

Where are Windows Reg Keys stored

Answer 38

Most are stored on Disk, but HKLM/Hardware are stored in memory, and can be accessed via a memory dump.