CHFI Flashcards

Question

What are the best practices for dealing with networked computers?

Answer 1

1. Unplug network cable 2. Photograph all devices connected to the victim computer, such as router, modem, printer, etc. 3. If computer is off, leave it off 4. If computer is on, photograph screen and follow powered-on procedures

Answer 2

1. Photograph screen's display 2. Do no turn device on if it is off 3. Leave device as is if it is on and keep it charged

Answer 3

when an OS marks clusters of a disk as used but does not allocate them to a file

Answer 4

the storage area of a disk between the end of a file and teh end of a cluster

Answer 5

Master Boot Record. The first sector (sector 0) of a disk. Contains information regarding files on the disk

Answer 6

creation of logical divisions on a storage device, allowing for OS-specific logical formatting

Answer 7

BIOS parameter block. Describes the physical layout of the data storage volume. May also define filesystem structure. Can help investigators locate the file table on the hard drive

Answer 8

Globally unique identifier. A 128-bit unique reference number used in computer software

Answer 9

OS is loaded from the hard disk to the RAM

Answer 10

Striping only, no redundancy. Min 2 drives

Answer 11

Mirroring only. Requires even number of drives

Answer 12

Bit-level striping. Better data-integrity, but slower than RAID 0

Answer 13

Byte-level striping and dedicated parity disk. Requires at least 3 drives

Answer 14

Byte-level striping and distributed parity among drives. Data writing is slow. Min 3 drives

Answer 15

Combo of 0 and 1. Min 4 drives. Includes fault tolerance of RAID 1 and includes redundancy through mirroring

Answer 16

Double parity RAID. Data striped across multiple drives and uses dual parity for better redundancy than RAID 5. Min 4 drives.

Answer 17

Combining multiple disks into one large logical drive (JBOD, used when disks don't support RAID)

Answer 18

Base 16 numeral system. 0-9 represents 0-9, and A-F represents 10-15

Answer 19

take each digit in the hex and make it into a 4-digit binary

Answer 20

each digit from right to left is the represented number * 16^the digit's position, starting w/ 0

Answer 21

each digit from right to left is the number * 2^ the digit's position, starting w/ 0

Answer 22

Live: collect data from system powered ON Dead: collect data from system powered OFF

Answer 23

collection from volatile sources

Answer 24

1. Registers and cache 2. Routing table, process table, memory 3. Temporary system files 4. Disk 5. Remote logging and monitoring data 6. Physical configuration and network topology 7. Archival media

Answer 25

1. Do not work on the original digital evidence 2. Produce 2 or more copies of the original media 3. Use clean media to store the copies 4. Verify integrity of copies with the original

Answer 26

Capturing only selected files or file types of interest for the case

Answer 27

similar to logical acquisition, but additionally collects fragments of unallocated data, allowing the acquisition of deleted files

Answer 28

1. Determine data acquisition method 2. Select the acquisition tool 3. Sanitize target media 4. If computer is on, acquire volatile data and turn off computer 5. Remove hard disk 6. Write protect the device 7. Acquire non-volatile data 8. Plan for contingency 9. Validate data acquisition

Answer 29

1. Should not change original content 2. should log I/O errors 3. Should pass scientific and peer review 4. Should alert if source is larger than destination 5. Should create a bit-stream copy of content 6. Should create qualified bit-stream copy if I/O errors occur 7. should document content of destination that is not part of the copy 8. Should contain correct documentation

Answer 30

``` GOST P50739-95 (russian) VSITR (german) NAVSO P-5239-26 (US) DoD 5220.22-M (US) NIST SP 800-88 (US) ```

Answer 31

counter forensics. techniques aimed at complicating or preventing proper forensics investigation

Answer 32

``` data/file deletion password protection steganography data hiding in file systems trail obfuscation artifact wiping overwriting data/metadata encryption program packers minimizing footprint ```

Answer 33

alternate data stream. allows data to be hidden in windows NTFS and cannot be revealed using command line or windows explorer. Does not change file size, functionality, etc. except file date

Answer 34

Collect system time - exact date and time an incident happened in UTC

Answer 35

NetworkOpenedFiles

Answer 36

netstat -a -n -o

Answer 37

doskey /history

Answer 38

pd.exe, Userdump.exe, or adplus.vbs

Answer 39

security tool to identify malicious activity through memory and helps establish the timeline and scope of an incident

Answer 40

HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG

Answer 41

HKEY_LOCAL_MACHINE, | HKEY_USERS

Answer 42

HKEY_LOCAL_MACHINE

Answer 43

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\GUID

Answer 44

Autoruns utility

Answer 45

``` Exiv2, IrfanView, or Image::MetaData::JEPG Perl module Metashield Analyzer (online) ```

Answer 46

set of registry keys which record viewing preferences of folders for a users. provides evidence related to folders accessed by a user. Includes directories which have been removed, such as previously mounted drives, deleted files, etc

Answer 47

a Windows shortcut file that points to an application or an executable file and has the .lnk extension. stored in C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent Can provide metadata on when files are accessed

Answer 48

2: Interactive (user logged on) 3: Network (logged on from network) 4: Batch 5: Service (service started by service control manager) 7: Unlock 8: NetworkCleartext (logged on from network, PW passed unhashed) 9: NewCredentials (cloned current token and specified new credentials for outbound connections 10: RemoteInteractive (User logged on remotely) 11: CachedInteractive (user logged on with cached network credentials

Answer 49

Unusual outbound network traffic Uniform Resource Locators (URLs): Malicious URLs User-agent strings Log-in anomalies Increased number of requests for same file Network traffic traversing unusual ports

Answer 50

Full Content Data: actual packets collected. can be analyzed with tcpdump or Wireshark Session Data: A summary of conversation between two network entities. Includes destination IP/port, source IP/port, convo times, and amount of info exchanged Alert Data: Triggered by tools like Snort IDS and Suricata. Must be careful to avoid false positives Statistical Data: Overall profile or summaries of network traffic. Includes timestamps, protocols and services being used, average packet size, and packet rate

Answer 51

1. Logs must be created consistently with event under investigation 2. Logs must be stored in secure location 3. Logs must be maintained as routine business practice 4. Random compilations of data are not permissible 5. Logs instituted after commencement of incident do not qualify under business records exception 6. Maintain logs regularly to use them as evidence later 7. Custodian must testify accuracy and integrity of logs 8. Custodian must testify as to reliability and integrity of hardware and software platform used, including logging software 9. A record of failure/security breach on machine making logs leads to log impeachment 10. If investigator claims machine is penetrated, logs are inherently suspect

Answer 52

1. Log everything 2. Synchronze Time 3. Use Multiple Sensors 4. Missing Logs (continuously monitor for missing logs) 5. Ensure System's Integrity 6. Control access to the log

Answer 53

- Ensure logging is enabled on all devices - Admin able to xfer authorization to security personnel - Consult legal dept when developing policies - Ensure safe transmission/storage of logs - Collect appropriate logs - Data must be readily accessible when investigating - Authentication/security must not be compromised in making data available - Maintain consistent structure for logs - Set severity levels for alerts - Indexing and storing of incident logs must be considered mandatory

Answer 54

Same-platform correlation: used when one common OS is used throughout the network Cross-platform correlation: used when different OS and network hardware platforms are used in the network

Answer 55

Transmission of data: securely transmitting data to a consolidation point Normalization: after gathering data, it must be formatting to a single consistent format for the database Data Reduction: remove unnecessary data, such as repeated data

Answer 56

Construct a graph with the system components as nodes and dependencies between these components as edges

Answer 57

use neural network to detect anomalies in the event stream, root causes of fault events, etc.

Answer 58

Use a codebook to store a set of events and correlate them

Answer 59

Events correlated according to a set of rules

Answer 60

Basic approach where specific events are compared with single or multiple fields in normalized data

Answer 61

Checks and compares all fields systematically for positive and negative correlation

Answer 62

Used for correlating particular packets with other packets. Can produce a list of potential new attacks by comparing packets with attack signatures

Answer 63

Series of data sets gathered from forensic event data is used to ID whether a system serves as a relay to a hacker or is a formerly compromised host, and to detect the same hacker from different locations

Answer 64

Used to map IDS events that target a particular vulnerable host. Also used to deduce an attack on a particular host in advance and prioritize attack data so you can respond to trouble spots quickly

Answer 65

Determine the rate of successful attacks by comparing the list of open ports available on the host with those under attack

Answer 66

advanced correlation approach that predicts what an attacker can do next after the attack by studying the stats and probability theory, using only 2 variables

Answer 67

Used to monitor the behaviour of computers and their users and trigger alerts wen anomalies are found

Answer 68

Used to extract information on the attack route and use it to single out other attack data

Answer 69

1. Customers being unable to access services 2. Suspicious activities in user accounts 3. Leakage of sensitive data 4. URLs redirecting to incorrect sites 5. Web page defacements 6. Unusually slow network performance 7. Frequent rebooting of the server 8. Anomalies in log files 9. Error messages

Answer 70

open-source network IDS capable of performing real-time traffic analysis and packet logging on IP networks used to detect a variety of web app attacks and probes

Answer 71

secures web apps acts as reverse proxy between client and web server real-time alerting and logging provides cookie protection

Answer 72

not a replacement for proper app security such as input validation and user auth WAF inspects traffic based on a particular protocol only cannot read database commands does not ensure security from false positives

Answer 73

``` free, cross-platform WAF module supported by Nginx, Apache, and IIS allows real-time HTTP traffic monitoring, logging, and analysis ```

Answer 74

IDS log files Web server log files WAF log files SIEM-triggered alerts

Answer 75

In-line comments: attackers use in-line comments in the middle of attack strings "/* */" for comments Char encoding/double encoding Toggle case: alternating case such as "UnIoN/**/SeLecT" Replaced Keywords: "UNunionION+SEselectLECT" White space manipulation: using %0b to eliminate white space "uni%0bon+se%0blect"

Answer 76

%2e%2e%2f (URI encoded) %252e%252e%252f (URI double encoded) ..%c0%af (unicode/UTF-8 encoded)

Answer 77

user login sessions, user transactions

Answer 78

Mysqlaccess

Answer 79

Mysqlbinlog

Answer 80

mysqldbexport

Answer 81

Primary data files (MDF) secondary data files (NDF) transaction log data files (LDF)

Answer 82

Cloud as a subject: crime committed within the cloud environment Cloud as an object: cloud provider is target of the crime Cloud as tool: cloud is used to plan and commit the crime

Answer 83

Deletion in the cloud: limited number of backups, and retrieval may not be implemented for IaaS or PaaS models Recovering overwritten data: When data is deleted, other shared users may overwrite the data Interoperability issues: lack of interoperability between CSPs and lack of control from consumer Single point of failure: cloud ecosystem has single points of failure, impacting evidence acquisition

Answer 84

Decreased access and data control: investigator has limited access and control of forensic data Chain of dependencies: CSPs often rely on other CSPs, so cloud investigation may depend on examining each link in the chain Locating evidence: locating/collecting is difficult as data may be quickly altered or lost with limited knowledge regarding where or how it is stored Data location: data may be stored in different data centers or geographic regions Imaging and isolating data: difficult due to cloud elasticity, automatic provisioning, redundancy, and multi-tenancy

Answer 85

Decentralization of logs: logs not stored in any single log server Evaporation of logs: some cloud logs are volatile, as in with VMs Multiple layers/tiers: logs generated for each tier in cloud architecture, making collection difficult Less evidentiary value: not all logs provide crucial information

Answer 86

Missing terms in contract or SLA: can prevent generation and collection of existing data Limited investigative power: investigators often provided with limited power in civil cases Reliance on cloud providers: cooperation from CSPs may be limited by the number of employees and other resources Physical data location: hard to specify physical location of data on a subpoena Port protection: scanning ports is difficult because CSPs do not provide access to physical infrastructure Transfer protocol: dumping TCP/IP network traffic is challenging--CSPs do not provide access to physical infrastructure E-discover: response time is challenging due to ambiguity of data location and uncertainty of relevant data

Answer 87

Evidence correlation: correlation across multiple CSPs is challenging Reconstructing virtual storage Timestamp synchronization: timestamps may be inconsistent between different sources Log format unification: unification/conversion is difficult due to different formats/amount of resources, may also result in loss of critical data. may also have to deal with proprietary formats Use of metadata: using metadata as authentication may cause common fields (creation date, modified date, etc.) to change when data is xfered from cloud or during collection Log capture: log data collection methods differ for each CSP

Answer 88

1. Isolate the compromised EC2 instance 2. Take a snapshot of the instance 3. Provision and launch a forensic workstation 4. Create evidence volume from the snapshot 5. Attach the evidence volume to the forensic workstation 6. Mount the evidence volume onto the workstation

Answer 89

Locally redundant storage (LRS): copies storage data 3 times in a single physical location in the primary region Zone-redundant storage (ZRS): copies data in 3 availability zones within a primary region Geo-redundant storage (GRS): replicates data 3 times synchronously within a single physical location, then copies it asynchronously to a single location in a secondary region Geo-zone-redundant storage (GZRS) copies data in 3 availability zones in primary region synchronously, then copies asynchronously to single location in secondary region

Answer 90

1. Create a snapshot of the SO disk of suspect VM via Azure portal 2. Copy the snapshot to a storage account under different resource group 3. Delete snapshot from source resource group and create backup copy 4 .Mount snapshot on forensic workstation

Answer 91

piece of software bundled with app code and all dependencies that helps the app run on any computing environment/infrastructure Can run as isolated, independent processes by sharing the OS kernel

Answer 92

architectural framework in app development in which all core functions in an app are built and deployed independently as a service

Answer 93

Highly dynamic Microservices: security team must look into multiple containers with multiple microservices, making process complex Ephemeral in nature: lightweight and short lifecycle. data written to filesystem of containers gets deleted as soon as it's stopped No snapshot feature: cannot snapshot containers

Answer 94

1. Seize the computer and email accounts 2. Acquire email data. 3. Examine email messages. 4. Retrieve email headers. 5. Analyze email headers. 6. Recover deleted email messages.

Answer 95

obtain search warrant including permission for on-site examination of suspect's computer and email server used seize all computers and email accounts suspected can seize email account by changing existing password

Answer 96

Email Dossier Email Address Verifier Email Checker G-Lock Software Email Verifier

Answer 97

1. Email message: inspect body thoroughly looking for suspicious links or attachments. Also may have false sense of urgency. 2. Links: Run links through forensic machines (or mouse over to see link BUT DON'T CLICK) to find suspect links 3. Received header entries: find email ID and IP address of attacker 4. Originating IP address: find general geographic area 5. Received-SPF field: validation failure can indicate spoofing (sender does not permit the server to send mail on its behalf) 6. Sender's email validity 7. Message ID (FQDN should typically be something like gmail or outlook.com, not localhost or other...) 8. Return path: should match sender's email

Answer 98

Paraben's Electronic Evidence Examiner

Answer 99

CAN-SPAM Act | Penalties up to $16,000

Answer 100

Software that disguises malware as legitimate product through encryption or obfuscation

Answer 101

type of trojan that downloads other malware

Answer 102

Type of trojan that installs other malware files either from a malware package or the internet

Answer 103

malicious code that breaches the system security via software vulnerabilities

Answer 104

program that injects its code into other vulnerable running processes and changes the way of execution to hide

Answer 105

program that conceals its code and intended purpose

Answer 106

program that allows to bundle all files together into a single executable file to bypass security detection

Answer 107

piece of software that allows control of computer system after exploit

Answer 108

command that defines malware's basic functionalities such as stealing data or creating back door

Answer 109

group of malware that do not write any file to the disk and use only approved Windows tools for installation and execution, thus circumventing security and whitelisting processes

Answer 110

accuracy of analysis process Detection of malware pieces and traits amount of data to analyze changing technologies and dynamics of malware anti-analysis procedures such as encryption, obfuscation, deletion, etc

Answer 111

balbuzard and cryptam malware document detection suite

Answer 112

isolate system from network by setting NIC card to "host only" mode disable "shared folders" and "guest isolation" generate hash value of each OS and tool

Answer 113

Genie backup manager pro macrium reflect server R-Drive Image O&O DiskImage 16

Answer 114

NetSim ns-3 Riverbed Modeler QualNet

Answer 115

``` Virtual Box (Windows, Linux, Mac, Solaris) Parallels Desktop (Mac) WMware vSphere (Bare metal) ```

Answer 116

``` Any.Run Hybrid Analysis Kaspersky Threat Intelligence Portal Valkyrie Virus Total ```

Answer 117

A new process has been created

Answer 118

Windows Filtering Platform has allowed connection (outbound network connection)

Answer 119

Service was installed in the system

Answer 120

Registry value was modified

Answer 121

Object was deleted (such as account name, domain, process ID, etc.)

Answer 122

An attempt was made to access an object

Answer 123

Windows Protection Service has entered the stopped state

Answer 124

The start of Windows Protection Service was changed from autostart to demand start/auto start disabled

Answer 125

API Monitor

Answer 126

FastSum - computes checksums according to MD5 checksum algorithm

Answer 127

WinMD5 - fingerprints can be used to ensure file is uncorrupted

Answer 128

TCPView (all TCP/UDP endpoints and state of TCP connections) | Currports (all currently open TCP/IP and UDP ports)

Answer 129

Normal Direct Firmware Upgrade (DFU): allows investigators to obtain device info w/o entering passcode or bypassing USB restriction mode Recovery mode: used to upgrade the device to a signed firmware version using iTunes by invoking the iBoot process

Answer 130

1. Connect iPhone to computer with USB cable 2. Press and hold Home and Lock buttons (A9), press and hold Side and Volume Down buttons (A10), or quick press and release volume up then quick press volume down (A11+) 3. Continue to hold for 8 seconds then release Lock or Side button (A9/10), OR press and hold side button until screen goes black (A11+) 4 (only A11+) continue holding side button and press volume down for 5s then release side button 5 (only A11+). release volume down after 10 seconds 6. screen remains black in DFU mode

Answer 131

volatile AND nonvolatile

Answer 132

tethered: cannot be rebooted w/o a computer. must re-jailbreak every time untethered: can reboot w/o computer, jailbreak is automatic semi-tethered: can reboot device, but jailbreak features are not loaded semi-untethered: boots into non-jailbroken state but can be re-jailbroken using an app vs computer

Answer 133

Cellebrite, MOBILedit, Elcomsoft

Answer 134

Test Access Ports. Testing ports on devices that allow manufacturers to test devices. Can be used to instruct the processor to transfer all data stored in the memory chips

Answer 135

physically removing the flash memory of a device for analysis. useful for locked devices or damaged/dismantled devices

Answer 136

OS: Mobile devices use various OSes that are all handled differently Security: security features protect the data and privacy making acquisition difficult Cloud Data: acquiring cloud data often has legal constraints and is difficult Data Preservation: device needs to be isolated from all communications to prevent remote wiping Anti-forensics: data hiding, forgery, and secure wiping complicate the investigation process

Answer 137

Application: validation of input strings, AuthN, AuthZ, no auto-security updates, default passwords Network: firewall, improper comm encryption, services, lack of auto update Mobile: insecure API, lack of comm encryption, authentication, lack of storage security Cloud: improper authentication, no storage/comm encryption, insecure web interface

Answer 138

1. Weak or guessable passwords 2. Insecure network services 3. Insecure ecosystem interfaces 4. lack of secure update mechanism 5. Use of insecure or outdated components 6. Insufficient privacy protection 7. Insecure data xfer or storage 8. Lack of device management 9. Insecure default settings 10. Lack of physical hardening

Answer 139

sybil attack: multiple forged identities used to create strong illusion of traffic congestion (used in vehicular ad hoc networks) forged malicious device: replace authentic IoT device with malicious device side channel attack: extract information about encryption keys by observing emission signals

Answer 140

ID, collection, and preservation of evidence: most devices work autonomously, so identification can be difficiult. Analysis of evidence: most data is cloud based autonomous nature: due to this function, it may be difficult to identify whether human intervention or design flaw caused the malfunction

Answer 141

character positions. | detected by looking for text patterns or disturbances, blank spaces, etc.

Answer 142

changes in size, file format, metadata, and color palette | detected through statistical analysis

Answer 143

inaudible frequencies or odd distortions and patterns in audio graph

Answer 144

combo of image and audio

Answer 145

technique to recover files and fragments of files from a hard disk in the absence of file system metadata

Answer 146

``` 010 Editor CI Hex Viewer Hexinator Hex Editor Neo Qiew WinHex ```

Answer 147

Search warrant: written order authorizing search for particular evidence in particular location. include particulars of the object and devices being searched as well as the strategy used to investigate Electronic storage search warrant: allows team to search and seize components including hardware, software, storage devices, documents Service provider search warrant: allows investigators to consult w/ service provider to get: service records, billing records, subscriber info

Answer 148

when destruction of evidence is imminent

Answer 149

%SystemDrive%\inetpub\logs\LogFiles

Answer 150

.ost - used by non-POP accounts - cached storage | .pst - used by POP accounts - actual storage

Answer 151

Apache Core: basic functionalities such as allocation of requests and connection maintenance Apache Modules: Add-ons used for extending core functionality

Answer 152

http_protocol: responsible for managing routines http_main: handles server startup and timeouts as well as main server loop http_request: controls stepwise procedure followed among modules to complete client request as well as error handling http_core: Includes a header file thaht is not required by the app module Alloc.c: handles allocation of resource pools http_config: reads and handles configuration files and arranges the modules

Answer 153

Access log: records all requests processed by server | error log: diagnostic information and errors the server faced during requests

Answer 154

RHEL/Red Hat/CentOS/Fedora Linux: /usr/local/etc/apache22/httpd.conf Debian/Ubuntu Linux: /etc/apache2/apache2.conf FreeBSD: /etc/httpd/conf/httpd.conf

Answer 155

EC AF C1 00

Answer 156

``` FD FF FF FF nn 00 or FD FF FF FF nn 02 or 09 08 10 00 00 06 05 00 ```

Answer 157

``` A0 46 1D F0 or 00 6E 1E F0 or 0F oo E8 03 or FD FF FF FF nn nn 00 00 ```

Answer 158

50 4B 03 04 14 00 06 00

Answer 159

89 50 4E 47 0D 0A 1A 0A

Answer 160

25 50 44 46

Answer 161

50 4B 03 04

Answer 162

21 42 44 4E

Answer 163

only the stego object is available for analysis

Answer 164

have access to the stego algorithm and both cover medium and stego-object

Answer 165

have access to hidden message and stego object

Answer 166

compare stego-object and cover medium to ID hidden message

Answer 167

generate stego objects from known message using specific tools to ID the stego algorithm

Answer 168

have access to the stego-object and stego-algorithm

Answer 169

perform probability analysis to test whether the object and original are the same or not

Answer 170

analyze the embedded algorithm used to detect distinguishing statistical changes along the length of the embedded data

Answer 171

blind detector is fed original or unmodified data to learn resemblance of original data from multiple perspectives

Answer 172

when a person with authority has provided consent

CHFI Flashcards

(212 cards)