Forensics Flashcards
(10 cards)
State the 4 types of forensics
Disk
Log file
Network
Memory
What are 3 important things to remember when doing disk forensics?
Document the state of the system before doing anything
Use a hardware write blocker
Do not change anything on the disk
What metadata does encrypted network traffic still leak?
Who was communicating with whom
Time and duration of communication
Amount of data exchanged
Protocol parameters (e.g. TLS handshake)
Describe step by step how to perform forensics on a hard drive
Document state of system, peripherals, serial numbers, location, date/time, internal connection of disks
Shut the powered system down
Remove the drive
Use a hardware write blocker
Use a second system to image the drive with dedicated software
Take an image of each disk separately
Store the hash of the image and write it down
Run your full analysis only on the images you took; reassemble RAID or similar storage in software
State 6 things you can do with a disk image
Recover partition tables
Identify file systems
Determine content of file systems
Use logfiles to create a timeline of events
Check for possibly deleted files
Check for abnormalities
What would partition tables with alignment not used by the OS installer suggest?
Maybe the partition was fabricated with another tool
What would unusual ordering of data on a drive suggest?
The data may have been copied there in one go
What would no fragments of old data in the free space of a drive suggest?
Drive may have been cleaned or cloned from another system
State 4 advantages of remote logging
One central place for all events (correlate events from different machines)
A local attacker cannot modify or delete the logs
Diskless systems are possible
The last messages from a system that died are preserved
State 3 disadvantages of remote logging
Some protocols are unencrypted: data might be exposed
Some don't support authentication: an attacker might add new messages
Messages might be lost when network is down