Introduction to Digital Forensics

Question 1

What is Digital Forensics?

Answer 1

A specialized branch of cybersecurity that involves the collection, preservation, analysis, & presentation of digital evidence to investigate cyber incidents, criminal activities, and security breaches. It applies forensic techniques to digital artifacts to uncover the truth behind cyber-related events.

Question 2

What is the aim of digital forensics?

Answer 2

To reconstruct timelines, identify malicious activities, assess the impact of incidents, and provide evidence for legal or regulatory proceedings.

Question 3

Where is electronic evidence collected from and what is collected?

Answer 3

Electronic evidence is collected from computers, mobile devices, servers, cloud services, and other digital sources. And the evidence can include files, emails, logs, databases, network traffic, and more.

Question 4

Preservation of Evidence

Answer 4

Ensuring the integrity and authenticity of digital evidence is crucial.

Question 5

Stages in the Forensic Process

Answer 5

• Identification
• Collection
• Examination
• Analysis
• Presentation

Question 6

Forensic Process: Identification

Answer 6

Determining potential sources of evidence

Question 7

Forensic Process: Collection

Answer 7

Gathering data using forensically sound methods

Question 8

Forensic Process: Examination

Answer 8

Analyzing the collected data for relevant information

Question 9

Forensic Process: Analysis

Answer 9

Interpreting the data to draw conclusions about the incident

Question 10

Forensic Process: Presentation

Answer 10

Presenting findings in a clear and comprehensible manner

Question 11

Types of Cases

Answer 11

• Cybercrime investigations (hacking, fraud, data theft)
• Intellectual property theft
• Employee misconduct investigations
• Data breaches and incidents affecting organizations
• Litigation support in legal proceedings

Question 12

Basic steps for performing a forensic investigation

Answer 12

1. Create a Forensic Image
2. Document the System’s State
3. Identify and Preserve Evidence
4. Analyze the Evidence
5. Timeline Analysis
6. Identify Indicators of Compromise (IOCs)
7. Report and Documentation

Question 13

New Technology File System (NTFS)

Answer 13

A proprietary file system developed by Microsoft

Question 14

Predecessor of NTFS

Answer 14

File Allocation Table (FAT)

Question 15

What File Metada is stored in NTFS

Answer 15

Creation time, modification time, & attribute information

Question 16

Master File Table (MFT)

Answer 16

A crucial component of NTFS that stores metadata for all files and directories on a volume. When files are deleted, their MFT entries are marked as available, but the data may remain on the disk untiil overwritten.

Question 17

What do MFT Entries provide during examination?

Answer 17

Insights into file names, sizes, timestamps, and data storage locations

Question 18

Unallocated Space on an NTFS volume

Answer 18

May contain remnants of deleted files or fragments of data

Question 19

File slack

Answer 19

The unused portion of a cluster that may contain data from a previous file

Question 20

File Signatures

Answer 20

Useful, along with file headers, in identifying file types.

Question 21

Update Sequence Number (USN) Journal

Answer 21

A log maintained by NTFS to record changes made to files and directories

Question 22

LNK Files

Answer 22

Windows shortcut files (LNK files) contain information about the target file or program, as well as timestamps and metdata

Question 23

Prefetch Files

Answer 23

Generated by Windows to improve the startup performance of applications. Can indicate which programs have been run on the system & when they were last executed

Question 24

Registry Hives

Answer 24

Contain important configuration and system information. Malicious activities or unauthorized changes can leave traces in the registry. Not directly related to the file system

Question 25

Shellbags

Answer 25

Registry entries that store folder view settings. Can reveal user navigation patterns and potentially identify accessed folders

Question 26

Thumbnail Cache

Answer 26

Store miniature previews of images & documents. Can reveal files that were recently viewed, even if the original files have been deleted

Question 27

Recycle Bin

Answer 27

Contains files that have been deleted from the file system

Question 28

Alternate Data Streams (ADS)

Answer 28

Additional streams of data associated with files. Malicious actors may use ADS to hide data

Question 29

Volume Shadow Copies

Answer 29

Snapshots of the file system at different points in time. Supported by NTFS

Question 30

Secruity Descriptors and Access Control Lists (ACLs)

Answer 30

Determine file & folder permissions. Analyzing artifacts helps understand user access rights and potential security breaches

Question 31

Default File Path for Log Storage

Answer 31

C:\Windows\System32\winevt\logs

Question 32

Windows execution artifacts

Answer 32

Traces & evidence left behind on a Windows OS when programs & processes are executed.

Question 33

Windows Execution Artifact: Prefetch Files

Answer 33

Windows maintains prefetch folder that contains metadat about the execution of various applications. Prefetch files can reveal a history of executed programs & the order in which they were run C:\Windows\Prefetch

Question 34

Windows Execution Artifact: Shimcache

Answer 34

Windows mechanism that logs information about program execution to assist with compatibility and performance optimizations. Can help identify recently executed programs & their associated files. Registry:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Question 35

Windows Execution Artifact: Amcache

Answer 35

A database introduced in Windows 8 that stores info about installed applications and executables. Can provide insights into program execution history & identify potentially suspicious or unauthorized software C:\Windows\AppCompat\Programs\Amcache.hve (Binary Registry Hive)

Question 36

Windows Execution Artifact: UserAssist

Answer 36

A registry key that maintains info about programs executed by users Registry:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurentVersion\Explorer\UserAssist

Question 37

Windows Execution Artifact: RunMRU Lists

Answer 37

RunMRU (Most Recently Used) lists in Windows Registry store info about recently executed programs from various locations. Can indicate which programs were run, when they were executed, & potentially reveal user activity Registry:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Question 38

Windows Execution Artifact: Jump Lists

Answer 38

Store info about recently accessed files, folders, & tasks associated with specific applications. User-specific folders (e.g., %AppData%\Microsoft\Windows\Recent)

Question 39

Windows Execution Artifact: Shortcut (LNK) Files

Answer 39

Can contain info about the target executable, file paths, timestamps, & user interactions Various locations (e.g., Desktop, Start Menu)

Question 40

Windows Execution Artifact: Recent Items

Answer 40

Folder that maintains a list of recently opened files User-specific folders (e.g., %AppData%\Microsoft\Windows\Recent)

Question 41

Windows Execution Artifact: Windows Event Logs

Answer 41

Record events related to program execution, application crashes, & more C:\Windows\System32\winevt\Logs

Question 42

Windows Persistence

Answer 42

The techniques & mechanisms used by attackers to ensure their unauthorized presence & control over a compromised system, allowing them to maintain access & control even after initial intrusion

Question 43

Windows Registry

Answer 43

Acts as a crucial database, storing critical system settings for the Windows OS

Question 44

What are some Autorun keys used for persistence?

Answer 44

- Run/RunOnce Keys - Keys used by WinLogon Process - Startup Keys

Question 45

Scheduled Tasks (Schtasks)

Answer 45

- saved as XML file, details creator, task's timing/trigger, & path to command/program set to run - C:\Windows\System32\Tasks

Question 46

Services in Windows

Answer 46

Pivotal for maintaining processes on a system, enabling software components to operate in background w/o user intervention HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

Question 47

Web Browser: Cookies

Answer 47

Small data files stored by websites on a user's device, containing info such as session details, preferences, & authentication tokens

Question 48

Web Browser: Cache

Answer 48

Cached copies of web pages, images, & other content visited by the user. Can reveal websites even if the history is cleared

Question 49

Web Browser: Session Data

Answer 49

Info about active browsing sessions, tabs, & windows

Question 50

Web Browser: Typed URLs

Answer 50

URLs entered directly into the address bar

Question 51

Web Browser: Favicons

Answer 51

Small icons associated w/ websites, which can reveal visited sites

Question 52

System Resource Usage Monitor (SRUM)

Answer 52

Meticulously tracks resource utilization and application usage patterns. Data is housed in database file sru.db in C:\Windows\System32\sru. Can help reconstruct application & resource usage over specific durations

Question 53

SRUM: Application Profiling

Answer 53

Provides comprehensive view of applications & processes that have been executed on a Windows system. Crucial for understanding software landscape on a system, identifying potentially malicious or unauthorized applications, & reconstructing user activities

Question 54

SRUM: Resource Consumption

Answer 54

Captures data on CPU time, network usage, & memory consumption for each application & process.

Question 55

SRUM: Timeline Reconstruction

Answer 55

Can create timelines of application & process execution, resource usage, & system activities by analyzing SRUM data

Question 56

SRUM: User & System Context

Answer 56

Includes user identifiers, helps attribute activities to specific users

Question 57

SRUM: Malware Analysis & Detection

Answer 57

Used to identify unusual or unauthorized applications taht may be indicative of malware or malicious activities