Operating System Forensics Flashcards

Question

What can you do with Slack Space?

Answer 1

Virtual (or logical) memory is a concept that, when implemented by a computer and its OS, allows programmers to use a large range of memory addresses for stored data. Virtual memory can be scanned to find out the hidden running processes. Use X-Ways Forensics tool to scan virtual memory.

Answer 2

Use X-Ways Forensics tool to scan virtual memory.

Answer 3

Finding Drive Slack Space

Answer 4

Linux operating system allocates a certain amount of storage space on a hard disk called Swap Space. OS uses as the virtual memory extension of a computer’s real memory (RAM).

Answer 5

Sleep Mode | Hibernate mode

Answer 6

completely writes the memory as a hiberfil.sys file in HDD. the hiberfil.sys file is a crucial source of evidence, as it consists of the crucial information of all programs, applications, files, and processes that were running on the RAM at a given time.

Answer 7

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power

Answer 8

keeps the system running in a low power state so that the user can quickly resume where he/she has paused working.

Answer 9

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Answer 10

a hidden file on the Windows operating system, which is used as virtual memory to expand the physical memory of a system. To increase the RAM performance, the system moves the least used “pages” of memory into pagefile.sys file to free the RAM space and pools in the running applications.

Answer 11

supports indexing for over 200 common file types by maintaining a record of all the documents. It also allows the users to quickly access any document such as messages, calendar events, contacts, and media files.

Answer 12

Partition Logic is a hard disk partitioning and data management tool. It can create, delete, erase, format, defragment, resize, copy, and move partitions and modify their attributes. It can copy entire hard disks from one to another.

Answer 13

Partition Find & Mount implements a new concept of deleted or lost partition recovery. It locates and mounts partitions into the system, thus making those lost partitions available. It will also work in case any Boot Record (including the Master Boot Record) is missing, damaged or overwritten.

Answer 14

The web browser cache allows users to cache the contents of web pages locally, in order to speed future access to regularly visited sites. This can be done because, the downloaded content remains on the hard drive until deleted. However, the data remains in the unallocated space of the hard drive even after deleting the cache.

Answer 15

ChromeCacheView is a small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all the files that are currently stored in the cache. For each cache file, the following information is displayed: URL, Content type, File size, Last accessed time, Expiration time, Server name, Server response, etc.

Answer 16

Cookies are small packages of data made to track, validate, and maintain specific user information. Cookies may have an expiration date, after which the browser deletes it. The system can also delete the cookies without the need of an expiration date at the end of a user session. The users may also delete cookie data directly from the browser.

Answer 17

Programs and processes create temporary files when they cannot allocate enough memory for the tasks or when the program is working on a large set of data. In general, when a program terminates, the system deletes these temp files. However, some programs create temp files and leave them behind. These files contain information about all the system processes which can be useful to gather evidences in any forensic investigation

Answer 18

Thumbcache Viewer Thumbcache Viewer allows you to extract thumbnail images from the thumbcache_*.db and iconcache_*.db database files found on Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10. The program comes with both graphic user interface and command-line interface.

Answer 19

Memory of a system refers to the storage space, where the system saves important data required for processing, such as application files, virtual memory, etc. This space contains files and metadata required for functioning of the in-built and external applications. Investigators can analyze this space to find the installed application, recent events, and other related data.

Answer 20

Memory dump or crash dump is a storage space, where the system stores a memory backup, in case of a system failure. aka BSOD Dumpchk is a tool that can be used

Answer 21

Automatic Complete Kernal- created by default in the %systemroot% folder as a memory dump file whenever a machine has kernel faults. Small- a 64 KB dump containing the stop code and a list of all the loaded drivers and parameters.

Answer 22

1. PPEB_LDR_DATA (pointer to the loader data) structure that includes pointers or references to DLLs used by the process 2. A pointer to the image base address, where the beginning of the executable image file can be found 3. A pointer to the process parameters structure, which maintains the DLL path, the path to the executable image, and the command line used to launch the process

Answer 23

Microsoft debug toolset or LiveKD

Answer 24

Lsproc.pl Lsproc (short for list processes) locates processes but not threads. It takes single argument, the path, and name, to a RAM dump file:

Answer 25

Lspd.pl is a Perl script that will allow the user to list the details of the process. Like the other tools, lspd.pl is a command-line Perl script that relies on the output of lsproc.pl to obtain its information. Specifically, lspd.pl takes two arguments: the path and name of the dump file and the offset from the lsproc.pl output of the process that the investigators are interested in.

Answer 26

takes the same arguments as lspd.pl and lspm.pl It locates the beginning of the executable image for the process. If the Image Base Address Offset leads to an executable image file, Lspi.pl parses the values contained in the PE header to locate the pages that make up the rest of the executable image file.

Answer 27

takes the same arguments as lspd.pl (the name and path of the dump file, and the physical offset within the file of the process structure) and extracts the available pages from the dump file, and writes them to a file within the current working directory. To run lspm.pl against the ITPROtv.exe process, use the following command line:

Answer 28

pmdump.exe tool- allows dumping the contents of process memory without stopping the process. Process Dumper - It dumps the entire process space along with additional metadata and the process environment to the console (STDOUT), so that the output can be redirected to a file or a socket. Userdump.exe - allows dumping of any process, without attaching a debugger and without terminating the process once the dump has been completed.

Answer 29

Get-Process | Sort-Object WorkingSet64 | Select-Object Name,@{Name='WorkingSet';

Answer 30

is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offers visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Answer 31

HKEY_CLASSES_ROOT - Config info f/which application is used to open what HKEY_CURRENT_USER - Current logged on user HKEY_LOCAL_MACHINE - System Config Info HKEY_USERS - All active loaded user profiles HKEY_CURRENT_CONFIG - h/w profile used during startup

Answer 32

HKU Each registry key under HKU hive relates to a user on the computer, which is named after the user's security identifier (SID). The registry keys and registry values under each SID control the user specific mapped drives, installed printers, environmental variables and so on.

Answer 33

HKCR A subkey of HKEY_LOCAL_MACHINE\Software. It contains file extension association information and also programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data. This hive stores the necessary information which makes sure that the correct program opens when the user opens a file through the windows explorer

Answer 34

HKCU Contains the configuration information related to the user currently logged on. This hive controls the user level settings associated with user profile such as desktop wall paper, screen colors, display settings etc.

Answer 35

HKCC Stores information about the current hardware profile of the system. The information stored under this hive explains the differences between the current hardware configuration and the standard configuration. The HKEY_CURRENT_CONFIG is simply a pointer to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CurrentControlSet\Hardware Profiles\Current registry key, which contains the information about the standard hardware configuration that is stored under the Software and System keys.

Answer 36

HKLM contains most of the configuration information for installed software which includes the Windows OS as well, and the information about the physical state of the computer which includes bus type, installed cards, memory type, startup control parameters and device drives

Answer 37

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Windows\Shutdowntime

Answer 38

ProDiscover - a self-managed tool for the examination of the user’s hard disk security. RegRipper - a flexible open source tool that facilitates registry analysis with ease. It contains pre-written Perl scripts for the purpose of fetching frequently needed information during an investigation involving a Windows box.

Answer 39

asically the system information is stored in the System and Software database files, and partially in the Security hive file. The information about the system users is stored in the Security Account Manager (SAM) database file. Each user’s registry settings for their specific account is stored in the NTUSER.DAT registry file.

Answer 40

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses

Answer 41

HKEY_LOCAL_MACHINE\System\MountedDevice

Answer 42

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnc

Answer 43

HKLM\SOFTWARE\Classes\exefile\shell\open\command | HKCR\exefile\shell\open\Commad

Answer 44

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogo

Answer 45

Process Monitor - is an advanced monitoring tool for windows that shows real-time file system, registry and process/thread activity. It monitors and records all activities performed against the Microsoft Windows Registry. compatible with Windows Vista and higher

Answer 46

Plug and Play (PnP) Manager | USBDeview

Answer 47

ROT-13 Encryptor & Decryptor. ROT-13 is basically a ceaser cipher

Answer 48

Most Recently Used List are the lists of recently visited webpages, opened documents, etc., maintained by the Windows operating system in the Windows Registry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore r\RecentDocs

Answer 49

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SystemRe stor

Answer 50

``` 2 = automatic 3 = manual and starts on demand for service 4 = disabled ```

Answer 51

HKCU\Software\Microsoft\ Windows\CurrentVersion\ Explorer\Shell Folders HKCU\Software\Microsoft\ Windows\CurrentVersion\ Explorer\User Shell Folders HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\ Explorer\Shell Folders HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\ Explorer\User Shell Folder

Answer 52

C:\Users\\AppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX. defaul\cache2

Answer 53

C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXX XX.default\cookies.sqlite

Answer 54

C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXX XX.default\places.sqlite

Answer 55

C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default

Answer 56

C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default\Cache

Answer 57

C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

Answer 58

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache

Answer 59

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8weky b3d8bbwe\AC\MicrosoftEdge\Cookies

Answer 60

C:\Users\Admin\AppData\Local\Microsoft\Windows\History

Answer 61

MZCacheView MZCookiesView MZHistoryView

Answer 62

ChromeCacheView ChromeCookiesView ChromeHistoryView

Answer 63

IECacheView IECookiesView BrowsingHistoryView

Answer 64

Rp.log Files 1. Includes value indicating the type of the restore point; a descriptive name for the restore point creation event, and the 64-bit FILETIME object indicating when the restore point was created 2. Description of the restore point can be useful for information regarding the installation or removal of an application

Answer 65

1. Once the data is processed, it is written to a .pf file in the Windows\Prefetch directory 2. DWORD value at the offset 144 within the file corresponds to the number of times the application is launched 3. DWORD value at the offset 120 within the file corresponds to the last time of the application run, this value is stored in UTC format 4. Information from .pf file can be correlated with Registry or Event Log information to determine who was logged on to the system, who was running which applications, etc.

Answer 66

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Session Manager\Memory Management\PrefetchParameters

Answer 67

0: Prefetching is disabled 1: Application prefetching is enabled 2: Boot prefetching is enabled 3: Both application and boot prefetching are enabled

Answer 68

It is important to collect the data, as it provides information about: Hidden data about the document Who tried to hide, delete, or obscure the data Correlated documents from different sources

Answer 69

Descriptive Structural Administrative

Answer 70

MAC = modified, accessed, and created The MAC times are timestamps that refer to the time at which the file was last modified in some way (data was either added to the file or removed from it), the time when it was last accessed (when the file was last opened), and when the file was originally created.

Answer 71

Coordinated Universal Time

Answer 72

Copy myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time. Move myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification and creation dates. Copy myfile.txt from a FAT16 partition to an NTFS partition – Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time. Move myfile.txt from a FAT16 partition to an NTFS partition – Myfile.txt keeps the same modification and creation dates

Answer 73

Copy myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time. Move myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification and creation dates.

Answer 74

Portable Document Format (PDF) files can contain metadata such as the name of the author, the date that the file was created, and the application used to create that file. The metadata shows that the PDF file was created on Mac or it was created by converting a Word document to PDF format. The pdfmeta.pl and pdfdmp.pl scripts can be used to extract metadata from PDF files. Another way to retrieve metadata is to open the file in Adobe Reader and click File  Properties. The Description tab of the Properties dialog box contains all the available metadata

Answer 75

Metashield Analyzer

Answer 76

Fixed Size Header (ELF_LOGFILE_HEADER) Variable number of event records End of file record (ELF_EOF_RECORD)

Answer 77

Non-Wrapping | Wrapping

Answer 78

In non-wrapping event record organization, the oldest record exists after event log header and the new record is placed last. This method is implemented for maximum log sizes. This size depends on the configured size value or number of system resources. Wrapping method is applied when the log size limit is crossed.

Answer 79

In wrapping event record organization, the oldest record is 102 instead of 1. The oldest record and ELF_EOF_RECORD have some empty space between them, in order to make a place for the new records. The event log file size has a limit and when this file size exceeds, the file records are wrapped. When wrapping begins the last record of the file will be divided into tw

Answer 80

Error: It denotes an issue or problem like data loss Warning: It is an indication of future occurrence of error Information: This event gives details of the occurrence of a successful operation Success Audit: This event records a successful audited security access attempt Failure Audit: This event records a failed audited security access attempt

Answer 81

wevtutil command can be used to retrieve information about event logs and publishers that is not readily apparent via the Event Viewer user interface

Answer 82

.xml format

Answer 83

Changes to the OS Changes to hardware configuration Device Driver installation Starting and Stopping of services

Answer 84

Can be used to parse windows event logs by means of an EnScript. Investigators often opt to use EnCase for examining log traffic.

Answer 85

OS Forensics - information gathering software, which extracts forensic data from computers and uncovers everything hidden inside a PC Belkasoft Evidence Center - search, analyze, and store digital evidences found in Instant Messenger histories, Internet browser histories, and Outlook mailboxes. RegScanner - scans the registry MultiMon - displays highly detailed output of a very wide range of system activities in real time. Process Explorer - shows the information about which handles and DLLs processes have been opened or loaded. Security Task Manager - detects unknown malware and rootkits hidden from anti-virus software. Proc Heap Viewer - enumerates process heaps on Windows Memory Viewer - View your system memory configuration Word Extractor - converts binary files to text files Belkasoft Browser Analyzer - Allows you to search and analyze various internet browser histories Metadata Assistant - analyzes Word/Excel/PowerPoint (2000 and higher) files to determine the type and amount of metadata (hidden information) that exists within HstEx - Windows-based, advanced professional forensic data recovery solution designed to recover browser artifacts and Internet history from a number of different source evidence types. XpoLog Log Management - turns your Data into actionable insights, with in-depth analytics. Event Log Explorer - a software solution for viewing, monitoring, and analyzing events recorded in security, system, application, and other logs of Microsoft Windows operating systems. LogMeister - monitors virtually any log your systems and applications can generate, including event logs, text logs and RSS. System Explorer - is free software for exploration and management of system internals. Helix3 Pro - is the cyber security solution providing incident response, computer forensics and e-discovery ThumbsDisplay - is a tool for examining and reporting on the contents of Thumbs.db files used by Windows. Registry Viewer - allows you to view the contents of Windows operating system registries. Unlike the Windows Registry Editor, which displays only the current system’s registry, Registry Viewer lets you view registry files from any Windows system. Windows Forensic Toolchest (WFT) - is designed to provide a structured and repeatable automated live forensic response, incident response, or audit on a Windows system while collecting security-relevant information from the system. WFT is essentially a forensically enhanced batch processing shell, capable of running other security tools and producing HTML-based reports in a forensically sound manner.

Answer 86

Managed through the IIS Console

Answer 87

%WinDir%\System32\LogFiles\MSFTPSVC1\exyymm dd.log

Answer 88

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall WithAdvanced Security%4Firewall.evtx

Answer 89

Display Message or Driver Message The command displays the kernel ring buffers, which contains the information about the drivers loaded into kernel during boot process and error messages produced at the time of loading the drivers into kernel. These messages are helpful in resolving the restoring the device’s driver issues

Answer 90

File System Consistency Check

Answer 91

displays file or file system status

Answer 92

checks and lists the bash shell commands used/ helps the user for auditing purposes.

Answer 93

mounts a file system or device to the directory structure.

Answer 94

Searches for presence of text or an expression or pattern in files

Answer 95

/var/log/auth.log - System authorization information, including user logins and authentication mechanism /var/log/kern.log - Initialization of kernels, kernel errors or informational messages sent from kernel /var/log/faillog - Failed user login attempts /var/log/lpr.log - Stores printer logs /var/log/mail.* - All mail server message logs /var/log/my.sql.* - MySQL server logs /var/log/apache2/* - Apache web server logs /var/log/apport.log - Application crash report / log /var/log/lighttpd/* - Lighttpd web server log files directory /var/log/daemon.log - Running services such as squid, ntpd, etc. /var/log/debug - Debugging log messages /var/log/dpkg.log - Package installation or removal logs

Answer 96

In a web based attack the investigator primarily focuses on network related logs. Investigators use the command netstat to view the network logs. The command collects and displays the information about the network connections, routing tables, network interfaces and network protocol stats.

Answer 97

The command last –F displays the activities of each user in detail such as number of login and logout attempts along with dates of the syste

Answer 98

displays the hostname of the system

Answer 99

Used to view the config of all network, both up and down interfaces on the system.

Answer 100

short for list open files. Command is used to list all the open files and the active processes that opened them.

Answer 101

displays information about the loaded modules

Answer 102

command line interface, enabling the users to directly interact with the x clipboard instead of using a mouse to copy paste. To output the contents to the clipboard use xclip -o

Answer 103

used to produce summery reports of the audit system logs.

Answer 104

determines the specified user ID and the group information for a specified user.

Answer 105

the short notion for "Read Executable and Linking Format". The command is used to analyze the file headers and section of the ELF Files.

Answer 106

Often used for scheduling tasks (backdoors) to run at specific points of time. nvestigators collect the contents in /var/spool/cron/ and /etc/cron.daily to identify the presence of the scheduled tasks in a compromised system

Answer 107

The .bash_history file stores the command history. These file helps the investigator to analyze the commands used in the terminal by the malicious user.

Answer 108

The /proc/ directory is also known as proc file system. The directory comprises of the order of special files that represent the current state of a kernel. Investigators can find the information of the systems hardware and the processes running them. The proc file system acts as interface for the internal data structures within the kernel.

Answer 109

Short for "process status" and used to view the list of processes running in the system.

Answer 110

short for address resolution protocol. Used to clear, add to or extract the kernals ARP cache.

Answer 111

Used to check if a particular process running on the system is suspicious.

Answer 112

Run cat /proc/sys/kernel/domainname command to know the domain name

Answer 113

Run cat /proc/swaps command to see total and used swap size

Answer 114

Run cat /proc/partitions command to see the list of disk partitions

Answer 115

Run cat /proc/cpuinfo command to see details about the CPU on a machine

Answer 116

Run cat /proc/self/mounts to view the count points and mounted external devices

Answer 117

Run cat /proc/uptime to measure the computers working time

Answer 118

View the swap space

Answer 119

Identify the system version by viewing the SystemVersion.plist file located at /System/Library/CoreServices/SystemVersion.plist

Answer 120

Provides important info such as creation, access and modification times of any file Use the command stat to see the timestamp of any file Usage: stat [-FlLnqrsx] [-f format] [-t timefmt] [file ...]

Answer 121

``` OS X Auditor-Mac Forensics Tool MacForensicLab Macintosh Forensic Software Memoryze for the Mac Mac Marshal F-Response Mac OS X Memory Analysis Toolkit Volatility 2.5 Avast Free Mac Security OS X Rootkit Hunter for Mac ```