Digital Forensics and Incident Response

Questions and Answers

What is the primary purpose of restoring data after an incident of malicious deletion?

• To ensure data integrity and availability. (correct)
• To prevent future attacks.
• To monitor the system more effectively.
• To increase server performance.

Which step is critical when restoring a system after a DDoS attack?

• Patch the operating system immediately.
• Upgrade the web server software.
• Manually reboot and check the system health. (correct)
• Reconfigure firewall settings.

What action should be taken if malware persists after initial remediation efforts?

• Ignore it and monitor the system.
• Invest in new antivirus software.
• Run a system check to find vulnerabilities.
• Wipe the entire drive and reinstall the operating system. (correct)

What is essential for ensuring a system is not vulnerable after a security incident?

Patch any software or firmware vulnerabilities. (A)

Why might some systems fail to automatically install patches?

There may be a misconfiguration or human error. (B)

What is a necessary action following an incident that might affect logging systems?

Verify that scanning and monitoring functions are operational. (B)

What does system hardening primarily focus on?

Reducing the attack surface. (D)

What should be done to review permissions after a security incident?

Check for permission elevation and enforce proper authorization. (C)

What is a major drawback of using a sleep state during forensic analysis?

It may alert malware, enabling anti-forensics. (D)

What happens during virtual memory usage when physical memory is low?

The OS writes inactive memory pages to disk. (C)

Which method of disk image acquisition poses the least risk of altering data?

Static acquisition by pulling the power plug. (B)

What is the primary function of write blockers in digital forensics?

To prevent the tampering of data on the source disk. (D)

Which statement about static acquisition by shutting down the computer is true?

It risks malware performing anti-forensics during the shutdown. (C)

What may happen if the image acquisition is performed live?

It may change data on the disks, affecting legal admissibility. (A)

Why is a page file not easily interpretable by analysis tools?

It stores data in a non-structured way. (A)

What should always be done regardless of the method used for image acquisition?

Document the steps taken and create a timeline. (A)

What is one possible outcome for a company if they discover significant security vulnerabilities in a software application they are selling?

They may withdraw the software from sale due to the cost of maintaining security. (A)

What does risk transference involve?

Assigning risks to a third party, such as an insurance company. (C)

In risk acceptance, what should a company do regarding identified risks?

Continue to monitor the risk without implementing countermeasures. (C)

What is essential for communicating risk factors to business stakeholders?

Articulating the risks in a manner that defines cause and effect clearly. (C)

What does a risk register typically document?

The results of risk assessments in a structured format. (C)

What should be included in a risk register aside from risk descriptions?

Impacts, likelihood ratings, and countermeasures. (C)

When might an organization choose to stop using a software application?

When its use introduces major security vulnerabilities after they are discovered. (B)

What is a major component of effectively communicating a DoS risk?

Providing clear explanations of how the risk affects business operations. (B)

Which method is considered to be on the decline for Command and Control communications?

Internet Relay Chat (IRC) (D)

What should be done with vulnerabilities that fit within an organization's risk appetite?

They can be marked as exceptions. (C)

What advantage does DNS have for Command and Control channels?

It allows evading detection through unfiltered traffic. (B)

What technique can be used to mitigate malicious HTTP and HTTPS traffic in a network?

Implementing an intercepting proxy at the network edge. (C)

What is a common characteristic of compliance scans compared to standard vulnerability scans?

They measure systems against best-practice frameworks. (A)

When analyzing vulnerability scan results, what should one primarily rely on to draw conclusions?

Personal judgement and experience. (A)

How can attackers utilize social media for Command and Control operations?

By issuing commands via messaging functionality or profiles. (D)

What is the overall goal of remediation or risk mitigation?

To reduce exposure to risk factors. (C)

What is a key characteristic of HTTP and HTTPS as C2 channels?

Malicious traffic can be difficult to distinguish from legitimate traffic. (A)

What is a required condition for a bot to utilize DNS for receiving control messages?

It only needs to connect to a local DNS resolver. (B)

What factor is often overlooked in scanner reports that is important for remediation prioritization?

The unique contextual factors of an environment. (A)

What potential risk is associated with blocking HTTP and HTTPS protocols?

It may cause significant disruption to organizational productivity. (C)

What example illustrates a common vulnerability that might be accepted despite its risks?

Keeping port 80 open on a webserver. (A)

Why are command communications through IRC becoming less common?

Due to their high detectability and blocking by organizations. (C)

Which term refers to the methods that can reduce the likelihood or impact of a risk incident?

Risk deterrence. (C)

What do vulnerability assessments provide suggestions for?

Fixing detected security issues. (D)

What does an RPO of 24 hours imply about data recovery?

Data can be recovered to a point not more than 24 hours before the database was affected. (A)

Which of the following scenarios might require a higher RPO than standard backup solutions?

An order processing system where immediate capture of orders is critical. (B)

How does risk deterrence differ from risk reduction?

Deterrence prevents risks from happening while reduction lessens their impact. (D)

Which risk response strategy involves stopping a risk-bearing activity entirely?

Risk Avoidance (C)

What would be a suitable risk countermeasure if your RPO is measured in minutes?

An automatic server cluster backup and redundancy solution. (D)

What is the function of maximum tolerable downtime (MTD) in relation to business functions?

To determine the maximum time a function can be offline without recovery. (D)

Which example illustrates risk impact reduction in a physical safety context?

Implementing a fire suppression system and alarms. (A)

Which of the following is an example of a risk mitigation strategy?

Installing antivirus software to manage malware threats. (D)

Flashcards

Data Recovery

Restoring data from backups after a malicious deletion incident.

DDoS Recovery

Bringing down web servers affected by a DDoS attack and performing health checks before bringing them back online.

Malware Removal

Using antimalware software to remove malware introduced by an employee.

Patching

Applying patches to fix vulnerabilities exploited by an attacker.

Vulnerability Mitigation

Ensuring the system is not vulnerable to the same attack again by patching and hardening it.

Permission Restoration

Checking and restoring permissions after an incident to ensure access is properly controlled.

Logging Verification

Verifying the functionality of logging systems after an incident to ensure they are not compromised.

System Hardening

Reducing the attack surface by hardening the system to minimize vulnerabilities.

What is IRC?

A group communication protocol where clients communicate through channels.

How do attackers use HTTP/HTTPS for C&C?

Commands can be sent to bots through encoded messages embedded in HTML.

Why is DNS a good C&C channel?

Attackers can use DNS requests to send control messages to bots.

What is "Live off the land" in social media C&C?

Attackers can send commands using the messaging features and account profiles of social media platforms.

Why is IRC not a popular C&C channel anymore?

IRC is no longer widely used because it's easy to detect and block.

Why is HTTP/HTTPS difficult to block for C&C?

Blocking HTTP/HTTPS completely might disrupt normal business operations, so attackers can easily use it as a C&C channel.

What makes DNS attractive for C&C?

DNS messages aren't generally inspected, making it attractive for C&C because bots don't need direct external connections.

Why are social media platforms used for C&C?

Attackers can leverage social media platforms for C&C operations due to their widespread use and messaging capabilities.

Recovery Point Objective (RPO)

The maximum amount of data loss that an organization can tolerate before experiencing significant business disruption. It specifies the point in time to which data can be recovered from a backup.

Maximum Tolerable Downtime (MTD)

The maximum amount of time that an organization can afford to be without access to its critical systems or data. It defines how long a system can be down before causing significant disruption.

Risk Prioritization

A process that helps organizations identify and prioritize risks, understand the potential impact of those risks, and then develop strategies to mitigate those risks.

Risk Mitigation

A response strategy that aims to reduce the possibility or impact of a risk by implementing controls and measures.

Risk Deterrence

A risk mitigation technique that aims to reduce the likelihood of a risk event by implementing measures that deter or discourage the threat.

Risk Reduction

A risk mitigation technique that aims to reduce the impact of a risk event by implementing measures that minimize the damage or consequences.

Risk Avoidance

A risk response strategy that involves completely avoiding or eliminating any activity or process that is associated with a particular risk.

Risk Acceptance

A risk response strategy where an organization accepts the possibility of a risk event occurring and decides to take no action to mitigate it, often due to the cost of mitigation exceeding the potential loss.

Page File

A file on the hard drive that stores pages of memory when the computer's RAM is full. It allows the operating system to use disk space as virtual memory, extending the available memory.

Disk Image Acquisition

The process of copying data from a storage device, creating a forensically sound image, preserving the original data for investigation. It involves preserving data integrity, ensuring that no changes are made to the original.

Live Acquisition

Disk image acquisition method where the data is copied while the computer is running. It might capture more data but can introduce changes to the data, potentially affecting its legal admissibility.

Static Acquisition (Shutdown)

Disk image acquisition method where the computer is shut down before copying data. This can potentially preserve the data in a cleaner state, but there's the risk of malware wiping traces during shutdown.

Static Acquisition (Pulling the Plug)

Disk image acquisition method where the computer is abruptly disconnected from power, potentially preserving data, but risky due to the chance of data corruption.

Write Blocker

Hardware or software devices that block write operations to a storage device during image acquisition, ensuring the original data remains unaltered. They are crucial for forensic investigations to maintain data integrity.

Read-Only Mounting is Not Enough

A common misconception that mounting a drive as read-only within a host OS effectively protects data. However, this is not sufficient for forensic purposes. Write blockers are essential, as they operate at a lower firmware level.

Hardware/Software Write Blockers

A hardware or software-based write blocker can be used to prevent modifications to a storage device during forensics.

Risk Transference

Transferring responsibility for potential risks to a third party, such as an insurance company or external vendor, through contracts or agreements.

Communication of Risk Factors

Communicating the potential impact of a risk in a way that is easily understood by stakeholders, including the cause of the risk, its potential consequences, and the affected parties.

Risk Register

A document summarizing the results of risk assessments, including likelihood and impact ratings, countermeasures, and responsible parties.

Compliance Scan

Comparing vulnerability scan results to best-practice frameworks helps ensure compliance with regulations and industry standards. These scans can identify potential vulnerabilities that may not be considered high priority or risk, allowing for informed decision-making.

Vulnerability Exception

Exceptions are situations where a vulnerability is acknowledged but accepted due to its importance for system functionality or a conscious risk acceptance decision. It allows for reasonable exclusions from remediation strategies.

Vulnerability Prioritization

The process of determining the priority of vulnerabilities to address based on their severity and impact. This involves considering the system context, existing risk assessments, and vulnerability scores to create a plan for remediation.

Remediation

This involves reducing the exposure to the effects of risk factors. It can be achieved through implementing countermeasures, reducing the likelihood of attacks, or mitigating the impact if an attack does occur.

Vulnerability Assessment

A risk assessment that identifies and evaluates potential vulnerabilities to a system's security. It aims to understand the probability of an attack and the potential impact if successful. It helps organizations prioritize remediation efforts.

Study Notes

Digital Forensics Techniques

• Identify and analyze network, host, and application-related Indicators of Compromise (IOCs).
• Analyze lateral movement and pivot techniques.
• Digital forensics is the science of collecting and presenting evidence from computer systems to meet legal standards.
• Digital evidence is often latent, meaning it's not visible without analysis.
• Cybersecurity analysts may be involved in incident response, including reconstructing events and ensuring evidence is protected.

Digital Forensics Procedures

• Important to have written procedures for handling cybersecurity incidents, adhering to regulations and organizational obligations.
• Forensic investigations follow phases: Identification, Collection, Analysis, Reporting.
• Identification phase focuses on securing the scene to prevent contamination and documenting evidence.

Digital Forensics Procedures (Collection)

• Methods for collecting evidence must withstand legal scrutiny.
• Securely store evidence in tamper-evident packaging.

Digital Forensics Procedures (Analysis)

• Create a copy of the evidence for analysis, relating it to the original source.
• Use repeatable methods and tools to analyze the evidence.

Digital Forensics Procedures (Reporting)

• Present findings and conclusions using the methods and tools used.
• Legal holds are important for preserving relevant information in court cases.
• Security audits ensure process and tool adherence, and data protection.

Forensic Analyst Ethics

• Analysts must act without bias, using repeatable analysis methods.
• Evidence should not be altered, and any necessary manipulation must be documented.
• Defense might try to dismiss findings based on ethical or professional deviations.

Data Acquisition

• Data acquisition creates a forensic copy of non-volatile storage (HDDs, SSDs, flash drives).
• Ensure nothing alters the data or metadata (properties) during acquisition.
• Live acquisition copies data while the system runs; static acquisition involves shutting down the system.
• Critical to document the steps and timeline for any actions taken.

Hashing

• Creates a cryptographic hash (fingerprint) for disk contents or images.
• Ensure the same algorithm is used. Important for verifying data integrity.

File Carving

• A process for extracting data from images when no associated file system metadata exists.

Chain of Custody

• Records evidence handling for presentation in court. Documents evidence handling.

Incident Response

• Cybersecurity Incident response involves these phases:
  • Preparation
  • Detection and Analysis
  • Containment
  • Eradication and Recovery
  • Post-Incident Activity
• Procedures are guidelines for response actions.

Incident Response: Preparation

• Make systems resilient to attacks before they occur.
• Establish policies, procedures, and confidential communication channels.

Incident Response: Detection and Analysis

• Detect incidents, analyze the scope and magnitude of the damage.

Incident Response: Containment

• Limit the scope and impact of the incident.
• Protect data from additional breaches.

Incident Response: Eradication and Recovery

• Remove problems, return the system to normal operation.

Incident Response: Post-Incident Activity

• Document all details of the incident and lessons learned.
• Report findings.

Data Criticality and Prioritization

• Assess asset severity, prioritize affected systems.
• Critical data types: Personally Identifiable Information (PII), Sensitive Personal Information (SPI), Protected Health Information (PHI), and financial information.

Risk Assessment

• Identify, measure, and mitigate risks that affect business operations.
• Establish a risk management framework.
• Assess potential risks through risk analysis and evaluation.

Risk Calculation

• Probability and magnitude form the product of the risk.
• Risk calculation processes often involve quantifying elements of risk: asset value, exposure factor.
• Use quantitative risk approaches for assigning numeric values to risk factors.

Vulnerability Management

• Vulnerability scanning identifies vulnerabilities in systems.
• Tools often color-code vulnerabilities by criticality.
• Report validation and analysis are critical parts of the process to ensure the accuracy of the findings.
• Reconcile findings with existing systems' knowledge of the environment.
• Compare results to best practices. Identify exceptions to best practices.