Digital Forensics Overview

Questions and Answers

What is the purpose of creating a copy of evidence for analysis?

• To maintain the integrity of the original evidence during analysis (correct)
• To allow for multiple analyses on the same evidence
• To ensure that the analysis can relate to the primary evidence source (correct)
• To enhance the quality of the evidence

Which aspect is NOT crucial for maintaining the integrity of collected evidence?

• Collecting evidence without prior authorization (correct)
• Using tamper-evident packaging for storage
• Proving the integrity as evidence is collected
• Documenting the collection process

What does a legal hold imply for information relevant to a court case?

• It must be shared with all parties involved
• It must be deleted after the case is resolved
• It can be altered to enhance the case
• It should be preserved regardless of source (correct)

Which of the following is a requirement for ethical forensics analysis?

The process must be repeatable by independent investigators (B)

What is a consequence of failing to properly manage data acquisition from a non-owned device?

The evidence may be deemed inadmissible in court (D)

Which factor is important during the collection of evidence to withstand legal scrutiny?

Ensuring the collection process is well-documented (B)

In the context of forensics, what should be done if evidence needs to be manipulated for analysis?

The reasons and process for manipulation must be clearly recorded (A)

What is the main objective of documenting methods and tools used in forensics reporting?

To establish credibility and allow for peer review (B)

What are attackers likely to exploit when setting up accounts on social media platforms like LinkedIn?

Employment status and history (B)

Which cloud service was mentioned as being used by attackers for command and control operations?

Google's App Engine (C)

How do attackers typically embed control messages in media files?

Within media metadata (C)

What is a rogue device in a network context?

An unauthorized device connected to the network (D)

Which of the following can be considered a type of rogue system detection?

Identifying unauthorized machines on the network (B)

Why might attackers prefer to use cloud services for command and control operations?

They offer free, scalable infrastructure (B)

What is one of the common methods for a rogue device to siphon sensitive data?

Attaching a USB thumb drive to a web server (B)

What is the primary concern that rogue devices introduce to a network?

Exposure to malware or data theft (D)

What is the primary purpose of a 'lessons learned' review in incident response?

To discuss improvements that could have mitigated the incident (A)

What is the primary role of the Red team in war game exercises?

To act as the adversary attempting to penetrate the security system (C)

Why are scheduled reviews particularly important for organizations with few incidents?

They provide an opportunity for regular evaluation of security measures (D)

Which team in the war game exercise is responsible for operating the security system?

Blue team (B)

What is continuous security monitoring (CSM) designed to achieve?

Obtain information vital for managing risk (D)

What distinguishes prescriptive frameworks in enterprise security architecture?

They require specific controls to be deployed to ensure compliance. (B)

Which of the following is an example of a detective control?

Intrusion Detection Systems (IDS) (B)

What is one of the primary purposes of an enterprise security architecture (ESA) framework?

To guide organizations in mitigating risks through structured activities (B)

What does Continuous Security Monitoring (CSM) continuously assess?

Risk across key assets and areas (C)

What is the goal of the Common Vulnerability Scoring System (CVSS)?

To communicate characteristics and impacts of security vulnerabilities (A)

Who is primarily responsible for reporting outcomes and diagnosing lessons learned in a war game exercise?

White team (D)

What kind of information is typically included in a report prepared for a scheduled review?

Trends and analysis of threat intelligence (D)

What advantage does the use of a cybersecurity framework provide to an organization?

It allows for a structured approach to internal risk management. (B)

What is a key function of the White team during war game exercises?

To define objectives and halt the exercise if necessary (B)

Which statement is true about detective controls?

They analyze events that have already occurred. (B)

Which aspect is emphasized as critical in information security according to established frameworks?

Compliance is a significant part of the process (A)

What level of privileges does an attacker need to exploit the vulnerability based on the provided metric?

High (C)

What does the 'UI' metric represent in the CVSS score?

User Interaction (C)

What does the 'S' metric imply if it is marked as 'U' in the score?

Under the same security authority (A), Unchanged impact on managed resources (C)

Which aspect of the CIA triad has a high impact according to the provided metrics?

Availability (A)

What is the significance of the 'PR' metric in the CVSS score?

It defines the required privileges for exploitation (D)

Which of the following options correctly indicates the user interaction requirement?

R (Required) (A)

If a vulnerability affects confidentiality and integrity but not availability, which ratings would appropriately represent this?

C:L, I:L, A:H (C)

What does 'AV' denote in the CVSS score?

Access Vector (A)

What aspect of bandwidth consumption can be measured in a DRDoS attack?

Percentage of link utilization (A)

What is the primary technique for mitigating a sustained DDoS attack?

Real-time analysis of log files (C)

In the context of botnets, what is the purpose of beaconing?

To verify if bots are still operational (A)

What challenge is posed by legitimate applications performing beaconing?

They can lead to false positives in identifying malicious activity (D)

Which statement correctly describes command and control (C&C) infrastructure?

It helps coordinate the activities of malware using a botnet. (D)

How do adversaries consume the victim server's bandwidth in a DRDoS attack?

By spoofing the victim's IP to open connections with multiple servers (B)

Which of the following is an indicator of potential beaconing activity in a network?

Irregular peer-to-peer traffic (B)

What is a major limitation of using load balancers and IP filters as DDoS attack prevention methods?

They can be overwhelmed by distributed attacks. (B)

Flashcards

Data Acquisition

The process of obtaining a forensically sound copy of data from an evidence device.

Legal Hold

Ensures that information relevant to a legal case is preserved.

Forensics Analyst Ethics

The principle that forensics analysis should be performed without bias and with repeatable methods.

Repeatability in Forensics

The ability to repeat the same analysis with the same evidence and get the same results.

Scope of Evidence

This refers to the scope and extent of evidence that is being collected. It's vital to understand what evidence is relevant to the case.

Evidence Integrity

The process of documenting and ensuring the integrity of evidence from the moment it's collected until it's presented in court.

Evidence Analysis

The process of examining and analyzing collected evidence to identify patterns, connections, and insights.

Digital Forensics Report

A detailed report that summarizes the findings of a digital forensic investigation. It includes the methods used, tools employed, and the conclusions drawn.

DRDoS (Distributed Reflection Denial of Service)

A technique used by attackers to overwhelm a target's bandwidth by sending a flood of requests from multiple sources.

Botnet

A network of compromised computers (zombies) controlled by an attacker to launch attacks.

Beaconing

A process used by bots to communicate with the C&C (Command and Control) server and receive instructions.

C&C (Command and Control)

A system of hosts used by attackers to direct, distribute, and control malware.

Real-time log analysis

A technique used to analyze network traffic and identify malicious activity.

Blackhole/Sinkhole

A method of mitigating DDoS attacks by redirecting malicious traffic to a blackhole or sinkhole.

Beaconing detection

A process of detecting suspicious beaconing activity by analyzing network sessions for patterns of malicious behavior.

IP Filtering

A technique for blocking malicious traffic at the network level, often used as a mitigation strategy for DDoS attacks.

Media Metadata as a C&C Channel

Attackers can embed commands within the metadata of media files like images, audio, and video, allowing them to control bots. This can be difficult to detect because security systems often overlook metadata.

Cloud Services as a C&C Vector

Attackers can take advantage of cloud platforms, like Google App Engine, to host their command and control servers. This allows them to use the cloud provider's infrastructure for free or at low cost, making it easier to manage their botnet operations.

Social Media for C&C

Attackers can use social media platforms like Twitter or LinkedIn for command and control, disguising commands as seemingly normal activities, like posting messages or hashtags.

Rogue Devices on a Network

Any unauthorized device connected to a network can be a security risk, potentially allowing attackers to gain access to sensitive information. Examples include USB drives, extra network adapters, or personal phones connected to the network.

Rogue System Detection

The process of identifying and removing unauthorized devices from a network. This is crucial for network security and can help prevent attacks.

Network Taps

A physical device attached to network cables to intercept and record data packets passing through a specific network segment. This can be used for legitimate monitoring but can also be exploited by attackers to eavesdrop on network traffic.

Data Hiding Techniques

The method of disguising malicious commands as legitimate data within regular network traffic, making it harder to detect attacks.

C&C Techniques

Attackers can use various techniques to conceal their command and control activities, including data hiding, social engineering, and exploiting vulnerabilities in software or hardware.

IT service frameworks

A set of best practices and guidelines for implementing IT and cybersecurity. They provide structure and a standard for organizations to achieve better cybersecurity posture.

Compliance

A key component of information security that involves adhering to rules, regulations, and standards set by external bodies.

Cybersecurity Capability Statement

A document outlining an organization's current cybersecurity capabilities, desired goals, and prioritized investments. It helps in establishing a clear roadmap for cybersecurity improvements.

Enterprise Security Architecture (ESA)

A framework that outlines activities and objectives undertaken to reduce cybersecurity risks. It aims to provide a structured approach to risk management.

Prescriptive Frameworks

ESA frameworks that prescribe specific controls and measures that must be implemented by organizations. Compliance with these frameworks is often mandatory.

Red Team

A team in security exercises that attempts to penetrate the network or exploit vulnerabilities as a potential attacker.

Blue Team

A team in security exercises that operates the security system and defends against the Red Team's attacks.

White Team

A team in security exercises that sets the rules and objectives for the exercise. They ensure the exercise stays within safe and acceptable boundaries.

Scheduled Reviews

A systematic approach to regularly reviewing security posture and identifying areas for improvement. It involves analyzing incidents, threat intelligence, security controls, and compliance progress, and creating reports for continuous improvement.

Continuous Security Monitoring (CSM)

An ongoing process of continuously monitoring and assessing security risks to prevent incidents before they occur.

Detective Controls

The ability to detect security incidents after they have occurred. Examples include intrusion detection systems (IDS) and security logs.

Common Vulnerability Scoring System (CVSS)

A standardized framework for measuring and communicating the severity of software and hardware vulnerabilities. It assigns a numerical score based on factors like impact and exploitability.

Continual Improvement

The practice of identifying and implementing changes to improve security posture. This can include adding new controls, updating existing systems, or adopting new security frameworks.

Threat Intelligence Analysis

The systematic process of analyzing and interpreting security events to identify patterns, trends, and potential threats. This information is used to improve security and prevent future incidents.

Continuous Security Surveillance

The process of ensuring all critical assets and risk areas are under constant surveillance. It utilizes various systems and tools to detect a wide range of security issues.

Security Review Report

A detailed report that summarizes the findings of a security review or incident investigation. It includes analysis of threats, vulnerabilities, and recommendations for improvement.

User Interaction (UI) in CVSS

Specifies whether a user must interact with something for the vulnerability to be exploited. 'N' means no interaction is required, while 'R' means user interaction is required.

Scope (S) in CVSS

Indicates whether an exploited vulnerability affects resources beyond the scope managed by the vulnerable component's security authority. 'U' means the impact is limited to the same authority, while 'C' means the impact extends beyond.

Privilege Required (PR) in CVSS

Describes the attacker's required privileges to exploit the vulnerability. 'N' means no privileges needed, 'L' means low privileges, and 'H' means high privileges.

Impact (C, I, A) in CVSS

Indicates the level of impact on Confidentiality, Integrity, and Availability (CIA) due to a vulnerability. 'N' means no impact, 'L' means low impact, and 'H' means high impact.

CVSS 3.1 Calculator

The CVSS 3.1 calculator is an online tool that helps you assess the severity of vulnerabilities based on their measured characteristics.

Attack Complexity (AC) in CVSS

This metric assesses the complexity of exploiting a vulnerability. 'L' indicates low complexity, meaning the exploitation is fairly easy.

Attack Vector (AV) in CVSS

In the context of CVSS, this refers to how a vulnerability is accessed or exploited.

What is CVSS?

CVSS stands for Common Vulnerability Scoring System and is a standardized way to measure the severity of vulnerabilities.

Study Notes

Digital Forensics

• Digital forensics analysts identify digital forensics techniques, analyze network-related IOCs (indicators of compromise), host-related IOCs, application-related IOCs, and lateral movement/pivot IOCs.
• Digital forensics is a scientific method of collecting evidence from computer systems, aiming for legal admissibility.
• Digital evidence, like DNA or fingerprint evidence, are often latent, requiring interpretation by machines.
• Cybersecurity analysts often work closely with forensic analysts following an incident.
• A forensic analyst may investigate incident causes, identify crimes, ensure evidence protection, and verify compliance.

Digital Forensics Procedures

• Organizations often have legal obligations that impact cybersecurity incident investigation.
• Procedures should ensure that forensic investigations are handled properly, effectively, and legally.
• Forensic investigations involve four phases: identification, collection, analysis, and reporting.

Digital Forensics Procedures (Identification)

• Ensure scene safety by documenting the security of the scene and recording it by taking videos.
• Identify witnesses to be interviewed.

Digital Forensics Procedures (Collection)

• Ensure authorization to collect evidence.
• Document and preserve the integrity of the evidence by storing it securely, using tamper-evident packaging.

Digital Forensics Procedures (Analysis)

• Make a copy of the evidence for analysis, connecting it directly to the primary source.
• Utilize repeatable tools for evidence analysis.

Digital Forensics Procedures (Reporting)

• Report the analysis methods, findings, and conclusions.

Legal Hold

• Legal hold is crucial when information might be relevant in court cases; this includes information preserved by regulators, litigation notifications from law enforcement, or any other relevant legal information.
• This can disrupt regular network operations.

Forensics Analyst Ethics

• Analysis should be impartial based only on direct evidence.
• The methods used must be replicable.
• Evidence should not be manipulated, but any changes made to evidence must be documented appropriately.

Data Acquisition (Live Acquisition, Crash Dump, Hibernation, Page File)

• Live acquisition captures system memory in real time.
• Crash dumps occur when encountering an unrecoverable kernel error in Windows.
• Hibernation files are created when the system enters sleep state.
• Page files store extra memory when RAM is full(virtual memory).

Disk Image Acquisition

• Disk image acquisition creates a copy/snapshot of the data from the target device, preserving evidence.
• Live Acquisition - Copies data while running.
• Static acquisition - Copying data by shutting the computer down.
• Static Acquisition by pulling the plug- a way to stop data corruption and risk of anti-forensics.

Hashing

• Hashing creates unique fingerprints from data, preventing data manipulation.
• Digital evidence requires cryptographic hash creation.
• Hash algorithms like SHA and MD5 are used to generate unique fingerprints.

Carving

• Carving software reconstructs deleted files, recovers data fragments, and does this by working at a sector, page level, and works to piece together data.
• Carving tools (Encase, FTK, Autopsy) help in recovery of deleted files.
• Slack space is used with deleted files.

Chain of Custody

• Records of evidence handling from collection to presentation in court.
• The integrity of evidence is preserved by the chain of custody.

Incident Response Phases

• Preparation, Detection and Analysis, Containment, Eradication and Recovery, Post-Incident Activity.
• Preparing systems, detecting incidents, containing spread, eradicating threats/malware, and post-incident activities is key to minimizing harm and preserving data.
• Includes preparing for attacks, detecting attacks, containing incidents (limiting scope), eradicating threats, and post-incident activities (such as lessons learned).

Data Criticality and Prioritization

• Analyzing the severity of incidents is crucial.
• Assessing the severity and prioritization of affected systems involves considering factors such as PII, SPI, PHI, financial information, intellectual property, etc.