Digital Forensics Overview

Questions and Answers

What is the purpose of creating a copy of evidence for analysis?

To maintain the integrity of the original evidence during analysis (correct)

To allow for multiple analyses on the same evidence

To ensure that the analysis can relate to the primary evidence source (correct)

To enhance the quality of the evidence

Which aspect is NOT crucial for maintaining the integrity of collected evidence?

Collecting evidence without prior authorization (correct)

Using tamper-evident packaging for storage

Proving the integrity as evidence is collected

Documenting the collection process

What does a legal hold imply for information relevant to a court case?

It must be shared with all parties involved

It must be deleted after the case is resolved

It can be altered to enhance the case

It should be preserved regardless of source (correct)

Which of the following is a requirement for ethical forensics analysis?

The process must be repeatable by independent investigators

What is a consequence of failing to properly manage data acquisition from a non-owned device?

The evidence may be deemed inadmissible in court

Which factor is important during the collection of evidence to withstand legal scrutiny?

Ensuring the collection process is well-documented

In the context of forensics, what should be done if evidence needs to be manipulated for analysis?

The reasons and process for manipulation must be clearly recorded

What is the main objective of documenting methods and tools used in forensics reporting?

To establish credibility and allow for peer review

What are attackers likely to exploit when setting up accounts on social media platforms like LinkedIn?

Employment status and history

Which cloud service was mentioned as being used by attackers for command and control operations?

Google's App Engine

How do attackers typically embed control messages in media files?

Within media metadata

What is a rogue device in a network context?

An unauthorized device connected to the network

Which of the following can be considered a type of rogue system detection?

Identifying unauthorized machines on the network

Why might attackers prefer to use cloud services for command and control operations?

They offer free, scalable infrastructure

What is one of the common methods for a rogue device to siphon sensitive data?

Attaching a USB thumb drive to a web server

What is the primary concern that rogue devices introduce to a network?

Exposure to malware or data theft

What is the primary purpose of a 'lessons learned' review in incident response?

To discuss improvements that could have mitigated the incident

What is the primary role of the Red team in war game exercises?

To act as the adversary attempting to penetrate the security system

Why are scheduled reviews particularly important for organizations with few incidents?

They provide an opportunity for regular evaluation of security measures

Which team in the war game exercise is responsible for operating the security system?

Blue team

What is continuous security monitoring (CSM) designed to achieve?

Obtain information vital for managing risk

What distinguishes prescriptive frameworks in enterprise security architecture?

They require specific controls to be deployed to ensure compliance.

Which of the following is an example of a detective control?

Intrusion Detection Systems (IDS)

What is one of the primary purposes of an enterprise security architecture (ESA) framework?

To guide organizations in mitigating risks through structured activities

What does Continuous Security Monitoring (CSM) continuously assess?

Risk across key assets and areas

What is the goal of the Common Vulnerability Scoring System (CVSS)?

To communicate characteristics and impacts of security vulnerabilities

Who is primarily responsible for reporting outcomes and diagnosing lessons learned in a war game exercise?

White team

What kind of information is typically included in a report prepared for a scheduled review?

Trends and analysis of threat intelligence

What advantage does the use of a cybersecurity framework provide to an organization?

It allows for a structured approach to internal risk management.

What is a key function of the White team during war game exercises?

To define objectives and halt the exercise if necessary

Which statement is true about detective controls?

They analyze events that have already occurred.

Which aspect is emphasized as critical in information security according to established frameworks?

Compliance is a significant part of the process

What level of privileges does an attacker need to exploit the vulnerability based on the provided metric?

High

What does the 'UI' metric represent in the CVSS score?

User Interaction

What does the 'S' metric imply if it is marked as 'U' in the score?

Under the same security authority

Which aspect of the CIA triad has a high impact according to the provided metrics?

Availability

What is the significance of the 'PR' metric in the CVSS score?

It defines the required privileges for exploitation

Which of the following options correctly indicates the user interaction requirement?

R (Required)

If a vulnerability affects confidentiality and integrity but not availability, which ratings would appropriately represent this?

C:L, I:L, A:H

What does 'AV' denote in the CVSS score?

Access Vector

What aspect of bandwidth consumption can be measured in a DRDoS attack?

Percentage of link utilization

What is the primary technique for mitigating a sustained DDoS attack?

Real-time analysis of log files

In the context of botnets, what is the purpose of beaconing?

To verify if bots are still operational

What challenge is posed by legitimate applications performing beaconing?

They can lead to false positives in identifying malicious activity

Which statement correctly describes command and control (C&C) infrastructure?

It helps coordinate the activities of malware using a botnet.

How do adversaries consume the victim server's bandwidth in a DRDoS attack?

By spoofing the victim's IP to open connections with multiple servers

Which of the following is an indicator of potential beaconing activity in a network?

Irregular peer-to-peer traffic

What is a major limitation of using load balancers and IP filters as DDoS attack prevention methods?

They can be overwhelmed by distributed attacks.

Study Notes

Digital Forensics

• Digital forensics analysts identify digital forensics techniques, analyze network-related IOCs (indicators of compromise), host-related IOCs, application-related IOCs, and lateral movement/pivot IOCs.
• Digital forensics is a scientific method of collecting evidence from computer systems, aiming for legal admissibility.
• Digital evidence, like DNA or fingerprint evidence, are often latent, requiring interpretation by machines.
• Cybersecurity analysts often work closely with forensic analysts following an incident.
• A forensic analyst may investigate incident causes, identify crimes, ensure evidence protection, and verify compliance.

Digital Forensics Procedures

• Organizations often have legal obligations that impact cybersecurity incident investigation.
• Procedures should ensure that forensic investigations are handled properly, effectively, and legally.
• Forensic investigations involve four phases: identification, collection, analysis, and reporting.

Digital Forensics Procedures (Identification)

• Ensure scene safety by documenting the security of the scene and recording it by taking videos.
• Identify witnesses to be interviewed.

Digital Forensics Procedures (Collection)

• Ensure authorization to collect evidence.
• Document and preserve the integrity of the evidence by storing it securely, using tamper-evident packaging.

Digital Forensics Procedures (Analysis)

• Make a copy of the evidence for analysis, connecting it directly to the primary source.
• Utilize repeatable tools for evidence analysis.

Digital Forensics Procedures (Reporting)

• Report the analysis methods, findings, and conclusions.

Legal Hold

• Legal hold is crucial when information might be relevant in court cases; this includes information preserved by regulators, litigation notifications from law enforcement, or any other relevant legal information.
• This can disrupt regular network operations.

Forensics Analyst Ethics

• Analysis should be impartial based only on direct evidence.
• The methods used must be replicable.
• Evidence should not be manipulated, but any changes made to evidence must be documented appropriately.

Data Acquisition (Live Acquisition, Crash Dump, Hibernation, Page File)

• Live acquisition captures system memory in real time.
• Crash dumps occur when encountering an unrecoverable kernel error in Windows.
• Hibernation files are created when the system enters sleep state.
• Page files store extra memory when RAM is full(virtual memory).

Disk Image Acquisition

• Disk image acquisition creates a copy/snapshot of the data from the target device, preserving evidence.
• Live Acquisition - Copies data while running.
• Static acquisition - Copying data by shutting the computer down.
• Static Acquisition by pulling the plug- a way to stop data corruption and risk of anti-forensics.

Hashing

• Hashing creates unique fingerprints from data, preventing data manipulation.
• Digital evidence requires cryptographic hash creation.
• Hash algorithms like SHA and MD5 are used to generate unique fingerprints.

Carving

• Carving software reconstructs deleted files, recovers data fragments, and does this by working at a sector, page level, and works to piece together data.
• Carving tools (Encase, FTK, Autopsy) help in recovery of deleted files.
• Slack space is used with deleted files.

Chain of Custody

• Records of evidence handling from collection to presentation in court.
• The integrity of evidence is preserved by the chain of custody.

Incident Response Phases

• Preparation, Detection and Analysis, Containment, Eradication and Recovery, Post-Incident Activity.
• Preparing systems, detecting incidents, containing spread, eradicating threats/malware, and post-incident activities is key to minimizing harm and preserving data.
• Includes preparing for attacks, detecting attacks, containing incidents (limiting scope), eradicating threats, and post-incident activities (such as lessons learned).

Data Criticality and Prioritization

• Analyzing the severity of incidents is crucial.
• Assessing the severity and prioritization of affected systems involves considering factors such as PII, SPI, PHI, financial information, intellectual property, etc.

Description

Test your understanding of key concepts in digital forensics, including the integrity of collected evidence, ethical analysis requirements, and the implications of legal holds. This quiz covers essential topics relevant to forensic investigations and data management.