Forensics Lab Practise

Questions and Answers

What is the maximum number of primary partitions supported by the MBR system?

• 8
• 2
• 4 (correct)
• 16

In the context of secondary storage media, what is the purpose of partitioning a hard drive?

• Allocating sectors and clusters to files or partitions (correct)
• Handling hard drive formatting
• Creating a master boot record
• Overwriting existing data

Which system has a storage limit that can handle disks larger than 2TB?

• GUID Partition Table (GPT) (correct)
• Legacy System (MBR)
• UEFI Specification
• BIOS-based systems

What is the significance of understanding the physical size of storage media in forensic examination?

To consider potential data recovery (A)

What property must a hash algorithm have to be considered secure?

Collision resistance (D)

What is the main purpose of hashing in data security?

Ensuring data integrity and security (D)

What is the role of acquired computer memory in forensic examination?

Storing detailed information related to the computer's recent activities (B)

Why is RAM considered a good evidence source in forensic examination?

It is harder for a suspect to deny responsibility for the information found (C)

In little-endian order of storage, where is the least significant byte of a word stored?

At the smallest memory address (C)

Which operating system architecture typically runs on little-endian systems?

Windows (D)

Which CPU architecture is widely used in smartphones, tablets, and personal computers and can operate in both big-endian and little-endian mode?

ARM (D)

Which forensic tool can be used to extract and analyze Windows registry hives?

Exterro/FTK Reg Viewer (D)

Which part of the Windows registry contains user-specific information such as browser settings and application data?

NTUSER.dat Hive (HKEY_CURRENT_USER) (B)

Which cryptographic technique involves the use of same key to transform data into ciphertext and vice-versa?

Symmetric Encryption (B)

What does hashing employ one-way functions for?

To produce hash values from plaintext (C)

What is important about a hash function's property of being one-way?

It makes it impossible to derive plain text from ciphertext (D)

Which HW architecture pairs both use big-endian architecture?

SPARC, PowerPC (B)

What kind of network byte order is commonly used in TCP/IP networks?

Big-endian (B)

What does the 'trim' technology do, particularly in SSDs?

It overwrites unallocated clusters,enhancing data deletion and allowing faster direct write operations in the future. (B)

Where is the Master File Table (MFT) located?

In the partition boot sector (B)

What happens when a file is deleted?

Its MFT record is removed, but the data in the clusters remains until overwritten (C)

What does big-endian format refer to in terms of data ordering?

The most significant byte of a word is stored at the smallest memory address (C)

What defines resident files in NTFS?

Files contained directly in the Master File Table (MFT) (B)

What distinguishes non-resident files in NTFS from resident files?

Non-resident files are stored in allocated clusters and their addresses are mentioned in the MFT (D)

What is significant about compound files when it comes to forensic examination?

They cannot be fully examined when they are in their 'packed' state (C)

What does the hexadecimal representation of data signify?

Data represented in groups of bits for storage on storage media (A)

Which is true for the GUID partitioning when it comes to compatibility?

It works with UEFI-based systems and has limited compatibility with older BIOS systems (C)

What makes hard drives potentially recoverable even after being reformatted?

Only the partition table is removed, leaving data recoverable until overwritten (C)

What type of information does EXIF data NOT provide for forensic examiners?

File last access and last modification details (C)

What type of information is included in file system metadata?

File creation date and last modification details (B)

What type of event is tracked by Event ID 4624?

User logons (C)

Where can log files from applications be found for forensic examination?

ProgramData folder (B)

What type of information can log files from applications provide for forensic examination?

User activities, messages and history (C)

Which event tracks time changes and describes the name of the user account that changed the time settings?

Event ID 4116 (D)

Where are the log files located for Event Viewer on a computer used for analysis?

[SystemRoot]\Windows\System32\winevt\Logs (D)

Where can USB device connection events be found apart from registry and event logs?

[SystemRoot]\Windows\INF (D)

What is the purpose of examining the Windows registry key called 'MountedDevices'?

To reveal information about any connected USB devices (C)

Which folder contains the log file setupapi.dev.log?

[SystemRoot]\Windows\INF (B)

What type of event does Event ID 4634 track?

User logoffs (C)

In which folder can log files from applications (that do not use the Windows event management system) be found?

[SystemRoot]\users\[user profile name]\AppData (A)

Where is the prefetch data stored?

C:/Windows/Prefetch (D)

Which tool is often used for inspecting Windows shellbags?

Shellbags explorer by Eric Zimmerman (C)

What do .lnk files contain details about?

Location of the target file and time of access (D)

What can MRU keys provide insights into?

User activities and events on the computer (A)

Where are shellbags stored?

/AppData/Local/Microsoft/Windows (D)

Which area does prefetching aim to enhance?

Application performance (D)

What purpose do Prefetch files serve from a forensics perspective?

Identifying how many times an executable was run and when it was last run. (C)

What can shellbags serve as evidence of?

Deleted folders and network shares information (D)

Besides criminal forensics, where can shellbags be useful?

Intrusion detection and revealing user account compromise (B)

What is the significance of .lnk files in forensic analysis?

Providing details about the location of the target file and time of access (B)

What kind of information does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU' key track?

Most recent network drives that were mapped (D)

What does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU' key record?

Recently opened files using file explorer (B)

What type of data does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU' key track?

Recently used applications and folder paths used by these applications to open files (D)

What type of data does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' key track?

Most recent stuff typed into the 'Run' dialogue (A)

What is the primary functionality of Thumbcache in Windows folders?

Stores thumbnails of pictures to enable quicker previewing of images (B)

What happens to Thumbcache entries when the actual images are deleted from the system?

They are not deleted (C)

'MRUList' and 'MRUListEx' in MRU keys describe what aspect of the events?

The order in which the events first occurred (C)

How are events recorded in 'MRUListEx' keys different from those in regular 'MRUList' keys?

They use hexadecimal data format and store numbers in DWORD format (C)

What is the purpose of hashing in forensic examination?

To validate data integrity (D)

What is the main focus of decryption attacks in forensic examination?

Targeting encryption or hashing algorithms' weaknesses (C)

What is the purpose of creating a text index in digital forensics?

To allow for efficient searching using keywords or regular expressions (A)

What is the primary advantage of live searches in digital forensics?

They provide flexibility without constraints by a precomputed index (B)

What is the main challenge associated with index searches in digital forensics?

It may be challenging to find strings containing signs not considered letters during indexing (B)

What role does the indexing and searching techniques play in digital forensic investigations?

They facilitate rapid keyword searches and utility in password cracking (B)

What is the purpose of IOMMU and VT-d technologies?

To isolate virtual machines for better security and device control (C)

How do cold boot attacks differ from other memory collection techniques?

They offer the potential to obtain the full contents of memory but require restarting the victim computer (A)

What is the physical property of RAM modules that allows data remanence in cold boot attacks?

Their ability to retain data even after power is turned off (B)

What is the function of the Inception FPGA?

To emulate hardware for DMA attacks (D)

What are the limitations of most DMA attacks?

Inability to access modern computers with larger memory capacities (D)

What does cooling RAM modules achieve in cold boot attacks?

It slows down the degradation of data held in memory cells (B)

What is the purpose of GPUs in password cracking?

To quickly compare a large number of password candidates against a given hash (A)

What is the purpose of Uncovering Patterns and Behaviors in Password Creation?

To categorize passwords based on strategies used for their creation, enabling easier guessing (C)

What is the significance of Collecting Volatile Memory (RAM) Dumps?

It provides access to encryption keys and decrypted data for forensic analysis (A)

What is the goal of DMA Attacks?

To gain Read/Write access to the computer's RAM using interfaces like Firewire and Thunderbolt (C)

What is file carving in the context of computer forensics?

The process of extracting data from storage media without relying on the file system used in the creation of the file (B)

What do JPEG files start with and end with, based on their file type characteristics?

Start with binary value Oxffd8 and end with binary value Oxffd9 (A)

What are the key components of a JPEG file's structure?

Sequence of data chunks and marker value in big endian byte format (C)

What does the term 'JPEG' stand for?

Joint Photographic Experts Group (B)

What is the primary purpose of the BMP file format?

To store images on Windows operating systems (D)

Which version of the GIF format supports features like background transparency and delay times?

GIF 89a (D)

What do PNG files support in terms of color and transparency?

24-bit true color with transparency in both normal and alpha channels (A)

What is the main advantage of PDF files in terms of device independence?

They enable users to view, save, and print documents across different platforms and operating systems (B)

Where does the hex value of a GIF image file start?

'47 49 46' (B)

What type of compression does JPEG use?

Lossy compression for digital images (A)

What is the purpose of the RGBQUAD array in BMP files?

To support bitmaps with 24 color bits (D)

What do GIF files contain?

'Header', 'image data', 'optional metadata', and 'footer' (D)

What does PNG stand for?

Portable Network Graphics (C)

Which organization created the JPEG standard?

Joint Photographic Experts Group (D)

What do BMP files always have as the first characters in a hexadecimal representation?

'42 4d' (D)

What hexadecimal values represent the signature for a PDF file?

25 50 44 46 (D)

What does the xref table in a PDF file allow?

Random access to objects (C)

What is the signature format for old MS Office document formats (1997-2003)?

D0 CF 11 E0 A1 B1 1A E1 (D)

What is the structure of the new MS Office document formats (2007-present)?

ZIP-compressed XML files (C)

What does the hex signature starting with 50 4B 03 04 indicate in MS Office document formats?

ZIP file format (C)

What does the old MS Office Excel Spreadsheet format (.xls) have in common with Word Document (.doc) and PowerPoint Presentation (.ppt) formats?

Similar hex signature D0 CF 11 E0 A1 B1 1A E1 (C)

Study Notes

Partitioning and Storage Systems

• MBR system supports a maximum of four primary partitions.
• Partitioning a hard drive enables better organization, data management, and partition separation for different operating systems or data types.
• GPT system can handle disks larger than 2TB.
• Understanding the physical size of storage media is vital for forensic examination as it influences data integrity, retrieval, and potential evidence.

Cryptography and Hashing

• A secure hash algorithm must exhibit pre-image resistance, meaning it's infeasible to reverse the hash to find the original input.
• Hashing serves to ensure data integrity and create fixed-size representation of variable-length input.
• In forensic examination, acquired computer memory provides critical evidence, including data that has not yet been written to disk.

RAM and Evidence

• RAM is a reliable evidence source as it can contain user activities, transient data, and information not saved on disk.
• In little-endian order, the least significant byte of a word is stored at the lowest memory address.

System Architecture

• x86 architecture typically runs on little-endian systems.
• ARM architecture operates in both big-endian and little-endian modes, widely used across smartphones, tablets, and personal computers.

Forensic Tools and Windows Registry

• Registry analysis tools are utilized to extract and inspect Windows registry hives.
• The 'Software' hive contains user-specific information such as browser settings and application data.
• Symmetric cryptography uses the same key for encryption and decryption of data.
• Hashing functions employ one-way algorithms, ensuring data cannot be reverted.

File Systems and Storage Techniques

• Resident files in NTFS are stored within the Master File Table (MFT), while non-resident files point to disk blocks for storage.
• Compound files can be significant in forensic examination as they encapsulate multiple data types in a single file.
• Hexadecimal representation of data is crucial in digital forensics for interpreting binary information.

File Recovery and Evidence

• GUID partitioning supports compatibility across various operating systems.
• Hard drives may be recoverable even after reformatting due to residual data left on the disk.
• EXIF data does not include information on the actual content of files, focusing instead on metadata relating to image files.

Log Files and Events

• Event ID 4624 tracks successful user logins.
• Application log files store information valuable for forensic analysis and can be found within the Event Viewer.
• Event ID 4634 monitors user logoff activities.
• The 'MountedDevices' registry key helps examine USB device connectivity.

Prefetching and Shellbags

• Prefetch technology in Windows enhances system performance by storing data for quick access.
• Shellbags serve as evidence by tracking folder access and modifications in user navigation.
• .lnk files detail shortcuts to files and programs, aiding in understanding user interaction with the system.

MRU Lists and Key Tracking

• MRUList and MRUListEx in MRU keys catalog the most recently used items, assisting in user behavior analysis.
• Hashing plays a role in forensic examination by confirming data integrity and detecting unauthorized changes.

Digital Forensics Techniques

• IOMMU and VT-d technologies ensure effective memory management and security in virtualized environments.
• Cold boot attacks exploit data remanence in frozen RAM to recover sensitive information.
• File carving retrieves files based on their structure without relying on file system metadata.

Graphical File Formats and Signatures

• JPEG files begin with hex values 0xFF D8 and end with 0xFF D9, compressed using lossy techniques.
• PNG format supports transparency and is designed for high-quality images and graphics.
• PDF offers device-independent file presentation, enhancing cross-platform usability.
• Old MS Office document formats share similar hex signatures with Excel, Word, and PowerPoint, indicating competitive compatibility.

Conclusion

• Understanding various storage techniques, file properties, and forensic methodologies is essential for effective data recovery and legal evidence gathering.
• Knowledge of data structures and signatures assists forensic analysts in identifying and interpreting file types and their origins.