Forensics Lab Practise

Questions and Answers

What is the maximum number of primary partitions supported by the MBR system?

8

2

4 (correct)

16

In the context of secondary storage media, what is the purpose of partitioning a hard drive?

Allocating sectors and clusters to files or partitions (correct)

Handling hard drive formatting

Creating a master boot record

Overwriting existing data

Which system has a storage limit that can handle disks larger than 2TB?

GUID Partition Table (GPT) (correct)

Legacy System (MBR)

UEFI Specification

BIOS-based systems

What is the significance of understanding the physical size of storage media in forensic examination?

To consider potential data recovery

What property must a hash algorithm have to be considered secure?

Collision resistance

What is the main purpose of hashing in data security?

Ensuring data integrity and security

What is the role of acquired computer memory in forensic examination?

Storing detailed information related to the computer's recent activities

Why is RAM considered a good evidence source in forensic examination?

It is harder for a suspect to deny responsibility for the information found

In little-endian order of storage, where is the least significant byte of a word stored?

At the smallest memory address

Which operating system architecture typically runs on little-endian systems?

Windows

Which CPU architecture is widely used in smartphones, tablets, and personal computers and can operate in both big-endian and little-endian mode?

ARM

Which forensic tool can be used to extract and analyze Windows registry hives?

Exterro/FTK Reg Viewer

Which part of the Windows registry contains user-specific information such as browser settings and application data?

NTUSER.dat Hive (HKEY_CURRENT_USER)

Which cryptographic technique involves the use of same key to transform data into ciphertext and vice-versa?

Symmetric Encryption

What does hashing employ one-way functions for?

To produce hash values from plaintext

What is important about a hash function's property of being one-way?

It makes it impossible to derive plain text from ciphertext

Which HW architecture pairs both use big-endian architecture?

SPARC, PowerPC

What kind of network byte order is commonly used in TCP/IP networks?

Big-endian

What does the 'trim' technology do, particularly in SSDs?

It overwrites unallocated clusters,enhancing data deletion and allowing faster direct write operations in the future.

Where is the Master File Table (MFT) located?

In the partition boot sector

What happens when a file is deleted?

Its MFT record is removed, but the data in the clusters remains until overwritten

What does big-endian format refer to in terms of data ordering?

The most significant byte of a word is stored at the smallest memory address

What defines resident files in NTFS?

Files contained directly in the Master File Table (MFT)

What distinguishes non-resident files in NTFS from resident files?

Non-resident files are stored in allocated clusters and their addresses are mentioned in the MFT

What is significant about compound files when it comes to forensic examination?

They cannot be fully examined when they are in their 'packed' state

What does the hexadecimal representation of data signify?

Data represented in groups of bits for storage on storage media

Which is true for the GUID partitioning when it comes to compatibility?

It works with UEFI-based systems and has limited compatibility with older BIOS systems

What makes hard drives potentially recoverable even after being reformatted?

Only the partition table is removed, leaving data recoverable until overwritten

What type of information does EXIF data NOT provide for forensic examiners?

File last access and last modification details

What type of information is included in file system metadata?

File creation date and last modification details

What type of event is tracked by Event ID 4624?

User logons

Where can log files from applications be found for forensic examination?

ProgramData folder

What type of information can log files from applications provide for forensic examination?

User activities, messages and history

Which event tracks time changes and describes the name of the user account that changed the time settings?

Event ID 4116

Where are the log files located for Event Viewer on a computer used for analysis?

[SystemRoot]\Windows\System32\winevt\Logs

Where can USB device connection events be found apart from registry and event logs?

[SystemRoot]\Windows\INF

What is the purpose of examining the Windows registry key called 'MountedDevices'?

To reveal information about any connected USB devices

Which folder contains the log file setupapi.dev.log?

[SystemRoot]\Windows\INF

What type of event does Event ID 4634 track?

User logoffs

In which folder can log files from applications (that do not use the Windows event management system) be found?

[SystemRoot]\users\[user profile name]\AppData

Where is the prefetch data stored?

C:/Windows/Prefetch

Which tool is often used for inspecting Windows shellbags?

Shellbags explorer by Eric Zimmerman

What do .lnk files contain details about?

Location of the target file and time of access

What can MRU keys provide insights into?

User activities and events on the computer

Where are shellbags stored?

/AppData/Local/Microsoft/Windows

Which area does prefetching aim to enhance?

Application performance

What purpose do Prefetch files serve from a forensics perspective?

Identifying how many times an executable was run and when it was last run.

What can shellbags serve as evidence of?

Deleted folders and network shares information

Besides criminal forensics, where can shellbags be useful?

Intrusion detection and revealing user account compromise

What is the significance of .lnk files in forensic analysis?

Providing details about the location of the target file and time of access

What kind of information does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU' key track?

Most recent network drives that were mapped

What does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU' key record?

Recently opened files using file explorer

What type of data does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU' key track?

Recently used applications and folder paths used by these applications to open files

What type of data does the 'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' key track?

Most recent stuff typed into the 'Run' dialogue

What is the primary functionality of Thumbcache in Windows folders?

Stores thumbnails of pictures to enable quicker previewing of images

What happens to Thumbcache entries when the actual images are deleted from the system?

They are not deleted

'MRUList' and 'MRUListEx' in MRU keys describe what aspect of the events?

The order in which the events first occurred

How are events recorded in 'MRUListEx' keys different from those in regular 'MRUList' keys?

They use hexadecimal data format and store numbers in DWORD format

What is the purpose of hashing in forensic examination?

To validate data integrity

What is the main focus of decryption attacks in forensic examination?

Targeting encryption or hashing algorithms' weaknesses

What is the purpose of creating a text index in digital forensics?

To allow for efficient searching using keywords or regular expressions

What is the primary advantage of live searches in digital forensics?

They provide flexibility without constraints by a precomputed index

What is the main challenge associated with index searches in digital forensics?

It may be challenging to find strings containing signs not considered letters during indexing

What role does the indexing and searching techniques play in digital forensic investigations?

They facilitate rapid keyword searches and utility in password cracking

What is the purpose of IOMMU and VT-d technologies?

To isolate virtual machines for better security and device control

How do cold boot attacks differ from other memory collection techniques?

They offer the potential to obtain the full contents of memory but require restarting the victim computer

What is the physical property of RAM modules that allows data remanence in cold boot attacks?

Their ability to retain data even after power is turned off

What is the function of the Inception FPGA?

To emulate hardware for DMA attacks

What are the limitations of most DMA attacks?

Inability to access modern computers with larger memory capacities

What does cooling RAM modules achieve in cold boot attacks?

It slows down the degradation of data held in memory cells

What is the purpose of GPUs in password cracking?

To quickly compare a large number of password candidates against a given hash

What is the purpose of Uncovering Patterns and Behaviors in Password Creation?

To categorize passwords based on strategies used for their creation, enabling easier guessing

What is the significance of Collecting Volatile Memory (RAM) Dumps?

It provides access to encryption keys and decrypted data for forensic analysis

What is the goal of DMA Attacks?

To gain Read/Write access to the computer's RAM using interfaces like Firewire and Thunderbolt

What is file carving in the context of computer forensics?

The process of extracting data from storage media without relying on the file system used in the creation of the file

What do JPEG files start with and end with, based on their file type characteristics?

Start with binary value Oxffd8 and end with binary value Oxffd9

What are the key components of a JPEG file's structure?

Sequence of data chunks and marker value in big endian byte format

What does the term 'JPEG' stand for?

Joint Photographic Experts Group

What is the primary purpose of the BMP file format?

To store images on Windows operating systems

Which version of the GIF format supports features like background transparency and delay times?

GIF 89a

What do PNG files support in terms of color and transparency?

24-bit true color with transparency in both normal and alpha channels

What is the main advantage of PDF files in terms of device independence?

They enable users to view, save, and print documents across different platforms and operating systems

Where does the hex value of a GIF image file start?

'47 49 46'

What type of compression does JPEG use?

Lossy compression for digital images

What is the purpose of the RGBQUAD array in BMP files?

To support bitmaps with 24 color bits

What do GIF files contain?

'Header', 'image data', 'optional metadata', and 'footer'

What does PNG stand for?

Portable Network Graphics

Which organization created the JPEG standard?

Joint Photographic Experts Group

What do BMP files always have as the first characters in a hexadecimal representation?

'42 4d'

What hexadecimal values represent the signature for a PDF file?

25 50 44 46

What does the xref table in a PDF file allow?

Random access to objects

What is the signature format for old MS Office document formats (1997-2003)?

D0 CF 11 E0 A1 B1 1A E1

What is the structure of the new MS Office document formats (2007-present)?

ZIP-compressed XML files

What does the hex signature starting with 50 4B 03 04 indicate in MS Office document formats?

ZIP file format

What does the old MS Office Excel Spreadsheet format (.xls) have in common with Word Document (.doc) and PowerPoint Presentation (.ppt) formats?

Similar hex signature D0 CF 11 E0 A1 B1 1A E1

Study Notes

Partitioning and Storage Systems

• MBR system supports a maximum of four primary partitions.
• Partitioning a hard drive enables better organization, data management, and partition separation for different operating systems or data types.
• GPT system can handle disks larger than 2TB.
• Understanding the physical size of storage media is vital for forensic examination as it influences data integrity, retrieval, and potential evidence.

Cryptography and Hashing

• A secure hash algorithm must exhibit pre-image resistance, meaning it's infeasible to reverse the hash to find the original input.
• Hashing serves to ensure data integrity and create fixed-size representation of variable-length input.
• In forensic examination, acquired computer memory provides critical evidence, including data that has not yet been written to disk.

RAM and Evidence

• RAM is a reliable evidence source as it can contain user activities, transient data, and information not saved on disk.
• In little-endian order, the least significant byte of a word is stored at the lowest memory address.

System Architecture

• x86 architecture typically runs on little-endian systems.
• ARM architecture operates in both big-endian and little-endian modes, widely used across smartphones, tablets, and personal computers.

Forensic Tools and Windows Registry

• Registry analysis tools are utilized to extract and inspect Windows registry hives.
• The 'Software' hive contains user-specific information such as browser settings and application data.
• Symmetric cryptography uses the same key for encryption and decryption of data.
• Hashing functions employ one-way algorithms, ensuring data cannot be reverted.

File Systems and Storage Techniques

• Resident files in NTFS are stored within the Master File Table (MFT), while non-resident files point to disk blocks for storage.
• Compound files can be significant in forensic examination as they encapsulate multiple data types in a single file.
• Hexadecimal representation of data is crucial in digital forensics for interpreting binary information.

File Recovery and Evidence

• GUID partitioning supports compatibility across various operating systems.
• Hard drives may be recoverable even after reformatting due to residual data left on the disk.
• EXIF data does not include information on the actual content of files, focusing instead on metadata relating to image files.

Log Files and Events

• Event ID 4624 tracks successful user logins.
• Application log files store information valuable for forensic analysis and can be found within the Event Viewer.
• Event ID 4634 monitors user logoff activities.
• The 'MountedDevices' registry key helps examine USB device connectivity.

Prefetching and Shellbags

• Prefetch technology in Windows enhances system performance by storing data for quick access.
• Shellbags serve as evidence by tracking folder access and modifications in user navigation.
• .lnk files detail shortcuts to files and programs, aiding in understanding user interaction with the system.

MRU Lists and Key Tracking

• MRUList and MRUListEx in MRU keys catalog the most recently used items, assisting in user behavior analysis.
• Hashing plays a role in forensic examination by confirming data integrity and detecting unauthorized changes.

Digital Forensics Techniques

• IOMMU and VT-d technologies ensure effective memory management and security in virtualized environments.
• Cold boot attacks exploit data remanence in frozen RAM to recover sensitive information.
• File carving retrieves files based on their structure without relying on file system metadata.

Graphical File Formats and Signatures

• JPEG files begin with hex values 0xFF D8 and end with 0xFF D9, compressed using lossy techniques.
• PNG format supports transparency and is designed for high-quality images and graphics.
• PDF offers device-independent file presentation, enhancing cross-platform usability.
• Old MS Office document formats share similar hex signatures with Excel, Word, and PowerPoint, indicating competitive compatibility.

Conclusion

• Understanding various storage techniques, file properties, and forensic methodologies is essential for effective data recovery and legal evidence gathering.
• Knowledge of data structures and signatures assists forensic analysts in identifying and interpreting file types and their origins.