
Images - JPEGs use DCT compression
Images - Vector images experience no quality loss when resized
Attacks - SYN Flood involves spoofing the source's IP address
Incident Handling - First step is Identification. Last step is to Report
Events - Sexual Harassment must be finally reported to Company Decision Makers
File Forensics - The File Header must be examined to determine if the correct extension is used or hidden
Email - ref pda #
FF - DOS copy imaging will not detect file slack or deleted files
BB - PasswordKeeper uses AES encryption
CP - Acts of CP must be reported to the ACPO
NF - It is important to use NTP to ensure all devices' times are synchronized
Law - Legal sequential numbering is used in Legal Pleadings
Law - 18 USC 2252
Lab - Forensic workstations must be scanned before beginning investigations
Inv - Each case must be handled professionally and managed with utmost importance
Att - Fraggle attack is similar to a Smurf attack but uses UDP
FF - The Boot Loader loads the OS
Inv - Primary goal of a forensic investigator is to preserve Evidence Integrity
Tool - Visual TimeAnalysis Tool is used to determine how long each user used a program
Inv - Prepare system for acquisition, connect devices, copy evidence, secure evidence
Inv - When inspecting a machine with the HDD in, check the Date and Time in the CMOS
Net - POP3 (receiving email) uses port 110
Net - Info obtained from DHCP logs in WiFi networks can be MAC addresses
Law - 4th Amendment
Tool - EnCase searches the MFT to recover files in NTFS partitions

Tool - fdisk /dev/hda creates Linux partitions
Tool - dd if=/dev/xxx of=mbr.backup bs=512 count=1 backs up the MBR
BB - uses SHA-1 for hashing
Inv - (nnnn/zzz) nnnn = evidence number, e.g. 0001. zzz = exhibit number, e.g. 01a
FF - When acquiring images, 2 Bit Stream Copies must be made
FF - Deleting a dynamic partition can corrupt the disk
Image - When the quality of an image is lost this is due to Lossy Compression
FF - Each Sector in a HDD is made up of 512 bytes
FF - When deleting a FAT file in Windows, only the file reference is removed, not the file.
Net - DHCP log files contain the specific time that IPs are given out / leased
Tool - Evidor is used to find Slack Space
Net - IIS uses the UTC time standard
Inv - Multi-evidence forms go in the report. Single evidence and chain-of-custody forms go in a Secure Container
FF - Floppy disks use the FAT12 format
Net - Apache log files are located at usr/local/apache_
Tool - var/bin/files/file.txt
Tool - Before doing a search in EnCase, Keywords must be added
Tool - EnCase searches MSWIN 4.1 in FAT
Inv - Never appropriate to use a formal checklist in a final report
Inv - If a crime is detected in an investigation it should be reported to Law Enforcement
Net - In routers, the configuration and startup files are stored in NVRAM
Law - USPTO (United States Patent and Trademark Office) is responsible for trademarks and services
Francis Galton was responsible for the first set of forensics and fingerprinting
Net - Gateway will show the IP address of a proxy
Net - 0.0.0.0 shows that ports are in listening mode

CP - In Australia, a person can serve up to 10 years imprisonment for CP
Tool - EnCase verifies its bytes with a 32-bit CRC
FF - In acquiring images, a BitStream copy must be done first
Inv - End-to-End concept shows the entire forensic trail from start to finish
Law - IINI stands for Innocent Images National Initiative (Federal Bureau of Investigation's Cyber Crimes Program)
Email - Email header: RCPT TO shows SMTP connection to recipient
FF - When files are created / printed and may not be saved, search the SwapFile
Images - JPEG images are identified by the hex value FF D8 FF E0 00 10
Law - FBI and NSA share jurisdiction in regional crimes
Inv - Low Level Incident Response means it must be responded to in One Working Day.
Net - Passwords in Active Directory are located in the SAM file
Tool - An MD5 for verification should be made before and after acquisition
FF - Microsoft Outlook files have a .pst extension
Tools - The arp -s command is used to add a static IP entry to the ARP table
FF - A Cluster is the smallest unit of storage
Law - Copyright lasts 70 years + the life of the author
Media - CF memory comes in Type I and II and uses only 5% power
Law - If applying for a brand of clothing, Trademark will apply
Law - Netspionage is corporate network spying
FF - In Linux, the Secondary slave device is recognized as hdd
Computer Forensics is used when Mod 1 slide 36
Law - For copyright and anti-piracy, USB Dongles are usually used
Tool - MD5s should always be compared with the original to maintain integrity.
Tool - A Write-Blocker should be used to prevent contamination of data.

Images - Visual Semagrams are symbols that are left around depicting sensitive info
Tool - Isolation Envelope should be used in containing a WiFi enabled PDA
Tool - Paraben's Lockdown tool is used in Windows
Tool - SetFile -a V startup.txt will make the txt file a hidden file
FF/Tool - The offset hexadecimal location is the 0x at the beginning of a file
Inv - Clients / non-forensic personnel should never do forensic searching themselves in the event that they contaminate the data
Law - The is qualified to address the behaviors and characteristics of the defendant

FF - The file header is usually the first few bytes of the file
Tool - Paraben's Decryption Collection is popular for its ability to distribute password analysis to 16 machines or less.
Media - If an iPod is used on a Windows machine, it uses the FAT32 system.
Net - When the routing table of a router is updated, the Metric Value increases by 1
Tool - MD5 hash is a 32 character long hex figure and is 128 bits in strength
Net/Web - The CNAME value in the DNS record maps the host name to IP
FF - Virtual Memory should be scanned to find hidden processes
FF - FAT recycle bin = c:/Recycled. NTFS recycle bin = c:/Recycler
Att - A Ping of Death sends 65,535 bytes
Media - If a PDA has peripherals attached to it, photograph and document all peripherals before acquiring.
FF - Outlook archive can be restored using the Outlook.bak file
FF - Lost Cluster is one which is used but not allocated
SH - For cases involving Sexual Harassment, 4 investigators are needed
Tools - NIST is the organization that validates Forensic tools and their usage.
Inv - Discovery is the initial step of demanding documents before the case goes to trial
Inv - Temporal Analysis is the identification of the Timing and Sequence of events
Inv - Investigators must always guard against Scope Creep

Inv/Rep - The final report should be in PDF format if requested in hardcopy
Inv - When asked to comment on an ongoing case, refer the reporter to the case attorney.
Law/Inv - Warning banners alert the user to their right of privacy
FF - BitStream copies are used because they are robust and not simple copies
Lab - Forensic labs usually have one entrance
FF - The colon ( : ) in the MFT represents a Data Stream File
Att - Bruteforce and Dictionary attacks are commonly used to crack password protected files
Law - A search warrant must be obtained first before searching premises and seizing specific items.
Law/Inv - In the event that an investigator needs an ISP's assistance on a crime, Law Enforcement will have to be contacted first because the ISP must preserve the privacy of its customers.
Att - Buffer overflow attempt on the firewall 126
FF - Capacity of a HDD = C x H x Spt x 512 (CHS values)
Media - Dual layer Blu-ray can store up to 50GB. Single layer is 27
Att - Fraggle attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the IP broadcast address of a large network
Law - How long would a copyright last if established after 1977? 70 years + author's life

Email - SMTP command used to manually enter the recipient of an email = RCPT TO:

FF - One way to identify the presence of hidden partitions on a suspect's hard drive is to add up the total size of all known partitions and compare it to the total size of the hard drive

Tools - C:\>arp -s 10.120.10.23 00-19-A5-D2-BC-31 adds a static IP address and MAC address to the ARP table

Inv - If a firm does not have any on-site IT employees but wants to search for evidence of the breach themselves to prevent any possible media attention, why would this not be recommended? Searching creates cache files which would hinder the investigation

BB - When investigating a computer forensics case where Microsoft Exchange and Blackberry Enterprise Server are used, where would the investigator need to search to find email sent from a Blackberry device? Microsoft Exchange server

FF - The longer a disk is in use, the less likely it is that deleted files will be overwritten

Net When using CIDR 255.0.0.0 = /8

FF/Linux - disadvantage of using Linux when forensically analyzing a hard drive Linux cannot identify the last sector when the drive has an odd number of sectors

Tools/Linux - dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror,sync = Fill the disk with zeros

Net - what layer of the OSI model are you monitoring while watching traffic to and from router = Network

Att - Phreaking is an attack on a phone system, e.g. a company's PBX system

Inv - As a technical or scientific witness, you are only providing the facts as you have found them in your investigation. As an expert, you state OPINIONS about what you observed.

Media DeviceInfo stores the computer names and usernames used to connect to an iPod

FF - E5h indicates that the files have been marked for deletion
FF - LSASS.exe is processed at the end of a Windows XP boot to initialize the logon dialog box
FF - Slack Space will usually contain recently deleted files
Tools - Paraben's Lockdown device Windows to write hard drive data
Media - When a PDA is seized in an investigation while the device is turned on, keep the device powered on
Inv - When discussing the chain of custody in an investigation, a "link" refers to someone that takes possession of a piece of evidence
Net - Sniffers place NICs in promiscuous mode; work at the Network layer????
Att - Why would you need to find out the gateway of a device when investigating a wireless attack? The gateway will be the IP used to manage the access point

Inv - The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They tampered with the evidence by using it

Att - From the log, it appears that the user was manually typing in different user ID numbers. This technique is called Parameter Tampering

Inv - Packaging the electronic evidence is the first step taken in an investigation for laboratory forensic staff members

Computer Forensics focuses on three categories of data: Passive Data, Archival Data and Latent Data

Law - Lay witnesses are not considered experts in any particular field
Tools/Linux - Linux command that can be used to create bit-stream images is dd

Tools - Forensic Sorter is considered faster at processing files and easier to manage because it classifies data into 14 categories
Law - What prompted the US Patriot Act to be created? Trade Centres attack 1993
Images - Grille Cipher - using a cipher to send secret messages in between each other.

FF It is possible to recover files that have been emptied from the Recycle Bin on a Windows computer because The data is still present until the original location of the file is used