C702 Network Forensics
Term | Definition |
---|---|
Hybrid Cloud | A composition of two or more distinct cloud deployments (for example a private cloud plus a public cloud) bound together so data and applications can move between them |
Community Cloud | Infrastructure shared by two or more organizations with common concerns (mission, compliance requirements, jurisdiction) |
Private Cloud | Infrastructure operated for a single organization, whether hosted on-premises or by a third party |
Public Cloud | Infrastructure owned and run by a provider and shared by many customer organizations |
Rainbow Tables | Precomputed tables used to recover plaintext passwords from captured password hashes. Candidate passwords and their variations are hashed ahead of time (a rainbow table stores them as compressed hash/reduce chains rather than one row per hash), so cracking becomes a lookup instead of a live brute-force run: disk space is traded for time. A per-user salt defeats precomputation, because every distinct salt would need its own table. |
Cain and Abel | A password recovery tool for Microsoft operating systems. Recovers passwords by sniffing the network and cracking captured password hashes using dictionary, brute-force and cryptanalysis attacks. |
ophcrack | A free Windows password cracker based on rainbow tables. It comes with a GUI and runs on multiple platforms. |
L0phtCrack | A password auditing and recovery tool. Features include scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding. |
THC Hydra | A network logon cracker that runs dictionary or brute-force attacks against many network services (SSH, FTP, HTTP forms, SMB, RDP, databases and others), trying username/password combinations in parallel. Runs on Linux, BSD, Solaris, macOS and other Unix-like systems, and on Windows under Cygwin. |
Brute Force | Tries every possible combination of characters up to a given length. It will eventually find any password, but needs far more processing power and time than dictionary or rainbow-table attacks, and the cost grows exponentially with password length. |
Dictionary Attack | Hashes or submits every word in a wordlist (optionally with common variations) and compares the result against the target. Fast, but it fails against passphrases and any password that does not appear in the wordlist used. |
Message Header | Fields such as From, To, Cc, Bcc, Subject, Date, Message-ID and the Received lines added by each mail server the message passed through. Contains the sender and recipient addresses, subject, time of creation, delivery stamps and the message author. In an investigation the Received lines are read from the bottom up to trace the path from the originating server to the recipient. |
Email Body | Message and Signature block |
Netstat | Command-line tool that collects information about active network connections on a Windows system (also available on Unix-like systems). Gives a simple view of TCP and UDP connections, their state, the listening ports and network traffic statistics; netstat -ano on Windows adds the owning process ID. Used to capture volatile network state. |
Nbtstat | Helps troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses; nbtstat displays the NetBIOS name table and name cache. |
fsstat | The Sleuth Kit command that displays the details associated with a file system. The output is file-system specific; at a minimum it gives the range of metadata addresses (inode numbers) and content units (blocks or clusters), plus mount times and enabled features where the file system records them. |
Xplico | Network forensic analysis tool that reconstructs application-layer data (email, HTTP sessions, VoIP calls, etc.) from a captured internet traffic file such as a pcap |
Oxygen Forensic Kit | Ready-to-use and customizable mobile forensic solution for field and in-lab use. It extracts data from the device and also analyzes the data and creates reports in the field |
LSASecretsView | A small utility that lists all LSA secrets stored in the Registry under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets (the SECURITY hive is not readable by ordinary users, so administrative rights are required). The secrets may contain VPN/RAS passwords and autologon passwords |
Gargoyle | Gargoyle Investigator: a malware and contraband detection tool that quickly scans a given computer for known malicious programs and finds remnants of programs that have been removed. Its signature sets cover botnets, Trojans, steganography tools, encryption tools and keyloggers |
Recover My Files | Data recovery software. Recovers files deleted from the Windows Recycle Bin, or lost because of formatting or corruption of a hard drive, virus or Trojan infection, unexpected system shutdown or software failure. Previews recovered data "on the fly" |
Ontrack EasyRecovery | Data recovery software for retrieving missing files. It recovers data and protects it |
.EDB | Extensible Storage Engine database file. Two forensic meanings: the Windows Search index (Windows.edb), which holds indexed information about files on the system, and the Microsoft Exchange mailbox database, the server-side mail storage archive |
.NSF | Notes Storage Facility database used by Lotus Notes / IBM (now HCL) Notes and Domino; the server-side mail storage archive. Can be recovered and extracted with a Lotus Notes forensics tool |
.PST | Outlook Data File (Personal Storage Table). Found on the local machine as a local archive; its format is independent of any mail server |
.OST | Offline Outlook Data File. A synchronized copy of the mailbox kept on the client so work can continue offline; changes sync back to the server when the connection returns |
.NST | Outlook Group Storage File, used for Office 365 Groups data |
Master Boot Record | MBR. The first 512-byte sector (boot sector or partition sector) of a partitioned disk. It holds the boot code (446 bytes), the four-entry partition table (64 bytes) and the 0x55AA boot signature, and tells the firmware where the operating system boot loader is so it can be loaded into main memory |
HTTP 500 error message | Internal server error returned when the application fails while handling a request. Repeated 500s in web server logs, especially when the query string carries quote marks or SQL keywords, can indicate a SQL injection attempt (the injected input broke the query). A 500 on its own is also produced by ordinary application faults, so corroborate it with the request payload and application logs. |
"An internal server error" or "Problem processing your request" | Messages shown to the user with an HTTP 500 response; in a web attack investigation they are treated as the same indicator as the HTTP 500 status in the logs |
Tracks | Concentric rings on the platters that store data; each track is divided into smaller units called sectors or disk blocks. Track numbering starts at 0; in legacy CHS addressing the cylinder number is a 10-bit field, so it runs from 0 to 1023 |
IIS | Centralized binary logging: all websites on an IIS server write their log data to a single binary log file instead of scattered per-site text logs; the file is parsed afterwards with a tool such as LogParser |
IIS log file path on a server | %SystemDrive%\inetpub\logs\LogFiles (one W3SVC<siteid> folder per website) |
Write Blocker Tool | Tableau T8-R2 Forensic USB Bridge |
Tableau T8-R2 Forensic USB Bridge | Offers secure, hardware-based write blocking of USB mass storage devices; the suspect drive is imaged through the bridge so no write can reach it, preserving evidence integrity |
File Salvage | Mac data recovery tool. Recovers lost files and reads data from scratched CDs |
Advanced Disk Recovery | Scans the system for deleted files and tries to recover them |
macOS Log Updates | /var/log/install.log records the installation date of the system and the history of software updates |
Azazel | A userland rootkit written in C, based on the LD_PRELOAD technique of the original Jynx rootkit. It is more robust, has additional features and focuses heavily on anti-debugging and anti-detection |
Splunk | A software platform to search, analyze and visualize machine-generated data gathered from websites, applications, servers and network devices |
File Carving | A technique to recover files and file fragments from the unallocated space of a disk when no file-system metadata is available, by scanning for known file headers (signatures) and footers |
Admissible Evidence | Evidence a court will accept: it must be relevant to the case, must support the position of the party presenting it, and must be clearly communicated |
Volatile Data | Temporary information on a digital device that requires a constant power supply and is deleted if the power supply is interrupted. system time, logged-on users, network information, process information etc |
Non-Volatile Data | Permanent data stored on secondary storage devices, such as hard disks and memory cards. Information stored in non-volatile form includes hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions etc |
When is it okay to not have a search warrant? | In exigent circumstances, such as when evidence is about to be destroyed |
When can you enter a premise? | With the consent of a person who has authority over the premises |
Evidence locker recommendations | Place these containers in restricted areas, which are only accessible to lab officers. Protected from unauthorized access by using high-quality padlocks and perform routine inspections |
RAID 0 | Disk striping. No fault tolerance; data is split across drives purely to improve overall performance |
RAID 1 | Mirroring. Duplicates the same data onto two different drives, so either drive can fail without data loss |
RAID 2 | Bit-level striping with Hamming-code error correction on dedicated disks. Not a standard technique in practice and rarely implemented |
RAID 3 | Byte-level striping with a dedicated parity disk; the parity checksums allow rebuilding one failed drive |
RAID 5 | Block-level striping with parity distributed across all drives. Uses 3 or more disks, with the equivalent of one disk's capacity holding parity information |
RAID 10 | Stripe of mirrors: RAID 0 striping across RAID 1 mirrored pairs |
JPEG Hex value | FF D8 FF |
BMP Hex value | 42 4D ("BM") |
GIF Hex value | 47 49 46 38 ("GIF8") |
PNG Hex value | 89 50 4E 47 (".PNG"; the full signature is 89 50 4E 47 0D 0A 1A 0A) |
PDF Hex value | 25 50 44 46 ("%PDF") |
TSK fsstat | Displays general details of a file system. The output is file-system specific |
TSK istat | Displays details of a metadata structure (i.e. an inode): UID, GID, mode, size, link count, modified/accessed/changed times and all the disk units the structure has allocated |
TSK fls | Lists file and directory names in a disk image, including the names of recently deleted files, for the directory at the given inode |
TSK img_stat | Displays the details associated with an image file (format, size, sector layout) |
dcfldd Command | The dd command is a general data management tool, not designed for forensics, so it has drawbacks. dcfldd is an enhanced dd that adds features to support forensic acquisition: hashing on the fly, progress status output, splitting the output into multiple files and verifying the image against the source. Used for acquiring data on Linux |
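The header-signature scan behind the File Carving and file-signature cards, as an added worked example (not part of the C702 material). It searches a raw byte image for the magic numbers listed above and carves a PNG by walking its chunk structure to IEND, so the end of the file is known exactly. The sample image, including the "SUBMIT FORM" text that produces a false "BM" hit, is constructed inline.

```python
"""Header-signature scan over a raw byte image (added example; sample image constructed inline)."""
import struct
import zlib
from typing import List, Optional, Tuple

# Magic numbers from the C702 cards; PNG is extended to its full 8-byte signature.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "bmp":  b"\x42\x4d",                          # "BM"
    "gif":  b"\x47\x49\x46\x38",                  # "GIF8"
    "png":  b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a",
    "pdf":  b"\x25\x50\x44\x46",                  # "%PDF"
}


def scan_signatures(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, type) for every signature hit, sorted by offset.
    Unallocated space carries no metadata, so the header bytes are the only handle."""
    hits = []
    for name, magic in SIGNATURES.items():
        start = 0
        while (pos := image.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def carve_png(image: bytes, offset: int) -> Optional[bytes]:
    """Carve a PNG by walking its chunks (length, type, data, CRC) until IEND.
    Returns None when a chunk runs past the end of the image (truncated file)."""
    pos = offset + len(SIGNATURES["png"])
    while pos + 8 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(image):
            return None
        if ctype == b"IEND":
            return image[offset:end]
        pos = end
    return None


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct the sample)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


# Constructed 1x1 greyscale PNG with valid structure, so carve_png can find its IEND.
PNG_SAMPLE = (
    SIGNATURES["png"]
    + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + one pixel
    + png_chunk(b"IEND", b"")
)

# Constructed "unallocated space": zero fill, the PNG, junk, a PDF fragment, text
# that happens to contain "BM", a GIF header and a JPEG header.
SAMPLE_IMAGE = (
    bytes(512)
    + PNG_SAMPLE
    + b"\xff" * 64
    + b"%PDF-1.4\n%%EOF\n"
    + b"SUBMIT FORM"
    + b"GIF89a" + bytes(16)
    + b"\xff\xd8\xff\xe0" + bytes(32)
)


def report(image: bytes) -> List[str]:
    """Human-readable hit list; flags the 2-byte BMP signature as needing verification."""
    lines = []
    for offset, kind in scan_signatures(image):
        note = ""
        if kind == "bmp":
            note = "  (2-byte signature: check the BITMAPFILEHEADER before trusting this hit)"
        if kind == "png":
            carved = carve_png(image, offset)
            note = f"  carved {len(carved)} bytes to IEND" if carved else "  truncated PNG"
        lines.append(f"0x{offset:08x}  {kind}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_IMAGE)))
```

The two-byte BMP signature is the weak point: "BM" occurs inside ordinary text, so a carver should confirm the rest of the header (file size field, pixel-array offset) before accepting the hit. Formats with a self-describing structure, like PNG, let the carver find the true end of the file instead of cutting at an arbitrary size limit.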
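A parser for the 512-byte Master Boot Record described in the MBR card, as an added example (not course material). It checks the 0x55AA signature, decodes the four partition-table entries and the disk signature, converts the LBA start to a byte offset for a carver or dd, and flags anomalies an examiner cares about (overlapping partitions, more than one boot flag). The sample MBR is constructed inline; the partition type names are the common legacy codes.

```python
"""Parse a 512-byte Master Boot Record (added example; sample MBR constructed inline)."""
import struct
from typing import Dict, List

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"           # bytes 510-511 (0xAA55 read as a little-endian word)
PARTITION_TABLE_OFFSET = 446           # 4 entries x 16 bytes follow the 446-byte boot code

# A few partition type codes an examiner meets constantly.
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def find_anomalies(partitions: List[Dict]) -> List[str]:
    """Flag things worth a second look: overlapping entries and multiple boot flags."""
    notes = []
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba_start"] < prev["lba_start"] + prev["sectors"]:
            notes.append(f"partition {cur['index']} overlaps partition {prev['index']}")
    if sum(p["bootable"] for p in partitions) > 1:
        notes.append("more than one partition marked bootable")
    return notes


def parse_mbr(sector: bytes) -> Dict:
    if len(sector) != SECTOR:
        raise ValueError(f"MBR must be exactly {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not an MBR, or the sector is damaged")
    disk_signature = struct.unpack_from("<I", sector, 440)[0]
    partitions: List[Dict] = []
    for index in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * index
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue                       # empty slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR,   # where to point a carver or 'dd skip='
        })
    return {"disk_signature": disk_signature, "partitions": partitions,
            "anomalies": find_anomalies(partitions)}


def make_entry(status: int, ptype: int, lba_start: int, count: int) -> bytes:
    """Build one 16-byte partition entry; CHS fields get placeholder values."""
    return struct.pack("<B3sB3sII", status, b"\x20\x21\x00", ptype, b"\xfe\xff\xff",
                       lba_start, count)


def build_sample_mbr(disk_signature: int = 0xDEADBEEF) -> bytes:
    """Constructed MBR: bootable NTFS partition at LBA 2048, Linux partition after it."""
    return (
        bytes(440)                                   # boot code (zeroed here)
        + struct.pack("<I", disk_signature)          # Windows disk signature at 440-443
        + b"\x00\x00"                                # reserved
        + make_entry(0x80, 0x07, 2048, 204800)
        + make_entry(0x00, 0x83, 206848, 102400)
        + bytes(32)                                  # two empty entries
        + BOOT_SIGNATURE
    )


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print(f"disk signature 0x{mbr['disk_signature']:08x}")
    for p in mbr["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} #{p['index']} {p['type_name']:<14} LBA {p['lba_start']:>10} "
              f"sectors {p['sectors']:>10} byte offset {p['byte_offset']}")
    for note in mbr["anomalies"]:
        print("anomaly:", note)
```

On a real image the same parse is run on the first 512 bytes of the acquired disk file; an entry whose LBA range is not covered by any file system, or two entries that overlap, are where hidden data tends to be placed. A type 0xEE entry means the disk is actually GPT and the MBR is only protective.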
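The HTTP 500 and IIS log cards together, as an added example (not course material): a small triage script that parses IIS W3C extended log lines and classifies each request by status code plus query-string injection indicators. The log lines, IP addresses and URIs are constructed; the indicator regex is a triage heuristic, not proof of compromise.

```python
"""Triage HTTP 500 responses in an IIS W3C log for SQL injection indicators
(added example; log lines constructed inline)."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Indicators commonly seen in injection probes: quote, comment, stacked query,
# UNION/SELECT, tautology, MSSQL shell procedure, time-based delay.
SQLI_PATTERN = re.compile(
    r"('|--|;|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+|xp_cmdshell|waitfor\s+delay)",
    re.IGNORECASE,
)

# Constructed sample in IIS W3C extended format. IIS writes spaces inside a field
# as '+', so splitting on whitespace is safe. Default location on the server:
# %SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteid>\u_exYYMMDD.log
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-03-01 10:15:02 10.0.0.5 GET /products.aspx id=42 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2024-03-01 10:15:09 10.0.0.5 GET /products.aspx id=42%27+OR+1%3D1-- 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 500 0 0 48
2024-03-01 10:15:11 10.0.0.5 GET /products.aspx id=42+UNION+SELECT+username,password+FROM+users-- 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 500 0 0 52
2024-03-01 10:16:30 10.0.0.5 GET /report.aspx month=13 80 - 198.51.100.2 Mozilla/5.0+(Macintosh) - 500 0 0 900
2024-03-01 10:16:41 10.0.0.5 GET /products.aspx id=42+UNION+SELECT+username,password+FROM+users-- 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 61
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if not fields:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def triage(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Classify requests by status code and query-string indicators; quiet 200s are dropped."""
    findings = []
    for r in rows:
        status = r.get("sc-status", "")
        raw = r.get("cs-uri-query", "-")
        query = "" if raw == "-" else unquote_plus(raw)   # IIS logs the query URL-encoded
        injected = bool(SQLI_PATTERN.search(query))
        if status == "500" and injected:
            verdict = "probe: injected input broke the query"
        elif status == "500":
            verdict = "server fault without injection indicators; corroborate with app logs"
        elif injected:
            verdict = f"possible successful injection: payload accepted with HTTP {status}"
        else:
            continue
        findings.append({
            "time": f"{r['date']} {r['time']}",
            "client": r["c-ip"],
            "request": r["cs-method"] + " " + r["cs-uri-stem"] + ("?" + query if query else ""),
            "status": status,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_w3c(SAMPLE_LOG)):
        print(f"{f['time']}  {f['client']:<14} {f['status']}  {f['request']}\n    -> {f['verdict']}")
```

The last constructed line is the important caveat: the same UNION payload that produced a 500 while the attacker was tuning it comes back with a 200 once it fits the query, so a 500 marks the probing phase, while a 200 carrying SQL syntax is the stronger sign that data actually left.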
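The trade-off behind the Rainbow Tables, Brute Force and Dictionary Attack cards, as an added example (not course material). It uses a plain precomputed lookup table rather than true rainbow chains (the chain compression is omitted; the time/storage trade-off is the same) and shows why a per-user salt forces the attacker back to hashing the wordlist once per target. The wordlist, salt and hash algorithm (SHA-256) are constructed for the demonstration; real systems store NTLM, bcrypt or similar.

```python
"""Precomputed-table cracking versus per-target rehashing (added example; wordlist constructed)."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for a real dictionary file.
WORDLIST: List[str] = ["123456", "password", "letmein", "Summer2024", "qwerty", "admin123"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """One-off precomputation: hash -> plaintext for every candidate.
    Rainbow tables compress this with hash/reduce chains; the economics are the same."""
    return {sha256_hex(w.encode()): w for w in words}


def crack_unsalted(table: Dict[str, str], digest: str) -> Optional[str]:
    """Unsalted hash: a dictionary lookup, zero hash computations per captured hash."""
    return table.get(digest)


def make_salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store salt alongside the hash as 'salthex$digest' (a random 16-byte salt per user)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex() + "$" + sha256_hex(salt + password.encode())


def crack_salted(words: List[str], record: str) -> Tuple[Optional[str], int]:
    """Salted hash: the table is useless, so every candidate is rehashed with this salt.
    Returns (plaintext or None, number of hashes computed) to show the cost."""
    salt_hex, digest = record.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    computed = 0
    for w in words:
        computed += 1
        if sha256_hex(salt + w.encode()) == digest:
            return w, computed
    return None, computed


def compare_costs(words: List[str], passwords: List[str]) -> Dict[str, int]:
    """Hashes needed to crack the same passwords unsalted (table) versus salted (per target)."""
    table = build_lookup_table(words)
    unsalted_hashes = 0                       # table built once; lookups are free
    for p in passwords:
        assert crack_unsalted(table, sha256_hex(p.encode())) == p
    salted_hashes = 0
    for p in passwords:
        found, n = crack_salted(words, make_salted_record(p))
        assert found == p
        salted_hashes += n
    return {"table_build": len(words), "unsalted_lookups": unsalted_hashes,
            "salted_rehash": salted_hashes}


if __name__ == "__main__":
    targets = ["letmein", "qwerty", "admin123", "password"]
    print(compare_costs(WORDLIST, targets))
```

With N captured hashes and a wordlist of W entries, the unsalted case costs W hashes once and then nothing per target, while salting costs up to W hashes for every target. That is the property a rainbow table attack depends on, and the reason salted (and slow, iterated) hashes are the defensive baseline.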