forensics 2

Question | Answer
1st thing to collect on Windows (volatile data) | system date and time
2nd thing to collect on Windows (volatile data) | open TCP or UDP ports
3rd thing to collect on Windows (volatile data) | which executables are opening TCP or UDP ports
4th thing to collect on Windows (volatile data) | cached NetBIOS name table
5th thing to collect on Windows (volatile data) | users currently logged on
6th thing to collect on Windows (volatile data) | internal routing table
7th thing to collect on Windows (volatile data) | running processes
8th thing to collect on Windows (volatile data) | running services
9th thing to collect on Windows (volatile data) | scheduled jobs
10th thing to collect on Windows (volatile data) | open files
11th thing to collect on Windows (volatile data) | process memory dumps
Why this order? | It follows the order of volatility: the items most likely to change or disappear (time, connections, port owners) are captured first, and the slow, intrusive step (memory dumps) is left until the state it would disturb has already been recorded.
Commands to collect Windows date and time | date /t and time /t (the /t switch prints the value without prompting to change it)
Commands to collect Windows open TCP and UDP ports | netstat -an
Commands to collect Windows executables opening TCP and UDP ports | fport or TcpView (Sysinternals); on current Windows, netstat -anob does this built in (needs an elevated prompt)
Commands to collect Windows NetBIOS name table | nbtstat -c
Commands to collect Windows users currently logged on | PsLoggedOn (Sysinternals)
Commands to collect Windows internal routing table | netstat -rn (route print shows the same table)
Commands to collect Windows running processes | PsList (Sysinternals); tasklist is the built-in alternative
Commands to collect Windows running services | PsService (Sysinternals). Not PsExecSvc: that is the helper service PsExec installs on a remote host. sc query and net start are built-in alternatives.
Commands to collect Windows scheduled jobs | at (legacy); schtasks /query on current Windows
Commands to collect Windows open files | PsFile (Sysinternals) lists files opened remotely over SMB; Handle (Sysinternals) lists handles held by local processes
Commands to collect Windows process memory dumps | First map the evidence share so nothing is written to the subject disk: net use Z: \\ip_address\data. Then userdump PID to dump the process, and dumpchk dump_file to verify the dump is readable. procdump (Sysinternals) is the current replacement for userdump.
Commands to collect Windows full system memory dump | dd (older builds could read \\.\PhysicalMemory from user mode; current Windows blocks that, so a driver-based imager such as WinPmem is used instead)
What is the reason to perform Windows live response? | Much evidence exists only in memory: running processes (including injected malware), current network connections, and the unencrypted form of files that are encrypted on disk. Powering off destroys it.
What is volatile data? | Data that is lost when the computer is powered off (memory contents, connections, running processes).
What is non-volatile data? | Data that survives a power-off (disk contents, logs, registry hives).
How to transfer live response data over the network to the forensic workstation? | Use netcat. Start the listener on the forensic workstation first, redirecting to a file: nc -l -v -p 2222 > evidence_file. Then on the subject system pipe each command into it: command | nc forensic_station_ip 2222. Netcat sends in cleartext; use cryptcat or an SSH tunnel if the path is untrusted.
What is the purpose of calculating MD5 on the file containing live response data? | To prove the integrity of the file: hash it immediately after collection (on both ends when it crosses the network) and again before analysis; matching hashes show it was not altered in between. MD5 collisions are practical, so record SHA-256 alongside it.
What is network-based evidence? | Data collected from traffic as it is being sent across the network, rather than from the hosts at either end.
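The netcat exchange above, with the hash check done on both ends, as an added example that is not part of the card set and not from any named tool. It reproduces the listener and the sender in Python on loopback so the two sides can be run together; the port, file path and command are chosen for the demo, and in a real collection the listener runs on the forensic workstation and the sender on the subject system.

```python
"""Added example: the 'command | nc station port' exchange with integrity hashes on both sides.

receive_to_file() plays the forensic station (nc -l -v -p PORT > file),
send_command_output() plays the subject system (command | nc station PORT).
Both sides hash the stream independently; the digests must agree before the
copy on the workstation is trusted. Constructed demo; nothing here is StudyStack's code.
"""
import hashlib
import socket
import subprocess
import threading


def receive_to_file(listen_sock, path):
    """Station side: accept one connection, stream it to disk, hash while writing.
    Returns (bytes_received, md5_hex, sha256_hex)."""
    conn, _peer = listen_sock.accept()
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with conn, open(path, "wb") as fh:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # sender closed the socket: end of stream
                break
            fh.write(chunk)
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha.hexdigest()


def send_command_output(argv, host, port):
    """Subject side: run argv and stream its stdout over TCP, hashing as it goes.
    Nothing is written to the local disk. Returns (bytes_sent, md5_hex, sha256_hex)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with socket.create_connection((host, port)) as s, \
            subprocess.Popen(argv, stdout=subprocess.PIPE) as proc:
        for chunk in iter(lambda: proc.stdout.read(65536), b""):
            s.sendall(chunk)
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha.hexdigest()


def transfer(argv, path, host="127.0.0.1"):
    """Run both sides on loopback (demo only). Returns True when the station's and
    the subject's (size, md5, sha256) records agree, i.e. the file is intact."""
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((host, 0))              # port 0: let the OS pick a free port for the demo
    ls.listen(1)
    port = ls.getsockname()[1]
    result = {}
    station = threading.Thread(target=lambda: result.update(rx=receive_to_file(ls, path)))
    station.start()                 # listener must be up before the sender connects
    tx = send_command_output(argv, host, port)
    station.join()
    ls.close()
    return tx == result["rx"]


if __name__ == "__main__":
    print("intact:", transfer(["ps", "aux"], "ps_aux.txt"))
```

The sender hashes what it transmits and the station hashes what it stores; recording both, with the time, is what lets the analyst later show the workstation copy is the same bytes the subject system produced.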
How to collect which executables are opening TCP or UDP ports on Linux? | lsof -i (netstat -anp or ss -tulpn also show the owning PID and program name)
How to collect running processes on Linux? | ps aux (or ps -ef)
How to collect open files on Linux? | lsof
How to collect loaded kernel modules on Linux? | lsmod
How to collect mounted file systems on Linux? | mount or df
How to collect the system version and patch level? | uname -a for the kernel version; rpm -qa for installed packages on RPM-based distributions (dpkg -l on Debian-based ones)
How to collect a history of logins and users currently logged on? | last reads the login history from wtmp, and its entries marked "still logged in" are the current sessions; w or who list current sessions directly
What does lsof do? | It lists every open file on the system together with the process holding it. Because sockets are files on Linux, lsof -i shows which executable has each port open.
What is /etc/syslog.conf and which log files do you need to pay attention to? | /etc/syslog.conf (rsyslog.conf on newer systems) specifies which facility and priority of messages are written to which file. Pay attention to /var/log/messages, /var/log/secure, /var/log/maillog, /var/log/cron, /var/log/spooler and /var/log/boot.log. An attacker with root can edit these, so compare against a remote syslog copy where one exists.
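The Windows collection order and command list above, and the Linux command list that follows them, describe one procedure: run a fixed list of commands in order, keep each output, and hash it. The following collector is an added example (not a StudyStack or Sysinternals tool) that does exactly that for either platform. The command tables follow the cards; the Windows table assumes the Sysinternals PsTools (PsLoggedOn, PsList, PsService, PsFile) are on the PATH of the response media, and the `-accepteula` switch they take is used to suppress the licence dialog. Process memory dumps are left out of the table because they need a PID chosen from the process listing.

```python
"""Added example: ordered volatile-data collector with a hashed manifest.

Runs the commands in the order the cards give, writes each command's output to
its own file, and records MD5 and SHA-256 of every output so the collection can
be re-verified later. Command tables are assumptions based on the cards, not
code from StudyStack.
"""
import hashlib
import os
import subprocess
import sys
from datetime import datetime, timezone

# Most volatile first. cmd builtins (date, time) go through cmd /c.
WINDOWS_COMMANDS = [
    ("01_date_time",        ["cmd", "/c", "date /t & time /t"]),
    ("02_open_ports",       ["netstat", "-an"]),
    ("03_port_executables", ["netstat", "-anob"]),          # built-in stand-in for fport; needs admin
    ("04_netbios_cache",    ["nbtstat", "-c"]),
    ("05_logged_on_users",  ["PsLoggedOn", "-accepteula"]),
    ("06_routing_table",    ["netstat", "-rn"]),
    ("07_processes",        ["PsList", "-accepteula"]),
    ("08_services",         ["PsService", "-accepteula"]),  # PsService, not PsExecSvc
    ("09_scheduled_jobs",   ["schtasks", "/query", "/v", "/fo", "LIST"]),
    ("10_open_files",       ["PsFile", "-accepteula"]),
]

LINUX_COMMANDS = [
    ("01_date_time",        ["date", "-u"]),
    ("02_port_executables", ["lsof", "-i", "-n", "-P"]),
    ("03_processes",        ["ps", "aux"]),
    ("04_open_files",       ["lsof", "-n"]),
    ("05_kernel_modules",   ["lsmod"]),
    ("06_mounts",           ["mount"]),
    ("07_version",          ["uname", "-a"]),
    ("08_login_history",    ["last"]),
    ("09_logged_on",        ["w"]),
]


def _hashes(data):
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def collect_volatile(commands, outdir, timeout=60):
    """Run commands in order; write outputs and manifest.txt under outdir.
    Returns a list of (label, exit_code, md5, sha256). A missing tool or a
    timeout is recorded with exit_code None instead of aborting, because the
    later, less volatile items are still worth collecting."""
    os.makedirs(outdir, exist_ok=True)
    manifest = []
    with open(os.path.join(outdir, "manifest.txt"), "w") as mf:
        mf.write(f"# collection started {datetime.now(timezone.utc).isoformat()}\n")
        for label, argv in commands:
            started = datetime.now(timezone.utc).isoformat()
            try:
                proc = subprocess.run(argv, capture_output=True, timeout=timeout)
                data, rc = proc.stdout + proc.stderr, proc.returncode
            except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
                data, rc = f"collector: {exc!r}\n".encode(), None
            with open(os.path.join(outdir, label + ".txt"), "wb") as fh:
                fh.write(data)
            md5, sha = _hashes(data)
            manifest.append((label, rc, md5, sha))
            mf.write(f"{label}\t{started}\t{' '.join(argv)}\trc={rc}\tmd5={md5}\tsha256={sha}\n")
    return manifest


def verify_manifest(outdir):
    """Re-hash every output file and compare with manifest.txt; True only if all match."""
    ok = True
    with open(os.path.join(outdir, "manifest.txt")) as mf:
        for line in mf:
            if line.startswith("#"):
                continue
            cols = line.rstrip("\n").split("\t")
            fields = dict(f.split("=", 1) for f in cols[3:])
            with open(os.path.join(outdir, cols[0] + ".txt"), "rb") as fh:
                md5, sha = _hashes(fh.read())
            ok &= md5 == fields["md5"] and sha == fields["sha256"]
    return ok


if __name__ == "__main__":
    table = WINDOWS_COMMANDS if sys.platform.startswith("win") else LINUX_COMMANDS
    target = sys.argv[1] if len(sys.argv) > 1 else "evidence"   # point this at the mapped evidence share
    for row in collect_volatile(table, target):
        print(row)
```

Point the output directory at the mapped evidence share or the netcat-fed workstation path, never at the subject's own disk, and keep the manifest with the case notes: `verify_manifest()` is the check an analyst runs before opening any of the files.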
What are full content data and session data? | Full content data is every packet seen on the wire, headers and payload. Session data is the aggregation of packets into flows of associated packets (who talked to whom, when, and how much), with the payload discarded.
What are alert data and statistical data? | Alert data is created by analyzing network-based evidence for predefined items of interest (signatures or anomalies). Statistical data is measurement only: counts, rates and protocol breakdowns that summarize traffic over time.
What tools do you use to collect full content data? | tcpdump, WinDump, WinPcap (the capture library WinDump and Wireshark use on Windows, rather than a tool on its own), Ethereal (renamed Wireshark in 2006), ngrep, flowgrep
What tools do you use to collect session data? | Argus, tcptrace, tcpflow
What tools do you use to collect alert data? | Snort, Shoki, Bro (now called Zeek)
What tools do you use to collect statistical data? | tcpdstat, tcpstat, ntop, trafshow
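The four kinds of network-based evidence above are derived from the same packets, which is easier to see in code than on cards. The following is an added example, not from StudyStack or from any of the tools named: a constructed six-packet capture (not real traffic) stands in for full content data, and three functions produce session, statistical and alert data from it the way Argus, tcpdstat and Snort would. The signatures, addresses and flow-key rules are this example's own simplifications.

```python
"""Added example: one constructed capture, three derived views of it.

session_data() aggregates packets into bidirectional flows (session data),
statistical_data() keeps only measurements (statistical data), and
alert_data() matches predefined items of interest (alert data).
Sample packets and signatures are constructed for the demo.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One full-content record, the kind tcpdump or Wireshark would capture."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


# Constructed capture: a web request, a DNS lookup, and a probe from outside.
CAPTURE = [
    Packet(0.00, "10.0.0.5", 49152, "93.184.216.34", 80, "tcp",
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet(0.05, "93.184.216.34", 80, "10.0.0.5", 49152, "tcp", b"HTTP/1.1 200 OK\r\n\r\n<html>"),
    Packet(0.10, "10.0.0.5", 49152, "93.184.216.34", 80, "tcp", b""),
    Packet(1.00, "10.0.0.5", 53001, "10.0.0.1", 53, "udp", b"\x12\x34\x01\x00\x07example\x03com\x00"),
    Packet(1.02, "10.0.0.1", 53, "10.0.0.5", 53001, "udp", b"\x12\x34\x81\x80\x07example\x03com\x00"),
    Packet(2.00, "203.0.113.9", 4444, "10.0.0.5", 80, "tcp",
           b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
]

# Constructed signatures in the spirit of Snort content rules: (name, dest port, payload regex).
SIGNATURES = [
    ("WEB-MISC directory traversal", 80, re.compile(rb"\.\./\.\./")),
    ("WEB-MISC /etc/passwd access", 80, re.compile(rb"/etc/passwd")),
]


def flow_key(p):
    """Direction-independent key: both directions of a conversation share one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def session_data(packets):
    """Session data: flows with packet/byte counts, start, end and initiator; no payload kept."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        f = flows.setdefault(flow_key(p), {"packets": 0, "bytes": 0, "start": p.ts,
                                           "end": p.ts, "initiator": (p.src, p.sport)})
        f["packets"] += 1
        f["bytes"] += len(p.payload)
        f["end"] = p.ts
    return flows


def statistical_data(packets):
    """Statistical data: measurements only. Service port is taken as the lower of the
    two ports, a heuristic good enough for well-known services."""
    by_proto, by_port = defaultdict(int), defaultdict(int)
    for p in packets:
        by_proto[p.proto] += len(p.payload)
        by_port[min(p.sport, p.dport)] += len(p.payload)
    return {"packets": len(packets), "bytes_by_proto": dict(by_proto),
            "bytes_by_service_port": dict(by_port)}


def alert_data(packets, signatures=SIGNATURES):
    """Alert data: full content judged against predefined items of interest.
    One (ts, src, dst, rule name) per match; no totals, no flows."""
    return [(p.ts, p.src, p.dst, name)
            for p in packets
            for name, port, rx in signatures
            if p.dport == port and rx.search(p.payload)]


if __name__ == "__main__":
    for k, f in session_data(CAPTURE).items():
        print("flow", k, f)
    print("stats", statistical_data(CAPTURE))
    for a in alert_data(CAPTURE):
        print("alert", a)
```

The point the cards make about tooling follows from the code: session and statistical collectors can run continuously at low cost because they discard payload, while alert data depends on full content being available at the moment a signature is checked.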
Created by: mareed274