forensics 2 Word Scramble

Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.

Normal Size Small Size show me how

Question	Answer
1st thing to collect on windows volatile data	system date and time

2nd thing to collect on windows volatile data	open tcp or udp ports
3th thing to collect on windows volatile data	which executables are opening tcp or udp ports
4th thing to collect on windows volatile data	cached NetBios name table
5th thing to collect on windows volatile data	users currently logged on
6th thing to collect on windows volatile data	internal routing table
7th thing to collect on windows volatile data	running processes
8th thing to collect on windows volatile data	running services
9th thing to collect on windows volatile data	scheduled jobs
10th thing to collect on windows volatile data	open files
11th thing to collect on windows volatile data	process memory dumps
commands to collect windows date and time	date time
What is network based evidence?	data collected that is being sent across the network
commands to collect windows open tcp and udp ports	netstat -an
commands to collect windows executables opening tcp adn udp ports	fport tcpview
commands to collect windows netbios name table	nbtstat -c
commands to collect windows users currently logged on	PsLoggedOn
commands to collect windows internal routing table	netstat -rn
commands to collect windows running processes	PsList
commands to collect windows running services	PsExecSvc
commands to collect windows scheduled jobs	at
commands to collect windows	PsFile
commands to collect windows process memory dumps	net use Z: \\ip_address\data userdump PID dumpchk dump_file
commands to collect windows full system memory dump	dd
What is the reason to perform Windows Live Response?	A lot of evidence is only stored in memory such as info about running processes (malware) and unencrypted versions of files.
What is volatile data?	data that will be lost when the computer is powered off
What is non-volatile data?	Data that will not be lost when the power is turned off
How to transfer live response data over network (to forensic workstation)?	using netcat nc -l -v -p 2222 command\|nc forensic_station_ip 2222
What is the purpose to calculate md5 on the file containing live response data?	To prove the authenticity of the file
How to collect which executables are opening TCP or UDP ports on Linux?	lsof
How to collect running processes on Linux?	ps aux
How to collect open files on Linux?	lsof
How to collect Loaded kernal modules on Linux?	lsmod
How to collect mounted file sytems on Linux?	mount or df
How to collect the system version and patch level?	uname -a and rpm -qa
How to collect a history of logins and users currently logged on?	last
What does lsof do?	It show us a list of all executables open ports and a list of all open files.
What is the /etc/syslog.conf and what log files do you need to pay attention to?	The config file /etc/syslog.conf specifies what information needs to be logged and we need to pay attention to these logs: /var/log/messages, /var/log/secure, /var/log/maillog, /var/log/cron, /var/log/spooler, /var/log/boot.log
What are full content data and session data?	Full content data consists of the actual network packets seen on the wire. session data shows aggregations of packets into flows of associated packets
What are alert data and statistical data?	Alert data is created by analyzing NBE for predefined items of interest Statistical show measurement
What tools do you use to collect full content data?	TcpDump, WinDump, WinPcap, Ethereal, Wireshark, Ngrep, Flowgrep
What tools do you use to collect session data?	Argus, Tcptrace, Tcpflow
What tools do you use to collect alert data?	Snort, Shoki, Bro
What tools do you use to collect statistical data?	Tspdstat, Tcpstat, Ntop, Trafshow

Created by: mareed274