FINAL Final - DFIR exam with complete solutions
September 4, 2024

DF team
This team responds after an attack
IR Team
This team responds during an attack

Find evidence
What responsibility does a Digital Forensics team have?
Reduce further damage
What does an Incident Response team do?
Find undetected threats
What does the Threat Hunting team do?
incident response policy
The most important responsibility of an incident response team is to create THIS
a cyber event
The DFIR process begins when THIS occurs
Processes
These may indicate malicious activity; identify _________ that are acting
erratically
Log Files
These enable an investigator to obtain a picture of what went on in a digital
system. THESE can be located in various directories and may have to be
searched for.
Cached Data
Semi-permanent files that are often used to optimize user experience but can also
be used to track user activity, such as web browser history, recently used or
accessed programs and files, DNS cache, and web browser cookies. Investigating
the contents of THIS can reveal step-by-step activity.
startup programs
can be evidence of persistent malware that is activated by a certain trigger.

Autoruns
an example of a tool that can be used to identify possible startup locations
dd (data dump)
A Linux command line utility for cloning (duplicating) or restoration of secondary
storages, such as drives. The tool can be used on live drives.
FTK Imager
a GUI-based program with advanced features for capturing primary and
secondary storages, including memory and drives. It includes an option to clone
drives on virtual machines.
DumpIt
An acquisition tool often used in Windows systems to dump data from memory
and investigate processes that were running on the machine. It is a combination
of two tools: win32dd and win64dd.
Autopsy
an open-source tool that serves as a front-end GUI to The Sleuth Kit, which is a
collection of command line tools that can perform block device, volume and file
system analysis.
FTK
a proprietary set of utilities that includes an imager tool, and tools used to
inspect cloned drives
EnCase
A proprietary tool that includes many advanced features for image inspection. It
can collect data from block devices, decrypt encrypted data, create forensic block
device images, investigate data, and generate a report for the user.
Volatility
An open-source collection of Python-based tools that support both Linux and
Windows. It has an option to read different types of memory dumps and filter
them according to different parameters.
Rekall
An advanced forensics and incident response framework, developed by Google.
It leverages exact debugging information provided by operating system vendors
to precisely locate significant kernel data structures.
Bulk Extractor
A tool that attempts to rebuild and recover files without using a specific file
system structure. It is known for its speed and thoroughness. It ignores file
system structure; it can process different parts of a disk in parallel.
HxD
Although not carving software, it is commonly used to view raw data. This tool
is a hex editor that can edit a raw disk of any size and modify RAM.
PhotoRec