Toriality's Blog

COMPUTER FORENSICS - 13

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 13 SOURCES: INFOSECINSTITUTE.COM

COMPUTER FORENSICS INTERVIEW QUESTIONS

INTERVIEW QUESTIONS:

Below are 25 interview questions to help you prepare for your next computer forensics interview.
WHAT IS MD5 CHECKSUM?
    An MD5 checksum is a 128-bit value that helps identify a file uniquely. Two files can have the same name, but each will have its own checksum. You use these checksums to compare two different files to determine whether they are the same.
    
NAME SOME COMMON ENCRYPTION ALGORITHMS USED TO ENCRYPT DATA

    
Triple DES, RSA, Blowfish, Twofish, AES.
    
WHAT IS AN .ISO FILE?

    
An ISO file is a disc image that contains an application or the contents of a CD: several files and executables. Most application software can be packaged as an ISO, which you then mount as a virtual drive so you can browse the files inside it. Newer Windows versions come with built-in ISO mounting capabilities.
    
WHAT IS A SAM FILE?

    
A SAM, or Security Accounts Manager, file is a file used specifically on Windows computers to store user passwords. It is used to authenticate both remote and local Windows users, and can be used to gain access to a user's computer.
    
WHAT IS DATA MINING?

    
Data mining is the process of recording as much data as possible to create reports and analysis on user input. For instance, you can mine data from various websites and then log user interactions with this data to evaluate which areas of a website are accessed by users when they are logged in.
    
WHAT IS DATA CARVING?

    
Data carving is different from data mining in that data carving searches through the raw data on a hard drive without using a file system. Data carving is essential for computer forensics investigators to find data when a hard drive is corrupted.
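To make the distinction concrete, here is an added Python example (not from the page or from infosecinstitute) of signature-based carving: it walks raw bytes looking for JPEG and PNG header/footer pairs and never consults a file system. The "drive" and the sample JPEG and PNG inside it are constructed in the code, and an orphan header with no footer is included to show how a truncated file is skipped.

```python
"""Signature-based file carving over raw bytes, with no file system involved."""
import struct
import zlib

# Header and footer byte signatures; JPEG/JFIF and PNG are the assumed formats here.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(raw: bytes, max_size: int = 8 * 1024 * 1024):
    """Return [(offset, kind, data)] for every header that has a matching footer.

    A header with no footer within max_size bytes (a truncated or overwritten
    file) is skipped rather than swallowing everything up to the end of the drive.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            limit = min(len(raw), start + max_size)
            end = raw.find(footer, start + len(header), limit)
            if end == -1:
                pos = start + 1        # orphan header: move on
                continue
            end += len(footer)
            found.append((start, kind, raw[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[0])


def _png_chunk(kind: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def make_png() -> bytes:
    """Build a minimal but valid 1x1 RGB PNG (constructed sample evidence)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")    # filter byte + one red pixel
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


# Constructed JPEG-shaped blob: SOI/APP0 marker bytes, dummy body, EOI marker.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + b"\xff\xd9"


def build_sample_disk() -> bytes:
    """Raw 'drive' with no file system: slack, a JPEG, filler, a PNG, an orphan header."""
    return (b"\x00" * 512 + SAMPLE_JPEG + b"\xab" * 300 + make_png()
            + b"\x00" * 128 + b"\xff\xd8\xff" + b"\x00" * 64)


if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_disk()):
        print(f"{kind} at offset {offset:#x}, {len(data)} bytes")
```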
    
WHAT OPERATING SYSTEMS DO YOU USE?

    
Most computer forensics experts know at least one operating system well. Be honest with this question, but you should know either Windows, Linux or Mac operating systems well. Your interviewer will probably go into more detailed questions based on your answer.
    
WHAT TYPE OF EMAIL ANALYSIS EXPERIENCE DO YOU HAVE?

    
Computer forensics relies on email analysis. You should be experienced with email systems such as MS Exchange and free web-based platforms such as Gmail and Yahoo.
    
WHAT IS STEGANOGRAPHY?

    
Steganography conceals a message within another message. In other words, someone can send an email whose content says one thing, while every third word forms a second message that makes sense to the recipient.
    
WHAT ARE SOME COMMON PORT NUMBERS?

    
TCP port numbers identify the virtual connections created by computers and applications. Common port numbers are 21 for FTP, 80 for web services, 25 for SMTP and 55 for DNS.
    
DESCRIBE THE SHA-1 HASH

    
The Secure Hash Algorithm 1 (SHA-1) is a hash algorithm that creates a 160-bit (20-byte) message digest.
    
DESCRIBE YOUR EXPERIENCE WITH VIRTUALIZATION

    
Do not lie here. Be honest about your experience with virtualization, but be sure to describe the virtual infrastructure you are familiar with, i.e. VirtualBox, VMware etc. Make sure you identify the types of operating systems you have dealt with. You do not have to prove you were a system administrator, but you need to at least understand virtual storage, partitioning, how to log into a virtual machine and the benefits -- as well as the security issues -- of virtualization. It can save a company money by combining the use of resources and minimizing the amount of hardware a company has to purchase. But VM sprawl, which is when an admin duplicates a machine and forgets about it, creates a vulnerability because those machines are not patched or hardened. This is a prevalent issue.
    
HOW WOULD YOU HANDLE RETRIEVING DATA FROM AN ENCRYPTED HARD DRIVE?

    
First determine the encryption method used. For simple encryption types, try finding the configuration file. Use tools such as EaseUS Data Recovery, Advanced EFS Data Recovery or Elcomsoft Forensic Disk Decryptor. You can also use brute-force methods.
    
WHAT PORT DOES DNS RUN OVER

    
Port 55
    
WHAT ARE SOME SECURITY ISSUES RELATED TO THE CLOUD?

    
The biggest issue is the increased potential for data breaches or exfiltration, as well as the potential for account hijacking. The Man in the Cloud attack is a new threat specific to cloud usage. It is similar to a MitM attack: the attacker steals the user token that is used to verify devices without requiring additional logins. Cloud computing also introduces insecure API usage, which is discussed on the OWASP Top 10 vulnerabilities list.
    
DESCRIBE SOME OF THE VULNERABILITIES LISTED ON THE OWASP TOP 10 VULNERABILITIES LIST

    
This list is updated yearly with the current top 10 application security risks. Cross-site scripting is one item that has been on the list year after year, but others on the most current list include injections such as SQL, OS and LDAP injection, security misconfiguration, sensitive data exposure and under-protected APIs.
    
WHAT IS AN ACL?

    
An access control list. It is a list used to grant users and processes access to system resources.
    
HOW WOULD YOU BE ABLE TO TELL AT THE HEX LEVEL THAT A FILE HAS BEEN DELETED IN FAT32?
    
    Run fstat against the FAT partition to gather file system details. Then run fls to list the files in the image; it returns information about deleted files along with their metadata.
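As an added example (not from the page), the following Python code shows what fls is reporting at the hex level. It relies on a FAT fact the answer above does not state: deleting a file overwrites the first byte of its 32-byte directory entry with 0xE5 and leaves the remaining fields and the data clusters in place until they are reused. The directory cluster is constructed inline.

```python
"""Inspecting FAT32 directory entries at the byte level to spot deleted files."""
import struct

ENTRY_SIZE = 32
DELETED = 0xE5       # first name byte is overwritten with 0xE5 on deletion
END_OF_DIR = 0x00    # a zeroed first byte means no further entries
ATTR_LFN = 0x0F      # long-file-name fragment, not a real file entry
ATTR_DIR = 0x10


def parse_dir_entries(block: bytes):
    """Decode 32-byte FAT directory entries; deleted entries are kept and flagged."""
    entries = []
    for off in range(0, len(block) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = block[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break
        attr = e[11]
        if attr == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        base = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            base = "_" + base[1:]     # first character is lost; fls shows it the same way
        clus_hi, = struct.unpack_from("<H", e, 20)
        clus_lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append({
            "offset": off,
            "name": base + ("." + ext if ext else ""),
            "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIR),
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
            "hex": e[:16].hex(" "),   # the bytes you would eyeball in a hex editor
        })
    return entries


def make_entry(name83: bytes, attr: int, first_cluster: int, size: int,
               deleted: bool = False) -> bytes:
    """Build a constructed directory entry (timestamps left zero for brevity)."""
    assert len(name83) == 11, "8.3 name must be exactly 11 bytes, space padded"
    e = bytearray(ENTRY_SIZE)
    e[0:11] = name83
    e[11] = attr
    struct.pack_into("<H", e, 20, first_cluster >> 16)
    struct.pack_into("<H", e, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", e, 28, size)
    if deleted:
        # Deletion only marks the entry; size and cluster pointers survive until
        # reused (some drivers additionally zero the high cluster word).
        e[0] = DELETED
    return bytes(e)


# Constructed directory cluster: one live file, one deleted file, then end-of-directory.
SAMPLE_DIRECTORY = (
    make_entry(b"REPORT  TXT", 0x20, 5, 1200)
    + make_entry(b"SECRET  DOC", 0x20, 9, 4096, deleted=True)
    + b"\x00" * (512 - 2 * ENTRY_SIZE)
)


def deleted_entries(block: bytes):
    return [e for e in parse_dir_entries(block) if e["deleted"]]


if __name__ == "__main__":
    for e in parse_dir_entries(SAMPLE_DIRECTORY):
        flag = "DELETED" if e["deleted"] else "live"
        print(f"{e['offset']:#06x}  {e['hex']}  {e['name']:<12} {flag} "
              f"cluster={e['first_cluster']} size={e['size']}")
```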
    
WHAT ARE SOME TOOLS USED TO RECOVER DELETED FILES?

    
Recuva, Pandora Recovery, ADRC data recovery, FreeUndelete, Active UNDELETE, Active partition or file recovery and more.
    
WHAT IS A FORM OF SIMPLE ENCRYPTION OFTEN USED BY AN INTRUDER OR CRIMINAL?

    
XOR (exclusive or)
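An added example (not from the page) of how an examiner recovers such data: a single-byte XOR key is tried exhaustively and the outputs are ranked by an English-likeness score, with a known-plaintext (crib) check as a second method. The obfuscated blob and the key 0x5A are constructed here.

```python
"""Recovering data obfuscated with a single-byte XOR key during an examination."""

# English letter frequencies (percent) plus a weight for the space character.
FREQ = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "c": 2.8, "u": 2.8, "m": 2.4,
    "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5, "v": 1.0,
    "k": 0.8, "j": 0.15, "x": 0.15, "q": 0.1, "z": 0.07, " ": 13.0,
}
TEXT_CONTROL = {9, 10, 13}   # tab, LF and CR are acceptable in text


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying the same key twice restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(data: bytes) -> float:
    """Higher is more English-like; bytes outside printable ASCII are penalised."""
    score = 0.0
    for b in data:
        ch = chr(b).lower()
        if ch in FREQ:
            score += FREQ[ch]
        elif not (0x20 <= b < 0x7F or b in TEXT_CONTROL):
            score -= 30.0
    return score


def recover_single_byte_xor(blob: bytes):
    """Try all 256 keys and rank candidates best first as (key, plaintext, score)."""
    candidates = []
    for k in range(256):
        plaintext = xor_bytes(blob, bytes([k]))
        candidates.append((k, plaintext, english_score(plaintext)))
    candidates.sort(key=lambda c: c[2], reverse=True)
    return candidates


def keys_matching_crib(blob: bytes, crib: bytes):
    """Known-plaintext variant: keys whose output contains a string you expect."""
    return [k for k in range(256) if crib in xor_bytes(blob, bytes([k]))]


# Constructed sample: a config-like string as it might be found XOR-ed in a recovered file.
SAMPLE_PLAINTEXT = b"connect to host 10.0.0.5 as user backup every 30 min\n"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    key, text, score = recover_single_byte_xor(SAMPLE_BLOB)[0]
    print(f"best key {key:#04x} score {score:.1f}: {text!r}")
    print("keys matching crib 'host ':", keys_matching_crib(SAMPLE_BLOB, b"host "))
```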
    
HOW DO YOU STAY UP TO DATE ON CURRENT CYBERSECURITY TRENDS?

    
This is a personal question; make sure you can share newsletters and websites you visit often. These could include Infosec, Cyberwire, IT whitepapers, and podcasts or webinars given by companies like Nessus, Metasploit and SANS.
    
HOW DO YOU HANDLE CONFLICTING DIRECTION FROM DIFFERENT STAKEHOLDERS?

    
This question is to see how you handle conflict. The best way to answer is that you would first consult your direct supervisor, explain the conflict and ask for guidance on how to proceed.
    
IF YOU NEEDED TO ENCRYPT AND COMPRESS DATA FOR TRANSMISSION, WHICH WOULD YOU DO FIRST AND WHY?

    
Compress then encrypt. Because encryption takes up resources and can be cumbersome to perform, it makes sense to compress the data first.
    
WHAT IS THE DIFFERENCE BETWEEN THREAT, VULNERABILITY AND RISK?

    
  • A threat is the possibility of an attack.

  • A vulnerability is a weakness in the system.

  • Risks are items that may cause harm to the system or the organization.

DESCRIBE YOUR HOME NETWORK

    In cybersecurity-related positions, interviewers often want to know whether your interest in security spills over into your personal life as well. Make sure you know the security features of your router or of your specific ISP. Be sure to mention any additional security measures you have added to your home network.

OPEN SOURCE COMPUTER FORENSIC TOOLS

FORENSIC TOOLKITS:

SANS INVESTIGATIVE FORENSIC TOOLKIT (SIFT)

    Based on Ubuntu, SIFT has all the important tools needed to carry out a detailed forensic analysis or incident response study. It supports analysis in Advanced Forensic Format (AFF), Expert Witness Format (E01) and raw evidence (DD) format. It comes with tools to carve data files, generate a timeline from system logs, examine the recycle bin and much more.
    
    SIFT provides user documentation that allows you to get accustomed to the available tools and their usage. It also explains where evidence can be found on a system. Tools can be opened manually from the terminal window or from the top menu bar.
    
SLEUTH KIT AUTOPSY

    Autopsy is a digital forensic platform that efficiently analyzes smartphones and hard disks. It is used worldwide by a large number of users, including law enforcement agencies, the military and corporations, to carry out investigations on computer systems. It has an easy-to-use interface, processes data fast, and is cost-effective. The Sleuth Kit is a collection of command line tools and a C library that allows the analysis of disk images and file recovery; it is used as the back end of the Autopsy tool.
    
    KEY FEATURES INCLUDE:
    
        Timeline analysis: advanced interface for graphical event viewing.
        
        Hash filtering: flags known bad files and ignores known good files.
        
        Keyword search: indexed keyword search makes file search easier.
        
        Web artifacts: extracting bookmarks, history and cookies from web browsers.
        
        Data carving: recovering deleted files from unallocated space by using PhotoRec.
        
        Multimedia: extracting EXIF data from pictures and watching videos.
        
        Compromise indicators: scanning a computer using STIX.
        
    Pros: good documentation and support.
    
    Cons: it requires special user skills because it is based on Unix.
    
OXYGEN FORENSIC SUITE:

    Available in free and professional versions, this forensic tool helps you to collect evidence from a mobile phone. It collects all device information such as serial number, IMEI, OS, etc., and recovers messages, contacts and call logs. Its file browser feature enables you to access and analyze photos, documents, videos and the device database.
    
    SOME FEATURES:
        
        Built-in cloud data recovery.
        
        Contact aggregation helps to identify linked profiles from all sources, including app accounts.
        
        Social graph features identify the most frequently contacted people, making it easier to conduct the investigation.
        
        The map feature locates all check-ins, map lookups, visited websites and messages containing geolocation metadata across all the devices being studied in the case.
        
        The timeline feature reveals the most active user hours and the most common ways in which the device is operated.
        
        Allows importing messages from three other mobile forensic tools as well as JTAG/ISP, RAW/DD and chip-off dumps.
        
    Pros: it provides several ways to extract data, including Bluetooth, USB cable, iTunes backups, other forensic software backups and Android backups. Also, the main interface is straightforward and easy to use. It provides sophisticated data analysis and includes several useful data analysis tools.
    
    Cons: unlike its competitors, XRY and UFED, its free version does not provide advanced features such as cracking Android backups or locked iPhones.
    
DEFT ZERO:

    Digital Evidence and Forensic Toolkit (DEFT) is a Linux-based distribution that allows professionals and non-experts to gather and preserve forensic data and digital evidence. The free and open source operating system ships some of the best open source computer forensic applications. DEFT Zero is a lightweight version released in 2017.
    
    SOME FEATURES:
    
        Supports 32 and 64 bit hardware with UEFI secure boot.
        
        Supports NVM Express (NVMe) and eMMC storage.
        
        DEFT Zero Linux 2017 can be operated in three booting modes: GUI mode, GUI mode with RAM preload, and text mode.

NETWORK FORENSIC TOOLS:

WIRESHARK:

    
WireShark is one of the most commonly used network protocol analyzers. It allows you to investigate your network activity at the microscopic level. Wireshark is widely used by government agencies, corporations and educational institutes.
    
    FEATURES:
    
        Allows deep investigation into many protocols, with new protocols being added constantly.
        
        Offline and online analysis.
        
        Supports multiple platforms, including Windows, Solaris, Linux, FreeBSD, Mac OS, NetBSD and others.
        
        Network data can be browsed through TTY mode (the Tshark utility) or a graphical user interface.
        
        Powerful display filters.
        
        Strong VoIP analysis.
        
        Reading/writing enabled in multiple file formats, such as tcpdump (libpcap), Cisco Secure IDS iplog, Network General Sniffer (compressed and uncompressed) and Novell LANalyzer, to name a few.
        
        Data can be read live from IEEE 802.11, Ethernet, FDDI, Token Ring and others.
        
        Supports decryption for various protocols, including Kerberos, ISAKMP, IPsec, SSL/TLS, WPA/WPA2 and WEP.
        
        Supports the export of output to CSV, XML or plain text.
        
    Pros: digs deep to uncover minor details in the network data.
    
    Cons: Does not exactly pinpoint the solution you are looking for and dumps raw data into large files for you to figure out.
    
NETWORK MINER:

    
This is a network forensic analysis tool (NFAT) for Windows, MacOS, Linux and FreeBSD. It comes in a free edition as well as a professional paid edition. Network Miner's free edition can:
    
    Work as a passive network sniffer that captures packets to detect hostnames, sessions, open ports and operating systems without generating traffic on the network.
    
    Perform offline analysis by parsing PCAP files.
    
    Regenerate transmitted certificates and files from PCAP files.
    
    Save forensic analysts time by presenting the extracted data in a user-friendly interface.

XPLICO:

    Open source NFAT that extracts application data from internet traffic. For instance, Xplico can extract email, HTTP contents, VoIP calls, FTP, TFTP, etc. from a pcap file.
    
    FEATURES:
    
        Supports HTTP, IMAP, POP, SIP, SMTP, UDP, TCP, IPv6
        
        Multithreading
        
        Port-independent protocol identification for application protocol
        
        Outputs data and information as a MySQL or SQLite database
        
        Associates an XML file with each reassembled data set.
        
        Reverse DNS lookup
        
        No size limit on number of files or data size
        
        Supports IPv4 and IPv6
        
        Modular components, i.e., input interface, output interface and protocol decoder.
        
    Pros: there is no size limit on the number of files. Its command line shows more details, and its geo-map feature can be used in the web interface as well as in console mode.
    
    Cons: it is not possible to copy packets and send them to two separate dissectors; instead, a packet may be lost when the average processing time per packet is longer than the average interval between packets in Xplico.
    

FORENSIC IMAGING TOOLS:

FTK IMAGER:

    
This is a data preview and imaging tool with which one can study files and folders on a hard drive, network drive, and CDs/DVDs. It allows you to:
    
    - Review forensic memory dumps or images;
    
    - Create MD5 or SHA1 hashes of files that have already been deleted from the recycle bin, if their data blocks have not yet been overwritten;
    
    - Mount forensic images to browse their content.
    
    Pros: creates a bit-by-bit image, an exact replica of the drive, thus allowing the investigator to view deleted or otherwise irretrievable files. It also creates a keyword index for every image, which makes future searches easier.
    
    Cons: it doesn't carve files and lacks recursive export capabilities.
    
LINUX "DD":

    
Linux dd is a powerful tool that is installed by default in most Linux distros (Fedora, Ubuntu). It can be used for a number of forensic tasks, such as creating a raw image of a file, folder or drive.
    
    On the negative side, it can be quite destructive if not used properly, thus earning the name Data Destroyer from some users. It is therefore advisable to test the command in a safe environment first and only then apply it to the real data.
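As an added Python example covering both this section and the MD5/SHA-1 interview questions above (it is not part of the page or of dd itself), the imager below copies a source block by block, zero-fills unreadable blocks the way `dd conv=noerror,sync` does, hashes the bytes as they are written and verifies the finished image. The failing drive is a constructed stand-in (FlakySource) so the example runs offline; with a real device you would pass an open file object instead.

```python
"""dd-style raw imaging: block copy, zero-fill unreadable blocks, hash while
copying, then verify the image against the acquisition hashes."""
import hashlib
import io

BLOCK = 512


class FlakySource:
    """Constructed stand-in for a failing drive: read() raises on chosen blocks."""
    def __init__(self, data: bytes, bad_blocks, block: int = BLOCK):
        self.data, self.bad, self.block, self.pos = data, set(bad_blocks), block, 0

    def read(self, n: int) -> bytes:
        if self.pos // self.block in self.bad:
            raise OSError("simulated I/O error")   # position does not advance
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, offset: int) -> None:
        self.pos = offset


def image_stream(src, dst, block: int = BLOCK) -> dict:
    """Copy src to dst like `dd conv=noerror,sync`: an unreadable block is written
    as zeros and skipped, so offsets in the image still line up with the source.
    MD5 (128-bit) and SHA-1 (160-bit) are computed over the bytes written."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = bad = 0
    while True:
        try:
            chunk = src.read(block)
        except OSError:
            chunk = b"\x00" * block
            bad += 1
            src.seek(total + block)          # step over the bad block
        if not chunk:
            break
        dst.write(chunk)
        md5.update(chunk)
        sha1.update(chunk)
        total += len(chunk)
    return {"bytes": total, "bad_blocks": bad,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def verify_image(image: bytes, report: dict) -> bool:
    """Re-hash the written image and compare with the hashes taken during acquisition."""
    h = hash_bytes(image)
    return h["md5"] == report["md5"] and h["sha1"] == report["sha1"]


def demo():
    """Image a constructed 4-block 'drive' whose third block cannot be read."""
    data = bytes(range(256)) * 8                # 2048 bytes = 4 blocks of 512
    dst = io.BytesIO()
    report = image_stream(FlakySource(data, bad_blocks={2}), dst)
    image = dst.getvalue()
    expected = data[:1024] + b"\x00" * 512 + data[1536:]
    return report, image, expected


if __name__ == "__main__":
    report, image, expected = demo()
    print(report, "layout ok:", image == expected, "verified:", verify_image(image, report))
```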
    
IXIMAGER:

    
This provides a small and fast-booting forensic imaging environment in a microkernel that runs from portable media. It boots the device directly, captures and authenticates a computer system, and reconstructs the file system.
    
    FEATURES:
    
        Securely accounts for data corruption.
        
        Documents and records data tampering 
        
        Uses high-speed data compression RW
        
        Allows data to span different file systems, media types and output devices.
        
        Creates detailed data acquisition logs.
        
        Creates an encrypted authentication log file for user actions and locks it to prevent it from being tampered with.
        

MEMORY FORENSICS:

MAGNET RAM CAPTURE:

    
Magnet RAM Capture is one of the many tools provided by Magnet Forensics. It is a free tool that captures the physical memory of a computer, which helps forensic investigators recover and analyze useful artifacts held in memory.
    
MEMORYZE:

    
Memoryze helps discover malicious activity in live memory. It can acquire and analyze memory images.
    
    FEATURES:
    
        Creating an image of the entire system memory.
        
        Creating an image of a specific driver, or of all drivers in memory, to disk.
        
        Creating an image of the complete address space of a process to disk.
        
        Enumerating and listing all running processes.
        
        Identifying drivers that are loaded in memory.
        

WEBSITE FORENSICS:

FAW (FORENSIC ACQUISITION OF WEBSITES):

    
This is the first browser built to acquire web pages from live websites for the purpose of forensic investigation.
    
    FEATURES:
    
        Viewing and editing the hosts file.
        
        Audio/video capture
        
        Acquiring code for iFrames on the webpage
        
        Acquiring IP address and hostname of the page
        
        Support for English, French, Italian and Polish languages.
        
        Improved performance and stability
        

REMOVABLE MEDIA FORENSICS:

USB HISTORIAN:

    
This tool parses all the USB history information from the Windows Plug and Play registry keys. This gives you a complete record of the USB drives that were inserted into the machine. The tool was originally intended for forensic investigations related to theft, movement or unauthorized access of data.
    

DATA CAPTURE AND DISK TOOLS:

NMAP:

    
Nmap is a free and open source tool for network discovery and security auditing. It is a useful piece of software designed for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
    
    FEATURES:
    
        Flexible and supports dozens of advanced techniques for mapping out networks.
        
        Scales to huge networks with thousands of machines.
        
        Most operating systems are supported.
        
FIDDLER:

    
Fiddler helps you debug web applications by capturing network traffic between the internet and test computers.
    
VOLATILITY:

    
Volatility is a tool for extracting digital artifacts from volatile memory (RAM) samples.
    
    FEATURES:
    
        Supports memory dumps for Windows, Linux, Mac OS X, and Android
        
        Open Source GPLv2 and written in Python
        
        Extensible and scriptable API
        
        Unparalleled feature sets based on reverse engineering and specialized research
        
        Fast and efficient algorithms let you investigate RAM dumps from large systems
        
HXD

    
HxD is a fast hex editor that allows editing and modifying main memory (RAM) and handling files of any size.
    
    FEATURES:
    
        Available as a portable and an installable edition.
        
        Flexible and fast searching/replacing for several data types.
        
        File compare incorporated
        
        Basic statistic data analysis
        
        Easy to use and modern interface
        
        Clipboard support for other hex editors
        

EMAIL ANALYSIS:

EDB VIEWER:

    
EDB Viewer aids system administrators in opening EDB files without the installation of an MS Exchange Server.
    
    FEATURES:
    
        Views the Exchange data on stand-alone workstations
        
        Open corrupted EDB files
        
        View user mailboxes and public folders 
        
        Filter the mailbox data based on various criteria
        
MBOX VIEWER:

    
Standalone MBOX explorer tool. It allows you to easily open MBOX files, emails and attachments from any email client.
    

FILE DATA AND ANALYSIS:

EXIFTOOL:

    
ExifTool is a platform-independent Perl library plus a command line application for reading, writing and editing meta information in a wide variety of files.
    
LASTACTIVITYVIEW:

    
LastActivityView is a tool for Windows that collects information from various sources on a running system and displays a log of actions performed by the user and events that occurred on the computer.
    
    FEATURES:
    
        Know which user ran an .EXE file.
        
        History of opened files and folders, and of view-folder actions.
        
        Information related to software installation.
        
        System startup and shutdown logs.
        
        Software crash logs
        
        Logs about user logon and logoff
        

MOBILE DEVICES:

IPBA2:

    
Allows browsing through the contents of an iPhone/iPad backup made by iTunes or other backup software. It is packed with all the routines needed to understand and show the content of the files found.
    
SAFT:

    
Free and easy mobile forensic application that allows you to extract valuable information from a device in just one click. It only supports Android devices.
    
    It can collect:
    
    - Call logs.
    
    - SMS logs
    
    - The full contact list
    
    - Well-structured reports
    

INTERNET ANALYSIS:

BROWSER HISTORY CAPTURER:

    
Allows you to easily capture web browser history from a Windows computer. The tool can be run from a USB dongle to capture history from web browsers.
    
DUMPZILLA:

    
Dumpzilla is developed with the purpose of extracting all forensically interesting information from Firefox, Iceweasel and SeaMonkey browsers for analysis.
    

REGISTRY ANALYSIS:

PROCESS MONITOR:

    
Allows you to monitor registry, file system, process and thread activity.
    
REGSHOT:

    
Allows you to promptly take a snapshot of your registry and compare it with a second one taken after making system changes or installing new software.
    
WINDOWS REGISTRY RECOVERY:

    
This tool allows reading files containing Windows registry artifacts. It extracts useful information about configuration and Windows installation settings.
    

DATA ANALYSIS SUITES:

BURP SUITE:

    
Integrated platform for performing security testing of web applications.
    
    FEATURES:
    
        Operates as a proxy server
        
        Often used for performing automated vulnerability scans.
        
        Used to manually test an application and also to perform automated attacks
        
        It has a module for transforming encoded data into its canonical form.

X-WAYS FORENSICS:

    
Advanced platform for digital forensics investigators.
    
    FEATURES:
    
        Disk imaging and cloning.
        
        Ability to read file system structures inside various image files.
        
        Automatic detection of deleted or lost hard disk partitions.
        
        Various data recovery techniques
        
        Memory and RAM analysis
        
        Extracts metadata from various file types
        
        Ability to extract emails from various available email clients
        
PLAINSIGHT:

    
Versatile computer forensics environment that allows inexperienced forensic researchers to conduct common tasks using powerful open source tools.
    
    FEATURES:
    
        Get hard disk and partition information.
        
        Extract user and group information
        
        Examine Windows Firewall configuration
        
        Discover recent documents
        
        Examine physical memory dumps
        
        Preview a system before acquiring it
        
MICROSOFT SYSINTERNALS SUITE

    
Offers technical resources and utilities to manage, diagnose and troubleshoot Windows environments.