gistfile1.txt

2 (COMP5350- 20pts, COMP 635*-15pts) Essay question. Explain “live incident response” (aka live forensic analysis). Why you do it, what you hope to achieve, how it produces useful evidence. Why live? What kind of information? (5-6 sentences, bullets, diagram if useful).
● Live Incident Response Process addresses running system
● forensically sound way to collect data and analyze it
● Data that we will be looking for - volatile data. Since, Non volatile data can be collected even
when system turns off
● what we are looking for : network connections, activities ongoing, running states of processes
● Once turned off, the system’s temp files, log files and some volatile registry files are altered- in
order to capture data that is only available in running system
3 (COMP 5350-15pts, COMP 635*-12pts). Explain the differences between “volatile” and “non-volatile” data, and give examples of each for Windows and Linux – bullets/lists/facts.
The main difference between volatile and non-volatile storage is what happens when you turn-off the system.
Volatile data is lost instantly the power is cut off.
Non volatile data remains as it is irrespective of power supply.
Any two or more examples for each type.
Windows volatile data:
● The System Date and Time
● Current Network Connections
● Open TCP and UDP Ports
● Which Executables are opening TCP/UDP ports
● Cached NetBIOS Name Table
● Users Currently Logged in
● Internal Routing T able
● Running Processes
● Running Services
● Scheduled Jobs
● Open Files
● Process Memory Dumps
● Windows Registry Settings [not in book]
Windows non-volatile data:
● System V ersion and Patch Level
● File System Time and Date Stamps
● Registry Data
● Audit Policy
● History of Logins
● System Event Logs
● User Accounts
● IIS Logs
● Suspicious Files
Linux volatile data:
● System date and time
● Current Network Connections
● Open TCP/UDP Ports
● Which executables are opening TCP/UDP ports
● Running processes
● Open files
● The internal routing table
● Loaded kernel modules
● Mounted file systems
Linux non-volatile data:
● /proc/cpuinfo - CPU info
● /proc/meminfo - Memory info
● /var/run/utmp - full accounting of current state of system
● history files
● log files
4 (COMP-5350-5pts, COMP 635*-4pts). Why is Linux preferred and recommended by the book (and more generally) as “the forensic workstation.” Short answer (bullets with reasons).
If any two of these points mentioned, full points were given.
● more secure
● flexible
● in-built tools
5 (COMP 5350-15pts, COMP 635*-12pts). Diagram out and explain the Windows/Linux virtual machine set up you did for HW #1 part1, including networking. Bulleted list of information OK, essay format of full sentences not required.
Diagram carried points. (3 points). Rest were for explanation.
host system two vms
oracle virtual box
vms connected via nat network linux vm
netcat listener over tcp connection forensic workstation
windows system
system under test
points listed
1) check file integrity - use md5
5 (COMP 5350-10pts, COMP 635*-8pts). Explain the purpose and function of netcat (ns) – features/uses/bullets/facts.
Netcat is a feature-rich network debugging and investigation tool.
Working :
Netcat makes and accepts TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) connections. Netcat writes and reads data over those connections until they are closed. It provides a basic TCP/UDP networking subsystem that allows users to interact manually or via script with network applications and services on the application layer.
6 (COMP 5350-10pts, COMP 635*-8pts). Explain the purpose and function of dd in the windows and linux conexts (e.g., forensics dd) – features/uses/bullets/facts.
dd is an imaging tool for hard disks.
Linux - built in command line tool
Windows- get a third party tool to use dd command Uses of dd
· Data transfer
· master boot record back up and restore
· Data deletion/wiping
· Data recovery
· Data modification
7 (COMP 5350-10pts, COMP 635*-8pts). List several kinds of challenges to forensics that are new in a cloud computer environment as compared to a computer environment owned by and controlled by an organization - bullets/facts.
● Physical Inaccessibility
● Arbitrary Location
● Volatile Data
● Replicated Data
● Multi-tenancy
● Potential for Collusion
● New attack surface (bigger)
8 (COMP 5350-10pts, COMP 635*-8pts). Describe any other forensic software tool you’ve learned about in class or in the book, besides dd and netcat, express what it does and how useful - bullets/facts.
Points were allotted for following: Name of Tool of your choice Functions it does

Forensic Uses
[COMP 5350-You’ve reached 100 points here.]
9 (COMP 5350-6pts, COMP 635*-6pts). Define digital/computer forensics (short answer – 2-3 sentences maximum).
An applied science to identify an incident, collection, examination, and analysis of evidence data” Some Applications of DF-
Intellectual Property theft
Industrial espionage
Employment disputes Fraud investigations Forgeries
10 (COMP 5350-7pts, COMP 635*-7pts). Describe the “phases” of a forensic procedure. List them and define them briefly.
Need not be same side headings, if content matched we allotted points.
Evaluation
When a situation is presented, DF expert should be able to understand
● nature of data presented.
● necessary approvals to collect data from relevant authorities,
● getting specialized personnel on-board for expert advice
● preparing tools that might be needed in the next steps.
Acquisition
Once the Evaluation stage is carried out, acquisition of data starts. In this process, data related to the case is
● identified : find the data on different devices and putting together their relevance to the case
● acquired : without modifying the identified data, it has to be acquired by the forensic examiner in
order to carry out further steps
● transported : a copy of available data is made
● stored : the collected data is stored in order to produce documentation
Analysis
This phase is the critical phase as it involves various tasks such as - manual data examinations to using advanced tools to get to the roots of the problem and identifying the persons involved.
Presentation
Every step that is carried out is documented and produced to the client / jury in order to make them realize the problem and the background that provoked the situation that is being examined.
(Optional)Post-Process:
This phase deals with closing of the case which includes-
● making sure the data used for examination is not exploited and is in it’s right state
● review of the all the steps and if any of them had complications - measures needed to be taken to
avoid them are put forth and are made a note.
Above steps are sometimes carried out multiple times for a single situation, in order to be exact with the forensic examination.
11 (COMP 5350-7pts, COMP 635*-7pts). Explain how rules of evidence impact digital forensics. 2-3 sentences.
The growth and evolution of digital forensics has been closely informed and guided by cyber laws. The rules of evidence govern how an organization goes about proving its case in a legal proceeding. Initially courts followed Frye Standard, Frye Test, General Acceptance Test but it is superseded by Daubert standard in many places. Other standard is Federal Rules of Evidence.
The (generalized for all 3 mentioned standards) requirements of these standards to determine reliability and validity of forensics tools and technologies we use are :
· potential error rates
· whether it has been subjected to peer review and publication
· whether the tools and techniques can be and/or been tested
· whether it has been accepted and owned by relevant scientific community These requirements impact forensic investigation because of the following reasons:
· tool vendors have not published information relating to error rates or even the exact reasons for minor and major version changes
· there is no entity that certifies or accredits computer forensics tools, nor assumes accountability for their testing
· no existing relevant scientific community, since digital forensics is relatively a new field