Exam Questions and CORRECT Answers
Common types of Anti-forensics utilized - CORRECT ANSWER - These are the common locations anti-forensics targets:
-filesystem
-registry
-other (event log tampering and process evasion)
-time to respond to an intrusion is the biggest factor in whether or not we discover malicious activity; artifacts may roll out of the logs
Common types of Anti-forensics utilized: FILE SYSTEM - CORRECT ANSWER - These are the common anti-forensics techniques used in file systems:
-timestomping
-file deletion
-file/free space wiping
-data encryption
-fileless malware (not artifact-less)
Common types of Anti-forensics utilized: REGISTRY - CORRECT ANSWER - These are the common anti-forensics techniques used in the registry:
-registry key/value deletion
-registry key/value wiping
-hiding scripts in registry
Common types of Anti-forensics utilized: OTHER - CORRECT ANSWER - These are the common anti-forensics techniques used in the OTHER category:
-event log deletion/tampering
-process evasion with rootkits and code injection
Timestomping - CORRECT ANSWER - Timestomping is a technique used to alter a file's timestamps to hide changes or new files. It is a common anti-forensic tactic used by threat actors to make it harder for examiners to find important artifacts.
Here are some details about timestomping:
How it works
Timestomping modifies a file's timestamps, such as the create, access, change, and modify times. The most common method is to modify the $STANDARD_INFORMATION ($SI) attribute, which is the one displayed to the user.
-attackers often make a file's creation time and modification time similar to those of the surrounding files in order to blend in
File deleting/wiping - CORRECT ANSWER -
-attackers use tools to overwrite and delete malware or data that was exfiltrated
-some LOL (living off the land) techniques do overwrite data, but many attackers use a tool like SDelete.exe to delete data. However, this won't allow attackers to hide the fact that they used a wiping tool
-attackers often wipe escalation tools and archive files like RAR archives
Anti-forensics utilized: data encryption - CORRECT ANSWER -
-attackers use encryption methods to hide the data they are stealing. This is commonly in a RAR format and is difficult to break into.
Anti-forensics utilized: fileless malware - CORRECT ANSWER - Fileless malware is a type of malicious software that operates entirely within a computer's memory, meaning it doesn't write any files to the hard drive. This makes it difficult to detect with traditional antivirus software that relies on file-based detection methods; instead, it uses legitimate system tools to execute its malicious code, which is often referred to as a "living off the land" attack.
How fileless malware attacks might occur:
Exploiting vulnerabilities: an attacker might exploit a system vulnerability to inject malicious code into a running process.
Anti-forensics utilized: registry key modification - CORRECT ANSWER -
-once a key/value is added to a registry hive file, it is difficult to fully remove
-Windows operating systems go to great lengths to back up registry hive files
Anti-forensics utilized: event log tampering - CORRECT ANSWER -
-attackers have cleared event logs for a long time
-advanced attackers are able to suspend and modify these event logs
-logs forwarded to a SIEM are protected against these methods
Volume Shadow Copies (VSS/VSC) - CORRECT ANSWER - A "volume shadow copy" is a technology within Microsoft Windows, also known as the "Volume Shadow Copy Service (VSS)," which allows users to create snapshots or backup copies of files and volumes on a computer even while they are actively being used.
-provides backups of nearly the entire volume at earlier points in time
-they are similar to virtual machine snapshots
-you are able to recover key files like event logs, registry hives, malware, and even wiped files
-scope snapshots were introduced in Windows 8+
-XP restore points are created by various activities, including application installation, Windows updates, and driver installation
-these triggers cause backups of key system files like EXEs, DLLs, drivers, and registry files
-Vista+ started to use persistent snapshots, but a few files are excluded; these are listed in backuprestore\filesnottosnapshot. Some Windows versions may exclude the hibernation file and page file from the VSS backup
Scope Snapshot - CORRECT ANSWER - A "Scope Snapshot" refers to a specific type of
snapshot that captures only a defined set of data within a larger system, essentially limiting the