CYSA+ Chapter 7
What are three important things that a digital forensics workstation should have? - ANS-A powerful, multicore CPU, plenty of RAM, and lots of fast, reliable storage.
What are write blockers? - ANS-Tools that ensure that drives connected to a forensic system or device cannot be written to.
What is the purpose of an imaging utility? - ANS-It creates a forensic image of a complete disk, a disk partition, or a logical volume.
What is slack space? - ANS-The space left over when a file is written.
What are packers? - ANS-Tools used in many malware packages to protect the malware from reverse engineering.
What are the steps to the forensics process? - ANS-1. Determine what you are trying to find out.
2. Outline the locations and types of data that you will need.
3. Document and review your plan.
4. Acquire and preserve evidence.
5. Perform the initial analysis.
6. Use the initial analysis to guide further work.
7. Report on the findings of the investigation.
What information can be found in the Windows Registry? - ANS-Information about files and services, locations of deleted files, evidence of applications being run.
What information can be found in the Autorun keys? - ANS-Programs set to start on startup (often associated with malware or compromise).
What information can be found in the Master File Table (MFT)? - ANS-Details of inactive/removed records.
What information can be found in the Event logs? - ANS-Logins, service start/stop, evidence of applications being run.
What information can be found in the INDX files and change logs? - ANS-Evidence of deleted files, MAC timestamps.