What constitutes an “incident”?
An incident is described as a threat to the policies relating to computer security.
What is Incident Response (IR)?
It is a structured process that follows a problem from its discovery through to its resolution. IR may involve activities that:
Decide whether a situation is present
Offer fast acknowledgement and quarantine of the problem
Find and discuss the issue
Discard a non-unified explanation
Come up with real facts regarding the problem
Decrease issues with organizational networks
Decrease harm to the business or company
Restore regular performance
Control the public's view of the issue
Offer a basis to proceed against the criminals
Educate higher administration
Ensure safety and protection against new problems
What part of a Windows system stores all passwords?
Windows saves its passwords in the control section of the platform. It computes a LanMan (LM) hash for passwords that are shorter than 15 characters. If the password is shorter than nine characters, the NTLM hash is used. The password is integrated into the main point of the program setup.
What is C2 (command and control) data?
C2 data consists of the directions that a hacker gives and the answers received back from the compromised process. C2 servers are not tied to a single individual, and hackers use this channel to issue commands and obtain information.
Which TCP port is commonly used as a web proxy port?
The TCP port that is commonly used as a web proxy port is 88.
How can you determine a list of running processes on a Windows system?
The Processes tab in the system's Task Manager shows what is currently active and running on the system.
Define/Describe E2EE (end-to-end encryption)?
The process encodes information at the card reader and only decodes it once it reaches its final destination.
Instant attack
Recognize threat
Extend rights
Inside intelligence
Go around or side to side
Inside proximity
Finish operation
How many phases are in the attack lifecycle? Do all attacks encompass all phases of the attack lifecycle?
The attack lifecycle has seven phases. Not all attacks encompass all phases of the attack lifecycle.
Is all malware (malicious software) operating system (OS) specific?
Malware is not always specific to one operating system; malicious code such as a Java program can determine what type of system is present before sending the harmful data.
Explain the pros and cons of completing a live response evidence collection versus a forensic disk image?
Live response information is collected and preserved so that the relevant information can be found faster. In the past, all of the content was kept, but this was not very useful because of the time it took and the problems that occurred. Using the live information helps keep the operation running without much disruption. The hacker won't be able to harm or steal everything, but will only get a small amount.
Define/Describe mtime, atime, and ctime (MAC) times in Windows NTFS (New Technology File System)?
The main metadata kept in the MFT is the file timestamps. The NTFS timestamps are called MACE times by researchers. There are four timestamps. The first timestamp is Modified, which relates to the last time the data was edited. The second timestamp is Accessed, which relates to the last time the data was viewed. The third timestamp is Created, which records the moment the data was made. The fourth timestamp is Entry Modified, which records the last time the MFT entry was edited rather than the data inside it.
Define/Describe alternate data streams in Windows NTFS?
An MFT file record can have more than one named data stream. Each stream has its own set of runs and acts like a file attached to the main file. An ADS does not have its own unique MACE timestamps.
Define/Describe the following terms in the context of digital forensics and the FTimes open-source tool?
The baseline is related to the setting that has been used the least of all the settings.
A snapshot involves keeping a previous image of the system, captured at a point in time, that can be used to set the system back to that earlier state.
Change analysis relates to the process followed when moving files.
A message digest keeps information safe while it is in a message by using hash functions.
Perspective is the main point.
Acuity refers to the information being real and factual.
Integrity relates to the information not being harmed, so that it is safe and accurate.
What is the test used to determine the reliability of a scientific technique as set forth by the “Daubert” case?
There are four categories that are considered when deciding whether the forensic measures used in a case were reliable. The court or judge decides whether the reliability factors are real and truthful. This relates to the case of Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579. The four categories involved in determining reliability are:
Has the scientific theory been examined or analyzed?
Has the theory been reviewed by peers or published in a journal?
Is there a known problem? Are there guidelines in place that govern the technical operation?
Is the process accepted within the scientific community in which it exists?
Describe indicators of compromise (IOC) creation?
IOC creation captures the situations or pieces of information that have been analyzed and structured. The process revolves around all areas of the network and host. This wide variety includes IP addresses, persistence mechanisms, Active Directory names, exported file names, domain names, and protocol signatures of malware networks. The main point is to ensure people can accurately look up information in a detailed, communicable manner. It may not find exactly what you're looking for because it is only a definition. People may need to buy into the IOC language.
Describe the 5 “W”s that we attempt to answer via incident response and digital forensics?
Answering the five W's and one H is very critical. These are who, what, when, where, why, and how. The questions that may be asked to find out information are: Who used the computer? What section does the person answer to? Were there people at the operating system? What time did the incident occur? Has anyone spoken with the people at the computer? How did it happen?
Describe how we use the MD5 one-way cryptographic hash to verify file integrity?
If you use a cryptographic hash, it will identify what is stored in the file. You can be confident that you are looking at the proper file. MD5 has been a popular tool for examining files.
Describe what we mean by volatile data in the context of digital forensics. Name some types of volatile data?
Volatile memory needs power to keep the volatile data held in RAM, and RAM needs power to store the data and keep it intact. A few examples of volatile data are cached information and the instructions a computer goes through to run a program.
Explain why you might want to have your digital forensics tools stored on read-only media such as DVD-R?
Keeping forensic tools on a read-only disc is safer, because people cannot alter or change the information on it. A read-only disc carries little risk of malware tampering with the forensic tools, so their integrity is preserved.