Posts

Showing posts from June, 2020

hibernation files more prevalent on mobile devices - hiberfil.sys

What is the hibernation file and what purpose does it serve? What type of data can we expect to find in this file? Are hibernation files more prevalent on mobile devices? Please explain. Hibernate mode uses the hiberfil.sys file to store the current state (memory) of the PC on the hard drive, and the file is used when Windows is turned back on. In Hibernate mode the PC power is down entirely, so you can even take the battery out, put it back in, and be right back where you were. When hibernate is enabled it reserves some of your disk for its file, hiberfil.sys, which is allocated at 75 percent of your computer's installed RAM, to store the current state (memory) of the PC on the hard drive; the file is used when Windows is turned back on, and all the contents and user work remain as they were because the contents of the system's RAM are stored on the hard disk by the system. Since a mechanism was proposed for smartphones based on hibernation called Hibernation Mechanism in

Browser internet History storage - artifact creation

Where is internet history stored by default on a Windows operating system? How do different browsers store internet history? What is the effect of running browsers in "privacy" or "incognito" mode on artifact creation? By default, Windows stores user internet history at C:\Users\<Username>\AppData\Local\Microsoft\Windows\History and C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache. Internet Explorer: Internet Explorer internet history records are stored in the WebCacheV01.dat ESE database, under C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\. Google Chrome: Google Chrome's browser cache contains information from Internet sites you have visited. It may store images and videos, or the layouts for entire Web pages. Chrome uses these files to make websites load faster. The cache lives at \AppData\Local\Google\Chrome\User Data\Default\Cache. The Google Chrome browser keeps the browsing history for 90 days and then it deletes the history automaticall

Windows vs Linux Artifacts

Windows uses a Registry to store system, software, and user settings. What does Linux use to store this type of information? Does Linux or Windows provide more evidence (artifacts) from a forensic analysis perspective? Please explain. According to (Imam, 2017), Linux holds many file systems of the ext family, including ext2, ext3, and ext4. Linux can provide empirical evidence if the Linux-embedded machine is recovered from a crime scene. In this case, forensic investigators should analyze the following folders and directories. /etc [the Windows counterpart is %SystemRoot%/System32/config]: the system configuration directory, which holds separate configuration files for each application. /var/log: this directory contains application logs and security logs; they are kept for 4-5 weeks. /home/$USER: this directory holds user data and configuration information. /etc/passwd: holds user account information, along with /etc/shadow, /etc/hosts, /etc/sysconfig and /etc/syslog.conf. Windows provided mo

Unpatched Security Vulnerabilities

WannaCry is ransomware that contains a worm component. It attempts to exploit vulnerabilities in the Windows SMBv1 server to remotely compromise systems, encrypt files and spread to other hosts. Systems that have installed the MS17-010 patch are not vulnerable to the exploits used. Patches to address the vulnerabilities identified in Microsoft Security Bulletin MS17-010 are available for all versions of Windows from XP onward. The 2017 WannaCry ransomware attack was probably the clearest example of what can go wrong when patches aren't applied; while a patch for the vulnerability exploited by the ransomware had existed for several months, many organizations had failed to use it. Software vendors are constantly publishing new patches to fix problems in software that they have sold. It's then up to the users of the software to apply the patches. WannaCry would have been avoided if users had updated and patched their operating systems - Keep systems up to date a

Computer Forensics' LAB


File Signatures

Reference Site: https://www.garykessler.net/library/file_sigs.html (File Signature Table). What are file signatures? How do they relate to file carving? How does the size between a file header and footer affect carving? According to ("File Signatures", 2020), file signatures or magic numbers are a set of constant numerical and text values used to identify a file format; thus every file type requires a unique signature in order for an operating system to recognize it, classify it and show it to an end user. The object of carving is to identify and extract (carve) the file based on this signature information alone. File carving is a process used in computer forensics to extract data within a block of raw data by searching for the magic numbers or file signatures. Since file carving is usually done by examining the header (the first few bytes) and footer (the last few bytes) of a file, a larger distance between the footer and header will affect the amount of data r

National Cyber-security and Communications Integration Center (NCCIC) 113th

113th Congress: Bills in the 113th Congress have been more limited in scope than those in the 112th. H.R. 3696 and S. 1353 would establish a process led by NIST like that created in Executive Order 13636. H.R. 3696 and S. 2519 would provide statutory authority and stipulate responsibilities for the National Cyber-security and Communications Integration Center (NCCIC), which was established by DHS in 2009 under existing statutory authority to provide and facilitate information sharing and incident response among public and private-sector CI entities. S. 2519 was enacted in December 2014. H.R. 3696 would also give DHS responsibility for coordinating across critical infrastructure (CI) sectors on cyber security activities, providing incident response to assist CI entities, and promoting the development of cyber security technologies. The major point brought up above is sharing incident response plans among public and private-sector critical infrastructure entities. It should be require

Memory Acquisition and Analysis - RAM Information

Why is memory acquisition and analysis important? What types of information can be acquired from RAM that may not be available on a hard drive? Memory acquisition and analysis is important because it includes the memory that was stored before the system crash, which provides experts with diagnostic information at the time of the crash and contains the code that caused the crash. Through the practice of memory forensics, experts are supplied with run-time system activity, such as open network connections or recently executed commands and processes. Before programs are executed on the computer, they are loaded into memory, making memory forensics highly important. Each program or piece of data that is created, examined, or deleted is stored in the RAM. The information that can be acquired from RAM includes images, all web-browsing activity, encryption keys, network connections, or injected code fragments. According to ("The Importance of Memory Forensics", 2017) Attac

Hardware and software Write Blockers

What are write blockers? Why would you choose a hardware write blocker over a software write blocker? In what situations would you use a software write blocker? Is evidence that has been acquired without a write blocker admissible in court? Write blockers are tools that permit read-only access to data storage devices without compromising the integrity of the data. A write blocker, when used properly, can guarantee the protection of the data chain of custody. I would choose a hardware write blocker because they are portable and hard to manipulate, since hardware write blockers have write-blocking software installed on a controller chip inside a portable physical device. Hardware write blockers provide built-in interfaces to several storage devices and can connect to other types of storage with adapters. Hardware devices that write block also provide visual indication of function through LEDs and switches. This makes them easy to use and makes functionality clear to users. S

Dead and Live box Data Acquisition

Compare and contrast dead and live box data acquisition. When would a live acquisition be preferable to a dead acquisition? Is it legal or accepted practice to copy evidence from a cloud provider during live acquisition, such as copying files from a suspect's Dropbox account before shutting off the system? A live acquisition is where data is retrieved from a digital device directly via its normal interface while it is powered; for example, switching a computer on and running programs from within the operating system. Dead-box acquisition, by contrast, is the methodology referred to as "pull the plug" on the computer system prior to acquiring an exact copy of the hard drive, a technique that analyzes the data at rest (MAYO, 2016). A live acquisition is preferable when the investigator is to confiscate a live system before cutting the power. A live system refers to systems that are up and running, where information may be altered as data is continuously processed, and switching it off may cause

Computer Security Incident Response Team (CSIRT) Planning

It is important to have a CSIR plan because the incident response process safeguards your organization from a potential loss of revenue. The faster your organization can detect and respond to a data breach or other security incidents, the less likely it will have a significant impact on your data, customer trust, reputation, and revenue. According to ("Incident Response Plan - Cipher", 2020), having a CSIR plan helps in the following: Protecting data is of importance both personally and professionally. By following an updated incident response plan, your team can proactively protect your data. Protecting data assets throughout the incident response process includes countless tasks and responsibilities for the IR team. Protecting organization reputation and customer trust: IDC found that 78% of consumers would take their business elsewhere if directly affected by a data breach. If a security breach is not properly handled quickly, the company risks losing some or

Chain of Custody - OJ Simpson case

Research the OJ Simpson trial. How do you think chain of custody was handled? What should have been done differently? There were a lot of doubts due to the amount of evidence that was collected but not actually recorded using the chain of custody. This resulted in theories being created which claimed that the police and scenes of crime officers were actually planting evidence. An example of evidence that was collected but not recorded in the chain of custody would be the drops of blood that were found at the crime scene, which scenes of crime officers thought were OJ Simpson's; it was later found that the test tube filled with blood was not sent straight to the lab for inspection but was left at the police station for many hours before actually making its way to the lab to be analyzed, which further increased suspicion that evidence was being tampered with. Everything from the crime scene should have been documented and handed over to the right personnel in charge, and for the time sensitive sa

File Carving or Data Carving

What does the term "data carving" or "file carving" really mean? What are the implications of carving with a large distance (in bytes) between the header and footer? Is it feasible for a malware author to create their own file format, hide the file on a system, and use carving to extract it? File carving is the process of reassembling computer files from fragments in the absence of file-system metadata. File carving is a well-known computer forensics term used to describe the identification and extraction of file types from unallocated clusters using file signatures. A file signature, also commonly referred to as a magic number, is a constant numerical or text value used to identify a file format ("Data Carving", 2018). Since file carving is usually done by examining the header (the first few bytes) and footer (the last few bytes) of a file, a larger distance between the footer and header will affect the amount of data recovered during the process