Bruce Nikkel App_forensic_artifacts.pdf
Card set details
Field | Value |
---|---|
Cards | 15 |
Language | English |
Category | Computer science |
Level | University |
Created / Updated | 20.06.2019 / 01.07.2020 |
Licensing | Not specified |
Weblink | https://card2brain.ch/box/20190620_bruce_nikkel_appforensicartifacts_pdf |
Name some common user applications.
- web browser
- email client
- office suite
- file managers
- media players
- photo / picture viewers and managers
- social media apps, cloud sync/connect apps
Name some examples of professional applications that leave artifacts.
- financial software
- company-developed fat clients
- scientific, engineering apps
- industrial control apps
What are some special-interest apps that leave traces?
- bitcoin wallets and clients
- file-sharing apps
- Tor clients
- hack/crack/exploit tools
- malware binaries
What does application forensic analysis involve the examination of?
Application forensic analysis involves examination of:
- installation date and last-used time
- configuration, plugins, user preferences
- log data and audit trails
- persistent data (cookies, cache, objects, recents, e.g. the recent-files list in Word)
- user activity over time
- application data/content
- additional application metadata embedded in the data/content
- abuse or misuse of an application
- correlation of application timestamps with other time sources (system logs, physical access logs, CCTV, etc.)
What are some characteristics of application data files?
- use open standards or proprietary formats
- carry a magic string or magic number at the start of the file (e.g. "#!/bin/bash" for a shell script, "%PDF-" for a PDF), which identifies the format independently of the file name or extension
- some file containers may be compressed or encrypted
- some files may contain many nested files (e.g. emails with attachments, or an archive holding documents)
What does the Linux file command do?
The Linux file command identifies file formats from the file's content (its magic strings/numbers, matched against a magic database) rather than from the file name or extension.
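The following added example (not code from Nikkel's slides or from the file(1) project) shows in Python the principle behind the two cards above: identification by leading magic bytes rather than by file name, and recursion into Zip containers, which is how OOXML (Word/Excel/PowerPoint) and OpenDocument files are recognised and how nested files inside an archive are surfaced. The magic table and the sample files are constructed for illustration; file(1)'s real magic database is far larger and also uses offsets, masks and text heuristics.

```python
"""file(1)-style identification by magic string, with recursion into Zip containers."""
import io
import zipfile

# Constructed subset of magic strings (leading bytes) -> description.
MAGIC = [
    (b"%PDF-", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"SQLite format 3\x00", "SQLite 3.x database"),
    (b"\x7fELF", "ELF"),
    (b"PK\x03\x04", "Zip archive"),
    (b"#!", "script"),
]


def identify(data: bytes) -> str:
    """Return a file(1)-style description for `data`, ignoring any file name."""
    for magic, desc in MAGIC:
        if not data.startswith(magic):
            continue
        if desc == "script":
            # Shebang: the interpreter path on the first line names the script type.
            interp = data.split(b"\n", 1)[0][2:].strip().decode("ascii", "replace")
            return f"{interp} script text executable"
        if desc == "Zip archive":
            return classify_zip(data)
        return desc
    return "data"  # file(1)'s fallback when nothing matches


def classify_zip(data: bytes) -> str:
    """Tell office containers from a plain Zip and flag encrypted members."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            names = [i.filename for i in infos]
            encrypted = any(i.flag_bits & 0x1 for i in infos)  # bit 0 = encrypted
            if "[Content_Types].xml" in names:  # OOXML marker member
                for prefix, app in (("word/", "Word"), ("xl/", "Excel"), ("ppt/", "PowerPoint")):
                    if any(n.startswith(prefix) for n in names):
                        desc = f"Microsoft {app} 2007+ (OOXML)"
                        break
                else:
                    desc = "Microsoft OOXML document"
            elif "mimetype" in names:  # OpenDocument stores its MIME type as a member
                try:
                    desc = "OpenDocument, " + zf.read("mimetype").decode("ascii", "replace")
                except RuntimeError:  # member encrypted, no password
                    desc = "OpenDocument container"
            else:
                desc = f"Zip archive, {len(names)} member(s)"
    except zipfile.BadZipFile:
        return "Zip archive (truncated or corrupt)"
    return desc + (", encrypted members" if encrypted else "")


def walk(name: str, data: bytes, depth: int = 0):
    """Yield (depth, name, description) for `data` and, recursively, for Zip members."""
    yield depth, name, identify(data)
    if not data.startswith(b"PK\x03\x04"):
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                member = zf.read(info)
            except RuntimeError:  # encrypted member and no password supplied
                yield depth + 1, info.filename, "encrypted member (not extracted)"
                continue
            yield from walk(info.filename, member, depth + 1)


def build_samples() -> dict:
    """Constructed sample inputs (not real evidence); names are deliberately misleading."""
    def make_zip(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for n, d in members.items():
                zf.writestr(n, d)
        return buf.getvalue()
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    script = b"#!/bin/bash\necho hello\n"
    docx = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
    bundle = make_zip({"report.pdf": pdf, "notes.docx": docx, "run.sh": script})
    return {"invoice.txt": pdf, "update.exe": script, "letter.docx": docx, "evidence.zip": bundle}


if __name__ == "__main__":
    for name, data in build_samples().items():
        for depth, member, kind in walk(name, data):
            print("  " * depth + f"{member}: {kind}")
```

Running the block prints each sample with the type derived from its bytes: "invoice.txt" is reported as a PDF and "update.exe" as a bash script, and "evidence.zip" is expanded to show the PDF, the Word document (itself expanded to its XML members) and the script it contains. Run against a real image, the same idea should only ever be applied to a read-only copy.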
What should you always do when viewing typical files (office documents, pictures, music, etc.) with standard viewers?
Always use a write-blocker or a read-only mounted image, so that the viewer cannot write anything (recent-file lists, thumbnails, lock files, updated access times) into the evidence.
What are the problems when dealing with proprietary formats?
Proprietary formats:
- may need reverse engineering before the file can be parsed
- may require paying for licenses to access the file
- may require using the vendor's own proprietary tools to extract data
- commercial forensic tools are generally very good at handling proprietary data