Cards: 10 cards
Learners: 0 learners
Language: English
Level: University
Created / Updated: 21.06.2019 / 21.06.2019
Licensing: Not specified
0 exact answers, 10 text answers, 0 multiple-choice answers

What does the forensic analysis of an OS include?

  • boot and shutdown
  • scheduled tasks
  • installed software
  • user activity
  • system logs
  • system configuration
  • other OS related files

What information can be extracted from the system and kernel?

  • OS version, kernel version
  • kernel config / parameters
  • boot sequence
  • startup services / daemons (systemd, launchctl)
  • old: init.d and rc.d scripts
  • boot up and shutdown times

For most of these, no special forensic tools are needed, just knowledge of the OS and its files.

Name some system components that handle scheduled tasks.

Scheduled jobs / tasks:

  • cron / at
  • systemd timers
  • Windows schtasks
  • user and system jobs are stored separately (per-user crontabs and user timers vs. /etc/crontab, /etc/cron.d and system timers)
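As an added example (not part of the original card set), the following Python script enumerates the mechanisms listed above from an offline, mounted image root and tags every job as system- or user-scoped, so the two populations can be reviewed separately. The directory layout it assumes (Debian/RHEL-style cron spools, systemd unit directories, per-user units under ~/.config/systemd/user) and the sample files it writes into a temporary directory are assumptions made for the example; Windows schtasks is not covered.

```python
import re
import tempfile
from pathlib import Path

# Paths relative to the mounted image root. This is the layout of a
# systemd-based Debian/RHEL-style Linux and is an assumption of this example;
# adjust it for other systems (BSD periodic, macOS launchd, ...).
SYSTEM_CRONTAB = "etc/crontab"
SYSTEM_CRON_DIR = "etc/cron.d"
USER_CRONTAB_DIRS = ("var/spool/cron/crontabs", "var/spool/cron")   # Debian, RHEL
SYSTEM_TIMER_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
USER_TIMER_SUBDIR = ".config/systemd/user"


def _cron_entries(text, has_user_field):
    """Yield (schedule, user, command) from crontab text. Comments and VAR=value
    lines are skipped; '@reboot'-style schedules are one token instead of five.
    System crontabs carry a user field, per-user crontabs do not (user is None)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        n_sched = 1 if line.startswith("@") else 5
        n_fixed = n_sched + (1 if has_user_field else 0)
        parts = line.split(None, n_fixed)
        if len(parts) <= n_fixed:
            continue  # no command: malformed, cron would reject it as well
        schedule = " ".join(parts[:n_sched])
        user = parts[n_sched] if has_user_field else None
        yield schedule, user, parts[n_fixed]


def _unit_value(text, key):
    """Value of the first 'Key=value' line in a systemd unit file, or None."""
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), text, re.M)
    return m.group(1) if m else None


def _timers(root, dirs, scope, owner):
    """Yield systemd timers found in dirs, with the ExecStart of the unit they fire."""
    for d in dirs:
        if not d.is_dir():
            continue
        for timer in sorted(d.glob("*.timer")):
            text = timer.read_text(errors="replace")
            # A timer fires Unit= if given, otherwise the .service with the same stem.
            service = d / (_unit_value(text, "Unit") or timer.stem + ".service")
            yield {
                "source": str(timer.relative_to(root)), "scope": scope, "user": owner,
                "schedule": _unit_value(text, "OnCalendar") or _unit_value(text, "OnBootSec"),
                "command": _unit_value(service.read_text(errors="replace"), "ExecStart")
                           if service.is_file() else None,
            }


def enumerate_scheduled_tasks(root):
    """Collect cron and systemd timer jobs from an offline root, tagged by scope."""
    root = Path(root)
    tasks = []
    # System cron: /etc/crontab plus every file in /etc/cron.d (both have a user field).
    cron_d = root / SYSTEM_CRON_DIR
    for p in [root / SYSTEM_CRONTAB] + (sorted(cron_d.iterdir()) if cron_d.is_dir() else []):
        if p.is_file():
            for sched, user, cmd in _cron_entries(p.read_text(errors="replace"), True):
                tasks.append({"source": str(p.relative_to(root)), "scope": "system",
                              "user": user, "schedule": sched, "command": cmd})
    # Per-user crontabs: the file name is the user name, lines carry no user field.
    for d in USER_CRONTAB_DIRS:
        if (root / d).is_dir():
            for p in sorted((root / d).iterdir()):
                if p.is_file():
                    for sched, _, cmd in _cron_entries(p.read_text(errors="replace"), False):
                        tasks.append({"source": str(p.relative_to(root)), "scope": "user",
                                      "user": p.name, "schedule": sched, "command": cmd})
    # systemd timers: system unit directories, then each home directory's user units.
    tasks += list(_timers(root, [root / d for d in SYSTEM_TIMER_DIRS], "system", "root"))
    home = root / "home"
    for h in (sorted(home.iterdir()) if home.is_dir() else []):
        tasks += list(_timers(root, [h / USER_TIMER_SUBDIR], "user", h.name))
    return tasks


def build_sample_root():
    """Constructed image root in a temp dir (test data, not from a real system):
    one ordinary job per mechanism plus a root @reboot job launching from /tmp."""
    root = Path(tempfile.mkdtemp())

    def write(rel, text):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)

    write("etc/crontab", "SHELL=/bin/sh\n# m h dom mon dow user command\n"
          "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")
    write("etc/cron.d/update", "@reboot root /tmp/.cache/update >/dev/null 2>&1\n")
    write("var/spool/cron/crontabs/alice", "0 3 * * * /home/alice/bin/backup.sh\n")
    write("usr/lib/systemd/system/logrotate.timer", "[Timer]\nOnCalendar=daily\n")
    write("usr/lib/systemd/system/logrotate.service",
          "[Service]\nExecStart=/usr/sbin/logrotate /etc/logrotate.conf\n")
    write("home/bob/.config/systemd/user/sync.timer", "[Timer]\nOnBootSec=2min\nUnit=sync.service\n")
    write("home/bob/.config/systemd/user/sync.service",
          "[Service]\nExecStart=/home/bob/.local/bin/sync --remote 203.0.113.7\n")
    return root


if __name__ == "__main__":
    for t in enumerate_scheduled_tasks(build_sample_root()):
        print("%-6s %-6s %-12s %s  <- %s" % (t["scope"], t["user"], t["schedule"], t["command"], t["source"]))
```

Point it at the mount point of the evidence image instead of `build_sample_root()`. Reviewing the output, the two entries worth a second look are the root job that runs at every boot out of /tmp and the user timer that talks to an external address; neither is visible in the running system's `crontab -l` for root, which is why the system and user spools have to be enumerated separately.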
Fenster schliessen

Name some things that can be looked at to identify user activities.

Human user activity:

  • users and groups 
  • logins, logouts
  • home directories, user files
  • user permissions and security

It is always a challenge to separate human activity from system activity.
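Added example (not from the card set) covering two items on these cards at once: the boot and shutdown times of the system card and the logins and logouts of this one. Both are recorded in the binary wtmp file, and, as the system card says, no forensic tool is needed beyond knowing the file's layout. The script below parses wtmp with Python's struct module, pairs logins with logouts the way last(1) does, and keeps the system pseudo-entries (reboot and shutdown, written on line "~") apart from human USER_PROCESS logins, which is one concrete form of the human-versus-system separation the card warns about. The 384-byte x86_64 glibc record layout and the user names, hosts and times in the constructed sample are assumptions of this example.

```python
import struct
from datetime import datetime, timezone

# struct utmp as glibc lays it out on x86_64 Linux: 384 bytes per record.
# This is an assumption about the imaged system; 32-bit or non-glibc targets
# differ, so check that the file size is a multiple of it before trusting a parse.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

RUN_LVL, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 1, 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Return the records of a wtmp (or btmp) image as dicts, in file order."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size is not a multiple of %d: truncated file or wrong struct layout" % UTMP_SIZE)
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),  # f[9] = ut_tv.tv_sec
        })
    return records


def boot_and_shutdown_times(records):
    """Boots are BOOT_TIME records (user 'reboot'); shutdowns are RUN_LVL records
    written with user 'shutdown' on line '~'. Both are system events, not logins."""
    boots = [r["time"] for r in records if r["type"] == BOOT_TIME]
    shutdowns = [r["time"] for r in records
                 if r["type"] == RUN_LVL and r["user"] == "shutdown"]
    return boots, shutdowns


def sessions(records):
    """Pair each USER_PROCESS login with the DEAD_PROCESS on the same ut_line, as
    last(1) does. A boot or shutdown record closes every open session ('down');
    anything left at end of file is still logged in."""
    open_by_line, out = {}, []

    def close(login, when, how):
        out.append({"user": login["user"], "host": login["host"],
                    "login": login["time"], "logout": when, "ended_by": how})

    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            close(open_by_line.pop(r["line"]), r["time"], "logout")
        elif r["type"] == BOOT_TIME or (r["type"] == RUN_LVL and r["user"] == "shutdown"):
            for login in open_by_line.values():
                close(login, r["time"], "down")
            open_by_line.clear()
    for login in open_by_line.values():
        close(login, None, "still logged in")
    return out


def _rec(ut_type, pid, line, ut_id, user, host, ts):
    """Pack one constructed record (test data, not from a real system)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


T0 = 1561104000  # 2019-06-21 08:00:00 UTC


def sample_wtmp():
    """Constructed wtmp: boot, alice logs in and out, bob logs in, machine shuts down.
    For boot/shutdown records the host field holds the kernel release, as on real systems."""
    return b"".join([
        _rec(BOOT_TIME, 0, "~", "~~", "reboot", "5.0.0-generic", T0),
        _rec(USER_PROCESS, 1234, "pts/0", "ts/0", "alice", "10.0.0.5", T0 + 600),
        _rec(DEAD_PROCESS, 1234, "pts/0", "ts/0", "", "", T0 + 3600),
        _rec(USER_PROCESS, 2345, "pts/1", "ts/1", "bob", "10.0.0.9", T0 + 4000),
        _rec(RUN_LVL, 0, "~", "~~", "shutdown", "5.0.0-generic", T0 + 7200),
    ])


if __name__ == "__main__":
    recs = parse_wtmp(sample_wtmp())
    boots, shutdowns = boot_and_shutdown_times(recs)
    print("boots:", boots, "shutdowns:", shutdowns)
    for s in sessions(recs):
        print(s)
```

On a real image read /var/log/wtmp from the mounted filesystem (and btmp for failed logins, same format) instead of `sample_wtmp()`. A session that ends "down" rather than "logout" was cut by a reboot or shutdown, which is exactly the kind of system event that should be correlated with the boot log before it is attributed to a person.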

What is the problem with information in logs, and where can logs be found?

Logs tell you a lot (but they can be tampered with!)

Locations where logs can be found:

  • system logs (dmesg, syslog, journalctl)
  • MS Windows event logs (Linux tools: grokevt, libevtx)
  • log files (/var/log/*)
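Added example (not from the card set): two cheap tamper checks on a classic syslog-format file from /var/log, assuming the BSD-style `Mon DD hh:mm:ss host proc[pid]: msg` line format and that the analyst supplies the year, which the timestamp does not carry. Since syslogd appends lines in arrival order, a timestamp that goes backwards points to an inserted or re-sorted line (or a clock step), and a message that recurs at a fixed period, such as the hourly cron run, works as a heartbeat whose missing beats reveal a deleted stretch. The host name, addresses and log lines below are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Classic BSD-syslog line: "Mon DD hh:mm:ss host proc[pid]: message".
# Assumed format; journald exports and RFC 5424 lines need a different regex.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def parse_syslog(text, year):
    """Parse lines into records. The timestamp has no year, so the caller gives the
    year the file starts in (usually from the file's mtime); a jump back of more than
    ~300 days is taken as a December-to-January rollover. Lines that do not parse are
    returned separately: in a file written only by syslogd they are themselves a
    tampering signal (editor artefacts, pasted junk)."""
    records, unparsed, high = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SYSLOG_RE.match(line)
        if not m:
            unparsed.append((lineno, line))
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        if high and ts < high - timedelta(days=300):
            year += 1
            ts = ts.replace(year=year)
        high = max(high, ts) if high else ts
        records.append({"lineno": lineno, "time": ts, "host": m.group("host"),
                        "proc": m.group("proc"),
                        "pid": int(m.group("pid")) if m.group("pid") else None,
                        "msg": m.group("msg")})
    return records, unparsed


def out_of_order(records, tolerance=timedelta(seconds=2)):
    """Records stamped earlier than everything before them by more than tolerance.
    syslogd writes in arrival order, so a backwards jump means a line was inserted
    or re-sorted by hand, or the clock was stepped: look for an ntpd/chronyd
    'clock stepped' message nearby before concluding tampering."""
    flagged, high = [], None
    for r in records:
        if high and r["time"] < high - tolerance:
            flagged.append({"record": r, "expected_after": high})
        high = max(high, r["time"]) if high else r["time"]
    return flagged


def missing_heartbeats(records, pattern, period):
    """Use a message that recurs at a fixed period as a heartbeat: a gap of n periods
    between consecutive beats means n-1 beats are missing, i.e. that stretch of the
    file was deleted (or the host was down, which wtmp/boot logs confirm or refute)."""
    rx, gaps, last = re.compile(pattern), [], None
    for r in records:
        if not rx.search(r["msg"]):
            continue
        if last is not None:
            n = round((r["time"] - last) / period)
            if n > 1:
                gaps.append({"start": last, "end": r["time"], "missing": n - 1})
        last = r["time"]
    return gaps


# Constructed sample (not from a real host): one line spliced in out of order,
# five hourly cron runs absent between 10:17 and 16:17, one non-syslog line.
SAMPLE_LOG = """\
Jun 21 10:15:03 ws01 systemd[1]: Started Session 12 of user alice.
Jun 21 10:15:17 ws01 sshd[2411]: Accepted publickey for alice from 10.0.0.5 port 50212 ssh2
Jun 21 10:17:01 ws01 CRON[2450]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Jun 21 10:11:40 ws01 sshd[2398]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 21 16:02:19 ws01 sshd[3120]: Accepted password for alice from 10.0.0.5 port 50290 ssh2
this line is not a syslog record
Jun 21 16:17:01 ws01 CRON[3201]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
"""
HOURLY_CRON = r"run-parts --report /etc/cron\.hourly"


def audit(text, year):
    """Run all three checks over one log file and return the findings."""
    records, unparsed = parse_syslog(text, year)
    return {"records": len(records), "unparsed": unparsed,
            "out_of_order": out_of_order(records),
            "heartbeat_gaps": missing_heartbeats(records, HOURLY_CRON, timedelta(hours=1))}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, 2019).items():
        print(key, value)
```

The checks only say that the file is inconsistent with itself; which explanation holds (deletion, clock step, downtime, log rotation) comes from cross-checking the same window in an independent source, such as the journal, wtmp or a remote log collector.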

Name some locations where OS configuration is stored.

OS configuration:

  • Traditional Unix/Linux: files in  /etc
  • MS Windows registry (Linux tools: registry-tools, reglookup)
  • gconf/dconf, plist files, systemd units
  • dot files ~/.config
  • network configuration (DNS, proxy)
  • disk configuration (raid? encryption?)
  • automounted local and remote drives

Name some other interesting OS information.

OS files that are interesting for forensics:

  • temporary files and directories (/tmp, /var/tmp)
  • cache files, prefetch files
  • crash dumps, error report files
  • hibernation files

Name some application layer OS data that is forensically interesting.

Application layer OS data:

  • clipboard data/history
  • last used documents
  • recycle bin, trash cans (these are not filesystem artifacts)
  • OS search queries, index, thumbnails

The difference between OS and applications is sometimes unclear.