Karten 15 Karten
Lernende 2 Lernende
Sprache English
Stufe Universität
Erstellt / Aktualisiert 20.06.2019 / 01.07.2020
Lizenzierung Keine Angabe
0 Exakte Antworten 15 Text Antworten 0 Multiple Choice Antworten


Fenster schliessen

Name some common user applications.

  • web browser
  • email client
  • office suite
  • file managers
  • media players
  • photo / piv vieweres/managers
  • social media apps, cloud sync/connect apps


Fenster schliessen

name some examples of professional applications that leave artifacts

  • financial software
  • company developted fat clients
  • scientific, engineering apps
  • industrial control apps
Fenster schliessen

what are some special intrest apps that leave traces?

  • bitcoin wallets and clients
  • file-sharing apps
  • TOR clients
  • hack/crack/exploit tools
  • malware binaries
Fenster schliessen

application forensic analysis involves the examination of what?

Application forensic analysis involves examination of:

  • installation date, last used
  • configuration, plugins, user preferences
  • log data, and audit trails
  • persistent data (cookies, cache, objects, recents [eg. recent files in word])
  • user activity over time
  • application data/content
  • additional application meta-data in data/content
  • abuse or misuse of an application
  • correlate timestamps with other times (logs,physical access logs, CCTV, etc)
Fenster schliessen

What are some charecteristics of application data files?

  • use open standards or proprietry formats
  • magic string (#!/bin/bash)
  • some files containers may be compressed or encrypted
  • dome files may have many nested files (emails with attachments)
Fenster schliessen

what does the linux file command do?

The linux file command is used to identify file formats

Fenster schliessen

What should you always do when viewing typical files (office documents, pictures, music, etc...) with a standard viewers?

Always use a write-blocker or read only image to prevent data being writen do the image by viewers.

Fenster schliessen

What are the problems when dealing with proprietary formats?

Proprietary formats:

  • need reverse engineering to access the file
  • pay for licenses to access the file 
  • use existing proprietary tools to extract data
  • commercial forensic tools are very good with proprietary data
Fenster schliessen

What meta data can be found in files? (not from filesystem)


  • hidden information (visually redacted text)
  • deleted text / images form office docs
  • user infromation (who created? who edited?)
  • original file location (directory path)
  • timestamps and loaction info (GPS)
  • application used to create file
  • device used to record/capture images, sound, or video
  • edit history ("track changes")
  • technical details
Fenster schliessen

What is EXIF data?

EXIF - EXchangeable Imagefile Format

  • standard metadata format for media files
  • extensible, most common compatible standard
  • many tools to extract info
Fenster schliessen

What is the goal of deeper analysis of executable files?

The goal is to understand exactly what th program is doing (without having the original source code)

Fenster schliessen

What could be gained from a deep analysis of an executable and what could be a problem in doing so?


  • obfuscation
    • phishing kits and browser injects may us obfuscated javascript

What could be gained:

  • binaries could be malware samples form an attack (identification)
  • all binaries contain some meta information (segments, sections)
  • binaries like malware can be "reverse engineered"
Fenster schliessen

What is static analysis?

Static analysis is when you:

  • anayze binary without exection
  • dissassembling (convert machine code to assemly language)
  • decompiling (convert to high level language like C)
  • IDA Pro, ollydbg are programs that can be used for static analysis
Fenster schliessen

What is dynamic analysis?

Dynamic analysis is when you:

  • analyze binary during execution
  • dangerous, use sandboxes
  • Joebox, Cuckoo are tools that can be used.
Fenster schliessen

Why is malware analysis not always done?

Malware analysis is a time consuming task requiring good knowledge of operating systems and how programs are compiled into assembly language.