Bruce Nikkel OS_forensic_artifacts.pdf
Set of flashcards Details

| Flashcards | 10 |
|---|---|
| Language | English |
| Category | Computer Science |
| Level | University |
| Created / Updated | 21.06.2019 / 01.07.2020 |
| Licencing | Not defined |
| Weblink | https://card2brain.ch/box/20190621_bruce_nikkel_osforensicartifacts_pdf |
What does the forensic analysis of an OS include?
- boot and shutdown
- scheduled tasks
- installed software
- user activity
- system logs
- system configuration
- other OS related files
What information can be extracted from the system and kernel?
- OS version, kernel version
- kernel config / parameters
- boot sequence
- startup services / daemons (systemd, launchctl)
- old: init.d and rc.d scripts
- boot up and shutdown times
For most of these, no special forensic tools are needed, just knowledge of the OS and its files.
Name some system components that handle scheduled tasks.
Scheduled jobs / tasks:
- cron / at
- systemd timers
- Windows schtasks
- user and system jobs are separate
Name some things that can be looked at to identify user activities.
Human user activity:
- users and groups
- logins, logouts
- home directories, user files
- user permissions and security
It is always a challenge to separate human activity from system activity.
What is the problem with information in logs, and where can logs be found?
Logs tell you a lot (but they can be tampered with!)
Locations where logs can be found:
- system logs (dmesg, syslog, journalctl)
- MS Windows event logs (Linux tool: grokevt, libevtx)
- log files (/var/log/*)
Name some locations where OS configuration is stored.
OS configuration:
- Traditional Unix/Linux: files in /etc
- MS Windows registry (Linux tools: registry-tools, reglookup)
- gconf/dconf, plist files, systemd units
- dot files ~/.config
- network configuration (DNS, proxy)
- disk configuration (raid? encryption?)
- automounted local and remote drives
Name some other interesting OS information.
OS files that are interesting for forensics:
- temporary files and directories (/tmp, /var/tmp)
- cache files, prefetch files
- crash dumps, error report files
- hibernation files
Name some application layer OS data that is forensically interesting.
Application layer OS data:
- clipboard data/history
- last used documents
- recycle bin, trash cans (these are not filesystem artifacts)
- OS search queries, index, thumbnails
The difference between OS and applications is sometimes unclear.