Bruce Nikkel App_forensic_artifacts.pdf

Bruce Nikkel App_forensic_artifacts.pdf

Bruce Nikkel App_forensic_artifacts.pdf

15

0.0 (0)

Set of flashcards Details

Flashcards	15
Language	English
Category	Computer Science
Level	University
Created / Updated	20.06.2019 / 01.07.2020
Weblink	https://card2brain.ch/box/20190620_bruce_nikkel_appforensicartifacts_pdf
Embed	<iframe src="https://card2brain.ch/box/20190620_bruce_nikkel_appforensicartifacts_pdf/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>

Name some common user applications.

web browser
email client
office suite
file managers
media players
photo / piv vieweres/managers
social media apps, cloud sync/connect apps

name some examples of professional applications that leave artifacts

financial software
company developted fat clients
scientific, engineering apps
industrial control apps

what are some special intrest apps that leave traces?

bitcoin wallets and clients
file-sharing apps
TOR clients
hack/crack/exploit tools
malware binaries

application forensic analysis involves the examination of what?

Application forensic analysis involves examination of:

installation date, last used
configuration, plugins, user preferences
log data, and audit trails
persistent data (cookies, cache, objects, recents [eg. recent files in word])
user activity over time
application data/content
additional application meta-data in data/content
abuse or misuse of an application
correlate timestamps with other times (logs,physical access logs, CCTV, etc)

What are some charecteristics of application data files?

use open standards or proprietry formats
magic string (#!/bin/bash)
some files containers may be compressed or encrypted
dome files may have many nested files (emails with attachments)

what does the linux file command do?

The linux file command is used to identify file formats

What should you always do when viewing typical files (office documents, pictures, music, etc...) with a standard viewers?

Always use a write-blocker or read only image to prevent data being writen do the image by viewers.

What are the problems when dealing with proprietary formats?

Proprietary formats:

need reverse engineering to access the file
pay for licenses to access the file
use existing proprietary tools to extract data
commercial forensic tools are very good with proprietary data

What meta data can be found in files? (not from filesystem)

hidden information (visually redacted text)
deleted text / images form office docs
user infromation (who created? who edited?)
original file location (directory path)
timestamps and loaction info (GPS)
application used to create file
device used to record/capture images, sound, or video
edit history ("track changes")
technical details

What is EXIF data?

EXIF - EXchangeable Imagefile Format

standard metadata format for media files
extensible, most common compatible standard
many tools to extract info

What is the goal of deeper analysis of executable files?

The goal is to understand exactly what th program is doing (without having the original source code)

What could be gained from a deep analysis of an executable and what could be a problem in doing so?

Problem:

obfuscation
- phishing kits and browser injects may us obfuscated javascript

What could be gained:

binaries could be malware samples form an attack (identification)
all binaries contain some meta information (segments, sections)
binaries like malware can be "reverse engineered"

What is static analysis?

Static analysis is when you:

anayze binary without exection
dissassembling (convert machine code to assemly language)
decompiling (convert to high level language like C)
IDA Pro, ollydbg are programs that can be used for static analysis

What is dynamic analysis?

Dynamic analysis is when you:

analyze binary during execution
dangerous, use sandboxes
Joebox, Cuckoo are tools that can be used.

Why is malware analysis not always done?

Malware analysis is a time consuming task requiring good knowledge of operating systems and how programs are compiled into assembly language.