1. What is a rootkit?
A rootkit is a set of malware components that replace standard Windows utilities with Trojan horse programs in an attempt to take over the system. The rootkit can modify the operating system so that it hides itself and evades traditional means of detection.
2. In Helix, what does the Protected Storage Viewer reveal?
It reveals the passwords stored on the host computer by Internet Explorer, Outlook Express and MSN Explorer.
3. What other way can you access this information?
IE History Viewer can access the passwords stored by IE; Network Password Viewer and Mail Password Viewer can access Outlook passwords; Network Password Viewer and Messenger Password can access MSN Explorer passwords.
4. Briefly discuss the pros and cons of doing corporate forensic work from a GUI rather than a CLI?
Pros: GUI tools are more user-friendly, and do not require as much specialized knowledge as command line tools. Most of the time, a computer forensics examiner can readily open a suspicious file in another window without closing the GUI tool.
Cons: Forensic work from a GUI requires more system resources, and GUI tools will not fit on a floppy disk, whereas CLI tools will.
5. In computer forensics, for what is the dd command used?
The dd command is used in computer forensics to perform a physical backup of a hardware device's media. It has special flags that make it suitable for imaging block-oriented devices such as tapes.
6. What is NetCat? And when would you use it?
NetCat is a networking utility that reads and writes data across network connections using the TCP/IP protocol. It is used to connect to, or listen on, one or more ports.
7. Briefly explain how a file system, such as FAT, stores data in files.
A disk formatted with FAT is allocated in clusters, whose size is determined by the size of the volume. When a file is created, an entry is created in the directory and the number of the first cluster containing the file's data is recorded in it. The corresponding entry in the FAT either indicates that this is the last cluster of the file or points to the next cluster.
8. Briefly explain how it is possible to recover files that have been deleted from a file system, such as FAT.
Helix includes a tool named Fatback that can analyze and recover deleted FAT files. Fatback is a forensic tool for undeleting files from Microsoft FAT file systems. Besides the Helix toolkit, there are many other tools that can recover data from FAT, such as FTK Imager.
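As an added illustration of both answers 7 and 8 (this is example code written for this page, not Fatback's or Helix's code), the toy FAT16 volume below is constructed in memory: a directory entry holds the first cluster and file size, the FAT chains the clusters, and deleting the file only overwrites the first name byte with 0xE5 and frees the FAT entries, which is why an undelete tool can still read the clusters starting from the recorded first cluster. The cluster size, the FAT contents and the file content are all assumed values.

```python
import struct

CLUSTER_SIZE = 16            # assumed bytes per cluster for this constructed volume
DELETED = 0xE5               # first name byte of a directory entry once its file is deleted
ENTRY_FMT = "<11sB10sHHHI"   # 32-byte entry: name, attr, reserved, time, date, first cluster, size

def parse_entry(raw):
    """Decode the fields of a directory entry that an undelete tool needs."""
    name, _attr, _res, _time, _date, first, size = struct.unpack(ENTRY_FMT, raw)
    return {"name": name, "deleted": name[0] == DELETED, "first": first, "size": size}

def cluster_bytes(data, n):
    """Cluster 2 is the first data cluster, so cluster n starts at (n - 2) * CLUSTER_SIZE."""
    return data[(n - 2) * CLUSTER_SIZE:(n - 1) * CLUSTER_SIZE]

def follow_chain(fat, first):
    """Walk the FAT from the first cluster; 0 means free, >= 0xFFF8 means end of chain."""
    chain, cur = [], first
    while 2 <= cur < 0xFFF8 and cur not in chain:   # the membership test stops a corrupt loop
        chain.append(cur)
        cur = fat[cur]
    return chain

def read_file(data, fat, entry):
    """Normal read of a live file: the FAT chain gives the clusters, the entry size trims the tail."""
    raw = b"".join(cluster_bytes(data, c) for c in follow_chain(fat, entry["first"]))
    return raw[:entry["size"]]

def undelete(data, entry):
    """Deletion zeroes the FAT chain but keeps start cluster and size in the entry,
    so assume the clusters were contiguous and read ceil(size / CLUSTER_SIZE) of them."""
    n = -(-entry["size"] // CLUSTER_SIZE)
    raw = b"".join(cluster_bytes(data, c) for c in range(entry["first"], entry["first"] + n))
    return raw[:entry["size"]]

# constructed volume: one file in clusters 2 -> 3 -> 4, data area padded to three clusters
CONTENT = b"case notes: files copied at 02:17 UTC"          # 37 bytes -> 3 clusters
DATA = CONTENT.ljust(3 * CLUSTER_SIZE, b"\0")
FAT_LIVE = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0, 0, 0]           # entries 0 and 1 are reserved
FAT_AFTER_DELETE = [0xFFF8, 0xFFFF, 0, 0, 0, 0, 0, 0]        # chain freed when the file is deleted
LIVE_ENTRY = struct.pack(ENTRY_FMT, b"EVIDENCETXT", 0x20, b"\0" * 10, 0, 0, 2, len(CONTENT))
DELETED_ENTRY = bytes([DELETED]) + LIVE_ENTRY[1:]            # only the first name byte changes

def demo():
    """What a normal read and an undelete yield before and after the file is deleted."""
    gone = parse_entry(DELETED_ENTRY)
    return {"live_read": read_file(DATA, FAT_LIVE, parse_entry(LIVE_ENTRY)),
            "deleted_flag": gone["deleted"],
            "chain_after_delete": follow_chain(FAT_AFTER_DELETE, gone["first"]),
            "recovered": undelete(DATA, gone)}
```

Once the chain is freed, following the FAT from the recorded first cluster only yields that single cluster, so the contiguity assumption is what makes the undelete work; a fragmented file recovered this way will contain foreign data.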
9. Briefly list tools contained on the Helix LiveCD that would be useful in investigating a filesystem.
Adepto, Air, Linen, Retriever, Autopsy, pyFlag, Regviewer, xhfs.
10. Briefly explain the sleuthkit.
The Sleuth Kit is a collection of UNIX-based command line file and volume system forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.
Thursday, April 3, 2008
Wednesday, April 2, 2008
Online Journal-Bring a LiveCD in your casebag
Why 'LiveCD' Should Be a Part of Every Computer User's Vocabulary
Setting up security at a public terminal
Linux based LiveCDs come in a great variety with one of the first Linux LiveCDs to appear being Knoppix. Many Linux LiveCDs like Knoppix and the Fedora and Ubuntu Live distributions load versions of Linux that closely resemble desktop installs of Linux, and provide access to robust desktop environments such as KDE or Gnome and applications such as OpenOffice.org. While these types of LiveCD distributions are great if you need all of the features of a full Linux desktop, their performance can be somewhat lacking since data often needs to be read from the CD to load certain applications. Users who are simply interested in a LiveCD distribution for purposes of accessing the Web and email may instead want to consider distributions such as Puppy Linux and Damn Small Linux, as these distributions can be completely loaded into system RAM. While not as application rich as other Linux distributions, most users will find them surprisingly feature complete given their small size, and as a result of running solely off of system RAM, they will yield extremely rapid response times.
Before you head out the door to make a trip to the airport or even the local coffee shop, remember to grab not only your keys, but also a copy of a Linux Live CD.
Original journal is here: http://www.sys-con.com/read/514335.htm