TU Wien:Digital Forensics VU (Weippl)/2022-01-12


In total you have to answer five open-text questions (5 x 10 points in total). The questions require that you have grasped the basic concepts discussed in the Digital Forensics lectures.

- Difference in how data is stored on a magnetic HDD versus an SSD?

- Order of volatility

- Faraday cages: why are they used?

- psscan vs. pslist: what is the difference?

- Wi-Fi networks: what is stored and where?

- Correlating network connections and running processes using a RAM dump

- Six artefacts that you can retrieve from RAM

Encryption:
1) (4 pt) Where (and how) is encryption used on modern smartphones, PCs and in digital communication?
2) (2 pt) Describe use cases for both symmetric and asymmetric cryptography (in the context of digital forensics).
3) (4 pt) What different methods do you know to break/bypass encryption?

In the RAM of a computer you can find plenty of valuable information for investigations that is never written to disk and is lost once the PC is shut down.
1) (4 pt) Describe in your own words how the cold boot attack works.
2) (4 pt) Can one correlate network connections and running processes using a RAM dump, and why would that be useful?
3) (2 pt) What information can you retrieve from RAM? Name at least six different artefacts.

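Added worked example for the psscan/pslist item in the list above and for question 2) of this block (not part of the original page or the exam): a constructed, simplified memory dump in which one process has been unlinked from the active-process list the way a DKOM rootkit hides it. Walking the list (what pslist does) misses it, scanning memory for the object's pool tag (what psscan does) still finds it, and joining a constructed netscan-style connection table on the owner PID shows which connection belongs to the hidden process. The record layout, the tag, the list-head offset and all PIDs, names and addresses are assumptions made for this example, not the real Windows EPROCESS format.

```python
import struct
from collections import namedtuple

# Constructed, simplified process-object layout (not the real Windows EPROCESS):
#   4-byte pool tag | 4-byte PID | 16-byte name | 4-byte flink | 4-byte blink
# flink/blink hold the dump offset of the neighbouring record.
TAG = b"Proc"                  # tag the scanner keys on (assumed for this model)
REC = struct.Struct("<4sI16sII")
HEAD_OFF = 0x40                # list head, stands in for PsActiveProcessHead
MEM_SIZE = 0x1000
Proc = namedtuple("Proc", "tag pid name flink blink")


def read_rec(mem, off):
    tag, pid, raw, flink, blink = REC.unpack_from(mem, off)
    return Proc(tag, pid, raw.rstrip(b"\x00"), flink, blink)


def set_links(mem, off, flink=None, blink=None):
    """Patch only the link fields of one record, the way DKOM does it."""
    tag, pid, raw, f, b = REC.unpack_from(mem, off)
    REC.pack_into(mem, off, tag, pid, raw, f if flink is None else flink, b if blink is None else blink)


def build_dump():
    """Constructed dump: four linked processes, one of them then unlinked by
    DKOM, an exited process that was never overwritten, and a decoy tag."""
    mem = bytearray(MEM_SIZE)
    procs = [(4, b"System", 0x100), (612, b"svchost.exe", 0x200),
             (1337, b"evil.exe", 0x300), (2048, b"explorer.exe", 0x400)]
    offs = [HEAD_OFF] + [off for _, _, off in procs]
    REC.pack_into(mem, HEAD_OFF, b"HEAD", 0, b"", offs[1], offs[-1])
    for i, (pid, name, off) in enumerate(procs, start=1):
        REC.pack_into(mem, off, TAG, pid, name, offs[(i + 1) % len(offs)], offs[i - 1])
    # Hide evil.exe: neighbours point past it, the object itself stays intact.
    set_links(mem, 0x200, flink=0x400)
    set_links(mem, 0x400, blink=0x200)
    # Exited process: unlinked but still in memory, so a scanner will see it too.
    REC.pack_into(mem, 0x800, TAG, 900, b"notepad.exe", 0x200, 0x100)
    mem[0x900:0x904] = TAG     # decoy: tag bytes with an all-zero body behind them
    return mem


def pslist(mem, head_off=HEAD_OFF):
    """Walk the active-process list from its head (what Volatility's pslist does)."""
    out, off, steps = [], read_rec(mem, head_off).flink, 0
    while off != head_off and steps < MEM_SIZE // REC.size:   # guard against a corrupt loop
        rec = read_rec(mem, off)
        out.append((rec.pid, rec.name.decode()))
        off, steps = rec.flink, steps + 1
    return out


def psscan(mem):
    """Scan every aligned offset for the tag and sanity-check the body (what
    psscan does). Unlinked and exited objects show up here; real psscan output
    carries exit timestamps so the two can be told apart."""
    out = []
    for off in range(0, len(mem) - REC.size + 1, 4):
        if mem[off:off + 4] != TAG:
            continue
        rec = read_rec(mem, off)
        if rec.pid == 0 or not rec.name or not all(32 <= c < 127 for c in rec.name):
            continue
        if any(p % 4 or p >= len(mem) for p in (rec.flink, rec.blink)):
            continue
        out.append((rec.pid, rec.name.decode()))
    return out


# Constructed connection table in netscan's shape: proto, local, remote, state, owner PID.
CONNECTIONS = [
    ("TCPv4", "10.0.0.5:49152", "93.184.216.34:443", "ESTABLISHED", 612),
    ("TCPv4", "10.0.0.5:49153", "198.51.100.7:4444", "ESTABLISHED", 1337),
    ("TCPv4", "0.0.0.0:445", "0.0.0.0:0", "LISTENING", 4),
]


def correlate(connections, mem):
    """Join connections to their owning process; flag owners only psscan sees."""
    listed, carved = dict(pslist(mem)), dict(psscan(mem))
    rows = []
    for proto, local, remote, state, pid in connections:
        if pid in listed:
            owner, note = listed[pid], "listed"
        elif pid in carved:
            owner, note = carved[pid], "HIDDEN: found by psscan only"
        else:
            owner, note = "?", "no process object found"
        rows.append((proto, local, remote, state, pid, owner, note))
    return rows


if __name__ == "__main__":
    dump = build_dump()
    print("hidden:", sorted(set(psscan(dump)) - set(pslist(dump))))
    for row in correlate(CONNECTIONS, dump):
        print(*row)
```

Running the block prints the processes only psscan sees and one row per connection with its owner. In a real dump the same set difference also contains processes that exited normally, which is why psscan output shows exit times and why a connection owned by a PID absent from pslist is a lead, not yet proof of a rootkit.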
During an investigation you are tasked to analyze a modern Pixel phone running Android 12.0. The owner is not giving you the password/unlocking code.
1) (4 pt) Describe different methods to get access to the data nonetheless.
2) (3 pt) Describe in your own words what a jailbreak is and why it can be useful during analysis. Can you bypass a user password with a jailbreak?
3) (3 pt) You obtain different access tokens and passwords for online services during the analysis and are allowed to use them to retrieve data. How do you proceed?

NTFS is one of the most common file systems for computers.
1) (4 pt) Describe in your own words how the Master File Table in NTFS is structured.
2) (4 pt) What happens on disk when a file is deleted (without it going to the recycle bin)? What methods do you know that can be used to still retrieve the file content?
3) (2 pt) You are looking for a file with a specific known string (something distinct, like "AAAAAAAAAAAAAAAAAAAA") in it. How can you a) identify and b) retrieve all files that contain that string?

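Added worked example for questions 2) and 3) above (not the page's own material): a constructed image with a simplified stand-in for MFT records. It shows that deleting a file only clears the record's in-use flag and frees its clusters, so a raw scan of the image still finds the string inside the deleted file, and that a run-aware search (reassembling each file from its data runs, deleted records included) also catches a string split across two non-adjacent fragments, which a raw scan of the image misses. Cluster size, record fields, file names and contents are assumptions for the example and not the real NTFS on-disk format.

```python
from dataclasses import dataclass

CLUSTER = 512                       # bytes per cluster (assumed for this model)
MARKER = b"AAAAAAAAAAAAAAAAAAAA"    # the distinct string from the question


@dataclass
class Record:
    """Constructed stand-in for an MFT FILE record; not the real on-disk format."""
    name: str
    in_use: bool          # cleared on deletion, everything else in the record stays
    runs: list            # data runs as (start_cluster, cluster_count), in file order
    size: int             # logical file size in bytes


def store(img, mft, name, data, runs):
    """Write `data` cluster by cluster over the given runs and add a record."""
    pos = 0
    for start, count in runs:
        chunk = data[pos:pos + count * CLUSTER]
        img[start * CLUSTER:start * CLUSTER + len(chunk)] = chunk
        pos += count * CLUSTER
    mft.append(Record(name, True, runs, len(data)))


def delete(mft, name):
    """Deletion in this model (and, in essence, on NTFS): the record's in-use
    flag is cleared and its clusters count as free. Nothing is wiped."""
    for rec in mft:
        if rec.name == name:
            rec.in_use = False


def make_image():
    """Constructed 16-cluster image: notes.txt (live), secret.txt (deleted) and
    plan.txt (live, fragmented so the marker straddles two non-adjacent clusters)."""
    img, mft = bytearray(16 * CLUSTER), []
    store(img, mft, "notes.txt", b"meeting notes ... " + MARKER + b" end", [(2, 2)])
    store(img, mft, "secret.txt", b"payload " + MARKER, [(5, 1)])
    delete(mft, "secret.txt")
    store(img, mft, "plan.txt", b"x" * (CLUSTER - 10) + MARKER + b" rest", [(7, 1), (12, 1)])
    return img, mft


def read_file(img, rec):
    """Reassemble content from the runs; works for a deleted record as long as
    its clusters have not been reused."""
    data = b"".join(bytes(img[s * CLUSTER:(s + c) * CLUSTER]) for s, c in rec.runs)
    return data[:rec.size]


def raw_scan(img, needle=MARKER):
    """a) Identify: byte offsets of every occurrence in the raw image (grep/strings style)."""
    hits, i = [], img.find(needle)
    while i != -1:
        hits.append(i)
        i = img.find(needle, i + 1)
    return hits


def owner_of(mft, offset):
    """Map a raw hit back to the record whose runs cover that cluster, live or deleted."""
    cl = offset // CLUSTER
    for rec in mft:
        if any(s <= cl < s + c for s, c in rec.runs):
            return rec
    return None


def find_files(img, mft, needle=MARKER, include_deleted=True):
    """b) Retrieve: names of all files whose reassembled content holds the string.
    Run-aware, so it also catches a string split across fragments."""
    return [rec.name for rec in mft
            if (rec.in_use or include_deleted) and needle in read_file(img, rec)]


if __name__ == "__main__":
    img, mft = make_image()
    for off in raw_scan(img):
        rec = owner_of(mft, off)
        print(f"raw hit at {off:#x}: {rec.name} ({'live' if rec.in_use else 'deleted'})")
    print("run-aware, incl. deleted:", find_files(img, mft))
    print("live files only         :", find_files(img, mft, include_deleted=False))
```

The raw scan reports two hits (notes.txt and the deleted secret.txt) and misses plan.txt entirely, while the run-aware search lists all three; on a real volume the same gap applies to carving tools that ignore the $MFT, and a hit in a cluster no live record owns is the signal to look at unused records and unallocated space.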
Your boss wants to enable the company to react to new APT reports within 24 h and to find out whether your network is affected or not. The network in question contains about 20,000 client machines and 3,000 servers.
1) (4 pt) What artefacts are usually included as "indicators of compromise"? Which of those can be collected rather easily, which are rather hard to obtain?
2) (4 pt) Which data points would you proactively collect from the network, and how?
3) (2 pt) A small subnet has suspicious traffic. How would you proceed to a) collect and b) analyze the network traffic from that subnet?

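Added worked example for questions 1) and 2) above (constructed, not from the page): matching a small IOC list against three kinds of logs a network of that size typically already produces. Domains and addresses are checked against DNS and proxy logs that are cheap to collect centrally (including subdomain and CIDR matches, which plain string comparison would miss); the file hash needs per-host process telemetry, which is the hard part to obtain. Hosts, domains, addresses and log formats are made up for the example, and the hash is computed from a constructed byte string so no real sample is implied.

```python
import hashlib
import ipaddress

# Constructed IOC list in the shape a threat report lists them. The hash is
# derived from a constructed byte string, so it refers to no real file.
DROPPER_SHA256 = hashlib.sha256(b"constructed dropper sample").hexdigest()
IOCS = {
    "domain": {"update-check.example"},      # easy: central DNS / proxy logs
    "ipv4": {"198.51.100.0/24"},              # easy: firewall, proxy, NetFlow
    "sha256": {DROPPER_SHA256},               # hard: needs an agent on every host
}
NETS = [ipaddress.ip_network(n) for n in IOCS["ipv4"]]

# Constructed log lines ("timestamp host event ..."), three different sources.
DNS_LOG = [
    "2022-01-12T09:01:02Z ws0412 query A update-check.example",
    "2022-01-12T09:01:03Z ws0412 query A cdn.update-check.example",
    "2022-01-12T09:02:10Z ws0091 query A intranet.corp.example",
]
PROXY_LOG = [
    "2022-01-12T09:01:05Z ws0412 CONNECT 198.51.100.23:443 200",
    "2022-01-12T09:05:00Z srv0007 CONNECT 203.0.113.9:443 200",
]
EDR_LOG = [
    f"2022-01-12T09:01:00Z ws0412 procstart C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe sha256={DROPPER_SHA256}",
    f"2022-01-12T09:07:00Z srv0007 procstart C:\\Windows\\System32\\svchost.exe sha256={hashlib.sha256(b'benign').hexdigest()}",
]


def domain_hit(name):
    """Exact match or subdomain of an IOC domain (label boundary respected)."""
    name = name.lower().rstrip(".")
    return next((d for d in IOCS["domain"] if name == d or name.endswith("." + d)), None)


def ip_hit(ip):
    """Address inside an IOC network; single addresses go into the list as /32."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in NETS if addr in n), None)


def hash_hit(digest):
    return digest.lower() if digest.lower() in IOCS["sha256"] else None


def scan(dns, proxy, edr):
    """Return (host, ioc_type, indicator, line) for every IOC match."""
    matches = []
    for line in dns:
        _, host, _, _, name = line.split()
        if (ioc := domain_hit(name)):
            matches.append((host, "domain", ioc, line))
    for line in proxy:
        _, host, _, dest, _ = line.split()
        if (ioc := ip_hit(dest.rsplit(":", 1)[0])):
            matches.append((host, "ipv4", ioc, line))
    for line in edr:
        _, host, _, _, digest = line.split()
        if (ioc := hash_hit(digest.split("=", 1)[1])):
            matches.append((host, "sha256", ioc, line))
    return matches


def affected_hosts(matches):
    return sorted({m[0] for m in matches})


if __name__ == "__main__":
    hits = scan(DNS_LOG, PROXY_LOG, EDR_LOG)
    for host, kind, ioc, line in hits:
        print(f"{host:8} {kind:7} {ioc}  <- {line}")
    print("affected:", affected_hosts(hits))
```

With the constructed data only ws0412 is affected, and it is flagged by all three sources; in practice the DNS and proxy matches are available within minutes of a report because those logs are already centralised, whereas the hash match only exists if process telemetry with hashes was collected beforehand, which is exactly the data point worth collecting proactively.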
You are tasked as an expert witness as part of a raid on a criminal headquarters, and you think they have around 10 servers, a few workstations and the smartphones of the people there.
1) (4 pt) How do you prepare yourself for the raid, and what do you plan to take with you?
2) (4 pt) Once you arrive you discover that there are actually around 100 servers spread over 19" racks and more than x workstations. How do you proceed?
3) (2 pt) Describe in your own words the role of an expert witness in court cases and in police investigations.

You are tasked with developing a forensic app for Android and iOS. The goal is to install it on a smartphone and to automatically retrieve all files, including apps and their data, for creating a forensic report.
1) (3 pt) Which security mechanisms prevent such an app from working as intended? Describe the different security mechanisms.
2) (3 pt) Which specific security mechanisms on Android and iOS prevent malicious apps/malware? Why can you not replace an already installed app with a manipulated one?
3) (4 pt) Describe in your own words how data encryption works on iOS (with active file protection). Is a brute-force attack with a cracking server and plenty of GPUs possible?
Justify your answers.