Antedating: creating a document with incorrect (earlier) time stamps so that it appears to have been produced before it actually was.
How to antedate a document?
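As an added example (not part of the original notes), the filesystem side of antedating and one check an examiner can run against it. The names antedate, timestamp_anomalies and demo are my own; the files are constructed inside a temporary directory.

```python
import os
import tempfile
from datetime import datetime, timezone


def antedate(path, when):
    """Backdate a file: set its access and modification times to `when`.

    This is what an antedating tool does at the filesystem level. The inode
    change time (st_ctime on Linux/macOS) cannot be set from user space, so
    it still records when the timestamps were rewritten.
    """
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def timestamp_anomalies(paths, tolerance_s=60):
    """Return the paths whose mtime is older than their ctime by more than
    tolerance_s seconds.

    A normal edit bumps mtime and ctime together, so a large gap means the
    modification time was set by hand. A file copied with preserved
    timestamps shows the same gap, so this is a lead to confirm, not proof.
    On Windows st_ctime is the creation time, which gives the same signal.
    """
    flagged = []
    for path in paths:
        st = os.stat(path)
        if st.st_ctime - st.st_mtime > tolerance_s:
            flagged.append(path)
    return flagged


def demo():
    """Create one honest file and one backdated file; return what gets flagged."""
    with tempfile.TemporaryDirectory() as workdir:
        honest = os.path.join(workdir, "honest.txt")
        faked = os.path.join(workdir, "faked.txt")
        for p in (honest, faked):
            with open(p, "w") as fh:
                fh.write("quarterly report\n")      # constructed sample content
        # Claim the second file was written years ago.
        antedate(faked, datetime(2015, 3, 1, tzinfo=timezone.utc))
        return [os.path.basename(p) for p in timestamp_anomalies([honest, faked])]


if __name__ == "__main__":
    print(demo())
```

On NTFS the stronger check is to compare the $STANDARD_INFORMATION timestamps (which tools such as this one rewrite) with the $FILE_NAME timestamps in the MFT, which ordinary APIs do not touch; the stat-based check above is the portable version of the same idea.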
Some of the volatile data an incident response team loses if it powers off the suspect's machine before collecting it (partial list):
1) Logged-in users
2) TCP connections
3) Running processes
Network Forensics: the sniffing, recording, acquisition and analysis of network traffic and event logs in order to investigate a security incident.
It can reveal the source of security incidents and attacks, the path of the attack, and the techniques used by the attacker.
Types of network addressing scheme:
Intrusion Detection System: gathers and analyzes information from a network or host to identify possible intrusions.
Honeypot: as the name suggests, it is a decoy system set up to attract and trap attackers.
IP Address Spoofing: the attacker forges the source IP address of his/her packets to hide his/her identity.
Man in the middle attack: the attacker intrudes into an existing connection between two systems and intercepts (and possibly alters) the messages being exchanged.
Packet sniffing: an attacker can capture packets by placing a packet sniffer on the network.
Buffer Overflow: a buffer overrun in stack space. The attacker writes more data into a stack buffer than it can hold so that the overflow overwrites the saved return address, switching the flow of control to the injected malicious code.
New line injection attack: the attacker includes newline (CR/LF) characters in input that is written to a log file, so the text after the newline appears as a separate, forged log entry.
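As an added example (not from the original notes): a naive logger that is open to newline injection, the hardened form beside it, and the query an analyst would run against each. The record format, the function names and the attacker input are all constructed for this illustration.

```python
import re

TS = "2024-05-01T10:00:00Z"      # fixed timestamp so the output is deterministic
ATTACKER_IP = "203.0.113.9"      # constructed; from the documentation range


def naive_log_line(user, ip, outcome):
    """Vulnerable logger: the user-controlled field is written verbatim."""
    return f"{TS} LOGIN ip={ip} result={outcome} user={user}\n"


def escape_field(value):
    """Allow only a small safe alphabet in a field; everything else (CR, LF,
    spaces, '=', backslash, ...) becomes a visible \\xNN / \\uNNNN escape, so a
    field can never contain a record separator or a fake key=value token."""
    def esc(m):
        code = ord(m.group())
        return "\\x%02x" % code if code < 0x100 else "\\u%04x" % code
    return re.sub(r"[^A-Za-z0-9._@:-]", esc, str(value))


def safe_log_line(user, ip, outcome):
    """Hardened logger: one call always yields exactly one record, and the
    injection attempt stays visible in the user field instead of vanishing."""
    return (f"{TS} LOGIN ip={escape_field(ip)} result={escape_field(outcome)} "
            f"user={escape_field(user)}\n")


# Constructed attacker input: a username that embeds a newline followed by a
# complete fake record claiming a successful admin login from localhost.
FORGED_USERNAME = f"alice\n{TS} LOGIN ip=127.0.0.1 result=SUCCESS user=admin"

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN ip=(?P<ip>\S+) result=(?P<result>\S+) user=(?P<user>\S+)$")


def parse_records(log_text):
    """Split log text into records the way a line-oriented parser or SIEM does."""
    records = []
    for line in log_text.split("\n"):
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def admin_successes(log_text):
    """The query an analyst would run: successful logins as admin."""
    return [r for r in parse_records(log_text)
            if r["user"] == "admin" and r["result"] == "SUCCESS"]


def injection_attempts(log_text):
    """Detection on the hardened log: a field carrying an escaped CR or LF is
    someone trying to forge a record."""
    return [r for r in parse_records(log_text)
            if re.search(r"\\x0[ad]", r["user"] + r["ip"] + r["result"])]


if __name__ == "__main__":
    naive = naive_log_line(FORGED_USERNAME, ATTACKER_IP, "FAIL")
    safe = safe_log_line(FORGED_USERNAME, ATTACKER_IP, "FAIL")
    print("naive records:", parse_records(naive))
    print("naive admin successes:", admin_successes(naive))
    print("safe records:", parse_records(safe))
    print("safe injection attempts:", injection_attempts(safe))
```

With the naive logger one failed login from the attacker's address produces two records, and the second one reads as a genuine admin success from 127.0.0.1. The hardened logger produces one record whose user field still contains the whole attempt as escapes, which is what you want from an evidentiary standpoint: the forgery is defeated and preserved at the same time. Structured (JSON) logging with proper encoding achieves the same end.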
Computer Security logs – contain information about events on an organization's systems and network
ii. Audit Logs: security event information such as failed authentications, file access, policy changes and account changes
Popular Event IDs
UDP port 123 - NTP
Event Correlation Approaches:
What is Steganography?
Hiding a secret message within an ordinary message (the carrier) and extracting it at the destination, so that the existence of the data itself stays hidden.
Example: a popular method is hiding a file inside an image, i.e. using the image file as the cover.
Technical steganography: uses physical and chemical means to hide the existence of a message. Examples – invisible ink, microdots; in computers, using redundant information in pictures, text, sound etc.
Linguistic steganography: uses written natural language to hide the message in the carrier in some non-obvious way.
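As an added example (not from the original notes) of the "file inside an image" method: least-significant-bit embedding in raw 8-bit pixel samples, the matching extractor, and the sanity check an extractor needs when pointed at a carrier that holds no payload. The cover "image" is a constructed 64x64 grayscale gradient and the function names are my own.

```python
COVER = bytes(i % 256 for i in range(64 * 64))   # constructed 64x64 8-bit grayscale gradient
SECRET = b"meet at dawn"                          # constructed payload


def hide(cover, secret):
    """Embed `secret` in the least-significant bit of consecutive cover samples.

    Layout: a 32-bit big-endian length, then the payload, MSB first within
    each byte. Eight cover samples carry one payload byte, so a cover needs
    8 * (4 + len(secret)) samples.
    """
    payload = len(secret).to_bytes(4, "big") + secret
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} samples, have {len(cover)}")
    stego = bytearray(cover)
    for i in range(needed):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        stego[i] = (stego[i] & 0xFE) | bit          # each sample changes by at most 1
    return bytes(stego)


def _read_bits(stego, first_bit, nbits):
    """Collect nbits LSBs starting at sample first_bit into an integer."""
    value = 0
    for i in range(first_bit, first_bit + nbits):
        value = (value << 1) | (stego[i] & 1)
    return value


def extract(stego):
    """Recover the payload; reject carriers whose length field is nonsense."""
    length = _read_bits(stego, 0, 32)
    if 32 + length * 8 > len(stego):
        raise ValueError(f"length field {length} exceeds carrier; no valid payload")
    return _read_bits(stego, 32, length * 8).to_bytes(length, "big")


def max_pixel_change(cover, stego):
    """Largest per-sample difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def demo():
    return extract(hide(COVER, SECRET))


if __name__ == "__main__":
    print(demo())
```

Two practical caveats: the LSB plane only survives lossless formats (BMP, PNG); a JPEG re-encode destroys it. And because a clean image's LSBs are not uniformly random while an embedded payload's are, statistical tests on the LSB plane (chi-square on value pairs, RS analysis) are the usual way steganalysis detects this method even without knowing the payload.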
Cache Memory and History Analysis:
Active Directory - NTDS.DIT (the domain account database) –
For a standalone system it is the SAM (Security Account Manager) file – in System32\Config, with an additional copy possibly in the repair folder.
NTLMv2 is the latest NTLM version used by Windows:
Sigverif (File Signature Verification): shows unsigned drivers
What is the Master Boot Record?
The MBR is the first sector of a data storage device such as a hard disk. It holds the boot code and the partition table, which describes the logical partitions like C:, D: (max 4 entries). For each partition it records:
- Partition (file system) type
- Start/end address (CHS format)
- Whether the partition is bootable or not
- Works with drives up to 2 TB only (32-bit LBA sector fields)
Boot Loader - a small piece of code that loads the operating system; the first stage lives in the MBR's boot code area.
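As an added example (not from the original notes): a parser for the MBR partition table described above, run over a constructed 512-byte sector with two entries. The layout it decodes (table at offset 446, four 16-byte entries, 0x55AA signature) is the real on-disk format; the sample entries and the function names are mine.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
MAX_ENTRIES = 4
BOOT_SIGNATURE = b"\x55\xAA"
MAX_MBR_BYTES = 2 ** 32 * SECTOR_SIZE    # 32-bit LBA fields: 2 TiB with 512-byte sectors

PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}


def encode_chs(cylinder, head, sector):
    """Pack a C/H/S triple into the 3-byte on-disk form (10-bit cylinder,
    8-bit head, 6-bit sector; the cylinder's top two bits share byte 1)."""
    return bytes([head & 0xFF,
                  (sector & 0x3F) | ((cylinder >> 2) & 0xC0),
                  cylinder & 0xFF])


def decode_chs(raw):
    """Inverse of encode_chs; returns (cylinder, head, sector)."""
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, raw[0], raw[1] & 0x3F


def parse_mbr(sector):
    """Return the used partition entries of a 512-byte MBR sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not an MBR, or tampered")
    entries = []
    for n in range(MAX_ENTRIES):
        off = PARTITION_TABLE_OFFSET + n * ENTRY_SIZE
        status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_SIZE])
        if ptype == 0x00 and sectors == 0:
            continue                                   # unused slot
        entries.append({
            "slot": n + 1,
            "bootable": status == 0x80,                # 0x80 = active, 0x00 = inactive
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),            # (1023,254,63) means "beyond CHS range"
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR_SIZE,
            # The last sector must itself be addressable in 32 bits; a start
            # plus length that wraps past 2^32 is a malformed (or forged) entry.
            "addressable": lba_start + sectors - 1 < 2 ** 32,
        })
    return entries


def make_entry(bootable, ptype, chs_start, chs_end, lba_start, sectors):
    """Build one 16-byte partition entry (used only to construct the sample)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                       encode_chs(*chs_start), ptype, encode_chs(*chs_end),
                       lba_start, sectors)


# Constructed sample: zeroed boot code, a 512 MiB active NTFS partition starting
# at sector 2048, a 2 GiB Linux partition right after it, two empty slots.
SAMPLE_MBR = (
    bytes(PARTITION_TABLE_OFFSET)
    + make_entry(True, 0x07, (0, 32, 33), (1023, 254, 63), 2048, 1_048_576)
    + make_entry(False, 0x83, (1023, 254, 63), (1023, 254, 63), 1_050_624, 4_194_304)
    + bytes(2 * ENTRY_SIZE)
    + BOOT_SIGNATURE
)

if __name__ == "__main__":
    for entry in parse_mbr(SAMPLE_MBR):
        print(entry)
```

On a real image the same sector is simply `open(path, "rb").read(512)` (or `dd if=/dev/sdX bs=512 count=1`). Type 0xEE with a single entry spanning the disk is the protective MBR of a GPT disk, which is the case where the 2 TB limit no longer applies and the real table lives in the following sectors.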
When an OS marks a cluster as used but does not allocate any file to it, that cluster is a lost cluster.
In Windows, the ScanDisk utility (older versions) or Check Disk (chkdsk, Windows 10) can identify such lost clusters.
Another way to check the status of your hard disk is through the command prompt in Windows: