Day 6 - CyberOps 200-201 Host-Based Analysis


Welcome to Cyber Ops

Syllabus
Good Resources
▪ Cisco CyberOps Prep
❖ CyberOps Associate self-study plan
❖ FREE!!!!

https://mkto.cisco.com/cyberops-prep.html

▪ DetectionLab
❖ Scripts that build a small Windows domain lab with security logging and detection tooling pre-installed, for testing detections against a realistic Active Directory environment (the project is now archived but still usable)
❖ https://detectionlab.network

MyComputerCareer.com 4
Host-Based Analysis
• Certificate Components Overview
• Host Based Analysis Intrusion Detection
• Operating System Components (Windows and Linux)
• Attribution Role in Investigation
• Evidence Types Used in Logs
Certificate Components Overview
▪ Cipher-Suite
❖ A cipher suite names the set of algorithms a connection uses. In TLS that is the key exchange method, the authentication (signature) algorithm, the bulk encryption cipher, and the MAC or hash algorithm.
❖ A cipher is a set of rules, also called an algorithm, for how to perform encryption or decryption.
❖ Common methods that classical ciphers use include the following:
❑ Substitution: each character is replaced by another character (a Caesar shift is the simplest case).
❑ Polyalphabetic: similar to substitution, but several substitution alphabets are used and the key decides which alphabet applies to each position of the message (Vigenère is the classic example).
❑ Transposition: the characters are kept but their positions are rearranged. For example, if we have the message "This is secret," we could write it out in a grid (top to bottom, left to right) and read it back out following a rule given by the key, such as starting at the top-right corner and spiraling clockwise inward.

Certificate Components Overview
▪ Cipher-Suite
❖ Block and Stream Ciphers
❑ Encryption algorithms operate either on fixed-size blocks of data or on a continuous stream of bits or bytes, depending on the type of cipher.
❑ A block cipher is a symmetric key cipher that operates on a group of bits called a block.
• A block cipher may take a 64-bit block of plaintext (DES) or a 128-bit block (AES) and produce a ciphertext block of the same size. The same key is used to encrypt and to decrypt.
• A mode of operation (CBC, CTR, GCM) defines how successive blocks are chained so that a message longer than one block can be processed safely.
❖ Examples of symmetric block cipher algorithms include the following:
❑ Advanced Encryption Standard (AES): the current standard
❑ Triple Data Encryption Standard (3DES): deprecated
❑ Blowfish
❑ Data Encryption Standard (DES): 56-bit key, broken, should not be used
❑ International Data Encryption Algorithm (IDEA)

Certificate Components Overview
▪ Cipher-Suite (cont.)
▪ Stream Ciphers
❖ A stream cipher is a symmetric key cipher
❑ The plaintext is combined one bit (or byte) at a time with the bits of a key stream, also called a cipher digit stream, normally by XOR.
❑ The resulting output is a ciphertext stream.
❑ Because a stream cipher does not have to pad data to a block size, it can have slightly less overhead than a block cipher.
❑ RC4 is the best-known example; it is broken and no longer permitted in TLS. A key stream must never be reused, because XORing two ciphertexts produced with the same key stream cancels the key stream and exposes the XOR of the two plaintexts.

Certificate Components Overview
▪ X.500 and X.509v3 Certificates
❖ X.509v3 is the format for digital certificates issued by a CA.
❖ X.500 is a series of standards focused on directory services and how those directories are organized.
❖ Many directory services are based on X.500, including Microsoft Active Directory.
❖ X.509 version 3 is the widely accepted standard for digital certificates and uses the same directory naming conventions: the subject and issuer fields are X.500 distinguished names (CN=, OU=, O=, C=).
❖ A common protocol used to perform lookups in a directory is the Lightweight Directory Access Protocol (LDAP).
❖ A common use is certificate-based authentication followed by an LDAP lookup of the certificate's subject in the directory to decide what that identity is allowed to do.

Certificate Components Overview
▪ X.509 Certificates (cont.)
❖ As a review, most digital certificates contain the following information:
❖ Version: the X.509 version (v3 adds extensions).
❖ Serial number: assigned by the CA and unique among the certificates that CA issues; revocation lists refer to certificates by serial number.
❖ Subject: the person or entity being identified (an X.500 distinguished name, usually supplemented by the Subject Alternative Name extension).
❖ Signature algorithm: the algorithm the CA used to sign the certificate (for example sha256WithRSAEncryption).
❖ Signature: the CA's digital signature over the certificate body, which relying parties verify with the CA's public key to confirm the certificate is authentic and unmodified.
❖ Issuer: the CA that created and signed the certificate.
❖ Valid from: the date the certificate became valid.
❖ Valid to: the expiration date of the certificate.
❖ Key usage: the functions the public key may be used for (digital signature, key encipherment, certificate signing, and so on).
❖ Public key: the public half of the key pair generated by the subject; the private half never leaves the subject.
❖ Thumbprint algorithm and thumbprint: the thumbprint (fingerprint) is not a field stored inside the certificate. It is the hash (SHA-1 or SHA-256) of the entire encoded certificate, computed by whoever displays it, and is used to identify or pin a specific certificate.
❖ Certificate revocation list location: the URL (CRL distribution point) a relying party can check to see whether this certificate's serial number has been revoked; OCSP is the per-certificate alternative.
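How the fields listed above sit in a certificate's DER encoding, as an added example (not code from the slides). Real certificates are ASN.1 DER structures; this block builds a cut-down TBSCertificate carrying only the serial number and validity period (real ones also hold issuer, subject, public key and extensions) with a tiny DER encoder, parses it back with a generic tag-length-value reader, and derives the thumbprint as a hash over the encoded bytes. The placeholder signature bytes are constructed, not a real signature.

```python
"""Minimal DER round trip for the serial number, validity and thumbprint of a
certificate. Added example, not from the slides; the structure is cut down
to two fields and the signature is a constructed placeholder."""
import hashlib
from datetime import datetime, timezone

SEQUENCE, INTEGER, UTCTIME, BIT_STRING = 0x30, 0x02, 0x17, 0x03


def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short-form or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def der_int(value: int) -> bytes:
    """DER INTEGER: minimal two's-complement, so a leading 0x00 is added
    when the top bit is set (serial numbers must be positive)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return tlv(INTEGER, raw)


def der_utctime(dt: datetime) -> bytes:
    """UTCTime as used by X.509 for dates before 2050: YYMMDDHHMMSSZ."""
    return tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next N bytes hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_toy_certificate(serial: int, not_before: datetime, not_after: datetime) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signature } (cut down)."""
    validity = tlv(SEQUENCE, der_utctime(not_before) + der_utctime(not_after))
    tbs = tlv(SEQUENCE, der_int(serial) + validity)
    fake_sig = tlv(BIT_STRING, b"\x00" + b"\xAA" * 8)   # constructed placeholder
    return tlv(SEQUENCE, tbs + fake_sig)


def parse_toy_certificate(cert: bytes) -> dict:
    """Walk the TLVs and recover what a certificate viewer would display."""
    _, outer, _ = read_tlv(cert)
    _, tbs, _ = read_tlv(outer)
    tag, serial_raw, pos = read_tlv(tbs)
    assert tag == INTEGER
    _, validity, _ = read_tlv(tbs, pos)
    _, nb, pos2 = read_tlv(validity)
    _, na, _ = read_tlv(validity, pos2)

    def utc(b: bytes) -> datetime:
        return datetime.strptime(b.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

    return {
        "serial": int.from_bytes(serial_raw, "big", signed=True),
        "not_before": utc(nb),
        "not_after": utc(na),
        # Thumbprint is computed over the whole DER blob, not read from a field.
        "thumbprint_sha256": hashlib.sha256(cert).hexdigest(),
    }


def is_valid_at(fields: dict, when: datetime) -> bool:
    return fields["not_before"] <= when <= fields["not_after"]


def demo() -> dict:
    """Round-trip a constructed certificate and show that any byte change
    (here in the signature) changes the thumbprint."""
    nb = datetime(2024, 1, 1, tzinfo=timezone.utc)
    na = datetime(2025, 1, 1, tzinfo=timezone.utc)
    cert = build_toy_certificate(0x1A2B3C, nb, na)
    fields = parse_toy_certificate(cert)
    tampered = cert[:-1] + bytes([cert[-1] ^ 0x01])
    return {
        "serial_hex": f"{fields['serial']:x}",
        "valid_mid_2024": is_valid_at(fields, datetime(2024, 6, 1, tzinfo=timezone.utc)),
        "valid_mid_2025": is_valid_at(fields, datetime(2025, 6, 1, tzinfo=timezone.utc)),
        "thumbprint_changes_on_tamper":
            parse_toy_certificate(tampered)["thumbprint_sha256"] != fields["thumbprint_sha256"],
    }
```

The point worth keeping from this: a thumbprint pins one exact byte sequence, so reissuing a certificate (new serial, new validity) changes the thumbprint even when the subject and key stay the same. Python's %y maps 00-68 to 2000-2068 while X.509 maps 00-49 to 20xx; for real parsing use a library such as cryptography rather than this reader.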

Certificate Components Overview
▪ X.509 Certificates Sample

Certificate Components Overview
▪ Key Exchange
❖ Key exchange is the process by which two parties agree on the keys needed for encryption, either by sending a key protected with the other side's public key or by deriving a shared secret (Diffie-Hellman).
❖ The key is the secret that selects how the cipher transforms the data; in the transposition example earlier, it is the instruction for how to reassemble the characters (for example: begin at the top-right corner and move clockwise, spiraling inward).
❖ A One-Time Pad (OTP) is the classic example of a key that is used only once.
❖ To encrypt a 32-bit message, we use a 32-bit random key, also called the pad, which is used one time only.
❖ Each bit of the pad is XORed with the corresponding bit of the message, and the result is the ciphertext; XORing the ciphertext with the same pad recovers the message.
❖ The pad must be truly random, as long as the message, kept secret, and never reused; reusing it turns an unbreakable scheme into a trivially broken one.
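The XOR key-stream operation behind both the stream cipher passage above and the one-time pad, as an added example (not code from the slides). With a random pad as long as the message it is a one-time pad; with a generator producing the key stream it is the core of every stream cipher. The second half shows the reuse failure: two ciphertexts under the same pad XOR to the XOR of the plaintexts, and a guess at one message (a crib) reveals the other. Both messages are constructed samples.

```python
"""XOR key-stream encryption and the two-time-pad failure.
Added example, not from the slides."""
import os


def keystream_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the same pad is its own inverse."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What an eavesdropper learns from two messages under one pad:
    ct1 XOR ct2 == (pt1 XOR pad) XOR (pt2 XOR pad) == pt1 XOR pt2."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def recover_with_crib(leak: bytes, known_plaintext: bytes) -> bytes:
    """If one plaintext is known or guessed (a crib), the other falls out
    byte for byte: (pt1 XOR pt2) XOR pt1 == pt2."""
    return bytes(l ^ k for l, k in zip(leak, known_plaintext))


def demo() -> dict:
    msg = b"This is secret"              # constructed sample message
    pad = os.urandom(len(msg))          # fresh random pad, as long as the message
    ct = keystream_xor(msg, pad)
    roundtrip_ok = keystream_xor(ct, pad) == msg

    # Misuse: the same pad protects a second message of the same length.
    msg2 = b"Attack at dawn"            # constructed sample message
    ct2 = keystream_xor(msg2, pad)
    leak = two_time_pad_leak(ct, ct2)   # the pad has cancelled out entirely
    recovered = recover_with_crib(leak, msg)  # attacker who guesses msg gets msg2
    return {
        "roundtrip_ok": roundtrip_ok,
        "ciphertext_differs": ct != msg,
        "leak_is_pt_xor": leak == bytes(a ^ b for a, b in zip(msg, msg2)),
        "recovered_second_message": recovered,
    }
```

The same arithmetic applies to RC4, ChaCha20 or AES-CTR whenever a key and nonce pair is repeated, which is why nonce reuse in those modes is treated as a key compromise.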

Certificate Components Overview
▪ Key Exchange
Public and Private Key Pairs
❖ A key pair is a set of two mathematically related keys that work together. In a typical key pair, you have one public key and one private key.
❖ The public key may be shared with everyone; the private key is never shared with anyone.
❖ This is asymmetric encryption, also called public key cryptography or asymmetric key cryptography.
❖ Asymmetric algorithms are used for more than authentication: for key exchange (encrypting a session key to the other party's public key) and for digital signatures, where the private key signs and the public key verifies.

Certificate Components Overview
▪ Protocol Version
❖ Digital certificates are used by many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web.
All SSL versions and TLS 1.0 and 1.1 are deprecated; TLS 1.2 and TLS 1.3 are the versions considered secure today.
▪ PKCS
❖ Public Key Cryptography Standards (PKCS)
❖ Many standards are in use for PKI.
❖ Many of them have Public Key Cryptography Standards (PKCS) numbers.
❖ These standards control the format and use of certificates for:
❑ Requests to a CA for new certificates,
❑ The format for a file that is going to be the new identity certificate,
❑ The file format and usage access for certificates.
❖ Having the standards in place helps with interoperability between different CA servers and many different CA clients.

Certificate Components Overview
PKCS (cont.)
▪ Here are a few standards you should become familiar with; these include protocols by themselves and protocols used for working with digital certificates:
❖ PKCS #1: The RSA cryptography standard (key formats, encryption and signature padding schemes).
❖ PKCS #3: Diffie-Hellman key exchange.
❖ PKCS #7: A container format (now the Cryptographic Message Syntax, CMS) that a CA can use as the response to a PKCS #10 request. The response normally carries the issued identity certificate and the CA chain, commonly as a .p7b file.
❖ PKCS #10: The format of a certificate signing request (CSR) sent to a CA by an entity that wants an identity certificate. The request includes the entity's public key and subject name and is signed with the matching private key to prove possession of it.
❖ PKCS #12: A format for storing a certificate together with its private key in one file (.p12 or .pfx), protected with a symmetric key derived from a password that must be supplied whenever the private key is accessed. Handle a .pfx with the same care as the private key itself.

Among MD5, SHA-1, and SHA-2, which is the
most secure?

A. SHA-1
B. SHA-2
C. MD5
D. They are all equally secure

© 2018 My Computer Career. All Rights Reserved. 17



Which of the following is a format for storing both public
and private keys using a symmetric password-based key
to “unlock” the data whenever the key needs to be used
or accessed?

A. PKCS #12
B. PKCS #10
C. PKCS #7
D. PKCS #2


Which of the following are examples of hashing
algorithms? (Pick 2)

A. SHA
B. AES
C. MD5
D. RC4


Which of the following are examples of asymmetric
encryption algorithms? (Pick 2)

A. AES
B. SHA
C. Diffie-Hellman
D. RSA


Which of the following are examples of symmetric
encryption algorithms? (pick 2)

A. AES
B. IDEA
C. Diffie-Hellman
D. MD5


Which of the following is a format of a certificate request
sent to a CA that wants to receive its identity certificate?
This type of request would include the public key for the
entity desiring a certificate.

A. PKCS #1
B. PKCS #7
C. PKCS #10
D. PKCS #12


What is SSH used for? (select the best answer)

A. Remote access
B. To provide a client-based VPN solution for remote users
C. Managing network equipment remotely
D. Preventing man-in-the-middle attacks by securing traffic
between the client and server


Which of the following is a true statement?

A. A remote access VPN must include a host installed on the client
B. A clientless VPN can connect multiple concentrators together
C. A remote access VPN may include a host installed on the client
D. A clientless VPN installs software on the host to establish the
VPN connection

Which of the following is not a possible outcome of a
resource exhaustion attack?

A. Corrupting applications by modifying the code
B. A denial of service on the target system
C. Bypassing access control security
D. Causing blackouts in network monitoring

Which of the following is not a technique used to keep
an IPS from reassembling fragmented packets?

A. Encrypting traffic
B. TCP segmentation and reordering attack
C. Overlapping fragments
D. Sending traffic very slowly

Which of the following is the best explanation of an
overlapping fragment attack?

A. This attack works by setting the offset values in the IP header
to match up, causing one fragment to overlap another
B. This attack works by setting the TCP values in the IP header
to not match up, causing one fragment to overlap another
C. This attack works by setting the UDP values in the IP header
to match up, causing one fragment to overlap another
D. This attack works by setting the offset values in the IP header
to not match up, causing one fragment to overlap another

Which of the following best describes a timing attack?

A. Sending a ton of traffic to render the system or data
useless
B. Sending traffic in a method that is slower than the
system can accept
C. Sending traffic slowly enough where the system can
accept it but overlooks it
D. Sending the traffic over different protocols

Which of the following is an example of a traffic
substitution and insertion attack?

A. Inputting more characters than requested
B. Using functions and classes
C. Changing spaces with tabs
D. Inputting wildcard characters

Which of the following is not a method used to pivot
within a network?

A. Exploiting a host on the same network
B. Creating a back door to the network
C. VLAN hopping
D. Exploiting a network server

Which is the best answer to explain why Cisco Identity
Services Engine would reduce the risk of pivoting to a higher,
trusted network?

A. ISE ensures systems have the latest antivirus
updates prior to permitting access to the network
B. ISE can unify and enforce the LAN, wireless, and
VPN access control policies into one secure policy
C. ISE can profile devices, providing greater detail on
which ones can access what resources
D. ISE enforces network segmentation

Which of the following statements is not true about SSH?

A. SSH uses TCP port 22
B. SSH is composed of an SSH server, clients and
keys
C. SSH uses asymmetric encryption
D. SSH encrypts traffic between a client and an SSH
server

Host-Based Analysis
▪ Host-Based Analysis
❖ Different technologies can be deployed on a host to gather information for analysis.
❖ Information such as who logged on, who or what accessed certain operating system components, what applications are running on the host, and whether the host has been compromised by malware or an intruder.
❖ Host-based intrusion detection/prevention system (HIDS/HIPS)
❖ Antimalware and antivirus
❖ Host-based firewalls
❖ Application-level whitelisting/blacklisting
❖ Systems-based sandboxing

https://cyber-defense.sans.org/resources/papers/gsec/host-vs-network-based-intrusion-detection-systems-102574

Host-Based Analysis
▪ Host-Based Intrusion Detection
❖ A Host-Based IDS (HIDS) or IPS (HIPS) is specialized software that interacts with the host operating system to provide access control and threat protection.
❖ It also includes network detection and protection capabilities on the host's network interface cards.
❖ Used for end-host security policy enforcement and for compliance and audit control.
❖ Usually inserts itself between the applications and the operating system kernel and monitors the system calls applications make to the kernel (file, registry, network and process operations).
❖ It adopts most of the detection techniques used by a NIDS/NIPS, such as signature-based, anomaly-based and heuristic-based detection.

Host-Based Analysis
▪ Host-Based Intrusion Detection (cont.)
❖ A disadvantage of a host-based system is that it has visibility only into traffic or attacks that reach the host it runs on and sees nothing else on the network.
❖ Many commercial products offer central management and integration with network-based intrusion systems to overcome this limitation.
❖ Most security architectures adopt both network-based and host-based solutions.
▪ The Cisco Security Agent (CSA), the classic example used in this course (the product itself is end-of-life and has been superseded by Cisco AMP for Endpoints, now Secure Endpoint), resides between the applications and the kernel, enabling maximum application visibility with minimal effect on the stability and performance of the underlying operating system. The agent can intercept all system calls to:
▪ File, network and registry resources
▪ Dynamic runtime resources, such as memory pages, shared library modules and Component Object Model (COM) objects

Host-Based Analysis
Network-Based vs. Host-Based Detection/Prevention Systems

Cisco CSA Host Implementation

Cisco Security Agent Network Implementation

Host-Based Analysis
▪ Anti-Malware and Antivirus
❖ The terms antivirus and antimalware are generally used interchangeably.
❖ Software that can be used to detect and prevent the installation of computer malware and, in some cases, quarantine affected files or computers.
❖ Eradicate the malware and restore the operation of the system.
❖ Traditional antivirus was signature-based software that scanned a system or a downloaded file looking for a match in its signature database.
❖ The signature database usually resided on the host itself.
❖ The user was required to download new signatures to keep the protection current.
❖ Antimalware integrates the original functionality of antivirus and expands it with behavioral and reputation-based detection to cope with most modern malware techniques, including malware that changes its bytes to defeat static signatures.

Host-Based Analysis
▪ Anti-Malware and Antivirus (cont.)
❖ Similar to IDS and IPS, anti-malware technologies can be implemented in two modes: host-based and network-based.
❑ Network-based antimalware:
• Shares most of the same benefits and limitations as a NIDS compared with a HIDS: it sees every host on the segment, but not encrypted content or what happens on the endpoint.
• Integrated with other functional devices such as email gateways, web proxies, or intrusion prevention systems.
• For example, Cisco ESA, Cisco WSA, and Cisco Firepower Next-Gen IPS all include antimalware features.
❑ Cisco Advanced Malware Protection (AMP) comes as host-based antimalware, known as AMP for Endpoints (now Cisco Secure Endpoint), and network-based antimalware, known as AMP for Networks.
❖ Antivirus scanning on the Cisco Email Security Appliance (ESA) integrates antivirus engines from McAfee and Sophos.

Host-Based Analysis
Network-Based vs. Host-Based Antivirus/Antimalware Systems

Host-Based Analysis
▪ Host-Based Firewall
❖ Host-based firewalls are often referred to as "personal firewalls."
❖ Personal firewalls and Host Intrusion Prevention Systems (HIPS) are software applications installed on end-user machines or servers.
❖ The term personal firewall typically applies to basic software that controls Layer 3 and Layer 4 access (IP addresses, protocols and ports) to and from the client machine; Windows Defender Firewall and Linux nftables/iptables are the built-in examples.
❖ A HIPS provides several features offering more robust security than a traditional personal firewall, such as host intrusion prevention and protection against spyware, viruses, worms and Trojans.
❖ More sophisticated endpoint software is available on the market that makes basic personal firewalls and HIPS look limited in comparison.
❖ Cisco Advanced Malware Protection (AMP) for Endpoints provides more granular visibility and controls to stop advanced threats missed by other security layers.

Host-Based Analysis
▪ Host-Based Firewall (cont.)
❖ Cisco AMP for Endpoints
❑ Takes advantage of telemetry from big data,
❑ Continuous analysis, and advanced analytics provided by Cisco threat intelligence to detect, analyze, and stop advanced malware.
❑ Provides advanced malware protection for many operating systems, including the following:
• Windows
• macOS (Mac OS X)
• Android
❖ Cisco acquired a security company called Threat Grid that provides cloud-based and on-premises malware analysis (sandboxing) solutions.
❖ Cisco integrated Cisco AMP and Threat Grid to provide a solution for advanced malware analysis with deep threat analytics.

Cisco AMP ( Cisco Secure Endpoint)

Host-Based Analysis
▪ Application-Level Whitelisting and Blacklisting
Three different concepts are defined: whitelisting, blacklisting, and graylisting (today also called allow listing, deny listing and gray listing):
Whitelist:
❖ A list of specific things that are authorized to be installed or active on a system, in accordance with a predetermined baseline; anything not on the list is denied.
❖ Application whitelisting can be used to stop threats on managed hosts where users are not able to install or run applications without authorization.
❖ For example, if a kiosk or server needs only one application, you can whitelist that application and prohibit running any additional applications on the system.
❖ Different application file and folder attributes can be used to identify a whitelisted application. The following are a few examples:

Host-Based Analysis
▪ Application-Level (cont.)
Whitelist (cont.)
❖ File path:
❑ Permit all applications contained within a particular path or directory/folder.
❑ This is a very weak attribute if used by itself, because it allows any malicious file placed in that path/directory to be executed; it only holds up when users cannot write to the whitelisted directories.
❖ Filename:
❑ This is also a weak attribute if used in isolation, because an attacker can simply rename a malicious file to match a common benign file.
❑ It is recommended to combine path and filename attributes with strict access controls, or to combine a filename attribute with a digital signature attribute.
❖ File size:
❑ Monitoring the file size assumes that a malicious version of an application would have a different file size than the original.
❑ Attackers can pad or trim a file to any given size, so this attribute is weak on its own as well.
❖ The strong attributes are digital signatures (publisher rules) and cryptographic hashes. Use SHA-256; MD5 and SHA-1 are collision-prone. A hash rule must be updated every time the application is patched, which is the operational cost of its precision.
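Each attribute above applied to a file, as an added example (not code from the slides). It creates a "trusted" stand-in binary in a temporary directory, records a rule for it, then overwrites it with an attacker's file that keeps the same directory, name and size. The rule keys and the expected directory are assumptions of this example, and the file contents are constructed, not real executables.

```python
"""Allow-list decisions by path, filename, size and SHA-256 hash, evaluated
against constructed files. Added example, not from the slides."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def evaluate(path: Path, rule: dict) -> dict:
    """One verdict per attribute. Rule keys are assumptions of this example:
    allowed_dir, allowed_name, allowed_size, allowed_sha256."""
    return {
        "path": path.resolve().parent == Path(rule["allowed_dir"]).resolve(),
        "name": path.name == rule["allowed_name"],
        "size": path.stat().st_size == rule["allowed_size"],
        "sha256": sha256_file(path) == rule["allowed_sha256"],
    }


def demo() -> dict:
    """Build the trusted file, write the rule, then swap in an attacker file
    that matches every weak attribute and apply the rule to both."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d) / "Program Files" / "Tool"
        bin_dir.mkdir(parents=True)
        good = bin_dir / "tool.exe"
        good.write_bytes(b"MZ" + b"legit code " * 10)   # constructed stand-in, 112 bytes
        rule = {
            "allowed_dir": str(bin_dir),
            "allowed_name": "tool.exe",
            "allowed_size": good.stat().st_size,
            "allowed_sha256": sha256_file(good),
        }
        good_verdict = evaluate(good, rule)

        # Attacker overwrites the binary (or drops one into a writable allowed
        # directory), keeps the name, and pads the payload to the same size.
        evil = b"MZ" + b"evil code  " * 10
        assert len(evil) == rule["allowed_size"]
        good.write_bytes(evil)
        evil_verdict = evaluate(good, rule)
    return {"good": good_verdict, "evil": evil_verdict}
```

Path, name and size all still say "allowed" for the substituted file; only the hash rule fails it. That is the whole argument for hash or publisher-signature rules, and for keeping the whitelisted directories unwritable by ordinary users.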

Host-Based Analysis
▪ Application-Level (cont.)
Blacklist:
❖ A list of entities that have been determined to be malicious.
❖ Application blacklisting works by keeping a list of applications that will be blocked on a system, preventing those applications from installing or running.
❖ The major drawback of application blacklisting is that the number, diversity, and complexity of threats are constantly increasing, so the list is always behind: anything not yet known is allowed.
❖ The Cisco Firepower solutions include:
❑ The Security Intelligence feature, which allows you to immediately blacklist (block) connections and applications by IP address, URL or domain.
❑ File blocking based on the latest threat intelligence provided by the Cisco Talos research team, removing the need for a more resource-intensive, in-depth analysis.
Graylist:
❖ A list of objects that have not yet been established as either benign or malicious. Once additional information is obtained, graylist items can be moved onto a whitelist or a blacklist.

Host-Based Analysis
▪ Systems-Based Sandboxing
❖ Sandboxing limits the impact of security vulnerabilities and bugs in code to the restricted environment (the "sandbox") the code runs inside.
❖ The goal of sandboxing is to ensure that software bugs and exploits of vulnerabilities cannot affect the rest of the system and cannot install persistent malware on the system.
❖ It prevents exploits or malware from reading and stealing arbitrary files from the user's machine.
❖ Without a sandbox, an application runs with the full rights of the user and has complete access to user data and other system resources.
❖ Several system-based sandboxing implementations are available.
❖ Examples:
❑ Google Chromium sandboxing (renderer processes run with reduced privileges)
❑ Java JVM sandboxing
❑ HTML5 "sandbox" attribute for use with iframes

Host-Based Analysis
▪ Systems-Based Sandboxing - Example

Operating System Components (Windows)
▪ Process and Threads – Key Concepts
❖ A process is an instance of a program that the system is running.
❑ Each process provides the resources required to execute a program: a private virtual address space, executable code, open handles to system objects, a security context (access token), a unique process ID, and at least one thread.
❑ It is made up of one or more threads, which are the basic unit to which the operating system allocates processor time.
❑ The account starting it must have permission to run it within Windows.
❑ Each process starts with a single thread, known as the primary thread, but can create additional threads from any of its threads.
❖ A thread
❑ Is the basic unit to which the operating system allocates processor time.
❑ Can be executed during any part of the application runtime, including being created and scheduled by another thread.
❖ A job is a group of processes managed as a unit.
❖ A thread pool is a group of worker threads that efficiently execute asynchronous callbacks for the application.
❖ Windows stores the security context of a process in an access token that describes the user, group memberships and privileges the process runs with; a process created with CreateProcessWithTokenW runs under the security context of the supplied token. Attackers steal or duplicate tokens of privileged processes to escalate, so an investigator always checks which account a suspicious process is running as.

Operating System Components (Windows)

Operating System Components (Windows)
▪ Services
❖ Windows services are long-running executable applications that run in their own Windows session (session 0), separate from any logged-on user.
❖ Services run in the background without a user interface.
❖ Services can start automatically when the computer boots, before anyone logs on.
❖ Services run under a configured account (LocalSystem, LocalService, NetworkService, or a specific user), so they are ideal for functionality that must always be available regardless of who is logged on.
❖ Windows administrators can manage services using the Services snap-in (services.msc), sc.exe, or Windows PowerShell (Get-Service, Set-Service).
❖ The Services snap-in is the built-in services management console; it can connect to the local computer or to a remote computer on the network and lets the administrator start, stop, and configure services.

Operating System Components (Windows)
▪ Services (cont.)
❖ Services are a favorite target of attackers: a service listening on the network is reachable remotely, and a service running as LocalSystem is a privilege escalation path if its binary, configuration or registry entry can be modified by a less privileged user.
❖ Windows has hardened services in later versions of the operating system (service SIDs, least-privilege service accounts, session 0 isolation) after various attack methods were found.
❖ Best practice dictates disabling the following services, or blocking their ports on the host firewall, unless they are needed:
❑ TCP 53: DNS zone transfer
❑ TCP 135: RPC endpoint mapper
❑ TCP 139: NetBIOS session service
❑ TCP 445: SMB over TCP
❑ TCP 3389: Terminal Services (Remote Desktop)
❑ UDP 137: NetBIOS name service
❑ UDP 161: Simple Network Management Protocol
❑ TCP/UDP 389: Lightweight Directory Access Protocol
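A check for the list above, as an added example (not code from the slides): it parses output in the layout of `netstat -ano` and reports which of those ports are open, which process owns them, and whether they are bound to all interfaces or only to loopback. The sample output is constructed for the example, not a real capture; on a live Windows host replace it with the real `netstat -ano` output (Linux `ss -ltunp` has different columns and would need its own pattern).

```python
"""Listening-port audit against the service list above, run over constructed
`netstat -ano` output. Added example, not from the slides."""
import re

RISKY_PORTS = {   # (protocol, port) -> service, from the list above
    ("TCP", 53): "DNS zone transfer",
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB over TCP",
    ("TCP", 3389): "Terminal Services (RDP)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 161): "SNMP",
    ("TCP", 389): "LDAP",
    ("UDP", 389): "LDAP",
}

# Constructed sample in netstat -ano layout: Proto, Local, Foreign, State, PID.
# UDP lines carry no State column.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1340
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.20:49712     52.96.1.1:443          ESTABLISHED     3008
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:5353           *:*                                    2212
"""

# proto, local ip, local port, foreign (ignored), optional LISTENING, pid
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(LISTENING\s+)?(\d+)\s*$")


def parse_netstat(text: str):
    """Yield (proto, local_ip, port, pid) for listening TCP sockets and all
    UDP sockets; headers, ESTABLISHED lines and junk are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, ip, port, state, pid = m.groups()
        if proto == "TCP" and not state:
            continue
        yield proto, ip, int(port), int(pid)


def exposure_of(ip: str) -> str:
    if ip.startswith("127.") or ip == "[::1]":
        return "loopback only"
    if ip in ("0.0.0.0", "[::]"):
        return "all interfaces"
    return ip


def audit(text: str) -> list:
    """Return one finding per risky port that is open, with owner PID and exposure."""
    findings = []
    for proto, ip, port, pid in parse_netstat(text):
        service = RISKY_PORTS.get((proto, port))
        if service is None:
            continue
        findings.append({"proto": proto, "port": port, "pid": pid,
                         "service": service, "exposure": exposure_of(ip)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"{f['proto']}/{f['port']:<5} pid={f['pid']:<6} {f['exposure']:<15} {f['service']}")
```

The PID is the pivot to the next question (which service or binary owns the socket, via `tasklist /svc` or `Get-Process -Id`), and the exposure column separates a real finding from a loopback-only listener that needs no action.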

Operating System Components (Windows)

Operating System Components (Windows)
▪ Memory Allocation
❖ Memory can be managed in different ways, referred to as memory allocation or memory management.
❖ Static memory allocation is when the size and location of memory are fixed at compile time (globals and static variables).
❖ Dynamic memory allocation
❑ Is when a program allocates memory at runtime.
❑ Memory is handed out in blocks representing portions of allocated memory dedicated to the running program.
❖ A program requests a block of memory, which
❑ The memory manager assigns to the program.
❑ When the program releases it (or exits), the allocated blocks are returned and become available for other uses.
❖ A stack is the memory set aside as scratch space for a thread of execution: local variables, function arguments and return addresses, allocated and freed in strict last-in, first-out order as functions are called and return.
❖ A heap is memory set aside for dynamic allocation, where you put data on the fly. Unlike a stack, there is no enforced pattern to the allocation and deallocation of blocks from the heap, which is why heap bugs (use-after-free, double free, heap overflow) are harder to spot than stack bugs.

Operating System Components (Windows)
▪ Memory Allocation (cont.)
❖ VirtualAlloc is the allocation primitive of the OS virtual memory system: it reserves and/or commits whole pages of the process's virtual address space directly from the operating system.
❑ VirtualAlloc manages pages in the Windows virtual memory system.
❑ It is used for special-purpose allocations: very large allocations, memory that needs a specific address or page protection, or memory that will be shared. Executable pages are requested this way, which is why a VirtualAlloc call with PAGE_EXECUTE_READWRITE is a common indicator of shellcode or injected code.
❑ Allocating memory in the virtual memory system is the most basic form of memory allocation.
❖ HeapAlloc allocates any size of memory that is requested dynamically.
❑ Is a Windows API function.
❑ Designed to be very fast and used for general-purpose allocation.
❑ Heaps are set up by VirtualAlloc, which is used to initially reserve allocation space from the OS.
❑ Once the memory space is initialized by VirtualAlloc, various tables, lists, and other data structures are built to maintain the operation of the heap.

Operating System Components (Windows)

Operating System Components (Windows)
▪ Windows Registry
❖ Almost anything performed in Windows leaves a record in the registry.
❖ The Windows registry is a hierarchical database that stores the information necessary to configure the system for users, applications, and hardware.
Registry functions:
❑ Load device drivers,
❑ Run startup programs,
❑ Set environment variables,
❑ Store user settings,
❑ Store operating system parameters.
❖ View the Windows registry with the regedit command in the Run window, or from the command line with reg.exe (reg query).
❖ The Windows registry can contain very valuable information that is useful to cyber forensic professionals.
❑ Recently run programs (UserAssist, ShimCache and RunMRU keys),
❑ Programs that have been installed or uninstalled,
❑ Autostart entries such as the Run and RunOnce keys, which malware uses for persistence,
❑ Users who perhaps have been removed or created by a threat actor (SAM hive), and much more.

Operating System Components (Windows)
▪ Windows Registry (cont.)
❖ The following list names the five hives within the Windows registry:
❑ HKEY_CLASSES_ROOT (HKCR)
❑ HKEY_CURRENT_USER (HKCU)
❑ HKEY_CURRENT_CONFIG (HKCC)
❑ HKEY_LOCAL_MACHINE (HKLM)
❑ HKEY_USERS (HKU)

▪ A hive is a logical group of keys, subkeys, and values in the registry that has a
set of supporting files loaded into memory when the operating system is
started or a user logs in.

Operating System Components (Windows)
▪ Windows Management Instrumentation
❖ Administrators can use Windows Management Instrumentation (WMI) to track, monitor, and control computers, networking devices, and applications belonging to an enterprise network over the Internet by using a standard Web browser such as Microsoft Internet Explorer.
❖ Typical WMI tasks include:
❑ Providing information about the status of local or remote computer systems
❑ Configuring security settings
❑ Modifying system properties
❑ Changing permissions for authorized users and user groups
❑ Assigning and changing drive labels
❑ Scheduling times for processes to run
❑ Backing up the object repository
❑ Enabling or disabling error logging

Operating System Components (Windows)
▪ Handles
❖ A process handle is an integer value that identifies a process to Windows.
❑ The Win32 API calls them a handle.
❖ Handles hide the real memory address from the API user while permitting the system to reorganize physical memory transparently to the program.
❖ A handle associates access rights with an API memory value.
❖ A handle leak can occur if a handle is not released after being used.

Figure: shows how many handles a process has open.
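A handle leak shows up as a handle count that only ever climbs. The script below is an added example, not part of the course material: it takes a few constructed snapshots of per-process handle counts (the kind of figure the Handles column reports) and flags processes whose count rose in every sample and by more than a threshold overall. The `live_handle_count` helper is an added convenience that reads the current count through the documented Win32 calls `OpenProcess` and `GetProcessHandleCount`; it returns `None` on non-Windows hosts, and the sample process names and numbers are invented.

```python
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: handle counts per (pid, image name), one snapshot per minute,
# as a monitoring agent or the Task Manager "Handles" column might report them.
SNAPSHOTS: List[Dict[Tuple[int, str], int]] = [
    {(412, "svc_a.exe"): 1210, (980, "agent.exe"): 300, (1502, "explorer.exe"): 2405},
    {(412, "svc_a.exe"): 1450, (980, "agent.exe"): 310, (1502, "explorer.exe"): 2380},
    {(412, "svc_a.exe"): 1702, (980, "agent.exe"): 305, (1502, "explorer.exe"): 2410},
    {(412, "svc_a.exe"): 1955, (980, "agent.exe"): 312, (1502, "explorer.exe"): 2398},
    {(412, "svc_a.exe"): 2210, (980, "agent.exe"): 308, (1502, "explorer.exe"): 2402},
]


def handle_series(snapshots: List[Dict[Tuple[int, str], int]]) -> Dict[Tuple[int, str], List[int]]:
    """Regroup the per-snapshot counts into one time series per (pid, name)."""
    series: Dict[Tuple[int, str], List[int]] = {}
    for snap in snapshots:
        for key, count in snap.items():
            series.setdefault(key, []).append(count)
    return series


def suspected_leaks(snapshots, min_samples: int = 4, min_growth: int = 500):
    """Flag processes whose handle count rose in every consecutive sample and grew
    by at least min_growth overall. Healthy processes fluctuate; a leak only climbs.
    Returns (pid, name, first_count, last_count, growth_per_sample) tuples."""
    found = []
    for (pid, name), counts in handle_series(snapshots).items():
        if len(counts) < min_samples:
            continue
        monotonic = all(later > earlier for earlier, later in zip(counts, counts[1:]))
        growth = counts[-1] - counts[0]
        if monotonic and growth >= min_growth:
            found.append((pid, name, counts[0], counts[-1], growth / (len(counts) - 1)))
    return found


def live_handle_count(pid: int) -> Optional[int]:
    """On Windows, read one process's current handle count through the Win32 API
    (OpenProcess + GetProcessHandleCount). Returns None on other platforms or when
    the process cannot be opened."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        return None
    try:
        count = wintypes.DWORD()
        if not k32.GetProcessHandleCount(handle, ctypes.byref(count)):
            return None
        return count.value
    finally:
        k32.CloseHandle(handle)  # release our own handle so this tool does not leak one


if __name__ == "__main__":
    for pid, name, first, last, rate in suspected_leaks(SNAPSHOTS):
        print(f"possible handle leak: pid {pid} ({name}) {first} -> {last}, +{rate:.0f}/sample")
```

In the sample only svc_a.exe is reported; agent.exe and explorer.exe move up and down, which is what normal operation looks like. Collecting real snapshots with `live_handle_count` at a fixed interval and feeding them to `suspected_leaks` turns the slide's definition into a monitoring check.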

Operating System Components (Windows)
▪ Windows Event Logs
Key concepts:
❖ Logs are records of events that happen on a computer.
❖ The most common place for Windows logs is the Windows event log.
❖ Windows Event Viewer is a common tool to view Windows event logs.
❖ You can generally find the Windows event logs in the C:\Windows\System32\config directory.
❖ Event logs typically maintain three event log types: Application, System, and Security log files.
❖ Within the log types are generally five event types:
❑ Error, Warning, Information, Success Audit, and Failure Audit
❖ A log parser is a versatile tool that provides universal query access to text-based data.
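The following is an added example of the "log parser" idea, not code from the course: it reads a constructed CSV in the shape of an Event Viewer export, normalises the two audit levels to the names used above, answers queries by log file, event type and event ID, and groups Failure Audit logon events (ID 4625) into bursts. Event IDs 4624, 4625 and 4720 are standard Windows security events; the timestamps, sources and counts in the sample are invented.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO
from typing import Dict, List, Optional

# Constructed sample shaped like an Event Viewer "Save All Events As... CSV" export.
# The event IDs are standard Windows ones (4624 logon, 4625 failed logon, 4720 user
# created); every timestamp and count below is invented for this example.
EVENT_CSV = """\
Level,Date and Time,Source,Event ID,Task Category,Log
Information,2024-03-01 08:00:01,Service Control Manager,7036,None,System
Error,2024-03-01 08:02:15,Application Error,1000,(100),Application
Audit Failure,2024-03-01 08:05:10,Microsoft-Windows-Security-Auditing,4625,Logon,Security
Audit Failure,2024-03-01 08:05:12,Microsoft-Windows-Security-Auditing,4625,Logon,Security
Audit Failure,2024-03-01 08:05:14,Microsoft-Windows-Security-Auditing,4625,Logon,Security
Audit Success,2024-03-01 08:05:20,Microsoft-Windows-Security-Auditing,4624,Logon,Security
Warning,2024-03-01 08:06:00,Disk,51,None,System
Audit Success,2024-03-01 08:07:00,Microsoft-Windows-Security-Auditing,4720,User Account Management,Security
"""

# Event Viewer labels the audit levels "Audit Success"/"Audit Failure"; the course
# text uses the older "Success Audit"/"Failure Audit" names, so normalise to those.
LEVEL_NAMES = {"Audit Success": "Success Audit", "Audit Failure": "Failure Audit"}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse the CSV export into one record per event, with a numeric event ID."""
    events: List[Dict[str, object]] = []
    for row in csv.DictReader(StringIO(text)):
        record: Dict[str, object] = dict(row)
        record["Level"] = LEVEL_NAMES.get(row["Level"], row["Level"])
        record["Event ID"] = int(row["Event ID"])
        events.append(record)
    return events


def count_by_type(events: List[Dict[str, object]]) -> Counter:
    """How many Error / Warning / Information / Success Audit / Failure Audit events."""
    return Counter(str(e["Level"]) for e in events)


def query(events, log: Optional[str] = None, level: Optional[str] = None,
          event_id: Optional[int] = None) -> List[Dict[str, object]]:
    """Universal filter over the parsed records: any combination of log file
    (Application/System/Security), event type and event ID."""
    return [e for e in events
            if (log is None or e["Log"] == log)
            and (level is None or e["Level"] == level)
            and (event_id is None or e["Event ID"] == event_id)]


def failed_logon_bursts(events, window_seconds: int = 60, threshold: int = 3):
    """Report the first moment a sliding window of window_seconds holds `threshold`
    Failure Audit logon events (ID 4625). Returns (window_start, count) tuples."""
    times = sorted(datetime.strptime(str(e["Date and Time"]), TIME_FORMAT)
                   for e in query(events, log="Security", level="Failure Audit", event_id=4625))
    bursts, start = [], 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1  # slide the window forward until it fits
        if end - start + 1 == threshold:
            bursts.append((times[start].strftime(TIME_FORMAT), end - start + 1))
    return bursts


if __name__ == "__main__":
    evs = parse_events(EVENT_CSV)
    print(dict(count_by_type(evs)))
    print(failed_logon_bursts(evs))
```

The burst detector is deliberately simple (one threshold, one window); on a real export you would also key it on the target account and source address fields that the Security log carries in the event description.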

Operating System Components (Windows)
▪ The Windows File System
You need to understand the different parts of a partitioned hard drive.
❖ Master Boot Record (MBR)
❑ The MBR is the first sector (512 bytes) of the hard drive.
❑ It contains the boot code and information about the hard drive itself.
❑ The MBR contains the partition table, which includes information about the partition structure on the hard disk drive.
❑ The MBR can tell where each partition starts, its size, and the type of partition.
❑ While performing forensic analysis, you can verify the existing partitions against the information in the MBR and the printed size of the hard drive for a match.
❑ If there is some missing space, you can assume a potential compromise or corruption of the system.
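The partition-size check described above can be scripted. What follows is an added example, not course material: it decodes the four 16-byte entries of the MBR partition table (status, type, starting LBA, sector count) and the 0x55AA signature, then compares the space the partitions claim against the disk's total sector count to list any unaccounted regions. The disk image is constructed in the script (a 1 GiB disk with two NTFS partitions and an unallocated tail); the same layout is what the Linux MBR discussion later in this deck refers to.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
PART_TABLE_OFFSET = 446      # the partition table sits after the boot code
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
ENTRY_FORMAT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

# A few common partition type codes, for display only.
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_code: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1

    def describe(self) -> str:
        name = PART_TYPES.get(self.type_code, f"type 0x{self.type_code:02x}")
        return (f"#{self.index} {name:<14} LBA {self.lba_start}-{self.lba_end} "
                f"({self.sectors * SECTOR / 2**20:.1f} MiB){' bootable' if self.bootable else ''}")


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Decode the partition table from the first sector of a disk."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector0, PART_TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0 or count == 0:      # empty slot
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba_start, count))
    return parts


def unaccounted_space(parts: List[Partition], total_sectors: int, min_gap: int = 2048) -> List[Tuple[int, int]]:
    """(start, length) sector ranges claimed by no partition. Gaps below min_gap are
    ignored because a 1 MiB alignment gap before the first partition is normal."""
    gaps, cursor = [], 1                  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda x: x.lba_start):
        if p.lba_start > cursor:
            gaps.append((cursor, p.lba_start - cursor))
        cursor = max(cursor, p.lba_end + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return [g for g in gaps if g[1] >= min_gap]


def overlapping_partitions(parts: List[Partition]) -> List[Tuple[int, int]]:
    """Pairs of partition indexes whose sector ranges overlap (a sign of tampering or corruption)."""
    ordered = sorted(parts, key=lambda p: p.lba_start)
    return [(a.index, b.index) for a, b in zip(ordered, ordered[1:]) if b.lba_start <= a.lba_end]


def build_sample_mbr(entries) -> bytes:
    """Constructed test image: (bootable, type, lba_start, sectors) per slot. Not a real disk."""
    buf = bytearray(SECTOR)
    for i, (bootable, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, buf, PART_TABLE_OFFSET + i * ENTRY_SIZE, 0x80 if bootable else 0, ptype, start, count)
    buf[510:512] = SIGNATURE
    return bytes(buf)


SAMPLE_TOTAL_SECTORS = 2_097_152          # a 1 GiB disk, as the drive label would state
SAMPLE_MBR = build_sample_mbr([(True, 0x07, 2048, 1_000_000), (False, 0x07, 1_002_048, 900_000)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p.describe())
    for start, length in unaccounted_space(parts, SAMPLE_TOTAL_SECTORS):
        print(f"unaccounted: LBA {start}, {length} sectors ({length * SECTOR / 2**20:.1f} MiB)")
```

On a real image, read the first 512 bytes of the device or image file and take the total sector count from the drive label or `blockdev --getsz`; an unaccounted region is where a hidden partition or leftover data would sit, and it is the region worth carving next.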

Operating System Components (Windows)
▪ The Windows File System (cont.)
The Master File Table (MFT)
❖ The first sector (512 bytes) of each partition contains information such as:
❑ The type of the file system
❑ The location of the boot code
❑ The sector size
❑ The cluster size, expressed in sectors
❖ When the partition is formatted with FAT or NTFS:
❑ Some sectors at the beginning of the partition are reserved for the master file table (MFT).
❑ This location contains the metadata about the files in the system.
❖ Each MFT entry is 1 KB in size, and when a user deletes a file, the file's entry in the MFT is marked as unallocated.
❖ The rest of the partition space, after the file system's own area has been reserved, is available for data.
❖ Each unit of the data area is called a cluster or block.
❖ There are two types of clusters: allocated clusters and unallocated clusters.

Operating System Components (Windows)
▪ The Windows File System (cont.)
The File Allocation Table (FAT)
❑ FAT was the default file system of the Microsoft DOS operating system.
❑ Other versions include FAT12, FAT16, FAT32, and exFAT.
❑ Each version overcame some of the limitations of the file system until the introduction of the New Technology File System (NTFS).
❖ FAT partitions include the following main areas:
❑ The boot sector, which is the first sector of the partition and is loaded into memory.
❑ The boot sector includes:
• Jump code, which is the location of the bootstrap and the operating system initialization code
• Sector size
• Cluster size
• The total number of sectors in the partition
• Number of root entries (FAT12 and FAT16 only)
❖ The File Allocation Table (FAT):
❑ In FAT12, FAT16, or FAT32, the number represents the number of bits assigned to address clusters in the FAT table.

Operating System Components (Windows)
▪ The Windows File System (cont.)
NTFS
❖ NTFS has been the default file system in Microsoft Windows since Windows NT; it is a more secure, scalable, and advanced file system compared to FAT.
❖ NTFS has several components:
❑ The boot sector:
• It is the first sector in the partition, and
• It contains information about the file system itself:
• The start code, sector size, cluster size in sectors, and the number of reserved sectors.
❑ The MFT:
• It includes metadata of the files and directories in the partition.
❑ The data area:
• It holds the actual contents of the files.
• It is divided into clusters with a size assigned during formatting and recorded in the boot sector.
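The boot-sector fields listed on the FAT and NTFS slides (jump code, sector size, cluster size, reserved sectors, total sectors, root entries, MFT location) sit at fixed offsets in the partition's first sector. The script below is an added example, not course code: one parser for both layouts, telling NTFS from FAT by the OEM ID at offset 3, and for FAT deriving the variant (12, 16 or 32 bits per cluster address) from the cluster count exactly as the "number of bits" bullet above describes. The three boot sectors it decodes are constructed in the script (a FAT32 volume, a classic 1.44 MB FAT12 floppy, and an NTFS volume), not captures from real disks.

```python
import struct

BOOT_SIGNATURE = b"\x55\xaa"


def parse_boot_sector(sec: bytes) -> dict:
    """Decode the fields the slides list from a partition's first sector (FAT or NTFS)."""
    if len(sec) < 512 or sec[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a boot sector (missing 0x55AA signature)")
    oem = sec[3:11].decode("ascii", "replace").rstrip()
    # BIOS Parameter Block, shared by FAT and NTFS: bytes/sector @11, sectors/cluster @13, reserved @14
    bytes_per_sector, sectors_per_cluster, reserved = struct.unpack_from("<HBH", sec, 11)
    info = {
        "jump_code": sec[0:3].hex(),
        "oem_id": oem,
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": bytes_per_sector * sectors_per_cluster,
        "reserved_sectors": reserved,
    }
    if oem == "NTFS":
        # NTFS extended BPB: total sectors @40, MFT cluster @48, MFT mirror cluster @56 (all 64-bit)
        total, mft_cluster, mirror_cluster = struct.unpack_from("<QQQ", sec, 40)
        info.update(filesystem="NTFS", total_sectors=total, mft_cluster=mft_cluster,
                    mft_mirror_cluster=mirror_cluster, mft_byte_offset=mft_cluster * info["cluster_bytes"])
        return info
    # FAT: number of FATs @16, root entries @17, 16-bit total @19, 16-bit sectors/FAT @22,
    # 32-bit total @32; FAT32 keeps its sectors/FAT in a 32-bit field @36.
    num_fats, root_entries, total16 = struct.unpack_from("<BHH", sec, 16)
    sectors_per_fat16 = struct.unpack_from("<H", sec, 22)[0]
    total32 = struct.unpack_from("<I", sec, 32)[0]
    total = total16 or total32
    sectors_per_fat = sectors_per_fat16 or struct.unpack_from("<I", sec, 36)[0]
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    data_start = reserved + num_fats * sectors_per_fat + root_dir_sectors
    cluster_count = (total - data_start) // sectors_per_cluster
    # The cluster count decides how many bits a cluster address needs: the 12/16/32 in the name.
    fat_bits = 12 if cluster_count < 4085 else 16 if cluster_count < 65525 else 32
    info.update(filesystem=f"FAT{fat_bits}", total_sectors=total, number_of_fats=num_fats,
                sectors_per_fat=sectors_per_fat, root_entries=root_entries,
                data_start_sector=data_start, cluster_count=cluster_count)
    return info


def build_fat_sector(bps, spc, reserved, nfats, root_entries, total, spf, fat32=False) -> bytes:
    """Constructed FAT boot sector for testing; not taken from a real volume."""
    sec = bytearray(512)
    sec[0:3] = b"\xeb\x3c\x90"          # typical jump code: JMP short, NOP
    sec[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHBHH", sec, 11, bps, spc, reserved, nfats, root_entries, 0 if fat32 else total)
    if fat32:
        struct.pack_into("<I", sec, 32, total)
        struct.pack_into("<I", sec, 36, spf)
    else:
        struct.pack_into("<H", sec, 22, spf)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


def build_ntfs_sector(bps, spc, total, mft_cluster, mirror_cluster) -> bytes:
    """Constructed NTFS boot sector for testing; not taken from a real volume."""
    sec = bytearray(512)
    sec[0:3] = b"\xeb\x52\x90"
    sec[3:11] = b"NTFS    "
    struct.pack_into("<HBH", sec, 11, bps, spc, 0)
    struct.pack_into("<QQQ", sec, 40, total, mft_cluster, mirror_cluster)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


SAMPLE_FAT32 = build_fat_sector(512, 8, 32, 2, 0, 1_048_576, 1024, fat32=True)   # 512 MiB volume
SAMPLE_FAT12 = build_fat_sector(512, 1, 1, 2, 224, 2880, 9)                      # 1.44 MB floppy layout
SAMPLE_NTFS = build_ntfs_sector(512, 8, 2_097_151, 786_432, 2)                   # 1 GiB volume

if __name__ == "__main__":
    for name, sec in (("FAT32", SAMPLE_FAT32), ("FAT12", SAMPLE_FAT12), ("NTFS", SAMPLE_NTFS)):
        print(name, parse_boot_sector(sec))
```

The `mft_byte_offset` value is the figure a forensic tool needs to start walking MFT entries; the `data_start_sector` of a FAT volume plays the same role for its directory and data clusters.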

Operating System Components (Windows)
▪ The Windows File System (cont.)

Figure: NTFS partition layout showing the MBR, the Master File Table (MFT), the MFT copy, the metadata file, and the files.

Operating System Components (Windows)
▪ The Windows File System (cont.)
EFI
❖ The EFI System Partition (ESP) is a partition on a hard disk drive or solid-state drive whose main purpose is to interact with the Unified Extensible Firmware Interface (UEFI).
❑ UEFI firmware loads files stored on the EFI system partition to start the operating system and different utilities.
❑ The Unified Extensible Firmware Interface Forum at http://www.uefi.org has:
• Great information about Secure Boot
• UEFI operations, specifications, tools, and much more
❖ An EFI system partition:
❑ Needs to be formatted with a file system whose specification is based on the FAT file system and is maintained as part of the UEFI specification.
❑ Also contains data files, including error logs.

Operating System Components (Windows)
▪ The Windows File System (cont.)

Figure: EFI Partition

Operating System Components (Linux)
▪ Linux
❖ Covered here are the cyber forensics fundamentals of Linux-based systems.
❑ Most of these concepts also apply to the Mac OS X operating system.
❖ In Linux, there are two methods for starting a process: starting it in the foreground and starting it in the background.
❖ View all the processes in UNIX by using the command ps in a terminal window, also known as a shell.
❖ What follows ps are the options that specify what type of processes should be displayed.

Operating System Components (Linux)
▪ Linux Processes
Figure: the output of the ps command in a Linux system.

Operating System Components (Linux)
▪ Linux Processes (cont.)
❖ Several other tools are great for displaying not only the processes running in the system but also their resource consumption (CPU, memory, network).
❖ Two widely used tools are top and htop.
❖ Figure: example output of the top utility.

Operating System Components (Linux)
▪ Linux Processes (cont.)
Figure: example output of the htop utility.

Operating System Components (Linux)
▪ Linux Processes (cont.)
❖ Looking for orphan, zombie, and suspicious processes is one of the tasks in Linux forensics.
❖ There may be something suspicious on the system if you find a process running with open network sockets that doesn't show up on a similar system.
❖ You may find network saturation originating from a single host:
❑ By way of tracing its Ethernet address, or
❑ By packet counts on its switch port
❖ Or you may find a program eating up 100% of the CPU but nothing in the file system with that name.
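The three checks above (zombies, orphans, and a busy process whose executable is not on disk, plus a socket owner that a similar system does not have) can be written as one triage pass over a process snapshot. This is an added example, not course code: it parses a constructed block of `ps -eo pid,ppid,stat,pcpu,comm` output, the constructed results of `readlink /proc/<pid>/exe` for each process (the kernel appends " (deleted)" when the binary has been unlinked), a constructed list of open sockets per process, and a constructed baseline of which commands hold sockets on a known-good host. Every pid, name and address in the sample is invented.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample shaped like `ps -eo pid,ppid,stat,pcpu,comm` output. Not a real host.
PS_SAMPLE = """\
  PID  PPID STAT %CPU COMMAND
    1     0 Ss    0.1 systemd
  812     1 Ss    0.0 sshd
  990   812 S     0.0 sshd
 1001   990 S     0.2 bash
 1340     1 R    99.6 kworker
 2201   990 Z     0.0 sleep
 2300  2250 S     0.0 nc
"""

# Constructed sample of `readlink /proc/<pid>/exe` results for the same pids.
EXE_SAMPLE = {
    1: "/usr/lib/systemd/systemd", 812: "/usr/sbin/sshd", 990: "/usr/sbin/sshd",
    1001: "/usr/bin/bash", 1340: "/tmp/.x/kworker (deleted)",
    2201: "/usr/bin/sleep", 2300: "/usr/bin/nc",
}

# Constructed sample of open sockets per pid (what `ss -tpn` would attribute to each).
SOCKETS_SAMPLE = {812: ["0.0.0.0:22 LISTEN"], 2300: ["10.0.0.5:51244 -> 198.51.100.9:8443"]}

# Constructed baseline: commands that hold sockets on a comparable, known-good system.
BASELINE_SOCKET_OWNERS: Set[str] = {"systemd", "sshd"}


@dataclass
class Proc:
    pid: int
    ppid: int
    stat: str
    pcpu: float
    comm: str


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse the ps table into a pid-keyed dict; the command is the last field and may contain spaces."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        pid, ppid, stat, pcpu, comm = fields
        procs[int(pid)] = Proc(int(pid), int(ppid), stat, float(pcpu), comm)
    return procs


def triage(procs: Dict[int, Proc], exe_links: Dict[int, str], sockets: Dict[int, List[str]],
           baseline_owners: Set[str], cpu_threshold: float = 90.0) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for the conditions the slide describes."""
    findings: List[Tuple[int, str]] = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        if p.stat.startswith("Z"):
            findings.append((p.pid, f"zombie: {p.comm} exited but parent {p.ppid} has not reaped it"))
        if p.ppid != 0 and p.ppid not in procs:
            findings.append((p.pid, f"parent pid {p.ppid} is not in the snapshot (orphaned, or parent hidden)"))
        exe = exe_links.get(p.pid, "")
        if exe.endswith("(deleted)"):
            reason = f"{p.comm} runs from an executable no longer on disk: {exe}"
            if p.pcpu >= cpu_threshold:
                reason += f", while using {p.pcpu}% CPU"
            findings.append((p.pid, reason))
        if p.comm not in baseline_owners:
            for sock in sockets.get(p.pid, []):
                findings.append((p.pid, f"{p.comm} holds socket {sock}; no such socket owner on the baseline system"))
    return findings


def run_sample() -> List[Tuple[int, str]]:
    return triage(parse_ps(PS_SAMPLE), EXE_SAMPLE, SOCKETS_SAMPLE, BASELINE_SOCKET_OWNERS)


if __name__ == "__main__":
    for pid, reason in run_sample():
        print(f"pid {pid}: {reason}")
```

Reading the same three inputs from a live host is a matter of replacing the constants with the output of `ps`, a loop over `/proc/*/exe`, and `ss -tpn`; the baseline set is the part that needs a genuinely comparable system, which is the point the slide makes.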

Operating System Components (Linux)
▪ Linux Processes (cont.)
Ext4
❖ Ext4 is one of the most used Linux file systems.
❖ It has several improvements over its predecessors Ext3 and Ext2.
❖ Ext4 not only supports journaling but also modifies important data structures of the file system, such as the ones destined to store the file data.
❖ This is done for better performance, reliability, and additional features.
❖ Ext4 allows an unlimited number of subdirectories.
❖ It uses a "multiblock allocator" (mballoc) to allocate many blocks in a single call, instead of a single block per call.
❖ This feature avoids a lot of overhead and improves system performance.
❖ Becoming familiar with the Linux file system is recommended for any cyber forensics practitioner.
❖ For example, in a compromised system, you may find a partition showing 100% utilization, but if you use the du command, the system may only show 30% utilization.

Journaling: A journaling file system is a file system that keeps track of changes not yet committed to the file system's main part by recording the intentions of such changes in a data structure known as a "journal", which is usually a circular log.
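One common reason for the df-versus-du gap mentioned above is a file that was unlinked while some process still held it open: the directory entry is gone, so du no longer counts it, but the inode and its blocks stay allocated until the last descriptor closes. The script below is an added example, not course material, that reproduces the mechanism with a constructed 1 MiB file in a temporary directory on a POSIX system, and includes `find_deleted_open_files`, a hypothetical helper name for the `/proc/<pid>/fd` scan that lists such files on a live Linux host (the same information `lsof +L1` reports).

```python
import os
import tempfile
from typing import List, Tuple

SAMPLE_SIZE = 1 << 20   # 1 MiB of constructed content


def du_bytes(path: str) -> int:
    """Sum the sizes of every file still linked under path, the way du walks a tree."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            total += os.lstat(os.path.join(root, name)).st_size
    return total


def demonstrate_hidden_usage() -> Tuple[int, int, int, int]:
    """Create a file, open it, unlink it, and measure what du-style accounting sees.
    Returns (du_before, du_after_unlink, bytes_still_held_by_open_fd, du_after_close)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "payload.bin")
        with open(path, "wb") as f:
            f.write(b"x" * SAMPLE_SIZE)
        fd = os.open(path, os.O_RDONLY)           # a process keeps the file open...
        du_before = du_bytes(workdir)
        os.unlink(path)                           # ...and the directory entry is removed
        du_after_unlink = du_bytes(workdir)       # du can no longer see it
        held = os.fstat(fd).st_size               # but the inode still holds every byte
        os.close(fd)                              # the space is only freed on the last close
        du_after_close = du_bytes(workdir)
    return du_before, du_after_unlink, held, du_after_close


def find_deleted_open_files(proc_root: str = "/proc") -> List[Tuple[int, int, str, int]]:
    """On Linux, list (pid, fd, target, size) for descriptors whose target the kernel marks
    '(deleted)'. Processes we may not inspect are skipped; returns [] where /proc is absent."""
    found: List[Tuple[int, int, str, int]] = []
    if not os.path.isdir(proc_root):
        return found
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            link = os.path.join(fd_dir, fd)
            try:
                target = os.readlink(link)
                if target.endswith(" (deleted)"):
                    found.append((int(entry), int(fd), target, os.stat(link).st_size))
            except OSError:
                continue
    return found


if __name__ == "__main__":
    before, after_unlink, held, after_close = demonstrate_hidden_usage()
    print(f"du before: {before}, after unlink: {after_unlink}, held by open fd: {held}, after close: {after_close}")
    for pid, fd, target, size in find_deleted_open_files():
        print(f"pid {pid} fd {fd}: {target} ({size} bytes)")
```

When the numbers disagree on a live system, the deleted-but-open list explains the part of the gap that is benign (a rotated log a daemon still writes) and isolates the part that is not (a binary that unlinked itself after launch, as in the process-triage slide).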
Operating System Components (Linux)
▪ Linux Processes (cont.)
Linux MBR and Swap File System
❖ The MBR is a special type of boot sector that contains 512 or more bytes located in the first sector of the drive.
❖ The MBR includes instructions about how the logical partitions that have file systems are organized on the drive.
❖ It also has executable code to load the installed operating system.
❖ The most common boot loaders in Linux are Linux Loader (LILO), Load Linux (LOADLIN), and the Grand Unified Bootloader (GRUB).
❖ Figure: the Linux boot process in detail.

Operating System Components (Linux)
▪ Linux Processes (cont.)
❖ There are two main partitions on a Linux system:
❑ The data partition, which contains all Linux system data, including the root partition
❑ The swap partition, which is extra memory on the hard disk drive or SSD that is an expansion of the system's physical memory
❑ The swap space is only accessible and viewable by the system itself.
• The swap makes sure that the operating system keeps working.
• Windows, Mac OS X, and other operating systems also use swap or virtual memory.
• Linux counts on having twice the amount of swap as physical memory.
❑ Related to cyber forensics, pretty much everything in RAM has the potential of being stored in swap space at any given time.
❑ This includes system data such as plaintext data, encryption keys, user credentials, emails, and other sensitive information, especially due to the weaknesses in some applications that allow unencrypted keys to reside in memory.

Demo: Linux Processes
▪ Video
▪ Linux Sysadmin Basics: Process Overview
▪ https://www.youtube.com/watch?v=ls5cGi12kGw

Attribution Role in an Investigation
▪ Key topics in cybersecurity forensics are:
Attribution of Assets and Threat Actors
❖ There is undeniable motivation to support an evidence-led approach to cybersecurity forensics in order to achieve good attribution.
❖ A suspect-led approach is pejorative and often biased to the disadvantage of those being investigated.
❖ Due to technical complexities, it is often impractical for cybersecurity forensics experts to fully determine the reliability of endpoints, servers, or network infrastructure devices and to provide assurances to the court about the soundness of the processes involved and the complete attribution to a threat actor.
❖ The forensics expert needs to ensure that no part of the examination process is overlooked or repetitive.
❖ Cybersecurity forensic experts are often confronted with the inefficacy of traditional security processes in systems and networks designed to preserve documents and network functionality, especially because most systems are not designed to enhance digital evidence recovery.

Attribution Role in an Investigation
▪ Attribution of Assets
❖ There is a need for appropriate cybersecurity forensic tools, including:
❑ Software imaging and the indexing of increasingly large datasets in order to successfully reconstruct an attack.
❑ Tools to attribute the attack to an asset or threat actor.
❖ Traditional digital forensics tools are typically designed:
❑ To obtain the "lowest-hanging fruit", and they encourage security professionals to look for the evidence that is easiest to identify or recover.
❑ These tools do not have the capability to recognize other, less-obvious evidence.
❖ Cybersecurity forensics (or digital forensics) has been of growing interest among many organizations due to the large number of breaches recently.
❖ There are three broad categories of cybersecurity investigations:
❑ Public investigations: These investigations are resolved in a court of law.
❑ Private investigations: These are corporate investigations.
❑ Individual investigations: These often take the form of ediscovery.

Attribution Role in an Investigation
▪ Threat Actor
❖ Cybersecurity forensic practitioners are at a crossroads about changes affecting evidence recovery and management.
❖ Forensic evidence is often used in a court of law.
❑ This is why it is extremely important for digital forensic experts to perform an excellent analysis and to collect and maintain reliable evidence.
❑ The huge increase in cybercrime has accelerated the need for enhanced information security management.
❑ This requires forensics experts to help remediate the network and affected systems and to try to reveal the responsible threat actor, which is called threat actor attribution.
❖ Desktops, laptops, mobile devices, servers, firewall logs, and logs from network infrastructure devices are rich in information:
❑ Of evidentiary value that can assist forensics experts in reconstructing the attack, and
❑ In gaining a better understanding of the threat actor responsible for the attack.

Attribution Role in an Investigation
▪ Indicators of Compromise
❖ The application of Indicators of Compromise (IoC) presents a security operational challenge. We are starting to experience these challenges nowadays.
❖ For example, embedded Programmable Logic Controllers (PLCs) that operate manufacturing systems and robots can be a huge target for bad actors.
❖ We need to know:
❑ All the potential true indicators of compromise, so that we can perform deep-dive analysis and perform good incident response.
❑ The need to combine threat intelligence and big data analytics will be paramount in this ever-changing world.
❖ Threat intelligence is referred to as the knowledge about an existing or emerging threat to assets, including networks and systems.
❑ It includes context, mechanisms, indicators of compromise (IoCs), implications, and actionable advice.
❑ Its primary purpose is to inform business decisions regarding the risks and implications associated with threats.

Attribution Role in an Investigation
▪ Indicators of Attack
❖ According to NIST, an Attack Vector is:
❑ "A segment of the entire pathway that an attack uses to access a vulnerability.
❑ Each attack vector comprises a source of malicious content, a potentially vulnerable processor of that malicious content, and the nature of the malicious content itself."
❖ Examples of Attack Vectors:
❑ A malicious email attachment or a malicious link in an email
❑ Malicious web page content
❑ A vulnerable or compromised network service used maliciously
❑ A social engineering conversation by a threat actor done in person or by phone, email, text, or instant messaging to obtain sensitive information from the user, such as credentials, date of birth, account information, social security numbers, and so on.

Attribution Role in an Investigation
▪ Indicators of Attack (cont.)
❖ Examples of Attack Vectors (cont.):
❑ Personal information gathered by a threat actor from social media to carry out a targeted attack.
❑ An open port on a system that could lead to services being exposed to an attacker.
❑ A database with default or no credentials.
❑ An infrastructure device with default or easily guessable credentials.
❖ In order to measure and understand the attack surface:
❑ Read through the source code of an application, and
❑ Identify the different points of entry and exit, including the following:
• Application programming interfaces (APIs)
• Databases
• Email or other kinds of messages
• Files
• Other local storage
• Runtime arguments
• User interface (UI) forms and fields

Evidence Types Used in Provided Logs
▪ There are three general types of evidence:
Best evidence, corroborating evidence, and indirect or circumstantial evidence
❖ Best Evidence
❑ Historically, the term best evidence refers to evidence that can be presented in court in its original form.
❑ Properly collected system images and appropriate copies of files can be used in court.
❖ Corroborative Evidence
❑ Evidence that tends to support a theory or an assumption deduced from some initial evidence.
❑ It confirms the proposition.
❖ Indirect Evidence
❑ Indirect or circumstantial evidence relies on an extrapolation to a conclusion of fact.
❑ Direct evidence, by contrast, supports the truth of a proclamation without the need for any additional evidence or interpretation.
❑ Indirect or circumstantial evidence is often used in civil and criminal cases that lack direct evidence.


FYI
▪ At the end of the Day 6 video this appears:
▪ ~$ :(){:|:$};:
▪ It's called a fork bomb DoS attack.
▪ https://www.cyberciti.biz/faq/understanding-bash-fork-bomb/

Have you planned your exam date yet?

It only takes a 70% on the final exam to get your first golden ticket before the end of the course.

Take your final now! Get your exam scheduled!

No Review Tonight

