This directory has many logs in it and contains data on all mounted volumes, including the dates they were mounted (useful in cases involving stolen data)
What is /var/log?
This command lists the current device files that are in use
What is ls /dev/disk?
This temporary cache location may store passwords
What is pagefile.sys?
In NetFlow v9, these FlowSets provide an extensible design to the record format (a feature that should allow future enhancements without requiring changes to the basic flow record format)
What are Templates?
The name of the un-hackable mainframe
What is the Gibson?
Use this command line input to see the timestamp of any file usage
What is stat?
This directory replaced /var/run and is designed to allow applications to store process IDs, socket information, lock files and other data which is required at run-time but can't be stored in /tmp/
What is /run?
The BIOS of a computer uses ___ to load critical files allowing Windows to load
What is the Boot Loader?
This core function described by HTTP 3xx status codes is often used by malicious URLs and sites
What is Redirection?
Dade Murphy's first hacker name in the movie "Hackers"?
What is Zero Cool?
This setting prepares a running Mac to be imaged without compromising the data
What is Target Disk Mode?
This lesser known subdirectory of /dev is world-writable and a favorite of hackers
What is /shm?
This ROT13-encoded registry key located in SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ gives the file name and path, application run count, associated user, and the date/time when the program was last executed
What is UserAssist?
In RFC 9114, this protocol boasts features like stream multiplexing, per-stream flow control, and low-latency connection establishment
What is HTTP/3 or QUIC?
The virus intended to capsize the oil fleet.
What is the Da Vinci virus?
These two Domains of the logical Mac filesystem contain system-specific items of forensic interest: Application Installation, System Settings, Preferences (.plist), System Logs (.asl)
What are the Local and System Domains?
This Linux audit daemon works with SELinux, is integrated with the Linux kernel, can export to a remote log server, but does not use syslog
What is auditd or /etc/auditd/*?
The file compression algorithm used by the NTFS file system
What is Lempel-Ziv?
Frequent DNS replies for an IP address that return different hostnames over time, combined with NXDOMAIN responses for the previous hostnames, together likely indicate this malicious behavior
What is DGA or Domain Generating Algorithm?
The phrase used to make the Cookie Monster virus go away?
What is Cookie?
This service provides a historical and current perspective on program execution from two data sources: /Library/Logs/DiagnosticReports/ and /private/var/db/analyticsd/aggregates/
What is the Core Analytics service?
This two-part command sequence is a popular defense evasion technique to modify/remove command line history
What are unset HISTFILE HISTSIZE HISTFILESIZE and then history -c?
The program that handles tasks like creating threads, console windows, and so forth in Windows
What is crss.exe?
Describe the output of this command:
tshark -nn -r capturefile.dmp -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport '(tcp.flags.syn == 1 and tcp.flags.ack == 0)'
What is a semicolon-separated file with SrcIP, SrcPort, DestIP, and DestPort from all SYN-flagged packets?
The name Dade used in a social engineering hack on a security guard?
Who is Eddie Vedder?