CHFI v9 Crash Study Guide

1. netstat -ano
The netstat tool collects information about the network connections active on a
Windows system. The most common way to run it is with the -ano switches, which
display all TCP and UDP connections and listening ports (-a), show addresses and ports
in numeric form (-n), and list the owning process ID for each connection (-o). Other
useful switches: -r routing table, -e Ethernet statistics, -p <protocol> to filter by
protocol.
2. Know: /proc (pseudo-filesystem that exposes running processes and kernel state on
Linux; each /proc/<PID> directory describes one process). DumpChk = Microsoft Crash
Dump File Checker tool, used to perform a quick analysis of a crash dump file; it gives
a summary of what the dump file contains. RegEdit is the Registry Editor.
3. Exchange server database files (message headers live in priv.edb): priv.edb, priv.stm, pub.edb
a. PRIV.EDB: a rich-text database file that contains message headers,
message text, and standard attachments.
b. PUB.EDB: a database file that stores public folder hierarchies and contents.
c. PRIV.STM: a streaming Internet content file containing video, audio,
and other media that arrive as MIME streams.
4. UTC stands for: ​Coordinated Universal Time
5. CHKDSK
a. It verifies the file system integrity of a volume and fixes logical file system errors.
It is similar to the fsck command in Unix.
6. OLE​ (Object Linking and Embedding) is used by Microsoft Office, ​not used by PDF
7. Pornographic images found on a company computer - both a criminal and an administrative (HR/policy) matter
8. How to list what sessions are open? net session – displays information about all
sessions that remote clients have established with the local computer.
9. Types of Analysis
a. Forensic examination of logs has two categories:
i. Postmortem
1. Investigators perform a postmortem of logs to detect something
that has already occurred in a network/device and determine
what it was.
2. Here, an investigator can go through the log files a number of
times to examine and check the flow of previous runs. Compared
with real-time analysis, it is an exhaustive process, since the
investigators need to examine the attack in detail and give a
final report.
ii. Real-Time Analysis
1. Real-time analysis is an ongoing process which returns results
as the events happen, so that the system or operators can respond
to the attacks immediately.

10. A DDoS attack on a specific IP address of the company's website is a Network attack


11. What file type is FF D8 FF E1? It is JPEG (FF D8 is the JPEG start-of-image marker, the FF E1 that follows is the APP1/Exif segment)
12. Tasklist​ /p (password), /v,/s,/u
a. /v: Specifies that verbose task information be displayed in the output.
Should not be used with the /svc or the /m parameter
b. /s​ Computer: Specifies the name or IP address of a remote computer (do
not use backslashes).
c. /u Domain \ User: Runs the command with the account permissions of the
user specified by User or Domain\User.
13. Last access time tracking on Windows 10 is queried/changed with: fsutil (fsutil behavior query disablelastaccess / fsutil behavior set disablelastaccess <value>)
14. MNC - Mobile Network Code (MNC): a two-digit (three-digit in some regions) network
identification number used together with the MCC (Mobile Country Code) stored on the
SIM. Together they identify the subscriber's home network on a mobile phone network.
15. Analyze web server logs for small/medium website: ​Deep Log Analyzer (web analytics
for small/medium websites)
16. doskey /history: displays all commands stored in the command history buffer of the current console session
17. Jv16 tool-- ​used for registry change analysis​, not malware installation file analysis.
18. GIF is an indexed-color format: a palette of at most 256 RGB colors, i.e. 8 bits per pixel
19. Trojan network detection: ​Capsa​ can be used for Trojan detection
20. Recuva​: recovers pictures, music, documents, videos, emails, or any other file type that
are lost. Can also recover from rewritable media like memory cards, external hard drives,
USB, etc… Offers superior file recovery and can recover files from damaged or newly
formatted drives and the chances of recovery are higher. Offers Advanced Deep Scan
mode that scours a drive to find any traces of files that have been deleted. Securely
deletes files with secure overwrite feature that meets military standards.
21. Rogue Access points - Client misassociation
22. Email client to view ​DBX files​ - ​Microsoft Outlook Express ​DBX files
23. ESN has the manufacturer information
24. Which linux boot stage initializes the sys hd: ​BIOS
25. What is put at the front of a ​deleted FAT file​: ​E5H,
a. E5h is a special tag that indicates the deleted file
26. Drivespy​ carries out data acquisition and duplication:
27. Event correlation approach uses only two variables? Bayesian or binary
28. Dxy.ext
a. “x” denotes the name of drive such as “C,” “D,” and others; “y” denotes the
sequential number starting from one; and .ext is the extension of the original file.
29. RIYG6VR.doc in recycle bin. What can be derived from the title? ​This is a document
file​.
30. NTFS offers journaling
31. Snort is an IDS
32. Comodo Programs Manager: ​dynamic malware analysis to review installation files
33. $I file: what it does not contain is the file's content (that is in the matching $R file).
The $I files contain:
● The original file's size
● The date and time the file was sent to the recycle bin (a 64-bit FILETIME)
● The original file's full path (which includes the original file name)
● In Windows Vista and 7 the record is a fixed 544 bytes (8-byte header, 8-byte size,
8-byte FILETIME, 520-byte UTF-16 path); Windows 10 uses a variable-length record
with a path-length field in front of the path
● When a file is deleted (Windows Vista and later), it is renamed $R followed by
random characters, then the original file extension. At the same time, a new file
with $I, the same random characters, and the same extension is created.
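The following is an added example, not part of the original study guide, showing how the $I record described in item 33 is actually laid out and parsed. The record is constructed in the block (build_i_record is a test helper, not a Windows API); the version-1 layout is the Vista/7 fixed 544-byte format and version 2 is the Windows 10 variable-length format with a path-length field. The sample path and timestamp are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integer arithmetic to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_i_record(version, size, deleted_at, path):
    """Construct a $I record for testing (constructed sample, not from a real system).
    version 1 = Vista/7 fixed 544-byte layout, version 2 = Windows 10 variable length."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    raw_path = path.encode("utf-16-le") + b"\x00\x00"      # NUL-terminated UTF-16LE
    if version == 1:
        return head + raw_path.ljust(520, b"\x00")           # 24 + 520 = 544 bytes
    if version == 2:
        return head + struct.pack("<I", len(path) + 1) + raw_path
    raise ValueError("unknown $I version")


def parse_i_record(data):
    """Parse a $I record: original size, deletion time, and original full path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
        "original_name": path.rsplit("\\", 1)[-1],
    }


def matching_r_name(i_name):
    """The data file paired with $I<random>.<ext> is $R<random>.<ext>."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


# Constructed sample: a document deleted on 2019-05-04 12:30:15 UTC.
SAMPLE_PATH = "C:\\Users\\bob\\Desktop\\secret.docx"
SAMPLE_DELETED_AT = datetime(2019, 5, 4, 12, 30, 15, tzinfo=timezone.utc)
SAMPLE_RECORD_V1 = build_i_record(1, 12345, SAMPLE_DELETED_AT, SAMPLE_PATH)
SAMPLE_RECORD_V2 = build_i_record(2, 12345, SAMPLE_DELETED_AT, SAMPLE_PATH)

if __name__ == "__main__":
    print(parse_i_record(SAMPLE_RECORD_V1))
    print(parse_i_record(SAMPLE_RECORD_V2))
```

On a real system the same parser is run over the $I files under C:\$Recycle.Bin\<SID>\; the SID subfolder tells you which account deleted the file.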
34. Law company wants to search for evidence themselves - no, because it might change
date/time information. This alteration would prevent a criminal case from moving
forward, since evidence is altered.
35. File Salvage (Mac)​: recovers lost files, iTunes libraries, iPhoto collections, lost data.
Recovers from Mac OS hard drive, USB, PC disk, Linux disk, FAT32 disk, FLASH card,
scratched CD, digital camera, iPod, and any other file system recognized by Mac OS.
36. MySQL server start/stop events are recorded in the error log (hostname.err). The general query log records client connections/disconnections and every statement received.
37. MIME​ Stream can be found in: ​PRIV.STM
38. Brute force has taken out Domain Controller, where should you look next? SIEM (could
show you a large number of failure audits for a Brute Force dictionary type attack)
39. Show active network connections: netstat
40. Tripwire is used for file integrity
41. Status codes: 503 = Service Unavailable (HTTP); 530 = failed login attempt (the FTP reply "Not logged in", as recorded in IIS FTP logs)
42. Registry Editor (regedit.exe) used to load or unload registry hives (hives begin with
HKEY).
43. Database of every file and directory in NTFS is stored in the MFT ​(Master File
Table)
44. Object file is a sequence of bytes organized into blocks understandable by the systems
Linker
45. Nbtstat -c ​ shows the contents of the ​NetBIOS name cache​, which contain NetBIOS
name-to-IP address mappings
46. Use Bit stream imaging for copying data
47. %SEC-6-IPACCESSLOG​P​ Cisco means that ​a Packet matching log criteria for the given
access list has been detected (TCP or UDP)
48. Nltest is a command that can be used to get a list of Domain Controllers in Windows
Server (2008R2, 2012, etc…)
49. Devcon​.exe displays detailed information about devices on Windows computers
50. ICCID XX254XXXXXXXXX The 254 stands for: country code
51. Physical evidence - image file on hard disk is not physical evidence
52. Cisdem Data Recovery (DR) 3 (Mac OS)​: designed to help you recover and restore
your lost data like videos, music, documents, archives, photos, and more. Offers a
Quick scan and Deep scan. Link: ​https://www.cisdem.com/manual/datarecovery.pdf
53. Known Stego attack​-- steganography ​tool (algorithm) is known and both original and
stego-object are available
54. Metasploit​ - WaffenFS, FragFS, RuneFS, ​Slacker-- ​Slacker is the tool in Metasploit that
will hide data in the slack space of FAT or NTFS file systems, WaffenFS stores data in
the EXT3 journal file, FragFS hides data within the NTFS Master file table, RuneFS
stores data in bad blocks. Only thing mentioned in the EC-Council text for Metasploit is
Timestomp​, which is used to modify/edit/delete the date and time of metadata to make it
useless for investigators.
55. Boot record signature (according to EC-Council) = 00AA. On disk the signature is the two bytes 55 AA at offsets 510-511 of the sector, which read as the little-endian word 0xAA55.
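The following is an added example, not part of the original study guide, covering two FAT on-disk facts from this guide: the E5h marker on a deleted directory entry (item 25) and the 55 AA boot-sector signature (item 55). The directory entries and boot sector are constructed in the block; the 32-byte 8.3 entry layout and the FAT date/time bit fields are the standard FAT ones.

```python
import struct

DELETED_MARK = 0xE5      # first name byte of a deleted entry
END_OF_DIR = 0x00        # first name byte 0x00: no more entries follow
ATTR_LFN = 0x0F          # long-file-name entry (skipped here)
ATTR_DIRECTORY = 0x10


def fat_date(d):
    """FAT date word -> (year, month, day); year is offset from 1980."""
    return 1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F


def fat_time(t):
    """FAT time word -> (hour, minute, second); seconds have 2 s granularity."""
    return t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2


def make_entry(name, ext, size, cluster, wdate, wtime, attr=0x20, deleted=False):
    """Construct one 32-byte 8.3 directory entry (constructed sample data)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]      # what the OS does on delete
    # attr, NTRes, crtTimeTenth, crtTime, crtDate, lstAccDate,
    # fstClusHI, wrtTime, wrtDate, fstClusLO, fileSize
    tail = struct.pack("<BBBHHHHHHHI", attr, 0, 0, 0, 0, 0,
                       cluster >> 16, wtime, wdate, cluster & 0xFFFF, size)
    return raw + tail


def parse_directory(blob):
    """Walk 32-byte entries; report live and deleted files with their metadata."""
    entries = []
    for off in range(0, len(blob), 32):
        raw = blob[off:off + 32]
        first = raw[0]
        if first == END_OF_DIR:
            break
        attr = raw[11]
        if attr == ATTR_LFN:
            continue
        deleted = first == DELETED_MARK
        name = raw[0:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            name = "?" + name[1:]      # the first character is overwritten and lost
        hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHI", raw, 20)
        entries.append({
            "name": name + ("." + ext if ext else ""),
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            "size": size,
            "first_cluster": (hi << 16) | lo,     # data is still there until reused
            "modified": fat_date(wdate) + fat_time(wtime),
        })
    return entries


def has_boot_signature(sector):
    """A boot sector/MBR ends with bytes 55 AA (little-endian word 0xAA55) at offset 510."""
    return len(sector) >= 512 and struct.unpack_from("<H", sector, 510)[0] == 0xAA55


def build_sample_boot_sector():
    """Constructed 512-byte sector with only the fields this example checks."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"        # jump instruction typical of FAT boot sectors
    sector[3:11] = b"MSDOS5.0"           # OEM name
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed root directory: one live file and one deleted file, both last
# written 2019-05-04 14:30:00 (FAT date 0x4EA4, FAT time 0x73C0).
SAMPLE_DIR = (
    make_entry("REPORT", "DOC", 18432, 5, 0x4EA4, 0x73C0)
    + make_entry("BUDGET", "XLS", 9216, 9, 0x4EA4, 0x73C0, deleted=True)
    + b"\x00" * 32
)

if __name__ == "__main__":
    print("boot signature ok:", has_boot_signature(build_sample_boot_sector()))
    for e in parse_directory(SAMPLE_DIR):
        print(e)
```

The deleted entry keeps its size, timestamps and starting cluster, which is exactly why undelete tools can recover the file as long as the clusters have not been reallocated.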
56. Warrants:​ ​Service Provider Search Warrant​ -- first responders can obtain things like
service records, billing records, and subscriber information. ​Electronic Storage Device
Search Warrant​ -- allows the first responder to Search and Seize the victim’s computer
components like: hardware, software, storage devices, and documentation. ​Warrantless
Seizure​ -- used when the destruction of evidence is imminent and there is probable
cause to believe that the item seized constitutes evidence of criminal activity. Agents
may also search a place or object without a warrant or probable cause, if a person with
authority has consented (example: you are a teenager and your parents give police the
consent to search your room).
57. Is the testimony by an ​expert witness​: Expert Witness ​Authenticates Evidence
58. Direct examination refers to the process of a witness being questioned by the
attorney who called him or her to the stand
a. Cross-examination is the process of providing the opposing side in a trial the
opportunity to question a witness
59. First 8 bits of ESN​ is manufacturer’s code
60. Verbal formal report​: board, managers, jury
61. BMP: 1 to 24 bits per pixel (32 also exists); the RGBQUAD color table is used only for
bitmaps of 8 bits per pixel or less (there is no color table for 24-bit bitmaps)
62. Linux bootloader active in what stage​: ​Bootloader stage​ (LILO and/or GRUB load
the Kernel)
63. iOS Jailbreaking tool​: R ​ edSn0w​ (tip: anything with Root in the name is Android)
64. The Prefetch folder (%SystemRoot%\Prefetch) saves data about programs that have run, so they load faster on subsequent runs; each .pf file also records the last run time and run count
65. Running processes: RAM, Virt Mem, Swap space
66. ISO 9660 --- CDROM and DVD
67. PSLoggedon​, ​net sessions​, and ​LogonSessions​ to determine logged on users
68. Commands to Know:
net view -- review file shares to ensure their purpose
net session -- verify the users using open sessions
net use -- check if sessions have been opened with other systems
netstat -na -- find whether TCP/UDP ports have unusual listeners
net start -- look for unusual network services
net file -- displays the names of all open shared files on a server and the number of file locks on each file
PsFile -- command-line utility that can retrieve the list of remotely opened files on a system
openfiles -- queries or displays open files and also queries, displays, or disconnects files opened by network users
nbtstat -c -- shows the contents of the NetBIOS name cache, which contains the NetBIOS name-to-IP address mappings
netstat -ano -- netstat is used to show active network connections. The -ano switches display the TCP/UDP connections, listening ports, and the process IDs (PID). You can also use -r for the routing table, -e for Ethernet stats, and -p to filter by protocol
69. All passwords - ​Passware Kit 4​,
70. Frye standard -- covers ​scientific​ testimony
71. Know: exhibit numbering: aaa/ddmmyy/nnnn/zzz
aaa is the initials of the forensic analyst or investigator seizing the equipment
ddmmyy is the date of the actual seizure
nnnn is the sequential number of exhibits seized by the forensic analyst/investigator, starting with 001 and going to nnnn
zzz is the sequence number for parts of the same exhibit (e.g. A could be the CPU, B the monitor, C the mouse, D the keyboard, etc.)
72. Know the different RAID levels:
RAID 0 -- simplest RAID level; no redundancy. It splits the data into stripes of a user-defined size and sends the stripes to every disk in the array. Offers the best overall performance of the single RAID levels; requires at least 2 drives; one failed drive loses the whole array.
RAID 1 -- mirroring: duplicates the drive data onto two different drives using a hardware RAID controller or software. If one drive fails, the other functions as a single drive until the failed drive is replaced; requires a minimum of 2 drives.
RAID 2 -- the only level that uses none of the standard techniques (block parity, mirroring, block striping) as such: it splits data at the bit level, distributes it over numerous data disks, and stores Hamming-code ECC on separate redundancy disks.
RAID 3 -- byte-level striping with a dedicated parity disk that stores the checksums. It may use a dedicated processor for parity calculation. This level cannot serve multiple data requests simultaneously. If a failure occurs, it recovers data by recomputing the missing bytes from the parity bytes and the remaining bytes of the same stripe.
RAID 5 -- striping across multiple drives (block-level in practice; the EC-Council text says byte-level) with the parity information distributed among all member drives. Writes are slower because parity must be recalculated; requires a minimum of 3 drives. Any single drive can fail and be rebuilt from the remaining data and parity.
RAID 10 (1+0) -- combination of RAID 0 (striping) and RAID 1 (mirroring): requires at least 4 drives, has the same fault tolerance as RAID 1 and the same overhead as mirroring alone. Disks are mirrored in pairs for redundancy and data is then striped across the pairs for performance. Data remains available as long as one disk in each mirrored pair is working; if both disks of the same pair fail, the data is lost.
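The following is an added example, not part of the original study guide, that works through the parity recovery described for RAID 3/5 in item 72: data is striped with a rotating XOR parity chunk, one drive is "lost", and the missing chunks are rebuilt by XOR-ing the survivors. The layout here (parity disk rotating one position per stripe) is a simplified illustration, not the exact geometry of any specific controller; the sample data is constructed.

```python
def xor_blocks(blocks):
    """XOR equal-length byte strings together (this is the parity operation)."""
    out = bytearray(blocks[0])
    for b in blocks[1:]:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def parity_disk_for(stripe_no, ndisks):
    """Rotate the parity chunk across disks so no single disk becomes the hotspot."""
    return (ndisks - 1 - stripe_no) % ndisks


def raid5_write(data, ndisks, chunk):
    """Lay data out over ndisks as RAID 5: ndisks-1 data chunks + 1 parity chunk per stripe."""
    assert ndisks >= 3, "RAID 5 needs at least three drives"
    data_per_stripe = chunk * (ndisks - 1)
    data = data + b"\x00" * ((-len(data)) % data_per_stripe)   # pad to whole stripes
    disks = [[] for _ in range(ndisks)]
    for s, off in enumerate(range(0, len(data), data_per_stripe)):
        stripe = data[off:off + data_per_stripe]
        chunks = [stripe[i:i + chunk] for i in range(0, data_per_stripe, chunk)]
        parity = xor_blocks(chunks)
        pd = parity_disk_for(s, ndisks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == pd else next(it))
    return disks


def raid5_rebuild(disks, failed):
    """Reconstruct the failed disk: each chunk is the XOR of the other disks' chunks
    in the same stripe, whether those chunks are data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def raid5_read(disks, length):
    """Reassemble the user data, skipping the parity chunk of each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        pd = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != pd:
                out += disks[d][s]
    return bytes(out[:length])


def demo():
    """Write, lose drive 1, rebuild it, and check the data survived."""
    data = b"The quick brown fox jumps over the lazy dog"   # constructed sample
    disks = raid5_write(data, ndisks=4, chunk=4)
    disks[1] = None                                          # drive 1 fails
    disks[1] = raid5_rebuild(disks, failed=1)
    return raid5_read(disks, len(data)) == data


if __name__ == "__main__":
    print("rebuilt correctly:", demo())
```

The same XOR relation is what a forensic examiner uses when imaging a degraded RAID 5 set: with all but one member image you can reconstruct the missing member before reassembling the volume, but with two missing members (or with the wrong stripe size / parity rotation) reconstruction fails.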
73. Federal Rules of Evidence:
Rule 101 -- Scope. The rules govern proceedings in the courts of the United States.
Rule 102 -- Purpose and Construction. The rules shall be construed to secure fairness in administration, eliminate unjustifiable expense and delay, and promote the growth and development of the law of evidence, to the end that the truth may be ascertained and proceedings justly determined.
Rule 103 -- Rulings on Evidence.
Rule 105 -- Limited Admissibility.
Rule 402 -- General Admissibility of Relevant Evidence.
Rule 502 -- Attorney-client privilege and work product.
Rule 608 -- Evidence of character and conduct of a witness.
Rule 609 -- Impeachment by evidence of a criminal conviction.
Rule 614 -- Calling and interrogation of witnesses by the court.
Rule 701 -- Opinion testimony by lay witnesses.
Rule 705 -- Disclosure of facts or data underlying expert opinion.
Rules 801-804 -- Hearsay.
Rule 901 -- Authenticating or identifying evidence.
Rule 1001 -- Definitions.
Rule 1002 -- Requirement of the Original. The original is required to prove the content of a writing, recording, or photograph.
Rule 1003 -- Admissibility of Duplicates. A duplicate is admissible to the same extent as the original, unless a genuine question is raised about the authenticity of the original or it would be unfair to admit the duplicate in place of the original.
Rule 1004 -- Admissibility of Other Evidence of Content. The original is not required if it is lost or destroyed (unless in bad faith), cannot be obtained, or is in the possession of the opponent.
74. Superblock in UFS has magic number, in EXT2 Superblock stores info about size and
shape of EXT2 filesystem
75. $BitMap is in NTFS​ and it keeps track of used and unused clusters
76. 18 USC § ​1030​ covers Fraud and related activity in connection with computers
77. 18 USC § ​2252​A = child porn law
78. HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\Software\Classes (and the
current user's HKEY_CURRENT_USER\Software\Classes) and contains file extension association
information as well as programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data.
79. HKEY_CURRENT_USER contains the configuration information related to the user
currently logged on (wall paper, screen colors, display settings, etc…)
80. HKEY_LOCAL_MACHINE contains most of the configuration information for installed
software which includes type, installed cards, memory type, startup control parameters,
and device drives.
81. HKEY_USERS contains information about all the currently active user profiles on the
computer.
82. HKEY_CURRENT_CONFIG stores information about the current HARDWARE profile of
the system. It is a pointer (alias) to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
83. Registry Tools include: RegRipper, ProDiscover, Process Monitor, RegScanner,
RegEdit, Registry Viewer, jv16
84. In FHS (Filesystem Hierarchy Standard), essential user command binaries are in /bin.
85. Google Drive client logs are sync_log.log (under %LocalAppData%\Google\Drive); the Dropbox client likewise writes *.log files
86. Open GL/ES is Android library
87. Error codes: 500 = Internal Server Error, 502 = Bad Gateway, 503 = Service Unavailable,
504 = Gateway Timeout, 505 = HTTP Version Not Supported, 530 = logon failure (the FTP
reply code "Not logged in", which is what appears in IIS FTP logs)
88. Page file = HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\ (the PagingFiles value lists the page file path(s) and sizes; ClearPageFileAtShutdown controls whether it is wiped at shutdown)
89. Event Correlation
Types:
Codebook-based: stores sets of events as codes and matches incoming events against them
Rule-based: uses rules to correlate events
Field-based: uses and compares fields in the normalized data for correlation
Automated Field Correlation: compares some or all fields and determines correlation across these fields
Packet Parameter/Payload Correlation: compares packets with signatures (IPS/IDS)
Profile/Fingerprint: collects data to see if a system was used as a relay or is a compromised host
Vulnerability-based: maps IDS events to vulnerability scanner output
Open-Port based: determines risk of attack by evaluating the list of open ports
Bayesian Correlation: predicts next steps based on statistics and probability
Time/Role-Based approach: monitors computer and user behavior for anomalies
Route correlation: extracts attack route information to single out other attack data
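The following is an added example, not part of the original study guide, of the rule-based and time-based correlation listed in item 89, applied to the brute-force scenario of item 38: a SIEM-style sliding window counts logon failures per (source, host) and raises a higher-severity alert when a success follows a burst of failures. The logon records are constructed, already-normalized tuples (the field names and thresholds are assumptions, not any product's schema).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalized logon records, as a SIEM would hold them:
# (timestamp, source IP, target host, account, outcome)
SAMPLE_EVENTS = [
    ("2019-05-04 09:00:01", "10.0.0.5", "dc01", "alice", "failure"),
    ("2019-05-04 09:00:03", "10.0.0.5", "dc01", "bob", "failure"),
    ("2019-05-04 09:00:04", "10.0.0.9", "dc01", "carol", "failure"),
    ("2019-05-04 09:00:05", "10.0.0.5", "dc01", "carol", "failure"),
    ("2019-05-04 09:00:07", "10.0.0.5", "dc01", "dave", "failure"),
    ("2019-05-04 09:00:09", "10.0.0.5", "dc01", "erin", "failure"),
    ("2019-05-04 09:00:10", "10.0.0.9", "dc01", "carol", "success"),
    ("2019-05-04 09:00:12", "10.0.0.5", "dc01", "svc_backup", "failure"),
    ("2019-05-04 09:00:14", "10.0.0.5", "dc01", "svc_backup", "success"),
    ("2019-05-04 11:30:00", "10.0.0.5", "dc01", "alice", "failure"),
]


def correlate_logons(events, threshold=5, window=timedelta(minutes=2)):
    """Rule-based correlation with a sliding time window per (source, host).

    Rule 1: >= threshold failures inside the window -> "brute-force" attempt.
    Rule 2: a success from the same source while the window is still hot ->
            "brute-force-success", i.e. the guessing likely worked; escalate this.
    """
    failures = defaultdict(deque)          # (src, host) -> deque of failure times
    alerts = []
    for ts, src, host, user, outcome in sorted(events):   # ISO timestamps sort as text
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = failures[(src, host)]
        while q and t - q[0] > window:      # expire failures older than the window
            q.popleft()
        if outcome == "failure":
            q.append(t)
            if len(q) == threshold:         # fire once, when the threshold is crossed
                alerts.append(("brute-force", src, host, user, ts))
        elif outcome == "success":
            if len(q) >= threshold:
                alerts.append(("brute-force-success", src, host, user, ts))
            q.clear()                       # a successful logon ends the burst
    return alerts


if __name__ == "__main__":
    for alert in correlate_logons(SAMPLE_EVENTS):
        print(alert)
```

Two failures from 10.0.0.9 stay below the threshold and produce nothing; the burst from 10.0.0.5 produces one "brute-force" alert on the fifth failure and a "brute-force-success" alert when svc_backup finally logs in, which is the event an investigator should pivot on first.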
90. Swatch: tool used for monitoring log files produced by UNIX syslog facility
91. Logcheck: allows system Admins to view log files, which are produced by hosts under
their control.
92. NTP (Network Time Protocol) synchronizes the clocks of computers connected to a
network; it typically keeps them within a few milliseconds of each other on a LAN (tens of
milliseconds across the Internet). Consistent time is what makes logs from different hosts correlatable.
93. Physical Evidence includes​: cables, removable media, Publications, all computer
equipment including peripherals (mice, keyboard, etc…), items taken from the trash.
94. Anti-forensics: data deletion, encryption, data hiding (Steganography), Trail Obfuscation
(deleting log files, spoofing, zombie accounts, misinformation), Program Packers,
Rootkits, Privacy Eraser (tool that deletes browser history)
95. Lspd.pl is a Perl script that allows you to list the details of a process
96. Data duplication means bit-by-bit copying of the original data using a software or
hardware tool. Done carelessly (on a live, writable system without a write blocker),
duplication can overwrite data fragments and damage the integrity of the evidence; it can
also alter the data stored in the swap file.
97. What data to collect after RAM? ​Collect any other volatile data​ (cache, registries).
Non-volatile data that can be collected later is things like swap file, slackspace,
CD-ROM, USB, etc…
98. Most Recently Used lists (​MRU​) are the lists of recently visited web pages, opened
documents, etc… The ​MRU list​ registry key ​IS​ the ​RecentDocs key​.
99. The MRUListEx value is located under this key in the user's hive (NTUSER.DAT):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
100. System Log Extensions: review p 597 in Chapter 6 of the official EC-Council
material for Mac log file information/extensions.
101. DropBox: review p838 of the official EC-Council material on Dropbox file extensions.
Also remember that .dbx is a dropbox file extension.
102. format of MYSQL server log file end in .err
103. A hard drive disk block (sector) is 512 bytes (0.5 KB); Advanced Format drives use 4096-byte physical sectors but most still present 512-byte logical sectors (512e)
104. Hard disk data addressing is a method of allocating addresses to each logical block
of data on the physical disk
105. Eprocess​ is a data structure that stores attributes of a process as well as pointers to
the attributes and the data structures
106. The tool that can be used to extract artifacts from Google Drive and Dropbox is:
WhatChanged Portable
108. RunMRU: when a user types a command or the name of a file in the Run dialog, entries
are added to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
109. TypedURL: This key maintains a MRU list of URLs that the user types in the address
bar: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
110. MRU = most recently used
111. First 8 digits of IMEI is the Type Allocation Code (TAC)
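The following is an added example, not part of the original study guide, that splits an IMEI into the fields named in item 111 and validates its check digit. The Luhn check is the standard algorithm used for the 15-digit IMEI; the sample IMEI is the well-known documentation example 49015420323751 with check digit 8, not a real handset.

```python
def luhn_valid(digits):
    """Luhn check over a string of decimal digits; the last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(body):
    """Compute the digit that makes body + digit pass the Luhn check."""
    for cd in "0123456789":
        if luhn_valid(body + cd):
            return cd
    raise AssertionError("unreachable: some digit always satisfies Luhn")


def parse_imei(imei):
    """Split a 15-digit IMEI into TAC, serial number and check digit and validate it.
    Separators such as '-' or spaces (as printed under the battery) are ignored."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError("IMEI must have 15 digits, got %d" % len(digits))
    return {
        "tac": digits[:8],          # Type Allocation Code: identifies maker and model
        "serial": digits[8:14],     # per-unit serial number within that TAC
        "check_digit": digits[14],
        "luhn_ok": luhn_valid(digits),
    }


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))
```

A failed Luhn check on an IMEI recovered from a device or a carrier record usually means a transcription error or a deliberately altered (reprogrammed) identifier, so the value should be re-read before it goes into a report.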
112. Failed user login is code 530 (the FTP reply "Not logged in" seen in IIS FTP logs). In the Windows Security event log, a failed logon is event ID 4625 on Vista and later (529-537 and 539 on Windows 2000/XP/2003).
113. Nibble​ = 4 bits
114. Key cell = contains Registry key information and includes offsets to other cells as
well as the LastWrite time for the key
115. If a phone locks up due to failed attempts at guessing the PIN, you will need to
contact the provider and ask for the PUK (PIN Unlock Key) code
116. Apache access log (Common Log Format) looks like this:
127.0.0.1 - frank [10/Oct/2001:13:55:39 -0600] "GET /apache_pb.gif HTTP/1.0" 200 2326

Apache log format:
%h %l %u %t \"%r\" %>s %b

%h represents the client's IP address
%l (fyi - this is the letter L) represents the remote log name. This will return a dash unless
mod_ident is present and IdentityCheck is set On.
%u is the client user ID (the user name from HTTP authentication; a dash if the request was not authenticated)
%t represents the time when the server received the request. It is displayed in the format
[day/month/year:hour:minute:second zone]
\"%r\" is the first line of the request: the method used (GET), the resource requested by the
client (apache_pb.gif), and the protocol used (HTTP/1.0).
%>s represents the final status code which the server sends back to the client.
%b represents the size in bytes of the object which the server sends to the client, not
counting headers (a dash when no content was returned).
Errors go to a separate error log whose lines start with a timestamp and a severity such as [error].
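The following is an added example, not part of the original study guide, that parses lines in the Common Log Format described in item 116 into typed fields and then does the first thing an investigator does with a web server log: group status codes per client to spot a scanner. The first sample line is the one quoted in item 116; the other lines are constructed (203.0.113.7 is a documentation address), and the "3 or more 404s" heuristic is an assumption chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# %h %l %u %t "%r" %>s %b
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log (the first line is the one quoted in the guide).
SAMPLE_LOG = """\
127.0.0.1 - frank [10/Oct/2001:13:55:39 -0600] "GET /apache_pb.gif HTTP/1.0" 200 2326
203.0.113.7 - - [10/Oct/2001:13:56:01 -0600] "GET /admin/ HTTP/1.1" 404 209
203.0.113.7 - - [10/Oct/2001:13:56:02 -0600] "GET /phpmyadmin/ HTTP/1.1" 404 209
203.0.113.7 - - [10/Oct/2001:13:56:02 -0600] "GET /.env HTTP/1.1" 404 209
203.0.113.7 - - [10/Oct/2001:13:56:03 -0600] "POST /login HTTP/1.1" 302 -
"""


def parse_clf(line):
    """Parse one Common Log Format line into typed fields; None if it does not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])     # "-" means 0 bytes
    parts = rec["request"].split(" ")
    rec["method"], rec["path"], rec["protocol"] = (parts + ["", "", ""])[:3]
    for key in ("ident", "user"):                                    # "-" means absent
        if rec[key] == "-":
            rec[key] = None
    return rec


def summarize(log_text):
    """Per-client status counts, plus the clients that probe many missing paths."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec:
            per_client[rec["host"]][rec["status"]] += 1
    scanners = sorted(h for h, c in per_client.items() if c[404] >= 3)
    return per_client, scanners


if __name__ == "__main__":
    per_client, scanners = summarize(SAMPLE_LOG)
    for host, counts in per_client.items():
        print(host, dict(counts))
    print("probable scanners:", scanners)
```

Keep the time zone from %t when converting: the -0600 offset is what lets these entries be lined up against logs from hosts that record in UTC.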
117. cross-platform correlation is used for different OS and network hardware platforms
on the network
118. Automated Field Correlation = checks and compares all the fields systematically and
intentionally for positive and negative correlation with each other to determine the
correlation across one or multiple fields
119. Path for Security IDs in Windows 7:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList
120. Securing the scene can be done by non-forensic staff. They can maintain the scene
in a secure state and make notes that will be handed over to the forensic investigators.
121. A Buffer Overflow attack allows the attacker to modify the Target process' address
space.
122. An "Errors-To" email header allows you to specify an address for mailer-generated
errors to go to.
123. The ​Information Header​ specifies dimensions, compression type, and color format
for bitmap.
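The following is an added example, not part of the original study guide, tying together three facts from this guide: file typing by leading bytes (the JPEG FF D8 FF signature of item 11), the BMP color table rule of item 61, and the BMP information header of item 123. The BMP files are constructed in the block (build_bmp is a test helper that writes a blank image); the BITMAPFILEHEADER and BITMAPINFOHEADER layouts are the standard 14-byte and 40-byte structures.

```python
import struct

# Leading-byte signatures ("magic numbers"). FF D8 FF is JPEG whatever the 4th byte is
# (E0 = JFIF, E1 = Exif), so the check is intentionally only three bytes long.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"%PDF-", "PDF"),
    (b"BM", "BMP"),
]


def identify(data):
    """Classify a file by its leading bytes rather than by its extension."""
    for sig, name in SIGNATURES:
        if data.startswith(sig):
            return name
    return "unknown"


def build_bmp(width, height, bpp):
    """Construct a minimal uncompressed BMP (constructed sample, all-black pixels)."""
    assert bpp in (8, 24)
    # 8 bpp needs a 256-entry RGBQUAD palette; 24 bpp has no palette at all
    palette = b"".join(struct.pack("<BBBB", i, i, i, 0) for i in range(256)) if bpp == 8 else b""
    stride = ((width * bpp + 31) // 32) * 4              # rows are padded to 4 bytes
    pixels = b"\x00" * (stride * height)
    offset = 14 + 40 + len(palette)                       # where pixel data starts
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                       len(pixels), 2835, 2835, 256 if bpp == 8 else 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return file_hdr + info + palette + pixels


def parse_bmp(data):
    """Read BITMAPFILEHEADER + BITMAPINFOHEADER: dimensions, depth, compression, palette."""
    if not data.startswith(b"BM"):
        raise ValueError("not a BMP: bad magic")
    _magic, file_size, _r1, _r2, offset = struct.unpack_from("<2sIHHI", data, 0)
    (hdr_size, width, height, _planes, bpp, compression, _img_size,
     _xppm, _yppm, clr_used, _clr_important) = struct.unpack_from("<IiiHHIIiiII", data, 14)
    if hdr_size < 40:
        raise ValueError("unsupported header size %d" % hdr_size)
    palette_entries = 0
    if bpp <= 8:                      # the RGBQUAD table exists only for <= 8 bpp
        palette_entries = clr_used or (1 << bpp)
    return {
        "file_size": file_size,
        "declared_size_ok": file_size == len(data),   # mismatch hints at appended data
        "width": width,
        "height": abs(height),
        "top_down": height < 0,
        "bits_per_pixel": bpp,
        "compression": compression,                   # 0 = BI_RGB (uncompressed)
        "palette_entries": palette_entries,
        "pixel_offset": offset,
        "row_stride": ((width * bpp + 31) // 32) * 4,
    }


if __name__ == "__main__":
    sample = build_bmp(2, 2, 24)
    print(identify(sample), parse_bmp(sample))
    print(identify(b"\xFF\xD8\xFF\xE1\x00\x10Exif\x00\x00"))
```

Comparing the declared file size and pixel offset against the real length is a cheap steganography/appended-data check: a bitmap whose pixel data ends well before the end of the file deserves a closer look.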
124. Remember to always check volatile data (registry, etc...) first, especially if you
suspect that files may not have been saved.
125. Expert witness = authenticates evidence
126. GLBA = protects consumers personal financial information
127. Promiscuous sniffing is a Data Link layer (NIC) operation: the interface accepts every frame on its segment instead of only those addressed to it. Note that the EC-Council material answers "routers at the Network layer" for this question.
128. Network Time Protocol (NTP) = lets you synchronize time among multiple computers
129. The Rebuttal Session (p1078 of EC-Council material) is the process of
cross-examination of the expert witness by both the plaintiff and defendant.
