----------------------------------------------------------------------
Chapter 1: Systems Overview
----------------------------------------------------------------------

1. What component assists the CPU in address translation?
   A) The Memory Management Unit (MMU)
   B) The Address Translation Unit (ATU)
   C) The Central Memory Hub (CMH)
   D) The Memory Management Controller (MMC)

2. When dealing with raw, padded memory dumps, a physical address is an offset into the memory dump file. True or False?

3. Which statement(s) are false?
   A) IA32 architecture is also known as x86
   B) Physical Address Extension (PAE) allows up to 64GB of physical memory
   C) 64-bit CPUs only actually use 52 bits of the available address space
   D) A typical page size is 4KB, but it can be larger if the page size entry (PSE) flag is set
   E) All of the above

4. Which CPU register is used to store the directory table base (page directory base)?
   A) CR0
   B) EAX
   C) CR3
   D) DR3

5. Which statement(s) are true?
   A) Paging allows processes to "see" more RAM than is physically present
   B) The page fault handler code must never be paged
   C) Paging complicates memory forensics because not all data is memory resident at the time of acquisition
   D) Paging writes potentially valuable volatile evidence to non-volatile storage such as disk
   E) All of the above

6. The winlogon.exe process (PID 628) in sample001.bin has a virtual address 0x77a80000 and DTB value 0x682e000. What is the corresponding physical offset? What do you see at the physical offset within the file?

----------------------------------------------------------------------
Chapter 2: Data Structures
----------------------------------------------------------------------

1. Which of the following data types consume 4 bytes on a 32-bit system?
   A) char
   B) unsigned int
   C) long
   D) pointer to an int
   E) pointer to a char

2. Which statement(s) are false about arrays?
   A) Elements can be found by multiplying the desired index by the size of an element and adding it to the array's base address
   B) Elements are contiguous in memory
   C) Elements must be of a single data type (homogeneous)
   D) Arrays cannot store pointers

3. Which statement(s) are true about structures?
   A) Structures can store various different data types
   B) Structure sizes and member offsets can vary depending on compiler optimizations
   C) Operating systems and applications make heavy use of structures
   D) The names of structure members should indicate their purpose

4. Linked lists are easily manipulated by rootkits. True or False?

5. Performing memory forensics at the physical layer (i.e. without virtual address translation) limits analysis because:
   A) Strings that cross page boundaries may be fragmented in physical memory
   B) You cannot traverse linked lists
   C) Some hash tables and trees are never found in physical memory
   D) _UNICODE_STRING data types store metadata separately from the actual string content

6. Perform the following steps:
   A) Create a C source file with one or more data structures
   B) Initialize the structure members in your main() function and print out their values
   C) Compile it with GCC or Microsoft Visual Studio Express
   D) Analyze the binary in a disassembler, or pause it in a debugger, and inspect the offsets for the structure members being passed to the print function
   E) Do your offsets match your expectations?

----------------------------------------------------------------------
Chapter 3: The Volatility Framework
----------------------------------------------------------------------

1. Install Volatility and the dependency libraries (unless you're working with the standalone version).

2. Run the "vol.py --info" command. What profiles does your version support?

3. Run the "vol.py --help" command with and without a plugin name. How does the output differ?

4. Run the kdbgscan plugin against a Windows memory sample.
   A) What profile does it suggest?
   B) What is the virtual address of the kernel debugger data structure?
   C) Were any inaccurate profiles suggested? Why or why not?

5. Using the profile you determined in step 4, list processes in your memory dump. Then run the same plugin again, but redirect output to a text file so you can save it for later analysis.

6. Perform the following steps:
   A) Copy exampleplugin.py into volatility/plugins
   B) Edit exampleplugin.py and change the name from ExamplePlugin to a name of your choice
   C) Edit the description of the plugin
   D) Edit the plugin to print the process ID (UniqueProcessId) in addition to the process name
   E) Run "vol.py --info" and see if your new plugin is registered
   F) Run your new plugin and observe the output
   G) Add a new method named render_csv (comma separated values) to the plugin and configure it to output data in CSV format
   H) Run the plugin with --output=csv and observe the output

----------------------------------------------------------------------
Chapter 4: Memory Acquisition
----------------------------------------------------------------------

1. If a suspect computer is not powered on, you can attempt to recover memory in which of the following ways?
   A) page files on disk
   B) hibernation files
   C) old crash dumps
   D) introspection

2. Why is memory acquisition not a trivial task? What are some of the "gotchas" you need to watch out for?

3. Which API is not commonly used by acquisition tools?
   A) MmCreateMemoryDump
   B) MmMapMemoryDumpMdl
   C) MmProbeAndLockPages
   D) ZwMapViewOfMemory
   E) MmMapIoSpace

4. It is important to run live response tools to gather evidence before acquiring physical memory, so that your memory capture contains the extra data generated by the live IR tools. True or False?

5. Perform the following steps:
   A) Dump memory from one of your machines to local USB/Firewire/ESATA
   B) Dump memory across the network (you can use a NAT or Host-only VM configuration). Make sure to use compression and encryption.
   C) If possible, analyze memory using remote interrogation. Capture traffic while you run Volatility plugins. How much data is transferred with a basic process listing?

6. Perform the following steps:
   A) Analyze the registry of a target system to determine how many page files are in use
   B) Extract the page files from the running system (with TSK Windows binaries)
   C) Can Volatility analyze page files directly? Why or why not?
   D) Can you use Volatility's imagecopy plugin to convert a page file into a raw memory dump? Why or why not?
   E) Use page_brute to scan across your extracted page files. Does it find any hits?
   F) If necessary, extend page_brute's default Yara rules and scan your page files again

----------------------------------------------------------------------
Chapter 5: Windows Objects and Pool Allocation
----------------------------------------------------------------------

1. Run the objtypescan plugin against a memory dump from a system you own.
   A) How many different executive object types exist?
   B) Does the list of objects match what WinObj (Sysinternals) reports?
   C) What's the most highly used object type on your system?
   D) Which object types can be paged to disk?
   E) What is the 4-byte key (AKA tag) for process objects?

2. Perform the following steps:
   A) Take two memory dumps - one before running allocator.exe and one after
   B) Use the pooltracker plugin to compare the changes it makes to the "Muta" pools
   C) If you integrate pooltag.txt into your pooltracker plugin output, what description does it provide for "Muta" objects?
   D) Run the mutantscan plugin. Does the output support the theories about allocator.exe's activity based on pool tag use statistics?

3. The memory image sample002.bin is running a kernel driver that defines the following structure type. The driver allocates structures from nonpaged pools using tag 'RedR'. Write a pool scanner to find these allocations and parse them.
   typedef struct _MMREDIR {
       int src_port;
       int dst_port;
       int redirect_port;
       char src_address[32];
       char dst_address[32];
       char redirect_address[32];
   } MMREDIR, *PMMREDIR;

4. Run the pslist and psscan plugins against sample003.bin.
   A) Which process(es) are active?
   B) Which process(es) have terminated?
   C) Which process(es) are leftover from a previous reboot?

5. Which of the following is not a weakness of the pool tag scanning approach?
   A) It's possible to find false positives (decoys, fake objects, etc.)
   B) Pool tags can be manipulated because they're not essential to the OS
   C) Large allocations (> 4096 bytes) cannot be found with pool tag scanning
   D) Not all kernel allocations are tagged in the first place (i.e. ExAllocatePool)
   E) All of the above

----------------------------------------------------------------------
Chapter 6: Processes, Handles, and Tokens
----------------------------------------------------------------------

1. Which of the following situations should have you worried?
   A) Two or more instances of svchost.exe are running
   B) The parent of winlogon.exe is services.exe
   C) csrss.exe is running from the "C:\Windows\system32" directory
   D) ssms.exe is running
   E) explorer.exe is running from the "C:\Windows\system32" directory

2. Run the psscan plugin on one of your memory images and generate a Graphviz diagram (--output=dot --output-file=graph.dot)
   A) Why doesn't explorer.exe have a parent?
   B) Which process spawned AcroRd32.exe?

3. Run the psxview plugin against sample003.bin.
   A) Which process(es) are hidden?
   B) In what ways did the rootkit attempt to hide?

4. Run the getsids plugin against sample005.bin.
   A) How many users are logged on?
   B) What are their names?
   C) Is there any evidence of privilege escalation attacks?

5. Run the privs plugin against sample004.bin and sample005.bin.
   A) In sample004.bin, which process(es) have the ability to load kernel drivers?
   B) In sample005.bin, the dfssvc.exe process (PID 1608) enabled SeRestorePrivilege and SeBackupPrivilege. Do you think that's something to be worried about?

6. Which process is currently accessing the ")!VoqA.I4" mutex in sample004.bin?

----------------------------------------------------------------------
Chapter 7: Process Memory Internals
----------------------------------------------------------------------

1. Run the processmemory.exe program on one of your virtual machines. Dump memory while it's running. What is the process ID of processmemory.exe in your memory dump?

2. What data does it write to its heap? Use volshell to investigate.

3. Use the yarascan plugin to scan for the data you identified in Question 2. Does it show up in the expected location?

4. The application's output tells you "File mapping created at..." Use vadinfo and determine the name of the file it maps into that address.

5. What VAD tag is used to map the file you identified in Question 4?

6. How can you distinguish the mapping you identified in Question 4 from the mapping of the process' executable?

7. Run the zeusscan2 plugin against sample006.bin.
   A) How many unique variants of Zeus are running?
   B) Dump the associated VAD segment from one of the infected processes. Upload it to VirusTotal. Do you get any hits?

----------------------------------------------------------------------
Chapter 8: Hunting Malware in Process Memory
----------------------------------------------------------------------

1. Use a Windows XP or 2003 system and open one or more Notepad processes. Either open existing text files or type into the document.
   A) Run the notepad plugin against the system. Does it properly locate the document's text?
   B) Extract the memory region containing the text to a separate file on disk

2. Execute shelly.exe on a virtual machine. Dump memory while it's running.
   A) What port does shelly.exe listen on?
   B) Connect to shelly.exe using telnet or netcat. What do you see?
   C) Analyze the standard handles in the memory dump. What process(es) have redirected handles?

3. Analyze sample007.bin.
   A) Are any processes hosting injected code? If so, which one(s)?
   B) Have any processes been hollowed? If so, which one(s)?
   C) Extract the injected code segments or hollowed process executables to disk for further static analysis.

4. Extract storytime.dll.zip (password: infected).
   A) Can you analyze the file in IDA Pro, PE analyzers, etc.?
   B) Run the DLL on a 64-bit system and dump memory while it's running.
   C) Determine the load address of the DLL and unpack it from memory.

5. Perform the following steps:
   A) Create an account on virusshare.com
   B) Download some malware samples (packed or unpacked)
   C) Run them in your virtual machine and develop Yara signatures for detecting their presence
   D) Create memory dumps and scan for your signatures with the yarascan plugin

----------------------------------------------------------------------
Chapter 9: Event Logs
----------------------------------------------------------------------

1. What process on XP and 2003 stores mapped copies of the event log files?
   A) evtsvc.exe
   B) System
   C) services.exe
   D) mmc.exe

2. Which of the following statement(s) are false?
   A) Event logs can be cleared
   B) Reconstructing event logs from memory may yield incomplete results, because not all records are mapped into memory (or they're paged)
   C) If the Security event log is empty, you should check the logging policy in the registry
   D) Volatility natively parses Vista and later event log formats

3. Use the evtlogs plugin against an XP or 2003 memory image.
   A) Analyze the output text files for particular event IDs
   B) Export the raw logs and process them with a tool external to Volatility

4. Analyze a Vista or later memory image.
   A) Extract the event logs with the "dumpfiles" plugin
   B) Analyze the event logs with a tool external to Volatility

----------------------------------------------------------------------
Chapter 10: Registry in Memory
----------------------------------------------------------------------

1. Run the hivelist plugin on sample004.bin.
   A) What's the virtual address of the HKEY_LOCAL_MACHINE\SOFTWARE hive?
   B) What's the virtual address of the "administrator" user's HKEY_CURRENT_USER hive?

2. Use the printkey plugin to check the "Microsoft\Windows\CurrentVersion\Run" key in both hives identified above. Do you see any entries that are worth further investigation?

3. Analyze sample007.bin. Determine which services were most recently added or modified.

4. Extract the cached password hashes (using hashdump) from some of your memory samples. Load them into a password cracker to determine the plain text password (if possible).

5. Execute the following steps:
   A) On your system, launch some programs, browse to some directories in Explorer, etc.
   B) Create a memory dump of your system
   C) Run the shimcache, userassist, and shellbags plugins. Do you see any artifacts of the actions you performed in A?
   D) Run the plugins on some memory images from prior investigations

----------------------------------------------------------------------
Chapter 11: Networking
----------------------------------------------------------------------

1. What is one potential way to hide network activity from memory forensics tools?
   A) Hook the DeviceIoControl API in user mode
   B) Hook the IRP_MJ_DEVICE_CONTROL of tcpip.sys in kernel mode
   C) Unlink the singly linked list of connection or socket structures in kernel mode
   D) Use an NDIS driver

2. TCP client and server applications both create _ADDRESS_OBJECT (sockets). True or False?

3. Was RDP enabled on sample004.bin?

4. How many active connections did sample004.bin have? What websites (port 80 or 443) did it access in the recent past?

5. Run Bulk Extractor or CapLoader against a memory image. Can you trace the network activity back to the process(es) or driver(s) that generated it?

6. Perform the following steps:
   A) Use Internet Explorer v4 - v9 on one of your virtual machines to access web pages
   B) Visit an FTP site with Windows Explorer
   C) Acquire memory from your system
   D) Use the iehistory plugin against the IE and Explorer processes to gather artifacts. Does it contain what you expect?

7. Use the filescan and dumpfiles plugins to extract and analyze the HOSTS file from some of your memory dumps.

----------------------------------------------------------------------
Chapter 12: Services
----------------------------------------------------------------------

1. Which of the following is NOT a reason why malware uses services?
   A) For persistence
   B) To load kernel drivers
   C) To get code running inside services.exe
   D) To hide among the various svchost.exe processes that you typically see

2. Malware that leverages services must directly or indirectly call CreateService and StartService eventually. True or False?

3. Perform the following steps:
   A) Run servicedll_whitelist.py on one of your systems (make sure to install Pywin32 first)
   B) Dump memory from the system
   C) Run svcscan with the --verbose flag to see the ServiceDll values
   D) Can you spot any discrepancies?

4. Perform the following steps:
   A) Create a memory dump of your Windows XP or 2003 system
   B) Download the UnlinkServiceRecord.zip tool from https://code.google.com/p/malwarecookbook/source/browse/trunk/17/10/UnlinkServiceRecord.zip
   C) Choose a service that's running and unlink it with the tool
   D) Type "sc query NAME" on the command line (where NAME is the name of the service you unlinked). Can the system find any information on that service?
   E) Dump memory a second time
   F) Use the svcscan plugin to detect the unlinked service

5. Analyze sample001.bin.
   A) What new service did the malware install? How do you know it's new?
   B) What is the path to the malicious DLL that implements the service?
   C) Google the name of the service. Is it related to any known exploits or threat groups?
   D) Is the service running? If so, what is the host process ID?
   E) Dump the malicious DLL from memory for static analysis

----------------------------------------------------------------------
Chapter 13: Kernel Forensics and Rootkits
----------------------------------------------------------------------

1. If a kernel module unlinks from the PsLoadedModuleList, manipulates the MmLd pool tags, and zeroes out its PE header, how can you still find the malicious rootkit code?
   A) By following thread start addresses
   B) By following kernel callbacks
   C) By following timer DPCs
   D) By analyzing corresponding driver objects
   E) All of the above

2. You may not find entries in the "services" key of the registry for drivers loaded via NtLoadDriver. True or False?

3. Perform the following steps:
   A) Run Process Explorer from Sysinternals on a 64-bit Windows system
   B) Dump memory of the system
   C) Run the modules plugin. Does Process Explorer show up at the start or end of the list? Why?
   D) Run the callbacks plugin. What types of callbacks does Process Explorer use?

4. Perform the following steps on sample008.bin:
   A) Determine if the system is infected
   B) Identify and extract the rootkit code (if any) from kernel memory
   C) What is/was the name of the driver file on disk?

5. Analyze sample007.bin:
   A) Does this rootkit work by hooking IRP functions or by using layered devices?
   B) What functionality or capabilities can you uncover?
   C) Are any of the kernel modules digitally signed?
   D) Does the rootkit install any callbacks or timers?
   E) Extract the rootkit code, fix the PE header (if necessary), and load it into IDA Pro. Label the malicious functions based on the addresses you see in the answers to A and D.
----------------------------------------------------------------------
Chapter 14: Windows GUI Subsystem, Part I
----------------------------------------------------------------------

1. Perform the following steps:
   A) Configure one of your virtual machines with multiple users
   B) Log onto the console with one user account and RDP with another user account
   C) Acquire a memory dump from the system
   D) Run the screenshots plugin. Do you see each user's desktop?
   E) Run the sessions plugin. Can you tell which user is logged in via RDP?

2. Perform the following steps:
   A) Launch Sysinternals Desktops and create some additional desktops
   B) Execute some applications on each desktop
   C) Use WinLister or Spy++ on your main desktop. Can you see the windows in other desktops?
   D) Run the desktops Volatility plugin. Do you see the new desktops? Are the proper threads/processes associated with the proper desktops?
   E) Run the windows and wintree plugins.

3. Analyze sample007.bin.
   A) Which window is monitoring USB insertions?
   B) What is the address of the malicious window procedure?
   C) What is the window's class atom (integer) value?
   D) Run the atoms or atomscan plugin. Do you see the class atom string?

----------------------------------------------------------------------
Chapter 15: Windows GUI Subsystem, Part II
----------------------------------------------------------------------

1. Perform the following steps on sample009.bin:
   A) Run the messagehooks plugin. Are there any global hooks?
   B) What type of messages are being filtered/hooked?
   C) What is the full path to the injected hook DLL?
   D) What is the address of the hook handler function inside the DLL?
   E) Extract the malicious DLL and analyze the handler in IDA Pro. What is the purpose of the hook?

2. Perform the following steps on your own virtual machine:
   A) Copy message_hook_installer.exe and message_hooklib.dll to your machine
   B) Double-click the exe file
   C) Acquire a memory dump
   D) Perform the same steps as #1

3. Perform the following steps on your own virtual machine:
   A) Copy some text to your clipboard
   B) Copy a file from Windows Explorer
   C) Acquire a memory dump
   D) Run the clipboard plugin. Do you see what you expect?

----------------------------------------------------------------------
Chapter 16: Disk Artifacts in Memory
----------------------------------------------------------------------

1. Run the mftparser plugin against some of your memory dumps. Collect the output in body file format and build a timeline. What were the most recently accessed and created files?

2. Analyze sample004.bin with mftparser. Specifically, extract the MFT-resident file data. Can you find any attacker batch scripts?

3. Create one or more ADS files on your system. Acquire memory and run mftparser. Does it find the ADS associations?

4. Move a file on your machine to the recycle bin. Then analyze your activity with mftparser. Can you find evidence of the "deleted" file? Parse the $I file and recover the original full path.

5. Extract all files from one or more memory dumps. Run the UNIX "file" command against the output directory. What types of files did you recover?

6. Perform the following steps:
   A) Install TrueCrypt on your machine
   B) Create a virtual file-based container
   C) Mount the container with or without cached passwords
   D) Store some files within the encrypted container
   E) Acquire a memory dump from your system
   F) Use the truecryptpassphrase, truecryptsummary, and truecryptmaster plugins to investigate the activity

7. Assuming your TrueCrypt volume was formatted with NTFS, locate the $Mft file and extract it with dumpfiles. Parse it offline to determine the names of other files within the encrypted volume.

----------------------------------------------------------------------
Chapter 17: Event Reconstruction
----------------------------------------------------------------------

1. Extract strings from one or more of your memory dumps.

2. Translate the strings with Volatility.

3. Search your translated strings file for activity related to file execution (prefetch), C2 hostnames (this will depend on the malware you install prior to dumping memory), etc.

4. Are there any related strings immediately above or below the potentially interesting strings you found in Step 3?

5. Isolate the "FREE MEMORY" strings from the translated file. What percentage of the total strings are found in free/deallocated memory?

6. What strings are shared between multiple processes? Can you map them back to specific DLLs in those processes?

7. Run the cmdscan and consoles plugins against all samples provided with the book as well as your own memory images. Do you find any useful information?

----------------------------------------------------------------------
Chapter 18: Timelining
----------------------------------------------------------------------

1. Most timestamps found in Windows memory dumps are in local time. True or False?

2. Which command-line option helps create timelines in a format that's compatible with disk forensics tools and other common utilities?
   A) --output=timeline
   B) --output=csv
   C) --output=body
   D) --output=bodyfile

3. Create a timeline from sample001.bin.
   A) Run timeliner
   B) Run shellbags
   C) Run mftparser
   D) Extract the registry hive files and process them with python-registry
   E) Combine the output into one large timeline
   F) Sort the timeline with mactime

4. Analyze the timeline you created in Question 3 for signs of infection. What was the initial infection vector and when did it occur? What events followed?

5. Create a timeline for sample005.bin. Can you find any relation with sample001.bin?

----------------------------------------------------------------------
Chapter 19: Linux Memory Acquisition
----------------------------------------------------------------------

1. Why is /dev/mem no longer usable for memory acquisition?
   A) It is disabled on modern distributions
   B) It only supports acquisition of 1MB of memory
   C) It only supports acquisition of 2GB of memory
   D) It is not readable by userland programs

2. Why is /dev/kmem no longer usable for memory acquisition?
   A) It is disabled on modern distributions
   B) It only supports acquisition of 1MB of memory
   C) It only supports acquisition of 2GB of memory
   D) It is not readable by userland programs

3. What is one advantage that LiME has over fmem?
   A) It runs from userland
   B) It can be compiled once and work on any supported system
   C) It is open source
   D) It automates the acquisition process

4. On which of the following system(s) would /proc/kcore be usable?
   A) 32-bit Redhat running kernel version 2.6.32
   B) 64-bit Ubuntu running kernel version 2.6.24
   C) 32-bit Mandriva running kernel version 2.6.21
   D) 64-bit SuSe running kernel version 3.12

5. In order to create a Volatility Linux profile you must compile the profile on a system running the same kernel version and OS as the one you want to analyze. True/False?

6. Perform the following steps:
   A) Install the latest version of Ubuntu within a virtual machine or on real hardware
   B) Compile LiME for the system and create a Volatility profile. This will require installing the compiler tools and the kernel headers
   C) Use LiME to acquire memory and then analyze it with the linux_pslist plugin using the profile you created

----------------------------------------------------------------------
Chapter 20: Linux Operating System
----------------------------------------------------------------------

1. Which of the following dictates which sections of an ELF file are loaded into memory at runtime?
   A) The ELF header
   B) The section headers
   C) The program headers
   D) The section symbol table

2. How does Volatility's Linux support find the initial DTB?
   A) Scanning physical memory looking for an allocation signature
   B) Utilizing Linux's identity mapping of kernel code and data
   C) Finding the init process and then finding its page table value
   D) Walking the list of kernel modules until the kernel is found and then finding its page table value

3. The proc file system is correctly acquired when performing disk imaging, such as through the dd command. True/False?

4. The /proc/1/ directory corresponds to which type of object?
   A) Process
   B) Network Connection
   C) Opened File Handles
   D) Kernel Module

5. Analyze /bin/ls from the Ubuntu installation that you created in the previous chapter. Using readelf and nm, answer the following questions:
   A) How many sections does the binary have?
   B) How many symbols does the binary contain?
   C) What is the virtual address of the .text section?

----------------------------------------------------------------------
Chapter 21: Processes and Process Memory
----------------------------------------------------------------------

1. The linux_pstree plugin is helpful in which situation?
   A) Finding hidden processes
   B) Determining when processes exited
   C) Mapping processes to network connections
   D) Determining the child/parent relationship between processes

2. The name of the process reported by linux_pslist is susceptible to userland manipulation. True/False?

3. The name of the process reported by linux_psaux is susceptible to userland manipulation. True/False?

4. What does the PATH environment variable specify?
   A) The list of directories writable by the user
   B) The list of directories to search for applications
   C) The list of directories to search for shared libraries
   D) The list of directories storing user configuration files

5. When using default settings, which of these appear in bash's data structures in memory, but not on disk?
   A) The order in which commands were executed
   B) The time when commands were executed
   C) The user who executed commands
   D) The directory commands were executed from

6. For the remaining questions of this chapter, analyze linux-sample-1.bin using the provided profile.
   A) What is the ID of the user that read the passwd and shadow files?
   B) Did this user log in locally or over SSH?
   C) Which command did the user elevate privileges with?
   D) Which parameters were passed to the command when first elevating privileges (hint: check the environment of the relevant process)?
   E) What is the ID of the user logged into the desktop locally?
   F) Which network services are running on the system?

----------------------------------------------------------------------
Chapter 22: Networking Artifacts
----------------------------------------------------------------------

1. Activity related to UNIX sockets would appear in a program such as Wireshark running on the local machine. True/False?

2. Raw sockets are used only for malicious purposes. True/False?

3. Why is the ARP cache useful for forensics?
   A) It contains remote IP addresses of attackers
   B) It contains remote IP addresses used for data exfiltration
   C) It contains information about local IP addresses contacted during lateral movement
   D) It contains information about the local IP addresses of connected printers

4. Which networking artifact was removed from subsequent versions of the Linux kernel?
   A) Packet queues
   B) Aliased interfaces
   C) ARP cache
   D) Routing cache

5. For the remaining questions of this chapter, analyze linux-sample-2.bin using the provided profile.
   A) Which web browser was used by the user of the system?
   B) What was the PID of the main browser in use?
   C) Which IP addresses were contacted using HTTPS?
   D) What type of browsing activity does the route cache show?
   E) Which processes are listening for connections?
   F) How many network interfaces are active on the system?
   G) Are any of the interfaces in promiscuous mode?

----------------------------------------------------------------------
Chapter 23: Kernel Memory Artifacts
----------------------------------------------------------------------

1. What type of information would NOT be found in the kernel debug buffer?
   A) User logins
   B) Removable device usage
   C) Wireless network activity
   D) Listings of attached hardware devices

2. The linux_lsmod plugin finds kernel modules through scanning physical memory. True/False?

3. The Linux kernel uses a 2GB / 2GB split of virtual memory on 32-bit systems. True/False?

4. What is NOT true of kernel modules extracted with linux_moddump?
   A) They can be scanned with AV and Yara signatures
   B) They can be reverse engineered
   C) They can be reloaded on the live system
   D) They will not match the hash of the original LKM from disk

5. module_addr_min and module_addr_max specify the beginning and ending address of which data in kernel memory?
   A) The kernel executable
   B) The last kernel module to load
   C) The memory range occupied by all kernel modules
   D) The last kernel module to unload

6. For the remaining questions of this chapter, analyze linux-sample-3.bin using the provided profile.
   A) At what address is the lime kernel module loaded? Use this address to dump the kernel module from memory
   B) How many sections does the module have?
   C) Where is the .text section loaded in memory?
   D) Which parameter(s) were passed to LiME to dump memory?
   E) Which physical addresses does RAM occupy?
   F) Did LiME acquire only these regions or others as well?

----------------------------------------------------------------------
Chapter 24: File Systems in Memory
----------------------------------------------------------------------

1. What effect does the noatime mount option have on forensics?
   A) Access times of directories are not updated
   B) Access times of files are not updated
   C) Access times of files and directories are not updated
   D) Access times of files are updated only when accessed by the owner

2. When replicating file systems from memory, which MAC time is not replicated?
   A) Modified
   B) Accessed
   C) Created

3. Which of the following file systems is not stored on disk?
   A) tmpfs
   B) ext3
   C) xfs
   D) jfs

4. Which of the following directories is often used by attackers to store data that does not need to persist across reboots?
   A) /usr/tmp
   B) /dev/mm
   C) /tmp
   D) /var/runlib

5. If one page of a file is accessed by an application, then the entire file is read into the file cache. True/False?

6. For the remaining questions of this chapter, analyze linux-sample-3.bin using the provided profile.
   A) Recover the cookies.sqlite file of the vol user. Which websites stored cookies on this user's system?
   B) How many entries are in /etc/hosts?
   C) What type of file is /home/vol/.cache/mozilla/firefox/sren9std.default/Cache/8/10/4B0E7d01?

----------------------------------------------------------------------
Chapter 25: Userland Rootkits
----------------------------------------------------------------------

1. Which of the following operations is not directly supported by ptrace?
   A) Attaching to a running process
   B) Reading from a remote process' memory
   C) Creating a thread in a remote process
   D) Setting the general purpose registers of a remote process

2. How are LD_PRELOAD-based rootkits detected?
   A) By checking for inline hooks
   B) By hashing files on disk and comparing the hash to the in-memory version
   C) By checking for GOT overwrites
   D) By comparing string comparison operations

3. GOT overwrites are equivalent to which type of hook on Windows?
   A) SSDT hooks
   B) IAT/EAT hooks
   C) Callback hooks
   D) IDT hooks

4. For stability reasons, which set of instructions is generally overwritten by inline hooks?
   A) The first few instructions of a function
   B) The last few instructions of a function
   C) The instructions after the first CALL instruction
   D) The instructions after the first CMP instruction

5. Detection of which type of hook requires the original application binary or shared library?
   A) Inline hook
   B) GOT overwrite
   C) Process hollowing
   D) Function pointer overwrite

6. For the following questions, analyze linux-sample-4.bin using the provided profile.
A) Which processes are victim of an LD_PRELOAD attack? B) Which user is running the infected processes? C) What is the full path to the injected library? D) How does the library get injected into each process of the user? E) Which function(s) are the malicious library hooking? F) What is the path to the logfile that the library stores stolen data to disk in? 7. For the following questions analyze linux-sample-5.bin using the provided profile. A) Which process is inline hooked? B) Which function is inline hooked? C) What is the purpose of the inline hook? D) What is the name of the library performing the hook? E) What is the name of the binary that was used to inject the malicious library? --------------------------------------------------------------- Chapter 26: Kernel Mode Rootkits --------------------------------------------------------------- 1. Legitimate system call handlers can be implemented in kernel modules. True/False? 2. Which of the following members of tcp4_seq_info is commonly hooked in order to hide a rootkit's network connections? A) start B) stop C) next D) show 3. The NF_REPEAT Netfilter option is often used by rootkits to hide network connections from other kernel components and userland packet sniffers. True/False? 4. How does Average Coder hide logged-in users from the system? A) Hooking the write operation of /proc/buddyinfo B) Hooking the read operation of /var/run/utmp C) Hooking the read directory operation of /var/run D) Hooking the open operation of /usr/bin/who 5. Which userland-accessible source on a live system can find kernel modules hidden from the global list of modules? A) The IO_GET_MODULES I/O control request B) The /sys/module directory C) The /proc/modules file D) The get_modules system call 6. For the following questions analyze linux-sample-6.bin using the provided profile. A) Where is the malicious kernel module loaded? B) Which system calls are hooked? C) Which capabilities can the hooks give to the rootkit? 
D) What type of hooks are placed in the file system? E) Are there hooks in the network stack? --------------------------------------------------------------- Chapter 27: Case Study: Phalanx 2 --------------------------------------------------------------- 1. How does P2 hide processes? A) IOCTL handler hooks B) System call hooks C) Direct Kernel Object Manipulation (DKOM) D) Inline hooks in the libc mapped into each process 2. What was unusual about P2's network connections? A) P2 connected multiple times to a hardcoded remote IP addresses B) P2 connected to itself over the network C) P2 connected performed DNS resolution using Godaddy's DNS servers D) The connections occurred only over IPv6 3. P2 performs the majority of its work through a loadable kernel module. True/False? 4. Which directory does P2 use to mark its presence on a system? A) /tmp B) /var/run C) /dev/shm D) /etc 5. P2 re-executes itself upon startup so that it will not appear in the process list. True/False? ---------------------------------------------------------------------- Chapter 28: Mac Acquisition and Internals ---------------------------------------------------------------------- 1. On Mac systems, processes run in the Mach layer and the kernel runs in the BSD layer. True/False? 2. Why does Volatility need to account for the Mac kernel's address space layout randomization? A) Userland libraries will be mapped into different offsets than reported by the virtual memory subsystem structures B) Addresses in the profile will not correspond to where the data structures are mapped in the memory capture C) Scanning for data structures requires smarter algorithms when ASLR is in use D) Volatility does not need to account for it 3. Physical memory acquisition on Mac systems can be accomplished using built-in operating system facilities. True/False? 4. Mac Memory Reader supports capture to the ELF format. True/False? 5. Which of the following is required to build a Mac Volatility profile? 
A) The kernel header files B) C/C++ Compiler tools C) Mac ports D) The kernel debug kit 6. If you have access to an OS X system, then build a Volatility profile for Mac 10.9.3. ---------------------------------------------------------------------- Chapter 29: Mac Memory Overview ---------------------------------------------------------------------- 1. What is the name of the process that spawns the initial launchd process? A) kernel_task B) swapper C) init D) SYSTEM 2. When the dyld cache is in use, mac_proc_maps will properly list all shared libraries. True/False? 3. Mac tracks kernel modules only through a global list of modules. True/False? 4. Which command lists active network connections along with their owning process on a live Mac system? A) netstat –an B) netstat –pan C) lsof –i D) lsof -p 5. To answer the following questions, analyze mac-sample-1.bin with the provided 10.9.3 profile. A) Which user is the vim process run by? B) Is the user logged in locally or remotely? C) What is the path to the file being edited in vim? D) What is the full path to vim on the local system? E) What is the load address of libmacho.dylib inside the running vim process? F) What text was being typed in vim at the time of acquisition? G) Which websites were being accessed around the time of acquisition? ---------------------------------------------------------------------- Chapter 30: Malicious Code and Rootkits ---------------------------------------------------------------------- 1. DYLD_INSERT_LIBRARIES is similar to which concept of Linux? A) ptrace B) MAP_LIBRARY_ON_START C) LD_PRELOAD D) Inline hooking 2. sysctl provides an interface for the kernel to request actions from userland processes. True/False? 3. Which of the following is not a standard TrustedBSD policy module? A) TMSafetyNet B) Sandbox C) Quarantine D) AppleEvents 4. Which feature of Mac is similar to Windows run keys? A) Launch Agents B) Spotlight C) Service Indexes D) Application Preloads 5. 
The NSCreateObjectFileImageFromMemory API facilitates which of the following anti-forensics techniques? A) Hiding a library from a process' list of libraries B) Process hollowing C) API hooking D) Reconstructed library injection 6. To answer the following questions, analyze mac-sample-2.bin with the provided 10.9.3 profile. There is a kernel rootkit installed that you must find and track. A) What is the name of the kernel rootkit? B) How does it hook the system? C) What is the address of the kernel module in memory? D) Extract the kernel module E) What is the MD5 hash of the extracted module? ---------------------------------------------------------------------- Chapter 31: Tracking User Activity ---------------------------------------------------------------------- 1. The Mac default login keychain only holds the password of the user. True/False? 2. Each password inside a keychain is encrypted with a different key and must be opened separately. True/False? 3. Which of the following plugins enables rapid development of new application-specific analysis plugins? A) mac_pslist B) mac_proc_maps C) mac_yarascan D) mac_lsof 4. How does Volatility recover clear-text OTR messages? A) It finds remnant session keys then attempts to decrypt all recovered encrypted messages B) It finds the clear-text messages displayed to the user through the chat window C) It finds the data structures that hold clear-text messages after they are sent on the wire D) It finds encryption keys in memory then applies them to encrypted messages stored in PCAP files 5. To answer the following questions analyze mac-sample-3.bin using the provided 10.9.3 profile. In this sample a user is logged into an email account using the Apple Mail client. A) What is the user account configured for the Apple Mail client to use? B) Which account did the person send an email to and receive a reply from? C) What time was the email sent? D) What is (was) the password to the Gmail account? 
E) How many emails did the user send? 6. To answer the following questions analyze mac-sample-4.bin using the provided 10.9.3 profile. A) Which messages were being written in the Notes application? B) Create a plugin that can automatically find messages within the address space of the TextEdit application. Use this plugin to recover the messages being typed by