M6-110 WIN OS ARTIFACTS & PROCESSES


WinOS Artifacts & Processes Quiz

Test your knowledge on Windows Operating System artifacts and processes with our comprehensive quiz! This quiz features 20 challenging questions designed for those interested in digital forensics and incident response.

  • Explore various aspects of Windows OS.
  • Learn about NTFS, timestamps, and logging.
  • Assess your understanding of process persistence and more!
20 Questions | 5 Minutes | Created by ExaminingTree457
What word does each letter of the PUFNTALR acronym represent? (write the single word only)
PROCESSES, USERS, FILES, NETWORK, TASKS, ACCOUNTS, LOGS, REGISTRY
PROCESSES, USERS, FILES, NETWORK, TIME, ACCOUNTS, LOGS, REGISTRY
PARTITION, USERS, FILES, NETWORK, TASKS, ACCOUNTS, LOGS, REGISTRY
WinOS employs several files/utilities intended to enhance performance and/or recovery, and these can also assist an investigator in finding evidence of attacker activities, even though the attacker may have tried to destroy such evidence. Which of these was not an example of one of these specifically named utilities?
The cad-cache
Prefetch files
LNK files
Jump lists
Which statement is false regarding a WinOS NTFS MFT record?
The $DATA field of an MFT record can contain an entire file
The four elements of an MFT record are: Record Header, $SI, $FN, and $DATA.
ADSs provide a way to "hide" data within an MFT record.
MACE timestamps are found only in the $SI field
Which statement is true regarding WinOS MACE timestamps?
Times in the Master time catalog record are the most easily modifiable by an attacker.
Tools exist to time-stomp timestamps in the $SI field of an MFT record.
Time-stomper is an attacker tool used to change the system clock time.
Any time changes made to the $FN are automatically made to the $SI as well.
It is noteworthy with regard to WinOS logging, that add-on AV and IPS (i.e., security tools) often log to the WinOS' _______________ log, rather than (or in addition to) their own logs.
Security
Application
Audit
System
When the $SI and $FN timestamps differ significantly for a suspect file or directory, what should the investigator do?
Assign more credibility to those found in the $FN
Assign more credibility to those found in the $SI
Ignore both, and—instead—refer to the timestamps in the Record Header of the MFT record.
Assume both have been "stomped", and average them for a "best estimate" attempt.
Which element of a WinOS log entry is most useful for "cross-referencing" with online research resources?
LID
PID
SID
EID
When the file named Notes.txt is deleted in the newer versions of WinOS,…
The file will be named $Notes.txt in the recycle bin
Both Notes.txt and a hash of Notes.txt will be stored in the recycle bin.
The original file and its metadata will be stored to a single file in the recycle bin
The file will be represented by two files in the recycle bin, the $R and the $I
Which command/utility is most directly associated with WinOS task scheduling?
Evtvwr
At
Cron
Nc
Our course text (IR&CF3e) indicated a "top six" list of log events to look for; which of these is not one of them? (Hint: you likely did not memorize these, so just use your practical judgment)
Track all changes made to the Registry
Track alteration to the audit policy.
Track changes to user permissions.
Track the creation, starting, and stopping times of system services.
What was the $1,000,000 ($10^6) question presented in this section?
Figuring out which of the PUFNTALR artifacts to investigate next.
How to correlate logged events with what actually occurred during an incident
How to reverse engineer a given process to truly know what it does.
Knowing whether each process running on a system is "legitimate" or not.
What is a very well-known project that provides a resource of known-good and known-bad hash references?
JIMS
AVCentral
NSRL
MitreCVE
Which of these is not one of the four main WinOS process persistence methods mentioned in this section?
Malware masquerading as a WinOS service
Malware being set to run as a scheduled task
Malware changing Registry keys/values (e.g., setting to autorun)
Malware assigns itself a very high base priority value
Malware path is in a startup folder
How many of the 19 rogue process checks enumerated in Carnegie Mellon's First Responder Guide can you remember?
What was the (very useful) information provided by fport?
PID + process name
PID + process name + port using
PID + process name + port using + path (to executable)
PID + process name + port using + path (to executable) + NSRL hash check
Which of these terms is used to express the "lineage" (aka parent-child relationship) between processes?
Process tree
Process hierarchy
Execution linked-list
Execution sequence
Which command would provide a list of open files that are associated with a given process?
Netstat.exe
Handle.exe
Pslist.exe
Listdlls.exe
In which WinOS directory names are you likely to find Jump lists or LNK files (i.e., where are many of these MRU-type resources located)?
Recent
Cache
Shortcuts
System32
Which of these could the IR investigator not learn from a WinOS prefetch file?
That a given program ran (even if that program no longer exists on the system).
When a program ran
How many times a program ran.
The PID assigned to the program
Other files/programs opened/launched by a program
Which of these netstat output details is least likely to arouse your IR responder suspicion when investigating a client workstation?
A known (often-used) Trojan port in a listening state
An established TCP connection, when no network applications are running
An established connection on a loopback address (127.*.*.*)
A well-known service port (e.g., port 53) open in listening state