LEVEL 1 EXAM
ACPO Principles
ACPO Principle 1
No action taken by law enforcement agencies or their agents should change data
held on a computer or storage media which may subsequently be relied upon in
court.
ACPO Principle 2
Where a person finds it necessary to access original data held on a digital device,
that person must be competent to do so, and able to explain their actions and
the implications of those actions on the digital evidence to a Court.
ACPO Principle 3
An audit trail or other record of all processes applied to computer-based electronic
evidence should be created and preserved. An independent third party should be
able to examine those processes and achieve the same result.
ACPO Principle 4
The individual that is leading the investigation has the overall responsibility to
ensure that the ACPO principles are followed throughout the investigation.
Chain of Custody
A crucial process to ensure that all of the evidence collected in a case has not been
tampered with by an unauthorized individual and that the original evidence remains
unchanged.
Types of Evidence Destruction
- degaussing
- file shredding
- physical shredding
END OF PAGE 1
SECURITY BLUE TEAM LATEST LEVEL 1 EXAM
- hydraulic crusher
- overwriting
LNK Files
Used by the Windows OS to link one file to another; this is how application
shortcuts work as redirectors.
They contain valuable metadata such as:
- location of folder it's linked to
- date file was created
- date file was modified
- date file was last accessed
- file size
Found at: C:\Users\$USER$\AppData\Roaming\Microsoft\Windows\Recent
Analysis: View files using Windows File Analyzer
Prefetch Files
Provide useful information about programs, including:
- name of application
- path to the executable file
- when program was last run
- when program was created/installed
Found at: C:\Windows\Prefetch
Analysis: View files using Prefetch Explorer Command Line
Jump List Files
Contain information about applications that are pinned to the taskbar, such as:
- file path
- timestamps
- application identifiers (AppIDs)
Two different types: automaticDestinations-ms and customDestinations-ms
Found at: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Analysis: View files using JumpList Explorer
Windows Logon Events
Event IDs
- 4624 (Successful Logon)
- 4672 (Special Logon)
- 4625 (Failed Logon)
- 4634 (Logoff)
Found at: C:\Windows\System32\winevt\Logs\Security
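Added example, not part of the course notes: a small Python triage over constructed, simplified log lines that tallies the four event IDs listed above per user and flags a successful logon (4624) that follows a run of failed logons (4625). The one-line "timestamp eventid user" format is an assumption for illustration; real Security logs are .evtx files and need a proper parser before this logic applies.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real Security.evtx records), assumed format:
# <timestamp> <EventID> <TargetUserName>, in chronological order.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4625 alice
2024-05-01T09:00:03 4625 alice
2024-05-01T09:00:05 4625 alice
2024-05-01T09:00:09 4624 alice
2024-05-01T09:00:10 4672 alice
2024-05-01T10:15:00 4624 bob
2024-05-01T11:30:00 4634 bob
""".splitlines()

# The logon-related event IDs from the notes above.
LOGON_EVENTS = {4624: "Successful Logon", 4672: "Special Logon",
                4625: "Failed Logon", 4634: "Logoff"}

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(\S+)$")

def parse_events(lines):
    """Return (timestamp, event_id, user) tuples for lines with a known logon ID."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        ts, eid, user = m.group(1), int(m.group(2)), m.group(3)
        if eid in LOGON_EVENTS:
            events.append((ts, eid, user))
    return events

def summarize(events):
    """Count each logon event type per user, e.g. {'bob': {'Logoff': 1, ...}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, eid, user in events:
        counts[user][LOGON_EVENTS[eid]] += 1
    return {user: dict(c) for user, c in counts.items()}

def successes_after_failures(events, threshold=3):
    """Flag (user, failures, timestamp) where a 4624 follows >= threshold 4625s.
    4672 and 4634 do not reset the streak; only a 4624 does."""
    streak, flagged = defaultdict(int), []
    for ts, eid, user in events:
        if eid == 4625:
            streak[user] += 1
        elif eid == 4624:
            if streak[user] >= threshold:
                flagged.append((user, streak[user], ts))
            streak[user] = 0
    return flagged
```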
Recycle Bin
A system folder designed to temporarily store deleted files and folders before they
are permanently removed from the computer's hard drive or storage device.