Experience in digital forensic field. Please see detailed instructions in the attachments; you will need FTK tools to analyze the data.


CMIT 424: Digital Forensics Analysis and Application

Lab 6: Analysis of Internet and Network Activity Introduction

Before you begin your analysis of Internet and network activity, you should review the following readings about tools and techniques that can be used to reconstruct Internet activity.


  1. Oh, J., Lee, S., & Lee, S. (2011). Advanced evidence collection and analysis of web browser activity. Digital Investigation, 8, S62–S70. Read the original paper and review the DFRWS 2011 conference presentation.

  2. FTK User Guide (access the PDF file from the FTK help menu)

  • Chapter 19: Examining Email

  • Chapter 22: Examining Miscellaneous Evidence: Examining Internet Artifact Data

  • Chapter 25: Searching with Indexed Search

  3. Wireshark User Guide (access the help file from the Wireshark help menu)

  • Chapter 6: Working with Captured Packets


Note: The version of FTK that has been licensed for student use in the VDA does not include the Visualization component. You may, however, find useful pointers, charts, and techniques for generating activity charts and timelines in the FTK User Guide's chapters on visualization.

Lab 6 Scenario and Case Questions

A laptop and several USB drives from the offices of Practical Applied Gaming Solutions, Inc., have been sent to your lab for analysis. This laptop was returned to the company by a former employee several weeks after the employee's unexpected resignation. A single USB drive was found in a deep pocket in the laptop carrying case.


During case triage, it was determined that VMware was installed on the laptop. Several folders containing virtual machines were also found. A forensic image (E01 format) was created from each of the virtual disks (VMDK files) by a forensic technician using FTK Imager. You have been asked to contribute to the investigation by reconstructing the usage of one of the virtual machines from the contents of the associated VMDK file. The chain-of-custody log states that this file contains an image of a Windows 7 system disk. You were also given an E01 image from the USB drive that was found in the laptop carrying case.


The lead investigator has asked you to address the following case questions about Internet artifacts and usage history.


  1. What web browsers and other Internet applications were loaded and available for use in the VM?

  2. Who used the web browsers and Internet applications? (More than one user?)

  3. What websites or IP addresses were accessed by users of the VM? Are any of these network hosts blacklisted or otherwise suspicious in nature?

  4. Was the VM used to send or receive electronic mail messages? What information was contained in these messages? Who were the recipients?

  5. Are there indications of an intent to hide or obscure Internet activity and/or other uses of the VM?

  6. Are there indications of an intent to use the VM to facilitate illegal or unethical behavior? (Unethical includes actions that are contrary to the employer's best interests or that violate the company's Acceptable Use Policy while using company resources, such as the laptop on which the VM was found.)

Lab 6 Overview

In this lab you will search for and recover Internet usage information from one or more forensic images and one or more packet capture (PCAP) files as provided by your instructor. Your focus should be upon finding and documenting answers to the case questions as provided in the lab scenario. Your presentation of your findings should be succinct. This means that you will need to apply your best judgment as to which information should be included in your report and which information should be omitted.

Note: in your reports and tables you should clearly identify which items were found in which evidence files.

The lab scenario and case questions are your starting point for this investigation. You must develop and execute your own strategy and procedure for conducting the required forensic examination. At a minimum, you should perform the following tasks:

  • Document the system configuration for the virtual machine using registry files (computer name, operating system name, operating system version, and installation date, at a minimum).

  • Analyze Windows registry files to find information related to Internet activity (including the IP address of the target computer).

  • Find and analyze artifacts related to or containing electronic mail messages.

  • Analyze the contents of the web-browsing histories and file caches for each of the installed web browsers. Your analysis should include (a) visited web pages, (b) searches and search terms, and (c) downloaded files.

  • Using Internet tools such as WhoIS (http://www.who.is), determine the ownership and registration information for suspicious websites or domain names found in the browsing history, browser cache, or packet capture files.

  • Using Wireshark, analyze the packet capture streams (pcap or pcapng files) found in the forensic image. Identify URLs, IP addresses, and domain names that were accessed.

  • Construct a timeline showing significant Internet activity. Pay special attention to any timeline anomalies that may be present in the forensic image.
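The packet-capture and timeline tasks above are normally done in Wireshark. As an added example (not part of the lab materials or of the FTK/Wireshark tooling), the following standard-library Python script shows what that analysis has to extract from a classic pcap: the DNS query names, HTTP request hosts and URLs, the source MAC and destination IPs, plus a timestamp-sorted timeline and a hash of the evidence file for the chain-of-custody notes. The capture it parses is constructed inline; the MAC addresses, the 192.168.153.x and 203.0.113.10 addresses and the example.test names are placeholders, not values from the lab image.

```python
"""Extract Internet-activity indicators and a timeline from a classic pcap.

Added example, standard library only, so it runs offline. The capture is
CONSTRUCTED in build_sample_pcap(); addresses, MACs and domain names are
placeholders (assumed), not evidence from the lab image.
"""
import hashlib
import struct
from datetime import datetime, timezone


# ---- builders for the constructed capture (Ethernet / IPv4 / UDP / TCP) ----
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def _ipv4(src, dst, proto, payload):
    # Header checksum left as 0: the parser below does not validate it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):
    # data offset = 5 words (0x50), flags PSH|ACK (0x18)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload

def _dns_query(name):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0) + labels + struct.pack("!HH", 1, 1)

def build_sample_pcap():
    """CONSTRUCTED capture: one VM talking to a resolver and two web hosts."""
    vm_mac, gw_mac = "00:0c:29:aa:bb:cc", "00:50:56:c0:00:08"          # assumed
    vm_ip, dns_ip, web_ip = "192.168.153.130", "192.168.153.2", "203.0.113.10"

    def eth(payload):
        return _mac(gw_mac) + _mac(vm_mac) + b"\x08\x00" + payload

    dns = eth(_ipv4(vm_ip, dns_ip, 17, _udp(51234, 53, _dns_query("example.test"))))
    get1 = eth(_ipv4(vm_ip, web_ip, 6, _tcp(51235, 80,
               b"GET /download/tool.zip HTTP/1.1\r\nHost: example.test\r\n\r\n")))
    get2 = eth(_ipv4(vm_ip, web_ip, 6, _tcp(51236, 80,
               b"GET / HTTP/1.1\r\nHost: updates.example.test\r\n\r\n")))
    # Records deliberately out of time order: get2 happened first but was written last.
    records = [(1430000000, 0, dns), (1430000000, 450000, get1), (1429999990, 0, get2)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# ---- parser ----
def _dns_name(msg):
    """Return the first question name of a DNS message, or None."""
    labels, pos = [], 12
    while pos < len(msg):
        n = msg[pos]
        if n == 0:
            break
        if n & 0xC0:                      # compression pointer; not expected in a question
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels) or None

def _http_url(payload):
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, path = head[0].split(" ")[:2]
    host = next((h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")), "?")
    return f"{method} http://{host}{path}"

def _parse_frame(ts, frame):
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 over Ethernet only
        return []
    ihl = (frame[14] & 0x0F) * 4
    l4 = frame[14 + ihl:]
    base = {"time": ts, "src_mac": frame[6:12].hex(":"),
            "src_ip": ".".join(map(str, frame[26:30])),
            "dst_ip": ".".join(map(str, frame[30:34]))}
    proto = frame[23]
    if proto == 17 and len(l4) >= 8 and struct.unpack_from("!H", l4, 2)[0] == 53:
        name = _dns_name(l4[8:])
        return [dict(base, kind="dns_query", value=name)] if name else []
    if proto == 6 and len(l4) >= 20:
        payload = l4[(l4[12] >> 4) * 4:]
        if payload[:4] in (b"GET ", b"POST"):
            return [dict(base, kind="http_request", value=_http_url(payload))]
    return []

def parse_pcap(data):
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap (pcapng needs a different reader)")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    events, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        ts = datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc)
        events += _parse_frame(ts, data[off:off + incl])
        off += incl
    return events

def timeline(events):
    """Sort by capture timestamp; pcap record order is not guaranteed to be chronological."""
    return sorted(events, key=lambda e: e["time"])

def indicators(events):
    """Summary-table material: source MACs, destination IPs, domains (DNS names + HTTP hosts)."""
    hosts = {e["value"] if e["kind"] == "dns_query" else e["value"].split("/")[2] for e in events}
    return {"macs": sorted({e["src_mac"] for e in events}),
            "ips": sorted({e["dst_ip"] for e in events}),
            "domains": sorted(hosts)}

def evidence_hash(data):
    """Hash each evidence file before and after analysis and record it in the memo."""
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    pcap = build_sample_pcap()
    print("sha256:", evidence_hash(pcap))
    for e in timeline(parse_pcap(pcap)):
        print(e["time"].isoformat(), e["src_ip"], "->", e["dst_ip"], e["kind"], e["value"])
    print(indicators(parse_pcap(pcap)))
```

The same values are what the Wireshark filters `dns.flags.response == 0`, `http.request` and the Statistics > Endpoints view give you on the real capture; the point of the script is that the timeline must be sorted on the capture timestamps rather than on record order, and that every evidence file should be hashed before you start reading it.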

You will find that a large number of files in the forensic image have been wiped (contents set to 0x00). The contents of these files are not important to this lab and the wiping should not be reported as part of your examination. The directory information (file names and create/modify/access dates) for all files, including those that were wiped, is correct and accurately reflects system usage. The directory information is important to this lab and should be used in your analysis.

You are expected to use appropriate tools and techniques during your analysis of the provided files. Document your processes, procedures, and findings using a memo format report (five pages maximum). Provide your timeline of Internet usage (table format) and your analysis summary tables as attachments to your memo. The tables are not included in the maximum page count but you should include only the information necessary to explain or support your findings.

Required Software
  • Forensic Toolkit (FTK)

  • FTK Registry Viewer

  • MS Excel (or equivalent spreadsheet application)

  • Wireshark

Deliverables
  1. Incident Investigation Summary Report: a memo-format report summarizing answers to the case questions and providing documentation as to the tools, techniques, and procedures used in this lab.

  2. Your report should include high-level analysis summaries in table format for:

    1. network activity (MAC addresses, IP addresses, domain names, etc.)

    2. email and webmail

    3. web browsing history

    4. ownership/registration information for suspicious websites or domain names

    5. names and contents of suspicious files

    6. timeline for Internet and Network Activity


Note: Your “high level summaries” of your analysis results should be *summaries* not a compendium of every piece of information found in the image. Focus on providing data which provides support to your answers to the case questions. Irrelevant information should not be included.

Grading for Lab Deliverables
  1. Incident Investigation Summary Report 50%

    1. Overview 15%

    2. Findings & Answers to Case Questions 15%

    3. Description of Analysis & Processing 15%

    4. Evidence Handling (including use of hash values) 5%

  2. High Level Summaries (attachments or internal to memo) 35%

    1. network activity (MAC addresses, IP addresses, domain names, etc.)

    2. email and webmail

    3. web browsing history

    4. ownership/registration information for suspicious websites or domain names

    5. names and contents of suspicious files

    6. timeline for Internet and Network Activity

  3. Professionalism 15% (formatting, grammar, spelling, punctuation, etc.)


Lab 6 Outcomes

The following lists the Lab 6 outcomes and the course outcomes to which they map (the original two-column table is shown here as two lists).

Lab 6 Outcomes

  • analyze and interpret network and Internet activity

  • identify and document processing issues

  • analyze and interpret recovered data

  • prepare brief report summarizing findings

Course Outcomes for Lab 6

  • apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital artifacts

  • select and apply the most appropriate methodology to extract data based on circumstances and reassemble artifacts from data fragments

  • analyze and interpret data collected and report outcomes in accordance with incident response handling guidelines

Copyright © 2015 by University of Maryland University College. All Rights Reserved.