

Password Cracking and Encryption

Lab 4


Notes:

  • All answers must be in complete sentences for full credit.

  • Reminder: Experiment with these tools in the classroom lab, VMWare or on your own personal machine. Use of these tools outside this lab is not sanctioned and may be in violation of policy or law.

Objective:
The purpose of this exercise is to give you more experience with Windows forensics by having you examine the Internet History, analyze the Windows Registry, and work with the Recycle Bin and Event Logs.

Software to Install:

  • SSH (Secure Shell)

    • Download and install PuTTY SSH (Secure Shell) from: https://its.gmu.edu/knowledge-base/how-to-install-putty-ssh-for-windows/

    • You may need to use VPN if you are trying to access the account from a non-GMU network (https://its.gmu.edu/service/virtual-private-network-vpn/)

  • John the Ripper

    • Go to: http://www.openwall.com/john/ and download the Windows version of John the Ripper (directions are written for version 1.7.9 - if you install a different version you will need to adjust your commands to match the version you download)

    • Important: Save it to the desktop

    • Don’t unzip until you disable your antivirus!

    • How to disable Windows Defender:

      • https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10

      • https://support.microsoft.com/en-us/help/4027187/windows-turn-off-windows-defender-antivirus

  • AxCrypt

    • Go to: https://www.axcrypt.net/

    • Download the current version: https://www.axcrypt.net/download/

    • Install with the Default Settings (Note: You may need to register for a trial account at https://account.axcrypt.net/en/Home/Register)

  • PSTools

    • Download PSTools: https://pstools.en.softonic.com/

Preparation:

  • Log in as the administrator account/local PC on the computer.

Note: Basic Unix/Linux

  • Note: in the exercises below '>' is the Unix prompt (which may be a different character on your screen).

  • Don’t type the prompt.

  • Also, be careful with spaces.

  • You may need to use the Delete key instead of Backspace. Control-U can be used to erase a whole line.

  • Unix is case sensitive. The general format is:

>command filename

or:

>command -switch filename

(A switch is a way to modify a command.)

Secure Shell Client

  • Download and install SSH (Secure Shell) from: http://itservices.gmu.edu/downloads/

  • Go to: https://itservices.gmu.edu/services/view-service.cfm?customel_dataPageID_4609=7459 and view the “How to Get this Service” section if you need help setting up your account.

  • You may need to login through VPN first (https://its.gmu.edu/service/virtual-private-network-vpn/)

  • Launch SSH, choose Quick Connect.

  • The Host Name is mason.gmu.edu.

  • Log in to your mason account. (Leave the port number set at the default, 22.)

  • You can choose Yes and OK to the initial screens that appear at login.

  • Note: It will not show that you are typing your password when you are at the password prompt. Type your password and hit enter.

  1. cat, more, man commands

  • man is a Unix command that displays the help (manual) page for another command.

  • In SSH, type man cat and man more to find out what these commands do.

  • (Press q to get out of man.)

  2. .login file

  • The .login file contains settings that are executed when you log in.

  • We will have you use a very simple editor called pico to edit this file to change your system prompt and create an alias:

>pico .login

  • Use the arrow keys to move down to the bottom of the file.

  • Add these two lines to the file, each on a separate line:

set prompt='yourname>'

alias logut logout

  • Then type Ctrl-X (press x while holding down the CTRL key) to exit, y to save changes, press enter to confirm the filename .login.

  • Your changes won’t take effect until you log in again, so log out and log in again to test them. You should see your new command line prompt and you should be able to type logut (a common typo) to logout.

  3. Practice chmod and ls

  • Type:

>ls -l

  • Then type:

>ls -al

  • What is the difference? Use pico to create a file called temp. Type:

>chmod a-w temp

  • What did that do? Try to delete the file with:

>rm temp

  • Did it work? How can you fix this so that you can delete the file?

  • View password file:

>more /etc/passwd

  • What information is in this file? How might this information be misused?

  • Answer questions 1-5.

Cracking Unix Passwords

You will have to disable Windows Defender or Symantec AntiVirus auto-protect (or whatever anti-virus you are running) before you can run the software… If you are not in VMWare, I suggest disabling the internet connection while you do this.

How to disable Windows Defender:

https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10

https://support.microsoft.com/en-us/help/4027187/windows-turn-off-windows-defender-antivirus

Disable Symantec:

Start->Programs->Symantec Client Security->Symantec AntiVirus->Configure->File System Auto-Protect->Deselect the check box to disable->OK.

Or:

Start->Programs-> Symantec Endpoint Protection

  • Click on each option button and disable

  • Click on the Antivirus & Antispyware Protection button, click Change Settings, then File System Auto-Protect, and uncheck “Enable File System Auto-Protect”.

Weak Passwords:

  • Blank (no password)

  • The word 'password'

  • The user's name or login name or the name of spouse or child

  • Birthplace, date of birth, anniversary

  • A pet's name or license plate number

  • Rows of keys on the keyboard: qwerty

Stronger Passwords:

Use at least 8 characters and combine alpha and non-alphanumeric characters. Avoid dictionary words or proper names in any language.

  • 4sa7ya0f (Gettysburg address incipit)

  • Patr10t&
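The weak/strong password rules above can be turned into a mechanical check. The script below is an added example, not part of the lab handout: `password_ok` and `check_all` are hypothetical helper functions, and SAMPLE_WORDLIST is a constructed stand-in for a wordlist such as password.lst. The "combine alpha and non-alphanumeric characters" rule is read here as "at least one letter and at least one character that is not a letter", which is the reading under which both of the handout's examples (4sa7ya0f and Patr10t&) pass.

```shell
#!/bin/sh
# Added example: checks a candidate password against the handout's rules.
# Hypothetical helper functions, not part of the lab materials.

# Constructed stand-in for a wordlist such as password.lst (not the lab's file).
SAMPLE_WORDLIST='password
qwerty
letmein
patriot
gettysburg'

# password_ok PASSWORD [LOGINNAME]
# Returns 0 when PASSWORD passes every rule, 1 on the first rule it fails:
#   1. at least 8 characters
#   2. at least one letter and at least one non-letter
#   3. not a word from the wordlist (case-insensitive)
#   4. not the user's own login name (case-insensitive)
password_ok() {
  pw=$1
  login=${2:-}

  # Rule 1: length (${#pw} is the POSIX string-length expansion)
  [ "${#pw}" -ge 8 ] || return 1

  # Rule 2: must contain a letter and at least one non-letter
  printf '%s' "$pw" | grep -q '[A-Za-z]'  || return 1
  printf '%s' "$pw" | grep -q '[^A-Za-z]' || return 1

  # Rule 3: not a dictionary word. -x matches the whole line, -i ignores
  # case, -F treats the password as a fixed string so characters such as
  # '*' or '.' are not interpreted as a regular expression, and -- keeps a
  # password beginning with '-' from being parsed as an option.
  if printf '%s\n' "$SAMPLE_WORDLIST" | grep -qixF -- "$pw"; then
    return 1
  fi

  # Rule 4: not the login name itself
  if [ -n "$login" ]; then
    lower_pw=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    lower_login=$(printf '%s' "$login" | tr 'A-Z' 'a-z')
    [ "$lower_pw" != "$lower_login" ] || return 1
  fi
  return 0
}

# Prints a verdict for each candidate given on the command line.
check_all() {
  for candidate in "$@"; do
    if password_ok "$candidate"; then
      printf '%-12s OK\n' "$candidate"
    else
      printf '%-12s WEAK\n' "$candidate"
    fi
  done
}

# Usage: the handout's two strong examples and several weak ones.
check_all 'Patr10t&' '4sa7ya0f' 'password' 'qwerty' 'Gettysburg'
```

Note that rule 3 only catches exact wordlist entries: "Password1" passes even though a cracker's rule set would try that variation first, which is why the handout recommends avoiding dictionary words altogether rather than decorating them.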

On Linux/Unix systems, the account file is usually /etc/passwd.

This file contains the login name and information about the login account. This file is readable since many programs depend on it. The actual password is stored, encrypted, in a separate file called the shadow file.

Forensic examiners and system administrators will want to check this file for new, unauthorized accounts. Upon breaking into a system, an attacker will often create new accounts (often with blank passwords) for his/her own use.

For this exercise, we have created a shadow file and stored 3 passwords in it. Your job will be to crack as many passwords as you can. Two of the passwords are weak; the third is a strong password.
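The checks an examiner performs on /etc/passwd and the shadow file (described in the two paragraphs above) can be scripted. The following is an added example, not part of the lab handout and not the lab's shadow file: `extra_uid0`, `not_shadowed`, `blank_password` and `new_accounts` are hypothetical helper functions, and SAMPLE_PASSWD, SAMPLE_SHADOW and BASELINE are constructed data. The field layouts are the standard ones (passwd: name:password:UID:GID:comment:home:shell; shadow: name:hash:lastchg:min:max:warn:inactive:expire:reserved).

```shell
#!/bin/sh
# Added example: audits passwd/shadow contents for the signs a forensic
# examiner looks for (extra UID-0 accounts, non-shadowed hashes, blank
# passwords, accounts missing from a known baseline). Hypothetical helpers,
# not part of the lab materials; all sample data below is constructed.

# Constructed /etc/passwd content. Fields: name:pw:UID:GID:comment:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
sysupd:x:0:0::/tmp:/bin/sh
legacy:$1$salt$legacyhash:1001:1001::/home/legacy:/bin/sh'

# Constructed shadow content. Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$salt$roothash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$salt$alicehash:18000:0:99999:7:::
sysupd::18000:0:99999:7:::
legacy:!:18000:0:99999:7:::'

# Constructed baseline: account names the examiner knows were present before.
BASELINE='root
daemon
alice'

# Accounts with UID 0 other than root: an extra superuser account.
extra_uid0() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose passwd password field is not the "x" placeholder: the hash
# (or an empty password) sits in the world-readable file instead of shadow.
not_shadowed() {
  printf '%s\n' "$1" | awk -F: '$2 != "x" { print $1 }'
}

# Accounts whose shadow hash field is empty: login without any password.
# ("*" or a leading "!" means the account is locked, which is not a finding.)
blank_password() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts present in the passwd content ($1) but absent from the baseline
# name list ($2): candidates for accounts created after the baseline.
new_accounts() {
  baseline=$2
  printf '%s\n' "$1" | awk -F: '{ print $1 }' | while IFS= read -r name; do
    printf '%s\n' "$baseline" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

# Runs every check over a passwd/shadow pair and prints a labelled report.
audit_accounts() {
  printf 'UID 0 accounts other than root:\n%s\n\n' "$(extra_uid0 "$1")"
  printf 'Accounts not using the shadow file:\n%s\n\n' "$(not_shadowed "$1")"
  printf 'Accounts with a blank password:\n%s\n\n' "$(blank_password "$2")"
  printf 'Accounts not in the baseline:\n%s\n' "$(new_accounts "$1" "$3")"
}

# Usage with the constructed samples; on a real system the same functions
# take "$(cat /etc/passwd)" and, as root, "$(cat /etc/shadow)".
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$BASELINE"
```

In the sample, the account sysupd is flagged three times (UID 0, blank password, not in the baseline), which is exactly the pattern the paragraph above describes; legacy is flagged for carrying its hash in the readable passwd file, a configuration that makes the hash available to anyone who can run more /etc/passwd.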


John the Ripper:

  • Go to: http://www.openwall.com/john/ and download the Windows version of John the Ripper. Important: Save it to the desktop.

  • Locate and right-click the John179w2 folder. (Note: if you downloaded a version other than 1.7.9, this file path may be different)

  • Extract all zipped files if they don’t extract automatically. The files we will be using will be in: john179\run (Note: if you downloaded a version other than 1.7.9, this file path may be different)

  • Log in to Blackboard, then locate and download the shadow file and password files.

  • Copy and paste the files into the john179\run folder. Important: Click OK to overwrite the password.lst file.

  • Open your command prompt (Go to Start->Run. Type: command)

  • Type: cd Desktop\john179\run

    • Verify this is the correct filepath. Note: if you downloaded a version other than 1.7.9, this file path may be different.

  • Type: john-omp --wordlist=password.lst shadow.txt

  • Two passwords will be revealed, with account names in parentheses. Record them on the last page. Type exit to close the command line window.

***If you get an error here, your anti-virus software was not disabled and it quarantined the john-omp.exe file. Disable the anti-virus, unzip John the Ripper again and start this section over.

Ophcrack:

  • Go to the websites below and read/watch the tutorials.

    • http://www.wikihow.com/Crack-Windows-Passwords-With-Ophcrack-and-Rainbow-Tables

    • https://www.youtube.com/watch?v=x4WfTdlmwyY

  • After rebooting, you will need to disable Symantec Autoprotect again.

  • Answer questions 6-10.

Other Good Tools…

  • AccessData Password Recovery Toolkit and AccessData DNA software are great tools.

  • The Demo versions are pretty limited, but try them out when you have some free time!

  • http://www.accessdata.com/support/product-downloads#.UdHeKNjzA_I


Encryption using AxCrypt:

  • Install AxCrypt

  • Create a folder called TEST

  • Create a word document called TEST.docx and place it inside the test folder

  • Right-click on the TEST folder, go to AxCrypt, then Encrypt

  • Enter a passphrase and click ok

  • Open FTK Imager

    • Add Evidence Item – Contents of a Folder

    • Select your test folder

    • Expand the view so you can see the file contents. Include a screenshot for question 14.

    • From the evidence tree, try to export/open the file. What happens? Answer question 15.

  • Go back to the test folder.

  • Right-click on the TEST folder, go to AxCrypt, then Decrypt

  • Enter a passphrase and click ok

  • Open FTK Imager

    • Remove your previous evidence item.

    • Add Evidence Item – Contents of a Folder

    • Select your test folder

    • Expand the view so you can see the file contents. Include a screenshot for question 16.

    • From the evidence tree, try to export/open the file. What happens? Answer question 17.


PSTools:

  • Download PSTools from Blackboard

  • Extract PSTools and save it to your desktop

  • Go to the cmd prompt, change directory to your desktop, then to the PSTools folder

  • Type in pslist

    • This will give you a list of the current processes running

  • You should see an entry for AxCrypt


©2007 Anne Marchant, with contributions by Rebecca Pollard, updated 2017