Forensic Imaging and Windows - Lab 2
Notes:
All labs should be completed in VMWare to prevent unintentional damage to your system. Lab tools are for Windows and will not run on Mac systems unless you are in your VMWare setup.
All answers must be in complete sentences for full credit.
For this lab, use the smallest thumb drive you can… the larger it is, the longer your lab will take.
Objective:
The purpose of this exercise is to give you experience with some basic disk and file recovery operations and introduce you to some basics of Windows forensics.
Terms:
boot: short for “bootstrap.” This is the startup process. A “cold boot” is from the power off to power on state. A “warm boot” is a restart that simply reloads the operating system.
data carving: the process of locating files that have been deleted or embedded in other files.
dd image: an exact duplicate, bit for bit, of a file or disk. The term derives from the Unix dd command that is used for this purpose.
driver: a utility program that operates a device such as a printer, scanner, or mouse.
hash: a computed value that can be used to represent the state of a file or disk.
Software to Install:
NOTE: When using these tools, run the program as administrator. To do this, right-click the program and select “Run as administrator”.
FTK (Forensic Toolkit): http://accessdata.com
Download the install from Blackboard (Course Content – Handouts – Software - FTK-Forensic_Toolkit-1.81.6.exe)
Install it, ignoring any error messages that appear
FTK Imager: http://accessdata.com
Download the install from Blackboard (Course Content – Handouts – Software - AccessData_FTK_Imager_3-1-0.exe)
You can use a newer version from the website if you would like. The versions posted on Blackboard are small files that can be easily run from a thumb drive.
Autopsy: https://www.sleuthkit.org/autopsy/
You can use Autopsy in addition to or in place of FTK
WinHex: http://www.winhex.com/winhex/index-m.html
Choose WinHex and download the Demo version
Run setup.exe to install the program
If given the option, run WinHex using the Computer Forensic Interface
Note: X-Ways Forensics is the “forensics” version of this, but there is no demo version available.
“Create Some Evidence”:
Insert a thumb drive (make sure it does not contain any important information)
Open Word
Create a file called test1.doc (or docx) and save it to your thumb drive
In the file, type the word “inculpatory”
Create a file called test2.doc (or docx) and save it to your thumb drive
In the file, type the word “exculpatory”
Using Notepad
Create a file called evidence.txt
In the file type “This is evidence.”
Create a file called hidden_evidence.txt
In the file type “This is hidden evidence.”
Create a file called deleted_evidence.txt
In the file type “This is deleted evidence.”
Open your web browser
Search for a picture of a puppy and save it to your thumb drive
Go to: http://ist.gmu.edu/
Save Page As
Save the complete webpage to your thumb drive
Open your thumb drive from “My Computer”
Right-click and delete:
test2.doc
the picture of the puppy
deleted_evidence.txt
Right-click on hidden_evidence.txt, go to Properties and make it a hidden file
***If you are getting a security error with FTK or Imager, you need to adjust your OS security settings. See this site for an example to fix: https://blog.pcrisk.com/windows/12622-an-administrator-has-blocked-you-from-running-this-app
Creating a Forensic Image with FTK Imager:
(We are now going to treat this disk as evidence. In an actual case, we would be using a hardware write blocker at this point.)
Launch FTK Imager
File-> Create Disk Image
Choose the Physical Drive radio button
Then choose Next-> Select your thumb drive->Finish
Make sure you don’t select the hard drive!
You then need to indicate how and where the drive image will be saved.
Choose Add-> E01 ->Next
Enter the requested information (you can make up the case name, etc.)
Browse and add a new folder called Lab2 to the desktop to save the image to and click OK
Name the image testcase.E01
Choose Finish->Start
When it finishes, record the MD5 and SHA1 hashes (Question 2)
Load the image into Imager if it did not load after creating the image. In the evidence tree, note the structure of the evidence file. What do you see?
File Recovery with FTK
Close the Imager and launch FTK Toolkit
If you get a security or dongle “error,” ignore it and click OK/continue.
Start a new case
In the screens that follow, enter in some sample data as requested (name, case number, address, etc.).
Accept the default logs, processes, and refinements
At the Add Evidence screen, click the Add Evidence button -> Acquired Image of Drive.
Browse and open the image file you created above (testcase.E01)
Enter the time zone (Eastern Time with daylight savings)
Next->Finish.
Go to the Overview tab (include a screenshot for question 3)
Look at the different file item categories
Click on Documents. How many did it find? Did you find the items you created?
Click on Deleted Files. How many did it find? Did you find your deleted items?
Choose the Explore tab and see if you can locate these files
Select your deleted file and then choose File->Export Files…
Browse to locate your Lab2 folder on the desktop to save the recovered file to
Click OK
Use My Computer to confirm that the deleted file was recovered
Verify Hashes with FTK Imager
Open Imager
File->Add Evidence->Image File
Browse to open testcase.E01 ->Open->Finish
Choose File->Verify Drive/Image
It will take a minute or two to verify the drive and compute the hashes (record the hashes for Question 5)
Compare them with the MD5 and SHA1 you recorded earlier. They should match!
Matching hashes show that the image has not been altered since it was acquired
Close Imager. You do not need to save the case.
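The verification step above is just a hash computation over the image followed by a comparison with the values written down at acquisition. The following Python script, an added example and not part of the lab handout or of FTK Imager, does the same thing for a raw (dd-style) image such as practicecase.001, streaming the file so large images fit in memory. One caveat a practitioner should know: for an E01 file, the hash Imager reports covers the acquired data stream, not the .E01 container, so hashing the container file with this script will not match the recorded value; use Imager's Verify Drive/Image (or a tool that understands the E01 format) for those. The sample image and the "recorded" hashes are constructed inside the script.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so multi-GB images do not need to fit in RAM


def hash_image(path):
    """Return the MD5 and SHA1 hex digests of the file at `path`, computed in a single pass."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, recorded):
    """Compare freshly computed hashes with the values recorded at acquisition.

    `recorded` maps "md5" and "sha1" to the hex strings copied from the acquisition
    report. The comparison ignores case and surrounding whitespace, because hashes
    are usually pasted from a report. Returns one boolean per algorithm so a report
    can say exactly which check failed.
    """
    computed = hash_image(path)
    return {alg: computed[alg] == recorded[alg].strip().lower() for alg in computed}


def make_sample_image(contents=b"abc"):
    """Write a tiny constructed stand-in for a raw image file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".001")
    with os.fdopen(fd, "wb") as fh:
        fh.write(contents)
    return path


if __name__ == "__main__":
    image = make_sample_image()
    acquired = hash_image(image)          # the values you would record at acquisition time
    print("acquired:", acquired)
    print("verify (unchanged):", verify_image(image, acquired))
    with open(image, "ab") as fh:         # simulate an accidental change to the image
        fh.write(b"\x00")
    print("verify (after change):", verify_image(image, acquired))
    os.remove(image)
```

Appending a single byte flips both results to False, which is the point of recording two independent hashes: a mismatch in either one is enough to say the image no longer matches what was acquired.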
WinHex
WinHex is a “hex editor.” It allows you to work with disks and files at the binary level. When making a forensic copy, you need to be sure that the media you are copying to is forensically sterile. You need to be able to assure a court that you have not contaminated the evidence in any way.
To erase a disk securely using WinHex:
Tools->Open Disk->E: (click OK) ***or whatever drive letter your thumb drive is mounted as
Note that the demo version of WinHex will not let you complete this operation
Edit->Fill Disk Sectors
You may choose 0x00 or random values. (The DoD standard requires 3 passes)
Exit WinHex
Searching for text using WinHex:
Using “My Computer” locate your test1 file on the thumb drive
Right click and delete it
Reopen WinHex and ask for a new “snapshot” of the disk in the dialog box
Go to:
Search ->Find Text and type in “exculpatory”
Uncheck “match case” and check the option to give you a certain number of search results
Even though the file has been deleted, you can recover this text
To locate any text:
Search ->Text Passages …
If you do not find your text here, try again in FTK.
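WinHex's Find Text works because deleting a file only removes its directory entry; the clusters that held the text are still on the disk until they are reused. The script below is an added example, not code from the lab or from WinHex, showing the same search over a raw image: a case-insensitive scan for a term in both ASCII and UTF-16LE (the two encodings a hex editor normally offers), reporting the byte offset and a little context for each hit. The image bytes are constructed inside the script. It also includes a deflate-compressed copy of a term, which the search does not find: the text inside a .docx is stored compressed inside a ZIP container, so a plain text search of the raw disk will not locate it, which is one reason the handout suggests trying again in FTK.

```python
import re
import zlib

# Constructed stand-in for a raw thumb-drive image: runs of unallocated zeros
# around the remains of three deleted files. Not real evidence.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"This is deleted evidence."            # plain ASCII, as left behind by a .txt file
    + b"\x00" * 300
    + "Exculpatory".encode("utf-16-le")       # 16-bit text, as found in some .doc and registry data
    + b"\x00" * 200
    + zlib.compress(b"inculpatory")           # deflate-compressed, as inside a .docx (ZIP) member
    + b"\x00" * 512
)


def find_text(image, needle, context=16):
    """Case-insensitive search for `needle` in ASCII and UTF-16LE, like a hex editor's Find Text.

    Returns one dict per hit with the encoding, the byte offset and a few bytes of
    surrounding data, so the hit can be located in a hex editor and examined.
    """
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        pattern = re.compile(re.escape(needle.encode(encoding)), re.IGNORECASE)
        for match in pattern.finditer(image):
            start, end = match.start(), match.end()
            hits.append({
                "encoding": encoding,
                "offset": start,
                "context": image[max(0, start - context):end + context],
            })
    return hits


def hit_offsets(image, needle):
    """Only the offsets, convenient for cross-referencing with a hex editor's Go To Offset."""
    return [hit["offset"] for hit in find_text(image, needle)]


if __name__ == "__main__":
    for term in ("deleted evidence", "exculpatory", "inculpatory"):
        hits = find_text(SAMPLE_IMAGE, term)
        print(f"{term!r}: {len(hits)} hit(s)")
        for hit in hits:
            print(f"  {hit['encoding']:>9} @ 0x{hit['offset']:08x}: {hit['context']!r}")
```

The first two terms are found (the ASCII one at offset 520, the UTF-16LE one at 837); the compressed term is not, even though its bytes are present on the "disk". Searching in more encodings costs only another loop iteration, which is why hex editors let you pick several at once.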
In order to erase a file securely:
Note that the demo version of WinHex will not let you complete this operation
Tools->File Tools->Wipe Securely
Choose your test1 file
You may choose 0x00 or random values
Click OK and confirm the deletion
Do this to securely delete your test1 file
Exit WinHex and check the contents of the disk
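Both WinHex operations in this section (Fill Disk Sectors and Wipe Securely) do the same thing at different scales: overwrite every sector with 0x00 or random data, possibly for several passes. The script below is an added example, not code from the lab or from WinHex. It works on an ordinary file standing in for the medium (a hypothetical, constructed sample; WinHex opens the physical disk instead) and adds the check the handout's "forensically sterile" requirement implies: after wiping, read the whole medium back and confirm that every byte is the fill value before trusting it as a destination for evidence.

```python
import os
import secrets
import tempfile

SECTOR = 512  # work in sector-sized chunks, the unit Fill Disk Sectors operates on


def fill_sectors(path, passes=3, final_zero=True):
    """Overwrite every byte of `path` in place, `passes` times.

    Each pass writes random data, except that the last pass writes 0x00 when
    `final_zero` is set, so the medium reads back as all zeros afterwards.
    Each pass is flushed and fsync'd so it really reaches the medium before the
    next one starts. Returns the number of bytes written per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for n in range(passes):
            use_zero = final_zero and n == passes - 1
            fh.seek(0)
            remaining = size
            while remaining:
                chunk = min(SECTOR, remaining)
                fh.write(b"\x00" * chunk if use_zero else secrets.token_bytes(chunk))
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())
    return size


def is_sterile(path, fill=0x00):
    """Read the whole medium back and confirm every byte equals `fill`."""
    expected = bytes([fill]) * SECTOR
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(SECTOR), b""):
            if chunk != expected[:len(chunk)]:
                return False
    return True


def make_sample_medium(contents=b"This is deleted evidence." * 40):
    """Create a constructed file standing in for a small thumb drive and return its path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(contents)
    return path


if __name__ == "__main__":
    medium = make_sample_medium()
    print("sterile before wipe:", is_sterile(medium))
    print("bytes per pass:", fill_sectors(medium, passes=3))
    print("sterile after wipe:", is_sterile(medium))
    os.remove(medium)
```

Two caveats apply to the thumb drive used in this lab. Flash media (and SSDs) remap sectors for wear levelling, so an overwrite issued through the operating system does not necessarily reach every physical cell; the sterility check above only proves what the device reports back, which is why NIST SP 800-88 treats cryptographic erase or the drive's own sanitize command as the reliable route for flash. And wiping a single file only touches that file's current clusters; earlier copies, temporary files and slack space elsewhere on the disk are unaffected, which is exactly what the FTK and WinHex searches in this lab recover.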
Recovering an Image File
Download the Data files for Lab 2 from Blackboard
practicecase.001 is the forensic image.
The accompanying text file contains the hashes and other information about the image.
Launch FTK Toolkit
File->Add evidence -> Acquired Image of Drive
Browse and open the dd image file you downloaded (practicecase.001)
Do the following steps:
What can you find out about this disk image? What is the file system? Hint: Look under “Evidence Type.” (If you don’t see this, select the “Evidence Items button.”)
Click on Total File Items and view the files listed. What type of disk is this? (Hint: what type of file is .sxw? Use Google and find out.) What was in the file evil.sxw?
Is there an image on this disk? Note that it has the extension .sxw (not .jpg/.jpeg). Criminals may try to hide images by renaming them with bogus extensions.
Verify the image and compare the hashes to the hashes in the text file
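A renamed file keeps its content, and most formats begin with a fixed signature (the "magic bytes"), so the extension can be checked against what the first few bytes say the file actually is. The script below is an added example, not code from the lab or from FTK, with a small signature table assumed for the purpose; it reports whether a file's extension agrees with its content, and scans a directory of exported files the same way. The sample files are constructed in memory. The table is deliberately short, so an extension it does not know is reported as a mismatch against the detected content; extend the table for the formats your case involves before relying on the "ok" verdicts.

```python
import os

# Assumed signature table: (magic bytes at offset 0, content type, extensions that match it).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".odt", ".jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {".doc", ".xls", ".ppt"}),
]

KIND_TO_EXTS = {}
for _magic, _kind, _exts in SIGNATURES:
    KIND_TO_EXTS.setdefault(_kind, set()).update(_exts)


def identify(header):
    """Return the content type whose signature the header starts with, or None."""
    for magic, kind, _ in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def check_file(name, header):
    """Compare what the extension claims with what the first bytes show."""
    kind = identify(header)
    ext = os.path.splitext(name)[1].lower()
    if kind is None:
        status = "unrecognised"   # no known signature; inspect by hand or carve
    elif ext in KIND_TO_EXTS[kind]:
        status = "ok"
    else:
        status = "mismatch"       # content is one format, the extension claims another
    return {"name": name, "extension": ext, "content": kind, "status": status}


def read_header(path, length=16):
    with open(path, "rb") as fh:
        return fh.read(length)


def scan_directory(directory):
    """Check every file under `directory`, e.g. a folder of files exported from FTK."""
    results = []
    for root, _, files in os.walk(directory):
        for name in files:
            results.append(check_file(name, read_header(os.path.join(root, name))))
    return results


# Constructed sample files: name -> first bytes. Not taken from the practice image.
SAMPLE_FILES = {
    "puppy.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "holiday.doc": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",      # a JPEG wearing a .doc extension
    "letter.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "notes.txt": b"This is evidence.",
}

if __name__ == "__main__":
    for name, header in SAMPLE_FILES.items():
        r = check_file(name, header)
        print(f"{r['name']:<14} {r['extension']:<6} content={r['content']!s:<8} {r['status']}")
```

Plain text has no signature, so .txt files come back as "unrecognised" rather than "ok"; that is the honest answer, and a reminder that signature checks identify formats, they do not prove innocence. FTK's own file-type categorisation is doing this same comparison at scale when it sorts items into Documents, Graphics and so on.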
Windows Basics
BIOS and Safe Mode
BIOS: When you boot the machine, a key sequence will be briefly displayed on the screen to get into the BIOS.
Press that key sequence to get into the BIOS screen; the escape key (Esc) backs out of any screen.
View the boot sequence. Don’t make any changes to the BIOS. Use the Esc key to cancel any changes and Esc to exit.
Safe Mode: Sometimes you may wish to get into Safe Mode, especially if you need to restore a machine that has become corrupt or won’t boot due to some conflict (missing driver, etc.).
To get into Safe Mode in Windows 10, see: https://www.digitalcitizen.life/4-ways-boot-safe-mode-windows-10
File ownership and File Permissions
File Ownership: You can use the command line to find out the owner of files on systems that have multiple accounts. The steps below will save the directory information into a file that you can view with Notepad or any other text editor.
All Programs – Accessories – Command Prompt
Type:
cd \ (takes you to the root directory)
dir /q > C:\Fileowner.txt
exit
File Permissions: While in Safe Mode, you can view or change the owner of files/directories as well as their permissions.
Right click on any file and then choose Properties-> Security tab.
You can then view the users and groups who have access to this file.
By clicking on the Advanced button, you can choose the Owner or Permissions tab to view or change those settings.
We will not have you make changes, but do make a note so that you remember how to do this.
System Restore Tool
Windows 10 has a “System Restore” tool that allows you to restore the system to a previous state. While any recently installed software will be lost, changes to user data files will be preserved. It does this by saving “restore points” periodically. You can also use the System Restore tool to create your own restore points before you install applications, drivers, or make major changes that might be risky.
Go to Programs->Accessories->System Tools->System Restore.
It should allow you to pick a date to restore the system to. (Note: this may or may not work here in the lab, but give it a try. Note that if an anti-viral software program has quarantined or deleted files in a restore point the restoration will fail.) If it works, the software you installed today should be gone. Why is this of interest to a forensic examiner?
Note for All Labs:
All answers must be in complete sentences for full credit.
Use your own words.
You will not receive credit for questions that ask for definitions or examples if you use the ones given in the directions.
© 2006 Anne Marchant with contributions by Kristin Baldassaro & Rebecca Pollard, updated 2017