

Forensic Imaging and Windows

Lab 2


Notes:

  • All labs should be completed in VMWare to prevent unintentional damage to your system. Lab tools are for Windows and will not run on Mac systems unless you are in your VMWare setup.

  • All answers must be in complete sentences for full credit.

  • For this lab, use the smallest thumb drive you can… the larger it is, the longer your lab will take.

Objective:
The purpose of this exercise is to give you experience with some basic disk and file recovery operations and introduce you to some basics of Windows forensics.

Terms:

  • boot: short for “bootstrap.” This is the startup process. A “cold boot” starts from the powered-off state; a “warm boot” is a restart that reloads the operating system without removing power.

  • data carving: recovering files from raw data by their content (for example, the header and footer bytes of a JPEG) rather than through file system metadata. It is how files that have been deleted, or that are embedded inside other files, are located when the file system no longer points to them.

  • dd image: an exact duplicate, bit for bit, of a file or disk. The term derives from the Unix dd command that is used for this purpose.

  • driver: software that lets the operating system control a device such as a printer, scanner, or mouse.

  • hash: a fixed-length value computed from the contents of a file or disk (MD5 and SHA1 in this lab). Any change to the contents produces a different hash, so matching hashes show that the data has not changed since the hash was taken.


Software to Install:

NOTE: Run these tools as administrator. To do this, right-click the program and select “Run as administrator.”

  • FTK (Forensic Toolkit): http://accessdata.com

    • Download the install from Blackboard (Course Content – Handouts – Software - FTK-Forensic_Toolkit-1.81.6.exe)

    • Install it, ignoring any error messages that appear

  • FTK Imager: http://accessdata.com

    • Download the install from Blackboard (Course Content – Handouts – Software - AccessData_FTK_Imager_3-1-0.exe)

    • You can use a newer version from the website if you would like. The versions posted on blackboard are small files that can be easily run from a thumbdrive.

  • Autopsy: https://www.sleuthkit.org/autopsy/

    • You can use Autopsy in addition to or in place of FTK

  • WinHex: http://www.winhex.com/winhex/index-m.html

    • Choose WinHex and download the Demo version

    • Run setup.exe to install the program

    • If given the option, run WinHex using the Computer Forensic Interface

    • Note: X-Ways Forensics is the “forensics” version of this, but there is no demo version available.

Create Some “Evidence”:

  • Insert a thumb drive (make sure it does not contain any important information)

  • Open Word

    • Create a file called test1.doc (or docx) and save it to your thumbdrive

      • In the file, type the word “inculpatory”

    • Create a file called test2.doc (or docx) and save it to your thumbdrive

      • In the file, type the word “exculpatory”

  • Using Notepad

    • Create a file called evidence.txt

      • In the file type “This is evidence.”

    • Create a file called hidden_evidence.txt

      • In the file type “This is hidden evidence.”

    • Create a file called deleted_evidence.txt

      • In the file type “This is deleted evidence.”

  • Open your web browser

    • Search for a picture of a puppy and save it to your thumb drive

    • Go to: http://ist.gmu.edu/

      • Save Page As

      • Save the complete webpage to your thumbdrive

  • Open your thumbdrive from “My Computer”

    • Right-click and delete:

      • test2.doc

      • the picture of the puppy

      • deleted_evidence.txt

    • Right-click on hidden_evidence.txt, go to Properties and make it a hidden file

***If you are getting a security error with FTK or Imager, you need to adjust your OS security settings. See this site for an example to fix: https://blog.pcrisk.com/windows/12622-an-administrator-has-blocked-you-from-running-this-app

Creating a Forensic Image with FTK Imager:

(We are now going to treat this disk as evidence. In an actual case, we would be using a hardware write blocker at this point: without one, simply plugging the drive into Windows can write to it, which changes the evidence and therefore its hash.)

  • Launch FTK Imager

    • File-> Create Disk Image

    • Choose the Physical Drive radio button

    • Then choose Next-> Select your thumb drive->Finish

      • Make sure you don’t select the hard drive!

  • You then need to indicate how and where the drive image will be saved.

    • Choose Add-> E01 ->Next

    • Enter the requested information (you can make up the case name, etc.)

    • Browse and add a new folder called Lab2 to the desktop to save the image to and click OK

    • Name the image testcase.E01

    • Choose Finish->Start

    • When it finishes, record the MD5 and SHA1 hashes (Question 2). These are hashes of the acquired drive contents, which is what Verify Drive/Image recomputes later; they are not hashes of the testcase.E01 file itself, so hashing that file with another tool will give different values.

  • Load the image into Imager if it did not load after creating the image. In the evidence tree, note the structure of the evidence file. What do you see?

File Recovery with FTK

  • Close the Imager and launch FTK Toolkit

    • If you get a security or dongle “error,” ignore it and click OK/continue.

  • Start a new case

    • In the screens that follow, enter in some sample data as requested (name, case number, address, etc.).

    • Accept the default logs, processes, and refinements

    • At the add evidence screen, Add evidence button -> Acquired Image of Drive.

    • Browse and open the image file you created above (testcase.E01)

    • Enter the time zone (Eastern Time with daylight savings)

    • Next->Finish.

  • Go to the Overview tab (include a screenshot for question 3)

    • Look at the different file item categories

    • Click on Documents. How many did it find? Did you find the items you created?

    • Click on Deleted Files. How many did it find? Did you find your deleted items?

  • Choose the Explore tab and see if you can locate these files

  • Select your deleted file and then choose File->Export Files…

    • Browse to locate your Lab2 folder on the desktop to save the recovered file to

    • Click OK

    • Use My Computer to confirm that the deleted file was recovered

Verify Hashes with FTK Imager

  • Open Imager

    • File->Add Evidence->Image File

  • Browse to open testcase.E01 ->Open->Finish

  • Choose File->Verify Drive/Image

  • It will take a minute or two to verify the drive and compute the hashes (record the hash in question 5)

    • Check the MD5 and SHA1 you recorded from before…They should match!

      • Matching hashes show that the image has not been altered since it was acquired. They say nothing about what happened to the drive before imaging, which is why the write blocker matters.

    • Close Imager. You do not need to save the case.
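The verification step above, written out as an added example in Python (this is not AccessData's code). It assumes a raw dd-style image such as the practicecase.001 file used later in this lab, where the file on disk is the acquired data byte for byte; an E01 container stores the acquired data's hash inside the container, so hashing the .E01 file itself would not match. The file name, the sample image contents and the offset of the flipped bit are constructed for the example.

```python
"""Hash a raw disk image and verify it against the values recorded at acquisition.

Added example, not FTK Imager code. It models the File->Verify Drive/Image step
for a raw (dd-style) image such as practicecase.001: recompute MD5 and SHA1
over every byte and compare. The sample image written by demo() is constructed
here; no hash value below comes from a real case file.
"""
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB reads, so a multi-GB image never has to fit in RAM


def hash_stream(fh, chunk_size=CHUNK):
    """Return {'md5': hex, 'sha1': hex} for a binary file object, single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_image(path):
    """Hash the file at path (the image data itself, not an E01 container)."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data):
    """Convenience wrapper for in-memory data (handy for known-answer checks)."""
    return hash_stream(io.BytesIO(data))


def verify_image(path, recorded):
    """Recompute and compare. recorded is the dict written down at acquisition.

    Returns (matches, computed) so both values can be logged. Comparison is
    case-insensitive because tools print hex digests in either case.
    """
    computed = hash_image(path)
    matches = all(computed[a] == recorded[a].lower() for a in ("md5", "sha1"))
    return matches, computed


def flip_one_bit(path, offset):
    """Flip one bit in place: the smallest possible contamination."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        byte = fh.read(1)[0]
        fh.seek(offset)
        fh.write(bytes([byte ^ 0x01]))


def demo():
    """Acquire, verify, contaminate, verify again. Returns (recorded, after)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "testcase.001")
        # Constructed stand-in for the thumb drive: zeros around one text file.
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"This is evidence." + b"\x00" * 4096)
        recorded = hash_image(image)             # noted at acquisition time
        ok, _ = verify_image(image, recorded)    # the Verify Drive/Image step
        assert ok, "fresh image must verify"
        flip_one_bit(image, 100)                 # one bit out of 8 KiB
        ok, after = verify_image(image, recorded)
        assert not ok, "any change must break verification"
        return recorded, after


if __name__ == "__main__":
    before, after = demo()
    print("recorded:", before)
    print("after   :", after)
```

Run it directly to see the digests before and after the one-bit change. verify_image reads the image once, computes both digests in the same pass (as an imaging tool does during acquisition), and reports a mismatch when even one bit differs; that sensitivity is the whole basis of the “hashes should match” check.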

WinHex

WinHex is a “hex editor.” It allows you to work with disks and files at the binary level. When making a forensic copy, you need to be sure that the media you are copying to is forensically sterile. You need to be able to assure a court that you have not contaminated the evidence in any way.

To erase a disk securely using Winhex:

  • Tools->Open Disk->E: (Click OK) ***Or whatever drive letter your thumb drive is mounted to

  • Note that the demo version of WinHex will not let you complete this operation

  • Edit->Fill Disk Sectors

  • You may choose 0x00 or random values. (The DoD 5220.22-M standard specifies 3 passes; NIST SP 800-88 considers a single overwrite pass sufficient for modern magnetic disks. On flash media such as thumb drives, wear leveling means the sectors you overwrite from the host may not be the physical cells that held the data, so overwriting is not a reliable sanitization method there.)

  • Exit WinHex


Searching for text using WinHex:

  • Using “My Computer” locate your test1 file on the thumb drive

    • Right click and delete it

  • Reopen WinHex and ask for a new “snapshot” of the disk in the dialog box

    • Go to:

      • Search ->Find Text and type in “exculpatory” (the word from test2, which you deleted earlier; test1 contained “inculpatory”)

      • Uncheck “match case” and check the option to give you a certain number of search results

  • Even though the file has been deleted, you can recover this text

    • To locate any text:

      • Search ->Text Passages …

  • If you do not find your text here, the file format is the likely reason: a .docx stores its text inside a ZIP container, so the word exists on disk only in compressed form and a raw text search cannot match it, and a .doc may store its text as UTF-16, so search for it as Unicode as well. FTK parses these formats rather than searching raw bytes, so try the search again there.

In order to erase a file securely:

  • Note that the demo version of WinHex will not let you complete this operation

  • Tools->File Tools->Wipe Securely

    • Choose the file to wipe (if you already deleted test1 in the previous section, pick one of the other files you created, such as evidence.txt)

    • You may choose 0x00 or random values

    • Click OK and confirm the deletion

    • Exit WinHex and check the contents of the disk. Unlike a normal delete, which only removes the directory entry and leaves the data in place, a secure wipe overwrites the file’s sectors, so its text can no longer be found with Find Text.
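The two WinHex operations in this section, the raw text search that still finds a deleted file and the sector overwrite that finally removes it, as an added example in Python (this is not WinHex code). The disk image is a constructed 20-sector bytearray and the sector numbers are chosen for the example; find_text searches for a keyword in both ASCII and UTF-16LE, find_in_deflated shows why a .docx body is missed by a raw search, and wipe_sectors shows that overwriting, not deleting, is what makes the text unrecoverable.

```python
"""Keyword search over a raw disk image, and what secure wiping does to it.

Added example, not WinHex code. It reproduces the idea behind
Search->Find Text on a disk snapshot: the search covers every sector, so
text from a deleted file is still found until its sectors are overwritten.
The image is constructed by build_image(); every offset is an invented
choice for this example, not a real drive layout.
"""
import zlib

SECTOR = 512


def build_image():
    """Return a constructed 20-sector image as a mutable bytearray.

    sector 4 : live text file (ASCII), like evidence.txt
    sector 9 : a deleted Word 97-2003 .doc; that format may store text as
               UTF-16LE, so the word is planted that way
    sector 14: a deleted .docx; its text sits in a ZIP entry, so on disk it
               exists only as DEFLATE-compressed bytes
    """
    image = bytearray(SECTOR * 20)
    live = b"This is evidence."
    image[4 * SECTOR:4 * SECTOR + len(live)] = live
    word = "exculpatory".encode("utf-16-le")
    image[9 * SECTOR:9 * SECTOR + len(word)] = word
    blob = zlib.compress(b"<w:t>exculpatory</w:t>")  # stand-in for document.xml
    image[14 * SECTOR:14 * SECTOR + len(blob)] = blob
    return image


def find_text(image, needle, match_case=False):
    """Return sorted [(offset, encoding)] hits for needle as ASCII or UTF-16LE.

    Case folding lower-cases both sides; that is correct for ASCII letters,
    including the ASCII range of UTF-16LE, which is all the lab keywords use.
    """
    hits = []
    data = bytes(image)
    for encoding in ("ascii", "utf-16-le"):
        pattern = needle.encode(encoding)
        haystack = data
        if not match_case:
            pattern, haystack = pattern.lower(), data.lower()
        pos = haystack.find(pattern)
        while pos != -1:
            hits.append((pos, encoding))
            pos = haystack.find(pattern, pos + 1)
    return sorted(hits)


def find_in_deflated(image, needle):
    """Inflate every zlib stream in the image and search its plaintext.

    This is why a raw search misses .docx/.xlsx text: it is compressed.
    Real .docx entries are raw DEFLATE inside a ZIP (no 2-byte zlib header);
    the example uses zlib streams so each start byte (0x78) is easy to spot.
    Returns the offsets of streams containing needle.
    """
    data = bytes(image)
    target = needle.encode("ascii").lower()
    found, pos = [], data.find(b"\x78")
    while pos != -1:
        try:
            plain = zlib.decompressobj().decompress(data[pos:])
        except zlib.error:           # not a zlib stream after all
            plain = b""
        if target in plain.lower():
            found.append(pos)
        pos = data.find(b"\x78", pos + 1)
    return found


def wipe_sectors(image, first_sector, count, pattern=b"\x00"):
    """Overwrite whole sectors in place, as Edit->Fill Disk Sectors does.

    pattern is repeated to fill the range; 0x00 or random bytes both work.
    Deleting a file only frees its sectors; overwriting is what removes data.
    """
    start, length = first_sector * SECTOR, count * SECTOR
    image[start:start + length] = (pattern * (length // len(pattern) + 1))[:length]


if __name__ == "__main__":
    img = build_image()
    print("raw search    :", find_text(img, "EXCULPATORY"))      # hit in sector 9
    print("inside deflate:", find_in_deflated(img, "exculpatory"))
    wipe_sectors(img, 9, 1)                                       # wipe the .doc
    print("after wiping  :", find_text(img, "exculpatory"))       # []
```

The raw search finds the word in the deleted .doc region because nothing has touched those sectors; the .docx region only gives a hit once its stream is inflated; and after wipe_sectors the .doc hit is gone while the untouched .docx sector is still recoverable, which is exactly the difference between “deleted” and “wiped” that this section is about.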

Recovering an Image File

  • Download the Data files for Lab 2 from Blackboard

    • practicecase.001 is the forensic image (a raw dd-style image, as its .001 extension suggests)

    • The accompanying text file contains the hashes and other information about the image

  • Launch FTK Toolkit

    • File->Add evidence -> Acquired Image of Drive

    • Browse and open the dd image file you downloaded (practicecase.001)

  • Do the following steps:

    • What can you find out about this disk image? What is the file system? Hint: Look under “Evidence Type.” (If you don’t see this, select the “Evidence Items button.”)

    • Click on Total File Items and view the files listed. What type of disk is this? (Hint: what type of file is .sxw? Use Google and find out.) What was in the file evil.sxw?

    • Is there an image on this disk? Note that it has the extension .sxw (not .jpg/.jpeg). Criminals may try to hide images by renaming them with bogus extensions.

    • Verify the image and compare the hashes to the hashes in the text file
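Checking a file's real type against its extension, and carving a picture out of raw data, as an added example in Python (this is not FTK code). The image layout, the directory table and the file names (evil.sxw, notes.sxw, puppy.jpg, evidence.txt) are constructed for the example; the magic numbers in SIGNATURES are the real ones. It goes a little beyond the single renamed file in the lab: the same check flags any extension whose claimed type disagrees with the content, and the carver finds JPEGs even where no directory entry points at them.

```python
"""Identify files by content rather than extension, and carve JPEGs from raw data.

Added example, not FTK code. build_image() constructs a tiny raw image and a
toy directory (name -> offset, size); the names and layout are invented for
the example. A real examiner reads the file system; the point here is the
signature check that catches an image hiding behind a .sxw name, and the
header/footer carving that finds it even with no directory entry at all.
"""
import struct

# Leading bytes ("magic numbers") that identify common types regardless of name.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",   # .sxw, .odt and .docx documents are all ZIP containers
}

# What each extension claims to be, in the same vocabulary as SIGNATURES.
EXTENSION_CLAIMS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
                    "sxw": "zip", "odt": "zip", "docx": "zip", "zip": "zip"}


def identify(data):
    """Return the type implied by the first bytes of data, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if bytes(data[:len(magic)]) == magic:
            return kind
    return "unknown"


def extension_mismatch(name, data):
    """True when the extension claims a known type and the content is another."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed, actual = EXTENSION_CLAIMS.get(ext), identify(data)
    return claimed is not None and actual != "unknown" and claimed != actual


def carve_jpegs(image):
    """Header/footer carving: each FFD8FF ... FFD9 run found in the raw bytes.

    Simplified on purpose: a JPEG with an embedded EXIF thumbnail holds a
    second FFD9 before its real end, so a production carver also walks the
    marker segments. Returns [(offset, bytes)].
    """
    out, start = [], 0
    while (soi := image.find(b"\xff\xd8\xff", start)) != -1:
        eoi = image.find(b"\xff\xd9", soi + 3)
        if eoi == -1:
            break
        out.append((soi, bytes(image[soi:eoi + 2])))
        start = eoi + 2
    return out


def make_jpeg(payload):
    """SOI + APP0/JFIF segment + payload + EOI: the marker skeleton a carver
    keys on (not a decodable picture, which is fine for the example)."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + payload + b"\xff\xd9")


def build_image():
    """Constructed raw image, one 512-byte sector per file, plus its directory."""
    files = {
        "puppy.jpg": make_jpeg(b"\x01" * 40),
        "evil.sxw": make_jpeg(b"\x02" * 40),        # a picture renamed to .sxw
        "notes.sxw": b"PK\x03\x04" + b"\x00" * 60,  # genuinely a ZIP container
        "evidence.txt": b"This is evidence.",
    }
    image, table = bytearray(), {}
    for name, data in files.items():
        table[name] = (len(image), len(data))
        image += data.ljust(512, b"\x00")
    return image, table


def scan_table(image, table):
    """Names whose extension does not match their content."""
    return [name for name, (off, size) in table.items()
            if extension_mismatch(name, image[off:off + size])]


if __name__ == "__main__":
    img, table = build_image()
    print("mismatched:", scan_table(img, table))                 # ['evil.sxw']
    print("carved at :", [off for off, _ in carve_jpegs(img)])   # [0, 512]
```

scan_table is the extension check FTK performs when it reports a file's type from its signature: evil.sxw is flagged because its content begins with the JPEG marker while a genuine .sxw begins with the ZIP header. carve_jpegs needs no directory at all, which is how the deleted puppy picture earlier in this lab can be found even after its directory entry is gone.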

Windows Basics

BIOS and Safe Mode

  • BIOS: When you boot the machine, the key (or key sequence) for entering the BIOS setup is briefly displayed on the screen.

  • Press that key during startup to enter the BIOS setup screen. Use the escape key (Esc) to back out of any menu without saving.

  • View the boot sequence. Don’t make any changes to the BIOS. Use the Esc key to cancel any changes and Esc to exit.

  • Safe Mode: Sometimes you may wish to get into Safe Mode, especially if you need to restore a machine that has become corrupt or won’t boot due to some conflict (missing driver, etc.).

  • To get into Safe Mode in Windows 10, see: https://www.digitalcitizen.life/4-ways-boot-safe-mode-windows-10

File ownership and File Permissions

  • File Ownership: You can use the command line to find out the owner of files on systems that have multiple accounts. The steps below save the directory listing, with the owner of each entry, into a file that you can view with Notepad or any other text editor. Two things to watch for: dir truncates long owner names to fit its column (an owner such as NT SERVICE\TrustedInstaller is cut off), and writing to the root of C:\ may be refused from a non-elevated prompt, in which case run the prompt as administrator or redirect the output to your Desktop instead. Add /s to the dir command if you want subdirectories included.

    • All Programs – Accessories – Command Prompt

    • Type:

      • cd \ (takes you to the root directory)

      • dir /q > C:\Fileowner.txt

      • exit

  • File Permissions: You can view or change the owner of files/directories as well as their permissions from the file’s Properties dialog; this works in normal mode as well as in Safe Mode.

    • Right click on any file and then choose Properties-> Security tab.

    • You can then view the users and groups who have access to this file.

    • By clicking on the Advanced button, you can choose the Owner or Permissions tab to view or change those settings.

    • We will not have you make changes, but do make a note so that you remember how to do this.

System Restore Tool

  • Windows 10 has a “System Restore” tool that allows you to restore the system to a previous state. While any recently installed software will be lost, changes to user data files will be preserved. It does this by saving “restore points” periodically. You can also use the System Restore tool to create your own restore points before you install applications, drivers, or make major changes that might be risky.

    • Go to Programs->Accessories->System Tools->System Restore. (On Windows 10, search the Start menu for “Create a restore point” and click the System Restore button on the System Protection tab.)

      • It should allow you to pick a date to restore the system to. (Note: this may or may not work here in the lab, but give it a try. Note that if an anti-viral software program has quarantined or deleted files in a restore point the restoration will fail.) If it works, the software you installed today should be gone. Why is this of interest to a forensic examiner?

Note for All Labs:

  • All answers must be in complete sentences for full credit.

  • Use your own words.

  • You will not receive credit for questions that ask for definitions or examples if you use the ones given in the directions.



© 2006 Anne Marchant with contributions by Kristin Baldassaro & Rebecca Pollard, updated 2017