
Lab 5 Guide CMIT 424 Computer Forensics

Table of Contents
Introduction
Section 1 – Lab Setup
Section 2 – Imaging
Section 3 – Creating a Case with Autopsy
Section 4 – Analysis with Autopsy
Introduction
Important Note: To complete Lab 5, you need to complete Labs 1-4.
During this lab, we will examine a disk image and recover deleted files.
Lab Description:
To fully understand Computer Forensics, it is essential that you understand how the Operating
Systems and File Systems work, and how to utilize computer forensics tools that will help you
recover the artifacts relevant to the case.
Learning Outcomes:
The goal is to implement various techniques to collect and analyze information from digital
media that are used in computer forensic investigations.
After completing this course, you should be able to:
Course Learning Outcomes
• establish a digital forensic workstation for the purpose of collecting and analyzing data.
• select and apply the most appropriate methodology to extract data based on circumstances and
reassemble artifacts from data fragments.
• apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital
artifacts.
• analyze and interpret data collected and report outcomes in accordance with incident response
handling guidelines.
Section 1 – Lab Setup
1. (You completed the OS install in Lab 1). Click Power on this Virtual Machine:
[Screenshot: Windows 10 VM]
2. Use this button to send a Control+Alt+Delete to the Windows VM.
[Screenshot: Control+Alt+Delete]
3. Log on to the Windows 10 Virtual Machine you created in Lab 1 with the username of your first name
and the password of [email protected]
4. Open Windows Explorer and double-click MY PC. At this point, you should have two disks: a C:
drive named Your FirstName and an E: drive named yourname backup (created in Lab 2). Go back and
do Lab 2, Section 3 if you are missing one of the disks.
[Screenshot: Windows Explorer]
5. Go to VM from the VMware Workstation Menu bar and select Settings.
[Screenshot: Settings]
6. Click Add to add a device.
[Screenshot: Add]
7. Select Hard Disk and Click Next
[Screenshot: Hard Disk]
8. Accept SCSI (Recommended) and click Next.
9. Accept the default of create a new virtual disk.
10. For the maximum disk size (GB), put 1 GB. Click Next. Click Finish. Click OK.
[Screenshot: New Disk]
11. Right click on the Start Menu and select Disk Management.
[Screenshot: Disk Management]
12. Click OK to initialize the disk. Notice that we are using the Master Boot Record partitioning style.
[Screenshot: Disk Management]
13. Right click on Disk 2 (Unallocated) and select New Simple Volume.
[Screenshot: Disk Management]
14. Click Next
15. Click Next to accept the default volume size.
16. Click Next to assign the drive letter F:.
17. At Format Partition, change the File System to FAT32 from the dropdown box.
Put YourFIRSTNAME-R for the Volume name and take a screenshot.
Note: If your first name is long, you only need to include the first 9 letters.
Add your screenshot to page 3 of your CMIT_424_LAB5_WORKSHEET.
Note: Your screenshot will be different from the example provided.
Do not use the EXAMPLE screenshot.
Click Next. Click Finish.
[Screenshot: Disk Management]
18. Click Next. Click Finish. Take a screenshot of Disk Management with the 3 yourname drives.
[Screenshot: Disk Management]
Add your screenshot to page 4 of your CMIT_424_LAB5_WORKSHEET.
Note: Your screenshot will be different from the example provided.
Do not use the EXAMPLE screenshot.
Click Next. Click Finish.
19. Right click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
[Screenshot: Command Prompt]
20. Type the following to copy the image files to the newly created F: drive using xcopy (the /s switch
copies the subfolders as well):

C:\Windows\System32>xcopy C:\Windows\Web\Wallpaper /s F:\
[Screenshot: Command Prompt]
21. Click on Windows Explorer. Click the arrow to the left of F: to show the 3 created folders. Click on the
first folder to view some of the images copied.
[Screenshot: Windows Explorer]
22. Right click on F: and select format.
[Screenshot: Format]
23. Click Start. Wait for the quick format to finish, click OK, and click Close.
[Screenshot: Format]
24. Right click on E: and select format.
[Screenshot: Format]
25. Click Start. Wait for it to finish, click OK, and click Close.
[Screenshot: Format]
Section 2 – Imaging
1. If you did not already do so for Lab 1, download the CMIT 424 Software Tools ISO file needed for this
class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
2. Click Edit virtual machine settings.
[Screenshot: Edit Settings]
3. Click on the CD/DVD icon and then click Browse. Go to the location on your system where you
downloaded the CMIT 424 tools ISO File. Verify that both Connected boxes are checked.
[Screenshot: CMIT 424 Tools]
4. Click This PC. Right Click the DVD and select open. Double click on Autopsy.
[Screenshot: DVD Tools]
5. Find the FTK Imager program and right click and run as Administrator. Click Yes to the User Account
Control Warning.
[Screenshot: FTK Imager]
6. Select File and then choose Create Disk Image.
[Screenshot: FTK Imager]
7. Click Physical Drive and click Next.
[Screenshot: FTK Imager]
8. Select The IDE Disk (25 GB). Click Finish. In this scenario, mine is Physical Disk 1.
[Screenshot: FTK Imager]
9. Click Add.
[Screenshot: FTK Imager]
10. Select Raw (dd) and click Next.
[Screenshot: FTK Imager]
11. For the Evidence Item Information, put
Case number: Today’s Date – Lab 5
Evidence number: 1- OS Image
Unique Description: CMIT 424
Examiner: Your First Name and Your Last Name
Note: Put Your Instructor’s Name Here
[Screenshot: FTK Imager]
Add your screenshot to page 5 of your CMIT_424_LAB5_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
12. For the Image Destination Folder, you can either type E:\ or you can click Browse and go to the E:
drive. For the image name, put in OSImage.dd. For the Fragment Size, put 0. Click Finish.
[Screenshot: FTK Imager]
13. Click Start.
14. You will see that the image is created with a Progress bar.
[Screenshot: FTK Imager]
Note: DO NOT CLICK CLOSE at the Drive/Image Verify Results Screen.
15. DO NOT CLICK CLOSE at the Drive/Image Verify Results Screen.
[Screenshot: FTK Imager]
You can record the hashes when you take the image and then provide the hashes to other examiners. When
they hash the image, they will look for the same hash that you recorded to verify the integrity of the data and
they can have confidence that the data has not been altered or tampered with in any way. Next, we will go
through the verification process.
16. To do this, click Windows Explorer, This PC, Local Disk E:, right-click on the image file and then go to
Properties, and select the Hash tab. It may take a while to calculate the hash.
[Screenshot: Windows Explorer]
Add your screenshots to page 6 of your CMIT_424_LAB5_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
17. Click OK to the Properties of the file. Click close to the Drive/Image Verify Results. Next, we will image
the 1 GB FAT32 Drive where we copied the picture files and then formatted the disk.
18. Select File and then choose Create Disk Image.
[Screenshot: FTK Imager]
19. Click Physical Drive and click Next.
[Screenshot: FTK Imager]
20. Select The SCSI Disk (1 GB). Click Finish. In this scenario, mine is Physical Disk 2.
[Screenshot: FTK Imager]
21. Click Add.
[Screenshot: FTK Imager]
22. Select Raw (dd) and click Next.
[Screenshot: FTK Imager]
23. For the Evidence Item Information, put
Case number: Today’s Date – Lab 5
Evidence number: 2- 1 GB Image
Unique Description: CMIT 424
Examiner: Your First Name and Your Last Name
Note: Put Your Instructor’s Name Here
[Screenshot: FTK Imager]
24. For the Image Destination Folder, you can either type E:\ or you can click Browse and go to the E:
drive. For the image name, put in Deleted1GBFAT32.dd. For the Fragment Size, put 0. Click Finish.
[Screenshot: FTK Imager]
25. Click Start.
26. You will see that the image is created with a Progress bar.
[Screenshot: FTK Imager]
Note: DO NOT CLICK CLOSE at the Drive/Image Verify Results Screen.
27. DO NOT CLICK CLOSE at the Drive/Image Verify Results Screen.
[Screenshot: FTK Imager]
You can record the hashes when you take the image and then provide the hashes to other examiners. When
they hash the image, they will look for the same hash that you recorded to verify the integrity of the data and
they can have confidence that the data has not been altered or tampered with in any way. Next, we will go
through the verification process.
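Added example (not from the lab guide or FTK Imager's own code) of the verification described here and at step 15: a second examiner recomputes the MD5 and SHA1 of a .dd image in chunks and compares them with the values recorded from FTK Imager's verify results. The sample image, its path and the recorded hashes are constructed for the demonstration.

```python
"""Verify a dd image against the MD5/SHA1 hashes an examiner recorded."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a 25 GB image never has to fit in RAM


def hash_image(path: str) -> dict:
    """Return {'md5': ..., 'sha1': ...} as lowercase hex for the file at path."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path: str, recorded: dict) -> tuple:
    """Compare recorded hashes (any letter case, as typed from the FTK Imager
    verify dialog) with freshly computed ones.
    Returns (all_match, {name: (recorded, computed)} for every mismatch)."""
    computed = hash_image(path)
    mismatches = {
        name: (value, computed[name])
        for name, value in recorded.items()
        if value.strip().lower() != computed[name]
    }
    return (not mismatches), mismatches


def make_sample_image(payload: bytes = b"abc") -> str:
    """Write a tiny constructed 'image' (assumption: stands in for OSImage.dd)
    to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path


if __name__ == "__main__":
    path = make_sample_image()
    print(hash_image(path))
    ok, bad = verify_image(path, {"md5": "900150983CD24FB0D6963F7D28E17F72"})
    print("image verified" if ok else f"MISMATCH, image altered or wrong file: {bad}")
```

A mismatch in either hash means the file on E: is not bit-for-bit the image that was taken, so it should not be analyzed as evidence until the difference is explained.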
28. To do this, click Windows Explorer, This PC, Local Disk E:, right-click on the image file and then go to
Properties, and select the Hash tab. It may take a while to calculate the hash.
[Screenshot: Windows Explorer]
Add your screenshots to page 7 of your CMIT_424_LAB5_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
Section 3 – Creating a Case with Autopsy
1. Click on Windows Explorer. Click This PC. Click on the DVD and select open. Right click on
autopsy-4.17.0-64bit.msi and click Install. Click next, Next, Install. Click Yes. Click Finish.
[Screenshot: Install Autopsy]
2. Right click on the Autopsy Shortcut on the Desktop and select Run as Administrator. Click yes
to the User Account Control Warning. Click No to the Central Repository.
[Screenshot: Autopsy]
3. Click New Case.
[Screenshot: Autopsy]
4. For the Case Information, put Your First and Last Name for the Case Name.
For the Base Directory, type C:\Users\Public. Click Next.
[Screenshot: Autopsy]
5. In the Optional Information, Type CMIT424 for the case number. For the Name, type
yourname. For the email, use your UMGC email.
[Screenshot: Autopsy]
Add your screenshot to page 8 of your CMIT_424_LAB5_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
6. Click Disk Image or VM. Click Next.
[Screenshot: Autopsy]
7. Click Browse and go to E: and double click the OSImage.dd file. Click Next, Next.
[Screenshot: Autopsy]
8. Click Finish when it is done parsing the data. If Autopsy crashes, open it again, select Open Recent
Case, and select the yourname case.
9. To add the second image, in Autopsy click Add Data Source in the top left corner, choose Disk Image,
and click Next.
[Screenshot: Autopsy]
10. Click Browse and go to E: and double click the Deleted1GBFAT32.dd file. Click Next, Next.
[Screenshot: Autopsy]
11. Click Finish when it is done parsing the data. If Autopsy crashes, open it again, select Open Recent
Case, and select the yourname case.
Section 4 – Analysis with Autopsy
1. Click on the OS Image.
Click Volume 3.
There you will see Windows and all of the files on the Local Disk C:, including your ls.bat.
Notice the Master File Table, or $MFT, which is a file on NTFS systems that you cannot see from within the OS.
Feel free to explore the common locations of Windows artifacts for the files you created in
Lab 4. Examine C:\Windows, C:\Windows\System32, and C:\Windows\System32\Tasks.
[Screenshot: Autopsy]
Add your screenshot to page 9 of your CMIT_424_LAB5_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
2. Click on the Deleted1GBFAT32 image.
Click Volume 2. On the root, notice the FAT1 and FAT2 files, which indicate a FAT file system. You
are unable to view those 2 files from the Windows operating system. Click Carved Files. Click
through the files until you recover one of the images from the "quick" formatted 1 GB FAT32 disk.
[Screenshot: Autopsy]
Add the screenshots to page 10 of your CMIT_424_LAB5_WORKSHEET.
Note: Your screenshot will be different from the examples provided. Do not use the EXAMPLE screenshot.
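Added example (not from the lab guide or Autopsy) of why Carved Files can still recover the pictures after a quick format: the format rewrites the FAT and root directory but leaves the data clusters in place, so scanning the raw image for the JPEG start and end markers finds the file bodies. The cluster layout and the JPEG blobs below are constructed, not taken from the lab image.

```python
"""Header/footer carving of JPEG files from a raw (dd) image of a formatted volume."""
SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker followed by the first segment byte
EOI = b"\xff\xd9"      # JPEG end-of-image marker


def carve_jpegs(data: bytes, max_size: int = 8 * 1024 * 1024) -> list:
    """Return [(offset, payload), ...] for every JPEG with both markers present.

    A header whose footer is not found within max_size bytes is treated as a
    truncated or overwritten file and skipped rather than carved."""
    found = []
    pos = 0
    while True:
        start = data.find(SOI, pos)
        if start < 0:
            break
        end = data.find(EOI, start + len(SOI), start + max_size)
        if end < 0:
            pos = start + 1  # no footer in range: move past this header
            continue
        found.append((start, data[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found


def build_sample_image() -> bytes:
    """Constructed volume: zeroed 512-byte clusters (as after a quick format's
    directory wipe) still holding two complete JPEGs and one truncated one."""
    cluster = 512
    img = bytearray(cluster * 16)
    jpeg_a = SOI + b"\xe0" + b"A" * 100 + EOI   # 106 bytes
    jpeg_b = SOI + b"\xe1" + b"B" * 700 + EOI   # 706 bytes, spans two clusters
    cut = SOI + b"\xe0" + b"C" * 50             # header only, footer overwritten
    img[cluster * 2:cluster * 2 + len(jpeg_a)] = jpeg_a
    img[cluster * 5:cluster * 5 + len(jpeg_b)] = jpeg_b
    img[cluster * 9:cluster * 9 + len(cut)] = cut
    return bytes(img)


if __name__ == "__main__":
    for offset, blob in carve_jpegs(build_sample_image()):
        print(f"JPEG at byte offset {offset}: {len(blob)} bytes")
```

Real JPEGs with an embedded EXIF thumbnail contain a nested FF D8 ... FF D9 pair, so a footer-only carver can cut such a file short at the thumbnail's end marker; full carvers parse the JPEG segment structure instead.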
Hint: Do not forget your Introduction and Conclusion in your lab worksheet or you will lose points on your assignment.