
CMIT 424 – LAB 7- Digital Forensics Analysis and Application

Lab 7 Guide CMIT 424 Computer Forensics
Table of Contents
Introduction
Section 1 – Lab Setup
Section 2 – Internet Explorer History
Section 3 – Chrome History
Section 4 – Firefox History
Section 5 – Optional – More Browser History
Introduction
Important Note: To complete Lab 7 you need to complete Labs 1-6
During this lab, we will examine browser artifacts and look at website history for Internet Explorer,
Chrome, and Firefox.
Lab Description:
To fully understand Computer Forensics, it is essential that you understand how the Operating
Systems and File Systems work, and how to utilize computer forensics tools that will help you
recover the artifacts relevant to the case.
Learning Outcomes:
The goal is to implement various techniques to collect and analyze information from digital
media that are used in computer forensic investigations.
After completing this course, you should be able to:
Course Learning Outcomes
• establish a digital forensic workstation for the purpose of collecting and analyzing data.
• select and apply the most appropriate methodology to extract data based on circumstances and
reassemble artifacts from data fragments.
• apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital
artifacts.
• analyze and interpret data collected and report outcomes in accordance with incident response
handling guidelines.
Section 1 – Lab Setup

  1. (You completed the OS install in Lab 1). Click Power on this Virtual Machine:
    Windows VM
  2. Use this button to send a Control+Alt+Delete to the Windows VM.
    Control+Alt+Delete
  3. Log on to your Windows 10 Virtual Machine you created in lab 1 with the username of your first name
    and the password of [email protected]
  4. Right click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
    Command Prompt
  5. Type the following to bring up the Control Panel:
    C:\Windows\System32>control
    Control Panel
  6. Click Programs
    Control Panel
  7. Click Turn Windows Features on or off.
    Control Panel
  8. Expand Internet Information Services. Select the three subcategories below and click ok:
    • FTP Server
    • Web Management Tools
    • World Wide Web Services
    Control Panel
  9. In the Search box, type IIS, and then click on Internet Information Services (IIS)
    Internet Information Services
  10. Expand Sites. Notice that the website is present, but the FTP site is not there.
    Internet Information Services
    Add your screenshot to page 3 of your CMIT_424_LAB7_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  11. Type the following command to add the time and date to your IR Text file.
    Internet Information Services
  12. Name the FTP Site, Yourname FTP Site, where your name is your first name. Browse to C:\,
    Inetpub\FTProot. Click OK. Click Next.
    Internet Information Services
  13. Select No SSL for the SSL settings. Click Next.
    Internet Information Services
  14. In the Authentication and Authorization page,
    • Under Authentication, select Anonymous.
    • Under Authorization, select Allow Access to Anonymous users
    • Under Permissions Select Read
    Click Next
    Internet Information Services
  15. Now the Web Site and the Yourname FTP site will appear in the Internet Information Services (IIS).
    Internet Information Services
    Add your screenshot to page 4 of your CMIT_424_LAB7_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  16. If you have not already done so, download the CMIT 424 Software Tools ISO file needed for this class
    from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
  17. Click edit virtual machines settings.
    Edit Settings
  18. Click on the CD/DVD icon and then click Browse. Go to the location on your system where you
    downloaded the CMIT 424 tools ISO File. Verify that both Connected boxes are checked.
    CMIT 424 Tools
  19. Click This PC, the DVD, and then drag the following 3 files to the desktop:
    • browsinghistoryview-x64
    • iehv
    • mozillahistoryview-x64
    CMIT 424 Tools
  20. Click View in the top left in the Explorer menu. Click Options, and then Change folder and search options.
    Windows Explorer
  21. Click the View Tab and then configure the following settings below:
    • Select the radio button to Show hidden files, folders, and drives.
    • Uncheck Hide extensions for known types.
    • Uncheck Hide Protected Operating System files (Recommended). Click Yes.
    Windows Explorer
Section 2 – Internet Explorer History
  22. Type IE in the search bar and then launch the Internet Explorer app.
    Click Use Recommended settings
    Internet Explorer
  23. Go to the following URL http://127.0.0.1 within Internet Explorer.

Internet Explorer

  1. Click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
    Command Prompt
  2. Type the following to switch to the wwwroot directory within Inetpub.
    C:\Windows\System32>cd c:\Inetpub\wwwroot
    Command Prompt
  3. Type the following to list the files and folder in the directory.
    C:\Inetpub\wwwroot >dir
    Command Prompt
  4. Type the following to echo your first name and last name into the website file.
    C:\Inetpub\wwwroot >echo Yourfirstname Yourlastname CMIT 424 Website > iisstart.htm
    Command Prompt
    Add your screenshot to page 5 of your CMIT_424_LAB7_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  5. Within Internet Explorer, go to the following URL http://127.0.0.1
    Internet Explorer
    Add your screenshot to page 6 of your CMIT_424_LAB7_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  6. Click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
    Command Prompt
  7. Type the following to switch to the ftproot directory within Inetpub.
    C:\Windows\System32>cd c:\Inetpub\ftproot
    Command Prompt
  8. Type the following to echo your first name and last name into the FTP file CMIT424.txt.
    C:\Inetpub\ftproot > echo Yourfirstname Yourlastname ftp file > CMIT424.txt
    Command Prompt
    Add your screenshot to page 7 of your CMIT_424_LAB7_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  9. Type IE in the search bar and then launch the Internet Explorer app.
    Click Use Recommended settings
    Internet Explorer
  10. Go to the following URL within Internet Explorer: ftp://127.0.0.1/cmit424.txt
    Internet Explorer
    Add your screenshot to page 8 of your CMIT_424_LAB7_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  11. Right click on the iehv.zip file on the Desktop and select Extract All.
    Internet Explorer History Tool
  12. Double click on the exe file.
    Internet Explorer History Tool
  13. From the View menu, select Display Typed URL’s
    Internet Explorer History Tool
  14. View all of the typed URLs from your Internet Explorer browsing history.
    Internet Explorer History Tool
Section 3 – Chrome History
  15. If you have not already done so, download the CMIT 424 Software Tools ISO file needed for this class
    from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
  16. Click edit virtual machines settings.
    Edit Settings
  17. Click on the CD/DVD icon and then click Browse. Go to the location on your system where you
    downloaded the CMIT 424 tools ISO File. Verify that both Connected boxes are checked.
    CMIT 424 Tools
  18. Click This PC, the DVD, and then right click on the Chromeinstaller and select Run as Administrator.
    CMIT 424 Tools
  19. Click Yes. After a moment, Chrome will appear.
    Chrome
  20. Go to the following URL in Chrome http://127.0.0.1
    Chrome
  21. Go to the following URL in Chrome: ftp://127.0.0.1/cmit424.txt
    Chrome
    Add your screenshot to page 9 of your CMIT_424_LAB7_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  22. Right click on the browsinghistoryview-x64.zip on the Desktop and select Extract All.
    Chrome History View Tool
  23. Double click on the exe file.
    Chrome History View Tool
  24. From the Load History button, click the three dots to load the sub menu.
    Chrome History View Tool
    Note: You can use this technique to parse Chrome History for Capture the Flag exercises.
  25. In the Chrome History files location, type the following
    C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\History
    Chrome History View Tool
  26. Your Chrome Browser history will appear
    Chrome History View Tool
Section 4 – Firefox History
  27. If you have not already done so, download the CMIT 424 Software Tools ISO file needed for this class
    from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
  28. Click edit virtual machines settings.
    Edit Settings
  29. Click on the CD/DVD icon and then click Browse. Go to the location on your system where you
    downloaded the CMIT 424 tools ISO File. Verify that both Connected boxes are checked.
    CMIT 424 Tools
  30. Click This PC, the DVD, and then right click on the Firefox_Setup and select Run as Administrator.
    CMIT 424 Tools
  31. Click Yes. Click Next. Click Next. Click Install. Click Finish. Firefox will appear.
    Firefox
  32. Go to the following URL in Firefox: http://127.0.0.1
    Firefox
  33. Go to the following URL in Firefox: ftp://127.0.0.1/cmit424.txt
    Firefox
    Add your screenshot to page 10 of your CMIT_424_LAB7_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  34. Right click on the mozillahistoryview-64.zip file on the Desktop and select Extract All.
    Firefox History Viewer
  35. Double click on the exe file.
    Firefox History Viewer
  36. For Firefox history, you will need to locate the places.sqlite file in the Firefox profile folder. The profile folder name is unique to each system.
    Firefox History Viewer
    Note: You can use this technique to parse Firefox History for Capture the Flag exercises.
  37. Click OK. Your Firefox Browser history will appear
    Firefox History Viewer
    Hint: Do not forget your Introduction and Conclusion in your lab
    worksheet or you will lose points on your assignment.
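
Added example, not part of the original lab guide: the Chrome History file from step 25 and the Firefox places.sqlite file from step 36 are both SQLite databases, so the URLs the viewer tools display can also be read with a short Python script. The table and column names (urls/last_visit_time, moz_places/last_visit_date) are the browsers' schemas as assumed here, the function names are hypothetical, and the two sample databases are constructed so the script runs offline.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

UTC = timezone.utc
# browser -> (query, epoch). Both store microseconds, but from different epochs.
SOURCES = {
    "chrome": ("SELECT url, visit_count, last_visit_time FROM urls "
               "ORDER BY last_visit_time", datetime(1601, 1, 1, tzinfo=UTC)),
    "firefox": ("SELECT url, visit_count, last_visit_date FROM moz_places "
                "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date",
                datetime(1970, 1, 1, tzinfo=UTC)),
}

def read_history(db_path, browser):
    """Return [(url, visit_count, last_visit_utc)], oldest visit first."""
    query, epoch = SOURCES[browser]
    # mode=ro opens the database read-only (no writes to the history file).
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return [(url, count, epoch + timedelta(microseconds=ts))
                for url, count, ts in con.execute(query)]
    finally:
        con.close()

def build_sample(folder):
    """Write constructed stand-ins for Chrome 'History' and Firefox 'places.sqlite'."""
    samples = {  # file name, table, timestamp column, constructed raw timestamp
        "chrome": ("History", "urls", "last_visit_time", 13348540800000000),
        "firefox": ("places.sqlite", "moz_places", "last_visit_date", 1704067200000000),
    }
    paths = {}
    for browser, (name, table, col, ts) in samples.items():
        paths[browser] = Path(folder) / name
        con = sqlite3.connect(paths[browser])
        con.execute(f"CREATE TABLE {table} (url TEXT, visit_count INTEGER, {col} INTEGER)")
        con.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)",
                        [("http://127.0.0.1/", 2, ts),
                         ("ftp://127.0.0.1/cmit424.txt", 1, ts + 60_000_000)])
        con.commit()
        con.close()
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for browser, path in build_sample(tmp).items():
            for url, count, seen in read_history(path, browser):
                print(browser, seen.isoformat(), count, url)
```

To use it on the lab VM, copy the History or places.sqlite file out of the profile first and pass the copy's path to read_history.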
Section 5 – Optional – More Browser History
If you want to examine more browser history now that you are done with the 7 hands-on labs (Lab 8 is just a
summary), you can change your VM settings to give it Internet access. These steps are not required; follow them
only if you are interested in learning more about parsing browser objects from Internet Explorer, Chrome, or Firefox.
  38. Click edit virtual machines settings.
    Edit Settings
  39. Click on the Network Adapter and change it to NAT (Network Address Translation). Click OK.
    CMIT 424 Tools
  40. Click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
    Command Prompt
  41. Type the following to renew the IP address on the NAT network.
    C:\Windows\System32>ipconfig /renew
    PATH