Lab 2 Guide CMIT 424 Computer Forensics
Table of Contents
Introduction (page 2)
Section 1 – Lab Setup (page 3)
Section 2 – Hashing (page 11)
Section 3 – Disks and Disk Management (page 17)
Section 4 – Imaging (page 28)
Introduction
Important Note: To complete Lab 2, you need to complete Lab 1.
During this lab, we will use a variety of hashing tools, imaging tools, and even analysis tools.
Lab Description:
To fully understand Computer Forensics, it is essential that you understand how the Operating
Systems and File Systems work, and how to utilize computer forensics tools that will help you
recover the artifacts relevant to the case.
Learning Outcomes:
The goal is to implement various techniques to collect and analyze information from digital
media that are used in computer forensic investigations.
After completing this course, you should be able to:
Course Learning Outcomes
• establish a digital forensic workstation for the purpose of collecting and analyzing data.
• select and apply the most appropriate methodology to extract data based on circumstances and
reassemble artifacts from data fragments.
• apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital
artifacts.
• analyze and interpret data collected and report outcomes in accordance with incident response
handling guidelines.
Section 1 – Lab Setup
- (You completed the OS install in Lab 1.) Click Power on this Virtual Machine.
- Use the Control+Alt+Delete button to send a Control+Alt+Delete to the Windows 10 VM.
- Log on to the Windows 10 virtual machine you created in Lab 1 with the username of your first name and the password of [email protected]
- If you did not already do so for Lab 1, download the CMIT 424 Software Tools ISO file needed for this class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
- Click Edit virtual machine settings.
- Click on the CD/DVD icon and then click Browse. Go to the location on your system where you downloaded the CMIT 424 tools ISO file. Verify that both Connected boxes are checked.
- Click This PC. Right click the DVD and select Open. Double click on the HashTab Setup.
- Click Yes, Next, I agree, Install, Finish. Close the browser.
- Double click on HashCalc202. Click Yes, Next, I accept, Next, Next, Next, Install.
- Right click on the SysinternalsSuite zip file and select Send to Documents.
- Within the Documents folder, right click on SysinternalsSuite and select Extract All… Click Extract.
- Find sigcheck in the list. Right click on the file and select Copy.
- Click on Local Disk C:\, find the Windows directory, and then click Paste. Click Continue.
- Double click on system32. Find cmd.exe in the list.
- Right click on cmd.exe and select Copy.
- Select Paste to paste the file to the Desktop.
Here is a summary of what was done in Section 1:
- HashTab was installed from the CMIT 424 tools DVD.
- HashCalc was installed from the CMIT 424 tools DVD.
- SysinternalsSuite was extracted to Documents.
- The file sigcheck was copied to the Windows directory.
- A shortcut to cmd.exe was created on the Desktop.
- cmd.exe was copied from C:\Windows\System32 to the Desktop.
The directions to perform all of these steps are listed in Section 1. You will need them in the next sections.
Section 2 – Hashing
- Click the shortcut to the Command Prompt on the Desktop.
- Type the following command to get the file hashes for cmd.exe:
C:\Windows\System32>sigcheck -h cmd.exe
Every student in the class is seeing the same MD5, SHA-1, and SHA256 hash. See below:
MD5: E08FE2DE3DDD22123247D49A11B4F53D
SHA1: 3585B37200EF3321262B0977401183694A3C15C6
SHA256: EC436AEEE41857EEE5875EFDB7166FE043349DB5F58F3EE9FC4FF7F50005767F
- Right click on cmd.exe (not the shortcut) and click the hashes tab. The hashes will match sigcheck.
- Hashes look only at the contents of the file, not the name of the file. We will prove this right now by renaming the file and then re-hashing it.
- Rename the file to your first name. Right click on the yourname file and click file hashes.
Notice that, even though the filename has changed, the hash remains the same. This is because the hash is computed over the contents of the file, not the filename. This is important to know about hashes.
Add your screenshot to page 3 of your CMIT_424_LAB2_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- Click the shortcut to the Command Prompt on the Desktop.
- Type the following command to get the file hashes for the renamed cmd file, replacing yourname.exe with the name you gave the file (the example screenshot used jesse.exe):
C:\Windows\System32>sigcheck -h C:\Users\%username%\Desktop\yourname.exe
Add your screenshot to page 4 of your CMIT_424_LAB2_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- Double click on the HashCalc shortcut on the Desktop.
- Check every available hash. Notice the hash is the same as the hash from HashTab and sigcheck. However, HashCalc shows the hash in all lowercase hexadecimal, as opposed to the all uppercase hexadecimal value provided by sigcheck and HashTab. This is important because some of the Capture the Flag (CTF) questions from Project 1 and Project 2 ask for a specific case (uppercase or lowercase).
Add your screenshot to page 5 of your CMIT_424_LAB2_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
You have learned about three widely used, industry-approved tools for hashing in this section.
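The two points made in this section (the hash covers only the file's bytes, never its name, and the tools differ only in the case of the hex they print) can be checked with a few lines of Python. This script is an added example, not part of the lab guide or of sigcheck, HashTab or HashCalc; it writes a constructed stand-in file (not the real cmd.exe), renames it the way the lab does, changes one byte to show the opposite effect, and converts the digest case the way the CTF questions require. All function names are the example's own.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # the three digests sigcheck -h reports

def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash the file's bytes in chunks, as sigcheck -h, HashTab and HashCalc do.
    Only the contents are fed to the hash; the file name never is."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}  # lowercase hex

def make_sample(content, name="cmd.exe"):
    """Write a constructed file into a fresh temp dir (a stand-in for the cmd.exe
    copied to the Desktop, not the real binary) and return its path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path

def rename_and_rehash(path, new_name):
    """Rename the file as the lab does (cmd.exe -> yourname.exe) and hash again.
    Returns (before, after, new_path); before == after, since the name is not hashed."""
    before = hash_file(path)
    new_path = os.path.join(os.path.dirname(path), new_name)
    os.rename(path, new_path)
    return before, hash_file(new_path), new_path

def flip_one_byte_and_rehash(path):
    """Change a single byte of the contents: every digest changes, which is why a
    matching hash is evidence that the contents are unaltered."""
    with open(path, "r+b") as fh:
        first = fh.read(1)[0]
        fh.seek(0)
        fh.write(bytes([first ^ 0x01]))
    return hash_file(path)

def to_case(digests, upper=True):
    """sigcheck and HashTab print uppercase hex, HashCalc lowercase: the same value.
    Convert to whichever case a CTF answer field asks for."""
    return {k: (v.upper() if upper else v.lower()) for k, v in digests.items()}
```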
Section 3 – Disks and Disk Management
- Click This PC. Right click on Local Disk C: and go to Properties.
- Notice that the File System is NTFS. This means that there will be a Security tab present for NTFS permissions. In the blank space, add your first name into the name for the Volume label. Click Continue when you are told that you will need permission to rename this drive.
Add your screenshot to page 6 of your CMIT_424_LAB2_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
Very Important Note: You will need at least 30 GB of additional disk space on your host computer to go through the next few steps. Hopefully, you have that. If not, one other option is to use a USB mass storage device. If you choose that route, shut down the VM, copy it to the USB storage device, and then you can just double click on the Windows 10 CMIT 424.vmx file on the removable drive and it will start.
- Go to VM from the VMware Workstation menu bar and select Settings.
- Click Add to add a device.
- Select Hard Disk and click Next.
- Click Next to accept SCSI (Recommended).
- Accept the default of Create a new virtual disk.
- For the maximum disk size (GB), put 30. Click Next. Click Finish. Click OK.
- Right click on the Start menu and select Disk Management.
- Click OK to initialize the disk. Notice that we are using the Master Boot Record partitioning style.
- Right click and select New Simple Volume.
- Click Next.
- Click Next to accept the default volume size.
- Click Next to assign the drive letter E:.
- At Format Partition, put YourFIRSTNAME-backup for the Volume label and take a screenshot.
Add your screenshot to page 7 of your CMIT_424_LAB2_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- Click Next. Click Finish. Take a screenshot of Disk Management with the two yourname drives.
Add your screenshot to page 8 of your CMIT_424_LAB2_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
Section 4 – Imaging
- Click This PC. Right click the DVD and select Open. Double click on the FTK Imager Lite folder.
- Find the FTK Imager program, right click it, and select Run as administrator. Click Yes to the User Account Control warning.
- Select File and then choose Create Disk Image.
- Click Physical Drive and click Next.
- Make sure Physical Drive 0 is selected. Click Finish.
- Click Add.
- Select Raw (dd) and click Next.
- For the Evidence Item Information, put:
Case number: Today’s Date
Evidence number: 424
Unique Description: Computer Forensics
Examiner: Your First Name and Your Last Name
Note: Put Your Instructor’s Name Here
Add your screenshot to page 9 of your CMIT_424_LAB2_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- For the Image Destination Folder, you can either type E:\ or click Browse and go to the E: drive. For the image name, put yourname.dd. For the Fragment Size, put 0. Click Finish.
- Click Start.
- You will see that the image is created with a progress bar.
- DO NOT CLICK CLOSE at the Drive/Image Verify Results screen.
You can record the hashes when you take the image and then provide the hashes to other examiners. When they hash the image, they will look for the same hash that you recorded to verify the integrity of the data, and they can have confidence that the data has not been altered or tampered with in any way. Next, we will go through the verification process.
- To do this, click Windows Explorer, This PC, Local Disk E:, right click on the image file, go to Properties, and select the hash tab. It may take a while to calculate the hash.
Add your screenshots to page 10 of your CMIT_424_LAB2_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
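The record-then-verify workflow described above, as an added Python example that is not part of the lab guide or of FTK Imager: it images a constructed stand-in for Physical Drive 0 (a small file, not a real disk), hashes the bytes as they are written into the raw (dd) image, stores the digests in a sidecar file whose layout is this example's own assumption, and re-hashes the image later the way HashTab does in the last step; flipping one bit shows the verification failing. All function names are the example's own.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20          # 1 MiB reads, so a multi-GB image is never held in memory whole
ALGOS = ("md5", "sha1")  # the two digests the Drive/Image Verify Results screen reports

def hash_chunks(chunks, algos=ALGOS):
    """Feed each chunk to every hasher; hex digests uppercase, as HashTab shows them."""
    hashers = {a: hashlib.new(a) for a in algos}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest().upper() for a, h in hashers.items()}

def make_fake_drive(size_mib=3):
    """Constructed stand-in for Physical Drive 0: an MBR boot signature at offset 510, then zeros."""
    path = os.path.join(tempfile.mkdtemp(), "physicaldrive0.bin")
    with open(path, "wb") as fh:
        fh.write(b"\x00" * 510 + b"\x55\xaa" + b"\x00" * (size_mib * 1024 * 1024 - 512))
    return path

def acquire_raw(source, image_path):
    """Stream the source byte-for-byte into a raw (dd) image, hashing the bytes as they are
    written, then record the digests in a sidecar (assumed 'algo HEX' lines, not FTK's format)."""
    def copy_and_yield():
        with open(source, "rb") as src, open(image_path, "wb") as dst:
            for chunk in iter(lambda: src.read(CHUNK), b""):
                dst.write(chunk)
                yield chunk
    recorded = hash_chunks(copy_and_yield())
    with open(image_path + ".hashes.txt", "w") as fh:
        fh.writelines(f"{a} {v}\n" for a, v in recorded.items())
    return recorded

def verify_image(image_path):
    """Later verification by another examiner: re-hash and compare. Returns (ok, recorded, computed)."""
    with open(image_path + ".hashes.txt") as fh:
        recorded = dict(line.split() for line in fh if line.strip())
    with open(image_path, "rb") as fh:
        computed = hash_chunks(iter(lambda: fh.read(CHUNK), b""), tuple(recorded))
    return computed == recorded, recorded, computed

def tamper(image_path, offset):
    """Flip one bit at the given offset, simulating an altered image; verify_image then fails."""
    with open(image_path, "r+b") as fh:
        fh.seek(offset)
        byte = fh.read(1)[0]
        fh.seek(offset)
        fh.write(bytes([byte ^ 0x01]))
```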
Hint: Do not forget your Introduction and Conclusion in your lab worksheet or you will lose points on your assignment.