
Lab 2 Guide CMIT 424 Computer Forensics

Table of Contents
Introduction
Section 1 – Lab Setup
Section 2 – Hashing
Section 3 – Disks and Disk Management
Section 4 – Imaging
Introduction
Important Note: To complete Lab 2, you need to have completed Lab 1 first.
During this lab, we will use a variety of hashing tools, imaging tools, and even analysis tools.
Lab Description:
To fully understand Computer Forensics, it is essential that you understand how the Operating
Systems and File Systems work, and how to utilize computer forensics tools that will help you
recover the artifacts relevant to the case.
Learning Outcomes:
The goal is to implement various techniques to collect and analyze information from digital
media that are used in computer forensic investigations.
After completing this course, you should be able to:
Course Learning Outcomes
• establish a digital forensic workstation for the purpose of collecting and analyzing data.
• select and apply the most appropriate methodology to extract data based on circumstances and
reassemble artifacts from data fragments.
• apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital
artifacts.
• analyze and interpret data collected and report outcomes in accordance with incident response
handling guidelines.
Section 1 – Lab Setup

  1. (You completed the OS install in Lab 1.) Click Power on this Virtual Machine.
    [Screenshot: Windows 10 VM]
  2. Use this button to send a Control+Alt+Delete to the Windows VM.
    [Screenshot: Control+Alt+Delete button]
  3. Log on to the Windows 10 virtual machine you created in Lab 1 with your first name as the username
    and the password of [email protected]
  4. If you did not already do so for Lab 1, download the CMIT 424 Software Tools ISO file needed for this
    class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
  5. Click Edit virtual machine settings.
    [Screenshot: Edit Settings]
  6. Click on the CD/DVD icon and then click Browse. Go to the location on your system where you
    downloaded the CMIT 424 tools ISO file and select it. Verify that both Connected boxes are checked.
    [Screenshot: CMIT 424 Tools ISO attached as the CD/DVD]
  7. Click This PC. Right click the DVD and select Open. Double click on the HashTab Setup.
    [Screenshot: HashTab]
  8. Click Yes, Next, I agree, Install, Finish. Close the browser window the installer opens.
  9. Double click on HashCalc202. Click Yes, Next, I accept, Next, Next, Next, Install.
    [Screenshot: HashCalc]
  10. Right click on the SysinternalsSuite zip file and select Send to > Documents.
    [Screenshot: SysinternalsSuite]
  11. Within the Documents folder, right click on SysinternalsSuite and select Extract All... Click Extract.
  12. Find sigcheck in the list. Right click on the file and select Copy.
    [Screenshot: sigcheck]
  13. Click on Local Disk C:\, open the Windows directory, and then click Paste. Click Continue when asked for
    administrator permission. C:\Windows is on the system PATH, so sigcheck can now be run from any command
    prompt without typing its full path.
    [Screenshot: Windows directory]
  14. Double click on System32. Find cmd.exe in the list.
    [Screenshot: cmd.exe in System32]
  15. Right click on cmd.exe and select Copy.
    [Screenshot: cmd.exe]
  16. Right click on the Desktop and select Paste to copy the file there.
    [Screenshot: Paste the file]
    Here is a summary of what was done in Section 1:
    • HashTab was installed from the CMIT 424 tools DVD.
    • HashCalc was installed from the CMIT 424 tools DVD.
    • SysinternalsSuite was extracted to Documents.
    • sigcheck was copied to the Windows directory.
    • A shortcut to cmd.exe was created on the Desktop.
    • cmd.exe was copied from C:\Windows\System32 to the Desktop.
    The directions for all of these steps are listed in Section 1. You will need them in the next sections.
    Section 2 – Hashing
  23. Click the shortcut to the Command Prompt on the Desktop.
    [Screenshot: Windows Command Prompt shortcut]
  24. Type the following command to get the file hashes for cmd.exe. (The first time a Sysinternals tool runs it
    shows a license agreement; click Agree, or add -accepteula to the command.)
    C:\Windows\System32>sigcheck -h cmd.exe
    [Screenshot: sigcheck output]
    Every student in the class should see the same MD5, SHA-1, and SHA-256 hashes, because every VM was
    installed from the same Windows 10 media. The values below are from the build used when this guide was
    written; a different Windows 10 build ships a different cmd.exe and will therefore show different hashes.
    MD5: E08FE2DE3DDD22123247D49A11B4F53D
    SHA1: 3585B37200EF3321262B0977401183694A3C15C6
    SHA256: EC436AEEE41857EEE5875EFDB7166FE043349DB5F58F3EE9FC4FF7F50005767F
  25. Right click on the copy of cmd.exe on the Desktop (not the shortcut), select Properties, and click the
    File Hashes tab. The hashes will match sigcheck, because the copy has exactly the same contents as the
    original in C:\Windows\System32.
    [Screenshot: HashTab]
  26. A hash covers only the contents of a file, not its name. We will prove this right now by renaming the
    file and then re-hashing it.
    [Screenshot: Rename]
  27. Rename the file to your first name. Right click on the yourname file, select Properties, and click File Hashes.
    Notice that even though the filename has changed, the hash remains the same. The hash is computed over the
    file's contents, not its name, so a renamed copy of a known file still matches its known hash. This is
    important to know about hashes.
    Add your screenshot to page 3 of your CMIT_424_LAB2_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  28. Click the shortcut to the Command Prompt on the Desktop.
    [Screenshot: Windows Command Prompt]
  29. Type the following command to get the file hashes for the renamed cmd file, replacing yourname.exe with
    the name you gave the file:
    C:\Windows\System32>sigcheck -h C:\Users\%username%\Desktop\yourname.exe
    [Screenshot: sigcheck output]
    Add your screenshot to page 4 of your CMIT_424_LAB2_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  30. Double click on the HashCalc shortcut on the Desktop.
    [Screenshot: HashCalc]
  31. Browse to the renamed file and check every available hash. Notice the hash is the same as the hash from
    HashTab and sigcheck. However, HashCalc prints the hexadecimal value in all lowercase, whereas sigcheck and
    HashTab print it in all uppercase. Both spellings are the same value; when comparing hashes across tools,
    ignore case. The distinction matters because some of the Capture the Flag (CTF) questions in Project 1 and
    Project 2 ask for a specific case (uppercase or lowercase).
    [Screenshot: HashCalc]
    Add your screenshot to page 5 of your CMIT_424_LAB2_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
    You have now used three widely used, industry-accepted hashing tools in this section.
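The two properties this section relies on, that a hash depends only on a file's contents and that the case of the hex spelling is irrelevant, as an added example in Python. This is not part of the lab guide and does not reproduce the real cmd.exe hashes above: it writes a constructed stand-in file in a temporary directory, renames it the way step 27 does, flips one bit to show the opposite case, and uses only the standard library so it runs offline on any OS.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for cmd.exe. The bytes do not matter, only that they stay the same.
SAMPLE_CONTENT = b"MZ\x90\x00" + b"constructed stand-in for cmd.exe\n" * 64


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Stream the file once and return {algorithm: lowercase hex digest}.

    Reading in 1 MiB chunks keeps memory flat even for a multi-gigabyte image,
    and feeding every hasher from the same read avoids touching the file three times."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def format_digest(hex_digest, uppercase=True):
    """Render a digest the way a given tool prints it: sigcheck and HashTab use
    uppercase, HashCalc lowercase. Same number, different spelling."""
    return hex_digest.upper() if uppercase else hex_digest.lower()


def hashes_match(reported, computed):
    """Case- and whitespace-insensitive digest comparison, which is how a
    value copied from one tool's output should be checked against another's."""
    return reported.strip().lower() == computed.strip().lower()


def rename_keeps_hash():
    """Hash a file, rename it (only the directory entry changes), hash it again.
    Returns (before, after); the two dicts are identical."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "cmd.exe")
        renamed = os.path.join(d, "yourname.exe")
        with open(original, "wb") as f:
            f.write(SAMPLE_CONTENT)
        before = hash_file(original)
        os.rename(original, renamed)
        after = hash_file(renamed)
    return before, after


def one_bit_changes_hash():
    """Flip a single bit in the last byte of the file; every digest changes.
    Returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cmd.exe")
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        before = hash_file(path)
        modified = bytearray(SAMPLE_CONTENT)
        modified[-1] ^= 0x01
        with open(path, "wb") as f:
            f.write(modified)
        after = hash_file(path)
    return before, after


if __name__ == "__main__":
    b, a = rename_keeps_hash()
    print("rename preserves hashes:", b == a)
    print("sigcheck style:", format_digest(b["md5"]), " HashCalc style:", format_digest(b["md5"], False))
    b, a = one_bit_changes_hash()
    print("one-bit change alters every hash:", all(b[k] != a[k] for k in b))
```

The same `hash_file` loop is what you would run over the raw image in Section 4; the only difference there is the size of the input, which is why the code streams rather than reading the whole file into memory.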
    Section 3 – Disks and Disk Management
  32. Click This PC. Right click on Local Disk C: and select Properties.
    [Screenshot: Local Disk C:\]
  33. Notice that the file system is NTFS. This is why a Security tab is present: it shows NTFS permissions, which
    a FAT-formatted volume does not have. In the blank space, type your first name as the volume label. Click
    Continue when you are told that you will need to provide administrator permission to rename this drive. (This
    writes the new label into the volume's metadata on disk. That is fine on your own lab workstation, but it is
    exactly the kind of change you would never make to evidence media.)
    [Screenshot: Local Disk C:\ properties]
    Add your screenshot to page 6 of your CMIT_424_LAB2_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.

Very Important Note: You will need at least 30 GB of additional free disk space on your host computer for the
next few steps. If you do not have it, one option is to use a USB mass storage device: shut down the VM, copy it
to the USB device, and then double click the Windows 10 CMIT 424.vmx file on the removable drive to start the VM
from there.

  1. Go to VM on the VMware Workstation menu bar and select Settings.
    [Screenshot: Settings]
  2. Click Add to add a device.
    [Screenshot: Add]
  3. Select Hard Disk and click Next.
    [Screenshot: Hard Disk]
  4. Accept SCSI (Recommended) and click Next.
  5. Accept the default, Create a new virtual disk, and click Next.
  6. For the maximum disk size (GB), put 30. Click Next. Click Finish. Click OK.
    [Screenshot: New Disk]
  7. Right click on the Start menu and select Disk Management.
    [Screenshot: Disk Management]
  8. Click OK to initialize the disk. Notice that the Master Boot Record (MBR) partitioning style is selected.
    MBR keeps its partition table in the first 512-byte sector of the disk, so it is the first thing an examiner
    sees at offset 0 of a raw image of an MBR disk.
    [Screenshot: Disk Management]
  9. Right click the unallocated space on the new disk and select New Simple Volume.
    [Screenshot: Disk Management]
  10. Click Next.
  11. Click Next to accept the default volume size.
  12. Click Next to accept the drive letter E:.
  13. At Format Partition, put YourFIRSTNAME-backup for the Volume label and take a screenshot.
    Add your screenshot to page 7 of your CMIT_424_LAB2_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
    Click Next. Click Finish.
    [Screenshot: Disk Management]
  14. Take a screenshot of Disk Management showing the two volumes labeled with your name (C: and the new E:).
    Add your screenshot to page 8 of your CMIT_424_LAB2_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
    [Screenshot: Disk Management]
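What the Master Boot Record partitioning style chosen in step 8 actually puts on disk, as an added example in Python that is not part of the lab guide. It constructs sector 0 for a 30 GB disk laid out the way Disk Management does for one NTFS simple volume (a data partition starting at LBA 2048 is assumed; the exact number of sectors Windows reserves at the end is not reproduced) and then parses the table back the way an examiner reads the first 512 bytes of a raw image. The partition-type table is a small subset, not an exhaustive list.

```python
import struct

SECTOR = 512
# Partition type bytes an examiner meets most often (subset). 0xEE is the
# protective entry a GPT disk carries; the real GPT table then lives in LBA 1.
PART_TYPES = {
    0x07: "NTFS / exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}
# One 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count (little-endian).
ENTRY_FMT = "<B3sB3sII"


def build_mbr(partitions):
    """Construct sector 0 of an MBR-style disk for testing.
    partitions: up to four (status, type, lba_start, sector_count) tuples."""
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
        for status, ptype, start, count in partitions
    ).ljust(64, b"\x00")
    # 446 bytes of boot code (zeroed here), the 64-byte table, then the 0x55AA signature.
    return bytes(446) + table + b"\x55\xaa"


def has_boot_signature(sector0):
    """True if the sector ends in the 0x55AA signature every MBR must carry."""
    return len(sector0) >= SECTOR and sector0[510:512] == b"\x55\xaa"


def parse_mbr(sector0):
    """Return the non-empty partition entries from sector 0 as dicts with
    both sector and byte offsets, the numbers needed to seek into a raw image."""
    if not has_boot_signature(sector0):
        raise ValueError("no 0x55AA signature in sector 0: not an MBR")
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot
        status, _chs_start, ptype, _chs_end, start, count = struct.unpack(
            ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "lba_start": start,
            "sector_count": count,
            "byte_offset": start * SECTOR,
            "size_bytes": count * SECTOR,
        })
    return entries


def partition_bytes(image, entry):
    """Slice one partition out of a raw image held in memory, ready to hand to a
    file-system parser. For a real image you would seek to byte_offset instead."""
    return image[entry["byte_offset"]: entry["byte_offset"] + entry["size_bytes"]]


def demo():
    """Constructed 30 GB disk with one NTFS partition starting at LBA 2048."""
    total_sectors = 30 * 1024 ** 3 // SECTOR
    sector0 = build_mbr([(0x00, 0x07, 2048, total_sectors - 2048)])
    return parse_mbr(sector0)


if __name__ == "__main__":
    for p in demo():
        print(f"slot {p['slot']}: {p['type_name']} at byte {p['byte_offset']}, {p['size_bytes']} bytes")
```

The 1 MiB gap before LBA 2048 is why a volume's file system does not start at the beginning of the image: a tool that parses the image as if it began with an NTFS boot sector finds nothing, while one that reads the MBR first knows where to seek.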
    Section 4 – Imaging
  15. Click This PC. Right click the DVD and select Open. Double click on the FTK Imager Lite folder.
    [Screenshot: DVD Tools]
  16. Find the FTK Imager program, right click it and select Run as administrator. Click Yes to the User
    Account Control prompt. Administrator rights are required because imaging a physical drive means reading
    the raw device underneath the file system, not files through it.
    [Screenshot: FTK Imager]
  17. Select File and then choose Create Disk Image.
    [Screenshot: FTK Imager]
  18. Click Physical Drive and click Next.
    [Screenshot: FTK Imager]
  19. Verify that Physical Drive 0 is selected. This is the disk that holds your Windows C: volume; the 30 GB
    disk you added in Section 3 is a separate physical drive and is the destination, not the source. Click Finish.
    [Screenshot: FTK Imager]
  20. Click Add.
    [Screenshot: FTK Imager]
  21. Select Raw (dd) and click Next.
    [Screenshot: FTK Imager]
  22. For the Evidence Item Information, put:
    Case number: today's date
    Evidence number: 424
    Unique Description: Computer Forensics
    Examiner: your first name and your last name
    Notes: your instructor's name
    [Screenshot: FTK Imager]
    Add your screenshot to page 9 of your CMIT_424_LAB2_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  23. For the Image Destination Folder, either type E:\ or click Browse and go to the E: drive. For the Image
    Filename, put yourname.dd (FTK Imager appends a segment number, so the file written to E: will be named
    yourname.dd.001). For the Fragment Size, put 0, which writes the whole image as a single file instead of
    splitting it into segments. Click Finish.
    [Screenshot: FTK Imager]
  24. Make sure Verify images after they are created is checked, then click Start.
  25. You will see the image being created, with a progress bar.
    [Screenshot: FTK Imager]
  26. DO NOT CLICK CLOSE at the Drive/Image Verify Results screen.
    [Screenshot: FTK Imager]
    FTK Imager computes MD5 and SHA1 hashes of the source drive as it reads it, then reads the finished image
    back and hashes it again; the Verify Results screen shows both, and they must match. Record the hashes
    taken at acquisition time and provide them to other examiners along with the image. When they hash the
    image, they compare their result against the values you recorded; a match verifies the integrity of the
    data and gives them confidence that it has not been altered or tampered with in any way. Next, we will go
    through that verification process by hand.
  27. To do this, open Windows Explorer, click This PC, open Local Disk E:, right click on the image file, go to
    Properties, and select the File Hashes tab. It may take a while to calculate the hashes over a multi-gigabyte
    image. Compare the MD5 and SHA1 values with those on the FTK Imager Verify Results screen; they must match
    exactly, apart from the case of the hexadecimal letters.
    [Screenshot: FTK Imager and HashTab]
    Add your screenshots to page 10 of your CMIT_424_LAB2_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
Hint: Do not forget your Introduction and Conclusion in your lab worksheet or you will lose points on your assignment.
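The verification in steps 26 and 27, done programmatically, as an added example in Python that is not part of the lab guide and is not FTK Imager's own code. It assumes the recorded MD5 and SHA1 were copied from the imager's Verify Results screen (in whatever case that tool printed them), hashes a raw image as one byte stream across any .001/.002/... segments, so it also covers the case where a non-zero Fragment Size was chosen, and shows a single changed byte being caught. The "drive" and the image segments are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-gigabyte images


def hash_segments(paths, algorithms=("md5", "sha1")):
    """Hash the ordered concatenation of paths as one stream.

    A raw (dd) image split into X.001, X.002, ... is still one byte stream;
    hashing each segment on its own produces values that match nothing the
    imager reported."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for path in paths:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                for h in hashers.values():
                    h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_segments(first_segment):
    """List X.001, X.002, ... in order, or [path] for an unsegmented image."""
    base, ext = os.path.splitext(first_segment)
    if not ext[1:].isdigit():
        return [first_segment]
    segments, n = [], int(ext[1:])
    while os.path.exists(f"{base}.{n:03d}"):
        segments.append(f"{base}.{n:03d}")
        n += 1
    return segments


def verify_image(first_segment, recorded):
    """Compare the hashes recorded at acquisition time with hashes computed over
    the image now. recorded: {algorithm: hex digest as copied from the imager}.
    Returns (all_match, computed). Case-insensitive, since tools disagree on case."""
    computed = hash_segments(image_segments(first_segment), tuple(recorded))
    ok = all(recorded[alg].strip().lower() == computed[alg] for alg in recorded)
    return ok, computed


def run_demo():
    """Constructed end-to-end run: fake a 1 MiB 'physical drive', image it into
    two segments, verify, flip one byte in the second segment, verify again."""
    drive = bytes(range(256)) * 4096
    # Acquisition-time hashes: what the imager computes from the source as it reads it.
    recorded = {"md5": hashlib.md5(drive).hexdigest().upper(),
                "sha1": hashlib.sha1(drive).hexdigest().upper()}
    with tempfile.TemporaryDirectory() as d:
        first = os.path.join(d, "yourname.dd.001")
        second = os.path.join(d, "yourname.dd.002")
        half = len(drive) // 2
        with open(first, "wb") as f:
            f.write(drive[:half])
        with open(second, "wb") as f:
            f.write(drive[half:])
        clean_ok, _ = verify_image(first, recorded)
        # Tamper with the image after acquisition: one byte in the second segment.
        with open(second, "rb") as f:
            data = bytearray(f.read())
        data[10] ^= 0xFF
        with open(second, "wb") as f:
            f.write(data)
        tampered_ok, _ = verify_image(first, recorded)
    return {"segments": 2, "clean_verified": clean_ok, "tampered_verified": tampered_ok}


if __name__ == "__main__":
    print(run_demo())
```

The recorded values are compared after lowercasing because the values you copy from the Verify Results screen, HashTab and HashCalc differ only in case; a byte-for-byte string comparison would report a false mismatch on an intact image.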