
Lab 4 Guide CMIT 424 Computer
Forensics

Table of Contents
Introduction
Section 1 – The Recycle Bin
Section 2 – The Path
Section 3 – Services
Section 4 – Windows Tasks
Section 5 – Data Hiding Techniques
Introduction
Important Note: To complete Lab 4 you need to have completed Labs 1 through 3.
During this lab, we will examine the common locations of Windows artifacts. There are usually
many thousands of files on an average hard drive that has an operating system present, and sifting
through all that data can take a computer forensics examiner a lot of time. That is why experienced
investigators first look in a few key places where the most important artifacts are typically
located. Two of those key places are covered in other labs: Lab 3 covered the Event Viewer logs, and
Lab 8 will cover browser history.
Lab Description:
To fully understand Computer Forensics, it is essential that you understand how the Operating
Systems and File Systems work, and how to utilize computer forensics tools that will help you
recover the artifacts relevant to the case.
Learning Outcomes:
The goal is to implement various techniques to collect and analyze information from digital
media that are used in computer forensic investigations.
Course Learning Outcomes
After completing this course, you should be able to:
• establish a digital forensic workstation for the purpose of collecting and analyzing data.
• select and apply the most appropriate methodology to extract data based on circumstances and
reassemble artifacts from data fragments.
• apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital
artifacts.
• analyze and interpret data collected and report outcomes in accordance with incident response
handling guidelines.
Section 1 – The Recycle Bin

  1. (You completed the OS install in Lab 1). Click Power on this Virtual Machine:
    Power On
  2. Use this button to send a Control+Alt+Delete to the Windows VM.
    Control+Alt+Delete
  3. Log on to the Windows 10 Virtual Machine you created in Lab 1 with your first name as the username
    and [email protected] as the password.
    One of my coworkers at DC3 who had literally performed hundreds of Computer Forensics investigations and
    testified in Court numerous times, told me the first place they always looked in an investigation is in the
    Recycle Bin. They said what a person was deleting told them a lot about the person they investigated.
  4. Right click on the Desktop, select New, then Text Document. Name the file yourname.
    Right click on the Desktop, select New, then Folder. Name the folder yourname.
    Right click on the Desktop, select New, then Compressed (zipped) Folder. Name the zip file yourname.
    Folder Creation
    Add your screenshot to page 3 of your CMIT_424_LAB4_WORKSHEET.
    Note: Your screenshot will be different from the example provided.
    Do not use the EXAMPLE screenshot.
  5. Right click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
    Command Prompt
  6. Type control and press Enter to open the Control Panel.
    Control Panel
  7. Click on System and Security. Next, click on File History. Click Turn on; the status should change to
    “Turned on”. File History keeps its copies on a drive other than C:, so if Windows prompts you to select a
    drive, pick the VM's secondary drive.
    File History
  8. Right click on each of the three Desktop items and delete them. They go to the Recycle Bin, which
    has been around since Windows 95. An item in the Recycle Bin can be restored or permanently deleted. Next
    week in Lab 5, you will learn how to recover files that were “deleted” within the operating system.
    Double click on the Recycle Bin and notice that your files are there. You will also be able to view the
    Recycle Bin when you analyze a disk image with Autopsy in the Week 5 lab. Close the window; do not delete
    anything yet.
    Recycle Bin
  9. Right click on the Recycle Bin and select Empty Recycle Bin.
    Recycle Bin
    After the files have been removed from the Recycle Bin, most people would assume they are gone.
  10. Open File Explorer. Right click on the C: drive, select Properties and go to the Previous Versions tab.
    Under Unspecified C:\, click Open, then go to Users, then to the yourname folder, then into the Desktop
    folder to look for the three deleted files.
    Previous Versions
  11. Click Open in File History. Your files will reappear, and the green button restores them.
    File History
    Add your screenshot to page 4 of your CMIT_424_LAB4_WORKSHEET.
    Note: Your screenshot will be different from the example provided.
    Do not use the EXAMPLE screenshot.
    Note: In some versions of Windows, such as Windows 7 and Windows 8.1, Previous Versions may be enabled
    automatically. The restore points Windows creates (Volume Shadow Copies) preserve copies of files in much
    the same way as File History did in this scenario.
  12. Right click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
    Command Prompt
  13. Type the following to switch to your Desktop directory.
    C:\Windows\System32>cd c:\Users\%Username%\Desktop
    Command Prompt
  14. Type the following, replacing YourFirstName with your first name.
    C:\Users\%username%\Desktop>echo my name is YourFirstName >> name.txt
    Command Prompt
    Notice that the file now appears on the desktop.
  15. Type the following to display the file's contents together with the current date and time.
    C:\Users\%username%\Desktop> type name.txt && date /t && time /t
    Command Prompt
    Add your screenshot to page 5 of your CMIT_424_LAB4_WORKSHEET.
    Note: Your screenshot will be different from the example provided.
    Do not use the EXAMPLE screenshot.
  16. Type the following to delete the file from the command line. Notice that it never goes to the
    Recycle Bin: a file deleted with del from the command line (or with Shift+Delete in Explorer) bypasses
    the Recycle Bin entirely.
    C:\Users\%username%\Desktop>del name.txt
    Command Prompt
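The Recycle Bin the lab walks through in the GUI is, on disk, the hidden folder C:\$Recycle.Bin\<user SID>\. Since Windows Vista each deleted file is stored there as a pair: a $R<random> file holding the content and a $I<random> file holding the metadata (original path, size and deletion time), which is what Autopsy and similar tools read. The following Python parser is an added example for this guide, not part of the original lab; the $I record it builds for Alice.txt is constructed sample data, and the layout in the comments is the documented $I format for Vista through 8.1 (version 1) and Windows 10 and later (version 2).

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME = 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here only to build the sample)."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Parse one $I<random> record from C:\\$Recycle.Bin\\<SID>\\.

    Both versions start with an 8-byte version, the 8-byte original size and
    the 8-byte FILETIME of the deletion. Then:
      version 1 (Vista .. 8.1): a fixed 520-byte UTF-16LE path at offset 24
      version 2 (Windows 10+): a 4-byte character count at offset 24 (it
                               includes the NUL terminator), then the path
    """
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("truncated version-1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated version-2 path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def build_i_file(version, size, deleted_at, path):
    """Serialise a $I record; used here to construct the sample below."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        body = path.encode("utf-16-le").ljust(520, b"\x00")
    elif version == 2:
        encoded = (path + "\x00").encode("utf-16-le")
        body = struct.pack("<I", len(encoded) // 2) + encoded
    else:
        raise ValueError("version must be 1 or 2")
    return header + body


def r_file_name(i_file_name):
    """The content file that pairs with a metadata file: $Ixxxx.ext -> $Rxxxx.ext."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_file_name[2:]


# Constructed sample: the Windows 10 $I record for the lab's Alice.txt if it
# had been deleted at 2023-01-02 03:04:05 UTC (illustrative values only).
SAMPLE_DELETED_AT = datetime(2023, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
SAMPLE_I_FILE = build_i_file(2, 1234, SAMPLE_DELETED_AT, r"C:\Users\Alice\Desktop\Alice.txt")

if __name__ == "__main__":
    rec = parse_i_file(SAMPLE_I_FILE)
    print(f"{rec['deleted_at']:%Y-%m-%d %H:%M:%S} UTC  {rec['original_size']:>8}  {rec['original_path']}")
```

On a live system or a mounted image, point the parser at every file whose name starts with $I under C:\$Recycle.Bin\<SID>\; the matching $R file is the deleted content itself, and emptying the Recycle Bin (step 9) deletes both files, after which only Lab 5's carving or a File History copy will bring the data back.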
Section 2 – The Path
  17. Right click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
    Command Prompt
  18. Type the following below to show the PATH.
    C:\Windows\System32>PATH
    Command Prompt
    The PATH is the list of directories where the operating system looks for executable files. If the program you
    are running is not in one of those directories, you need to type the full path to the executable or be in the
    directory where it is located. For example, if nc.exe (netcat) were in the root of C:, which is not in the
    PATH, you would need to type c:\nc.exe (unless you were already in the root of C:\ at the command line).
    For this reason, malware is often placed in a directory that is already in the PATH, so the attacker does not
    need to remember the full path to get their executable to launch.
  19. Type the following below to switch back to the root of C:\
    C:\Windows\System32>cd \
    Command Prompt
    Note: Caution. The next step will fail and that is supposed to happen. The command “ls” is for Linux.
  20. Type the following command to attempt to use ls in the Windows Command Prompt.
    C:\ >ls
    Command Prompt
  21. Type the following to create a batch file named ls.bat in the root of C:\ that runs dir /a.
    C:\ > echo dir /a > ls.bat
    Command Prompt
  22. Type the following command to attempt to use ls in the Windows Command Prompt.
    C:\ >ls
    Command Prompt
  23. Type the following to switch to the C:\Users directory.
    C:\ > cd c:\Users
    Command Prompt
  24. Type the following command to attempt to use ls (or hit the up-arrow key a few times).
    C:\Users>ls
    Command Prompt
    The command failed because the file is not in the path. If you typed c:\ls.bat, it would work.
  25. Type the following below to copy the bat file from the root of C:\ to the Windows directory.
    C:\Users>copy c:\ls.bat C:\Windows
    Command Prompt
  26. Type the following command to attempt to use ls (or hit the up-arrow key a few times).
    C:\Users>ls
    Command Prompt
    Add your screenshot to page 6 of your CMIT_424_LAB4_WORKSHEET.
    Note: Your screenshot will be different from the example provided.
    Do not use the EXAMPLE screenshot.
    While Windows has many files and folders, the folder Windows\System32 holds the majority of the
    executables for the operating system. When I did a dir of Windows\System32, it listed over 4000 files. For that
    reason, and because it is in the PATH, it is a great place for an attacker to store files. A computer forensics
    investigator will often look in the PATH folders first and sort the many files by their creation date.
  27. Type the following to copy the batch file from the root of C:\ into the System32 directory under a new name.
    Note: please change yourname to your first name.
    C:\Users>copy c:\ls.bat C:\Windows\System32\yourname.bat
    Command Prompt
  28. Open Windows Explorer. Go to C:\, Windows, System32. Click the Date Modified column header (click it
    again to reverse the sort) until you see the yourname file at the top of the list.
    Windows Explorer
    Add your screenshot to page 7 of your CMIT_424_LAB4_WORKSHEET.
    Note: Your screenshot will be different from the example provided.
    Do not use the EXAMPLE screenshot.
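Steps 19 through 26 demonstrate PATH resolution by hand. The script below, an added example for this guide rather than part of the lab, emulates that lookup offline: the current directory first, then each PATH entry in order, trying each PATHEXT extension for a bare name. The PATH, PATHEXT and file inventory are constructed to mirror the lab VM and are assumptions, as is the simple "user-writable directory" heuristic. It goes one step beyond the lab by listing every match in search order, so a planted file that shadows a legitimate command of the same name is visible.

```python
import ntpath

# Constructed to mirror the lab VM: the default PATH of a Windows 10 install
# (abridged) and the extensions cmd.exe appends to a bare command name, in order.
DEFAULT_PATH = r"C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0"
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH", ".MSC"]

# Constructed file inventory; there is no real disk behind the emulation.
FILES_BEFORE_COPY = {
    r"C:\ls.bat",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\notepad.exe",
}
FILES_AFTER_COPY = FILES_BEFORE_COPY | {r"C:\Windows\ls.bat"}


def search_order(cwd, path=DEFAULT_PATH):
    """Directories in the order cmd.exe consults them: the current directory,
    then each PATH entry from left to right."""
    return [cwd] + [d for d in path.split(";") if d]


def candidates(name, pathext=DEFAULT_PATHEXT):
    """Names tried for a typed command: as typed when it carries an extension,
    otherwise name + each PATHEXT extension in order."""
    if ntpath.splitext(name)[1]:
        return [name]
    return [name + ext for ext in pathext]


def all_matches(name, cwd, files, path=DEFAULT_PATH, pathext=DEFAULT_PATHEXT):
    """Every file that could satisfy `name`, in lookup order (case-insensitive,
    like NTFS). Any entry after the first is shadowed by the first."""
    lookup = {f.lower(): f for f in files}
    found = []
    for directory in search_order(cwd, path):
        for candidate in candidates(name, pathext):
            key = ntpath.join(directory, candidate).lower()
            if key in lookup:
                found.append(lookup[key])
    return found


def resolve(name, cwd, files, path=DEFAULT_PATH, pathext=DEFAULT_PATHEXT):
    """The file cmd.exe would run, or None ('is not recognized as an internal
    or external command, operable program or batch file')."""
    matches = all_matches(name, cwd, files, path, pathext)
    return matches[0] if matches else None


def writable_by_standard_user(directory):
    """Heuristic (an assumption for this example): profile and temp locations
    are writable without administrator rights."""
    d = directory.lower()
    return d.startswith(r"c:\users") or "\\temp" in d


def hijackable_entries(path=DEFAULT_PATH):
    """PATH entries a non-admin can plant a file in; a file there shadows any
    same-named command in the entries that follow it."""
    return [d for d in path.split(";") if d and writable_by_standard_user(d)]


if __name__ == "__main__":
    for label, cwd, files in [
        ("step 22, ls typed in C:\\", "C:\\", FILES_BEFORE_COPY),
        ("step 24, ls typed in C:\\Users", r"C:\Users", FILES_BEFORE_COPY),
        ("step 26, after copying to C:\\Windows", r"C:\Users", FILES_AFTER_COPY),
    ]:
        print(f"{label:40} -> {resolve('ls', cwd, files)}")
```

The same search order is why the sort-by-date check in step 28 matters: a file dropped into System32 (first in the PATH) wins over anything later, and the only thing that gives it away in a directory of 4000 files is its timestamp.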
Section 3 – Services
  29. Type the command to create a new batch file called mynamediskfix.bat in the Users directory.
    C:\Users> echo chkdsk /f e: > mynamediskfix.bat
    Note: please change myname to your first name.
    Command Prompt
  30. This program will just check the E: Drive for errors and fix them. To run it, type
    Note: replace myname with your firstname.
    C:\Users> mynamediskfix.bat
    Command Prompt
    We can also register this batch file as a service so that it is listed to run every time the computer starts.
  31. Type the following command to create the Yourname service. Replace Yourname with your first name,
    followed by Service (no spaces). Note that sc.exe requires a space after each = sign (binpath= , type= ,
    start= ); start= auto registers the service to start at boot. One caveat: the Service Control Manager
    expects a real service executable that reports back to it, and a batch file never does, so an attempt to
    start this service would time out with error 1053. The registration itself, which is what you see in
    services.msc and under HKLM\SYSTEM\CurrentControlSet\Services, is the artifact of interest here.
    C:\Users> sc.exe create YournameService binpath= c:\Users\mynamediskfix.bat type= share start= auto
    Service Created
  32. Type the following command to open services:
    C:\Users> services.msc
    Services
    Scroll down the list (it is alphabetical) until you find the Yourname service.
    Note that the service has no description. Legitimate services almost always carry one, so a missing
    description is one sign that a service deserves a closer look.
    Add your screenshot to page 8 of your CMIT_424_LAB4_WORKSHEET.
    Note: Your screenshot will be different from the example provided.
    Do not use the EXAMPLE screenshot.
Section 4 – Windows Tasks
    People may use the Recycle Bin to try to hide things, and attackers may leave artifacts in directories on the
    file system and in services. Another place to look for suspicious activity is the list of scheduled tasks.
  33. Type the following command to create a scheduled task.
    C:\Users> schtasks /create /sc DAILY /tn YOURNAME /tr C:\Users\mynamediskfix.bat
    Scheduled Task
  34. In Windows Explorer, go to This PC, Local Disk (C:), Windows, System32, Tasks (click Continue to get
    access) to see the Yourname task. Each task is stored there as an XML file; right click on it and edit with
    Notepad++ to see the command it runs, its trigger, and the author. You can also find this scheduled task in
    the Task Scheduler (use the Windows search feature), and Windows keeps a second copy of the task
    definition in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache.
    Notepad++
    Add your screenshot to page 9 of your CMIT_424_LAB4_WORKSHEET.
    Note: Your screenshot will be different from the example provided.
    Do not use the EXAMPLE screenshot.
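Steps 31 through 34 register a service and a scheduled task. An investigator rarely reads services.msc and Task Scheduler one entry at a time; the Python below, added for this guide and not part of the lab, triages both from their on-disk forms: the task XML files in C:\Windows\System32\Tasks and the ImagePath, Start and Description values of each key under HKLM\SYSTEM\CurrentControlSet\Services. The task XML and the service records are constructed samples, the flags are the observations from this section (a script outside the Windows tree, a user-writable location, a missing description) plus the classic unquoted-path-with-spaces check, and %SystemRoot% is assumed to be C:\Windows.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Where a legitimately installed program normally runs from (lower-case).
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def normalize(command):
    # %SystemRoot% and %windir% are assumed to be C:\Windows in this example.
    cmd = command.strip().replace("%SystemRoot%", r"C:\Windows").replace("%windir%", r"C:\Windows")
    return cmd.lower()


def executable_of(command):
    """Program part of a command line: the quoted path, or everything before
    the first option marker (' -' or ' /') when the path is unquoted."""
    cmd = normalize(command)
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return re.split(r" [-/]", cmd, maxsplit=1)[0]


def command_flags(command):
    """Reasons an analyst would look twice at what a service or task runs."""
    cmd = normalize(command)
    exe = executable_of(command)
    flags = []
    if not exe.startswith(TRUSTED_ROOTS):
        flags.append("runs from outside the Windows/Program Files trees")
    if exe.startswith(r"c:\users") or "\\temp\\" in exe or "\\appdata\\" in exe:
        flags.append("program lives in a user-writable location")
    if exe.endswith(SCRIPT_EXTS):
        flags.append("program is a script, not a PE executable")
    # Unquoted path with spaces: the SCM tries C:\Program.exe, then C:\Program Files\Acme.exe, ...
    if not cmd.startswith('"') and " " in exe:
        flags.append("unquoted path containing spaces")
    return flags


def triage_service(svc):
    """svc holds the values of one key under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    flags = command_flags(svc.get("ImagePath", ""))
    if not svc.get("Description"):
        flags.append("no description")
    return {"name": svc["Name"], "command": svc.get("ImagePath", ""), "flags": flags}


def parse_task_xml(task_name, data):
    """Parse one file from C:\\Windows\\System32\\Tasks (the file name is the task
    name). Files are UTF-16 with a BOM; the declaration is dropped so ElementTree can take a str."""
    text = data.decode("utf-16") if isinstance(data, bytes) else data
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring(text)
    actions = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd + " " + args).strip())
    trig = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig is None else [child.tag.split("}")[-1] for child in trig]
    return {
        "name": task_name,
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=TASK_NS),
        "registered": root.findtext("t:RegistrationInfo/t:Date", default="", namespaces=TASK_NS),
        "triggers": triggers,
        "actions": actions,
        "flags": [f for a in actions for f in command_flags(a)],
    }


# Constructed sample: the XML schtasks writes for step 33 (illustrative values).
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2024-03-14T10:22:31</Date>
    <Author>WIN10-LAB\\Alice</Author>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-03-14T10:22:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\alicediskfix.bat</Command>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")

# Constructed sample service records (registry values, not a real export).
SAMPLE_SERVICES = [
    {"Name": "Dnscache", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService -p",
     "Start": 2, "Description": "Caches DNS names for this computer."},
    {"Name": "AliceService", "ImagePath": r"c:\Users\alicediskfix.bat", "Start": 2, "Description": ""},
    {"Name": "AcmeUpdater", "ImagePath": r"C:\Program Files\Acme Tools\updater.exe -service",
     "Start": 2, "Description": "Acme update agent"},
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        print(triage_service(svc))
    print(parse_task_xml("ALICE", SAMPLE_TASK_XML))
```

On a real image, feed parse_task_xml every file under System32\Tasks and triage_service every service key exported from the SYSTEM hive; the author and registration date in the task XML, and the creation timestamp of the service key, are what tie the persistence back to the timeline built in the earlier steps.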
Section 5 – Data Hiding Techniques
    There are other ways that users try to hide files, such as changing the file extension or using an alternate
    data stream. These methods may be effective against an untrained person but will not fool a forensic investigator.
  35. Open Windows Explorer and click on the Pictures link. Right click in the folder, select New, then Bitmap
    image, and create two pictures, one named Cat and one named Dog.
    Pictures
  36. Right Click on the Cat and select Open with and then choose Paint.
    Pictures
  37. Draw a Cat. Click the Floppy Disk icon to Save your Cat.
    Cat
  38. Right Click on the Dog and select Open with and then choose Paint.
    Dog
  39. Draw a Dog. Click the Floppy Disk icon to Save your Dog.
    Dog
  40. You can see the thumbnails of your artwork and a preview of the cat and dog pictures.
    Dog
  41. Right click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
    Command Prompt
  42. Type the following command to navigate to your pictures directory.
    C:\Windows\System32> cd C:\Users\%username%\Pictures
    Command Prompt
  43. Type the following command to view the files and folders in your pictures directory.
    C:\Users\%username%\Pictures > dir
    Command Prompt
  44. Type the following command to rename the files.
    C:\Users\%username%\Pictures > ren *.bmp *.pdf
    If you open Windows Explorer and click Pictures, you will no longer see the picture thumbnails. Instead, the
    files will carry a PDF icon, but they will not open as PDFs.
    Picture Files Renamed
  45. Right Click on one of the files and select open with Notepad++. Notice the signature is BM, which is the
    file signature header for a Bitmap file. Renaming the file will not change the file signature.
    Notepad++
  46. Type the following command to hide text in an alternate data stream attached to one of your PDF files:
    C:\Users\%username%\Pictures > echo this is yourname’s secret > Cat.pdf:mysecret.txt
    Note: Replace yourname with your first name, but keep the stream name mysecret.txt.
    Command Prompt
  47. Type the dir command to view the files and folders in your Pictures directory. Notice that the ADS is
    not listed, and it does not appear in the graphical user interface (GUI) either. The size that dir and
    Explorer show for Cat.pdf covers only the main (unnamed) data stream; the bytes in mysecret.txt do occupy
    disk space, but they are not reflected in that figure. Alternate data streams are an NTFS feature, so
    copying the file to a FAT32 or exFAT volume silently drops the stream.
    C:\Users\%username%\Pictures > dir
    Dir
  48. Type the following command to view the files and folders in your pictures directory, as well as any
    alternate data streams created.
    C:\Users\%username%\Pictures > dir /r
    Command Prompt
  49. Type the following command to view the alternate data stream created.
    C:\Users\%username%\Pictures > notepad Cat.pdf:mysecret.txt
    Command Prompt
    Add your screenshot to page 10 of your CMIT_424_LAB4_WORKSHEET.
    Note: Your screenshot will be different from the example provided.
    Do not use the EXAMPLE screenshot.
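Steps 45 through 48 show a renamed bitmap and an alternate data stream. The added example below (not from the lab) automates both checks in Python so they can be run over a whole folder: a magic-number comparison of the declared extension against the first bytes of the file, and a parser for `dir /r` output that pulls out every name:stream:$DATA entry. The BMP header and the dir /r listing are constructed samples, and the signature table covers only common types rather than being exhaustive.

```python
import re

# Magic numbers (file signatures) for the types in the lab plus a few common ones.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/pptx/jar/apk
    (b"BM", "bmp"),           # the "BM" seen in Notepad++ in step 45
    (b"MZ", "exe"),           # PE executables and DLLs
]

# What each extension is allowed to contain; an extension not listed gets no verdict.
EXPECTED = {
    "bmp": {"bmp"}, "pdf": {"pdf"}, "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"},
    "gif": {"gif"}, "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "exe": {"exe"}, "dll": {"exe"},
}


def detect_type(header):
    """Type whose signature matches the first bytes of the file, or None."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def check_extension(filename, header):
    """Compare what the name claims against what the bytes say (step 45)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(header)
    allowed = EXPECTED.get(ext)
    mismatch = allowed is not None and detected not in allowed
    return {"file": filename, "extension": ext, "detected": detected, "mismatch": mismatch}


# In `dir /r` output an alternate data stream is its own line holding only the
# stream size and name:stream:$DATA, indented under the file it belongs to.
_STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")


def parse_dir_r(output):
    """(file, stream, size) for every ADS in a `dir /r` listing (steps 47-48)."""
    streams = []
    for line in output.splitlines():
        m = _STREAM_LINE.match(line)
        if m:
            streams.append((m.group(2), m.group(3), int(m.group(1).replace(",", ""))))
    return streams


# Constructed samples: the first 14 bytes of the renamed Cat bitmap, and the
# `dir /r` listing of the Pictures folder after step 46.
SAMPLE_CAT_PDF_HEADER = b"BM" + (246).to_bytes(4, "little") + b"\x00" * 4 + (54).to_bytes(4, "little")
SAMPLE_DIR_R = """ Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\\Users\\Alice\\Pictures

03/14/2024  10:20 AM    <DIR>          .
03/14/2024  10:20 AM    <DIR>          ..
03/14/2024  10:18 AM               246 Cat.pdf
                                    28 Cat.pdf:mysecret.txt:$DATA
03/14/2024  10:19 AM               246 Dog.pdf
               2 File(s)            492 bytes
               2 Dir(s)  40,000,000,000 bytes free
"""

if __name__ == "__main__":
    print(check_extension("Cat.pdf", SAMPLE_CAT_PDF_HEADER))
    print(parse_dir_r(SAMPLE_DIR_R))
```

On the VM itself, the same stream list is available without parsing text: PowerShell's Get-Item -Path Cat.pdf -Stream * lists every stream, and Get-Content -Path Cat.pdf -Stream mysecret.txt reads one, which is the check to reach for after dir /r has shown that a stream exists.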
    Hint: Do not forget your Introduction and Conclusion in your lab worksheet or you will lose points on your
    assignment.