
Lab 6 Guide CMIT 424 Computer Forensics
Table of Contents
Introduction
Section 1 – Lab Setup
Section 2 – Incident Response
Section 4 – Capturing and Analyzing RAM
Introduction
Important Note: To complete Lab 6 you need to complete Labs 1-5.
During this lab, we will examine volatile data collection, RAM collection, and the Volatility Framework.
Lab Description:
To fully understand Computer Forensics, it is essential that you understand how the Operating
Systems and File Systems work, and how to utilize computer forensics tools that will help you
recover the artifacts relevant to the case.
Learning Outcomes:
The goal is to implement various techniques to collect and analyze information from digital
media that are used in computer forensic investigations.
After completing this course, you should be able to:
Course Learning Outcomes
• establish a digital forensic workstation for the purpose of collecting and analyzing data.
• select and apply the most appropriate methodology to extract data based on circumstances and
reassemble artifacts from data fragments.
• apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital
artifacts.
• analyze and interpret data collected and report outcomes in accordance with incident response
handling guidelines.
Section 1 – Lab Setup

  1. (You completed the OS install in Lab 1.) Click Power on this Virtual Machine.
  2. Use this button to send a Control+Alt+Delete to the Windows VM.
  3. Log on to your Windows 10 Virtual Machine you created in lab 1 with the username of your first name
    and the password of [email protected]
  4. Go to VM from the VMware Workstation Menu bar and select Settings.
  5. Click Add to add a device.
  6. Select Hard Disk and click Next.
  7. Leave SCSI (Recommended) selected and click Next.
  8. Accept the default of creating a new virtual disk.
  9. For the maximum disk size (GB), put 5 GB. Click Next. Click Finish. Click OK.
  10. Right click on the Start Menu and select Disk Management.
  11. Click OK to initialize the disk. Notice that we are using the Master Boot Record partitioning style.
  12. Scroll down in Disk Management. Right click on Disk 3 (Unallocated) and select New Simple Volume.
  13. Click Next.
  14. Click Next to accept the default volume size.
  15. Click Next to assign the drive letter G:.
  16. At Format Partition, leave NTFS as the File System.
    Put YourFIRSTNAME-IR for the Volume name and take a screenshot.
    Add your screenshot to page 3 of your CMIT_424_LAB6_WORKSHEET.
    Note: Your screenshot will be different from the example provided.
    Do not use the EXAMPLE screenshot.
    Click Next. Click Finish.
    Close Disk Management. In the field, we can bring along a trusted tool set on a USB stick that has all the
    binaries (EXE files). Files on the operating system of the compromised machine cannot be trusted because
    hackers can alter these files. Next, we will load some of the files from the CD-ROM onto our new IR Drive
    (which simulates bringing a trusted tool set on a USB drive in this environment).
  17. If you did not already do so for Lab 1, download the CMIT 424 Software Tools ISO file needed for this
    class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
  18. Click Edit virtual machine settings.
  19. Click on the CD/DVD icon and then click Browse. Go to the location on your system where you
    downloaded the CMIT 424 tools ISO file. Verify that both Connected boxes are checked.
  20. Under This PC, go to the DVD.
  21. Hold down the Control key, select the following 3 files, and then click Copy.
    • SysinternalsSuite
    • DumpIt
    • volatility_2.6_win64_standalone
  22. Right click on the IR Drive (G:) that you created and paste.
  23. Right click on SysinternalsSuite and select Extract All… Click Extract.
  24. After the window opens with all of the files extracted from the Sysinternals Suite, press Control+A to
    select all of the files, and then select Copy.
  25. Go back to the root of the G: Drive. Right click and then paste all of the files.
  26. You should see a list of the Sysinternals tools on the root of the G: Drive.
Section 2 – Incident Response
    It is always better to collect IR data manually first, because collecting the RAM on a system that is
    compromised can sometimes result in the system freezing. The free Python-based tool Volatility can be used to
    parse a captured RAM file to look for values like network connections or running processes.
  27. Right click on the shortcut to the Command Prompt and select Run as administrator. Click Yes.
  28. Type the following to show the PATH.
    C:\Windows\System32>PATH
  29. Type the following command to switch to the G:\ Drive:
    C:\Windows\system32>G:
    The PATH is where the operating system will look for executable files. We will change the PATH to use the
    trusted tools we have instead of relying on tools on the operating system, which could be compromised.
    Internal commands such as echo, type and dir still work after the change because they are built into the
    command interpreter rather than found through the PATH.
  30. Type the following command to set the PATH to your “trusted tool Drive”.
    G:\>PATH=G:\
  31. Type the following command to verify that the PATH is set to your “trusted tool Drive”.
    G:\>PATH
  32. Type the following command to send your name (replacing my name with your name) to the IR File.
    G:\>echo "Incident Responder Jesse Varsalone" >> MYIRTEXT.TXT
  33. Type the following command to view the contents of the IR File with the internal command “type”.
    G:\>type MYIRTEXT.TXT
    Add your screenshot to page 4 of your CMIT_424_LAB6_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  34. Type the following command to add the time and date to your IR Text file.
    G:\>time /t >> MYIRTEXT.TXT && date /t >> MYIRTEXT.TXT
  35. Type the following command to view the contents of the IR File with the internal command “type”.
    G:\>type MYIRTEXT.TXT
    Add your screenshot to page 5 of your CMIT_424_LAB6_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  36. Type the following command to add the network connection information to the IR Text file.
    G:\>tcpvcon.exe /a >> MYIRTEXT.TXT
    Click I Agree if you receive a warning.
  37. Type the following command to view the network connection information of the IR File with the
    internal command “type”.
    G:\>type MYIRTEXT.TXT
  38. Type the following command to add the process list information to the IR Text file.
    G:\>pslist >> MYIRTEXT.TXT
    Click I Agree if you receive a warning.
  39. Type the following command to view the process list information of the IR File with the internal
    command “type”.
    G:\>type MYIRTEXT.TXT
  40. Type the following command to add the computer information to the IR Text file.
    G:\>psinfo >> MYIRTEXT.TXT
    Click I Agree if you receive a warning.
  41. Type the following command to view the computer information of the IR File with the internal
    command “type”.
    G:\>type MYIRTEXT.TXT
    Add your screenshot to page 6 of your CMIT_424_LAB6_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  42. Now we will hash our MYIRTEXT file. To do this, type the following command:
    G:\>sigcheck -h MYIRTEXT.TXT
    Click I Agree if you receive a warning.
    Add your screenshot to page 7 of your CMIT_424_LAB6_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
    It is mathematically possible that you and another student could have the same MD5 hash for your IR text file,
    but the chance of that is 1 in 340,282,366,920,938,463,463,374,607,431,768,211,456. For that reason, the
    hash should be unique, or there may be an academic integrity review by your professor.
Section 4 – Capturing and Analyzing RAM
    Next, we will capture RAM. It is always better to collect IR data manually first, because collecting the RAM on a
    system that is compromised can sometimes result in the system freezing. The free Python-based tool Volatility
    can be used to parse this RAM to look for values like network connections or running processes.
    Note: The largest RAM dump that fits on the 5 GB drive is 4 GB, so your VM should not have more than 4 GB of RAM.
  43. Find DumpIt.exe on the G: Drive, right click on it and select Run as administrator. Click Yes, then press Y.
  44. When the RAM dump has completed, you should see a message that it was a success.
    Add your screenshot to page 8 of your CMIT_424_LAB6_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  45. Return to the command prompt at the root of G:. Type the following to find your RAM capture.
    G:\>dir *.RAW
  46. Note that the name of your raw file includes a date stamp. Type the following command to get the hash of
    your DumpIt RAM capture. This will take a few minutes.
    G:\>sigcheck -h *.raw
    Add your screenshot to page 9 of your CMIT_424_LAB6_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
    It is mathematically possible that you and another student could have the same MD5 hash for your RAM dump,
    but the chance of that is 1 in 340,282,366,920,938,463,463,374,607,431,768,211,456. For that reason, the
    hash should be unique, or there may be an academic integrity review by your professor.
  47. Type the following command to run the Volatility Framework standalone and show its help.
    G:\>volatility_2.6_win64_standalone.exe -h
  48. Next, use the Volatility Framework standalone to parse the image information from your RAM capture.
    G:\>volatility_2.6_win64_standalone.exe imageinfo -f *.raw
  49. Next, use the Volatility Framework standalone to parse the network connection information from your
    RAM capture.
    G:\>volatility_2.6_win64_standalone.exe netscan -f *.raw --profile=Win10x64_14393
    Add the screenshots to page 10 of your CMIT_424_LAB6_WORKSHEET.
    Note: Your screenshots will be different from the examples provided. Do not use the EXAMPLE screenshots.
  50. Next, use the Volatility Framework standalone to parse the process list information from your RAM
    capture. The profile is not exact, so the processes do not parse perfectly, although you can still see
    part of the process names and the corresponding PIDs (Process IDs). The investigator can always go
    back to the manually collected IR data to cross reference, which is another reason to collect IR data
    manually.
    G:\>volatility_2.6_win64_standalone.exe pslist -f *.raw --profile=Win10x64_14393
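As an added example (not part of the lab or of either tool), the Python script below performs the cross-reference that step 50 describes: it parses the Sysinternals pslist section of MYIRTEXT.TXT and the Volatility pslist output, matches the two on PID, tolerates names truncated by the inexact profile, and reports processes that only one of the two collections saw. The sample output embedded in it is constructed to mimic both tools' column layouts.

```python
import re

# Constructed sample of Sysinternals pslist output, as appended to MYIRTEXT.TXT in
# step 38 (pslist shows image names without the .exe suffix).
LIVE_PSLIST = """\
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8 153 1034    192    0:00:12.031   0:25:10.234
svchost            1072   8  18  412   3532    0:00:00.234   0:25:01.123
explorer           3420   8  64 1902  34512    0:00:05.437   0:24:30.001
notepad            5120   8   2  120   1240    0:00:00.015   0:01:02.500
"""
# Constructed sample of Volatility 2.6 pslist output from an inexact profile, where
# some names come out truncated (the effect step 50 describes).
MEMORY_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xffffe00012345678 System                    4      0    153     1034 ------      0 2020-01-01 10:00:00 UTC+0000
0xffffe00023456789 svchost.exe            1072    620     18      412      0      0 2020-01-01 10:00:05 UTC+0000
0xffffe0003456789a explor                 3420   3390     64     1902      1      0 2020-01-01 10:00:09 UTC+0000
0xffffe00045678901 DumpIt.exe             6660   3420      3       90      1      0 2020-01-01 10:20:00 UTC+0000
"""
LIVE_RE = re.compile(r"^(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+", re.M)  # name, pid, pri, thd, hnd
MEM_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)", re.M)  # offset, name, pid, ppid

def parse_live(text):
    """Map PID -> name from a Sysinternals pslist table (the header row never matches)."""
    return {int(pid): name for name, pid in LIVE_RE.findall(text)}

def parse_memory(text):
    """Map PID -> name from Volatility pslist output."""
    return {int(pid): name for name, pid, _ppid in MEM_RE.findall(text)}

def names_agree(live_name, mem_name):
    """Tolerate the .exe suffix and names truncated by an inexact profile."""
    a, b = (n.lower().replace(".exe", "") for n in (live_name, mem_name))
    return a.startswith(b) or b.startswith(a)

def cross_reference(live_text, mem_text):
    """Bucket every PID seen by either tool so discrepancies stand out."""
    live, mem = parse_live(live_text), parse_memory(mem_text)
    report = {"agree": [], "name_mismatch": [], "only_live": [], "only_memory": []}
    for pid in sorted(set(live) | set(mem)):
        if pid in live and pid in mem:
            key = "agree" if names_agree(live[pid], mem[pid]) else "name_mismatch"
            report[key].append((pid, live[pid], mem[pid]))
        elif pid in live:
            report["only_live"].append((pid, live[pid]))   # exited before the RAM dump
        else:
            report["only_memory"].append((pid, mem[pid]))  # started after, or missed by, the live capture
    return report
```

Processes in the only_memory bucket deserve a second look: here it is DumpIt itself, which had not started when pslist ran, but a process the live tools never reported is exactly the discrepancy this cross-check exists to surface.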
    Hint: Do not forget your Introduction and Conclusion in your lab
    worksheet or you will lose points on your assignment.