Lab 7 Guide CMIT 424 Computer Forensics
Table of Contents
Introduction
Section 1 – Lab Setup
Section 2 – Internet Explorer History
Section 3 – Chrome History
Section 4 – Firefox History
Section 5 – Optional – More Browser History
Introduction
Important Note: To complete Lab 7 you need to complete Labs 1-6.
During this lab, we will examine browser artifacts and look at website history for Internet Explorer,
Chrome, and Firefox.
Lab Description:
To fully understand Computer Forensics, it is essential that you understand how the Operating
Systems and File Systems work, and how to utilize computer forensics tools that will help you
recover the artifacts relevant to the case.
Learning Outcomes:
The goal is to implement various techniques to collect and analyze information from digital
media that are used in computer forensic investigations.
After completing this course, you should be able to:
Course Learning Outcomes
• establish a digital forensic workstation for the purpose of collecting and analyzing data.
• select and apply the most appropriate methodology to extract data based on circumstances and
reassemble artifacts from data fragments.
• apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital
artifacts.
• analyze and interpret data collected and report outcomes in accordance with incident response
handling guidelines.
Section 1 – Lab Setup
- (You completed the OS install in Lab 1). Click Power on this Virtual Machine:
Windows VM
- Use this button to send a Control+Alt+Delete to the Windows VM.
Control+Alt+Delete
- Log on to your Windows 10 Virtual Machine you created in Lab 1 with the username of your first name and the password of [email protected]
- Right click on the shortcut to the Command Prompt and select Run as Administrator. Click Yes.
Command Prompt
- Type the following to bring up the Control Panel:
C:\Windows\System32>control
Control Panel
- Click Programs.
Control Panel
- Click Turn Windows Features on or off.
Control Panel
- Expand Internet Information Services. Select the three subcategories below and click OK:
• FTP Server
• Web Management Tools
• World Wide Web Services
Control Panel
- In the Search box, type IIS, and then click on Internet Information Services (IIS).
Internet Information Services
- Expand Sites. Notice that the website is present, but the FTP site is not there.
Internet Information Services
Add your screenshot to page 3 of your CMIT_424_LAB7_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- Type the following command to add the time and date to your IR Text file.
Internet Information Services
- Name the FTP site "Yourname FTP Site", where Yourname is your first name. Browse to C:\Inetpub\FTProot. Click OK. Click Next.
Internet Information Services
- Select No SSL for the SSL settings. Click Next.
Internet Information Services
- In the Authentication and Authorization page:
• Under Authentication, select Anonymous.
• Under Authorization, select Allow Access to Anonymous users
• Under Permissions Select Read
Click Next
Internet Information Services
- Now the Web Site and the Yourname FTP site will appear in the Internet Information Services (IIS).
Internet Information Services
Add your screenshot to page 4 of your CMIT_424_LAB7_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- If you have not already done so, download the CMIT 424 Software Tools ISO file needed for this class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
- Click Edit virtual machine settings.
Edit Settings
- Click on the CD/DVD icon and then click Browse. Go to the location on your system where you downloaded the CMIT 424 tools ISO file. Verify that both Connected boxes are checked.
CMIT 424 Tools
- Click This PC, then the DVD, and then drag the following 3 files to the desktop:
• browsinghistoryview-x64
• iehv
• mozillahistoryview-x64
CMIT 424 Tools
- Click View in the top left in the Explorer menu. Click Options, and change folder and search options.
Windows Explorer
- Click the View tab and then configure the following settings:
• Select the radio button to Show hidden files, folders, and drives.
• Uncheck Hide extensions for known types.
• Uncheck Hide Protected Operating System files (Recommended). Click Yes.
Windows Explorer
Section 2 – Internet Explorer History
- Type IE in the search bar and then launch the Internet Explorer app.
Click Use Recommended settings
Internet Explorer
- Go to the following URL within Internet Explorer: http://127.0.0.1
Internet Explorer
- Click on the shortcut to the Command Prompt and select Run as Administrator. Click Yes.
Command Prompt
- Type the following to switch to the wwwroot directory within Inetpub.
C:\Windows\System32>cd c:\Inetpub\wwwroot
Command Prompt
- Type the following to list the files and folders in the directory.
C:\Inetpub\wwwroot>dir
Command Prompt
- Type the following to echo your first name and last name into the website file.
C:\Inetpub\wwwroot>echo Yourfirstname Yourlastname CMIT 424 Website > iisstart.htm
Command Prompt
Add your screenshot to page 5 of your CMIT_424_LAB7_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- Within Internet Explorer, go to the following URL: http://127.0.0.1
Internet Explorer
Add your screenshot to page 6 of your CMIT_424_LAB7_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- Click on the shortcut to the Command Prompt and select Run as Administrator. Click Yes.
Command Prompt
- Type the following to switch to the ftproot directory within Inetpub.
C:\Windows\System32>cd c:\Inetpub\ftproot
Command Prompt
- Type the following to echo your first name and last name into the FTP file.
C:\Inetpub\ftproot>echo Yourfirstname Yourlastname ftp file > CMIT424.txt
Command Prompt
Add your screenshot to page 7 of your CMIT_424_LAB7_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- Type IE in the search bar and then launch the Internet Explorer app.
Click Use Recommended settings
Internet Explorer
- Go to the following URL within Internet Explorer: ftp://127.0.0.1/cmit424.txt
Internet Explorer
Add your screenshot to page 8 of your CMIT_424_LAB7_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- Right click on the iehv.zip file on the Desktop and select Extract All.
Internet Explorer History Tool
- Double click on the exe file.
Internet Explorer History Tool
- From the View menu, select Display Typed URLs.
Internet Explorer History Tool
- View all of the typed URLs from your Internet Explorer Browse History.
Internet Explorer History Tool
Section 3 – Chrome History
- If you have not already done so, download the CMIT 424 Software Tools ISO file needed for this class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
- Click Edit virtual machine settings.
Edit Settings
- Click on the CD/DVD icon and then click Browse. Go to the location on your system where you downloaded the CMIT 424 tools ISO file. Verify that both Connected boxes are checked.
CMIT 424 Tools
- Click This PC, then the DVD, and then right click on the Chromeinstaller and select Run as Administrator.
CMIT 424 Tools
- Click Yes. After a moment Chrome will appear.
Chrome
- Go to the following URL in Chrome: http://127.0.0.1
Chrome
- Go to the following URL in Chrome: ftp://127.0.0.1/cmit424.txt
Chrome
Add your screenshot to page 9 of your CMIT_424_LAB7_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- Right click on the browsinghistoryview-x64.zip on the Desktop and select Extract All.
Chrome History View Tool
- Double click on the exe file.
Chrome History View Tool
- From the Load History button, click the three dots to load the sub menu.
Chrome History View Tool
Note: You can use this technique to parse Chrome History for Capture the Flag exercises.
- In the Chrome History files location, type the following:
C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\History
Chrome History View Tool
- Your Chrome Browser history will appear.
Chrome History View Tool
Section 4 – Firefox History
- If you have not already done so, download the CMIT 424 Software Tools ISO file needed for this class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
- Click Edit virtual machine settings.
Edit Settings
- Click on the CD/DVD icon and then click Browse. Go to the location on your system where you downloaded the CMIT 424 tools ISO file. Verify that both Connected boxes are checked.
CMIT 424 Tools
- Click This PC, then the DVD, and then right click on the Firefox_Setup and select Run as Administrator.
CMIT 424 Tools
- Click Yes. Click Next, click Next, click Install. Click Finish. Firefox will appear.
Firefox
- Go to the following URL in Firefox: http://127.0.0.1
Firefox
- Go to the following URL in Firefox: ftp://127.0.0.1/cmit424.txt
Firefox
Add your screenshot to page 10 of your CMIT_424_LAB7_WORKSHEET.
Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
- Right click on the mozillahistoryview-x64.zip file on the Desktop and select Extract All.
Firefox History Viewer
- Double click on the exe file.
Firefox History Viewer
- For Firefox history, you will need to locate the places.sqlite file. The profile is unique.
Firefox History Viewer
Note: You can use this technique to parse Firefox History for Capture the Flag exercises.
- Click OK. Your Firefox Browser history will appear.
Firefox History Viewer
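The Chrome History file from Section 3 and the Firefox places.sqlite file from this section are both SQLite databases, so the same records the viewer tools display can be queried directly. The following Python code is an added example, not part of the original lab guide; it relies on the `urls` table (Chrome) and `moz_places` table (Firefox), and the sample databases it builds are constructed with a reduced schema holding the lab's two URLs.

```python
import sqlite3, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome counts microseconds from 1601-01-01 UTC; Firefox from 1970-01-01 UTC.
FORMATS = {
    "chrome": ("urls", "last_visit_time", datetime(1601, 1, 1, tzinfo=timezone.utc)),
    "firefox": ("moz_places", "last_visit_date", datetime(1970, 1, 1, tzinfo=timezone.utc)),
}

def read_history(db_path):
    """Return (browser, [(url, visit_count, last_visit_utc)]) with newest visits first."""
    # mode=ro: the parser can never write to the working copy of the evidence file.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = {r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
        browser = next((b for b, f in FORMATS.items() if f[0] in tables), None)
        if browser is None:
            raise ValueError("no urls or moz_places table: not a supported history file")
        table, ts_col, epoch = FORMATS[browser]
        rows = [(url, count, epoch + timedelta(microseconds=ts) if ts else None)
                for url, count, ts in con.execute(f"SELECT url, visit_count, {ts_col} FROM {table}")]
    finally:
        con.close()
    # Rows with no timestamp (never visited, e.g. a bookmark) sort last.
    return browser, sorted(rows, key=lambda r: r[2] or epoch, reverse=True)

def build_sample(path, browser):
    """Write a constructed database holding the lab's two URLs (sample data, not evidence)."""
    table, ts_col, _ = FORMATS[browser]
    base = 13350000000000000 if browser == "chrome" else 1705526400000000
    con = sqlite3.connect(path)
    con.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, url TEXT, "
                f"visit_count INTEGER, {ts_col} INTEGER)")
    con.executemany(f"INSERT INTO {table} (url, visit_count, {ts_col}) VALUES (?, ?, ?)",
                    [("http://127.0.0.1/", 2, base),
                     ("ftp://127.0.0.1/cmit424.txt", 1, base + 60_000_000),
                     ("http://127.0.0.1/never-visited", 0, None)])
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("chrome", "firefox"):
            browser, rows = read_history(build_sample(Path(tmp) / f"{name}.db", name))
            for url, count, when in rows:
                print(browser, when, count, url)
```

On a real system, close the browser or copy the History or places.sqlite file first and point `read_history` at the copy, since a running browser keeps the database locked.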
Hint: Do not forget your Introduction and Conclusion in your lab
worksheet or you will lose points on your assignment.
Section 5 – Optional – More Browser History
If you want to examine more browser history, now that you are done with the 7 hands-on labs (Lab 8 is just a summary), you can change your VM and provide it Internet access. These steps are not required; follow them only if you are interested in learning more about parsing browser objects from Internet Explorer, Chrome, or Firefox.
- Click Edit virtual machine settings.
Edit Settings
- Click on the Network Adapter and change it to NAT (Network Address Translation). Click OK.
CMIT 424 Tools
- Click on the shortcut to the Command Prompt and select Run as Administrator. Click Yes.
Command Prompt
- Type the following to renew the IP address for the NAT network:
C:\Windows\System32>ipconfig /renew
PATH
- Type the following to test for Internet connectivity:
C:\Windows\System32>ping www.yahoo.com
Ping