Lab-3 forensics (docx, 27 pages)
School: Laurentian University
Course: SP24, Computer Science
Date: Jun 24, 2024
Uploaded by HighnessMaskDinosaur35
Computer Forensics Lab Assignments
Course Code: CPSC_5207EL_62, Spring 2024
LAB-3, Module 4: Data Acquisition and Duplication
Submitted to Professor: Sk Md Mizanur Rahman
Submitted by Student Name: Israt Khan Mojlish, Student ID: 0443734

Module 04: Data Acquisition and Duplication

Lab Objectives
The objective of this lab is to help students learn to monitor a system remotely and to extract hidden text strings, along with other tasks that include:
- Creating a dd image file
- Converting an image file to a bootable virtual machine
- Memory acquisition (RAM) on a Windows workstation
- Extracting hidden content from hard drives

Lab Tasks
Recommended labs to assist you in data acquisition and duplication:
- Creating a dd image of a system drive
- Converting an acquired image file to a bootable virtual machine
- Acquiring RAM from a Windows workstation
- Viewing the contents of a forensic image file
Lab 1: Creating a dd Image of a System Drive

Lab Tasks
1. By default, the Windows Server 2019 virtual machine is selected. Clicked Windows 10 to select the Windows 10 virtual machine. Clicked Ctrl+Alt+Delete.
2. By default, the Admin user profile is selected; clicked qwerty@123 to paste the password in the Password field and pressed Enter to log in. Before beginning this lab, copied the dd folder from Z:\DFE Module 04 Data Acquisition and Duplication\Data Acquisition Tools and pasted it onto the Desktop.
To obtain information about the available drives on Microsoft Windows, the wmic command is issued in Windows PowerShell. To launch PowerShell as an administrator, right-clicked on the Windows icon and selected Windows PowerShell (Admin).
3. Windows PowerShell appears; typed the command wmic diskdrive list brief /format:list and pressed Enter.
4. Now, used the cd command to navigate to the directory C:\Users\Admin\Desktop\dd.
5. Next, typed the command .\dd.exe if=\\.\PHYSICALDRIVE0 of=F:\Windows_Evidence_002.dd bs=512k --size --progress and pressed Enter. This begins to create a physical image of the drive PHYSICALDRIVE0 on the Forensic Disk (F:\ in this lab), and it takes some time for the tool to create the image. Upon successfully creating the image, it displays the number of records in and the number of records out, as shown in the following screenshot:
6. Navigated to the Forensic Disk (F:\ drive in this lab) to see the captured dd image file, as seen in the screenshot below. Then deleted this image file.
Completed the quiz and clicked Next.
Lab 2: Converting Acquired Image File to a Bootable Virtual Machine

Lab Tasks
1. Clicked Ubuntu Forensics to select the Ubuntu Forensics virtual machine. By default, the Jason user profile is selected; typed toor in the Password field and pressed Enter to log in.
2. Converting an image to a bootable disk requires special tools like qemu-utils to be installed on the machine. Therefore, launched a command line terminal, typed the command sudo apt-get install -y qemu-utils, and pressed Enter. Typed toor in the Password field and pressed Enter. This begins to install the tool utilities, as shown in the following screenshot:
3. Closed the terminal window. Now, clicked on the Files icon in the Launcher panel to launch the File Manager.
4. The File Manager window appears, pointing to the Home directory. Clicked on the bookmarked dfe-tools on 10.0.0.19 directory.
5. DFE-Tools appears in the window; opened the Evidence Files folder.
6. Now, right-clicked on the Forensic Images folder and selected Open in Terminal from the context menu. This launches a terminal pointing to the Forensic Images folder.
7. To convert, typed qemu-img convert -f raw Windows_Evidence_002.dd -O vhdx /home/jason/Desktop/Windows.vhdx and pressed Enter. This takes some time and converts the raw dd image to a vhdx file named Windows.vhdx on the Desktop, as shown in the following screenshot:
8. Closed all the open windows and deleted the Windows.vhdx file from the Desktop. Upon deleting the file, it is moved to Trash. Ensured the trash was emptied before proceeding to the next lab. Completed the quiz and proceeded to the next lab.

Lab 3: Acquiring RAM from Windows Workstations

Lab Tasks
If you are already logged into the Windows 10 machine, then skip to Step#3.
1. Clicked Windows 10 to select the Windows 10 virtual machine. Clicked Ctrl+Alt+Delete. By default, the Admin user profile is selected; clicked qwerty@123 to paste the password in the Password field and pressed Enter to log in.
1. Before beginning this lab, navigated to the directory Z:\DFE Module 04 Data Acquisition and Duplication\Data Acquisition Tools, copied the Belkasoft RAM Capturer folder and pasted it onto the Desktop.
2. Now navigated to the directory Desktop --> Belkasoft RAM Capturer folder --> x64 and double-clicked RamCapture64.exe to launch the application.
3. Navigated to the Forensic Disk (F Drive) and created a folder named Windows RAM. Then entered the path for the output (here, F:\Windows RAM) under the Select output folder path field and clicked Capture!
4. The application begins to capture the RAM, as shown in the following screenshot:
5. Once the memory dump is successfully created, clicked Close to close the application.
6. Navigated to F:\Windows RAM to view the created memory dump. The dump is saved in the yyyymmdd.mem format, where yyyy refers to the year, mm refers to the month, and dd refers to the date.
7. Closed all open windows and completed the quiz.

Lab 4: Viewing Contents of Forensic Image File

Lab Tasks
1. Clicked Windows Server 2019 to select the Windows Server 2019 machine. Clicked Ctrl+Alt+Delete. Navigated to C:\DFE-Tools\DFE Module 04 Data Acquisition and Duplication\Data Acquisition Tools\AccessData FTK Imager, double-clicked AccessData_FTK_Imager_4.3.1.exe to launch the setup, and followed the wizard-driven installation instructions to install the application.
At the end of the installation process, ensure that the Launch AccessData FTK Imager option is checked in the setup wizard and then click Finish.
2. The main window of AccessData FTK Imager appears, as shown in the following screenshot:
3. Clicked File --> Add Evidence Item… to add evidence.
Alternatively, clicked on the Add Evidence icon on the toolbar to add evidence.
4. A Select Source window opens. Selected the Image File option and clicked Next. In this lab, we examine a dd image; therefore, selected the Image File radio button.
5. Clicked the Browse button to specify the image file path (C:\DFE-Tools\Evidence Files\Forensic Images\Windows_Evidence_001.dd) and then clicked Finish.
6. The evidence file (Windows_Evidence_001.dd) appears in the left pane of the main window under the Evidence Tree section. Expanded the evidence file and its contents so that it appears in the form of a tree, as shown in the following screenshot:
7. Selected an item from the Evidence Tree to view the file list in the right pane under File List.
8. To view the hex values of a file, selected 1200px-Peace_sign.svg.png from the File List. Clicked the Hex icon on the toolbar, and the hex values of the selected file were displayed in the bottom-right pane.
9. Clicked the Properties tab in the lower-left pane to view the properties of the selected file, such as file class, size, date and start cluster. Closed all open windows and completed the quiz to submit the lab.
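As an added example (not part of this lab report, nor code from dd or FTK Imager), the Python below performs offline the kind of inspection Lab 4 does in FTK Imager on a raw dd image like the one Lab 1 creates: it parses the MBR partition table in sector 0, computes the full/partial record counts dd reports for the lab's bs=512k, and hashes the image. The sample image, its partition layout and the function names are constructed for this example.

```python
"""Inspect a raw dd image offline: MBR partition table, dd record counts, hash.

Added example for this report, not code from the lab, dd or FTK Imager. The
image is constructed in memory; read a real .dd file into `data` to use it."""
import hashlib
import struct

SECTOR = 512
DD_BS = 512 * 1024  # the bs=512k block size used in the lab's dd command


def parse_mbr(sector0: bytes) -> list[dict]:
    """Return the non-empty primary partition entries of a 512-byte MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature at offset 510")
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot:446 + 16 * (slot + 1)]
        # status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # unused slot
        parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                      "start_lba": lba, "sectors": count,
                      "byte_offset": lba * SECTOR, "byte_size": count * SECTOR})
    return parts


def dd_records(image_len: int, bs: int = DD_BS) -> tuple[int, int]:
    """(full, partial) records dd prints as 'N+M records out' for an image of this size."""
    return image_len // bs, int(image_len % bs != 0)


def sha256_hex(data: bytes, chunk: int = 1 << 20) -> str:
    """Hash the image in chunks; note this value alongside the .dd file."""
    h = hashlib.sha256()
    for off in range(0, len(data), chunk):
        h.update(data[off:off + chunk])
    return h.hexdigest()


def build_sample_image() -> bytes:
    """Constructed sample: 64 sectors, one bootable NTFS-type (0x07) partition at LBA 2."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2, 60)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * 63)
```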