CS 693 Lab 5

Boston University, CS 693 (Computer Science). docx, 25 pages, uploaded Apr 3, 2024.
MET CS 693_Lab 5_Jimin Choi
MET CS 693 Digital Forensics and Investigations (Fall 2023)
Laboratory Report 5
Forensic Examiner – Jimin Choi
11/26/2023

Table of Contents:
Hardware and Software used 2
Purposes 2
Step-by-Step instructions with Screenshots and Comments 4
Summary 22
Review Questions and Answers 23
References 25
Hardware and Software used

Hardware:
- Model: 11th Gen Intel® Core (TM) i7-11800H @ 2.30GHz (16 CPUs) ~2.3GHz
- Memory: 32.0GB
- Devices: LENOVO Legion 5 Pro 82JF
- Oracle VM VirtualBox with Windows 10 Pro 64-bit
- Kingston DT 101 G2 USB Device 16 GB
- Seagate BUP Slim Mac SL SCSI Disk Device 500 GB

Software:
- Operating System: Windows 11 Home 64-bit (10.0, Build 22621)
- BIOS: H1CN33WW, 7/18/2021, mode UEFI, BaseBoard Product LNVNB161216
- Virtual Machine: Windows 10 Pro 64-bit (10.0, Build 19045), Memory 12GB, Processor 11th Gen Intel® Core (TM) i7-11800H @ 2.30GHz (4 CPUs) ~2.3GHz, HD 80 GB, Network Intel® Pro/1000 MT

Purposes

Lab 9-1
This lab focuses on using the Autopsy tool, emphasizing its ability to run keyword searches on a drive image and to report the hash values that identify the files found (Nelson, 2018).

Lab 9-2
FTK Imager Lite will be utilized in this lab to calculate and validate MD5 hash values for files from Lab 9-1. This exercise highlights the critical role of hash values in verifying the integrity of digital evidence and the utility of FTK Imager Lite in forensic investigations (Nelson, 2018).

Lab 9-3
This lab uses WinHex to calculate and validate MD5 and SHA-1 hash values. Unique features of WinHex are editing hexadecimal values and examining hidden partitions. This lab highlights the versatility of WinHex in forensic analysis, particularly in validating and examining complex data structures (Nelson, 2018).

Lab 10-1
The objective of this lab is to utilize Autopsy to analyze a drive image file containing a virtual machine. The lab includes identifying mismatched file extensions, which could be evidence related to a specific project (Nelson, 2018).

Lab 10-2
The primary purpose of this lab is to conduct a live acquisition of a computer's operating system and applications. This lab uses a variety of software tools for screen capture, file hash calculation, system information gathering, memory capture, and imaging a drive in real time (Nelson, 2018).
Step-by-Step instructions with screenshots and comments

Module 9 Lab Activities:

Lab 9.1 Using Autopsy to Search for Keywords in an Image

1. Open Autopsy and add a new case. Select the case directory, set the case type to single-user, and fill out the case information. Click Disk Image or VM File to add the image file to be investigated, GCFI-NTFS.E01.

Figure 1-1 Adding a new case to Autopsy 4.9.0.
Figure 1-2 Selecting a data source for the case.

2. In the Configure Ingest Modules window, select all options and click Start to begin analyzing the image drive.
*The analyzing process took 15 minutes.

Figure 1-3 Configuring ingest modules.

3. From the tool bar, click the down arrow next to Keyword Lists. Select Phone Numbers, IP Addresses, Email Addresses, URLs, and Credit Card Numbers, then hit the Search button (Keyword search 1). Click Keyword Search in the upper right bar. Click the Exact Match option, then type 'project' and click Search (Keyword search 2).
*Keyword search 1 took 10 minutes and the search returned 7693 results. Keyword search 2 took 3 minutes and the search returned 213 results. I noticed that I had more results than the manual because I used a newer version of the Autopsy program.

Figure 1-4 Looking for evidence using the Keyword Lists function.
Figure 1-5 Looking for files that contain 'project' using the Keyword Search function.

4. In the Keyword search 2-project tab, sort the results alphabetically by name by clicking the Name column, and find the CREDITS.txt file. View its contents and MD5 hash value. Right-click the file and extract it to save the file separately.

Figure 1-6 Viewing the CREDITS.txt file from keyword search 2.

5. From the left tree pane, go to Keyword Hits > Single Literal Keyword Search > project. Sort the files alphabetically by name by clicking the Source File column. Find and observe the Inbox.dbx file.
*I noticed this is the inbox of the e-mail client, which contains the keyword 'project'.

6. In the same directory, extract the following files: HISTORY.txt, LFG.pdf, Manual.pdf, and README.TXT. Do not close the Autopsy program before Lab 9-2.
Lab 9.2 Validating File Hash Values with FTK Imager Lite

1. Launch FTK Imager and add the folder that contains the files exported from Lab 9-1 as an evidence file.

Figure 2-1 Adding evidence files to the FTK Imager program.

2. In the Evidence Tree pane, expand Export and right-click the directory. Click Export File Hash List to obtain the hash values of the files from Lab 9-1. Save it as a .csv file.

Figure 2-2 Obtaining hash values of all files in the folder.

3. Observe each file in FTK Imager and its properties.
*I noticed that the file size in the Properties pane is different from the file size in the file list pane. In the Properties pane, the file size includes slack space.

Figure 2-3 Hex values and properties of the Manual.pdf file shown in FTK Imager 4.7.1.2.

4. Open the exported .csv file to view the MD5 and SHA-1 hash values of the files.

Figure 2-4 Hash values of files (.csv) shown in Microsoft Excel.

5. Go back to Autopsy and double-click each exported file to display its metadata, then compare the MD5 hash values with the hash values in the .csv file.
*They all match the values in the .csv file.

Figure 2-5 Comparing MD5 hash values of evidence files in Autopsy with the hash values in the .csv file.

Lab 9.3 Validating File Hash Values with WinHex

1. Open WinHex and open the CREDITS.txt and HISTORY.txt files.

Figure 3-1 Viewing the CREDITS.txt and HISTORY.txt files in WinHex 19.7.

2. For each file, click Tools in the tool bar, and click Compute Hash. Click SHA-1 (160 bit) in the drop-down list to see the SHA-1 hash value. Then click MD5 (128 bit) instead and view the MD5 hash value of each file. Save and record all hash values.
*Hash values obtained from FTK Imager and WinHex were the same.
Figure 3-2 Computing the hash value of the CREDITS.txt file.
Figure 3-3 SHA-1 (160 bit) hash value of the CREDITS.txt file.

3. Compare the hash values computed by WinHex with the hash values exported from FTK Imager.
*Hash values obtained from FTK Imager and WinHex were the same.

Figure 3-4 Comparing MD5 and SHA-1 hash values of files from FTK Imager and WinHex.

*I noticed that I could edit the hex values of files in WinHex, unlike in FTK Imager. I also noticed that the hash values change if I change the hex values.
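The hash validation that Labs 9-2 and 9-3 perform by hand, as an added Python example (not code from the report, from FTK Imager or from WinHex): it recomputes MD5 and SHA-1 for a set of exported files, compares them against a hash-list CSV of the kind FTK Imager exports, and then flips one bit of a file, as a hex editor permits, to show that the digest no longer matches. The CSV column names MD5, SHA1 and FileNames, and the file contents, are assumptions constructed for this example.

```python
import csv
import hashlib
import os
import tempfile

# Constructed stand-ins for two of the files exported from Autopsy in Lab 9-1.
# Only the names come from the lab; the bytes are made up for this example.
SAMPLE_FILES = {
    "CREDITS.txt": b"Credits: example contributors\n",
    "HISTORY.txt": b"v1.0 initial release\nv1.1 bug fixes\n",
}

def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of a file, hashed in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest().lower(), sha1.hexdigest().lower()

def load_hash_list(csv_text):
    """Parse a hash-list CSV into {file name: (md5, sha1)}. The column names
    MD5, SHA1 and FileNames are an assumption; match them to your export's header."""
    table = {}
    for row in csv.DictReader(csv_text.splitlines()):
        # Exported paths use Windows separators; keep only the file name.
        name = row["FileNames"].replace("\\", "/").rsplit("/", 1)[-1]
        table[name] = (row["MD5"].lower(), row["SHA1"].lower())
    return table

def validate(directory, hash_list):
    """Recompute both hashes of every listed file: match, MISMATCH or missing."""
    results = {}
    for name, expected in hash_list.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "match" if hash_file(path) == expected else "MISMATCH"
    return results

def demo():
    """Validate pristine copies, then flip one bit (as a hex editor could) and revalidate."""
    workdir = tempfile.mkdtemp()
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    rows = ["MD5,SHA1,FileNames"]  # header of the constructed hash list
    for name in SAMPLE_FILES:
        md5, sha1 = hash_file(os.path.join(workdir, name))
        rows.append(f"{md5},{sha1},Export\\{name}")
    hash_list = load_hash_list("\n".join(rows))
    before = validate(workdir, hash_list)
    with open(os.path.join(workdir, "HISTORY.txt"), "r+b") as fh:
        first = fh.read(1)
        fh.seek(0)
        fh.write(bytes([first[0] ^ 0x01]))  # one bit changed, whole digest changes
    after = validate(workdir, hash_list)
    return before, after
```

Running demo() reports both files as a match before the edit and HISTORY.txt as a MISMATCH afterwards, which is exactly the comparison the lab does between the FTK Imager .csv and the values shown in Autopsy and WinHex.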
Module 10 Lab Activities:

Lab 10.1 Analyzing a Forensic Image Hosting a Virtual Machine

1. Open the Autopsy program. Go to Options from the Tools menu. Click Hash Sets and import the database GCFI-Special Project-B-md5-hashes.txt. Check the Notable option and the Send ingest inbox message for each hit check box. In the Options window, under Information, click Index.
*Some options and names might differ based on the version of Autopsy. I am using Autopsy 4.9.0.

Figure 4-1 Importing and saving a new hash set in Autopsy 4.9.0.

2. Create a new case and add GCFI-Chris_Murphy.E01 as the data source. In the Configure Ingest Modules window, select all options except Android Analyzer. Make sure you select the Hash Lookup option. Select the GCFI-Special Project-B-md5-hashes check box in the Select notable hash set to use pane.

Figure 4-2 Configuring ingest modules for analyzing the GCFI-Chris_Murphy.E01 image file.

3. Wait until the process is finished.
*I noticed that a new drive appeared in the Data Sources pane, named cmvm-32bit.vhd. I realized that it was a Linux OS virtual environment installed on Chris Murphy's PC. The image analysis took approximately 5 hours to complete.

Figure 4-3 Analyzing the GCFI-Chris_Murphy.E01 image and its virtual environment cmvm-32bit.vhd in Autopsy 4.9.0.

4. In the left tree pane, go to the Hashset Hits > GCFI-Special Project-B-md5-hashes (20) folder. Select all contents and tag them as 'Special Project-B'.

Figure 4-4 Tagging files in the GCFI-Special Project-B-md5-hashes folder.
Figure 4-5 Creating a new 'Special Project-B' tag.

5. From the left tree pane, go to Results > Extracted Content > Extension Mismatch Detected. Click the åAAA.DAT file, click the Hex tab and examine the file's first two bytes in the Content Viewer pane. Then tag the file for follow-up.
*I was not able to see the hex values of the åAAA.DAT file. The first two bytes should read FF D8, which are the signature bytes of JPEG files, meaning the extension of the file had been modified. Instead, I looked at the MIME Type (Media Type) in the Result Viewer pane and realized that the file extension and the MIME type do not match.

Figure 4-6 Examining an extension-mismatched file, åAAA.DAT.

6. Click Keyword Lists, click the Manage Lists button, and then click the New List button in the Global Keyword Search Settings dialog box. In the New Keyword List dialog box, type Special Project-B. On the lower right side of the window, click New Keywords and add 'trade secret', 'Special Project-B', and 'classic American' to the keywords. Click OK, select the Exact Match check box, and click OK. Click Keyword Lists again, then click the Special Project-B check box and click Search.

Figure 4-7 Configuring Global Keyword Search Settings by adding certain keywords to a list, Special Project-B.
Figure 4-8 Selecting a new keyword list, Special Project-B, for the Keyword Lists search option.

7. View the results and find the following files: project2.exe, project2.odt, and project3.pdf. Multi-select those files and tag them as Special Project-B.
*There are two project2.exe files and two project2.odt files, so five files are selected and tagged.

Figure 4-9 Tagging project files which are possible evidence for Special Project-B.

8. In the left tree pane, go to Data Sources > GCFI-Chris_Murphy.E01 > Users > Documents. Examine each folder and its contents. After that, go to cmvm-32bit.vhd > vol2 (Linux (0x83): 2048-58427391) > home > Documents > Special Project-B. Examine its contents.
*I noticed that there are multiple files marked with yellow or red icons under the 'S' column in the Result Viewer pane, and it says they are suspicious files (red is more suspicious).

Figure 4-10 Suspicious files in the cmvm-32bit.vhd virtual drive related to the keyword list search.

9. From the left tree pane, go to Results > Extracted Content > EXIF Metadata. View its contents and notice the different data sources. Generate an HTML report with the tagged items 'Follow up' and 'Special Project-B'. View the report.
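The extension-mismatch check from step 5, as an added Python example (not the report's own work and not Autopsy's code): it compares a file's leading bytes against a small signature table and flags a file named .DAT whose content starts with the JPEG signature FF D8, the same condition Autopsy's Extension Mismatch Detected result reports. The signature table, MIME strings and sample files are constructed for this example.

```python
import os
import tempfile

# Small signature table for this example. Autopsy's file-type identification
# uses a far larger signature set; this is enough to show the technique.
SIGNATURES = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}, "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", {"png"}, "image/png"),
    (b"%PDF-", {"pdf"}, "application/pdf"),
    (b"MZ", {"exe", "dll", "sys"}, "application/x-dosexec"),
    (b"PK\x03\x04", {"zip", "docx", "odt", "xlsx"}, "application/zip"),
]

def identify(header):
    """Return (mime type, expected extensions) for the leading bytes, or None."""
    for magic, exts, mime in SIGNATURES:
        if header.startswith(magic):
            return mime, exts
    return None

def check_extension(path):
    """Classify a file as ok, mismatch or unknown by comparing signature and extension."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    found = identify(header)
    if found is None:
        return "unknown", None  # no signature in our table; cannot judge
    mime, exts = found
    return ("ok" if ext in exts else "mismatch"), mime

def scan(directory):
    """Run check_extension over every file in a directory: {name: (status, mime)}."""
    return {name: check_extension(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}

def demo():
    """Constructed samples: a JPEG header under a .DAT name (the pattern the lab
    found with åAAA.DAT, spelled here in ASCII), a real PDF header, plain text."""
    workdir = tempfile.mkdtemp()
    samples = {
        "aAAA.DAT": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        "project3.pdf": b"%PDF-1.4\n% constructed sample, not a real document\n",
        "notes.txt": b"plain text has no magic number\n",
    }
    for name, data in samples.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    return scan(workdir)
```

Files with no recognised signature are reported as unknown rather than ok, so a renamed file is never cleared simply because the table has no entry for it.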
Figure 4-11 Generating a report of tagged results.
Figure 4-12 Viewing the report with Microsoft Edge.

Lab 10.2 Conducting a Live Acquisition

1. On a USB drive (GCFI-Evid), download and save the following tools: Quickhash 3.0.2, WinAudit 3.4.3, MWSnap, and FTK Imager (3.1.1 or above).
*Make sure all tools are installed on the USB drive.

Figure 5-1 Multiple tools installed on a USB drive, GCFI-Evid, for the live acquisition.

2. Open WinAudit and let it run; it automatically begins collecting and displaying computer information. Once it is done, go to Windows Firewall under Security. Save the file to the USB drive.
*The process took approximately 5 minutes.

Figure 5-2 Viewing the Windows Firewall settings of the target system in WinAudit 3.4.3.

3. Open QuickHash and click the File tab. Select the MD5 option for the hash values and select the BOOTNXT file in the root folder (normally the C drive). The program will display the hash value. Save the hash value to the USB drive.
*I could not find the BOOTNXT file right in the root folder. I had to search for the file in File Explorer, and there were multiple BOOTNXT files in various locations. I selected the most recent file, with a date modified of 7/20/2023 3:44 AM.

Figure 5-3 Various BOOTNXT files in the system.
Figure 5-4 MD5 hash value of the BOOTNXT file computed in QuickHash 3.0.2 64-bit.

4. Launch the MWSnap program and select Full desktop in the left side pane under the Snap tab. Then click Snap full desktop. Save the screenshot to the USB drive as a PNG file.
Figure 5-5 Full desktop screenshot with MWSnap.

5. Open FTK Imager, click File, and then click Capture Memory. Click the Include pagefile check box and set the save location to the USB drive. Click Capture Memory to begin capturing RAM and the pagefile.sys file.
*The memory capture took about 1 hour, which was longer than I expected because the system had 13 GB RAM. Capturing the pagefile took much less time, about 10 minutes.

Figure 5-6 Capturing RAM and pagefile.sys of the target system using FTK Imager 4.7.1.2.
Figure 5-7 The process of RAM capturing in FTK Imager.
Figure 5-8 The process of page file extraction in FTK Imager.

6. After finishing the memory capture, create a disk image from the menu. Click the Logical Drive option and select the target drive. Create the image in E01 format and set the image compression level to 9 (smallest). Save the image to the USB drive and click Finish to start capturing the target drive. When it finishes, examine the results and the hash values of the created image.
*This process took approximately 30 minutes. The bigger the drive volume, the longer it takes to capture the drive.

Figure 5-9 Configuring image options.
Figure 5-10 The process of creating an image of the target drive in FTK Imager.
Figure 5-11 The results of the drive image.
Summary

Lab 9
Lab 9 focused on keyword searches, hash value calculations, and validation, using and comparing Autopsy, FTK Imager Lite, and WinHex. During Lab 9-1, I utilized Autopsy for keyword searches within an image file, revealing many results, including email content, with the keyword "project." The process was efficient, though the newer version of Autopsy used in the lab produced more results than expected. Lab 9-2 transitioned to validating file hash values using FTK Imager Lite. An interesting observation was the difference in file sizes in different panes, attributed to the inclusion of slack space in the Properties pane. The hash values matched across the tools used. Lab 9-3 employed WinHex for further hash value validation, confirming the consistency of the hash values obtained from FTK Imager Lite and the ability to edit hex values in WinHex, which was impossible in FTK Imager Lite.

Lab 10
I successfully analyzed a forensic image containing a virtual machine and conducted a live acquisition of the target system. In Lab 10-1, I used Autopsy to explore a virtual machine within a forensic image. It was worth noting that the findings included identifying a Linux OS virtual environment and several suspicious files, as indicated by the color-coded icons in Autopsy. I found the proposed business plan file with the keywords 'trade secret' and 'classic American' and noticed that the file was what I was looking for. The lab also highlighted the importance of matching file extensions with MIME types to detect potential file alterations. Lab 10-2 focused on the live acquisition, utilizing various tools like WinAudit, QuickHash, MWSnap, and FTK Imager. Key observations included the duration of the memory capture, which was influenced by the system's RAM size, and the efficiency of capturing the pagefile. Creating a disk image and capturing the target drive was also noted for its duration, which was dependent on the drive volume.
Review Questions & Answers

Lab 9-1
1. A
2. False
3. Yes. jim.shu@superiorbicycles.biz, jim_shu1@yahoo.com, jim_shu1@yahoo.comorbicycles.biz, jim_shu@comcast.net
4. 10
5. B, C, D

Lab 9-2
1. False
2. 857e0ac0648b17d68527a711942d0f10f95bc369
3. True
4. A
5. True

Lab 9-3
1. False
2. True
3. 10,317 bytes
4. False
5. A, C

Lab 10-1
1. C
2. D
3. D
4. A
5. A

Lab 10-2
1. A, B
2. B
3. True
4. A, C, D
5. True
References

Nelson, B., Phillips, A., & Steuart, C. (2018). Guide to computer forensics and investigations: Processing digital evidence (6th ed.). Cengage Learning.