CS 693 Lab 3

School: Boston University
Course: 693
Subject: Computer Science
Date: Apr 3, 2024
Type: docx
Pages: 23
Uploaded by CoachRook2818

MET CS 693_Lab3_Jimin Choi

MET CS 693 Digital Forensics and Investigations (Fall 2023)
Laboratory Report 3
Forensic Examiner – Jimin Choi
10/25/2023

Table of Contents:
Hardware and Software used ... 2
Purposes ... 2
Step-by-Step instructions with Screenshots and Comments ... 4
Summary ... 20
Review Questions and Answers ... 21
References ... 23
Hardware and Software used

Hardware:
- Model: 11th Gen Intel® Core(TM) i7-11800H @ 2.30GHz (16 CPUs) ~2.3GHz
- Memory: 32.0GB
- Devices: LENOVO Legion 5 Pro 82JF
- Citrix Workspace with Windows 10 Pro 64-bit

Software:
- Operating System: Windows 11 Home 64-bit (10.0, Build 22621)
- BIOS: H1CN33WW, 7/18/2021, mode UEFI, BaseBoard Product LNVNB161216
- Virtual Machine: Windows 10 Pro 64-bit (10.0, Build 19045), Memory 8GB, Processor Intel® Xeon® Platinum 8272CL CPU @ 2.60GHz (2 CPUs) ~2.6 GHz, HD 100 GB, Network Microsoft Hyper-V

Purposes

Lab 3-2
The primary purpose of this lab is to understand the different file system structures investigators encounter when searching for evidence in current and deleted files and folders (Nelson, 2018). FAT12 and FAT16 are rarely seen these days because they do not support volumes larger than 512 MB. FAT32 supports volumes up to 2 terabytes (2 TB) and is supported by all major operating systems: Linux, macOS, and Windows (Nelson, 2018). In this lab, I will focus on examining the FAT32 file system.

Lab 3-3
Several types of file systems were observed in lab 3-2. The main goal of this lab is to become familiar with the NTFS file system by examining an NTFS image using FTK Imager. NTFS offers advanced features such as file encryption, compression, and journaling, making it more reliable and secure than the FAT file systems (Nelson, 2018).

Lab 3-4
Like labs 3-2 and 3-3, this lab aims to teach how to process an HFS+ image using FTK Imager and to understand how it differs from the FAT32 and NTFS file systems.

Lab 5-1
The objective of this lab is to introduce the various Windows forensic tools available in DART. This lab demonstrates how to export Registry files using FTK Imager in DART. DART is a comprehensive toolkit for examining and imaging live Windows computers, capturing RAM contents, and recovering deleted or lost files (Nelson, 2018). Registry files such as Users, default, SAM, SECURITY, software, system, and userdiff are invaluable to investigators. They offer insight into user profiles and system configuration and help identify user accounts and hashed passwords. They also help recreate the state of the system at the time of an incident. Together, these files form a comprehensive picture of system usage, aiding investigators in their work. More information on the SAM and SYSTEM registry hives is given in labs 5-2 and 5-3.

Lab 5-2
This lab demonstrates how to examine the SAM hive, which contains usernames and password hashes, using FTK Imager and AccessData Registry Viewer. The SAM hive is crucial for forensic investigators because it stores valuable information about user accounts, passwords, and group definitions (Nelson, 2018).

Lab 5-3
The purpose of this lab is to explore how to view the SYSTEM hive using Registry Viewer and identify useful forensic information. The SYSTEM hive contains data about the computer's hardware and software configuration, drive letter assignments, and unique identifiers such as the product ID key (Nelson, 2018).

Lab 5-4
This lab focuses on learning how to load and examine the ntuser.dat file using Registry Viewer. The ntuser.dat file contains user-specific information, such as recently used files and devices, and can be crucial in forensic investigations (Nelson, 2018).
Step-by-Step instructions with screenshots and comments

Module 3 Lab Activities:

Lab 3.2 Examining a FAT Image

1. Open FTK Imager Lite. Add the evidence image files C3Proj2-1, C3Proj2-2, and C3Proj2-3.

2. Expand these evidence items in the Evidence Tree.
* I noticed that the default setting does not display the properties of the evidence. Under View, click Properties to view properties. Then I was able to observe the Bytes per Sector and Sector Count of C3Proj2-1 (FAT32).

3. Observe and record other information for all three evidence items, including: cluster size, cluster count, free cluster count, volume label, and volume serial number.

4. Under USBDEVICE [FAT32], select the [root] folder. Observe files in the folder with different views: Plain, Text, and Hex (eyeglasses icons on the toolbar).
* I was able to see the image with the plain view.

5. In each evidence item, find the files named 'Bank Location.doc', 'Interior safe.jpg', and 'safe deposit bonds.xls' and record their Start Cluster and Start Sector values in the Properties pane.
* I noticed that the HFS+ format file, C3Proj2-3, does not have a volume serial number or Start Sector for the files. According to Apple Inc. (2004), the HFS+ file system was developed by Apple and uses a different method of volume identification than Windows, a Volume UUID instead of a volume serial number. Also, HFS+ uses a B-Tree structure to store file metadata, including file locations. It does not require a fixed start sector like the file systems Windows uses.
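The volume properties recorded in steps 2, 3 and 5 (bytes per sector, sector count, cluster size, cluster count, volume label, serial number, and a file's Start Cluster versus Start Sector) all derive from the FAT32 boot sector. The Python below is an added example, not code from the lab report or from FTK Imager: it builds a constructed sample boot sector, parses the BIOS Parameter Block fields, and maps a Start Cluster to its Start Sector. The free cluster count lives in the separate FSInfo sector and is not covered here.

```python
import struct

# Offsets below follow the FAT32 BIOS Parameter Block layout; the boot sector
# itself is a constructed sample, not data from the C3Proj2-1 image.
def build_sample_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                             reserved=32, num_fats=2, total_sectors=2097152,
                             sectors_per_fat=2048, label=b"USBDEVICE  ",
                             serial=0x1A2B3C4D):
    bs = bytearray(512)                       # unset BPB fields stay zero
    bs[0:3] = b"\xEB\x58\x90"                 # jump instruction
    bs[3:11] = b"MSWIN4.1"                    # OEM name
    struct.pack_into("<HBHB", bs, 11, bytes_per_sector, sectors_per_cluster,
                     reserved, num_fats)      # BPB_BytsPerSec .. BPB_NumFATs
    bs[21] = 0xF8                             # media descriptor (fixed disk)
    struct.pack_into("<I", bs, 32, total_sectors)    # BPB_TotSec32
    struct.pack_into("<I", bs, 36, sectors_per_fat)  # BPB_FATSz32
    struct.pack_into("<I", bs, 44, 2)         # root directory starts at cluster 2
    struct.pack_into("<I", bs, 67, serial)    # BS_VolID (volume serial number)
    bs[71:82] = label                         # BS_VolLab, 11 bytes, space padded
    bs[82:90] = b"FAT32   "                   # BS_FilSysType
    bs[510:512] = b"\x55\xAA"                 # boot signature
    return bytes(bs)

def parse_fat32_boot_sector(bs):
    """Return the volume properties FTK Imager shows for a FAT32 evidence item."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("not a valid boot sector: missing 0x55AA signature")
    bps, spc, reserved, num_fats = struct.unpack_from("<HBHB", bs, 11)
    total16, = struct.unpack_from("<H", bs, 19)          # BPB_TotSec16
    total32, = struct.unpack_from("<I", bs, 32)          # BPB_TotSec32
    sectors_per_fat, = struct.unpack_from("<I", bs, 36)  # BPB_FATSz32
    serial, = struct.unpack_from("<I", bs, 67)
    total_sectors = total16 or total32                   # 16-bit field is 0 on FAT32
    data_start = reserved + num_fats * sectors_per_fat   # first sector of cluster 2
    return {
        "bytes_per_sector": bps,
        "sector_count": total_sectors,
        "sectors_per_cluster": spc,
        "cluster_size": bps * spc,
        "cluster_count": (total_sectors - data_start) // spc,
        "volume_label": bs[71:82].decode("ascii", "replace").rstrip(),
        "volume_serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
        "data_start_sector": data_start,
    }

def cluster_to_sector(info, start_cluster):
    """Map a file's Start Cluster to its Start Sector (FAT32 data area begins at cluster 2)."""
    if start_cluster < 2:
        raise ValueError("FAT32 data clusters are numbered from 2")
    return info["data_start_sector"] + (start_cluster - 2) * info["sectors_per_cluster"]
```

Running the parser over a real image's first 512 bytes (after verifying the image hash) gives the same values FTK Imager lists in the Properties pane, which is a useful cross-check of the tool's output.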
Lab 3.3 Examining an NTFS Image

1. Click the [root] folder of USBDevice [NTFS] and examine the files.
* I noticed that the NTFS file system contains a bad cluster identification ($BadClus) folder and Master File Table (MFT) files, unlike FAT32. Additionally, for deleted items, NTFS has the Date Accessed field, which FAT32 does not have.
2. Compare the properties and hex data of files in NTFS and FAT32.
* I noticed that the image file in NTFS contains EXIF data, which is information about the camera used for the image. The information includes model, manufacturer, shutter speed, lens aperture, ISO speed, and software (Nelson, 2018). For the 'lobby.jpg' image, I could observe that the image was taken by a Canon EOS camera and modified with Adobe Photoshop 7.0 on Mac OS X 10.3.9.

Lab 3.4 Examining an HFS+ Image

1. Similar to lab 3-3, examine the USBDevice HFS+ contents and differences.
* I noticed that HFS+ has a .Trashes folder instead of the 'X'-marked (deleted) files in FAT32 and NTFS. As I mentioned in lab 3-2, HFS+ did not have the volume serial number or the Start Sector of files. It lists a Date Accessed field and provides EXIF data as NTFS does. I also noticed that HFS+ does not have a [root] folder as FAT32 and NTFS do.
Module 5 Lab Activities:

Lab 5.1 Using DART to Export Windows Registry Files

1. Open the DART program with the authenticated user (refer to lab 2-1, step 8). When the 'Browse For Folder' window pops up, select the DISK_1 (C:) drive. Select the Acquire icon, expand Image, and click FTK Imager. Click START AS ADMIN to launch FTK Imager.

2. In FTK Imager, click Obtain Protected Files under the File tab. In the Obtain System Files window, select the 'Password recovery and all registry files' option.
* The process took about 1 minute.
3. Go to the saved folder and view the registry files.
* These are essential registry files for the investigation, as discussed in the purpose of the lab (page 2).

Lab 5.2 Examining the SAM Hive

1. Download the lab file, InCh05.exe, and launch it to extract. Open FTK Imager and add the extracted file, InCh05.img. Expand InCh05.img in the Evidence Tree pane and go to the 6gb [NTFS] – Users – Denise folder. Right-click the 'ntuser.dat' file and export it.

2. In the Evidence Tree pane, go to the Windows – System32 – Config folder and multi-select the SYSTEM, SOFTWARE, SECURITY, SAM, and DEFAULT files. Right-click to export.

3. Open Registry Viewer [Demo] and open the 'SAM' file that was exported from FTK Imager. In the left tree pane, go to the SAM – Domains – Account – Users – 000001F4 folder and observe the key properties in the lower left pane.
* A SID is a unique number for a system account; default accounts have values of 500, 501, and 1000 (Nelson, 2018). That indicates the user 000001F4 is a default Administrator account, as the figure shows. The key properties also indicate other valuable information such as the logon count, the last logon time, the time when the password was changed, etc. This tells me the SAM data provides a great deal of information associated with system accounts.

4. Observe the other accounts as well.
* I noticed that I could find out whether the account is activated or not. Non-default accounts had random SID values, 1001 and 1004.

5. In the left pane, expand the Names folder and click the jfriday folder to see the last written time entry of the account.
* The last written time was 2/6/2014 18:44:26 UTC, which is the time when the password of this account was changed.
Lab 5.3 Examining the SYSTEM Hive

1. In Registry Viewer, open the 'SYSTEM' file that was exported from FTK Imager in lab 5-2. In the left pane, go to the ControlSet001 – Control – ComputerName – ComputerName folder.
* I noticed that there are two registry entries in the ComputerName folder, but the entry with the name 'ComputerName' should be the one the user created, 'GCFI5E'.

2. In the left pane, find and click the TimeZoneInformation folder. Observe the registry entries in the folder.
* This is critical information when investigating due to the various time zones of computer systems. Investigators use Coordinated Universal Time (UTC) when time-stamping and reporting the investigation. This account uses Pacific Standard Time (PST).

3. In the left pane, expand the Enum folder and the IDE folder, and observe the CdRomVBox_CD-ROM folder under the IDE and USB folders.
* It tells me that SYSTEM data provides information about devices that have been connected to the system and configuration data for the system's hardware and software (Nelson, 2018).

4. In the left pane, select the MountedDevices folder and observe the registry entries that indicate storage devices that have been mounted in the system.
* They also indicate the drive letter of the storage device.

Lab 5.4 Examining the ntuser.dat Registry File

1. In Registry Viewer, open the 'ntuser.dat' file. Click Find under the Edit toolbar, type Denise and press Enter. Press F3 on the keyboard to find the next match.
* The first registry key associated with Denise was Dropbox. As I kept searching the associated registry entries, I found the email address registered with the system with the full name of Denise, 'denise.robinson5@outlook.com'. As the lab instructed, I typed and searched 'jfriday'; however, no results were found because the ntuser.dat file was specific to the account 'Denise'. Thus, I opened and searched the ntuser.dat file for the 'jfriday' account, and I could find valuable information such as what software the 'jfriday' user used.
Summary

Lab 3
The labs focusing on examining FAT, NTFS, and HFS+ images serve as a comprehensive introduction to different file systems and their forensic implications. The FAT32 file system has limitations in storage capacity and features compared to the NTFS file system. NTFS has features such as encryption that make it more secure and reliable, and it provides more file properties than FAT32, such as the Date Accessed time and the EXIF information of image files. The HFS+ file system had similar features to NTFS, but it was unique because of its different file system design from Windows. It did not have some information that FAT32 and NTFS have, such as the volume serial number of the device and the start sector of the files.

Lab 5
Lab 5 introduced the sophistication of Windows Registry files and their importance in forensic investigations. I learned how to export key registry files using DART and FTK Imager, a toolkit for examining live Windows systems. During the examination of the SAM hive, which is vital for understanding user accounts, I was able to differentiate between default user accounts, non-default accounts, active accounts, and inactive accounts. The SAM hive also provided a timeline of user access and password changes. Examining the SYSTEM hive was also crucial, revealing valuable information about the computer hardware that has been used, such as CD-ROM and USB devices. I could also tell which time zone the computer system used, which is essential information when investigating. The ntuser.dat file contained user-specific information that is crucial for investigators to understand individual user behavior. For example, I could obtain the email address, which had the full name of the user, and the software and programs the user used.
Review Questions & Answers

Lab 3-2
1. B
2. C
3. A
4. B
5. A

Lab 3-3
1. C
2. B
3. A
4. B
5. A and B

Lab 3-4
1. C
2. A
3. C
4. D
5. A

Lab 5-1
1. False
2. False
3. B and C
4. True
5. True

Lab 5-2
1. C
2. A
3. False
4. 500, 501
5. True

Lab 5-3
1. B
2. D
3. 2
4. D
5. False

Lab 5-4
1. False
2. C
3. B and D
4. B and C
5. C
References

Apple Inc. (2004). HFS Plus Volume Format. Technical Note TN1150: HFS Plus Volume Format. https://developer.apple.com/library/archive/technotes/tn/tn1150.html#BTrees

Nelson, B., Phillips, A., & Steuart, C. (2018). Guide to computer forensics and investigations: Processing digital evidence (6th ed.). Cengage Learning.