Cyber Range Lab Assignment Report 11

School: Southern New Hampshire University
Course: MBA530
Subject: Industrial Engineering
Date: Jan 9, 2024
Pages: 14
Uploaded by ericbraxton8
IST 894 Capstone Experience Cyber Range Lab Assignment Report 11 Page 1 of 14
Table of Contents
1.0 Introduction ............ 3
2.0 General Context ......... 3
3.0 Technical Context ....... 4
4.0 Solution ................ 5
5.0 Activity Log ............ 12
6.0 References .............. 12
1.0 Introduction

In this lab, we will utilize the “Cyber Basics (2020.12)” environment within the U.S. Cyber Range. This lab exercise will provide hands-on experience with reconnaissance, network scanning, and service enumeration.

2.0 General Context

In this lab exercise, I utilized the U.S. Cyber Range, which provides an environment for educators, industry, and others that allows for hands-on cybersecurity training and education to increase the number of skilled cybersecurity experts across all sectors (U.S. Cyber Range, 2020). Inside the lab environment, I used a VM running the SANS SIFT Linux distribution to analyze the disk contents of a Windows 7 Enterprise laptop. The first portion of the lab was simply logging into the virtual machine and expanding the Windows 7 disk image. Once expanded, I was able to change the terminal directory to the Windows 7 filesystem to perform various forensics tasks using an application called RegRipper, which was developed by forensics software application designer Harlan Carvey (forensicswiki, 2019). RegRipper is an open-source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis (Kali, 2021). Once I launched RegRipper, I explored the different plugins, each of which extracts different information from the disk image. One important thing to know with RegRipper is that you must have previous knowledge of the Windows file system and which hives to search. Once I was comfortable with RegRipper and had browsed through the different plugins, I took a deeper dive and used the different plugins to extract specific information about the Windows 7 laptop and its users. This is where RegRipper is valuable for a digital forensics expert: it has a plugin for almost anything that you would inquire about, such as the operating system information, version, service pack installed, etc. (osforensics, 2020).
It also allows a user to view the user accounts and associated SIDs, what the workstation was used for, the number of USB devices that have been used on the system, and the workstation's IP address. It can also let you know specific information about a user, such as the individual's browser history, the files they navigated through and searches for specific file types, and startup programs, down to the audit policy configuration. As you can see, having the knowledge to use a tool such as RegRipper is invaluable to a forensics expert when extracting specific information from a disk image.

3.0 Technical Context

For this lab, I utilized the U.S. Cyber Range to get hands-on training. It provides an environment for educators, industry, and others that allows for hands-on cybersecurity training and education to increase the number of skilled cybersecurity experts across all sectors (U.S. Cyber Range, 2020). Inside the lab environment, I used a virtual machine running the SANS SIFT Linux distribution to analyze the disk contents of a Windows 7 Enterprise laptop. The first portion of the lab was simply logging into the virtual machine and expanding the Windows 7 disk image. Once the disk was expanded using the Linux tar command, I changed directories to the Windows 7 file system to further analyze the disk image using a plethora of forensics tools in an application called RegRipper. RegRipper is an open-source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis (Kali, 2021). RegRipper offers a GUI and a CLI, and I used the CLI for the purpose of this lab. Inside the RegRipper terminal window, I studied the different plugins and the syntax needed to run the plugins. I needed to be familiar with the Windows file system so I knew where to execute the RegRipper commands from. For instance, some plugins need to be run against the SECURITY hive, while others are run against NTUSER.DAT, SYSTEM, etc. Therefore, it's crucial to have prior knowledge of the Windows file system structure.
Once I was comfortable with RegRipper and had completed browsing through the various plugins, I performed a deeper dive to extract specific data regarding the Windows 7 laptop. This includes analyzing things from the file system, user accounts, installed software, file types, etc. (osforensics, 2020). I would suggest RegRipper to a digital forensics expert who wished to extract data from a disk image because it has a plugin for almost every aspect of the Windows system. Running rip.pl with the winver plugin will provide you with the operating system, service pack, and the initial installation date. RegRipper also requires different parameters, such as -r to specify the registry hive and -p for the plugin module that is being used. By using the SOFTWARE hive, a forensics expert can determine the name and path of installed software, product install information, network cards attached to the system, etc. By using the SYSTEM hive, a user can determine the computer name, devices that have been attached to the system (such as cameras, webcams, scanners, etc.), the MAC address, mounted devices on the system, storage devices, network information from the NIC, RDP information, network routes, etc. There is an abundance of options. Using the NTUSER hive, you can determine what software was installed by a certain user and when, recently opened MMC plugins, recently opened applications, URLs typed by a specific user, Windows searches, etc. RegRipper is a powerful tool that can be extremely valuable to the correct user, while it can also be harmful in the hands of a malicious actor.

4.0 Solution

Initial Setup: I started the lab by first logging into the “Introduction to Forensics” VM on the US Cyber Range. I used the following credentials to log on.
Username: sansforensics
Password: forensics

Once I successfully logged in, the next step was to use a Terminal window to expand an image file using the command cd /home/sansforensics/Desktop/cases/01_Filesystems and then tar -xvf ./Win7_Laptop.tar.gz. The screenshot below is the result of running those two commands, and the second screenshot is the File Manager view.
Tasks: In this task, I navigated to the location of the Windows 7 Registry hives via Terminal. I ran the command rip.pl -l, which lists all the available plugins for RegRipper. Currently, there are 312 available plugins; however, more are added regularly.
Next, I ran the command rip.pl -r ./Windows/System32/config/SOFTWARE -p winver, which will let me know the operating system, service pack, and installation date. The -r is used to specify the registry hive location and -p for the plugin module being used. The next command, rip.pl -r ./Windows/System32/config/SOFTWARE -p profilelist, will provide a list of information about the local and domain profiles on the system, using the profilelist plugin.
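The two commands above, and the hive descriptions in the Technical Context, follow one pattern: each plugin is run with rip.pl -r against the hive that holds its data, and the output is kept per plugin. The script below is an added example written for this report, not code from the lab or from RegRipper, that drives that pattern for a whole expanded image. It assumes rip.pl is on the PATH and that the image root has the Windows 7 layout used here (Windows/System32/config/* and Users/<name>/NTUSER.DAT). Only winver and profilelist are taken from this report; the other plugin names are the ones shipped in standard RegRipper distributions and should be confirmed with rip.pl -l on your install. Each hive is hashed before it is read so the report can record that the evidence was not altered.

```python
import hashlib
import subprocess
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Hive -> plugins. winver and profilelist are the two run in this report; the
# remaining plugin names are from standard RegRipper distributions (check `rip.pl -l`).
HIVE_PLUGINS: Dict[str, List[str]] = {
    "Windows/System32/config/SOFTWARE": ["winver", "profilelist"],
    "Windows/System32/config/SYSTEM": ["compname", "shutdown", "usbstor", "timezone"],
    "Windows/System32/config/SECURITY": ["auditpol"],
}
# Per-user hive (Users/<name>/NTUSER.DAT on Windows 7).
NTUSER_PLUGINS = ["recentdocs", "typedurls"]


def discover_user_hives(root: Path) -> List[str]:
    """Find each profile's NTUSER.DAT under <root>/Users (case-sensitive on Linux)."""
    return sorted(str(p.relative_to(root)) for p in root.glob("Users/*/NTUSER.DAT"))


def build_commands(root, rip: str = "rip.pl",
                   user_hives: Optional[Iterable[str]] = None) -> List[List[str]]:
    """Return one `rip.pl -r <hive> -p <plugin>` argument list per plugin.
    Argument lists (no shell) so an odd file name in the image cannot inject options."""
    root = Path(root)
    hives = dict(HIVE_PLUGINS)
    if user_hives is None:
        user_hives = discover_user_hives(root)
    for rel in user_hives:
        hives[rel] = NTUSER_PLUGINS
    return [[rip, "-r", str(root / rel), "-p", plugin]
            for rel, plugins in hives.items() for plugin in plugins]


def sha256_file(path: Path) -> str:
    """Stream the hive through SHA-256 so large hives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def output_name(cmd: List[str]) -> str:
    """<HIVEFILE>_<plugin>.txt, e.g. SOFTWARE_winver.txt; per-user hives get the
    profile name prefixed so Dug's and John's results do not overwrite each other."""
    hive, plugin = Path(cmd[2]), cmd[4]
    prefix = f"{hive.parent.name}_" if hive.name.upper() == "NTUSER.DAT" else ""
    return f"{prefix}{hive.name}_{plugin}.txt"


def run_all(root, out_dir, rip: str = "rip.pl") -> Dict[str, str]:
    """Hash every hive before reading it, run each plugin, save stdout (+stderr) per plugin.
    Returns {hive path: sha256} for the evidence section of the report."""
    root, out_dir = Path(root), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    hashes: Dict[str, str] = {}
    for cmd in build_commands(root, rip):
        hive = cmd[2]
        if hive not in hashes:
            hashes[hive] = sha256_file(Path(hive))
        # check=False: a plugin that does not apply to a hive must not abort the sweep.
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
        (out_dir / output_name(cmd)).write_text(
            proc.stdout + (f"\n[stderr]\n{proc.stderr}" if proc.stderr else ""))
    (out_dir / "hive_hashes.txt").write_text(
        "".join(f"{digest}  {hive}\n" for hive, digest in hashes.items()))
    return hashes


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: rip_sweep.py <expanded-image-root> <output-dir>")
    for hive, digest in run_all(sys.argv[1], sys.argv[2]).items():
        print(digest, hive)
```

Run it from the SIFT terminal as `python3 rip_sweep.py /home/sansforensics/Desktop/cases/01_Filesystems/Win7_Laptop ./rip_out` (the image root path is an assumption; use wherever the tar expanded). The per-plugin text files are what the screenshots in this report show, and hive_hashes.txt is the integrity record to attach to them.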
The Windows 7 laptop was running Windows 7 Enterprise, Service Pack 1. The users and SIDs on the system are:
1. System Profile SID: S-1-5-18
2. Local Service SID: S-1-5-19
3. Network Service SID: S-1-5-20
4. John SID: S-1-5-21-1243504476-1526258261-327839578-1000
5. Dug SID: S-1-5-21-1243504476-1526258261-327839578-1001
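The profilelist output above mixes well-known service SIDs (S-1-5-18/19/20) with account SIDs of the form S-1-5-21-<machine or domain id>-<RID>. An examiner reads those account SIDs for two things: the RID (500 is the built-in Administrator, 1000 and up are accounts created on the box) and whether all profiles were issued by the same machine or domain identifier, since a profile with a different issuer points at a domain or other-machine account. The script below is an added example, not part of the lab or of RegRipper, that performs that reading. Its sample input is constructed from the five entries listed above, not copied from plugin output, and its well-known SID table is a small lookup built from public Microsoft documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known service SIDs present in every Windows ProfileList (lookup table
# constructed here from public Microsoft documentation; not exhaustive).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed from the profile listing in this report (not verbatim plugin output).
PROFILE_LISTING = """\
System Profile SID: S-1-5-18
Local Service SID: S-1-5-19
Network Service SID: S-1-5-20
John SID: S-1-5-21-1243504476-1526258261-327839578-1000
Dug SID: S-1-5-21-1243504476-1526258261-327839578-1001
"""

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
LINE_RE = re.compile(r"^(?P<name>.+?)\s+SID:\s*(?P<sid>S-1-[\d-]+)\s*$")


@dataclass(frozen=True)
class Sid:
    raw: str
    authority: int
    subauthorities: Tuple[int, ...]

    def machine_id(self) -> Optional[str]:
        """For S-1-5-21-X-Y-Z-RID, X-Y-Z identifies the issuing machine or domain."""
        if (self.authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21):
            return "-".join(str(s) for s in self.subauthorities[1:4])
        return None

    def rid(self) -> Optional[int]:
        """Relative identifier (last sub-authority) of an S-1-5-21 account SID."""
        return self.subauthorities[-1] if self.machine_id() is not None else None

    def classify(self) -> str:
        if self.raw in WELL_KNOWN_SIDS:
            return WELL_KNOWN_SIDS[self.raw]
        rid = self.rid()
        if rid is None:
            return "other/unknown"
        if rid == 500:
            return "built-in Administrator"
        if rid == 501:
            return "built-in Guest"
        if rid >= 1000:
            return "user or group account (RID >= 1000)"
        return "built-in account (RID < 1000)"


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(x) for x in m.group(2).split("-")[1:])
    return Sid(text.strip(), int(m.group(1)), subs)


def summarize_profiles(listing: str) -> List[dict]:
    """Parse 'Name SID: S-...' lines and annotate each with issuer, RID and class."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers or blank lines
        sid = parse_sid(m.group("sid"))
        rows.append({"name": m.group("name"), "sid": sid.raw,
                     "machine_id": sid.machine_id(), "rid": sid.rid(),
                     "class": sid.classify()})
    return rows


def foreign_profiles(rows: List[dict]) -> List[dict]:
    """Account profiles whose issuer differs from the most common issuer in the
    listing; on a standalone workstation these indicate domain or other-machine accounts."""
    issuers = [r["machine_id"] for r in rows if r["machine_id"]]
    if not issuers:
        return []
    local = max(set(issuers), key=issuers.count)
    return [r for r in rows if r["machine_id"] and r["machine_id"] != local]


if __name__ == "__main__":
    rows = summarize_profiles(PROFILE_LISTING)
    for r in rows:
        print(f"{r['name']:<16} {r['sid']:<50} rid={r['rid']!s:<5} {r['class']}")
    print("profiles from another issuer:", foreign_profiles(rows))
```

On the listing from this laptop, John and Dug share the issuer 1243504476-1526258261-327839578 with RIDs 1000 and 1001, so both are local accounts created on this machine, and foreign_profiles returns nothing.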
The Windows 7 laptop is being used as a workstation. Several USB devices have been plugged into the Windows 7 system. The screenshot below lists them with their associated serial numbers.
The system was last shut down on March 30, 2016. The computer is set up for RDP over port 3389. Dug's recent files: you can see that best.txt and note.txt were accessed.
Dug's URLs that he visited via Internet Explorer. Dug's installed software.
Other information I can determine from the workstation is the time zone. Information about the Windows 7 network card.
Installed Network Cards. Audit Policy Configuration. Auditing is not enabled.

5.0 Activity Log

5.1 - Member Log
Member Name: Eric Braxton
Task Date: 11/17/2021
Task Details: Completed all lab steps and lab report.

6.0 References

Kali (2021). RegRipper. https://www.kali.org/tools/regripper/
osforensics (2020). Using OSForensics with RegRipper. https://www.osforensics.com/faqs-and-tutorials/using-with-regripper.html
forensicswiki (2019). Regripper. https://forensicswiki.xyz/wiki/index.php?title=Regripper
U.S. Cyber Range (2020). About the U.S. Cyber Range. Retrieved on 14 October 2021 from https://www.uscyberrange.org/about