CYS 285 - Lab 9 - Digital Forensics_Student2023-1 (docx, 6 pages)
School: Northern Kentucky University
Course: 285 (Information Systems)
Date: Dec 6, 2023
CYS 285: Lab 9 – Digital Forensics
In this lab you’ll perform several digital forensic practices, where you’ll get experience with the ‘Analysis’ and ‘Examination’ phases of the Digital Forensics Research Workshop (DFRWS) framework, which is used to structure and organize the digital forensic process. There are other frameworks and models used with different stages and phases, but most follow a similar structure, where the key components include Acquisition (Collection), Examination, Analysis and Presentation. The steps taken in each phase also vary, but the overall goal of digital forensics is to use data to answer questions about ‘what’ happened, ‘how’ it happened, and in the case of incident response, prevent it from happening again.
References:
DFRWS Framework slides - https://dfrws.org/wp-content/uploads/2019/06/2004_USA_pres-a_framework_for_digital_forensic_science.pdf
Digital Forensic models - https://resources.infosecinstitute.com/topic/digital-forensics-models/
1: DFRWS Framework: Collecting Data
Collecting evidence includes maintaining a chain of custody and creating a forensic copy of evidence to
work with during the investigation. For the purposes of this section, forensic copies of the files to be
analyzed have already been made. Follow the steps below to begin the examination.
1.1: In your Kali VM, download the lab files from Canvas or, if unable to connect to Canvas in Kali, download the files from:
https://github.com/thomasc5NKU/CYS285-/blob/main/ForensicLab_Zipped%20(1).zip
1. At the GitHub page, towards the bottom, select the ‘View raw’ link or download button to start the download.
2. Once the zip folder is downloaded to Kali, select the "Save File" radio button and hit the "Open" button.
3. Select the "Files" folder icon in the left menu, then double click the "Downloads" folder.
4. Double click the "ForensicLab_Zipped.zip" folder, then select the "Extract" button (top left corner).
5. In the new window, select the new "Extract" button (upper right corner).
6. Either close the message window or select the view files button.
7. There should be 4 files in Downloads now.
   o test1.jpg
   o test2.jpg
   o test3.jpg
   o image_carv_2017.raw
Double-click the three test#.jpg files to open them in Image Viewer.
Are there any differences in the photos you can detect visually?
Are there differences between what is listed under the ‘Properties’ section?
Updated 2023 p1
2: Analyzing Data
2.1: For each test#.jpg file, view more of its properties by clicking the button with three vertical dots, then select ‘Image Properties’. In the new window, information about each file is provided under the ‘General’, ‘Metadata’ and ‘Details’ tabs. Explore these tabs to complete the table below. Note: be sure to expand the header information under the tabs by clicking the arrows.
File Name | Size (Width, Height, Bytes) | File Type | Time Stamp Information (original and digitized)
test1.jpg |  |  | Original:  Digitized:
test2.jpg |  |  | Original:  Digitized:
test3.jpg |  |  | Original:  Digitized:

File Name | Camera Make | Camera Model | Flash (on/off) | Image Creator
test1.jpg |  |  |  |
test2.jpg |  |  |  |
test3.jpg |  |  |  |
3: Analyzing data with Exif
Exif is a program commonly used in a computer forensic investigation to examine metadata from the command line. Programs such as exiftool can also modify metadata.
Resources for Exif
https://exiftool.org/sample_images.html - image repository
https://exiftool.org/examples.html - ExifTool command line examples
https://metacpan.org/pod/exiftool & https://metacpan.org/pod/exiftool#WRITING-EXAMPLES - Reading and Writing metadata from ExifTool
3.1: Open a new terminal, change to the ForensicLab folder and run exif on each test#.jpg file
cd Downloads/ForensicLab
exif test1.jpg
exif test2.jpg
exif test3.jpg
Complete the table below using the returned output.
Field | test1.jpg | test2.jpg | test3.jpg
Manufacturer |  |  |
Model |  |  |
Flash |  |  |
XP author / XP keyword |  |  |
Date and Time stamp (Original) |  |  |
Date and Time stamp (Digital) |  |  |
3.2: Calculate an md5 hash for each test#.jpg and screenshot the values below.
md5sum test#.jpg
Based on the visual inspection, the test#.jpg metadata viewed with exif, and the md5 hashes calculated, what do you think is going on with these files?
If you were a digital forensic examiner tasked with analyzing these files and got these results, would you have any suspicions of malicious activity?
4: Data Collection and Recovery using File Carving
In this section you will carve a JPEG image file out of raw data using the dd program. dd is a “command-line utility for Unix and Unix-like operating systems”. Although dd was not originally designed for computer forensics, it has become a de facto tool that many investigators are familiar with.
Reference:
“A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform” - Barry J. Grundy [https://linuxleo.com/]
4.1: From a new terminal, change to the Downloads/ForensicLab folder. Next, use the program xxd to open the image file and page through it by hitting the spacebar. After briefly looking through the file’s content, hit the letter ‘q’ to return to the prompt.
xxd image_carv_2017.raw | less
As you can see from the command above, the image_carv_2017.raw image is really just a file full of
random characters, but somewhere inside this random data is a standard JPEG image. Let’s try and
recover the picture.
4.2: In the example below, xxd was used to view the content of a PNG image. Notice in the output that the PNG file signature (highlighted in yellow) starts at hexadecimal offset row 0x00, with a file signature of 8950 4E47 0D0A 1A0A.
The second highlighted portion (in orange) provides information about the image itself. While this is not a file signature, it does show that the readable text string “Software gnome-screenshot” begins at hexadecimal offset row 0x30 and ends at 0x50.
A JPEG has a standard file signature starting with ffd8 in hexadecimal. The string ‘ffd8’ is common and will most likely be found by xxd in multiple places. The key is to also look for additional hexadecimal strings confirming this is a JPEG image. Find the ffd8 string that is followed by the hex characters ffe0 0010 4a46 4946, the file signature of the JFIF format for sending images over the Internet.
xxd image_carv_2017.raw | grep ffd8
1. What hexadecimal offset row has the full file signature string ffd8 ffe0 0010 4a46 4946?
To carve out our jpeg image from the raw data, we’ll need every byte of the image, including file headers and footers. In the next steps you’ll use a simple calculator to convert the offset row hexadecimal found above to decimal.
printf "%d\n" 0xQuestion_1_HexValue
2. What decimal number was returned?
From the results, you can see multiple lines are returned. So, to reduce the number of results, we need the actual (i.e., physical) starting position of the jpeg header and not just the offset row where the header is located. To get the physical starting position of the header, add 6 to the decimal value calculated in question 2 using the command-line calculator gcalccmd. We add 6 because the jpeg image does not start at the beginning of an offset row (e.g., 0x00). It actually starts 6 bytes into the offset row found in question 1.
gcalccmd
Question_2_Decimal_Number + 6
Use ctrl+c to exit and get back to the prompt.
3. What is the physical starting position of the jpeg file in decimal?
The resulting number above is the starting position of the jpeg in decimal. However, we also need to find the end of the jpeg. This allows us to only carve out what is needed. Issue the command below to search for the jpeg file footer signature value of ffd9.
xxd image_carv_2017.raw | grep ffd9
Next, issue the following command, where Decimal_Start is the value from question 3.
xxd -s Decimal_Start image_carv_2017.raw | grep ffd9
4. What offset row hex value is returned?
5. Convert this value to decimal and record it below.
The full size of the image can now be calculated by subtracting the beginning of the jpeg file header from the end of the jpeg file. Issue the command below, where Question 5 Value is the decimal number from question 5 and Question 3 Value is the decimal number from question 3.
echo "Question 5 Value - Question 3 Value" | gcalccmd
6. What is the size of the image to be carved?
If the above was done correctly, the jpeg can now be carved from the raw data using dd and the following options:
skip = number of bytes skipped to reach the start of the image. Use the decimal value from question 3.
bs = number of bytes per block
count = number of blocks carved out of the raw data. Use the decimal value from question 6.
dd if=image_carv_2017.raw of=carved.jpg bs=1 skip=Q3_value count=Q6_value
If no errors are reported from dd, you’ll see an output of total bytes copied and the amount of time to complete the carve.
7. Screenshot this information and insert it below.
If errors are returned, go back and double-check your calculations.
View your forensic work with the command below.
eog carved.jpg
Submission
After successfully carving the image from the data, upload a completed version of this document to
Canvas.