Digital Forensics Analysis and Application lab

The attached summary report needs to be filled out. The CMIT 424 lab 3 procedures give instructions on how to complete the lab and the "how to access lab" pdf shows how to log into the lab. https://vdi.umuc.edu/Citrix/UMGCWeb/ is the website to access the lab. Will provide username and password to log into UMUC.
cmit_424_lab_3_procedure_v2_rev.docx

howtoaccesslab.pdf

summary_report_template_cmit_4241.docx


CMIT 424: Digital Forensics Analysis and Application
Lab 3: Analysis of Partitions, File Systems, and Unallocated Space
WinHex (Specialist License) is a trimmed down version of a very powerful suite of digital forensics
software – X-Ways Forensics. In this lab, you will learn how to use WinHex to perform advanced
analytical techniques.
One of the limitations of the “Specialist” license is that WinHex will only allow analysis and
processing of raw format image files. “Container” files, i.e. E01, can be viewed in WinHex, but
no searching or processing is allowed.
Note: for some processing operations in this lab, an estimated time-to-complete is provided. During
times of heavy system loading for the VDA or if there are significant network delays between your
location and the VDA hosting facility, these times may be significantly longer.
The lab is divided into sections which can be completed independently provided that you save your
work products in between sessions.
Guided Practice #1: Converting a Forensic Image File from E01 to Raw Format
In this Guided Practice, you will use FTK Imager to convert a compressed and encrypted forensic image
“container” file (E01 format) to an uncompressed and unencrypted format (Raw / dd format) so that you
can examine it using WinHex Specialist. The output file(s) will have a numeric file extension beginning
with .001. If additional files are needed, the extensions will be .002, .003, etc. To open the set of files
containing the raw format forensic image, you will always choose the .001 file. (If you cannot see the file
extensions, change your folder view options. Unselect “hide file extensions for known files.”)
1. Create a folder to hold your converted file (C:\Cases\Images)
2. Launch FTK Imager using the shortcut found in the “Forensic Tools” folder on the VDA desktop.
Copyright © 2018 by University of Maryland University College. All Rights Reserved.
3. Select File > Create Disk Image from the FTK Imager menus
4. In the “Select Source” window, choose “Image File” as your source evidence type. Then click
Next.
5. In the “Select File” window, click Browse.
6. In the “Open” window, navigate to H:\Lab Resources\Resources\Lab3 and select file
Lab3_USB1.E01. Then click Open.
7. Verify that the correct file is shown under “Evidence Source Selection” in the “Select File”
window. Then click Finish.
8. In the “Create Image” window, click Add (under “Image Destination(s)”).
9. Select “Raw” in the “Select Image Type” window. Then click Next.
10. Click Next in the “Evidence Item Information” window.
You do not need to enter “Evidence Item Information” since this information is not stored with the raw
format file and we will not be using the text log file from this acquisition.
11. Click Browse in the “Select Image Destination” window.
12. In the “Browse for Folder” window, navigate to C:\Cases\Images (the folder you created in Step
#1). Select the folder then click OK.
13. In the “Select Image Destination” window, enter “Lab3_USB1” in the “Image Filename
(Excluding Extension)” field. Then click Finish.
14. In the “Create Image” window verify that the correct image destination has been set. Then click
Start. (Note: you may check “Verify images after they are created” and “Precalculate Progress
Statistics” if you wish to have status updates during the conversion process.)
15. The conversion process should take less than 2 minutes. Verify that your file has been created
by opening a File Explorer window and navigating to C:\Cases\Images. You should have two
image files in the set: Lab3_USB1.001 and Lab3_USB1.002 (You can ignore the .txt file.)
16. Close FTK Imager and return to the VDA desktop.
Guided Practice #2: Examination of Partition Structures and Recovery of Lost
Partitions
1. Open WinHex using the shortcut icon on the VDA desktop in the Lab Resources > Applications
folder.
2. Close the “Case Data” pane if it is open. We will not be using this feature. To close the pane, go
to View > Show in the menus and then uncheck the option for Case Data.
3. Select File > Open from the menu.
4. In the “Open Files” window, navigate to C:\Cases\Images then select “Lab3_USB1.001” (You will
always choose the first file – .001 – when processing a set of image files in Raw format.)
5. Click Open. WinHex will display the contents of the image file in “raw” format.
6. Using the WinHex menus, select Specialist > Interpret Image File As Disk
7. Review the partition structure shown in the Directory Browser pane. You should see a total of 4
partitions plus 3 regions of “Unpartitioned space” (this is the label that WinHex gives to
inter-partition gaps). There will also be a region of “Unpartitionable space” (these are the sectors at
the end of the physical device which could be allocated to a partition during the re-partitioning
operation).
You should also note the partition sizes, file system types (“Ext.” column), sizes (for both
partitions and inter-partition gaps), and “1st Sector” information provided by WinHex.
Next, we will scan the image file for “Lost Partitions.” This will update the display in the Directory
Browser pane.
1. Using the WinHex menus, select Tools > Disk Tools > Scan For Lost Partitions.
2. In the “Scan For Lost Partitions” window, check the boxes for
a. FAT 12, FAT 16, FAT 32, exFAT, NTFS partitions
b. Ext2, Ext3, Ext4 partitions
c. MBR partition tables
d. All
3. Click OK to start the scan. When it finishes, WinHex will display the results in a pop-up window.
4. Read the message and then click OK to dismiss the window.
We will not be excluding the newly found partitions at this time. If you needed to do so, you would
right-click on the partition name and then select “Exclude” from the pop-up menu.
5. Review the changes in the Directory Browser pane. Note the locations of the new partitions (5, 6, &
7), the type of file system, size, and starting location.
6. Double click on “Partition 5” to open this partition in a new tab.
7. You may receive a warning message about the length of the image file. Read the message and
then dismiss the pop-up by clicking OK. This type of error could be caused by a corrupted boot
sector. If the error message stated that the image file was larger than expected, this could
indicate that the boot sector had been manipulated to conceal sectors at the end of the disk.
This technique can be used to “hide” files and folders in a place where they could be recovered
later (by changing the boot sector back).
8. Review the information about Partition 5’s filesystem structure (in the Directory Browser pane
in the new tab).
9. Click on the (root directory) line to view the contents of the directory in the Contents pane. Note
that there is a volume record (“References”) but no directory entries for files. (After you have
completed your review of this partition, you may close it using the close box.)
10. Return to the Lab3_USB1 tab. Then, double-click on Partition 6 to open it in a new tab. Dismiss
the warning pop-up (image file size warning).
11. Click on the (root directory) line to view the contents. Note that we again have a volume record.
In this partition, it shows the name “STUFF.”
12. Repeat steps 10-11 for Partition 7. You should again see a volume record (in the root directory)
which shows the name “STUFF.”
13. Return to the Lab3_USB1 tab.
We could continue our manual review of the active and lost partitions for some time. But, there is a
quick way to gather much of the required information using a WinHex feature – the Technical Details
Report.
14. From the WinHex menus, select Specialist > Technical Details Report.
15. Dismiss the warning message about image file size (click OK).
16. The “Technical Details Report” window will open.
17. Click “Copy All” to copy the report to your clip-board (the Windows “paste buffer”).
18. Close the “Technical Details Report” window and minimize the WinHex window.
19. Navigate to the Amazon WorkSpace (AWS). Select the Start menu, open a new MS Word
document. Paste the contents of the clip-board into this document (control-V).
20. Save your document to the VDA desktop as lastname_Lab3_TechnicalDetails Report.docx
21. Scroll through the document to review the information reported by WinHex for each partition
(both Active and “Lost”).
22. Examine the information for “Partition 4.” This was one of the original “active” partitions. The
information reported in the Technical Details Report (“File system:”) does not match what is
displayed in the Directory Browser pane.
As you scroll through the report and compare the information against the Directory Browser and the
contents of the MBR for each partition you will find additional discrepancies. The easy answer is that
there is conflicting information in the MBRs and the active / recovered partition tables. Determining
how the “corruption” happened would require a substantial amount of low-level analysis and research
into the characteristics and behavior of partition editors and filesystems for both Windows and Linux.
For this lab, it is sufficient for you to make note in your summary report that the conflicting information
exists and that there are multiple indications (warning messages, lost partitions and partition tables)
that the drive was repartitioned at least once. You should also note which partitions overlap each other
(use the starting – ending sector ranges as reported in the Technical Details Report) and which partitions
(“STUFF”) were resized.
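The overlap check described above can also be done programmatically. The following is an added example, not code from the lab or from WinHex/X-Ways: it opens a split raw image set (.001, .002, ...) as one contiguous byte stream, parses the four MBR entries in sector 0, and reports partition entries whose sector ranges intersect. The image content, the file name Lab3_USB1 and the 2 MiB segment size are constructed for the example; a real Technical Details Report would be compared the same way, start sector against end sector.

```python
"""Added example, not from the CMIT 424 lab or from WinHex/X-Ways: open a split raw image
set (.001, .002, ...) as one byte stream, parse the MBR partition table from sector 0 and
flag partition entries whose sector ranges overlap. The image content is constructed here."""
import os
import struct
import tempfile

SECTOR = 512
ENTRY = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, start LBA, sector count


def mbr_entry(boot, ptype, start_lba, sectors):
    # CHS fields are left zero; the LBA fields are what modern tools read.
    return struct.pack(ENTRY, boot, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


def build_test_image():
    """Constructed 4 MiB image whose 2nd and 3rd MBR entries overlap."""
    entries = [
        mbr_entry(0x80, 0x0B, 2048, 2048),  # FAT32, sectors 2048-4095
        mbr_entry(0x00, 0x07, 4096, 2048),  # NTFS, sectors 4096-6143
        mbr_entry(0x00, 0x83, 5120, 1024),  # Linux, sectors 5120-6143: inside entry 2
        mbr_entry(0x00, 0x00, 0, 0),        # unused slot
    ]
    mbr = b"\0" * 446 + b"".join(entries) + b"\x55\xAA"
    return mbr + b"\0" * (8192 * SECTOR - len(mbr))


def write_segments(image, directory, base="Lab3_USB1", segment_size=2 * 1024 * 1024):
    """Write base.001, base.002, ... the way a raw image is split into segments."""
    paths = []
    for i in range(0, len(image), segment_size):
        path = os.path.join(directory, f"{base}.{len(paths) + 1:03d}")
        with open(path, "wb") as fh:
            fh.write(image[i:i + segment_size])
        paths.append(path)
    return paths


class SplitRawImage:
    """Present a .001/.002/... segment set as one contiguous image; open it with the .001 file."""

    def __init__(self, first_segment):
        base, _ = os.path.splitext(first_segment)
        self.segments = []
        while os.path.exists(f"{base}.{len(self.segments) + 1:03d}"):
            self.segments.append(f"{base}.{len(self.segments) + 1:03d}")
        self.sizes = [os.path.getsize(p) for p in self.segments]
        self.total_size = sum(self.sizes)

    def read(self, offset, length):
        """Read `length` bytes at absolute `offset`, spanning segment boundaries."""
        out = b""
        for path, size in zip(self.segments, self.sizes):
            if offset >= size:
                offset -= size
                continue
            with open(path, "rb") as fh:
                fh.seek(offset)
                out += fh.read(min(length - len(out), size - offset))
            offset = 0
            if len(out) >= length:
                break
        return out


def parse_mbr(sector0):
    """Return the used primary partition entries as dicts with inclusive sector ranges."""
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 lacks the 0x55AA MBR signature")
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from(ENTRY, sector0, 446 + 16 * i)
        if ptype and count:
            parts.append({"index": i + 1, "type": ptype, "bootable": boot == 0x80,
                          "start": start, "end": start + count - 1})
    return parts


def find_overlaps(parts):
    """Pairs of partition indexes whose sector ranges intersect (a repartitioning indicator)."""
    return [(a["index"], b["index"]) for a in parts for b in parts
            if a["index"] < b["index"] and a["start"] <= b["end"] and b["start"] <= a["end"]]


def analyze(first_segment):
    img = SplitRawImage(first_segment)
    parts = parse_mbr(img.read(0, SECTOR))
    return {"total_sectors": img.total_size // SECTOR, "segments": len(img.segments),
            "partitions": parts, "overlaps": find_overlaps(parts)}


def demo():
    """Build the constructed image in a temp dir, split it, and analyze from the .001 file."""
    with tempfile.TemporaryDirectory() as d:
        first = write_segments(build_test_image(), d)[0]
        return analyze(first)


if __name__ == "__main__":
    result = demo()
    for p in result["partitions"]:
        print(f"Partition {p['index']}: type 0x{p['type']:02X} sectors {p['start']}-{p['end']}")
    print("overlapping partitions:", result["overlaps"])
```

Only the primary MBR entries are parsed; the "lost" partitions WinHex finds come from scanning for boot sectors elsewhere on the media, and their ranges would be fed into find_overlaps the same way once recovered.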
23. Close the MS Word window after you have finished reviewing the Technical Details Report.
24. Open HashCalc using the shortcut found in the “Forensic Tools” folder on the VDA desktop.
25. Click the button next to the “Data:” field.
26. In the “Find” window, navigate to the AWS Desktop
(\\tsclient\D\Users\loginname\desktop\lastname_Lab3_TechnicalDetails Report.docx) and select
your lastname_Lab3_TechnicalDetails Report.docx file. Click Open.
27. In the HashCalc window, click Calculate.
28. Select the text in the MD5 field. Then type control-C to copy the text to the clip-board. (Your
hash value may be different from the value shown above – use YOUR calculated hash value for
YOUR file.)
29. Open a File Explorer window and navigate to the AWS Desktop. Right click on the entry for your
technical details report document. Select “Rename” from the pop-up menu.
30. Add the MD5 hash value to the end of the filename (before the .docx extension). This will save
the MD5 hash value in a convenient place. (Alternatively, you could write the MD5 hash value
into your examiner notes.) You will need the MD5 hash value when preparing your summary
memo for your lab 3 deliverables.
31. Transfer your technical details report document to your local PC (via your Google Drive or other
means).
32. Close any unneeded windows on the desktop and return to the WinHex window to continue
with the next Guided Practice.
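Steps 28 through 30 above (hash the report, then record the MD5 in the file name) can be scripted so that the stored digest can later be re-checked. The following is an added example, not part of the lab and not HashCalc; the file content, the underscore separator before the digest, and the verify_named_file helper are this example's own choices.

```python
"""Added example (not from the CMIT 424 lab or HashCalc): compute a file's MD5 in chunks,
append the digest to the file name before the extension, and later verify that the file
still matches the digest carried in its name."""
import hashlib
import os
import re
import tempfile


def md5_of_file(path, chunk=1 << 20):
    """Hash the file in 1 MiB chunks so large reports do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def name_with_hash(path, digest):
    """Insert the digest before the extension: report.docx -> report_<md5>.docx."""
    stem, ext = os.path.splitext(path)
    return f"{stem}_{digest}{ext}"


def rename_with_md5(path):
    new_path = name_with_hash(path, md5_of_file(path))
    os.rename(path, new_path)
    return new_path


def verify_named_file(path):
    """Recompute the MD5 and compare it with the 32-hex-digit digest embedded in the name."""
    m = re.search(r"_([0-9a-f]{32})(?=\.[^.]+$)", os.path.basename(path))
    return m is not None and md5_of_file(path) == m.group(1)


def demo():
    """Constructed report file in a temp dir; returns (new basename, verified, expected md5)."""
    body = b"constructed technical details report body\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "lastname_Lab3_TechnicalDetails Report.docx")
        with open(path, "wb") as fh:
            fh.write(body)
        new_path = rename_with_md5(path)
        return os.path.basename(new_path), verify_named_file(new_path), hashlib.md5(body).hexdigest()


if __name__ == "__main__":
    name, ok, _ = demo()
    print(name, "verified" if ok else "MISMATCH")
```

Keeping the digest in the file name is convenient, but it is not tamper-evident on its own: anyone who edits the file can also rename it. The examiner notes (or a separate hash log) remain the authoritative record.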
Guided Practice #3: File Recovery and Examination (Data Carving)
Before you Begin
Create a folder to hold the results of your data carving: C:\Cases\Lab3_WinHex_Export
Data Carving
There are two different ways to perform data carving using WinHex:
a. Tools > Disk Tools > File Recovery by Type
b. Specialist > Refine Volume Snapshot
Of the two options, “Refine Volume Snapshot” is the more powerful tool and is the one that WinHex will
ask you to use. “File Recovery by Type” could also be used but, the recovered files will be exported to
disk. Since we do not know if we have child pornography or other types of materials that should not be
copied (e.g. national security or “classified information”), we should start with “Refine Volume
Snapshot.” This tool will not export files automatically.
When you select “Refine Volume Snapshot,” WinHex will display a warning that this tool will reset the
image and all analysis performed previously (which includes the results of our search for lost partitions).
Since we have already saved the technical details report for the lost partitions, the “reset” should not
adversely impact our analysis.
1. From the menus, select Specialist > Refine Volume Snapshot.
2. In the “Refine Volume Snapshot: Lab3_USB1” window, select the following options:
a. Take a new one
b. Particularly through file system data structure search
c. File header signature search
d. Compute Hash: MD5 (use the button to open the selection menu)
e. Apply selected operations to “all” files
3. Verify your options settings then click OK.
4. In the “File Header Search on Lab3_USB1” window, you will select the file types for the carving
operation. Use the plus sign to the left of the category name to expand it. (Do not check the
category box at this time.)
5. Under “Pictures” select the following file types: JPEG, PNG, GIF, and Bitmap. Click the minus
sign to collapse the category.
6. Under “Documents” select the following file types: Rich Text Format, MS Office/OLE2, MS Office
2007+, Adobe Acrobat (pdf). Click the minus sign to collapse the category.
7. On the right-hand side of the “File Header Search” window, set your options as follows:
a. Filename Prefix: Lab3_
b. Check the box for “Intelligent naming …”
c. Check the box for “Always ignore start sectors of known files”
i. Select complete byte-level search
8. “Optional subdirectory of Path Unknown\Carved files:” Do not change this setting.
9. Review your settings and then click OK to start the data carving operation.
10. WinHex will display a warning pop-up. Read the text in the window and then click OK to dismiss
it.
11. Monitor the carving operation using the “File header signature search …” pop-up window.
12. WinHex will display a completion status pop-up window that provides the number of recovered
files.
13. As you can see, a large number of “carved” files were recovered. Think back to the Lab 3 lecture
and other readings for this lab … remember that not all of the “carved” files will actually be
usable files. Many will be false positives.
14. Review the results shown in the Directory Browser pane. After the “Unpartitioned Space” line,
you will see a large number of carved files. These are files that were found inside the gap
between the start of the media and the start of the first partition. Double-click Carved Files.
15. Next, we will preview the contents of several carved files. Right click on the first carved file
Lab3_000001.docx. In the pop-up menu, choose Viewer Programs > Associated Program. This
will launch MS Word and display the contents of the file.
16. Next, we want to screen the carved files for child pornography. This is in preparation to
exporting the files for easier review using another tool. (We will be randomly checking a subset
of the image files in WinHex.) Record this screening in your examiner notes (just in case child
pornography is found in the exported files at a later date).
In a forensics lab, we would export the carved files to a hard drive volume (partition) or removable
media which could be “wiped” (forensically sterilized) in the event that child pornography (or, in the
case of national security investigations – classified materials) were to be recovered and exported.
17. Click on the “Ext.” column to sort the files into groups by file types.
18. Select at least 3 files each in the picture/graphic file types that we carved for: bmp, gif, jpg, png.
Choose files from the beginning, middle, and end of the image. This will serve as your “due
diligence” scan for child pornography (which must be conducted before you export files from
this image). Make a note of which files (by name) were reviewed and record a general
description of the picture or graphic image.
If you find child pornography, contact your instructor and wait for permission prior to exporting any files
from this image. (Note: there shouldn’t be any pictures of “cats” or “kittens” but, just in case … we
include this warning.)
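Two points from this section, the byte-level versus sector-aligned search option (step 7.c.i) and the false positives among carved files (step 13), are easy to see with a small header-signature carver. The following is an added example, not code from the lab or from WinHex; the buffer it scans is constructed inline, and the plausibility checks are this example's own, minimal versions of the structural checks a real carver applies after a magic-bytes hit.

```python
"""Added example (not from the CMIT 424 lab or WinHex): a minimal header-signature carver run
over a constructed buffer, showing (1) a PNG that only a byte-level search finds because it is
not sector aligned, and (2) a text fragment that matches the BMP magic but fails validation."""
import struct

SECTOR = 512

# Magic bytes for the picture/document types selected in the lab.
SIGNATURES = {
    "jpg": b"\xFF\xD8\xFF",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "bmp": b"BM",
    "pdf": b"%PDF-",
}


def plausible(kind, buf, off):
    """Cheap structural checks beyond the magic bytes; False means a likely false positive."""
    if kind == "bmp":
        # BITMAPFILEHEADER: 'BM', uint32 file size, 4 reserved bytes, uint32 pixel-data offset.
        if off + 14 > len(buf):
            return False
        size, _, pixels = struct.unpack_from("<I4sI", buf, off + 2)
        return 14 < size <= len(buf) - off and 14 <= pixels < size
    if kind == "gif":
        return buf[off + 4:off + 6] in (b"7a", b"9a")
    if kind == "png":
        # The first chunk after the 8-byte signature must be IHDR with length 13.
        return buf[off + 8:off + 16] == b"\x00\x00\x00\x0dIHDR"
    if kind == "jpg":
        # The byte after FF D8 FF must itself be a marker code.
        return off + 3 < len(buf) and 0xC0 <= buf[off + 3] <= 0xFE
    if kind == "pdf":
        return buf[off + 5:off + 6].isdigit()
    return False


def carve(buf, byte_level=True, validate=True):
    """Return (offset, kind) hits. byte_level=False only tests sector boundaries."""
    hits = []
    step = 1 if byte_level else SECTOR
    for off in range(0, len(buf), step):
        for kind, magic in SIGNATURES.items():
            if buf.startswith(magic, off):
                if validate and not plausible(kind, buf, off):
                    continue
                hits.append((off, kind))
    return hits


def build_test_buffer():
    """Constructed 8-sector buffer with five real headers and one false positive."""
    buf = bytearray(8 * SECTOR)
    # Sector 1: well-formed BMP file header (file size 70, pixel data at offset 54).
    buf[512:526] = b"BM" + struct.pack("<I4sI", 70, b"\0\0\0\0", 54)
    # Sector 2: plain text containing "BM" -> a raw signature hit, but not a bitmap.
    text = b"Please SUBMIT the report by Friday."
    buf[1024:1024 + len(text)] = text
    # Offset 2000 (not sector aligned): PNG signature followed by the IHDR chunk header.
    buf[2000:2016] = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
    buf[2048:2056] = b"%PDF-1.4"       # sector 4
    buf[2560:2566] = b"GIF89a"         # sector 5
    buf[3072:3076] = b"\xFF\xD8\xFF\xE0"  # sector 6: JPEG with APP0 marker
    return bytes(buf)


if __name__ == "__main__":
    data = build_test_buffer()
    print("byte-level, validated:  ", carve(data))
    print("byte-level, raw hits:   ", carve(data, validate=False))
    print("sector-aligned, validated:", carve(data, byte_level=False))
```

The raw run reports six hits and the validated run five: the "BM" inside "SUBMIT" is dropped because its size field is nonsense. The sector-aligned run misses the PNG at offset 2000, which is why the lab turns on the complete byte-level search. Even validated hits are only candidates; the screening step that follows, opening each file, is what confirms them.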
19. Next, we will export both a file inventory and the individual files (including the carved files).
20. Select the first file listed in the Directory Browser pane.
21. Scroll down to the last “file” item in the pane. Press and hold the SHIFT key. Then use your
mouse (left click) to select the last “file” item in the pane. This should select ALL of the file items,
from first to last.
22. Right-click (once) in the Directory Browser pane. From the pop-up menu, choose
“Recover/Copy”
23. In the “Select Target Folder” window, navigate to your export folder
(C:\Cases\Lab3_WinHex_Export) and select it, then click OK.
24. Leave the “Recover/Copy” default options selected and click OK.
25. After the export operation completes, WinHex will display …