please see attached. You have to follow the instructions and solve the questions.






Forensic Imaging and Windows Lab 2

Notes: All labs should be completed in VMWare to prevent unintentional damage to your system. Lab tools are for Windows and will not run on Mac systems unless you are in your VMWare setup. All answers must be in complete sentences for full credit. For this lab, use the smallest thumb drive you can; the larger it is, the longer your lab will take.

Objective: The purpose of this exercise is to give you experience with some basic disk and file recovery operations and introduce you to some basics of Windows forensics.

Terms:
boot: short for “bootstrap.” This is the startup process. A “cold boot” is from the power-off to the power-on state. A “warm boot” is a restart that simply reloads the operating system.
data carving: the process of locating files that have been deleted or embedded in other files.
dd image: an exact duplicate, bit for bit, of a file or disk. The term derives from the Unix dd command that is used for this purpose.
driver: a utility program that operates a device such as a printer, scanner, or mouse.
hash: a computed value that can be used to represent the state of a file or disk.

Software to Install:
NOTE: When using these tools, run the program as administrator. To do this, right-click and select “run as administrator.”
FTK (Forensic Toolkit): http://accessdata.com
Download the install from Blackboard (Course Content – Handouts – Software – FTK-Forensic_Toolkit-1.81.6.exe). Install it, ignoring any error messages that appear.
FTK Imager: http://accessdata.com
Download the install from Blackboard (Course Content – Handouts – Software – AccessData_FTK_Imager_3-1-0.exe). You can use a newer version from the website if you would like. The versions posted on Blackboard are small files that can be easily run from a thumb drive.
Autopsy: https://www.sleuthkit.org/autopsy/
You can use Autopsy in addition to or in place of FTK.
WinHex: http://www.winhex.com/winhex/index-m.html
Choose WinHex and download the Demo version. Run setup.exe to install the program. If given the option, run WinHex using the Computer Forensic Interface.
Note: X-Ways Forensics is the “forensics” version of this, but there is no demo version available.

“Create Some Evidence”:
Insert a thumb drive (make sure it does not contain any important information).
Open Word.
Create a file called test1.doc (or docx) and save it to your thumb drive. In the file, type the word “inculpatory”.
Create a file called test2.doc (or docx) and save it to your thumb drive. In the file, type the word “exculpatory”.
Using Notepad:
Create a file called evidence.txt. In the file type “This is evidence.”
Create a file called hidden_evidence.txt. In the file type “This is hidden evidence.”
Create a file called deleted_evidence.txt. In the file type “This is deleted evidence.”
Open your web browser. Search for a picture of a puppy and save it to your thumb drive.
Go to: http://ist.gmu.edu/ and choose Save Page As. Save the complete webpage to your thumb drive.
Open your thumb drive from “My Computer”. Right-click and delete: test2.doc, the picture of the puppy, and deleted_evidence.txt.
Right-click on hidden_evidence.txt, go to Properties and make it a hidden file.
***If you are getting a security error with FTK or Imager, you need to adjust your OS security settings. See this site for an example of how to fix it: https://blog.pcrisk.com/windows/12622-an-administrator-has-blocked-you-from-running-this-app

Creating a Forensic Image with FTK Imager:
(We are now going to treat this disk as evidence. In an actual case, we would be using a hardware write blocker at this point.)
Launch FTK Imager.
File -> Create Disk Image.
Choose the Physical Drive radio button, then choose Next -> select your thumb drive -> Finish. Make sure you don’t select the hard drive!
You then need to indicate how and where the drive image will be saved.
Choose Add -> E01 -> Next.
Enter the requested information (you can make up the case name, etc.).
Browse and add a new folder called Lab2 to the desktop to save the image to, and click OK.
Name the image testcase.E01.
Choose Finish -> Start.
When it finishes, record the MD5 and SHA1 hashes (Question 2).
Load the image into Imager if it did not load after creating the image. In the evidence tree, note the structure of the evidence file. What do you see?

File Recovery with FTK:
Close the Imager and launch FTK Toolkit. If you get a security or dongle “error,” ignore it and click OK/continue.
Start a new case. In the screens that follow, enter some sample data as requested (name, case number, address, etc.). Accept the default logs, processes, and refinements.
At the add evidence screen, click the Add Evidence button -> Acquired Image of Drive. Browse and open the image file you created above (testcase.E01). Enter the time zone (Eastern Time with daylight savings). Next -> Finish.
Go to the Overview tab (include a screenshot for Question 3). Look at the different file item categories.
Click on Documents. How many did it find? Did you find the items you created?
Click on Deleted Files. How many did it find? Did you find your deleted items?
Choose the Explore tab and see if you can locate these files.
Select your deleted file and then choose File -> Export Files… Browse to locate your Lab2 folder on the desktop to save the recovered file to, and click OK. Use My Computer to confirm that the deleted file was recovered.

Verify Hashes with FTK Imager:
Open Imager. File -> Add Evidence -> Image File. Browse to open testcase.E01 -> Open -> Finish.
Choose File -> Verify Drive/Image. It will take a minute or two to verify the drive and compute the hashes (record the hash in Question 5).
Check the MD5 and SHA1 you recorded from before… they should match! A match shows that the imaged data has not been altered since the image was created.
Close Imager.
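The record-then-verify hash steps above, as an added Python example (my own code, not part of the lab handout and not FTK Imager's internal implementation, although the check it performs is the same one): it computes MD5 and SHA1 in a single pass over an image file, compares them with the values recorded at acquisition time, and shows that changing a single byte breaks the match. The "image" is a constructed byte string written to a temporary file; the function names are my own.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so a large image never sits fully in memory


def hash_image(path):
    """Compute MD5 and SHA1 of a file in one pass, as an imager does at acquisition."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, recorded):
    """Recompute the hashes of `path` and compare them with the values written down
    at acquisition (the Question 2 hashes).  Returns (all_match, computed, mismatches);
    mismatches maps an algorithm name to (recorded, computed) for every value that differs."""
    computed = hash_image(path)
    mismatches = {}
    for alg in ("md5", "sha1"):
        expected = recorded[alg].strip().lower()  # GUI tools print upper- or lower-case hex
        if expected != computed[alg]:
            mismatches[alg] = (expected, computed[alg])
    return (not mismatches), computed, mismatches


def write_sample_image(data, suffix=".001"):
    """Write constructed bytes to a temporary file standing in for a raw (dd) image."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def flip_one_byte(path, offset=0):
    """Alter one byte in place, modelling a write to the evidence after acquisition."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


if __name__ == "__main__":
    # Constructed sample: a tiny "image" whose whole content is the bytes 'abc'.
    img = write_sample_image(b"abc")
    acquisition = hash_image(img)  # the values you would record right after imaging
    print("acquisition:", acquisition)
    ok, _, bad = verify_image(img, acquisition)
    print("verify untouched image:", ok, bad)
    flip_one_byte(img)
    ok, _, bad = verify_image(img, acquisition)
    print("verify after a one-byte change:", ok, bad)
    os.remove(img)
```

Run it with `python3 verify_hashes.py`; the first verification reports a match and the second reports both algorithms as mismatched. The comparison is done case-insensitively because hand-copied hashes from a GUI often differ only in letter case, which is not a real mismatch.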
You do not need to save the case.

WinHex:
WinHex is a “hex editor.” It allows you to work with disks and files at the binary level. When making a forensic copy, you need to be sure that the media you are copying to is forensically sterile. You need to be able to assure a court that you have not contaminated the evidence in any way.
To erase a disk securely using WinHex:
Tools -> Open Disk -> E: (click OK) ***or whatever drive letter your thumb drive is mounted to.
Note that the demo version of WinHex will not let you complete this operation.
Edit -> Fill Disk Sectors. You may choose 0x00 or random values. (The DoD standard requires 3 passes.)
Exit WinHex.
Searching for text using WinHex:
Using “My Computer,” locate your test1 file on the thumb drive. Right-click and delete it.
Reopen WinHex and ask for a new “snapshot” of the disk in the dialog box.
Go to: Search -> Find Text and type in “exculpatory”. Uncheck “match case” and check the option to give you a certain number of search results.
Even though the file has been deleted, you can recover this text.
To locate any text: Search -> Text Passages… If you do not find your text here, try again in FTK.
In order to erase a file securely:
Note that the demo version of WinHex will not let you complete this operation.
Tools -> File Tools -> Wipe Securely. Choose your test1 file. You may choose 0x00 or random values. Click OK and confirm the deletion.
Do this to securely delete your test1 file.
Exit WinHex and check the contents of the disk.

Recovering an Image File:
Download the Data files for Lab 2 from Blackboard:
practicecase.001 is the forensic image.
The text file contains the hashes and other information about the image.
Launch FTK Toolkit. File -> Add Evidence -> Acquired Image of Drive. Browse and open the dd image file you downloaded (practicecase.001).
Do the following steps:
What can you find out about this disk image? What is the file system?
Hint: Look under “Evidence Type.” (If you don’t see this, select the “Evidence Items” button.)
Click on Total File Items and view the files listed. What type of disk is this? (Hint: what type of file is .sxw? Use Google and find out.)
What was in the file evil.sxw? Is there an image on this disk? Note that it has the extension .sxw (not .jpg/.jpeg). Criminals may try to hide images by renaming them with bogus extensions.
Verify the image and compare the hashes to the hashes in the text file.

Windows Basics

BIOS and Safe Mode:
BIOS: When you boot the machine, a key sequence will be briefly displayed on the screen to get into the BIOS. Do this to get into the BIOS screen and hit the escape key (Esc). View the boot sequence. Don’t make any changes to the BIOS. Use the Esc key to cancel any changes and Esc to exit.
Safe Mode: Sometimes you may wish to get into Safe Mode, especially if you need to restore a machine that has become corrupt or won’t boot due to some conflict (missing driver, etc.). To get into Safe Mode in Windows 10, see: https://www.digitalcitizen.life/4-ways-boot-safe-mode-windows-10

File Ownership and File Permissions:
File Ownership: You can use the command line to find out the owner of files on systems that have multiple accounts. The steps below will save the directory information into a file that you can view with Notepad or any other text editor.
All Programs – Accessories – Command Prompt
Type:
cd \ (takes you to the root directory)
dir /q > C:\Fileowner.txt
exit
File Permissions: While in Safe Mode, you can view or change the owner of files/directories as well as their permissions. Right-click on any file and then choose Properties -> Security tab. You can then view the users and groups who have access to this file. By clicking on the Advanced button, you can choose the Owner or Permissions tab to view or change those settings. We will not have you make changes, but do make a note so that you remember how to do this.
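The WinHex text search and wipe steps, and the renamed image in practicecase.001 from the section above, as one added Python example (my own code, not the handout's and not how WinHex or FTK are implemented): it builds a constructed 16-sector stand-in for a thumb-drive image, searches the raw bytes for a string the way Search -> Find Text does, carves files by their leading signature bytes regardless of the name in the directory entry, and then overwrites sectors to show why a wiped file cannot be found again. Everything in the image is constructed for illustration: the sector size, the FAT-style 32-byte directory entries (a deleted entry has its first name byte set to 0xE5, the rest of the entry and the data sectors remain), the text body, and a JPEG header stub filed under the name EVIL.SXW; it is not a real file system.

```python
import os

SECTOR = 512

# Leading-byte signatures at offset 0. Constructed table limited to the formats this
# lab touches: the common image formats plus the ZIP container that .sxw/.docx use.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"PK\x03\x04", "ZIP container (.sxw/.docx are ZIP-based)"),
]


def build_sample_image(sectors=16):
    """Constructed stand-in for a thumb-drive image (not a real file system):
    sector 2 holds two FAT-style 32-byte directory entries, sector 8 the body of a
    deleted text file, sector 12 a file that begins with a JPEG header but is named
    EVIL.SXW.  Deleting a FAT file only replaces the first name byte with 0xE5."""
    img = bytearray(SECTOR * sectors)
    deleted = bytearray(b"DELETE~1TXT" + b"\x20" + b"\x00" * 20)
    deleted[0] = 0xE5                                     # marks the entry as deleted
    renamed = bytearray(b"EVIL    SXW" + b"\x20" + b"\x00" * 20)
    img[2 * SECTOR:2 * SECTOR + 32] = deleted
    img[2 * SECTOR + 32:2 * SECTOR + 64] = renamed
    body = b"This is deleted evidence."
    img[8 * SECTOR:8 * SECTOR + len(body)] = body
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 100  # constructed header only
    img[12 * SECTOR:12 * SECTOR + len(jpeg)] = jpeg
    return img


def find_text(img, needle, match_case=False):
    """Every occurrence of `needle` in the raw bytes, as Search -> Find Text does.
    Returns [(byte_offset, sector, offset_in_sector), ...]."""
    hay, pat = bytes(img), needle.encode("utf-8")
    if not match_case:
        hay, pat = hay.lower(), pat.lower()
    hits, start = [], 0
    while True:
        pos = hay.find(pat, start)
        if pos == -1:
            return hits
        hits.append((pos, pos // SECTOR, pos % SECTOR))
        start = pos + 1


def identify(data):
    """Type implied by the leading bytes, ignoring whatever name or extension the file has."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def carve_by_signature(img):
    """Check every sector boundary for a known signature: the simplest form of data
    carving, which finds files whose directory entry is gone or whose name lies.
    Returns [(sector, kind), ...]."""
    found = []
    for s in range(len(img) // SECTOR):
        kind = identify(bytes(img[s * SECTOR:s * SECTOR + 8]))
        if kind:
            found.append((s, kind))
    return found


def wipe_sectors(img, first, count, random_fill=False):
    """Overwrite whole sectors with 0x00 or random bytes (Fill Disk Sectors /
    Wipe Securely).  One pass is shown; the DoD method the handout cites uses three."""
    for s in range(first, first + count):
        img[s * SECTOR:(s + 1) * SECTOR] = os.urandom(SECTOR) if random_fill else bytes(SECTOR)
    return img


if __name__ == "__main__":
    img = build_sample_image()
    print("deleted text:", find_text(img, "deleted evidence"))
    print("surviving name fragment:", find_text(img, "ELETE~1"))
    print("carved by signature:", carve_by_signature(img))
    wipe_sectors(img, 8, 1)
    print("after wiping sector 8:", find_text(img, "deleted evidence"))
```

The text search finds the body in sector 8 and the name fragment in sector 2 even though the entry is marked deleted, which is exactly why Find Text still works after a plain delete. The signature scan reports sector 12 as a JPEG image whatever the directory calls it, which is how a tool sees through a bogus extension. After `wipe_sectors` has overwritten sector 8, the same search returns nothing.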
System Restore Tool:
Windows 10 has a “System Restore” tool that allows you to restore the system to a previous state. While any recently installed software will be lost, changes to user data files will be preserved. It does this by saving “restore points” periodically. You can also use the System Restore tool to create your own restore points before you install applications, drivers, or make major changes that might be risky.
Go to Programs -> Accessories -> System Tools -> System Restore. It should allow you to pick a date to restore the system to. (Note: this may or may not work here in the lab, but give it a try. Note that if an anti-virus program has quarantined or deleted files in a restore point, the restoration will fail.) If it works, the software you installed today should be gone. Why is this of interest to a forensic examiner?

Note for All Labs: All answers must be in complete sentences for full credit. Use your own words. You will not receive credit for questions that ask for definitions or examples if you use the ones given in the directions.

© 2006 Anne Marchant with contributions by Kristin Baldassaro & Rebecca Pollard, updated 2017
Forensic Imaging and Windows Lab 2
Name:
G#:

Lab Questions: ANSWERS MUST BE IN COMPLETE SENTENCES FOR FULL CREDIT.
1. What is a forensic image?
2. Record your MD5 and SHA hashes.
3. Include a screenshot from your Overview tab showing the breakdown of evidence types.
4. What indicates a file has been deleted in FTK? (Besides showing up in the “deleted files” section of the Overview tab.)
5. Record your MD5 and SHA hashes.
6. What is the difference (if any) between the computed hash and the report hash calculated in your lab? (Were the hashes in Question 2 and Question 5 the same? What does this indicate?)
7. What information did you learn about the practicecase.001 dd image you downloaded from Blackboard? What kind of file system and operating system was used to create this disk? (Hint: If you can identify the file system, look up the associated operating system.)
8. Why is it important to run WinHex or other forensic tools in Write Protect mode?
9. Why is it important to securely wipe (erase) a disk before saving evidence to it?
10. What is Safe Mode and how do you get into it?
11. Where would you go to find out which device the machine is set to boot from?
12. What is the System Restore tool used for? How do you set a system restore point?
13. Why is the System Restore tool of interest to a forensic examiner?

© 2006 Anne Marchant with contributions by Kristin Baldassaro & Rebecca Tenally, updated 2014
By submitting this assignment, I certify I have abided by all requirements of the GMU honor code. I certify that this is entirely my own work, no unauthorized sources have been used, and all sources used have been properly cited.



