COEN 152 / 252 Lab Exercise 1
Imaging, Hex Editors & File Types

In this lab we will explore the concepts associated with creating a forensic image. Write-blocking will be accomplished utilizing a mounted volume in the prepared virtual machine. This is designed to simulate write-blocked media. Other write-blocking techniques will be demonstrated during the lectures. Given time we will explore the option of using bootable Linux distributions and mounting volumes to be imaged as "read only".

For this lab you will receive media that contains an .ova file. This file type is an exported appliance that will be recognized by the "Oracle VM VirtualBox" application. Current virtual machines are built using version 4.0.4r70112 of the application. This version is included on the media for use in completing the lab assignments, and it will be used throughout the course for lab exercises. It is recommended that you not utilize the automatic update feature in the software once you have installed it, as this may cause labs prepared in the 4.0.4r70112 version to function improperly. All labs have been tested as functional with this version of the application.

Install the Oracle VM VirtualBox application on a system available to you. It is advisable that you install the VirtualBox application on a Windows OS; these are the only versions that the virtual machines have been tested against. If you do not have access to a Windows system, there are desktop systems available for your use in the lab.

Once the VirtualBox application has installed, mount the provided media for this lab. Go to File > Import Appliance, and browse to the location of the mounted media. Select the .ova file provided for this lab. The application will import the VM. Upon completion it should appear in the left panel. Highlight the VM and select "Start". This will activate the VM instance for this lab exercise. Your VM instance should look similar to this:
Lab 1 VM contains 2 volumes:

C:\ - Operating system and applications
E:\ - 15 GB NTFS formatted partition that contains no data

There is also a Simple Volume with data, NTFS formatted, but not assigned a volume identifier. You will be using this Simple Volume (SV) as read-only media for the imaging exercises in this lab. The E:\ volume will be designated as storage media, the destination for your image segments.

NOTE: Before you begin the storage media preparation portion of this lab, you must go into the COEN252_VM_Base settings and detach the read-only volume that you will be imaging later. Otherwise EnCase will crash and you will be unable to do the lab exercises. In the VirtualBox Manager window, highlight the COEN252_VM_Base instance as below:
Go to Settings > Storage and remove the device in the Storage Tree as shown below:

Your VM should now look like this:
Start the VM to continue the exercise.

Storage Media Preparation Lab Exercise

First the storage media must be prepared for writing image files to it. It is sound practice to have the storage media in a known state prior to writing image segments to it. It is common practice to overwrite your storage media with zeros (0x00). This provides a known, consistent state for the storage media, so that nothing left over from a previous use of the media can be mistaken for image data. For this lab, we will use two methods for ensuring the media (E:\) is in this known state.

Method 1: Guidance Software's EnCase product installed on the VM contains a function that does not require activation by a dongle. This function allows the examiner to prepare storage media for writing images without tying up the dongle that is needed for the full analysis version of the product. You will note in the upper left corner of the EnCase application the words "EnCase Acquisition". This is commonly referred to as the acquisition mode of the product. This mode allows for storage media wiping and imaging without the use of the activation dongle.

Method 2: There are two hex editor applications provided on the VM: WinHex and XVI32. Both of these applications can be used free with limited functionality. Both can write character strings; WinHex can open an entire partition or volume, while XVI32 can write only to individual files. You will be using one of these applications to conduct your storage wiping activity in addition to the activity described in Method 1.

Deliverables:

Method 1: Provide a series of screenshots illustrating the use of the EnCase application to "wipe" or reset all values on the E:\ volume to "0".
You will need to include a screenshot of each step in the mounting and wiping sequence; a screenshot of the "wiping" application running (there will be an indicator in the lower right of the application window); a screenshot of the "Verification" process running (it replaces the "Wiping" process indicator); and a text or screenshot of the final report verifying the completion of the Wiping / Verification process.

Method 2: Provide a series of screenshots showing the steps you took with WinHex to overwrite the E:\ volume with a contiguous series of zero (0) characters. Screenshots should also include a view of the beginning, middle (approximate) and end of the "Storage" sectors. Refer to the Clearing_Media_WinHex.pdf in the Reference Docs folder on the Desktop of the VM for information. (Hint: for this exercise, it is not necessary to overwrite the Partition Table entries.)

Storage Media Preparation Method 1:

Start the EnCase application; you should note that it is in Acquisition mode. More recent versions of EnCase require that you start a new case to which you will add media to be imaged. File > New Case will display the following window:
In the "Name" field, insert text that adequately and uniquely describes this media, as this field is applied to the file name for the E01 segments. For this section, please use EnCase_(Student ID No.)_Lab1, where "Student ID No." is replaced by your student ID number. Leave the remaining fields as shown with the default settings. Select "Finish". This creates the framework case to which you will add the Simple Volume.

Select Tools > Wipe Drive. In the following window, for the purposes of this lab, choose the E volume by clicking the check box next to its entry as below:
Select Next and you will be presented with the following:

Leave the default settings and select Finish. A new window will open asking you to confirm your selection. You must confirm your selection by typing Yes in the provided location:

Wiping and verification of the selected media will begin at this time. A progress indicator will be displayed in the lower right of the EnCase application window. Once wiping is complete, it should display a Verifying progress indicator. Upon completion the following should display:
Include a screenshot of this informational box with your lab report. Once this wipe is complete, use Windows Explorer to re-format the drive as FAT32. You can do this by right-clicking the My Computer icon > Explore, then right-clicking the E:\STORAGE entry and choosing Format. Select the settings as noted below:

Select Start. Note that FAT32 cannot hold a single file of 4 GB or larger, so keep your image segment size below that limit when you create images later. Once the format is complete, proceed to Method 2.
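The wipe-then-verify cycle that EnCase performs here (and that you reproduce by hand with WinHex in Method 2) can be checked independently. The following Python script is an added example written for this handout; it is not part of the lab VM, EnCase or WinHex. It operates on an ordinary file that stands in for the E:\ volume (a constructed 1 MiB + 123 byte "volume", not a real device) and assumes nothing about the tools' internals. The second pass re-reads the media and reports the first byte that does not match the fill, which is what the "Verifying" indicator is doing in the EnCase window.

```python
import os
import tempfile

BLOCK_SIZE = 64 * 1024   # write and read the media back in 64 KiB blocks, as an imaging tool would

def fill_block(pattern: bytes) -> bytes:
    """One write-sized block made of whole repeats of `pattern`, so every block, and any
    partial block at the end of the media, starts on a pattern boundary."""
    if not pattern:
        raise ValueError("pattern must be at least one byte")
    return pattern * max(1, BLOCK_SIZE // len(pattern))

def wipe_media(path: str, size: int, pattern: bytes = b"\x00") -> int:
    """Overwrite the first `size` bytes of the media at `path` with the repeating `pattern`:
    zeros for Method 1, or a non-zero fill such as 0xAA 0x55 for the Method 2 variant.
    Returns the number of bytes written."""
    block = fill_block(pattern)
    written = 0
    with open(path, "r+b") as dev:
        while written < size:
            chunk = block[: min(len(block), size - written)]
            dev.write(chunk)
            written += len(chunk)
        dev.flush()
        os.fsync(dev.fileno())   # do not report success until the fill has reached the media
    return written

def verify_media(path: str, size: int, pattern: bytes = b"\x00"):
    """Read the media back in a separate pass and compare every byte to the expected fill.
    Returns (True, None) if all `size` bytes match, otherwise (False, offset) giving the first
    byte that differs (or the point where the media came up short). This is the "Verifying"
    pass that follows "Wiping" in EnCase, done explicitly."""
    block = fill_block(pattern)
    offset = 0
    with open(path, "rb") as dev:
        while offset < size:
            want = block[: min(len(block), size - offset)]
            got = dev.read(len(want))
            if got != want:
                bad = next((i for i, (g, w) in enumerate(zip(got, want)) if g != w), len(got))
                return False, offset + bad
            offset += len(want)
    return True, None

def run_demo() -> dict:
    """Run the wipe/verify cycle on a constructed stand-in for the E: volume: an ordinary
    file of 1 MiB + 123 bytes (so the final partial block is exercised), not a real device."""
    size = 1024 * 1024 + 123
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:                       # stale contents from a "previous use"
            f.write(bytes(range(256)) * (size // 256 + 1))
        results = {}
        wipe_media(path, size, b"\x00")                   # Method 1: zero fill
        results["zero_wipe"] = verify_media(path, size, b"\x00")
        wipe_media(path, size, b"\xaa\x55")               # Method 2: non-zero pattern
        results["pattern_wipe"] = verify_media(path, size, b"\xaa\x55")
        with open(path, "r+b") as f:                      # one stray byte near the end of the media
            f.seek(size - 7)
            f.write(b"\x00")
        results["tampered"] = verify_media(path, size, b"\xaa\x55")
        results["wrong_pattern"] = verify_media(path, size, b"\x00")   # checked against the wrong fill
        return results
    finally:
        os.remove(path)

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Pointing the script at a real volume would mean opening the device path with administrator rights; the logic is the same. Note that a short read (media ending before `size`) is reported as a failure rather than silently accepted, and that the verification pass reads the media back rather than trusting that the writes succeeded, which is the point of the separate "Verifying" step in EnCase.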
Method 2:

Use the help contents in WinHex as well as your Google Fu to similarly wipe the E:\ volume with a consistent pattern of data that is non-zero. Document your efforts with screenshots for your lab report and be sure to include the additional deliverable information listed above.

For the remainder of the labs, you must go back into the VM settings and re-attach the volume that you detached for the above exercise.

Imaging Process

Now that you have appropriately prepared media to write your image segments to, you will use two of the applications provided on the VM, EnCase and FTK Imager, to create images of the Simple Volume that is part of the VM. This volume contains various file types, some deleted and partially overwritten, others deleted and not overwritten. You will be creating images with both applications while using different image segment formats.

- EnCase creates image segments in a proprietary format commonly known as E01 files.
- FTK Imager will create images in several formats. For this exercise, we will use the AD1 format that was developed by AccessData and is the default evidence container format for the entire product suite, including Forensic Toolkit (FTK), AccessData Enterprise and AccessData eDiscovery.

In this portion of the lab, you will utilize AccessData FTK Imager to image the read-only SUSPECT1 volume that is a component of the virtual machine. You will image the SUSPECT1 volume using two different image file types (choose from dd, SMART, E01 or AFF), writing to the E:\ volume that you just prepared. The following walks you through the steps associated with creating one type of image; you should be able to utilize the same steps for creating the other image formats.

Open AccessData FTK Imager and choose the icon:
Select the Physical Drive option in the window that opens. In the Select Drive window, ensure the following virtual physical device is selected:

Select Finish. Note that the physical drive has been added to the FTK Imager application window. Right-click the physical drive entry and select Export Image. Add the VM E:\ volume as the path for the image file. You may choose to create a separate folder for this particular version of the image; this will help you manage the two different types of images you will be creating. In the next window, select the image type you wish to create, then complete the Evidence Item Information (be creative). Complete the remaining information that is prompted for, and be sure to keep the default "Verify images after they are created" setting; it re-reads the finished image and compares its hash to the hash computed from the source during acquisition. Once this image is complete, repeat the steps for a second image format. If there is not enough room on the E:\ volume, you will need to go back through the steps you took for the wiping process.

Deliverables:

Method 1: Provide screenshots of your process for each segment extension you choose to use. Look for reporting that is available in FTK Imager and provide any reports that may be available for each imaging section.
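To see what "Verify images after they are created" actually checks, the following Python script, an added example for this handout and not FTK Imager's own code, acquires a source "drive" (a constructed file, not a real device) into fixed-size raw dd-style segments, records the MD5 and SHA1 of the source as it is read, then re-reads the segments as one stream and compares the hashes. A deliberate one-byte change to a segment shows how a bad copy is caught. The segment naming (base.001, base.002, ...) and the 1 MiB segment size are assumptions for illustration; the size check against the FAT32 file limit reflects the E:\ format chosen above.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024                          # read size for acquisition and verification
FAT32_MAX_FILE = 4 * 1024 ** 3 - 1         # largest single file a FAT32 volume can hold

def acquire_raw(source: str, dest_dir: str, base: str, segment_size: int) -> dict:
    """Read `source` once, front to back, writing the bytes out as raw (dd-style)
    segments base.001, base.002, ... of at most `segment_size` bytes each, and hash
    the bytes as they are read. The hashes describe the source at acquisition time."""
    if not 0 < segment_size <= FAT32_MAX_FILE:
        raise ValueError("segment size must be positive and fit on a FAT32 destination")
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    segments, seg_fh, seg_written, total = [], None, 0, 0
    with open(source, "rb") as src:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            total += len(chunk)
            while chunk:                                   # a chunk may straddle two segments
                if seg_fh is None or seg_written == segment_size:
                    if seg_fh is not None:
                        seg_fh.close()
                    path = os.path.join(dest_dir, f"{base}.{len(segments) + 1:03d}")
                    seg_fh = open(path, "wb")
                    segments.append(path)
                    seg_written = 0
                take = min(len(chunk), segment_size - seg_written)
                seg_fh.write(chunk[:take])
                seg_written += take
                chunk = chunk[take:]
    if seg_fh is not None:
        seg_fh.close()
    return {"segments": segments, "bytes": total,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(segments: list, expected_md5: str, expected_sha1: str) -> dict:
    """Re-read the segments in order as one continuous stream (the post-acquisition
    verification pass) and compare the result to the acquisition hashes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in segments:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "md5_match": md5.hexdigest() == expected_md5,
            "sha1_match": sha1.hexdigest() == expected_sha1}

def run_demo() -> dict:
    """Image a constructed 2.5 MiB source into 1 MiB segments, verify, then corrupt
    one byte of the second segment and verify again."""
    source_bytes = bytes(range(256)) * (2621440 // 256)    # constructed, not real evidence
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect1.raw")
        with open(source, "wb") as f:
            f.write(source_bytes)
        dest = os.path.join(work, "images")
        os.mkdir(dest)
        acq = acquire_raw(source, dest, "suspect1", 1024 * 1024)
        out = {
            "bytes": acq["bytes"],
            "md5": acq["md5"],
            "sha1": acq["sha1"],
            "source_md5": hashlib.md5(source_bytes).hexdigest(),
            "segment_sizes": [os.path.getsize(p) for p in acq["segments"]],
            "verify_clean": verify_image(acq["segments"], acq["md5"], acq["sha1"]),
        }
        with open(acq["segments"][1], "r+b") as f:          # flip one byte in segment .002
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0xFF]))
        out["verify_tampered"] = verify_image(acq["segments"], acq["md5"], acq["sha1"])
    return out

if __name__ == "__main__":
    r = run_demo()
    print("segments:", r["segment_sizes"], "md5:", r["md5"])
    print("clean verify:", r["verify_clean"]["md5_match"],
          "tampered verify:", r["verify_tampered"]["md5_match"])
```

Raw dd segments carry no hash of their own, which is why the acquisition hashes belong in your lab report alongside the screenshots; an E01 container stores its hash inside the image, but the verification step is the same re-read-and-compare.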