Practice Exercise March 7, 2016




DIGITAL FORENSICS
Practice Exercise
March 7, 2016
Prepared by Leidos
CyberPatriot Forensics Challenge 1 Forensics Instruction Guide

Introduction

The goal of this event is to learn to identify key factors of the digital forensics field while engaging your creativity and sense of adventure. This is a digital forensics treasure hunt which may include various encryption/encoding methods using ciphers, codes, crypto, and Autopsy. You must find the answer to the clues, which will lead you to the next clue. Answers will be hidden in various sources. Please read this document entirely; it contains three (3) exercises to be executed for practice.

Getting Started

1. Download the Forensics Virtual Machine zip from the website: https://www.leidos.com/commercialcyber/cybernexs/cyberpatriot
2. To open the zip file, you will need to enter a password. The password for this exercise is 2016CBPg03s4th
3. After downloading an image, use the MD5 hash to calculate the image checksum. Instructions for using this software can be found in the document labeled Install MD5 located on the download site. If the checksum matches the one provided in the email, you have successfully downloaded the zip file. If it does not, re-download the file. If the checksum does not match after several re-downloads, try using a different browser, computer, or network. The video link below will help you through the verification process of the zip file. https://www.youtube.com/watch?v=Mod9tz858au
4. For the purposes of this practice exercise, answers will not be submitted to a scoring engine. This exercise is for practice and familiarization only.
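The checksum step above, as an added example that is not part of the Leidos guide: a small Python script that hashes the downloaded archive in chunks and compares the result with the MD5 from the email. The same check is what an examiner runs on an evidence image before and after analysis to show it was not altered. The file and expected hash used in demo() are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB VM archive or disk image
    never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_md5):
    """Compare the file's MD5 with the checksum provided by email.
    Returns (ok, actual_hex); the comparison is case-insensitive."""
    actual = file_digest(path, "md5")
    ok = hmac.compare_digest(actual, expected_md5.strip().lower())
    return ok, actual


def demo():
    # Constructed stand-in for Win7_Forensics_VM.7z: the well-known MD5 of the
    # bytes b"hello". A real run would point at the downloaded archive instead.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"hello")
        path = tmp.name
    try:
        good = verify_download(path, "5D41402ABC4B2A76B9719D911017C592")
        bad = verify_download(path, "00000000000000000000000000000000")
    finally:
        os.remove(path)
    return good, bad
```

A mismatch on a real download means re-downloading, as step 3 says; the script only tells you which case you are in.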

Exercise 1

Objective

The objective of this exercise will be to run Autopsy on the provided Virtual Machine (VM) available for download at https://www.leidos.com/commercialcyber/cybernexs/cyberpatriot. Once the Autopsy exercise has been executed, you will examine the existing case provided.

Familiarization with Autopsy

Autopsy is a (free) front-end application for The Sleuth Kit (TSK), which is a collection of Unix- and Windows-based tools for forensic analysis of computer systems. A good introduction may be found at https://en.wikipedia.org/wiki/the_sleuth_kit for some background. Detailed Autopsy user documentation can be found here: http://www.sleuthkit.org/autopsy/docs/user-docs/4.0/.

Digital forensic evidence must be processed (detected, collected, and preserved) in special ways (preserving the chain of custody and data/evidence integrity, thus guaranteeing evidence is not tampered with, destroyed, or modified during handling/analysis/storage) in order for cases to be successfully litigated. Autopsy is a tool that wraps analysis and reporting capabilities around a case management framework. This framework helps the analyst meet these rigorous handling requirements, as well as perform detection and analysis work. For this reason, Autopsy requires you to first open a case before allowing you to do anything else. Within an open case, Autopsy allows you to specify a data source like a digital image file, or an attached drive on your computer. It will allow you to pick all or a select number of the analyses that it performs as it populates a database with results.

Digital image files are usually captured from actual disk drives (or memory) from computers seized for evidence. These images are not necessarily just pictures but the whole disk structure and content, and are made using other tools (like dd in Unix) and stored on separate media so as not to contaminate or modify the original drive. In this spirit, Autopsy inputs data using images of evidentiary drives or analyzes a local drive without modifying or writing to the original. All results (extracted or recovered files/records) are saved in the Export directory where the case is maintained. If you wonder why Autopsy is making your life difficult, keep in mind the requirements for evidentiary preservation of data integrity and chain of custody. There's a big tradeoff between ease of use/analysis and proper forensic processing of evidence in the real world. This exercise will introduce and illustrate to you some of these concepts and processes.

Exercise Instructions

1. Set up the Forensics Virtual Machine
a. A Windows 7 virtual machine (VM) was prepared with Autopsy already installed, and a test case with some simple results. You will first need to start downloading the VM from the Leidos CyberNEXS site: https://www.leidos.com/commercialcyber/cybernexs/cyberpatriot. The file name is Win7_Forensics_VM.7z. You will need to unzip the file with 7-Zip (free) from http://www.7-zip.org/ if you don't already have it. Run 7z. In the file navigation bar, go to where Win7_Forensics_VM.7z is. Highlight the file Win7_Forensics_VM.7z and click on Extract. Supply the decryption key. The extracted directory is Windows 7Baseline.
b. You will also need VM Player (free) to run this VM. If you don't already have this, you will need to download and install it. VM Player was recently repackaged and included with VM Workstation 12 as VM Workstation Player (the non-Player Workstation requires a license), so you currently need to install VM Workstation, but when the install finishes, just find and run VM Player (needs no license). If you want to try the latest, go to: https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0.
c. Start VM Player (or VM Workstation Player). Note where you put the downloaded VM from Leidos. Click Open a Virtual Machine. Navigate to where you placed the extracted Windows 7Baseline directory. Click on it and highlight Windows 7 Misconfigured Baseline.vmx. Click on Open. In the left-hand column, note the link to WIN7 Forensics. Highlight WIN7 Forensics and click Play virtual machine.
d. The forensics Windows 7 machine is now running. No login is required. Note on the desktop the existing Autopsy case directory, testcase2. If you choose to create your own cases, you can save them anywhere you choose.
e. Start Autopsy by clicking on the Autopsy 4.0.0 shortcut icon. You'll see the following screen:

f. Click on Open Recent Case. Click on testcase2 and then select Open. This case has two data sources; both are captures of the same disk called data, which is drive E: on the virtual machine. Each capture is a separate image of the same E: drive, but the second is after some changes were made to the original drive. This drive contains some forensic artifacts you will search for and investigate (not necessarily with Autopsy). At this point, Autopsy will show:

The screen capture below shows the Windows 7 disk volumes on this machine. Analysis is being done on Data (E:), which is static (do not make any changes here). The C: drive is the system drive and is dynamic. In real life, you would want to inhibit any changes to the C: drive of a seized computer to preserve evidence and data integrity. This is an important yet complicated step that is out of scope and is not covered here. Instead we limit analysis only to the static E: drive, and possibly image files captured by other means from this or other machines.

g. When the E: drive was attached to the case as a data source, it was analyzed and the results were populated in the Autopsy database. To look at some results, click on Views and expand File Types and Deleted Files in the Autopsy left-hand navigation panel. Click on File Types > Images. You should see the image below. Autopsy has found some image files in that disk volume that could potentially contain evidence or other artifacts of interest. If present, Autopsy can also find deleted files, file fragments, videos, audio, archive, executable, document files and more. Make a note of this result for later. Check out http://www.sleuthkit.org/autopsy/docs/user-docs/4.0/ for particulars.

Exercise 2

Objective

Find and retrieve a deleted file from an externally obtained disk image.

Exercise Instructions

1. Restart Autopsy and open a new case (Create New Case in the diagram below), using case names, analyst names, and numbers of your own choosing.
2. On your own computer (not the Forensics VM), open a Web browser (IE or Firefox, etc.) and go to http://www.cfreds.nist.gov/dfr-test-images.html, go to the bottom of the page and find Test Image Links. Click on the NTFS link for Test Case DFR-01 RECYCLE, which is an image file of a drive where a file has been deleted and the Recycle Bin emptied. Download the compressed file, dfr-01-recycle-ntfs.dd.bz2, to your desktop. Use WinZip or 7-Zip to extract the image file, dfr-01-recycle-ntfs.dd, to your desktop (it may be in its own directory).
3. Copy/paste or drag and drop dfr-01-recycle-ntfs.dd to the desktop of the Forensics VM running in VM Player (this works in VM Workstation Player v. 12; unchecked in earlier versions of Player). See diagram below:
4. Autopsy should be showing the Enter Data Source Information wizard page as shown below. For Select source type to add:, select Image File (default). Click Browse. Click Desktop and then click on dfr-01-recycle-ntfs.dd, as shown below. Click Open, and then click Next.
5. Autopsy opens to the Configure Ingest Modules wizard where you can pick specific analyses to employ. Click Next, which selects all modules (default) if none were changed.

6. Click Finish and ignore the error applet. The source has now been analyzed and added to the local database. Click on Views > Deleted Files > All (3) in the left-hand navigation window. Autopsy now looks like this:

These three files with red x's flag either recoverable or non-recoverable files that have been permanently deleted from the target drive (the Recycle Bin emptied). If disk data clusters from a deleted file are reused (re-allocated) by a new file, that cluster's data is lost and the intact file is unrecoverable, though fragments may be found and analyzed. This underscores why a drive must be made static or image-captured as soon as possible when a computer is seized for investigation.

7. Recover Castor.txt:
a. In the Autopsy Directory Listing window, mouse over Castor.txt and right-click. A drop-down menu opens. See diagram below. Click on Extract File(s).


b. Save the recovered file in the Export directory of the case you opened. In this example, a case was opened called Deleted File Recovery, which created a directory by the same name as shown in the diagram below:
c. Navigate to the Export directory of your case and find the recovered file.
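To make the cluster-reuse point from step 6 concrete, here is an added example that is not part of the guide and not how Autopsy or The Sleuth Kit store anything: a toy file system in Python where deleting a file (and emptying the Recycle Bin) only frees its clusters, so a deleted Castor.txt is fully recoverable until a new file is allocated over one of them. The disk, file names and contents are constructed.

```python
CLUSTER = 8  # bytes per cluster on this toy disk (NTFS commonly uses 4096)


class ToyDisk:
    """Tiny model of a file system: a flat run of clusters, a free-cluster
    bitmap, and a table of which clusters each file owns (the role NTFS's
    MFT plays). Constructed for this example only."""

    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)
        self.free = [True] * n_clusters
        self.files = {}    # name -> (clusters, size) for live files
        self.deleted = {}  # name -> (clusters, size) left behind by deleted files

    def write_file(self, name, content):
        needed = -(-len(content) // CLUSTER)  # ceiling division
        clusters = [i for i, is_free in enumerate(self.free) if is_free][:needed]
        if len(clusters) < needed:
            raise OSError("disk full")
        for k, c in enumerate(clusters):
            chunk = content[k * CLUSTER:(k + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.free[c] = False
        self.files[name] = (clusters, len(content))

    def delete(self, name):
        """Deleting only marks the clusters free; the bytes stay on disk
        until another file is written over them."""
        clusters, size = self.files.pop(name)
        for c in clusters:
            self.free[c] = True
        self.deleted[name] = (clusters, size)

    def recover(self, name):
        """Return (intact, bytes). intact is False once any cluster was
        re-allocated; the bytes are then a mix of old content and new data."""
        clusters, size = self.deleted[name]
        intact = all(self.free[c] for c in clusters)
        raw = b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return intact, raw[:size]


def demo():
    disk = ToyDisk(n_clusters=4)
    disk.write_file("Castor.txt", b"Castor was here!")  # 16 bytes -> clusters 0 and 1
    disk.delete("Castor.txt")
    before = disk.recover("Castor.txt")   # (True, b'Castor was here!')
    disk.write_file("new.bin", b"X" * 8)  # first-fit allocation reuses cluster 0
    after = disk.recover("Castor.txt")    # (False, b'XXXXXXXXas here!')
    return before, after
```

The second recovery is the "fragments may be found" case from step 6: the leftover half of the file is still there, but the file as a whole is gone.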

Exercise 3

Objective

Answer the questions associated with the Autopsy case.

Exercise Instructions

After you have used Autopsy to find the artifacts, check the artifacts for steganography files and file carving files. The challenges are encrypted and hidden in the VM image. Find and decrypt each encrypted challenge you find. Each encryption challenge is titled Encryption challenge 1, 2, etc. FOR THE PURPOSES OF THIS PRACTICE EXERCISE THERE ARE ONLY 11 ENCRYPTION CHALLENGES TOTAL AND THEY ARE NOT IN ANY SPECIFIC ORDER. Once you complete all the encrypted challenges you find in the VM, answer the questions below. The phrases are sentences and quotes, plus some challenges will be encrypted more than once. The answer is the word that does not fit within the sentence. Several of the answers are compound words that make no sense, such as BOOKTV. This is your indicator that you've successfully found the answer.

Answer the following questions:
1. What are the names of the file carving files?
2. What are the names of the files you found in the steganography challenge?