Magic Number Chart - Pennsylvania State University lab...


Upload: hadang

Post on 07-Mar-2018



Basic Forensic analysis:

Scenario:

Last week University police arrested a student, Billy Badguy, for selling cocaine. During the pursuit the student threw a USB drive into a storm drain. The Office of the Physical Plant (OPP) was contacted and they were able to recover the USB drive. The Police department has asked you to perform a forensic analysis on this USB drive. You have created an image and left it on your desktop.

Objectives:

Create a case in Autopsy.
Locate deleted/hidden files.
Perform a dirty word search.
Create a case report with any evidence you find.

Remember to read the report requirements at the end of this document to see what is necessary to hand into the instructor.

Log On to VMware

Step 1 Open the VMware Infrastructure Client from the “Start > VMWare” program. Type in “vslvc.ist.psu.edu” for the IP address. Then enter your team user ID and password given to you by your instructor.

Page 1 of 22


Navigate to View > Inventory > Virtual Machines and Templates

Step 2 Locate the virtual machine folder that has been assigned to you (contact your instructor if you don’t have one), and select IST454.

Step 3 Highlight your machine and click the Console icon to launch the Virtual Machine Console to your virtual machine.


Note: If you see a black screen, you need to “power on” the virtual machine by clicking the green arrow at the top.

Step 4 Logon to the machine with the user name “ISTForensics”. Click twice on ISTForensics to get the password field. The password is “password” (no quotes).


Welcome to your Virtual Machine.

Task 1 - Create a case in Autopsy

Step 1 Open a terminal window. Go to Applications > Forensics > Autopsy.


You will be required to enter a password. Type in the word: password. (The password is not visible as you type it.)

This is what you will see when you have successfully entered the password. Leave this window open.


Step 2 Open the Firefox Web Browser by going to Applications > Internet > Firefox Web Browser.

Autopsy is set as the home page.

Step 3 Scroll down if necessary and click on the “New Case” button.


Step 4 Fill in the fields as follows:

a. “Case Name” – Type: USBcase1

b. “Description” – Add a short sentence describing the case. Reread the scenario at the beginning of this document for help with your short description.

c. “Investigator Names” – Type in your name and the names of the members of your team.

Click the “New Case” button.


Step 5 Leave the default and click the “Add Host” button at the bottom.

Step 6 Click another “Add Host” button.


Step 7 Click “Add Image.”

Step 8 Click “Add Image File.”


Step 9 Fill in the fields in the “Add a New Image” screen.

a. “Location” – Type /home/administrator/Desktop/usbimage1.dd

b. “Import Method” – select copy.

Click “Next.”


Step 10 Select “Volume Image” on the right, and ensure “dos” is selected in the “Volume System Type” drop down. Click “OK.”

Step 11 Select “Calculate” under the topic, “Data Integrity” and check “Verify hash after importing”. Click the “Add” button.


Step 12 Once the calculations are done, click the “OK” button.


Task 2: Locate deleted/hidden files

Step 1 Click the “Analyze” button.

Step 2 Select “File Analysis”


Step 3 The files labeled in red are the deleted files. They are also the ones with a checkmark under DEL to the left of the filename.

a. Click on the files and examine them in the window below.

b. If data appears, click “report” next to ASCII and get a screenshot of the report to use in your report later. (Clicking on “display” does not give you the report. You must click on the word “report”.) “X” out of this tab.

c. Then click “Export” to export the file from the image to the Downloads folder.

i. Once the files are saved outside the image, open them and get a screenshot of the data in the file for your report to the police.

Step 4 Follow the same procedure for the files listed in blue. These are files that exist openly on the drive. If a file does not work when you open it, examine its “magic number” against the magic number chart to ensure that the file is labeled correctly. The magic number is the first few bytes of the file as seen in hex; it can be seen in Autopsy if you examine the file in hex view. A file that has been mislabeled won’t open properly but can still hold uncorrupted data. The mp3 file will work, just not with the movie player; you won’t be able to hear it in this lab.

Task 3: Perform dirty word search

A dirty word search is a search through all of the bytes in the image looking for specific strings or words. Look at the information listed in the case summary, and consider what words a drug dealer might use. This search takes some time. Normally a forensic analyst would have a long list of dirty words ready. Because of time constraints, just use the key words from the scenario at the beginning of the lab.


Step 1 Click on the “Keyword Search” button.

Step 3 Ensure “ASCII” and “Case Insensitive” are selected. Type in a dirty word from your list. Click the “Search” button.


Step 4 When you get a hit, make a note of the sector the hit was in. You will be able to determine what file the hit was located in by comparing the sector the word was found in with the sectors listed in the file reports you made during the file analysis.

Step 4 Click the hex link next to the sector number.


Step 5 Click on report next to hex at the top of the screen.

Step 5 Click on the previous/next buttons to ensure you have all relevant data. If you find more data, click the Hex report again and get another screen shot.
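An added example, not part of the lab, of what happens behind the “Keyword Search” button and the sector comparison in Step 4: a case-insensitive ASCII scan of every byte of an image that reports the sector of each hit and maps it back to a file from a per-file sector list like the ones in the file reports. The image contents, the 512-byte sector size and the file names are constructed assumptions.

```python
import re

SECTOR_SIZE = 512  # assumed sector size used to turn a byte offset into a sector number

# Constructed stand-in for usbimage1.dd: three sectors of filler with a note
# fragment and a contact list placed at known offsets.
SAMPLE_IMAGE = bytearray(b"\x00" * (3 * SECTOR_SIZE))
SAMPLE_IMAGE[40:40 + 34] = b"meet at the library, bring COCAINE"
SAMPLE_IMAGE[1100:1100 + 22] = b"supplier phone: 555-01"

# Constructed sector map in the shape of the Autopsy file-report data
# (which sectors each file occupies); the file names are hypothetical.
SAMPLE_FILE_SECTORS = {
    "notes.txt": range(0, 1),      # occupies sector 0
    "contacts.doc": range(2, 3),   # occupies sector 2
}

def dirty_word_search(image, words, case_insensitive=True):
    """Scan every byte of the image for the dirty-word list.
    Returns a list of (word, byte_offset, sector, context) hits."""
    flags = re.IGNORECASE if case_insensitive else 0
    # re.escape so punctuation inside a dirty word is matched literally
    pattern = re.compile(b"|".join(re.escape(w.encode("ascii")) for w in words), flags)
    hits = []
    for m in pattern.finditer(bytes(image)):
        offset = m.start()
        sector = offset // SECTOR_SIZE
        raw = bytes(image[max(0, offset - 16):offset + len(m.group()) + 16])
        # keep only printable ASCII in the context snippet, as a hex/ASCII view would
        context = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
        hits.append((m.group().decode("ascii").lower(), offset, sector, context))
    return hits

def file_for_sector(sector, file_sectors):
    """Map a hit's sector back to a file using the per-file sector lists,
    mirroring the manual comparison against the Autopsy file reports.
    Returns None when no listed file owns the sector (unallocated space)."""
    for name, sectors in file_sectors.items():
        if sector in sectors:
            return name
    return None

def search_report(image, words, file_sectors):
    """Rows for the case report: word, offset, sector, owning file, context."""
    return [(w, off, sec, file_for_sector(sec, file_sectors), ctx)
            for w, off, sec, ctx in dirty_word_search(image, words)]

if __name__ == "__main__":
    for row in search_report(SAMPLE_IMAGE, ["cocaine", "supplier"], SAMPLE_FILE_SECTORS):
        print(row)
```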


Task 4: Answer questions. Create a Case report.

The police want to know:

1. What is the name of Billy’s supplier?
2. When and where is the next meet?
3. Who else on campus is involved?
4. Were there any secret messages? If so, in which file were they located?

Extra credit: How was the secret message made, or how could it have been made?

Write a Forensic Report

You should have the following parts:

A forensic report is a step by step list of everything you have done and what the results were. You don’t need to actually list all of the failed attempts or crowd it with non-relevant facts. Keep it accurate, relevant and simple.

Grading Rubric

Credit for each section is as follows.

1. Forensic Report (100%):

Note

Be sure to include your name and email address in the report. The report should be turned in before class on the specified due date. Late submissions will be issued a grade deduction, especially if permission has not been obtained from the instructor. The instructor reserves the right to grant or reject extra time for report completion.


Links:

Magic Numbers: http://www.garykessler.net/library/file_sigs.html

Building a Low Cost Forensics Workstation: http://www.sans.org/reading_room/whitepapers/incident/building_a_low_cost_forensics_workstation_895

Computer Forensics - We've Had an Incident, Who Do We Get to Investigate? http://www.sans.org/reading_room/whitepapers/incident/computer_forensics_weve_had_an_incident_who_do_we_get_to_investigate_652

COMPUTER FORENSICS LABS: Making a Digital Difference

What the FBI has achieved with computer forensics: http://www.fbi.gov/page2/august09/rcfls_081809.html

Department of Justice, Electronic Crime Scene Investigation: A Guide for First Responders. http://www.ojp.usdoj.gov/nij/publications/ecrime-guide-219941/welcome.htm

SANS Computer Forensics, http://computer-forensics.sans.org/

Forensic Focus, Computer Forensics News, Information and Community, forum. http://www.forensicfocus.com/

2600 Article: Don’t steal music (or how to catch an iPod thief using forensics), http://www.frameloss.org/2009/05/09/2600-article-dont-steal-music-or-how-to-catch-an-ipod-thief-using-forensics/

The Sleuthkit/Autopsy free forensics tool. http://www.sleuthkit.org/

What happens when you delete a file? http://www.youtube.com/watch?v=g8tEjW243OI

What is learned during a SANS computer forensics course. http://www.youtube.com/watch?v=9JoX4uxES7Q&feature=related

Magic Number Chart

Here are a few magic numbers; most of these are for image files.

File type                             Typical extension   Hex digits (xx = variable)       ASCII digits (. = not an ASCII char)
Bitmap format                         .bmp                42 4d                            BM
Office2007 Documents                  .xlsx               50 4B 03 04 14 00 06 00          PK
GIF Format                            .gif                47 49 46 38                      GIF8
MP3                                   .mp3                49 44 33                         ID3
PDF                                   .PDF                25 50 44 46                      %PDF
JPEG File Interchange Format          .jpg                ff d8 ff e0                      ....
NIFF (Navy TIFF)                      .nif                49 49 4e 31                      IIN1
PM format                             .pm                 56 49 45 57                      VIEW
PNG format                            .png                89 50 4e 47                      .PNG
Postscript format                     .[e]ps              25 21                            %!
Sun Rasterfile                        .ras                59 a6 6a 95                      Y.j.
Targa format                          .tga                xx xx xx                         ...
TIFF format (Motorola - big endian)   .tif                4d 4d 00 2a                      MM.*
TIFF format (Intel - little endian)   .tif                49 49 2a 00                      II*.
X11 Bitmap format                     .xbm                xx xx
XCF Gimp file structure               .xcf                67 69 6d 70 20 78 63 66 20 76    gimp xcf
Xfig format                           .fig                23 46 49 47                      #FIG
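As an added example that is not part of the lab, this script applies the chart above to the mislabeled-file check in Task 2, Step 4: it takes a file's leading bytes, finds the longest chart signature they match, shows them the way the hex view does, and reports whether the file's extension agrees. The sample file names and headers are constructed, and the `.eps`/`.tiff`/`.jpeg` aliases are an assumption for extensions the chart folds into one row.

```python
import os

# Signatures copied from the chart above; the "xx xx" entries (Targa, X11
# bitmap) have no fixed bytes and are omitted. Value: chart extension, name.
MAGIC_NUMBERS = {
    bytes.fromhex("424d"): (".bmp", "Bitmap format"),
    bytes.fromhex("504b030414000600"): (".xlsx", "Office2007 Documents"),
    bytes.fromhex("47494638"): (".gif", "GIF Format"),
    bytes.fromhex("494433"): (".mp3", "MP3"),
    bytes.fromhex("25504446"): (".pdf", "PDF"),
    bytes.fromhex("ffd8ffe0"): (".jpg", "JPEG File Interchange Format"),
    bytes.fromhex("49494e31"): (".nif", "NIFF (Navy TIFF)"),
    bytes.fromhex("56494557"): (".pm", "PM format"),
    bytes.fromhex("89504e47"): (".png", "PNG format"),
    bytes.fromhex("2521"): (".ps", "Postscript format"),
    bytes.fromhex("59a66a95"): (".ras", "Sun Rasterfile"),
    bytes.fromhex("4d4d002a"): (".tif", "TIFF format (Motorola - big endian)"),
    bytes.fromhex("49492a00"): (".tif", "TIFF format (Intel - little endian)"),
    bytes.fromhex("67696d70207863662076"): (".xcf", "XCF Gimp file structure"),
    bytes.fromhex("23464947"): (".fig", "Xfig format"),
}
ALIASES = {".eps": ".ps", ".tiff": ".tif", ".jpeg": ".jpg"}  # assumed: same signature

def identify(header):
    """Longest chart signature the leading bytes match, or None."""
    matches = [m for m in MAGIC_NUMBERS if header.startswith(m)]
    return MAGIC_NUMBERS[max(matches, key=len)] if matches else None

def check_label(filename, header):
    """('ok' | 'mislabeled' | 'unknown', detected type) for the file's extension."""
    detected = identify(header)
    if detected is None:
        return "unknown", None
    ext = os.path.splitext(filename)[1].lower()
    return ("ok" if ALIASES.get(ext, ext) == detected[0] else "mislabeled"), detected

def hexdump_head(header, n=8):
    """First n bytes as the hex view shows them: hex pairs, then ASCII with '.' for non-printable."""
    head = header[:n]
    return (" ".join(f"{b:02x}" for b in head) + "  "
            + "".join(chr(b) if 32 <= b < 127 else "." for b in head))

# Constructed sample headers standing in for files exported from the image.
SAMPLE_FILES = {
    "vacation.jpg": bytes.fromhex("89504e470d0a1a0a"),  # really a PNG
    "track01.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00",   # label matches
    "notes.txt": b"meet at the library",               # no chart entry
}
if __name__ == "__main__":
    for name, header in SAMPLE_FILES.items():
        print(name, hexdump_head(header), check_label(name, header))
```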
