
Lab Instructions

Forensic Analysis with EnCase
Introduction
Students’ Role: Digital Forensics Examiner for the Cyber Action Team (CAT).
Request for Digital Forensic Analysis
Suspect: Mantooth, Wes
Seizure Date: 17 March 2018
Case Number: 20180317-Mantooth
Requesting Organization: Fox Molder, Cyber Crime Division
Mr. Mantooth’s computer was seized under search warrant pursuant to case number 20180317-Mantooth. This is a
request to process the seized hard drive for evidence that may advance the investigation of this case.
We are specifically interested in having you perform the following:
1) Write a Case Narrative Digital Forensics Examiner’s Report.
2) Document and describe your investigative process and any errors or difficulties you encountered.
3) Document the Mantooth image hash values.
4) Document and describe the user accounts, with last login, Security ID (SID) and any associated registry comments.
5) Document any network, removable or local drives (device name and serial number) that may have been connected to the Mantooth computer, and note how many files may have been viewed from each connected device you identify.
6) Document and describe the contents, if any, of the Recycle Bin.
7) Document the link files. Try to find these files and determine what type of information may be useful to your investigation. Also document and describe what a link file is and the significance of locating a link file in this case.
8) Document the manufacturer (brand) of the HDD seized from Mantooth’s computer.
9) Document the model and family of the processor seized from Mantooth’s computer.
10) Document the most visited Internet domain and how many times it was visited.
11) List and describe at least 3 user Internet searches that may be consistent with possible evidence of criminal activity.
12) Document and describe the number of login failures and the date(s).
13) Document the DHCP address associated with the Mantooth computer.
14) Document and describe the computer OS version and Product ID and the existing time zone settings, and note whether Mantooth’s computer is set to daylight saving time.
15) Document and describe whether there is encryption software installed on the Mantooth computer.
16) Document and describe the notable names you identify and, for each name, include a representative number of the files, if any, that you locate which were downloaded through email.
17) Document and describe the number of “.jpg” files you locate on the Mantooth evidence image file.
18) Document and describe at least two email messages that may be consistent with possible evidence of criminal activity.
Evidence Items Provided: Mantooth.E01 (evidence image file)
Tag #01: Digital Image of Suspect Drive; File Name: Mantooths_HDD.E01
MD5 Hash Value: 31217210a1a69f272079a3bde3d9d8fc
SHA1 Hash Value: 12e4ac047e328ca2bd63a4d65df25b3ecba55769
General Instructions: Log into the UMUC Virtual Lab and perform the following steps using EnCase. Make sure to
document your findings and provide the appropriate screen shots/bookmarks as part of your Lab 1 Digital Forensics
Examiner’s Report. Your report should be submitted to the assignment section as one document in .pdf format, named
with the following convention: “Lab1-YourFirstInitial-LastName”. Make sure your report has an overview with labeled
captions such as Investigation Referral, Steps Taken, Notable Files, Findings and Conclusion, etc., and that each
investigation step is documented, described and supported with one or more artifacts, such as file names and
screen shots, necessary to demonstrate your work.
Deliverables & Lab 1 Questions to be answered:
General Instructions: Preview the lab deliverables and the grading rubric before starting your Lab 1 work. Then log into
the UMUC Virtual Lab and follow the step-by-step instructions and illustrations. Make sure you include a copy of the
Request for Digital Forensic Analysis in your final report, as this is your authorization to perform the investigation.
The Lab 1 deliverables are noted in the Request for Digital Forensic Analysis and are also listed near the end of the
following technical instructions.
Technical Instructions:
Launch EnCase from the “Lab Resources” folder of your Lab VM.
Once EnCase starts up, create a new case named “Date_Mantooth”. (Date should be today’s date in yyyymmdd format)
Choose the Basic Template and enter Case Number, Examiner Name, and Description in the Case Information area. In
the Name and location area enter the case name in the Name field. Use the defaults on the Base case folder, Primary
evidence cache, and Backup location – then click OK.
Practice Note: In a formal case investigation environment you would store backups on a separate drive. In our Lab 1, we
will default to the same drive so click “Yes” if you get a warning about storing the case and backup on the same drive.
Same action with the Backup location and Primary evidence cache - so click Yes if you get a warning about storing the
backup and primary evidence cache on the same drive.
Since you are creating new folders simply click “Yes”.
You are now ready to add evidence to the case, so click Add Evidence in the middle of the screen.
We are adding evidence that is already created in a .E01 image file format, so choose Add Evidence File.
Browse to the Mantooth.E01 image file in the Desktop folder for Lab 1, as illustrated below.
Desktop > Computer > Local Disk D: > Lab Resources > Lab Images > Mantooth.E01
You will also find a “Mantooth.E01.txt” file that contains the FTK Imager report for the Mantooth image. Within the
Mantooth.E01.txt file you will find the MD5 and SHA-1 hashes to note for your examination. These are hashes of the
acquired disk data, not of the .E01 file itself, and they should match the hash values EnCase shows when you access the
image. If they don’t, make a note in your case report.
Example of the FTK Imager Mantooth.E01.txt file information
If you receive an Error message about the Header being more than 12 characters just click OK. This does not impact case
processing.
You may find the “Tree-Table” view below easier to work in. Click the menu selection highlighted below to use
Tree-Table view.
You are now ready to begin processing the Mantooth.E01 image file in EnCase. Click on “Process Evidence” and choose
just the “Process…” option.
Within the “Process” options there are a few things to remember. Some of the options have a red exclamation point
to their left. These options can only be chosen the first time you process evidence in a case, so you should normally
select them during the first processing run for your case. All of the other options can also be selected on a later
processing run. On a large image you may decide to choose only a few options the first time, so that you see some
results sooner, or because it is not yet clear from your initial instructions or search authorization which
investigative direction is best to take.
In this case, Mantooth.E01 is a small image, so we are going to select all of the options we need on the first
processing run. Note all of the blue-checked areas below, which indicate that those options have been chosen for
processing in our case.
The processing options include everything except Prioritization and Search for keywords. It is a little hard to see in
the interface, but the Modules option is actually a drop-down menu: click to the left of Modules to expand it, then
select System Info Parser, Windows Event Log Parser and Windows Artifact Parser. It is worth noting that each of the
blue options is actually a hyperlink where you can specify more detail for that option.
If you click “System Info Parser” you will see the following window appear. We will choose all of the standard artifacts
but nothing from the advanced artifacts tab.
Click OK and begin the case processor. You may need to maximize the case processor window to see the OK button.
Any time an operation is running within EnCase you will see the progress in the lower right micro help area of the
window.
Note that the Acquisition and Verification MD5 hashes should match in the lower portion of the evidence screen (you
may need to scroll). Verification is also available as a menu item in EnCase; run it if you want to re-verify the
hashes, and record the result in your report.
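The following is an added example, not part of the lab instructions and not EnCase or FTK Imager code. It models why the hashes in Mantooth.E01.txt can only be reproduced by hashing the decompressed disk stream (which is what EnCase Verification does for you), and never by running md5sum on the .E01 file: the container stores the disk bytes zlib-compressed in chunks, with extra metadata. The disk contents, the chunking and the report layout (modelled on FTK Imager's text report, carrying the hash values from the request above) are constructed assumptions; this is not an E01 parser.

```python
"""Why `md5sum Mantooth.E01` does not give you the acquisition hash.

Added example: models one property of the E01/EWF format. The acquisition
hashes FTK Imager prints (and EnCase Verification re-computes) cover the RAW
disk bytes; the .E01 file stores those bytes zlib-compressed in fixed chunks.
Hashing the container file therefore never matches the acquisition hash.
"""
import hashlib
import hmac
import re
import zlib

CHUNK_SIZE = 32 * 1024  # EWF default chunk of 64 x 512-byte sectors (simplified model)

# Constructed stand-in for the seized disk: deterministic bytes, a bit over 3 chunks.
RAW_DISK = bytes((i * 7919 + 13) & 0xFF for i in range(3 * CHUNK_SIZE + 1234))

# Layout modelled on FTK Imager's text report (an assumption); the hash values are
# the ones given in the Request for Digital Forensic Analysis, the path is constructed.
SAMPLE_FTK_REPORT = """\
Created By AccessData FTK Imager

[Computed Hashes]
 MD5 checksum:    31217210a1a69f272079a3bde3d9d8fc
 SHA1 checksum:   12e4ac047e328ca2bd63a4d65df25b3ecba55769

Image Information:
 Segment list:
  D:\\Lab Resources\\Lab Images\\Mantooth.E01
"""


def hash_raw(raw: bytes) -> dict[str, str]:
    """What the imager computes while reading the source drive sector by sector."""
    return {"md5": hashlib.md5(raw).hexdigest(), "sha1": hashlib.sha1(raw).hexdigest()}


def build_fake_e01_chunks(raw: bytes) -> list[bytes]:
    """Split the raw bytes into chunks and zlib-compress each, as an EWF writer
    does (real files add section headers, CRCs and segment files; omitted here)."""
    return [zlib.compress(raw[i:i + CHUNK_SIZE]) for i in range(0, len(raw), CHUNK_SIZE)]


def acquisition_hashes(chunks: list[bytes]) -> dict[str, str]:
    """Re-create the acquisition hashes: decompress chunk by chunk and feed the
    raw stream to MD5 and SHA-1 incrementally, so memory use stays constant."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        raw = zlib.decompress(chunk)
        md5.update(raw)
        sha1.update(raw)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def container_hashes(chunks: list[bytes]) -> dict[str, str]:
    """Hash of the container bytes: useful for chain of custody of the *file* you
    were handed, but it is not the acquisition hash and will not match it."""
    return hash_raw(b"".join(chunks))


def parse_ftk_report(text: str) -> dict[str, str]:
    """Pull the first MD5/SHA1 checksum lines (the [Computed Hashes] section)."""
    md5 = re.search(r"^\s*MD5 checksum:\s*([0-9a-fA-F]{32})\b", text, re.M)
    sha1 = re.search(r"^\s*SHA1 checksum:\s*([0-9a-fA-F]{40})\b", text, re.M)
    if not md5 or not sha1:
        raise ValueError("report has no computed MD5/SHA1 hashes")
    return {"md5": md5.group(1).lower(), "sha1": sha1.group(1).lower()}


def make_report(hashes: dict[str, str]) -> str:
    """Write the hash section in the same layout (used to build a matching report)."""
    return (f"[Computed Hashes]\n MD5 checksum:    {hashes['md5']}\n"
            f" SHA1 checksum:   {hashes['sha1']}\n")


def verify(chunks: list[bytes], report_text: str) -> dict[str, bool]:
    """Compare recomputed acquisition hashes with the report. A False here is
    exactly the situation the lab tells you to note in your case report."""
    expected, computed = parse_ftk_report(report_text), acquisition_hashes(chunks)
    return {k: hmac.compare_digest(expected[k], computed[k]) for k in ("md5", "sha1")}


if __name__ == "__main__":
    chunks = build_fake_e01_chunks(RAW_DISK)
    print("acquisition:", acquisition_hashes(chunks))
    print("container  :", container_hashes(chunks))  # differs by design
    print("vs Mantooth report:", verify(chunks, SAMPLE_FTK_REPORT))  # False: not that disk
    print("vs own report     :", verify(chunks, make_report(hash_raw(RAW_DISK))))
```

The constructed disk is obviously not the Mantooth drive, so checking it against the request's hashes fails on both algorithms, while a report written from its own raw-stream hashes verifies; the container hashes differ from both, which is the point to remember when a student hashes the .E01 file directly and reports a mismatch.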
Any time you do something substantial in the case, save it. By default EnCase saves every 30 minutes, which is not
frequent enough; a good practice is to save manually every 5 minutes.
EnCase is not intuitive in showing evidence processing results; you must navigate to the results that interest you. The
View menu is used to toggle the display of other tabs. We are interested in the Artifacts tab.
The processing options you choose at the outset of the case determine what shows up in the Artifacts tab. We will see
items like email and Internet artifacts.
There is another area that is rich in evidence case information. Click on the home icon. You will likely return to the Add
Evidence window.
From the Add Evidence window click the back arrow to go to the base home screen.
From the base home screen select Case Analyzer.
Then click on Case.
Once Case Analyzer has finished compiling, you will be at the “Case” tab in Case Analyzer. Navigating through the
various folders under the Reports folder is where you will find many evidence artifacts. This area, together with the
Artifacts tab we used before running Case Analyzer, is where you will find most of the evidence artifacts needed to
complete this digital forensics examination.
Your Lab 1 objectives are to develop a Lab 1 Digital Forensics Examiner’s Report that addresses and answers the
following case investigation items:
1) Write a Case Narrative Digital Forensics Examiner’s Report.
2) Document and describe your investigative process and any errors or difficulties you encountered.
3) Document the Mantooth image hash values.
4) Document and describe the user accounts, with last login, Security ID (SID) and any associated registry comments.
5) Document any network, removable or local drives (device name and serial number) that may have been connected to the Mantooth computer, and note how many files may have been viewed from each connected device you identify.
6) Document and describe the contents, if any, of the Recycle Bin.
7) Document the link files. Try to find these files and determine what type of information may be useful to your investigation. Also document and describe what a link file is and the significance of locating a link file in this case.
8) Document the manufacturer (brand) of the HDD seized from Mantooth’s computer.
9) Document the model and family of the processor seized from Mantooth’s computer.
10) Document the most visited Internet domain and how many times it was visited.
11) List and describe at least 3 user Internet searches that may be consistent with possible evidence of criminal activity.
12) Document and describe the number of login failures and the date(s).
13) Document the DHCP address associated with the Mantooth computer.
14) Document and describe the computer OS version and Product ID and the existing time zone settings, and note whether Mantooth’s computer is set to daylight saving time.
15) Document and describe whether there is encryption software installed on the Mantooth computer.
16) Document and describe the notable names you identify and, for each name, include a representative number of the files, if any, that you locate which were downloaded through email.
17) Document and describe the number of “.jpg” files you locate on the Mantooth evidence image file.
18) Document and describe at least two email messages that may be consistent with possible evidence of criminal activity.
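As an added example for items 5 and 7, not part of the lab instructions or of EnCase: a minimal parser for the Windows Shell Link (.lnk) format, per the MS-SHLLINK specification, showing what makes link files valuable here. A .lnk records the target file's own creation, access and write times and its size, its local path, and the type and serial number of the volume it lived on, so the shortcuts Windows leaves in a user profile can tie files that were opened to a specific removable device and be counted per device. The sample .lnk bytes, paths, volume label and serial numbers are constructed for the example; the parser skips the shell item ID list and does not handle network-share links.

```python
"""Minimal Windows Shell Link (.lnk) parser, following MS-SHLLINK.

Added example. Shows the fields that matter forensically: target MAC times and
size from the header, and the volume type/serial/label and local path from the
LinkInfo block. Sample .lnk files are constructed below; nothing is read from
a real image.
"""
import struct
from datetime import datetime, timedelta, timezone

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_RELATIVE_PATH, IS_UNICODE = 0x01, 0x02, 0x08, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # StringData order per spec
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
HEADER_FMT = "<I16sIIQQQIiIHHII"  # HeaderSize, CLSID, LinkFlags, FileAttributes, 3x FILETIME, ...
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def read_cstr(data: bytes, off: int) -> str:
    """NUL-terminated ANSI string at `off`."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    if len(data) < 0x4C:
        raise ValueError("not a Shell Link file")
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr[0] != 0x4C or hdr[1] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = hdr[2]
    result = {"target_created": from_filetime(hdr[4]), "target_accessed": from_filetime(hdr[5]),
              "target_modified": from_filetime(hdr[6]), "target_size": hdr[7]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the shell item ID list (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # offsets inside LinkInfo are relative to its start
        info_size, _hdr_size, info_flags, vol_off, base_off, _net_off, suffix_off = \
            struct.unpack_from("<IIIIIII", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            v = pos + vol_off
            _vsize, drive_type, serial, label_off = struct.unpack_from("<IIII", data, v)
            result["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            result["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"  # as `vol` prints it
            result["volume_label"] = read_cstr(data, v + label_off)
            result["local_base_path"] = read_cstr(data, pos + base_off) + read_cstr(data, pos + suffix_off)
        pos += info_size
    for flag, key in STRING_FIELDS:  # CountCharacters-prefixed strings, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            result[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return result


def build_sample_lnk(serial: int, target: str) -> bytes:
    """Construct a .lnk to `target` on a removable volume with the given serial (test data)."""
    label, base, suffix = b"USB_STICK\x00", target.encode("cp1252") + b"\x00", b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 2, serial, 16) + label  # DriveType 2 = removable
    vol_off, base_off = 28, 28 + len(volume_id)
    suffix_off = base_off + len(base)
    info = struct.pack("<IIIIIII", suffix_off + len(suffix), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                       vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    rel = ".\\" + target.rsplit("\\", 1)[-1]
    strings = struct.pack("<H", len(rel)) + rel.encode("utf-16-le")
    times = [to_filetime(datetime(2018, 3, d, 12, 0, tzinfo=timezone.utc)) for d in (10, 15, 12)]
    header = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE,
                         0x20, *times, 123456, 0, 1, 0, 0, 0, 0)
    return header + info + strings


def targets_by_volume(lnk_blobs) -> dict[str, list[str]]:
    """Group link targets by volume serial: how many files were opened per connected device."""
    out: dict[str, list[str]] = {}
    for blob in lnk_blobs:
        info = parse_lnk(blob)
        out.setdefault(info.get("volume_serial", "unknown"), []).append(info["local_base_path"])
    return out


if __name__ == "__main__":
    samples = [build_sample_lnk(0x1A2B3C4D, "E:\\docs\\offer_letter.pdf"),
               build_sample_lnk(0x1A2B3C4D, "E:\\docs\\client_list.xlsx"),
               build_sample_lnk(0x55667788, "F:\\vacation.jpg")]
    for blob in samples:
        print(parse_lnk(blob))
    print(targets_by_volume(samples))
```

The volume serial is formatted the way Windows prints it, which is also how it appears in the registry artifacts EnCase's Windows Artifact Parser surfaces, so the grouping above is the same join you perform by hand when answering item 5 from link files found for item 7.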
You may notice that there is a “Report” function in Case Analyzer. The artifacts you find that answer many of the
Lab 1 investigation questions can be selected and “added to a report”, which gives a much more professional
appearance than a series of screen shots. Take a few minutes to see how the report feature works and consider using
it as part of your overall report. If you have significant difficulty with the EnCase Report method, or not everything
you want shows up in the EnCase Report, you can paste the missing screen shots into your EnCase report, or stick with
the screen shot method for your entire report for consistency.
The Case Analyzer report can be saved as a PDF.
As a refresher, email can be found in the Artifacts tab. One other hint: use the Evidence tab to find how many .jpg files
are contained in the Mantooth.E01 evidence image file.
Once you have completed your investigation, close EnCase and exit.