King Saud University
College of Computer and Information Sciences
Department of Information Technology
IT 454 (Computer Forensics)
Second Semester – 2014/2015 (1435/1436)
Lab #7

Part I: Validating Forensic Data with a Hexadecimal Editor

A. File Hash Value Generation

In this part you will learn how to generate the hash value of a file using Hex Workshop and how it works.

1. Start Word, and in a new document, type a sentence or two, and save the file as test_hex.doc in your work folder. When you’re finished, exit Word.
2. Start Hex Workshop. Make sure that you use Run as administrator. From Hex Workshop, open the file test_hex.doc that you created in the previous step.
3. To obtain an MD5 hash value of this file, click Tools, Generate Checksum from the menu.
4. In the Generate Checksum dialog box, select MD5 in the Select Algorithms list box, and then click the Generate button to see the MD5 hash value in the results pane at the lower right of the checksum result window.
5. Copy the hash value to a new text file (Notepad) by right-clicking it and selecting Copy. Save the text file as test_hex_hashvalue.txt in your work folder, and exit Notepad. Close the main pane and leave Hex Workshop running for the next activity.
6. Open and update the Word file created in Step 1 (test_hex.doc), save the modifications, and then repeat the same steps to generate the new hash value file. Compare both MD5 hash values you have created. When you are finished, exit Notepad and Hex Workshop.

B. Specific Sector Hash Value Generation

In this section you will learn how to generate a hash value for a specific part of a file.

1. In Hex Workshop, open the Jeffersonian quotes.doc file from your work folder (2_hash).
2. Place the mouse pointer at the beginning of byte address 00000000; the cursor should be positioned on the hexadecimal value D0, because you’re examining the first sector of the file.
3. Now drag to select a complete sector 0x1E6 (512 bytes). To know when you have selected the whole sector, watch the Offset counter at the lower right in the status bar. It should display “Sel: 0x00000200” when you have highlighted the entire sector.
4. Click Tools, Generate Checksum from the menu.
5. In the Select Algorithms list box, scroll down and click MD5, click to enable the Selection option button (if necessary), and then click Generate.
6. Right-click the hash value in the results pane and click Copy. Start Notepad, and then paste the hash value into a new text document. Save the file as Quotes_hashvalue.txt in your work folder, and then exit Notepad and Hex Workshop.

Part II: Split Image File Validation

In this part you will learn how hash values are useful in validating image splits. Chris Murphy, a Superior Bicycles employee suspected of industrial espionage, had a Windows XP system formatted in NTFS that was seized as part of the investigation. You will use the GCFI-NTFS image files for this project (provided in the content folder Chap09 in your folder), which consist of several .zip files. Extract them to your work folder, if necessary. You need at least 9 GB of storage space for these files.

1. In this exercise, use the sheet provided to you to compare with your results later in this project.
2. Start Notepad, and open GCFI-NTFS.pds (included with the GCFI-NTFS image files). Read this document, which tells ProDiscover how to reassemble the image file from the segments. When you’re finished, exit Notepad.
3. In Hex Workshop, open GCFI-NTFS.eve from your work folder.
4. Click Tools, Generate Checksum, and generate the MD5 checksum for the image file.
5. When the checksum process is finished, check the MD5 hash value in Hex Workshop’s lower-right pane, and compare it to the one in the document provided to you.
6. Repeat Steps 3 through 5 for each remaining GCFI-NTFS file.
7. After you have verified all the files, make a note in your log listing the files you examined and their hash values, and then exit Hex Workshop.

Part III: Data-Hiding Techniques

A. Bit Shifting

In this part you will learn how the bit-shifting technique works.

1. Start Notepad, and in a text document, type: “TEST FILE. Test file is to see how shifting bits will alter the data in a file.”
2. Save the file as Bit_shift.txt in your work folder, and exit Notepad.
3. Start Hex Workshop. Click File, Open from the menu. Navigate to your work folder, and then double-click Bit_shift.txt.
4. To set up Hex Workshop for the bit-shifting exercise, click Options, Toolbars from the menu.
5. In the Customize dialog box, click the Data Operations check box, and then click OK.
6. Click the Shift Left button (<< icon) on the Data Operations toolbar. The Shift Left Operation dialog box opens, where you specify how you want to treat the data, the ordering scheme to use for bytes, and whether you shift bits for the selected text or the entire file.
7. Click OK to accept the default settings and shift the bits in Bit_shift.txt to the left.
8. Save the file as Bit_shift_left.txt in your work folder.
9. To return the file to its original configuration, shift the bits back to the right by clicking the Shift Right button (>> icon) on the Data Operations toolbar. Click OK to accept the default settings in the Shift Right Operation dialog box. The file is displayed in its original format.
10. Save the file as Bit_shift_right.txt in your work folder, and leave Hex Workshop open for the next activity.

B. Hiding Data with Bit Shifting

In this part you will learn how to use bit shifting to hide data.

1. With Bit_shift_right.txt open in Hex Workshop, click File, Open to open Bit_shift.txt, and then repeat to open Bit_shift_left.txt.
2. Click the Bit_shift.txt tab in the upper pane to make it the active file.
3. Click Tools, Generate Checksum to generate the MD5 hash value of Bit_shift.txt, shown in the lower-right pane. Copy and paste the hash value into a new text document in Notepad.
4. Repeat Steps 2 and 3 for Bit_shift_left.txt and Bit_shift_right.txt, pasting their hash values into the same text file in Notepad.
5. Compare the MD5 hash values to determine whether the files are different. When you are finished, exit Notepad and Hex Workshop.

Part IV: Hide Text in an Image (Using S-Tools4 Steganography)

In this project, you will use S-Tools4 to create a steganography file that hides a text file inside an image. (Note: S-Tools4 can be downloaded from www.stegoarchive.com.) Install the software, and then follow the steps below:

1. In Windows Explorer, navigate to where you installed S-Tools4, and start the program by double-clicking S-Tools.exe.
2. Drag Rushmore.bmp from the given folder in the Blog (part 4) to the S-Tools window.
3. To hide text in the Rushmore.bmp file, drag findme.txt from your work folder onto the Rushmore.bmp image.
4. In the Hiding 99 bytes dialog box, type FREEDOM in the Passphrase and Verify passphrase text boxes, and then click OK. A hidden data window opens in the S-Tools window.
5. Right-click the hidden data window and click Save as. Save the image as Steg.bmp in your work folder.
6. Close the Steg.bmp and Rushmore.bmp windows, but leave S-Tools open for the next project.

Self-Practice

1. Start Notepad and type the following in a new text document: “This document contains very sensitive information. We do not want the competition to be able to read it if they intercept the message.”
2. Save the file as correspondence.txt in your work folder, and then exit Notepad.
3. Start Hex Workshop, and open the correspondence.txt file.
4. In the lab practice, you used the Shift Left and Shift Right buttons on the Data Operations toolbar. Notice as you move your cursor over the toolbar buttons to the right that Rotate Left, Rotate Right, Block Shift Left, and Block Shift Right are also available. Click the Rotate Right button. As shown in the Operand section of the Rotate Right Operation dialog box, the data can be treated as an 8-, 16-, 32-, or 64-bit unsigned long. Write down which one it is (assuming little endian is the byte ordering), and then click OK.
5. Click the Rotate Left button. In the Rotate Left Operation dialog box, make sure the same setting is listed in the Treat Data As text box as for the Rotate Right operation, and then click OK. The file should return to its original form. In a rotate operation, the bits that “fall off” one end of the number as it’s rotated reappear at the other end of the number. In this way, no bits are lost, and the process can be reversed to restore the original message.
6. Save the file.
7. Click the Shift Right button and click OK twice, noting how the data is being treated. Click OK.
8. Finally, click the Block Shift Left button.
9. Attempt to reverse the procedure by doing the following: click Block Shift Right, click Shift Left twice, and click OK as needed.
10. Notice that the message is garbled. In a normal (non-rotated) shift operation, the bits that fall off one end of the number when it’s shifted are discarded; therefore, the original data is lost or modified. Click File >> Close. When prompted to save, click No.
11. Open the file again in Hex Workshop, and repeat Steps 7 and 8. Save the file as correspondence2.txt in your work folder. If you’re prompted to create a backup, click Yes.
12. Attempt to undo the procedure by working in reverse, as in Step 9.
13. Write a short paper stating whether you think this method is a reliable one for encrypting. Leave Hex Workshop running for the next project.
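The hashing steps of Parts I and II and the shift-versus-rotate behaviour of Part III and the Self-Practice, reproduced in Python as an added example that is not part of the original lab handout or of Hex Workshop. It assumes Treat Data As is set to 8-bit so each byte is transformed on its own, and uses the sentence the lab has you type into Bit_shift.txt as constructed sample input.

```python
import hashlib

# Constructed sample input: the sentence the lab has you type into Bit_shift.txt.
BIT_SHIFT_TXT = (b"TEST FILE. Test file is to see how shifting bits "
                 b"will alter the data in a file.")

def md5_hex(data: bytes) -> str:
    """MD5 of a whole byte string, the value Generate Checksum shows (Part I.A)."""
    return hashlib.md5(data).hexdigest()

def md5_selection(data: bytes, offset: int, length: int) -> str:
    """MD5 of one selected range only (the Selection option in Part I.B); offset 0
    with length 0x200 is the 512-byte first sector shown as 'Sel: 0x00000200'."""
    return md5_hex(data[offset:offset + length])

# The Data Operations, assuming Treat Data As = 8-bit so every byte is handled
# independently (an assumption; check the operation dialog for your default).
def shift_left(data: bytes, n: int = 1) -> bytes:
    """Bits pushed past the top of each byte are discarded."""
    return bytes((b << n) & 0xFF for b in data)

def shift_right(data: bytes, n: int = 1) -> bytes:
    """Bits pushed past the bottom of each byte are discarded."""
    return bytes(b >> n for b in data)

def rotate_left(data: bytes, n: int = 1) -> bytes:
    """Bits that fall off the top re-enter at the bottom, so nothing is lost."""
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)

def rotate_right(data: bytes, n: int = 1) -> bytes:
    """Mirror of rotate_left: rotate_left(rotate_right(x)) == x for every x."""
    return bytes(((b >> n) | (b << (8 - n))) & 0xFF for b in data)

def shift_experiment(data: bytes) -> dict:
    """Parts III.A/B and the Self-Practice as hash comparisons. Shift Left then
    Shift Right restores plain ASCII only because its top bit is always 0;
    Shift Right then Shift Left drops the low bit of every odd-valued byte."""
    left = shift_left(data)
    return {
        "original_md5": md5_hex(data),
        "left_md5": md5_hex(left),                                   # differs
        "left_then_right_restores": shift_right(left) == data,       # ASCII: True
        "right_then_left_restores": shift_left(shift_right(data)) == data,  # odd bytes: False
        "rotate_restores": rotate_left(rotate_right(data)) == data,  # always True
    }

if __name__ == "__main__":
    for name, value in shift_experiment(BIT_SHIFT_TXT).items():
        print(f"{name}: {value}")
```

MD5 still catches the accidental or unintended changes this lab is concerned with, but it is no longer collision-resistant, so current casework records SHA-256 alongside it.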