King Saud University College of Computer and Information Sciences Department of Information Technology IT 454 (Computer Forensics) First Semester – 2013/2014 (1434/1435) Lab Sheet #4

In this lab session, you will learn:
1. How to acquire and validate an image using AccessData FTK Imager.
2. How to calculate and compare the hash value of a file using FTK Imager.
3. How hash values work.

Part I: Image Validation with AccessData FTK Imager

In this part you will learn:
A. Installing AccessData FTK Imager.
B. Acquiring an image of a USB drive and validating the image with hash algorithms (MD5, SHA1).

A. Installing AccessData FTK Imager:
Execute the setup file by double-clicking it.
On the Welcome screen, click Next.
Read and accept the License Agreement, then click Next.
Do one of the following:
- Accept the default installation location.
- Browse to a different destination folder.
Click Next.
In the Ready to Install screen, click Next.
Do one of the following:
- Mark the Launch AccessData FTK Imager box to run Imager immediately after the install is complete.
- Leave the box unmarked to run the newly installed program later.
Click Finish to complete the installation and close the wizard.

B. Acquiring an Image of a USB Drive:
1- To create a forensic image, click File > Create Disk Image, or click the Create Disk Image button on the toolbar.
2- In the Select Source dialog box, select the source you want to image. Choose Physical Drive and pick the USB drive: imaging the physical device captures every sector, including the partition table and unallocated space, rather than a single volume.
3- Click Next.
4- Select the drive from the drop-down list, and then click Finish.
5- In the Create Image dialog, make sure the "Verify images after they are created" checkbox is checked. FTK Imager hashes the source while it is being read, then re-reads the finished image and hashes it again; the two results must match for the image to be accepted as an exact copy. If a file doesn't have a stored hash, this option generates one.
6- Click Add.
7- Select the type of image you want to create. The Raw (dd) type is not compressed, so be sure to have enough free drive space for the resulting image. If you choose AFF, the Image Destination Folder dialog box you see will be different from the one shown for the other image types.
8- For this lab choose SMART, then click Next.
9- Specify the Evidence Item Information. All of these fields are optional, but it is helpful to have the information easily accessible in case the image is called into question at any time after creation.
10- Complete the fields in the Evidence Item Information dialog.
11- Click Next.
12- In the Image Destination Folder field, do one of the following:
- Type the path of the location where you want to save the image file.
- Click Browse to find and select the desired location.
Note: If the destination folder you select is on a drive that does not have enough free space for the entire image, FTK Imager prompts for a new destination folder once the first location is full. However, all segments of an image must be saved together in the same folder before the image can be added to a case.
13- In the Image Filename field, specify a name for the image file, but do not specify a file extension.
14- Specify the image fragment size. The default is 1500 MB. To save image segments that can be burned to a CD, specify 650 MB; for a DVD, specify 4000 MB. The SMART (.S01) format is limited by design to segment sizes between 1 MB and 2047 MB (2 GB): its compressed block pointers are 31-bit numbers (the high bit is a compressed flag), which limits any one segment to two gigabytes.
15- Select the compression level to use:
0 = No compression.
1 = Fastest, least compression (faster, and also slightly smaller than a 0-compression file).
9 = Slowest, most compression (smallest file, slowest to create).
Numbers between 1 and 9 trade compression ratio against speed. Choose 1 for this lab.
16- To encrypt the image, mark the matching box: Use AD Encryption for AD encryption, or Use AFF Encryption for AFF encryption.
17- Click Finish.
18- If you chose encryption in step 16, the AD Encryption Credentials dialog box appears. Enter the password.
19- Click Start to begin the imaging process.
20- A progress dialog appears showing the following:
- The source that is being imaged
- The location where the image is being saved
- The status of the imaging process
- A graphical progress bar
- The amount of data in MB that has been copied and the total amount to be copied
- Elapsed time since the imaging process began
- Estimated time remaining until the process is complete
- An Image Summary button; click it to open the Image Summary window. The Image Summary also includes the data you entered in the Evidence Item Information dialog.
21- After the image is successfully created, the Drive/Image Verify Results box shows detailed image information, including the MD5 and SHA1 checksums and any bad sectors. Record both hash values in your lab notes: they are the values a later verification must reproduce to show the image is unchanged. Note: The data displayed in the results box varies according to the type of image created.
22- Click OK to close the Image Summary.
23- Click OK to return to the Creating Image dialog.
24- Click Close to exit back to Imager.
PART II: How to calculate and compare the hash value of a file using FTK Imager

In this part you will create a file on a USB drive and calculate its hash value in FTK Imager. Then you change the file and calculate the hash value again to compare the two results. You need a Windows computer and a USB drive.
1. Create a folder called C5Prj04 on your USB drive, and then start Notepad.
2. In a new text file, type "This is a test of hash values. One definition of a forensic hash is that if the file changes, the hash value changes."
3. Save the file as hash1.txt in the C5Prj04 folder on your USB drive, and then exit Notepad.
4. Start FTK Imager, and click File, Add Evidence Item from the menu. In the Select Source dialog box, click the Logical Drive option button, and then click Next.
5. In the Select Drive dialog box, click the Drive Selection list arrow, click to select your USB drive, and then click Finish.
6. In the upper-left pane, click to expand your USB drive and continue expanding until you can click the C5Prj04 folder. In the upper-right pane, you should see the hash1.txt file you created.
7. Right-click the file and click Export File Hash List. Save the file as original hash in the C5Prj04 folder on your USB drive (FTK Imager saves it as a .csv file). Exit FTK Imager, and start Notepad.
8. Open hash1.txt in Notepad. Add one letter to the end of the file, save it, and exit Notepad.
9. Start FTK Imager again. Repeat Steps 4 to 7 (without starting Notepad again), but this time when you export the file hash list, save the file as changed hash.
10. Open the original hash and changed hash files on your USB drive in Excel (or another spreadsheet program). Compare the hash values in both files: although only one character was added, the MD5 and SHA1 values should be entirely different, not merely off by a digit or two. Then exit Excel.
PART III: How hash values work

In this project, you create a file on your USB drive and calculate its hash values in FTK Imager. Then you change the filename and extension and calculate the hash values again to compare them.
1. Create a folder called C5Prj05 on your USB drive, and then start Notepad.
2. In a new text file, type "This project shows that the file, not the filename, has to change for the hash value to change."
3. Click File, Save As from the menu, and save the file as testhash.txt in the C5Prj05 folder on your USB drive. Exit Notepad, and start FTK Imager.
4. Click File, Add Evidence Item from the menu. In the Select Source dialog box, click the Logical Drive option button, and then click Next.
5. In the Select Drive dialog box, click the Drive Selection list arrow, click to select your USB drive, and then click Finish.
6. In the upper-left pane, click to expand your USB drive and continue expanding until you can click the C5Prj05 folder. In the upper-right pane, you should see the testhash.txt file you created.
7. Right-click the file and click Export File Hash List. Save the file as original hash value in the C5Prj05 folder on your USB drive. FTK Imager saves it as a .csv file.
8. Click to select your USB drive in the upper-left pane, if necessary, and then click File, Remove Evidence Item from the menu. Exit FTK Imager.
9. Open Windows Explorer. Right-click the testhash.txt file on your USB drive, and rename it testhash.doc. In the warning about changing the file name extension, click Yes.
10. Start FTK Imager. Follow Steps 4 to 7, but this time when you export the file hash list, right-click the testhash.doc file, and save the list as changed hash value. Exit FTK Imager.
11. Open original hash value and changed hash value in Excel (or another spreadsheet program). Compare the hash values in both files: they should be identical, because the hash is computed over the file's content only, and neither the name nor the extension is part of that content. Then exit Excel.
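All three parts of this lab come down to one operation: hashing a byte stream and comparing the result with a value recorded earlier. The Python script below is an added example written for this lab sheet; it is not part of FTK Imager or of the original handout. Using only the standard library's hashlib, it reproduces what the GUI steps do: verifying a fragmented raw image as a single stream against the MD5 and SHA1 digests recorded at acquisition (Part I), exporting a hash list and showing that appending one letter changes the hash (Part II), and showing that renaming the file to .doc does not (Part III). The three-column CSV layout, the segment names usb.001/usb.002 and the sample bytes are assumptions made for the demonstration, not a description of FTK Imager's own file formats.

```python
import csv
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read evidence 1 MiB at a time so large images fit in memory


def hash_segments(paths, algorithms=("md5", "sha1")):
    """Hash the concatenation of several files as one byte stream.

    A fragmented raw image (usb.001, usb.002, ...) is one device, so the
    verification hash runs over the segments in order as a single stream.
    Hashing each segment on its own would never reproduce the acquisition hash.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
                for h in hashers.values():
                    h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha1")):
    return hash_segments([path], algorithms)


def verify_image(segment_paths, recorded):
    """Recompute digests and compare them with those recorded at acquisition.

    recorded maps algorithm name -> hex digest (the values from the
    Drive/Image Verify Results box). True only if every digest matches.
    """
    computed = hash_segments(segment_paths, tuple(recorded))
    return all(hmac.compare_digest(computed[name], digest.lower())
               for name, digest in recorded.items())


def export_hash_list(paths, csv_path):
    """Write an MD5/SHA1/FileNames CSV. The column layout is an assumption
    chosen to resemble an exported file hash list, not FTK Imager's format."""
    with open(csv_path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["MD5", "SHA1", "FileNames"])
        for path in paths:
            d = hash_file(path)
            writer.writerow([d["md5"], d["sha1"], os.path.basename(path)])


def load_hash_list(csv_path):
    with open(csv_path, newline="") as fh:
        return [(r["MD5"], r["SHA1"], r["FileNames"]) for r in csv.DictReader(fh)]


def rename_vs_modify_demo():
    """Parts II and III in one run, inside a throwaway directory: a rename
    keeps the hash, appending a single letter changes it."""
    with tempfile.TemporaryDirectory() as work:
        txt = os.path.join(work, "testhash.txt")
        with open(txt, "w") as fh:
            fh.write("This project shows that the file, not the filename, "
                     "has to change for the hash value to change.")
        original = hash_file(txt)
        doc = os.path.join(work, "testhash.doc")
        os.rename(txt, doc)              # Part III: only the name changes
        renamed = hash_file(doc)
        with open(doc, "a") as fh:       # Part II: one extra letter of content
            fh.write("x")
        modified = hash_file(doc)
        listing = os.path.join(work, "changed hash value.csv")
        export_hash_list([doc], listing)
        rows = load_hash_list(listing)
    return {"rename_keeps_hash": original == renamed,
            "edit_changes_hash": original != modified,
            "csv_matches_file": rows[0][:2] == (modified["md5"], modified["sha1"])}


def segment_verify_demo():
    """Part I: write a constructed 2 KiB 'device' as two raw segments, verify it
    against the digests of the whole, then flip one byte and watch it fail."""
    with tempfile.TemporaryDirectory() as work:
        data = bytes(range(256)) * 8     # constructed stand-in for device contents
        seg1, seg2 = os.path.join(work, "usb.001"), os.path.join(work, "usb.002")
        with open(seg1, "wb") as fh:
            fh.write(data[:1000])
        with open(seg2, "wb") as fh:
            fh.write(data[1000:])
        recorded = {"md5": hashlib.md5(data).hexdigest(),
                    "sha1": hashlib.sha1(data).hexdigest()}
        clean = verify_image([seg1, seg2], recorded)
        with open(seg2, "r+b") as fh:    # simulate one flipped bit in segment 2
            fh.seek(10)
            b = fh.read(1)[0]
            fh.seek(10)
            fh.write(bytes([b ^ 0x01]))
        tampered = verify_image([seg1, seg2], recorded)
    return {"clean_verifies": clean, "tampered_fails": not tampered}


if __name__ == "__main__":
    print(rename_vs_modify_demo())
    print(segment_verify_demo())
```

Run it with python3 and both dictionaries come back all True. Two points it makes that the GUI hides: verification of a fragmented image hashes the segments as one stream, so a hash list of the individual .001/.002 files tells you nothing about the whole; and because the hash covers only the bytes of the file, renaming or changing an extension leaves it untouched while a single flipped bit anywhere in the stream breaks the match.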