2 - BasicForensicAnalysisAutopsy

Basic Forensic analysis:
Scenario:
Last week University police arrested a student, Billy Badguy, for selling cocaine. During the pursuit the
student threw a USB drive into a storm drain. The Office of the Physical Plant (OPP) was contacted and
they were able to recover the USB drive. The Police department has asked you to perform a forensic
analysis on this USB drive. You have created an image and left it on your desktop.
Objectives:
1. Create a case in Autopsy.
2. Locate deleted/hidden files.
3. Perform a dirty word search.
4. Create a case report with any evidence you find.
Remember to read the report requirements at the end of this document to see what is necessary to
hand into the instructor.
Log on to VMware
Step 1
Open the VMWare Infrastructure Client from the “Start > VMWare” program. Type in
“vslvc.ist.psu.edu” for the IP address. Then enter your team user ID and password given to you
by your instructor.
Page 1 of 22
Navigate to View > Inventory > Virtual Machines and Templates
Step 2
Locate the virtual machine folder that has been assigned to you (contact your instructor if you
don’t have one), and select IST454.
Step 3
Highlight your machine and click the Console icon to launch the Virtual Machine Console to
your virtual machine.
Note: If you see a black screen, you need to “power on” the virtual machine by clicking the
green arrow at the top.
Step 4
Logon to the machine with the user name “ISTForensics”. Click twice on ISTForensics to get
the password field. The password is “password” (no quotes).
Welcome to your Virtual Machine.
Task 1 - Create a case in Autopsy
Step 1
Open a terminal window. Go to Applications > Forensics > Autopsy.
You will be required to enter a password. Type in the word: password. (The password is
not visible as you type it.)
This is what you will see when you have successfully entered the password. Leave this
window open.
Step 2
Open the Firefox Web Browser by going to Applications > Internet > Firefox Web Browser.
Autopsy is set as the home page.
Step 3
Scroll down if necessary and click on the “New Case” button.
Step 4
Fill in the fields as follows:
a. “Case Name” – Type: USBcase1
b. “Description” - Add a short sentence describing the case. Reread the scenario at the
beginning of this document for help with your short description.
c. “Investigator Names” - Type in your name and the names of the members of your team.
Click the “New Case” button.
Step 5
Leave the default and click the “Add Host” button at the bottom.
Step 6
Click another “Add Host” button.
Step 7
Click “Add Image.”
Step 8
Click “Add Image File.”
Step 9
Fill in the fields in the “Add a New Image” screen.
a. “Location” Type /home/administrator/Desktop/usbimage1.dd
b. “Import Method” select copy.
Click “Next.”
Step 10
Select “Volume Image” on the right, and ensure “dos” is selected in the “Volume System Type”
drop-down. Click “OK.”
Step 11
Select “Calculate” under the topic “Data Integrity” and check “Verify hash after importing”.
Click the “Add” button.
Step 12
Once the calculations are done, click the “OK” button.
Task 2: Locate deleted/hidden files
Step 1
Click the “Analyze” button.
Step 2
Select “File Analysis”.
Step 3
The files labeled in red are the deleted files. They also are the ones with a checkmark under
the DEL to the left of the filename.
a. Click on the files and examine them in the window below.
b. If data appears, click report next to ASCII and get a screenshot of the report to use in
your report later. (Clicking on “display” does not give you the report. You must click on
the word “report”.) “X” out of this tab.
c. Then click “Export” to export the file from the image to the Downloads folder.
i. Once the files are saved outside the image open them and get a screen shot of
the data in the file for your report to the police.
Step 4
Follow the same procedure for the files listed in blue. These are files that exist openly on the
drive. If the file does not work when you open it, examine the “magic number” as seen in the
magic number chart to ensure that the file is labeled correctly. The Magic Number is the first
few bytes as seen in hex. A file that has been mislabeled won’t open properly but can still
hold data uncorrupted. The magic number can be seen in Autopsy if you examine the file in
hex. It will be the first few bytes. The mp3 file will work, just not with the movie player. You
won’t be able to hear it in this lab.
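As an added example (not part of the lab handout or of Autopsy), the script below does the magic-number check described in Step 4 in code: it reads the first bytes of a file, shows them as hex and ASCII the way the chart does, and compares what the bytes say against what the extension claims. The signatures are taken from the magic number chart at the end of this document; the 4-byte ZIP prefix for Office files and the Exif JPEG variant are standard additions beyond the chart. The sample headers are constructed for the example and are not files from the lab image.

```python
# Added example (not part of the lab handout or of Autopsy): check a file's
# "magic number", i.e. its first few bytes, against the handout's magic-number
# chart so that a mislabeled file is recognised before you try to open it.
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# (chart name, typical extensions, signature bytes).  Signatures are the hex
# digits from the chart; rows that are entirely "xx" (Targa, X11 bitmap) have
# no fixed signature and are left out.  Two additions beyond the chart, both
# standard: the 4-byte ZIP local-header prefix covers every Office 2007 file
# (the chart's longer 8-byte form is one common case), and Exif JPEGs begin
# ff d8 ff e1 instead of the JFIF ff d8 ff e0.
SIGNATURES: List[Tuple[str, set, bytes]] = [
    ("Bitmap format",                        {".bmp"},                     b"BM"),
    ("Office2007 Documents",                 {".xlsx", ".docx", ".pptx"},  b"PK\x03\x04"),
    ("GIF Format",                           {".gif"},                     b"GIF8"),
    ("MP3 (ID3 tag)",                        {".mp3"},                     b"ID3"),
    ("PDF",                                  {".pdf"},                     b"%PDF"),
    ("JPEG File Interchange Format",         {".jpg", ".jpeg"},            b"\xff\xd8\xff\xe0"),
    ("JPEG (Exif)",                          {".jpg", ".jpeg"},            b"\xff\xd8\xff\xe1"),
    ("NIFF (Navy TIFF)",                     {".nif"},                     b"IIN1"),
    ("PM format",                            {".pm"},                      b"VIEW"),
    ("PNG format",                           {".png"},                     b"\x89PNG"),
    ("Postscript format",                    {".ps", ".eps"},              b"%!"),
    ("Sun Rasterfile",                       {".ras"},                     b"\x59\xa6\x6a\x95"),
    ("TIFF format (Motorola - big endian)",  {".tif", ".tiff"},            b"MM\x00\x2a"),
    ("TIFF format (Intel - little endian)",  {".tif", ".tiff"},            b"II\x2a\x00"),
    ("XCF Gimp file structure",              {".xcf"},                     b"gimp xcf v"),
    ("Xfig format",                          {".fig"},                     b"#FIG"),
]


def hexdump_head(data: bytes, n: int = 16) -> str:
    """Show the first n bytes the way the chart does: hex, then ASCII with '.' for non-printables."""
    head = data[:n]
    hex_part = " ".join(f"{b:02x}" for b in head)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in head)
    return f"{hex_part}  {ascii_part}"


def identify(data: bytes) -> Optional[str]:
    """Return the chart name whose signature the data starts with; the longest signature wins."""
    for name, _exts, sig in sorted(SIGNATURES, key=lambda s: len(s[2]), reverse=True):
        if data.startswith(sig):
            return name
    return None


def check_label(data: bytes, filename: str) -> Dict[str, Optional[str]]:
    """Compare what the bytes say the file is with what its extension claims."""
    ext = Path(filename).suffix.lower()
    detected = identify(data)
    expected = {name for name, exts, _sig in SIGNATURES if ext in exts}
    if detected is None:
        verdict = "unknown signature (no chart entry matches)"
    elif detected in expected:
        verdict = "label matches content"
    else:
        verdict = "MISLABELED: content is %s" % detected
    return {"file": filename, "head": hexdump_head(data), "detected": detected, "verdict": verdict}


# Constructed sample headers (not files from the lab image).
SAMPLES: Dict[str, bytes] = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",
    "song.mp3":  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",  # a JPEG renamed .mp3
    "notes.txt": b"ID3\x03\x00\x00\x00\x00\x21\x76TIT2\x00\x00",            # an MP3 hiding as .txt
    "scan.pdf":  b"just some text, not a PDF at all",
}


def audit(samples: Dict[str, bytes]) -> List[Dict[str, Optional[str]]]:
    """Run check_label over every sample and return the rows for a report."""
    return [check_label(data, name) for name, data in samples.items()]


if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(f"{row['file']:<10} {row['head']:<40} {row['verdict']}")
```

Run it against real exported files by replacing the SAMPLES dictionary with the first 16 bytes of each file read in binary mode; the verdict column tells you which exports need their extension corrected before they will open.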
Task 3: Perform dirty word search
A dirty word search is a search through all of the bytes in the image looking for specific strings or words.
Look at the information listed in the case summary, and consider what words a drug dealer might use.
This search takes some time. Normally a forensic analyst would have a long list of dirty words ready.
Because of time constraints just use the key words from the scenario at the beginning of the lab.
Step 1
Click on the “Keyword Search” button.
Step 2
Ensure ASCII , and Case Insensitive are selected. Type in a dirty word from your list. Click the
“Search” button.
Step 3
When you get a hit, make a note of the sector the hit was in. You will be able to determine
what file the hit was located in by comparing the sector the word was found in with the
sectors listed in the file reports you made during the file analysis.
Step 4
Click the hex link next to the sector number.
Step 5
Click on report next to hex at the top of the screen.
Step 6
Click on the previous/next buttons to ensure you have all relevant data. If you find more data,
click the Hex report again and get another screen shot.
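The search procedure above, as an added example in code (not part of the lab handout or of Autopsy): it scans every byte of an image for each dirty word, reports the byte offset and the 512-byte sector of each hit, and then maps the sector back to a file using a sector list like the one in an Autopsy file report. It goes a little beyond the steps above in two ways: it also searches for the UTF-16LE form of each word (Autopsy's Unicode option), and it records a separate end sector so a hit that straddles a sector boundary is attributed correctly. The 8-sector image and the file/sector table are constructed for the example, not taken from usbimage1.dd.

```python
# Added example (not part of the lab handout or of Autopsy): a dirty word search
# over the raw bytes of an image, reporting each hit's byte offset and 512-byte
# sector, then attributing the sector to a file using a sector list like the one
# in an Autopsy file report.  The image and the file/sector table below are
# constructed for the example, not taken from usbimage1.dd.
import re
from typing import Dict, Iterable, List

SECTOR_SIZE = 512


def build_sample_image() -> bytes:
    """Constructed 8-sector image: text in sector 3, a note straddling sectors 5/6,
    and one UTF-16LE string in sector 1 that an ASCII-only search would miss."""
    image = bytearray(SECTOR_SIZE * 8)                 # all zero bytes
    note = b"meet at the library Friday 9pm. bring the COCAINE. - Billy"
    image[3 * SECTOR_SIZE + 40: 3 * SECTOR_SIZE + 40 + len(note)] = note
    straddle = b"same place next tuesday, Billy"      # "Billy" crosses into sector 6
    start = 6 * SECTOR_SIZE - 28
    image[start: start + len(straddle)] = straddle
    wide = "cocaine".encode("utf-16-le")               # how Windows often stores text
    image[SECTOR_SIZE + 100: SECTOR_SIZE + 100 + len(wide)] = wide
    return bytes(image)


# Stand-in for the sector lists from your file reports (constructed).
FILE_SECTORS: Dict[str, range] = {
    "meet.txt": range(3, 5),             # allocated file owning sectors 3-4
    "(deleted) note2.txt": range(5, 7),  # deleted file that still owns sectors 5-6
}


def dirty_word_search(image: bytes, words: Iterable[str], unicode_too: bool = True) -> List[dict]:
    """Case-insensitive search for each word as ASCII and (optionally) UTF-16LE,
    mirroring Autopsy's ASCII / Unicode / Case Insensitive options."""
    hits = []
    for word in words:
        needles = [("ascii", word.encode("ascii"))]
        if unicode_too:
            needles.append(("utf-16le", word.encode("utf-16-le")))
        for encoding, needle in needles:
            for m in re.finditer(re.escape(needle), image, re.IGNORECASE):
                first, last = m.start(), m.end() - 1
                hits.append({
                    "word": word,
                    "encoding": encoding,
                    "offset": first,
                    "sector": first // SECTOR_SIZE,        # sector where the hit starts
                    "end_sector": last // SECTOR_SIZE,     # differs when the hit straddles a boundary
                    "context": bytes(image[max(0, first - 16): last + 17]),
                })
    return sorted(hits, key=lambda h: h["offset"])


def attribute(hit: dict, file_sectors: Dict[str, range]) -> List[str]:
    """Files whose sectors contain the hit; an empty list means unallocated space."""
    return sorted(name for name, sectors in file_sectors.items()
                  if hit["sector"] in sectors or hit["end_sector"] in sectors)


if __name__ == "__main__":
    img = build_sample_image()
    for h in dirty_word_search(img, ["cocaine", "Billy"]):
        owner = ", ".join(attribute(h, FILE_SECTORS)) or "unallocated"
        print(f"{h['word']:<8} {h['encoding']:<8} offset {h['offset']:>6} "
              f"sector {h['sector']}-{h['end_sector']}  -> {owner}  {h['context']!r}")
```

A hit with no owning file is the interesting case: it sits in unallocated space, which is where the contents of deleted files survive until overwritten, so it deserves the same hex-report screenshot as a hit inside a listed file.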
Task 4: Answer questions. Create a Case report.
The police want to know:
1. What is the name of Billy’s supplier?
2. When and where is the next meet?
3. Who else on campus is involved?
4. Were there any secret messages? If so, in which file were they located?
Extra credit: How was the secret message made, or how could it have been made?
Write a Forensic Report
You should have the following parts:
A forensic report is a step by step list of everything you have done and what the results were. You don’t
need to actually list all of the failed attempts or crowd it with non-relevant facts. Keep it accurate,
relevant and simple.
Grading Rubric
Credit for each section is as follows.
1. Forensic Report (100%):
Note
Be sure to include your name and email address in the report. The report should be turned in before
class on the specified due date. Late submissions will be issued a grade deduction especially if
permission is not obtained from the instructor. The instructor reserves the right to grant or reject extra
time for report completion.
Links:
Magic Numbers:
http://www.garykessler.net/library/file_sigs.html
Building a Low Cost Forensics Workstation
http://www.sans.org/reading_room/whitepapers/incident/building_a_low_cost_forensics_workstation_895
Computer Forensics - We've Had an Incident, Who Do We Get to Investigate?
http://www.sans.org/reading_room/whitepapers/incident/computer_forensics_weve_had_an_incident_who_do_we_get_to_investigate_652
Computer Forensics Labs: Making a Digital Difference (what the FBI has achieved with computer forensics)
http://www.fbi.gov/page2/august09/rcfls_081809.html
Department of Justice, Electronic Crime Scene Investigation: A Guide for First Responders.
http://www.ojp.usdoj.gov/nij/publications/ecrime-guide-219941/welcome.htm
SANS Computer Forensics, http://computer-forensics.sans.org/
Forensic Focus, Computer Forensics News, Information and Community, forum.
http://www.forensicfocus.com/
2600 Article: Don’t steal music (or how to catch an iPod thief using forensics),
http://www.frameloss.org/2009/05/09/2600-article-dont-steal-music-or-how-to-catchan-ipod-thief-using-forensics/
The Sleuthkit/Autopsy free forensics tool. http://www.sleuthkit.org/
What happens when you delete a file? http://www.youtube.com/watch?v=g8tEjW243OI
What is learned during a SANS computer forensics course.
http://www.youtube.com/watch?v=9JoX4uxES7Q&feature=related
Magic Number Chart
Here are a few magic numbers; these are of image files.

File type                              Typical extension   Hex digits (xx = variable)       ASCII digits (. = not an ASCII char)
Bitmap format                          .bmp                42 4d                            BM
Office2007 Documents                   .xlsx               50 4B 03 04 14 00 06 00          PK
GIF Format                             .gif                47 49 46 38                      GIF8
MP3                                    .mp3                49 44 33                         ID3
PDF                                    .PDF                25 50 44 46                      %PDF
JPEG File Interchange Format           .jpg                ff d8 ff e0                      ....
NIFF (Navy TIFF)                       .nif                49 49 4e 31                      IIN1
PM format                              .pm                 56 49 45 57                      VIEW
PNG format                             .png                89 50 4e 47                      .PNG
Postscript format                      .[e]ps              25 21                            %!
Sun Rasterfile                         .ras                59 a6 6a 95                      Y.j.
Targa format                           .tga                xx xx xx                         ...
TIFF format (Motorola - big endian)    .tif                4d 4d 00 2a                      MM.*
TIFF format (Intel - little endian)    .tif                49 49 2a 00                      II*.
X11 Bitmap format                      .xbm                xx xx
XCF Gimp file structure                .xcf                67 69 6d 70 20 78 63 66 20 76    gimp xcf
Xfig format                            .fig                23 46 49 47                      #FIG