CS 693 Lab 2 (.docx)

School: Boston University
Course: 693
Subject: Computer Science
Date: Apr 3, 2024
Type: docx
Pages: 18
Uploaded by CoachRook2818

MET CS 693_Lab2_Jimin Choi

MET CS 693 Digital Forensics and Investigations (Fall 2023)
Laboratory Report 2
Forensic Examiner – Jimin Choi
10/12/2023

Table of Contents:
Hardware and Software used ... 2
Purposes ... 2
Step-by-Step instructions with Screenshots and Comments ... 3
Summary ... 15
Review Question and Answers ... 16
References ... 18
Hardware and Software used

Hardware:
- Model: 11th Gen Intel® Core(TM) i7-11800H @ 2.30GHz (16 CPUs) ~2.3GHz
- Memory: 32.0GB
- Devices: LENOVO Legion 5 Pro 82JF, Kingston DT101 G2 16.0GB USB
- Citrix Workspace with Windows 10 Pro 64-bit

Software:
- Operating System: Windows 11 Home 64-bit (10.0, Build 22621)
- BIOS: H1CN33WW, 7/18/2021, mode UEFI, BaseBoard Product LNVNB161216
- Virtual Machine: Windows 10 Pro 64-bit (10.0, Build 19045), Memory 8GB, Processor Intel® Xeon® Platinum 8272CL CPU @ 2.60GHz (2 CPUs) ~2.6 GHz, HD 100 GB, Network Microsoft Hyper-V

Purposes

Lab 2-1
The primary purpose of this lab is to explore and learn how to securely and adequately format a storage device, a USB drive in this case. Deleting files and emptying the Recycle Bin does not mean the files are permanently erased from the system. The information and its fragments can remain in the file system and be recoverable through the process known as data carving (Nelson, 2018).

Lab 2-2
During a digital forensic investigation, it is critical to protect the evidence from any damage or alteration (Nelson, 2018). Directory Snoop allows the creation of a bit-stream copy of the original storage media. Investigators can then analyze the copy and recover evidence without touching the original.

Lab 2-3
This lab aims to explore the features of a digital forensics tool, FTK Imager, which provides functions beyond those of the non-forensics tool Directory Snoop (Nelson, 2018). FTK Imager validates a copy of the storage media with MD5 and SHA-1 hashes, which gives a stronger integrity check (Nelson, 2018). It also compresses data to reduce the file size. Additionally, FTK Imager can convert the bit-stream copy from Directory Snoop to an E01 format file, which is compressed to a much smaller size so investigators can handle it easily.
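As an added example (not part of this lab report, and not code from FTK Imager or Directory Snoop), the following Python script puts the two ideas from Lab 2-1 and Lab 2-3 together: an acquired image is verified against the MD5 and SHA-1 digests recorded at imaging time before any analysis, and a deleted PNG whose directory entry is gone is carved back out of unallocated space by its header and footer signatures. The image bytes and the PNG content are constructed in memory; no drive is read.

```python
# Added example, not code from the lab report or from FTK Imager / Directory Snoop.
# The "image" below is constructed in memory to stand in for a bit-stream copy.
import hashlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"      # PNG file header signature
PNG_END = b"IEND\xaeB`\x82"          # PNG end-of-file chunk (IEND + its CRC)

# Constructed evidence: a minimal PNG-shaped file sitting in unallocated space with
# no directory entry pointing at it, i.e. a "deleted" file a carver should recover.
DELETED_FILE = PNG_SIG + b"\x00\x00\x00\rIHDR" + b"\x01" * 17 + PNG_END
IMAGE = b"\xff" * 64 + DELETED_FILE + b"\x00" * 64   # filler | file | filler


def hash_image(data: bytes, chunk_size: int = 4096) -> dict:
    """Compute MD5 and SHA-1 of an image, reading it in chunks the way an
    imaging tool must for multi-gigabyte files."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(data: bytes, recorded: dict) -> bool:
    """Acquisition integrity check: both digests must match the values recorded
    at imaging time; any change to the copy, even one byte, fails the check."""
    actual = hash_image(data)
    return actual["md5"] == recorded["md5"] and actual["sha1"] == recorded["sha1"]


def carve_png(data: bytes) -> list:
    """Signature-based carving: return (offset, bytes) for every PNG whose header
    and footer are both present. A header without a footer is a fragment and is
    not returned as a whole file."""
    found, pos = [], 0
    while True:
        start = data.find(PNG_SIG, pos)
        if start == -1:
            return found
        end = data.find(PNG_END, start)
        if end == -1:
            return found
        end += len(PNG_END)
        found.append((start, data[start:end]))
        pos = end


if __name__ == "__main__":
    recorded = hash_image(IMAGE)   # digests an examiner would record at imaging time
    print("image verified:", verify_image(IMAGE, recorded))
    for offset, blob in carve_png(IMAGE):
        print(f"carved PNG at offset {offset}, {len(blob)} bytes")
```

The carver only trusts signatures, so it recovers the file without any file-system metadata, which is exactly why emptying the Recycle Bin is not enough to remove data; the hash check, run before carving, is what lets an examiner show the copy being analyzed is the one that was acquired.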
Lab 2-4
According to Nelson (2018), FTK Imager allows investigators to recover deleted files, passwords, and encrypted files by examining Registry files. In this lab, I will create a .E01 image file of the USB drive after deleting some of the existing files.
Lab 2-5
The primary purpose of this lab is to analyze the image file created in Lab 2-4 to see whether I can restore the deleted files from the Registry viewer in FTK Imager to readable files.

Step-by-Step instructions with screenshots and comments

Module 2 Lab Activities: Lab 2.1 Wiping a USB Drive Securely
(Steps 1 to 6 are skipped because Directory Snoop is already installed in the virtual machine.)

7. Download random files into the Emulated USB (U:) folder. Then delete all files.
* Make sure the folder is empty.

8. From the desktop, double-click the DS-NTFS (DSNOOP) icon to launch the Directory Snoop 5.11 program. Then select the U: drive on the select-drive toolbar.
* There are two versions of the program: DS-NTFS and DS-FAT. NTFS and FAT are types of file systems. If you look at the properties of Emulated USB (U:), the file system is NTFS. To launch the program in this particular virtual environment, I needed administrative access, so I launched it with the given administrator account.
9. From the upper icon tabs, click the wipe icon, then select ‘free drive space.’

10. In the Wipe Free Drive Space window, select Simple 1-pass for the wipe method, then click OK to wipe all data.
* There are four wiping methods: Simple 1-pass, DoD 3-pass, DoD 7-pass, and Gutmann 35-pass. The higher the number of passes, the more secure the wiping process, and the longer it takes. Each pass overwrites the existing data so that it becomes unrecoverable. For example, DoD stands for the Department of Defense, and the DoD methods use a media sanitization standard called DoD 5220.22-M. DoD 3-pass refers to applying DoD 5220.22-M three times to overwrite with verification (Mehta, 2022). It took only 30 seconds to complete the process with the Simple 1-pass method in this lab; with larger files it would take longer.
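To illustrate what the pass count in step 10 means, here is an added Python simulation (not the lab's own code and not how Directory Snoop is implemented) that overwrites the free clusters of an in-memory "drive" for a chosen number of passes, reads each pass back to verify it, and then checks whether any trace of a deleted file's signature survives while an allocated file is left untouched. The three-pass pattern (zeros, ones, random) is an assumed DoD 5220.22-M-style cycle, and the cluster size and drive contents are constructed for the example.

```python
# Added example, not the lab's code and not Directory Snoop's implementation.
# The "drive" is a bytearray in memory; nothing on a real disk is written.
import os

CLUSTER_SIZE = 512                     # assumed cluster size for the simulation
PNG_SIG = b"\x89PNG\r\n\x1a\n"         # signature of the file we "deleted"

# Overwrite pattern per pass, an assumed DoD-5220.22-M-style cycle:
# pass 1 zeros, pass 2 ones, pass 3 random bytes; further passes repeat the cycle.
PATTERNS = [b"\x00", b"\xff", None]


def make_disk(n_clusters: int, allocated: dict, deleted: dict) -> bytearray:
    """Build a drive image. `allocated` and `deleted` both map cluster -> content;
    the only difference is that deleted content has no directory entry, so it
    stays on the drive until something overwrites it."""
    disk = bytearray(n_clusters * CLUSTER_SIZE)
    for cluster, content in list(allocated.items()) + list(deleted.items()):
        start = cluster * CLUSTER_SIZE
        disk[start:start + len(content)] = content
    return disk


def wipe_free_clusters(disk: bytearray, free_clusters: list, passes: int) -> int:
    """Overwrite every free cluster `passes` times, verifying each pass by
    reading it back. Allocated clusters are never touched. Returns the number
    of bytes written, which grows linearly with the pass count (hence the time)."""
    written = 0
    for p in range(passes):
        pattern = PATTERNS[p % len(PATTERNS)]
        for cluster in free_clusters:
            start = cluster * CLUSTER_SIZE
            fill = os.urandom(CLUSTER_SIZE) if pattern is None else pattern * CLUSTER_SIZE
            disk[start:start + CLUSTER_SIZE] = fill
            if bytes(disk[start:start + CLUSTER_SIZE]) != fill:   # verification read-back
                raise RuntimeError(f"verification failed on cluster {cluster}, pass {p + 1}")
            written += CLUSTER_SIZE
    return written


def residue_found(disk: bytearray, marker: bytes) -> bool:
    """Does any trace of the deleted file's signature remain anywhere on the drive?"""
    return marker in bytes(disk)


def cluster_bytes(disk: bytearray, cluster: int) -> bytes:
    """Raw contents of one cluster, for inspection after the wipe."""
    start = cluster * CLUSTER_SIZE
    return bytes(disk[start:start + CLUSTER_SIZE])


if __name__ == "__main__":
    disk = make_disk(8, allocated={1: b"report.txt still in use"},
                     deleted={3: PNG_SIG + b"deleted photo data"})
    print("signature present before wipe:", residue_found(disk, PNG_SIG))
    wipe_free_clusters(disk, free_clusters=[0, 2, 3, 4, 5, 6, 7], passes=3)
    print("signature present after 3-pass wipe:", residue_found(disk, PNG_SIG))
    print("allocated file intact:", cluster_bytes(disk, 1).startswith(b"report.txt"))
```

Even the single zero-fill pass removes the signature from the simulated drive; the extra passes add writes (and time) rather than changing what a signature scan of the drive can find, which is why the lab observes that higher pass counts take longer.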
11. Open the Disk Management program, right-click on the drive (Emulated USB (U:)), and select Format.
* Again, I needed administrative access to format the drive in this virtual environment. I launched CMD with the administrator account and then typed diskmgmt.msc to open the Disk Management program.

12. In the Format dialog box, I changed the volume label to Evidence and the file system to NTFS.
13. I downloaded and extracted the C2Proj1 file and moved all files to the Evidence (U:) folder.

Lab 2.2 Using Directory Snoop to Image a USB Drive

1. Launch the DS-NTFS program. Select your drive. In the lower right corner, select the very last cluster under the Drive Clusters panel.
* The last cluster of the 11 files was 261886, which means there are 261886 clusters.