CS 693 Lab 2 (docx, 18 pages)
School: Boston University
Course: 693
Subject: Computer Science
Uploaded: Apr 3, 2024
MET CS 693_Lab2_Jimin Choi
MET CS 693 Digital Forensics and Investigations (Fall 2023)
Laboratory Report 2
Forensic Examiner: Jimin Choi
10/12/2023

Table of Contents:
Hardware and Software used
Purposes
Step-by-Step instructions with Screenshots and Comments
Summary
Review Questions and Answers
References
Hardware and Software used

Hardware:
- Model: 11th Gen Intel® Core (TM) i7-11800H @ 2.30GHz (16 CPUs) ~2.3GHz
- Memory: 32.0GB
- Devices: LENOVO Legion 5 Pro 82JF, Kingston DT101 G2 16.0GB USB
- Citrix Workspace with Windows 10 Pro 64-bit

Software:
- Operating System: Windows 11 Home 64-bit (10.0, Build 22621)
- BIOS: H1CN33WW, 7/18/2021, mode UEFI, BaseBoard Product LNVNB161216
- Virtual Machine: Windows 10 Pro 64-bit (10.0, Build 19045), Memory 8GB, Processor Intel® Xeon® Platinum 8272CL CPU @ 2.60GHz (2 CPUs) ~2.6 GHz, HD 100 GB, Network Microsoft Hyper-V

Purposes

Lab 2-1
The primary purpose of this lab is to learn how to securely and properly format a storage device, a USB drive in this case. Deleting files and emptying the Recycle Bin does not permanently erase them from the system: the data and its fragments remain on the volume until they are overwritten, and they can be recovered through the process known as data carving (Nelson, 2018).

Lab 2-2
During a digital forensic investigation it is critical to protect the evidence from damage and alteration (Nelson, 2018). Directory Snoop can create a bit-stream (cluster-by-cluster) copy of the original storage media, so investigators can analyze the copy and recover evidence without touching the original.

Lab 2-3
This lab explores the features of a dedicated forensic tool, FTK Imager, which provides functions that the non-forensic tool Directory Snoop lacks (Nelson, 2018). FTK Imager validates the copy of the storage media with MD5 and SHA-1 hashes, so any later change to the image can be detected (Nelson, 2018). It can also compress the data to reduce the image size, and it can convert the raw bit-stream copy from Directory Snoop into an E01 image that is much smaller and easier for investigators to handle.
Lab 2-4
According to Nelson (2018), FTK Imager allows investigators to recover deleted files and to examine Registry files for passwords and encrypted-file information. In this lab, I will create an .E01 image of the USB drive after deleting some of the existing files.
Lab 2-5
The primary purpose of this lab is to analyze the image file created in Lab 2-4 and see whether the deleted files can be restored to readable files from the evidence tree in FTK Imager.

Step-by-Step instructions with screenshots and comments

Module 2 Lab Activities:

Lab 2.1 Wiping a USB Drive Securely
(Steps 1 to 6 are skipped because Directory Snoop is already installed in the virtual machine.)

7. Download some random files into the Emulated USB (U:) folder, then delete all of them.
* Make sure the folder is empty.

8. From the desktop, double-click the DS-NTFS (DSNOOP) icon to launch Directory Snoop 5.11, then select the U: drive on the Select Drive toolbar.
* There are two versions of the program, DS-NTFS and DS-FAT, one for each file system type. The properties of Emulated USB (U:) show that its file system is NTFS, so DS-NTFS is the right one. Launching the program in this virtual environment required administrative rights; I ran it with the administrator account that was provided.
9. From the icon toolbar, click the Wipe icon, then select 'free drive space'.

10. In the Wipe Free Drive Space window, select Simple 1-pass as the wipe method, then click OK to wipe the free space.
* There are four wipe methods: Simple 1-pass, DoD 3-pass, DoD 7-pass, and Gutmann 35-pass. Each pass overwrites the free clusters once, so the data they previously held can no longer be recovered by carving; more passes take proportionally longer. DoD stands for the Department of Defense, and the DoD methods follow the media sanitization standard DoD 5220.22-M: the 3-pass version overwrites the area with a fixed pattern, then its complement, then random data, and verifies the final pass (Mehta, 2022). One caveat for physical USB sticks: the flash controller's wear leveling can remap writes, so an overwrite issued through the file system does not guarantee that every physical cell that ever held the data is overwritten. The emulated USB volume in this lab is a virtual disk, so this does not apply here. The Simple 1-pass wipe took only about 30 seconds; a larger volume with more free space to overwrite would take longer.
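As an added example (not Directory Snoop's code and not part of this report), the following Python models what the wipe methods above do at the byte level: one overwrite of every byte per pass, a flush to disk after each pass, and a read-back of the final pass for verification. It overwrites a single file; a free-space wipe is the same loop applied to every free cluster of the volume. The method names, the 0x00 / 0xFF / random pattern sequence, the helper names and the sample content are assumptions of the example.

```python
"""Multi-pass overwrite ("wipe") of a file's contents, with verification.

Added example, not Directory Snoop's code and not part of the lab report.
It overwrites one file in place; wiping *free space* is the same loop run
over every free cluster (tools typically fill the volume with such a file
and then delete it).
"""
import hashlib
import os
import secrets
import tempfile

# Pass patterns. None means a fresh random block for every write.
# The 0x00, 0xFF, random sequence is the common reading of the DoD
# 5220.22-M 3-pass method; the exact patterns are an assumption here.
METHODS = {
    "simple-1-pass": [b"\x00"],
    "dod-3-pass": [b"\x00", b"\xff", None],
}


def make_sample_file(content: bytes) -> str:
    """Write constructed sample content to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def file_contains(path: str, needle: bytes) -> bool:
    """Crude 'carving' check: is the needle still present anywhere in the file?"""
    with open(path, "rb") as f:
        return needle in f.read()


def file_size(path: str) -> int:
    return os.path.getsize(path)


def wipe_file(path: str, method: str = "dod-3-pass", block_size: int = 64 * 1024):
    """Overwrite every byte of `path` once per pass, fsync after each pass,
    then read the file back and compare it with what the final pass wrote.
    Returns (passes_completed, verified)."""
    patterns = METHODS[method]
    size = os.path.getsize(path)
    written = hashlib.sha256()
    with open(path, "r+b") as f:
        for pattern in patterns:
            written = hashlib.sha256()  # digest of the data this pass writes
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(block_size, remaining)
                chunk = secrets.token_bytes(n) if pattern is None else pattern * n
                f.write(chunk)
                written.update(chunk)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the pass to the device before the next one
        # Verification: what we read back must equal the last pass.
        f.seek(0)
        readback = hashlib.sha256()
        for chunk in iter(lambda: f.read(block_size), b""):
            readback.update(chunk)
    return len(patterns), readback.hexdigest() == written.hexdigest()


if __name__ == "__main__":
    # Constructed sample: a file with recognizable content, like a deleted document.
    path = make_sample_file(b"SECRET PAYROLL " * 4000)
    print("before:", file_contains(path, b"SECRET PAYROLL"))
    print("wipe:", wipe_file(path, "dod-3-pass"))
    print("after:", file_contains(path, b"SECRET PAYROLL"))
    os.remove(path)
```

Two limits worth knowing before trusting a read-back like this: the operating system may serve the verification read from its page cache rather than from the media, and on physical flash the controller can satisfy the write from a fresh block while the old cells stay readable to a chip-off examination. On a virtual disk such as the lab's emulated USB volume neither concern applies.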
11. Open Disk Management, right-click the drive (Emulated USB (U:)), and select Format.
* Again, formatting the drive in this virtual environment required administrative access. I launched CMD with the administrator account and typed diskmgmt.msc to open Disk Management.

12. In the Format dialog box, I changed the volume label to Evidence and the file system to NTFS.
13. I downloaded and extracted the C2Proj1 file and moved all of its files to the Evidence (U:) folder.

Lab 2.2 Using Directory Snoop to Image a USB Drive

1. Launch DS-NTFS and select the drive. In the lower right corner, select the very last cluster in the Drive Clusters panel.
* The last cluster listed was 261886. Clusters are numbered from 0, so the volume has 261887 clusters in total; the count is a property of the volume and does not depend on the 11 files stored on it.
2. Click Cluster on the top menu bar and select Copy to File.

3. In the Select Cluster Range window, I changed the first cluster to 0 and selected All clusters so that the range covers the whole drive. Click OK.
* To make a bit-stream image of the entire drive, the range must run from cluster 0 through the last cluster.

4. In the next window, click Browse, select the lab work folder, type C2Proj2.001 for the filename, then click Save and OK.
* It took roughly 30 seconds to save the clusters. The resulting raw image, C2Proj2.001, is about 1.00 GB even though the files copied to the drive total only 364 KB (1.00 GB is 1,000,000 KB). This is expected: a bit-stream copy captures every cluster of the volume, used or free, so the image has the size of the volume, not of its files. If the volume uses the NTFS default cluster size of 4 KB, 261887 clusters come to roughly 1.07 billion bytes, consistent with the image size.

Lab 2.3 Converting a Raw Image to an .E01 Image

1. From the Desktop, double-click the FTK Imager shortcut to launch FTK Imager 3.1.1.8. Click File on the top menu bar and select Create Disk Image.

2. In the Select Source window, select Image File and click Next. Browse to the bit-stream file from Lab 2-2, C2Proj2.001. In the Create Image window, click Add and select E01 as the image type. Fill in the E01 evidence information as shown in the screenshot below, and enter 0 for the Image Fragment Size and 9 for the compression level.
3. Finally, in the Create Image window, check Verify images after they are created and Create directory listings of all files in the image after they are created, then click Start.
4. Examine the results.
* As shown in the results, the .E01 image of the bit-stream file was created successfully, and two hashes, MD5 and SHA-1, were computed and verified. The report also shows no bad sectors for the Evidence (U:) drive. Comparing the sizes of the raw bit-stream file and the E01 image, the E01 image is much smaller because FTK Imager compresses it at creation. Working with the E01 image is much easier in a real case because of its size, and the stored hashes let anyone re-verify later that the image has not changed.

Lab 2.4 Imaging Evidence with FTK Imager Lite

1. In the Evidence (U:) folder, delete the Qtr 1 Emp.xlsx and Online.docx files. Open FTK Imager 3.1.1.8 and choose Create Disk Image; this time select Logical Drive as the source type instead of Image File.
* I had to run the program with the authorized user account to access the Evidence drive.
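The cluster-range copy from Lab 2-2 and the hash verification from Lab 2-3, as an added Python example on a constructed in-memory drive (this is not Directory Snoop, FTK Imager, or the report's own code; the 4 KB cluster size, the function names, and the sample drive contents are assumptions of the example):

```python
"""Bit-stream copy of a cluster range with MD5/SHA-1 verification.

Added example, not code from Directory Snoop, FTK Imager or the lab report.
It models two steps of the lab on a constructed in-memory "drive": copying
clusters first..last inclusive into a raw image (Lab 2-2), and hashing the
source range and the image independently so a mismatch flags a bad
acquisition (Lab 2-3).
"""
import hashlib

CLUSTER_SIZE = 4096  # assumption: the NTFS default, as on the emulated drive


def image_size_bytes(first_cluster: int, last_cluster: int,
                     cluster_size: int = CLUSTER_SIZE) -> int:
    """Clusters are numbered from 0 and the range is inclusive, so
    last_cluster=261886 means 261887 clusters."""
    if first_cluster < 0 or last_cluster < first_cluster:
        raise ValueError("bad cluster range")
    return (last_cluster - first_cluster + 1) * cluster_size


def hash_bytes(data: bytes) -> tuple:
    """MD5 and SHA-1 hex digests, the pair FTK Imager records for an image."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def make_drive(n_clusters: int, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Constructed sample volume: each cluster filled with its own index byte,
    with the text of a 'deleted' document left behind in cluster 3."""
    clusters = [bytes([i % 256]) * cluster_size for i in range(n_clusters)]
    leftover = b"Qtr 1 Emp.xlsx data that was only unlinked, not erased"
    clusters[3] = leftover + clusters[3][len(leftover):]
    return b"".join(clusters)


def copy_clusters(drive: bytes, first_cluster: int, last_cluster: int,
                  cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Copy clusters [first, last] verbatim. Refuses to run past the end of the
    device so a wrong 'last cluster' cannot silently produce a short image."""
    start = first_cluster * cluster_size
    length = image_size_bytes(first_cluster, last_cluster, cluster_size)
    if start + length > len(drive):
        raise ValueError("cluster range runs past the end of the device")
    return drive[start:start + length]


def acquire(drive: bytes, first_cluster: int, last_cluster: int,
            cluster_size: int = CLUSTER_SIZE) -> dict:
    """Copy, then hash the source range and the image separately;
    'match' is the equivalent of FTK Imager's verify step."""
    image = copy_clusters(drive, first_cluster, last_cluster, cluster_size)
    src = drive[first_cluster * cluster_size:(last_cluster + 1) * cluster_size]
    src_md5, src_sha1 = hash_bytes(src)
    img_md5, img_sha1 = hash_bytes(image)
    return {"image": image, "bytes": len(image), "md5": img_md5, "sha1": img_sha1,
            "match": (src_md5, src_sha1) == (img_md5, img_sha1)}


def verify_image(drive: bytes, image: bytes, first_cluster: int, last_cluster: int,
                 cluster_size: int = CLUSTER_SIZE) -> bool:
    """Re-verify a stored image against the source later (e.g. before analysis)."""
    return hash_bytes(copy_clusters(drive, first_cluster, last_cluster,
                                    cluster_size)) == hash_bytes(image)


if __name__ == "__main__":
    print("lab range size:", image_size_bytes(0, 261886), "bytes")
    drive = make_drive(8)
    result = acquire(drive, 0, 7)
    print("verified:", result["match"], "md5:", result["md5"])
    print("deleted text still in image:", b"Qtr 1 Emp" in result["image"])
```

The point of hashing the source and the image separately is that a transfer error, a bad sector read, or a later edit shows up as a mismatch; the same hashes written into an E01 header serve the same purpose once the original drive is no longer available.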
2. Select the EVIDENCE [NTFS] drive in the Select Drive window, and select E01 as the image type. Provide the E01 evidence information as shown in the screenshot below, and create the image file.

3. Examine the results.
* In this lab I created an E01 image of the emulated USB drive, Evidence (U:), directly with FTK Imager. Although I had deleted two small files (about 41 KB) beforehand, the new E01 image (3,099 KB) was actually larger than the previous one, C2Proj3.E01 (3,082 KB). I first thought this was because I had not changed the image fragment size and compression level, so I created another image with the same settings as before; the file was still larger, by 1 KB. The explanation is that deleting a file does not remove its data from the volume: the clusters still hold the same content (here the files were moved into the $RECYCLE.BIN folder rather than freed), so there is nothing less to compress, and the small growth comes from the metadata the deletion added.

Lab 2.5 Viewing Images in FTK Imager Lite

1. In FTK Imager, click File on the top menu bar and select Add Evidence Item.

2. In the Select Source window, select Image File, then browse to and select the C2Proj4.E01 file created in Lab 2-4. Click Finish.
3. In the Evidence Tree panel, expand C2Proj4.E01 by clicking the + sign next to the file name. Expand 'Evidence [NTFS]' and the [root] folder, and look for the deleted files.
* In this lab environment we used a volume that emulates a USB drive rather than a physical USB stick. When files are deleted from it they go to the Recycle Bin, which creates a $RECYCLE.BIN directory in the E01 image, so the results differ from the instructions. After emptying the Recycle Bin I made an additional image, C2Proj4-3.E01, shown in the screenshot below. Files that no longer exist even in the Recycle Bin are displayed with a red X on their icon. They appear under Recycle Bin names ($I... entries) rather than their original names, but I could identify them by their extensions. I am not sure whether this information would be useful for the investigation in this case.
4. Export the deleted files by right-clicking them.
* I was able to open $IKCY173.xls and obtain the original name of the file, but I could not restore its data, and I could not open the $ILH9IQZ.docx file at all. This matches how the Recycle Bin works: the $I file holds only metadata (original path, size, and deletion time), while the content is kept in the companion $R file with the same suffix, which was unlinked when the bin was emptied.

5. Export the hashes of the deleted files and review their MD5 and SHA-1 values.
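As an added example (not FTK Imager code and not part of the report), here is a Python parser for the $I metadata records that appear under $RECYCLE.BIN in the image. The Recycle Bin stores a deleted file's original path, size and deletion time in $I<id>.<ext> and its content in the companion $R<id>.<ext>, which is why opening a $I file recovers the name but not the data. The sample record, its deletion time and the helper names are constructed for the example; the record layout (version 1 for Vista through 8.1, version 2 for Windows 10 and later) is the documented on-disk format.

```python
"""Parse Windows Recycle Bin $I metadata records.

Added example; not FTK Imager code and not part of the lab report.
$I layout, little-endian:
  version 1: u64 version=1, u64 size, u64 FILETIME, 520 bytes UTF-16LE name
  version 2: u64 version=2, u64 size, u64 FILETIME, u32 name chars, UTF-16LE name
The content of the deleted file lives in the $R file with the same suffix.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data: bytes) -> dict:
    """Decode a $I record into original path, size, deletion time and version."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        name_bytes = data[24:24 + 520]           # fixed 260-character field
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        name_bytes = data[28:28 + nchars * 2]    # length includes the NUL
    else:
        raise ValueError(f"unknown $I version {version}")
    name = name_bytes.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": name}


def build_i_file(original_path: str, size: int, deleted_at: datetime,
                 version: int = 2) -> bytes:
    """Construct a $I record; used here only to make sample input."""
    ft = datetime_to_filetime(deleted_at)
    name = (original_path + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + name.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, ft, len(original_path) + 1) + name


def r_file_for(i_name: str) -> str:
    """$IKCY173.xlsx -> $RKCY173.xlsx: the companion that holds the content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


# Constructed sample (assumption, not data from the lab image): a spreadsheet
# deleted from the Evidence (U:) volume on the report date.
SAMPLE_DELETED_AT = datetime(2023, 10, 12, 14, 0, 0, tzinfo=timezone.utc)


def sample_i_file(version: int = 2) -> bytes:
    return build_i_file(r"U:\Qtr 1 Emp.xlsx", 20480, SAMPLE_DELETED_AT, version)


if __name__ == "__main__":
    record = parse_i_file(sample_i_file())
    print(record)
    print("content would be in:", r_file_for("$IKCY173.xlsx"))
```

To use it on an exported $I file, read the file as bytes and pass them to parse_i_file; the path it returns is the name to look for, and the $R companion (if it still exists in the image) is what to export to get the content back.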
Summary

Lab 2 provided insight into creating bit-stream copies of removable storage media such as a USB drive by comparing two programs, Directory Snoop and FTK Imager. Directory Snoop is not a forensic tool and only creates a copy in raw format, whereas FTK Imager offers several image formats with hash validation and compression. Directory Snoop, however, can securely wipe and format disk drives using four different multi-pass methods. Although I did not succeed in restoring the deleted data, given the limited access in the virtual environment, I was able to explore the functions of, and the differences between, the two programs. I learned the importance of using forensic tools such as FTK Imager to preserve and find evidence during an investigation.
Review Questions & Answers

Lab 2-1
1. A
2. True
3. D
4. B
5. B

Lab 2-2
1. B and D
2. False
3. C
4. A
5. B and C

Lab 2-3
1. B
2. False
3. According to Nelson (2018), "Splitting a forensic image into separate files enables to store data on CDs, DVDs, or smaller USB drives." Those portable storage media have size limits, so splitting the image makes it possible to transfer it on them.
4. False
5. True

Lab 2-4
1. D
2. B
3. True
4. A and B
5. B

Lab 2-5
1. B
2. A
3. C
4. B
5. B
References

Mehta, P. (2022, December 27). DOD 5220.22-M – the secure wiping standard to get rid of data. BitRaser. https://www.bitraser.com/blog/dod-wiping-the-secure-wiping-standard-to-get-rid-of-data/

Nelson, B., Phillips, A., & Steuart, C. (2018). Guide to computer forensics and investigations: Processing digital evidence (6th ed.). Cengage Learning.