Part -1:

Objective:

This lab will introduce the student to the basics of data recovery from a disk that has been formatted. Please note that the procedures in this document are not forensically sound, but they illustrate the basic concepts of data recovery. They will be built on in the next lab.

Introductory questions:

What happens when a drive is formatted using default operating system formatting tools? Your answer should discuss what happens in terms of the actual activity at the disk level.

Quick format _____________________________________________________________

Low-level or long format _________________________________________________________

Why can data be recovered after a basic (quick) formatting operation?

What can be done to completely erase data? What type of activity at the disk level is required?

Name at least one software tool that can completely erase a disk. _________________________
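The disk-level answer to the questions above, shown on a volume small enough to inspect: a quick format rewrites the boot sector, the FATs and the root directory and leaves the data area alone, which is why a carver still finds the bytes; only overwriting the data sectors removes them. This is an added example, not part of the lab handout or of TestDisk/PhotoRec. The whole FAT12 volume is constructed in memory (geometry constants, file name and content are all assumed), so it needs no USB image.

```python
import struct

# Assumed geometry for the constructed volume: 512-byte sectors, 1 sector per
# cluster, 1 reserved sector, 2 FATs of 1 sector each, 16 root entries, 64 sectors.
BPS, SPC, RSVD, NFATS, ROOT_ENTS, TOTAL, SPF = 512, 1, 1, 2, 16, 64, 1
FILE_NAME = b"SECRET  TXT"                        # 8.3 name, space padded (assumed)
FILE_DATA = b"account alice, pin 4242\n"          # constructed sample content

def boot_sector():
    """Boot sector carrying the BPB fields that TestDisk and PhotoRec also read."""
    bs = bytearray(BPS)
    bs[0:3] = b"\xEB\x3C\x90"
    bs[3:11] = b"MSWIN4.1"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors, media, sectors/FAT
    struct.pack_into("<HBHBHHBH", bs, 11, BPS, SPC, RSVD, NFATS, ROOT_ENTS, TOTAL, 0xF8, SPF)
    bs[510:512] = b"\x55\xAA"
    return bs

def layout(img):
    """Parse the BPB; return (cluster size, FAT offset, root dir offset, data area offset)."""
    bps, spc, rsvd, nfats, root_ents, _, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    fat_off = rsvd * bps
    root_off = fat_off + nfats * spf * bps
    data_off = root_off + root_ents * 32
    return bps * spc, fat_off, root_off, data_off

def fat12_entry(fat, n):
    """Unpack the 12-bit FAT entry for cluster n (entries are packed in 1.5-byte pairs)."""
    off = n * 3 // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0xFFF

def fresh_fat():
    """Empty FAT12: media descriptor in entry 0, end-of-chain in entry 1, nothing allocated."""
    fat = bytearray(SPF * BPS)
    fat[0:3] = b"\xF8\xFF\xFF"
    return fat

def build_image():
    """A freshly written volume holding one file in cluster 2."""
    img = bytearray(TOTAL * BPS)
    img[0:BPS] = boot_sector()
    _, fat_off, root_off, data_off = layout(img)
    fat = fresh_fat()
    fat[3:5] = b"\xFF\x0F"                          # entry 2 = 0xFFF (end of chain)
    for i in range(NFATS):
        img[fat_off + i * SPF * BPS:fat_off + (i + 1) * SPF * BPS] = fat
    entry = bytearray(32)
    entry[0:11] = FILE_NAME
    entry[11] = 0x20                                # ATTR_ARCHIVE
    struct.pack_into("<HI", entry, 26, 2, len(FILE_DATA))   # first cluster, file size
    img[root_off:root_off + 32] = entry
    img[data_off:data_off + len(FILE_DATA)] = FILE_DATA
    return img

def list_root(img):
    """Root directory entries as (name, first cluster, size, status)."""
    _, _, root_off, _ = layout(img)
    out = []
    for i in range(ROOT_ENTS):
        e = img[root_off + i * 32:root_off + (i + 1) * 32]
        if e[0] == 0x00:                            # end of used entries
            break
        first, size = struct.unpack_from("<HI", e, 26)
        out.append((bytes(e[0:11]), first, size, "deleted" if e[0] == 0xE5 else "active"))
    return out

def read_file(img, first_cluster, size):
    """Follow the FAT chain the way the operating system does."""
    cluster, fat_off, _, data_off = layout(img)
    fat = img[fat_off:fat_off + SPF * BPS]
    data, c = bytearray(), first_cluster
    while 2 <= c < 0xFF8:
        data += img[data_off + (c - 2) * cluster:data_off + (c - 1) * cluster]
        c = fat12_entry(fat, c)
    return bytes(data[:size])

def quick_format(img):
    """Quick format: new boot sector, empty FATs, empty root directory; the data area is not touched."""
    out = bytearray(img)
    _, fat_off, root_off, data_off = layout(img)
    out[0:BPS] = boot_sector()
    for i in range(NFATS):
        out[fat_off + i * SPF * BPS:fat_off + (i + 1) * SPF * BPS] = fresh_fat()
    out[root_off:data_off] = bytes(data_off - root_off)
    return out

def wipe(img):
    """What actually erasing needs: every data sector overwritten (wiping tools do this, often with more passes)."""
    out = bytearray(img)
    _, _, _, data_off = layout(img)
    out[data_off:] = bytes(len(out) - data_off)
    return out

def carve(img, needle):
    """What a carver relies on: search raw sectors and ignore the file system. Returns offset or -1."""
    return img.find(needle)

if __name__ == "__main__":
    img = build_image()
    print("fresh volume:", list_root(img), read_file(img, 2, len(FILE_DATA)))
    qf = quick_format(img)
    print("after quick format, root dir:", list_root(qf), "raw data still at offset", carve(qf, FILE_DATA))
    print("after wipe, raw search gives", carve(wipe(qf), FILE_DATA))
```

After `quick_format` the directory is empty and the FAT claims nothing is allocated, so the OS reports an empty drive, yet `carve` finds the content at the same offset it always had; only `wipe` makes the search fail. A real quick format also writes a new volume serial and label, which changes nothing about the data area.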

Procedure:

This lab will be done on the lab machine or your own PC, not in a VM.

- Obtain one thumb drive image from the instructor (sent via SendTo).

- Download one of wxHexEditor, HxD or Hexplorer, which are freeware hex editors. Unzip it to a temporary folder on the hard drive. You can use a different hex editor if you prefer.

- Download TestDisk from cgsecurity.org. Use the 32-bit or 64-bit version for Windows, as appropriate (lab computers use 64-bit). You can use the stable version or the WIP version. Unzip it to a temporary folder on the hard drive.

- Use the hex editor to open the disk image you received. Find the File Allocation Table, and highlight the start of the FAT. Take a screenshot and insert it here.

- Use PhotoRec, a text-mode tool in the TestDisk folder, to scan the disk image. Run it twice: once on only the unused (free) space on the drive, and once on the whole disk. Be sure to save the output of each run in a separate folder.
Insert a screenshot of the contents of the folder containing the files recovered by scanning only free space here.

Insert a screenshot of the contents of the folder containing the files recovered by scanning the full disk here.

How many files were found by scanning free space? _____________________________

How many files were found by scanning the full drive? ___________________________

- Open a file that was recovered by PhotoRec (preferably of a type other than JPEG, since the next step covers that type) in your hex editor, and find the magic bytes of the file. Highlight these, then take and insert a screenshot.

- Use the hex editor to find a .jpg file on the disk by its magic bytes (FF D8 hex, always followed by FF). Copy from those start bytes to the end-of-image marker (FF D9), paste the result into a new, empty hex editor file, and save that file to disk. If the saved image opens but is cut off, you stopped at the FF D9 of the EXIF thumbnail that is embedded near the start of most camera JPEGs; continue to the next FF D9 instead. Last, open the file in an image viewing tool like Paint or Windows Image Viewer, and insert a screenshot here.

Note: The other tool, TestDisk, which is included in the PhotoRec download, can recover deleted partitions, among other things. If you ever have partitions go missing on a drive, try this tool first.
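Why the manual FF D8 to FF D9 carve in the step above can truncate a picture, and how a carver such as PhotoRec avoids it, as an added example that is not part of the handout or of PhotoRec's own code. The "disk image" is a constructed byte string holding two skeleton JPEGs (valid marker structure, not decodable pictures); the first carries an embedded thumbnail with its own FF D9. `naive_carve` does what the lab step does by hand; `carve_jpeg` walks the marker segments by their lengths and only honours an FF D9 that terminates the scan data.

```python
import struct

def make_jpeg(thumbnail: bytes, image_data: bytes) -> bytes:
    """Constructed JPEG skeleton: SOI, APP1 'Exif' segment wrapping `thumbnail`, a SOS header,
    entropy-coded `image_data`, EOI. Not decodable as a picture; only the marker structure matters."""
    payload = b"Exif\x00\x00" + thumbnail
    app1 = b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload
    sos = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    return b"\xFF\xD8" + app1 + sos + image_data + b"\xFF\xD9"

# An embedded thumbnail is itself a JPEG, so it carries its own FF D9 (constructed).
THUMB = b"\xFF\xD8\xFF\xDA\x00\x04\x00\x00" + b"\x11" * 16 + b"\xFF\xD9"
# Entropy-coded data may contain FF 00 (a stuffed 0xFF data byte); that is not a marker.
DATA = b"\x12\x34\xFF\x00\x56" * 20
JPEG_WITH_THUMB = make_jpeg(THUMB, DATA)
JPEG_PLAIN = make_jpeg(b"", DATA)

def disk_image() -> bytes:
    """Constructed 'formatted' image: two JPEGs left behind in otherwise zeroed sectors."""
    return b"\x00" * 1000 + JPEG_WITH_THUMB + b"\x00" * 500 + JPEG_PLAIN + b"\x00" * 300

def naive_carve(buf: bytes, start: int):
    """The manual method: copy from FF D8 to the next FF D9, wherever it is."""
    end = buf.find(b"\xFF\xD9", start)
    return buf[start:end + 2] if end != -1 else None

def carve_jpeg(buf: bytes, start: int):
    """Walk marker segments from the SOI at `start`; return the file up to the EOI that ends the scan data."""
    if buf[start:start + 2] != b"\xFF\xD8":
        return None
    pos = start + 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return None                              # not a marker: corrupt or not a JPEG
        marker = buf[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                           # EOI reached through the segment chain
            return buf[start:pos + 2]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                                 # standalone markers carry no length field
            continue
        if pos + 4 > len(buf):
            return None
        pos += 2 + struct.unpack_from(">H", buf, pos + 2)[0]   # length includes its own 2 bytes
        if marker == 0xDA:                           # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(buf):
                nxt = buf[pos + 1]
                if buf[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None

def find_jpegs(buf: bytes):
    """Every JPEG in the buffer as (offset, bytes), found by signature and cut by the marker walk."""
    out, pos = [], 0
    while (pos := buf.find(b"\xFF\xD8\xFF", pos)) != -1:
        f = carve_jpeg(buf, pos)
        if f:
            out.append((pos, f))
            pos += len(f)                            # do not re-find the thumbnail's SOI inside it
        else:
            pos += 1
    return out

if __name__ == "__main__":
    img = disk_image()
    for off, data in find_jpegs(img):
        print(f"JPEG at {off}: {len(data)} bytes; naive FF D9 cut would give {len(naive_carve(img, off))}")
```

The walk also skips the thumbnail's own FF D8 FF signature, which a plain signature search would otherwise report as a second, bogus picture. Progressive JPEGs put further DHT/SOS segments after the first scan; the loop handles those because it only stops on an EOI reached through the segment chain.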

Part -2:

Data Recovery - part 2

Objective:

This lab will introduce the student to a number of tools to both recover data and investigate the recovered content. Please note that the procedures in this document may not be forensically sound, but can be adapted for forensic soundness by employing a write blocker, and meticulously documenting the findings.

Credentials:

For the SIFT workstation, the login is IT357, and the password is forensics. For the Windows machine, the password is ab12cd34. For the Windows FTP server, the username is IT357, and password is ab12cd34.

Procedure:

Part 1:
- For this portion of the lab, we will use the SIFT machine. This machine has several hundred open source forensics tools, including memory dump tools, disk image acquisition tools, data recovery tools, and artifact analysis tools. Some of the more notable tools are Autopsy / The Sleuth Kit, ewfacquire, log2timeline, and a new tool called MantaRay that wraps most of the tools in a pretty GUI. More information is at: http://sift.readthedocs.org/en/latest/index.html. A few videos, which WON'T be helpful for today, are at https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A .
- In the SIFT machine, the home folder has a number of disk images (USB & SD cards) in the images directory. There is also a full partition mounted at /cases which stores the metadata about the recovery. Finally, please place your output in the ~/output directory.
- Analyze any ONE of the disks in the ~/images folder using the MantaRay tool. A tutorial is in the slide attached to this HW assignment, starting at slide 40. Run the tool from a command prompt by typing "mantaray".
- When you get to the step about selecting tools, use the values shown in the screenshot. All other tools can use the default options, until you get to the time zone. Choose "NO" to that question.

- After completion use sudo nautilus to launch the file manager as root, and then browse the output directories.

- Insert documentation of your findings below. Include both text and screenshots as appropriate. These need to be YOUR INTERPRETATION of the logs, not just screenshots of the logs.

- What was found?
- Did bulk extractor find any data not related to pictures? (Please be sure to actually look at the content of the files, some are empty!) ____________________________________________________________

- If so, what? __________________________________________________

- What did ExifTool find? __________________________________

- What did the Foremost tool find?

- Filetypes? ___________________________________________________

- Were any files with GPS EXIF info found? ___________________

- What does the timeline.csv file show? Interpret the results. Hint: the first and last columns are the most relevant to us. ___________________________________________________________

Insert a screenshot of the contents of a directory full of files that Foremost found.

If there were any files with GPS info, please load the .KML file into Google Maps or Google Earth, and insert a screenshot here.
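Where the GPS EXIF info that ExifTool reports and the .KML file above come from, as an added example that is not part of the handout or of ExifTool, MantaRay or any other SIFT tool. It constructs a minimal JPEG whose Exif APP1 holds only a GPS IFD (constructed sample coordinates), parses it back the way any EXIF reader does (TIFF header, IFD0, the GPSInfo pointer, degrees/minutes/seconds rationals) and writes a KML placemark of the kind Google Earth loads. Tag numbers and IFD layout follow the EXIF specification; the image file name is an assumption.

```python
import struct

def rational3(deg, minutes, seconds):
    """Three EXIF RATIONALs (numerator, denominator) for degrees, minutes, seconds."""
    return struct.pack(">IIIIII", deg, 1, minutes, 1, int(round(seconds * 100)), 100)

def jpeg_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG: SOI, APP1 Exif (big-endian TIFF, IFD0 -> GPS IFD), EOI."""
    tiff = bytearray(b"MM\x00\x2A" + struct.pack(">I", 8))       # byte order, magic, IFD0 at offset 8
    tiff += struct.pack(">H", 1)                                   # IFD0: one entry
    tiff += struct.pack(">HHII", 0x8825, 4, 1, 26)                 # GPSInfoIFD pointer (LONG) -> offset 26
    tiff += struct.pack(">I", 0)                                   # no IFD1
    tiff += struct.pack(">H", 4)                                   # GPS IFD: four entries
    tiff += struct.pack(">HHI4s", 0x0001, 2, 2, lat_ref.encode() + b"\x00\x00\x00")   # GPSLatitudeRef
    tiff += struct.pack(">HHII", 0x0002, 5, 3, 80)                 # GPSLatitude: 3 RATIONALs at 80
    tiff += struct.pack(">HHI4s", 0x0003, 2, 2, lon_ref.encode() + b"\x00\x00\x00")   # GPSLongitudeRef
    tiff += struct.pack(">HHII", 0x0004, 5, 3, 104)                # GPSLongitude: 3 RATIONALs at 104
    tiff += struct.pack(">I", 0)
    tiff += rational3(*lat_dms) + rational3(*lon_dms)
    payload = b"Exif\x00\x00" + bytes(tiff)
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload + b"\xFF\xD9"

def exif_tiff(jpeg):
    """Walk JPEG segments until the Exif APP1; return its TIFF block, or None if there is none."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                   # EOI or start of scan: no APP1 seen
            return None
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seglen]
        pos += 2 + seglen
    return None

def read_ifd(tiff, end, off):
    """Entries of the IFD at `off` as {tag: (type, count, raw 4-byte value/offset field)}."""
    n = struct.unpack_from(end + "H", tiff, off)[0]
    entries = {}
    for i in range(n):
        base = off + 2 + i * 12
        tag, typ, cnt = struct.unpack_from(end + "HHI", tiff, base)
        entries[tag] = (typ, cnt, tiff[base + 8:base + 12])
    return entries

def gps_from_jpeg(jpeg):
    """Decimal (latitude, longitude) from the GPS IFD, or None when the file has none."""
    tiff = exif_tiff(jpeg)
    if tiff is None:
        return None
    end = ">" if tiff[:2] == b"MM" else "<"          # TIFF byte order applies to every field
    ifd0 = read_ifd(tiff, end, struct.unpack_from(end + "I", tiff, 4)[0])
    if 0x8825 not in ifd0:
        return None
    gps = read_ifd(tiff, end, struct.unpack_from(end + "I", ifd0[0x8825][2])[0])
    if not all(t in gps for t in (1, 2, 3, 4)):
        return None
    def dms(tag):
        off = struct.unpack_from(end + "I", gps[tag][2])[0]     # RATIONAL x3 does not fit inline
        v = struct.unpack_from(end + "IIIIII", tiff, off)
        d, m, s = (v[i] / v[i + 1] for i in (0, 2, 4))
        return d + m / 60 + s / 3600
    lat = dms(2) * (-1 if gps[1][2][:1] == b"S" else 1)
    lon = dms(4) * (-1 if gps[3][2][:1] == b"W" else 1)
    return lat, lon

def kml(points):
    """KML document with one Placemark per (name, lat, lon); KML orders coordinates lon,lat."""
    marks = "".join(
        f"<Placemark><name>{n}</name><Point><coordinates>{lon:.6f},{lat:.6f},0</coordinates></Point></Placemark>"
        for n, lat, lon in points)
    return ('<?xml version="1.0" encoding="UTF-8"?><kml xmlns="http://www.opengis.net/kml/2.2">'
            f"<Document>{marks}</Document></kml>")

if __name__ == "__main__":
    sample = jpeg_with_gps((40, 30, 36.0), "N", (88, 59, 24.0), "W")   # constructed coordinates
    lat, lon = gps_from_jpeg(sample)
    print(lat, lon)
    print(kml([("IMG_0001.JPG", lat, lon)]))       # assumed file name
```

Cameras write the same four tags (plus altitude and timestamp) in the same structure, so the parser runs unchanged on a recovered picture; read it with `gps_from_jpeg(open(path, "rb").read())`. Note that a carved file whose APP1 segment was damaged returns None here, which is also why some files ExifTool reports carry no position.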

Part 2:

Download a different disk image (inside SIFT workstation) from one of the following sites. The disks are very different, but have good descriptions. Please do not use any floppy disk images. Run the MantaRay tool on the chosen disk image, choosing the tools that make the most sense for your particular disk, (take a screenshot of the tools you chose and insert here) and answer the questions below.

Sites:
- https://www.honeynet.org/challenges/2011_7_compromised_server
- http://dftt.sourceforge.net/
- http://www.shortinfosec.net/2008/07/competition-computer-forensic.html
- http://dfrws.org/2008/rodeo.shtml
- http://dfrws.org/2009/rodeo.shtml
- http://dfrws.org/2011/challenge/index.shtml
- http://linuxleo.com/
- http://digitalcorpora.org/corpora/disk-images
- https://onedrive.live.com/?cid=5694a755c9c6a175&id=5694A755C9C6A175!106
- (Less useful) http://www.forensickb.com/search?q=practical
- (Less useful) http://old.honeynet.org/challenge/images.html
- (Not as useful) http://wiki.sleuthkit.org/index.php?title=Case_Studies
- (Not useful, but interesting!) https://www.cs.cmu.edu/~enron/
- If you'd like to try a memory or a Mac dump, talk to me.

For each tool you used, interpret what was found.
- Tool ____________________________________________

- Interpretation _____________________________________

- Tool ____________________________________________

- Interpretation _____________________________________

- Tool ____________________________________________

- Interpretation _____________________________________

- Tool ____________________________________________

- Interpretation _____________________________________

- What filetypes were found? ___________________________________________________

- Were any files with GPS EXIF info found? ___________________

- If any files of type PDF, Microsoft Office or OpenOffice were found, zip them, email them to yourself, and run the tool MetaExtractor on the host machine or your own PC (it doesn't run under XP). Run the tool on at least 15 documents, at least 5 of each type. MetaExtractor is available at http://www.4discovery.com/our-tools/.

- If none were found, there are some documents available at http://www.itk.ilstu.edu/faculty/gsagers/docs.zip. Run the MetaExtractor tool on at least 15 of them, 5 of each type. Insert screenshots below as indicated.

Insert a screenshot of the contents of directory full of files that Foremost found.

If there were any files with GPS info, please load the .KML file into Google Maps or Google Earth, and insert a screenshot here.

Give a summary of what MetaExtractor found about the documents. ______________________

Suspend the Sansforensics VM for now.

Part 3:
Network Forensics
- Power on the XP Forensics VM.
- In your XP VM, download a network trace from one of the sites below. The traces are all different, and some may not have much information. If that is the case, try a different trace. If you know of a different source for forensic network traces, you may use it.
- http://www.forensickb.com/2008/01/forensic-practical.html
- http://digitalcorpora.org/corpora/network-packet-dumps
- http://www.forensicswiki.org/wiki/Forensic_corpora#Network_Packets_and_Traces
- http://traces.cs.umass.edu/index.php/Main/HomePage
- https://github.com/markofu/pcaps

- Run NetworkMiner against the trace.
- Summarize what was found by NetworkMiner. ________________________________

_______________________________________________________________________

_______________________________________________________________________

Part 4:
Perform one of the cases at www.cfreds.nist.gov, listed under "Current Data Sets". The cases are very different, and you will need some web searches to complete them. Some of the cases have solutions posted; you may still use those, but you must document your own work with screenshots and text.

  • Category:- Computer Engineering
  • Reference No.:- M92066608