Lab 2: File Analysis

When you're done with this lab you will have done the following things:

  1. Recover files from forensic images
  2. Determine file type from File Signatures
  3. Find files in a forensic image that have been deleted
  4. Carve (extract) deleted and partial files from a disk image

Expectations

Throughout this entire lab (and this course), this web site assumes you are using the RHIT-supplied image of Windows and that you're working in pairs out of the Digital Forensics Workbook (Michael K. Robinson). If you are not using the RHIT-supplied image, the steps may be slightly different. Your instructor is available for help.

As you work on the lab, you must document your process in an "event log" so the validity of the evidence and your analysis is never in question. For each section of the lab, be sure to follow the provided template and then sign (or write your name) and date your notebook entry.

Keep in mind as you work on this lab that your efforts must be:

  1. Repeatable -- If you perform the steps again on the same equipment, you must end up with the same results. You must document enough so that you can repeat your lab quickly (with the same results) if asked.

  2. Reproducible -- someone else in a different lab with the same tools and evidence must be able to follow your steps and end up with the same results. You must document the results so someone else is able to repeat your lab (with the same results) if asked.

When you acquire evidence or artifacts, you must document:

If you do something with the evidence, you must document:

For a basic example, see the Sample Forensics Log Entry.

If you perform steps in the workbook, you may reference the steps (with page number and/or chapter number) in your writeup without repeating the text of the steps. Mainly, you must make it clear what actions you took and what results you saw.

Document your work as you do it. At the end of each part (chapter), be sure to update your lab notebook with a short summary or conclusion, then sign (or write your name) and date it.

Chapter 9: File Signature Analysis

Read chapter 9 and follow the instructions it contains.

NOTE: When you obtain WinHex, it will be a zip file. Decompressing it will result in lots of files. It is recommended you create a folder, put the zip file in that folder, then decompress the zip file.

PASSWORD: If you need a password for a dataset, look on page 5 of your lab manual.

VPN: If you are not on campus, you will need to use the VPN to access the mirrored copies of the data set (all mirror.csse.rose-hulman.edu links).

Do Activity 9-1

(do not complete the Additional Exercises)

From File_Signature-Examples.zip mentioned in the book

For each of the following files contained in the zip archive: identify and document the file signature, file type, and file extension associated with it.

File4
File5
File6
File7

Download File_Signature-Examples-2.zip and extract the files.

For each of the following files contained in the zip archive: identify and document the file signature, file type, and file extension associated with it.

File20
File21
File22
File23
File24
File25
File26
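The check you perform by hand in Activity 9-1 (read the leading bytes of a file, compare them to a table of known signatures, and note whether the extension agrees) can be automated. The script below is an added example for this lab, not code from the workbook; it uses a small table of standard, widely documented signatures and runs against constructed sample files, not the File4..File26 samples, whose contents you still have to determine yourself. The security-relevant point it demonstrates is the extension-versus-signature mismatch: a file named invoice.txt whose first bytes are 4D 5A ("MZ") is a Windows executable no matter what its name says.

```python
# Added example (not from the Digital Forensics Workbook): identify a file's type
# from its leading bytes ("magic numbers") and flag extension mismatches.
import os
import tempfile

# Standard file signatures: (bytes at offset 0, file type, extensions that fit).
# These values match any common file-signature reference table.
SIGNATURES = [
    (b"\xFF\xD8\xFF",                    "JPEG image",                 (".jpg", ".jpeg")),
    (b"\x89PNG\r\n\x1a\n",               "PNG image",                  (".png",)),
    (b"GIF87a",                          "GIF image",                  (".gif",)),
    (b"GIF89a",                          "GIF image",                  (".gif",)),
    (b"%PDF",                            "PDF document",               (".pdf",)),
    (b"PK\x03\x04",                      "ZIP archive (also Office OOXML/JAR)", (".zip", ".docx", ".xlsx", ".pptx", ".jar")),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound document (DOC/XLS/PPT)", (".doc", ".xls", ".ppt")),
    (b"MZ",                              "Windows executable (MZ/PE)", (".exe", ".dll", ".sys")),
    (b"BM",                              "Bitmap image",               (".bmp",)),
    (b"Rar!\x1a\x07",                    "RAR archive",                (".rar",)),
    (b"\x1f\x8b",                        "gzip compressed data",       (".gz",)),
    (b"BZh",                             "bzip2 compressed data",      (".bz2",)),
]

def identify_bytes(data):
    """Return (hex signature, file type, allowed extensions) for the first matching
    signature, or (hex of the first 8 bytes, 'unknown', ()) when nothing matches."""
    for magic, ftype, exts in SIGNATURES:
        if data.startswith(magic):
            return (magic.hex(" ").upper(), ftype, exts)
    return (data[:8].hex(" ").upper(), "unknown", ())

def identify_file(path, nbytes=16):
    """Read only the leading bytes (the longest signature above is 8 bytes)."""
    with open(path, "rb") as f:
        head = f.read(nbytes)
    return identify_bytes(head)

def extension_matches(path, exts):
    """True when the file's extension is one the signature allows, False when it
    is not, None when the signature is unknown and there is nothing to compare."""
    if not exts:
        return None
    return os.path.splitext(path)[1].lower() in exts

# Constructed sample files (headers only; real files would be longer).
SAMPLES = {
    "photo.jpg":   b"\xFF\xD8\xFF\xE0\x00\x10JFIF",
    "notes.pdf":   b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "invoice.txt": b"MZ\x90\x00\x03\x00",           # an executable renamed to .txt
    "blob.bin":    b"\x00\x01\x02\x03\x04\x05\x06\x07",
}

def demo():
    """Write the samples to a temp directory and return {name: (sig, type, match)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in SAMPLES.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            sig, ftype, exts = identify_file(p)
            results[name] = (sig, ftype, extension_matches(p, exts))
    return results

if __name__ == "__main__":
    for name, (sig, ftype, ok) in demo().items():
        flag = "  <-- extension does not match signature" if ok is False else ""
        print(f"{name:14} {sig:26} {ftype}{flag}")
```

Record the hex signature the script prints in your event log exactly as you would when reading it from WinHex's hex pane; the script only reads the first 16 bytes and never modifies the file, which is what you want when working on evidence.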

Lab Exercise 2A: Recovering Files from Forensic Images

This walks you through installing Autopsy and using it.

Be sure to document your actions so your work is repeatable and reproducible.

DO Lab Exercise 2A, Part 1.

NOTE: Obtain Autopsy version 4.22.1 from the Classes Server. If you cannot get that version to work (or are not using 64-bit Windows), then use the URL in the book.

DO Lab Exercise 2A, Part 2.

NOTE: You'll need the image you created in lab 1.

DO these steps using the image ingested by Autopsy:

  1. Search for, and document, in your report any files you find that were deleted (if there are any). Find a listing of the deleted files and take a screenshot of the Autopsy window showing how you found them. Include this in your report.

  2. For each file, find (and document how you found):

    • What was the name of the file?
    • What metadata (create/modified/deleted times and other information) can you extract from the file?
    • What type of file was it?
    • What does the file contain? (take a screenshot)

Chapter 17: File Carving

Read chapter 17 and follow the instructions it contains.

Do activity 17-1

IMPORTANT: Do not download raw_image2.dd from the book web site! Instead, download raw_image.dd.bz2 from the CSSE Mirror. The .bz2 file is 1.6MB and you can decompress it using WinRAR or a similar program. WARNING: it will decompress into a 1GB file.

Step 29 and later have a typo: they reference a line ending for PDFs (25 25 45 4F 46 0A). If you look closely, Figure 17-10 shows the last byte as 0D, while the text of steps 29 and later uses 0A. Either 0A or 0D is a valid line ending after the %%EOF trailer, so when you search, you will have to look for both.
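The header/footer search from activity 17-1 is simple enough to script. The carver below is an added example for this lab, not code from the workbook or WinHex: it searches a raw image for the PDF header (25 50 44 46, "%PDF") and the trailer "%%EOF" (25 25 45 4F 46) followed by 0A, 0D, or 0D 0A, so it finds files regardless of which line ending the typo in steps 29 and later leaves you looking for. It runs against a small constructed image, not raw_image.dd, and also handles the two cases a manual carve runs into: a PDF with incremental updates that contains several %%EOF markers (take the last one before the next header), and a header with no trailer at all (a partial file, carved up to a size limit and marked incomplete).

```python
# Added example (not from the Digital Forensics Workbook): carve PDFs from a raw
# image by header/footer search, accepting 0A, 0D or 0D 0A after %%EOF.
import os
import re

PDF_HEADER = re.compile(rb"%PDF-\d\.\d")            # 25 50 44 46 2D x 2E y
PDF_FOOTER = re.compile(rb"%%EOF(\r\n|\r|\n)")      # 25 25 45 4F 46 + 0D 0A | 0D | 0A

def carve_pdfs(image, max_len=1024 * 1024):
    """Return a list of (offset, data, complete) for every PDF header found.

    A file runs from its header to the LAST trailer found before the next header
    (or before max_len bytes). A header with no trailer in that window is carved
    as a partial file with complete=False, so nothing is silently dropped."""
    found = []
    pos = 0
    while True:
        h = PDF_HEADER.search(image, pos)
        if not h:
            break
        start = h.start()
        window_end = min(start + max_len, len(image))
        nxt = PDF_HEADER.search(image, h.end())
        limit = min(window_end, nxt.start()) if nxt else window_end
        trailers = list(PDF_FOOTER.finditer(image, start, limit))
        if trailers:
            end = trailers[-1].end()
            found.append((start, image[start:end], True))
        else:
            end = limit
            found.append((start, image[start:end], False))
        pos = end
    return found

def write_carved(found, outdir):
    """Write each carve as <offset>.pdf (or <offset>.partial.pdf); return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for offset, data, complete in found:
        name = f"{offset:08x}{'' if complete else '.partial'}.pdf"
        path = os.path.join(outdir, name)
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    return paths

# Constructed test image: filler bytes around two complete PDFs (LF and CRLF
# line endings, the second with two %%EOF markers) and one truncated PDF.
JUNK = bytes(range(256)) * 4
PDF_LF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
PDF_CRLF = (b"%PDF-1.7\r\n1 0 obj\r\n<< >>\r\nendobj\r\n%%EOF\r\n"
            b"2 0 obj\r\n<< /Updated true >>\r\nendobj\r\n%%EOF\r\n")
PDF_PARTIAL = b"%PDF-1.3\n1 0 obj\n<< /Truncated true >>\nendobj\n"

def build_sample_image():
    return JUNK + PDF_LF + JUNK + PDF_CRLF + JUNK + PDF_PARTIAL + JUNK

if __name__ == "__main__":
    for offset, data, complete in carve_pdfs(build_sample_image()):
        state = "complete" if complete else "PARTIAL"
        print(f"offset 0x{offset:08x}  {len(data):6d} bytes  {state}")
```

For the real 1GB image, open it with mmap.mmap rather than reading it into memory; the re module accepts any bytes-like buffer, so carve_pdfs works unchanged. Document the offsets it reports the same way you document offsets found in WinHex, and compare them: the hint that all files sit in the first unallocated chunk should agree with what the script prints.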

Do the additional exercises in 17-1

Hint: all the files are in the first unallocated chunk; the rest are empty.

Do activity 17-2

NOTE: If Carver Recovery is not available at the web site in the book, you can obtain it from the Class Server.

Do activity 17-3

NOTE: The URL for "Bulk Extractor" is incorrect in the lab manual. You can obtain version 1.5.5 from the Classes Server or from the author's website.

TIP: To run the Bulk Extractor GUI, click the Start menu and search for "BEViewer with Bulk Extractor 1.5.5 (64-bit)". Run that program to get the GUI shown in the lab manual.

Extra resources:

Do the associated exercises in 17-3

Verify you get the same answers as the lab workbook.

Finishing This Lab

When you're done with this lab, read over your lab report and ensure you've properly documented what you've done and with what you've worked.

Submit your lab write-up for grading (to moodle in PDF format) when you are done with the lab.

Grading Rubric

Grading for this lab is based on:

Item                                           Points
Ch 9 Complete                                      15
Part 2A Complete                                   15
Ch 17 Complete                                     20
Procedure (documentation clarity/correctness)      20
Presentation of Results (clarity/correctness)      20
Interpretation of results                          10
Total                                             100