Lab 1: Preliminaries
When you're done with this lab you will have done the following things:
- Used a (software) write blocker to avoid altering evidence
- Created a forensic image
- Identified attributes/filesystem info from an image
- Mounted and scanned a forensic image
Expectations
As you work on the lab, you must document your process in an "event log" so the validity of the evidence and your analysis is never in question. For each section of the lab, be sure to follow the provided template and then sign (or write your name) and date your report/notebook entry.
Keep in mind as you work on this lab that your efforts must be:
Repeatable -- If you perform the steps again on the same equipment, you must end up with the same results. You must document enough so that you can repeat your lab quickly (with the same results) if asked.
Reproducible -- someone else in a different lab with the same tools and evidence must be able to follow your steps and end up with the same results. You must document the results so someone else is able to repeat your lab (with the same results) if asked.
Chapter 2: Software Write Blocking
Read chapter 2 and follow the instructions it contains. Your instructor will provide you with a USB drive to examine.
Be sure to document your actions so your work is repeatable and reproducible.
When you acquire evidence or artifacts, you must document:
- What the evidence item is (e.g., usb drive or a file)
- Where the evidence came from
- How the evidence was acquired
If you do something with the evidence, you must document:
- Who is taking the action
- When you take the action
- What the action is
- What you find or learn from the action
For a basic example, see the Sample Forensics Log Entry.
At the end of each part (chapter), be sure to update your lab report with a short summary or conclusion, then sign (or write your name) and date it.
Chapter 3: Creating Forensic Images
Read chapter 3 and follow the instructions it contains.
Obtain FTK Imager from the Mirror Copy. If you cannot get that version to work, then use the link in the book.
Do activity 3-1 using the USB drive provided by your instructor.
Save the file with the name "testimage.E01".
Do activity 3-2 using the USB drive provided by your instructor.
Save the file with the name "testimage.dd".
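Activity 3-2 produces the dd image. The shell form of that acquisition, with the hash comparison that makes the result repeatable and the event-log line the Expectations section asks for, is shown below as an added example; it is not from the workbook or this lab. The source, image and log paths are placeholders you pass in (a real source would be a device such as /dev/sdb, read while the write blocker is still enabled), and the demo at the bottom runs against a constructed 8-sector file rather than real evidence.

```shell
#!/bin/sh
# Added example (not from the workbook or the lab): acquire a raw (dd) image,
# hash the source and the image, and append one event-log line per acquisition.
# Assumptions: source/image/log paths are whatever you pass in; a real source
# would be a device such as /dev/sdb (placeholder), read with the write blocker
# still enabled. The demo at the bottom uses a constructed 8-sector file.

# SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# acquire_image SRC DST LOG
# Hash SRC, copy it sector by sector with dd, hash DST, log who/when/what/result,
# and print the image hash. Returns 1 if the two hashes differ.
acquire_image() {
    src=$1; dst=$2; log=$3
    pre=$(sha256_of "$src")
    # bs=512: conv=sync pads only the last block, so a sector-aligned device is
    # never padded (a larger bs would append zeros and change the hash).
    # conv=noerror: continue past unreadable sectors instead of aborting.
    stats=$(dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>&1 | tr '\n' ';')
    post=$(sha256_of "$dst")
    printf '%s\t%s\tdd if=%s of=%s bs=512 conv=noerror,sync\t%s\tsource sha256=%s\timage sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$src" "$dst" "$stats" \
        "$pre" "$post" >> "$log"
    printf '%s\n' "$post"
    [ "$pre" = "$post" ]
}

# verify_image IMG EXPECTED_HASH: re-hash an image later (repeatability check).
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Demo on a constructed sample "device" (8 sectors of filler, not real evidence).
demo_dir=$(mktemp -d)
yes 'constructed sector data' | head -c 4096 > "$demo_dir/sample.bin"
acquire_image "$demo_dir/sample.bin" "$demo_dir/testimage.dd" "$demo_dir/eventlog.tsv"
cat "$demo_dir/eventlog.tsv"
rm -rf "$demo_dir"
```

Run it twice on the same source and the two logged image hashes must match; that pair of lines is the evidence that the acquisition is repeatable. The hash of the source is taken before dd runs so a mismatch shows up at acquisition time, not when someone else tries to reproduce the image later.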
Disable software write blocking!
Once both images are saved, don't forget to turn off the write blocking you enabled earlier (using regedit). The drive must stay write-blocked while it is being imaged, so do this only after activities 3-1 and 3-2 are finished.
SKIP activity 3-3.
SKIP activity 3-4.
At the end of each part (chapter), be sure to update your lab report with a short summary or conclusion, then write your names (or sign it) and date it.
Chapter 4: File System Identification
Read chapter 4 and follow the instructions it contains.
NOTE: Forensic_Images.zip does not exist. Instead, you should download the necessary files from the Data Sets Mirror or the book's Data Sets website.
Repeat steps 7-12 (in the workbook) for these five files:
- drive1.E01
- drive2.E01
- drive3.E01
- testimage.E01: the image you made of the USB drive with FTK Imager
- testimage.dd: the image you made of the USB drive with dd
NOTE: fsstat may not work correctly with drive3.E01. Do your best.
fsstat with dd images: If you leave out the -i argument (-i ewf) when executing fsstat, it should be able to process the .dd image. A .dd file is a raw image, which fsstat reads without an image-type argument; -i ewf is only needed to tell it that a file is an Expert Witness (E01) image.
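The two fsstat invocations above (with -i ewf for the .E01 files, without it for the .dd file) are the same command with a different image type. As an added example, not from the workbook or this lab, the script below picks the image type from the file name, finds the first allocated partition with mmls so fsstat can be pointed at the right sector offset, and falls back to offset 0 when the image has no partition table. It assumes mmls and fsstat from The Sleuth Kit (built with libewf for E01 support) are on PATH when run against a real image; the mmls parser is exercised on constructed sample output so it can be checked without the tools installed.

```shell
#!/bin/sh
# Added example (not from the workbook or the lab): choose the Sleuth Kit
# image type from the file name, locate the first allocated partition with
# mmls, and run fsstat at that sector offset. Assumes mmls and fsstat (The
# Sleuth Kit, built with libewf for E01 support) are on PATH when run against
# a real image; the mmls parser is exercised on constructed sample output below.

# tsk_imgtype FILE: "ewf" for Expert Witness (.E01) images, "raw" for .dd.
tsk_imgtype() {
    case "$1" in
        *.E01|*.e01) echo ewf ;;
        *)           echo raw ;;
    esac
}

# first_fs_offset: read mmls output on stdin and print the start sector of the
# first allocated partition. Allocated entries carry a numeric slot ("000:000"
# for DOS tables, "000" for GPT); "Meta" and "-------" rows are skipped.
# Returns 1 (prints nothing) when no allocated partition is listed.
first_fs_offset() {
    awk '$1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+(:[0-9]+)?$/ { print $3 + 0; found = 1; exit }
         END { exit !found }'
}

# fsstat_at IMAGE: mmls, then fsstat on the first partition. If mmls reports
# no partition table (e.g. a USB stick with a single filesystem starting at
# sector 0), fall back to fsstat at offset 0.
fsstat_at() {
    img=$1
    type=$(tsk_imgtype "$img")
    if off=$(mmls -i "$type" "$img" 2>/dev/null | first_fs_offset); then
        echo "# running: fsstat -i $type -o $off $img" >&2
        fsstat -i "$type" -o "$off" "$img"
    else
        echo "# no partition table; running: fsstat -i $type $img" >&2
        fsstat -i "$type" "$img"
    fi
}

# Constructed mmls output (not captured from the lab images) for offline checks.
MMLS_DOS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   NTFS / exFAT (0x07)'

MMLS_GPT_SAMPLE='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0000100000   0000097953   Linux filesystem'

printf '%s\n' "$MMLS_DOS_SAMPLE" | first_fs_offset   # prints 2048
```

Against a real image you would call `fsstat_at drive1.E01` or `fsstat_at testimage.dd`; the line it echoes to stderr is the exact command to copy into your event log, so the step is reproducible by someone who only has the log. The -o offset is in sectors, matching the "Units are in 512-byte sectors" line of mmls output.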
At the end of each part (chapter), be sure to update your lab report with a short summary or conclusion, then write your names (or sign it) and date it.
Chapter 5: Mounting Forensic Images for Scanning
You will need two large images for this lab. I recommend you DO NOT download them from the Data Sets web page (off campus) but DO get them here (on campus):
- drive12.E01 (4.7GB)
- drive10.E01 (2.9GB)
NOTE: drive12.E01 and drive10.E01 are giant. It may take a while to download them and you will need a good amount of free space on your computer.
Read the first page of chapter 5.
SKIP activity 5-1
Mounting an image with OSFMount and virus scanning it exposes your computer to any malware stored in the image, so we probably don't want to do that today.
Do activity 5-2
Step 20 may vary: Your results for step 20 may not exactly match the book. Most of it should be the same, but a few things may be different.
Complete the additional exercises at the end of chapter 5 using drive10.E01.
Additional Exercises Typo: Step f should say HKEY_LOCAL_MACHINE (HKLM) instead of HKEY_CURRENT_USER.
Finishing This Lab
When you're done with this lab, read over your lab report and ensure you've properly documented what you've done and with what you've worked.
If you haven't done it yet, don't forget to turn off the write blocking you enabled earlier (using regedit).
Submit your lab write-up for grading (to moodle in PDF format) when you are done with the lab.
You may delete the huge drive10.E01 and drive12.E01 files from your computer after you have submitted your lab report -- we will probably not use them for future labs.