Lab 1: Preliminaries

When you're done with this lab you will have done the following things:

  1. Used a (software) write blocker to avoid altering evidence
  2. Created a forensic image
  3. Identified attributes/filesystem info from an image
  4. Mounted and scanned a forensic image

Expectations

Throughout this entire lab (and this course), this website assumes you are using the RHIT-supplied image of Windows and that you're working with a partner out of the Digital Forensics Workbook (Michael K. Robinson). If you are not using the RHIT-supplied image, the steps may be slightly different. Your instructor is available for help.

As you work on the lab, you must document your process in an "event log" so the validity of the evidence and your analysis is never in question. For each section of the lab, be sure to follow the provided template and then sign (or write your name) and date your report/notebook entry.

Keep in mind as you work on this lab that your efforts must be:

  1. Repeatable -- If you perform the steps again on the same equipment, you must end up with the same results. You must document enough so that you can repeat your lab quickly (with the same results) if asked.

  2. Reproducible -- Someone else in a different lab with the same tools and evidence must be able to follow your steps and end up with the same results. You must document the results so someone else is able to repeat your lab (with the same results) if asked.

Chapter 2: Software Write Blocking

Read chapter 2 and follow the instructions it contains. Your instructor will provide you with a USB drive to examine.

Be sure to document your actions so your work is repeatable and reproducible.

When you acquire evidence or artifacts, you must document:

If you do something with the evidence, you must document:

For a basic example, see the Sample Forensics Log Entry.

At the end of each part (chapter), be sure to update your lab report with a short summary or conclusion, then sign (or write your name) and date it.

Chapter 3: Creating Forensic Images

Read chapter 3 and follow the instructions it contains.

Obtain FTK Imager from the Mirror Copy. If you cannot get that version to work, then use the link in the book.

Do activity 3-1 using the USB drive provided by your instructor.

Save the file with the name "testimage.E01".

Do activity 3-2 using the USB drive provided by your instructor.

Save the file with the name "testimage.dd".

Disable software write blocking!

Don't forget to turn off the write blocking that you enabled earlier (using regedit).

SKIP activity 3-3.

SKIP activity 3-4.

At the end of each part (chapter), be sure to update your lab report with a short summary or conclusion, then write your names (or sign it) and date it.

Chapter 4: File System Identification

Read chapter 4 and follow the instructions it contains.

NOTE: Forensic_Images.zip does not exist. Instead, you should download the necessary files from the Data Sets Mirror or the book's Data Sets website.

Repeat steps 7-12 (in the workbook) for these five files:

NOTE: fsstat may not work correctly with drive3.E01. Do your best.

fsstat with dd images: If you leave out the image-type argument (-i ewf) when running fsstat, it will treat the file as a raw image and should be able to process the .dd image.
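As an added illustration (not from the workbook or this lab), the script below shows why that flag matters: an .E01 file begins with the EWF container signature, while a raw .dd image starts directly with the volume boot sector that fsstat parses for its first few lines of output. It builds constructed NTFS and FAT32 boot sectors in memory rather than reading any real evidence image.

```python
import struct

# Every EWF (.E01) segment starts with this 8-byte signature; a raw .dd image
# has no container header, so its first 512 bytes are the volume boot sector.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"

def identify_boot_sector(bs: bytes) -> dict:
    """Parse the first fields fsstat reports from a 512-byte boot sector."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xaa":
        return {"fstype": "unknown", "reason": "no 0x55AA boot signature"}
    info = {
        "oem": bs[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": struct.unpack_from("<H", bs, 11)[0],
        "sectors_per_cluster": bs[13],
    }
    if info["oem"] == "NTFS":
        info["fstype"] = "NTFS"
        info["mft_cluster"] = struct.unpack_from("<Q", bs, 48)[0]
    elif bs[82:87] == b"FAT32":
        info["fstype"] = "FAT32"
        info["root_cluster"] = struct.unpack_from("<I", bs, 44)[0]
    elif bs[54:59] in (b"FAT12", b"FAT16"):
        info["fstype"] = bs[54:59].decode("ascii")
        info["root_entries"] = struct.unpack_from("<H", bs, 17)[0]
    else:
        info["fstype"] = "unknown"
    return info

def identify_image(data: bytes) -> dict:
    """Tell an E01 container apart from a raw image and describe the raw one."""
    if data[:8] == EWF_SIGNATURE:
        # The boot sector sits inside EWF chunks, which is why fsstat needs -i ewf.
        return {"container": "ewf"}
    return {"container": "raw", **identify_boot_sector(data[:512])}

def sample_boot_sector(fstype: str) -> bytes:
    """Constructed NTFS or FAT32 boot sector for the demo; not real evidence."""
    bs = bytearray(512)
    if fstype == "NTFS":
        bs[3:11] = b"NTFS    "
        struct.pack_into("<HB", bs, 11, 512, 8)      # 512 B/sector, 8 sectors/cluster
        struct.pack_into("<QQ", bs, 48, 786432, 2)   # $MFT cluster, $MFTMirr cluster
    else:
        bs[3:11] = b"MSDOS5.0"
        struct.pack_into("<HB", bs, 11, 512, 16)     # 512 B/sector, 16 sectors/cluster
        struct.pack_into("<I", bs, 44, 2)            # root directory at cluster 2
        bs[82:90] = b"FAT32   "
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)
```

To try it on your own testimage.dd, pass the first 512 bytes of the file to identify_image and compare the fields with the top of the fsstat output.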

At the end of each part (chapter), be sure to update your lab report with a short summary or conclusion, then write your names (or sign it) and date it.

Chapter 5: Mounting Forensic Images for Scanning

You will need two large images for this lab. I recommend you DO NOT download them from the Data Sets web page (off campus) but DO get them here (on campus):

NOTE: drive12.E01 and drive10.E01 are giant. It may take a while to download them and you will need a good amount of free space on your computer.

Read the first page of chapter 5.

SKIP activity 5-1

Mounting and virus scanning with OSFMount exposes you to viruses, so we probably don't want to do that today.

Do activity 5-2

Step 20 may vary: Your results for step 20 may not exactly match the book. Most of it should be the same, but a few things may be different.

Complete the additional exercises at the end of chapter 5 using drive10.E01.

Additional Exercises Typo: Step f should say HKEY_LOCAL_MACHINE (HKLM) instead of HKEY_CURRENT_USER.

Finishing This Lab

When you're done with this lab, read over your lab report and ensure you've properly documented what you've done and what you've worked with. If you haven't done it yet, don't forget to turn off the write blocking that you enabled earlier (using regedit).

Submit your lab write-up for grading (to moodle in PDF format) when you are done with the lab.

You may delete the huge drive10.E01 and drive12.E01 files from your computer after you have submitted your lab report -- we will probably not use them for future labs.