Lab 2: File Analysis

When you're done with this lab you will have done the following things:

  1. Recover files from forensic images
  2. Determine file type from File Signatures
  3. Find files in a forensic image that have been deleted
  4. Carve (extract) deleted and partial files from a disk image

Expectations

Throughout this entire lab (and this course), this web site assumes you are using the RHIT-supplied image of Windows and that you're working with a partner out of the Digital Forensics Workbook (Michael K. Robinson). If you are not using the RHIT-supplied image, the steps may be slightly different. Your instructor is available for help.

As you work on the lab, you must document your process in an "event log" so the validity of the evidence and your analysis is never in question. For each section of the lab, be sure to follow the provided template and then sign (or write your name) and date your notebook entry.

Keep in mind as you work on this lab that your efforts must be:

  1. Repeatable -- If you perform the steps again on the same equipment, you must end up with the same results. You must document enough so that you can repeat your lab quickly (with the same results) if asked.

  2. Reproducible -- Someone else in a different lab with the same tools and evidence must be able to follow your steps and end up with the same results. You must document the results so someone else is able to repeat your lab (with the same results) if asked.

When you acquire evidence or artifacts, you must document:

If you do something with the evidence, you must document:

For a basic example, see the Sample Forensics Log Entry.

If you perform steps in the workbook, you may reference the steps (with page number and/or chapter number) in your writeup without repeating the text of the steps. Mainly, you must make it clear what actions you took and what results you saw.

Document your work as you do it. At the end of each part (chapter), be sure to update your lab notebook with a short summary or conclusion, then sign (or write your name) and date it.

Chapter 9: File Signature Analysis

Read chapter 9 and follow the instructions it contains.

NOTE: When you obtain WinHex, it will be a zip file. Decompressing it will result in lots of files. It is recommended you create a folder, put the zip file in that folder, then decompress the zip file.

PASSWORD: If you need a password for a dataset, look on page 5 of your lab manual.

VPN: If you are not on campus, you will need to use the VPN to access the mirrored copies of the data set (all mirror.csse.rose-hulman.edu links).

Do Activity 9-1

(do not complete the Additional Exercises)

From File_Signature-Examples.zip mentioned in the book

For each of the following files contained in the zip archive: identify and document the file signature, file type, and file extension associated with it.

File4
File5
File6
File7

Download File_Signature-Examples-2.zip and extract the files.

For each of the following files contained in the zip archive: identify and document the file signature, file type, and file extension associated with it.

File20
File21
File22
File23
File24
File25
File26

Chapter 6: Recovering Files from Forensic Images

Read chapter 6 and follow the instructions it contains.

Be sure to document your actions so your work is repeatable and reproducible.

SKIP activity 6-1

We do not have EnCase, so you will skip the part that uses it.

Do activity 6-2

Obtain Autopsy from the Mirror Copy. If you cannot get that version to work (or are not using 64-bit Windows), then use the URL in the book.

You'll also need drive2.E01, which you downloaded last week. If you deleted it, download it from the CSSE Mirror.

Do activity 6-3

Chapter 17: File Carving

Read chapter 17 and follow the instructions it contains.

Do activity 17-1

IMPORTANT: Do not download raw_image2.dd from the book web site! Instead, download raw_image.dd.bz2 from the CSSE Mirror. The .bz2 file is 1.6MB and you can decompress it using WinRar or a similar program. WARNING: it will decompress into a 1GB file.

Steps 29 and later have a typo: they reference a line ending for PDFs (25 25 45 4F 46 0A). If you look closely, Figure 17-10 shows 0D, while the text of steps 29 and later uses 0A. The last byte could be either 0A or 0D and still be valid, so when you search you will have to look for both.

Do the additional exercises in 17-1

Hint: all the files are in the first unallocated chunk; the rest are empty.
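As an added example (not from the workbook or this course site), here are the two checks the chapters above ask you to perform by hand, in Python: a signature lookup that flags a file whose extension disagrees with its magic bytes (Chapter 9), and a carver that pulls PDFs out of a raw image while accepting either 0A or 0D after %%EOF (Chapter 17). The signature table and the sample image are constructed for this example and are not the lab's data set.

```python
import re

# Magic-byte table, constructed for this example; use the workbook's reference
# tables for the graded exercises.
SIGNATURES = {
    b"%PDF-": ("PDF document", "pdf"),
    b"\xff\xd8\xff": ("JPEG image", "jpg"),
    b"\x89PNG\r\n\x1a\n": ("PNG image", "png"),
    b"PK\x03\x04": ("ZIP archive", "zip"),
}

def identify(data: bytes):
    """Return (file type, extension) from the leading bytes, or (None, None)."""
    for magic, (ftype, ext) in SIGNATURES.items():
        if data.startswith(magic):
            return ftype, ext
    return None, None

def extension_mismatch(name: str, data: bytes) -> bool:
    """True when a known signature disagrees with the file's extension."""
    _, ext = identify(data)
    return ext is not None and not name.lower().endswith("." + ext)

# '%%EOF' then LF (0A) or CR (0D): both are valid trailers, so match either.
PDF_TRAILER = re.compile(rb"%%EOF[\x0a\x0d]")

def carve_pdfs(image: bytes):
    """Carve each span from a '%PDF-' header to the next trailer as
    (offset, complete, data); a header with no trailer is carved to the end
    of the image and flagged as partial."""
    carved, pos = [], 0
    while (start := image.find(b"%PDF-", pos)) != -1:
        m = PDF_TRAILER.search(image, start)
        if m is None:
            carved.append((start, False, image[start:]))
            break
        carved.append((start, True, image[start:m.end()]))
        pos = m.end()
    return carved

# Constructed raw image: zeroed "unallocated" filler around two small PDFs,
# the first with an LF trailer and the second with a CR trailer.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer\n%%EOF\n"
    + b"\x00" * 8
    + b"%PDF-1.7\r1 0 obj<<>>endobj\rtrailer\r%%EOF\r"
    + b"\x00" * 8
)
```

Running `carve_pdfs(SAMPLE_IMAGE)` returns both PDFs at offsets 16 and 65; searching for only the 0A trailer would miss the second one.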

Do activity 17-2

Do activity 17-3

NOTE: The URL for "Bulk Extractor" is incorrect. You can obtain it from the CSSE Mirror or from the author's website.

NOTE: When you open the raw_image.dd file, you will have to choose "all files" in the file open dialog so that Bulk Extractor can find it.

Do the associated exercises in 17-3

Verify you get the same answers as the lab workbook.

Finishing This Lab

When you're done with this lab, read over your lab report and ensure you've properly documented what you've done and what you've worked with.

Submit your lab write-up for grading (to Moodle in PDF format) when you are done with the lab.