CS 4273/6273 
Introduction to Cyber Crime and Computer Forensics

Lab Manual Ver. 2.0

Foreword

 

These exercises assume an understanding of various computer concepts. Some individuals will need to do independent research to complete an exercise. “Introduction to Computer Forensics” is a multidisciplinary course, and the author may have taken knowledge of some concepts for granted. Therefore, do not put these exercises off until the last minute! If you get lost or do not understand a concept, seek help. For example, the exercise “Email Tracing” gives no specific instructions on how to get to a UNIX prompt or how to download and install SamSpade. The author assumes these are basic skills for someone taking an upper-level computer-based course.

 

Lab Equipment          

 

            Some exercises can be performed outside the laboratory, but most will require special equipment that will be set up before each exercise is assigned. We are privileged to have access to this equipment. Therefore, always return equipment back to the state you found it in so that we may continue using it. Please report any problems with the lab equipment to the lab TA, system administrator, or your instructor.

 

Worksheets

 

            Along with the exercise folders, there is a folder called “worksheets.” This folder contains various worksheets created for this course. When completing a worksheet make sure to fill out all appropriate blanks. If you are not sure what something is or means please ask. The deliverables will tell you which worksheets are to be filled out for each exercise.

 

Exercise Format

 

            The following lists the sections each exercise contains and a brief explanation of each:

 

Introduction: A brief statement about what the exercise is about

Objectives: A statement(s) pertaining to the things a student is expected to accomplish

Instructions: Details about the tools you are expected to use in the exercise

Problem Statement: Exactly what you are expected to do for the exercise

Deliverables: What your final submission package should contain

Analysis Questions: Subject matter questions to be answered

 

Contents

 

 

Exercise 1: Imaging

Exercise 2: Email Tracing

Exercise 3: Storage Media

Exercise 4: Investigating Windows

Exercise 5: NTI Suite

Exercise 6: Encryption and Decryption

Exercise 7: Data Hiding and Steganography

Exercise 8: EnCase/Forensic Tool Kit

Exercise 9: Hostile Code

Exercise 10: Unix I

Exercise 11: Unix II

Final Exercise: Scavenger Hunt

 


Introduction to Computer Crime and Forensics

Exercise 1

Imaging

 

Introduction:

 

One of the first and most important things to do when conducting an investigation is to create several images of the media so that the content can be analyzed without altering the original. We have two tools available for this procedure. We have the software Safe Back and we have several Solo Image Massters. This exercise will require you to image using both.

 

Objectives:

 

  • To become familiar with the imaging process
  • To gain experience using the software Safe Back
  • To become familiar with a Solo Image Masster imaging tool

 

Instructions:

 

Safe Back

 

There are two small logical drives located on one of the forensic computers.  Use these two partitions to conduct the procedures below. First, both partitions should be wiped. Use MSPRO or scrub for this.

 

WARNING: Do not under any circumstances wipe any other drives. If you have any doubt as to which two small partitions this exercise refers to, seek guidance before conducting the exercise!!!!!!!

 

1.         Restart in DOS mode.

2.         Change to the NTI directory and type the command MSPRO.

3.         In the cleaning box type the drive letters, separated by a space, for the two drives to be wiped. Make sure to remove the C from the cleaning box!!!!!

4.         Select clean.

5.         On completion, return to Windows.

 

Now create an image file for the partition containing the evidence and restore the image onto the other partition.

 

6.         Create your evidence disk by placing some files from the c drive into your chosen partition.

7.         Restart in DOS mode.

8.         Change to the Safe Back directory and use the command MASTER.

9.         Hit enter and place the cursor over the drive representing the evidence disk and hit the space bar to mark the partition for back up.

10.       Follow all other prompts accordingly.

11.       Now restore this image onto the other partition using the restore option.

 

Now use the CRCMD5 or DISKSIG NTI tool to create hash values, verifying that the partitions are identical. (See Exercise 5 if instructions are needed for this.)

 

Image Master

 

Check out the following from your TA, lab manager, or system admin:

 

  • Two hard drives
  • Image Master
  • Image Master manual

 

Review the manual to discover how to connect the drives, wipe drives, and how to do a single capture. (A bit-for-bit copy from the external to the internal drive.)

 

Connect the drives as directed and wipe the internal drive (the drive that is not the suspect drive.) Now begin a single capture from drive to drive. You do not have to complete the capture. Both drives are blank. Include some information that the Image Master gave you about the drives as part of your report.

 

Warning: Be exceedingly careful and make sure to follow the directions exactly. If you have any doubts or questions, ask someone in charge!!!

 

Problem Statement:

 

Follow the instructions above, recording the appropriate information. When finished, return the equipment to the state you found it in, including returning it to whomever you checked it out from. The exercise is not complete until you return the equipment.

 

Deliverables:

 

  • Safe Back Image Worksheet
  • SoloMaster Duplication Worksheet (see page one “Worksheets”)
  • Report on Safe Back and Image master that at least includes
    • Safe Back report
      • MD5 hash values
      • A description of the data placed on the partition prior to imaging
    • Image Master report
      • Time it took to wipe the drive
      • Some other information from the image master screen
  • Answers to the analysis questions

 

 

Analysis Questions:

 

  1. How do these types of backups differ from commercial type backups?
  2. When would it be appropriate to use Safeback/Image Master?
  3. Where in the process of acquiring evidence would this backup need to be done?
  4. How many images would you need to make of the suspect’s drives?

Introduction to Computer Crime and Forensics

Exercise 2

Email Tracing

 

Introduction:

 

Emails have become a popular medium for conducting personal and business matters. When investigating a suspect’s PC, it is very likely that large amounts of email will be discovered. Using common tools an investigator can trace these emails back to an ISP, a person, or even the originating machine. This exercise will demonstrate how this tracking can be done. This exercise does not have to be performed in the forensic lab; it can be done on any computer with internet access.

 

Objectives:

 

  • To become familiar with email headers and their contents
  • To be able to use software tools to trace emails back to their source

 

Instructions:

 

            On first examination of an email it may just appear to be a text message. However, when you “view source” or when you examine the document with a text editor, the header information becomes apparent. This header is what email servers use to route the emails to their destination. Every time an email passes through one of these servers, additional header information is added to the top of the email. Take, for example, this email header:

 


Received: from mwweb08la (unverified [10.1.9.10]) by
    mwsmtp03la.mail2world.com (Rockliffe SMTPRA 4.5.6) with ESMTP id
    <B0113070067@mwsmtp03la.mail2world.com> for <victim@cse.msstate.edu>;
    Tue, 18 Nov 2003 09:09:02 -0800
Received: from [130.18.206.39] by mail2world.com with HTTP; 11/18/2003
    9:09:02 AM PST
thread-index: AcOt9qo53VbtvWWpRtOg1ttolVJwPg==
Thread-Topic: Greetings from Blackhat Joe
From: "Blackhat Joe" <blackhatjoe@mail2world.com>
To: <victim@cse.msstate.edu>
Subject: Greetings from Blackhat Joe
Date: Tue, 18 Nov 2003 09:09:02 -0800

 

 

Every time you see a new “Received:” it represents a different server the email passed through. Therefore, the received line directly above the “From” field will be the most important. This line will be as close as you can get to the originating machine because the additional headers are placed on top of the existing ones. How close this information is to the source depends on several factors: what email client was used, the mail server of the ISP, etc.

 

Note: Although the first received line is the most important, be careful. It is easy to spoof this line. The real first line might be further up than you think.

 

Look closer at the received line from above.

 

Received: from [130.18.206.39] by mail2world.com with HTTP; 11/18/2003

    9:09:02 AM PST

 

It appears to have been sent from a machine with the IP address 130.18.206.39 using an HTTP-based email client. (See your textbook for more information on IP addressing.) These are both important facts. For example, we know the email was sent with an HTTP client like Yahoo or Hotmail, which means the header will not reveal the machine name. That makes it harder to get back to the originating machine.

           

We can, however, trace the IP address. There are several tools that can be used in IP address tracing, such as ping, nslookup, tracert, whois, and finger. Some of these tools can be used from DOS, while others must be executed from a UNIX prompt. To backtrack the IP address 130.18.206.39, nslookup should be used from a DOS prompt or from any of several websites (http://cc-www.uia.ac.be/ds/nslookup.html or http://www.infobear.com/cgi-bin/nslookup.cgi, for example). After running nslookup on the above IP, the following information is obtained:

 

Server:  radius.net.msstate.edu

Address:  130.18.78.2

 

Name:    cssl039.cse.msstate.edu

Address:  130.18.206.39

 

The first two lines show where the information is coming from. The next two lines show the results. Now we can find out who owns msstate.edu using the UNIX command whois. If the ISP is willing to cooperate, it is also possible to find out who was using the above IP address at the time the email was sent. We must also consider whether DHCP is in use. If it is, that address might have been a temporary assignment.

The above directions outlined a few things that can be done to trace emails. The process used was a manual one. If you are not familiar with the above commands or DOS and UNIX prompts, then try the program SamSpade at http://www.samspade.org/ssw/. It automates the process with a graphical interface as well as providing other useful commands.
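The header walk described above, done in code rather than by eye. This is an added example and not part of the lab manual: it parses a constructed copy of the sample header shown above with Python's standard library, lists the Received: hops from the one nearest the sender outward, flags private addresses (which belong to the provider's internal network, not to the sender) and names the candidate origin. The function names are the example's own.

```python
import email
import ipaddress
import re

# Constructed copy of the header from the exercise above, folded onto
# continuation lines the way a mail server writes it, with a dummy body.
SAMPLE_MESSAGE = """\
Received: from mwweb08la (unverified [10.1.9.10]) by
    mwsmtp03la.mail2world.com (Rockliffe SMTPRA 4.5.6) with ESMTP id
    <B0113070067@mwsmtp03la.mail2world.com> for <victim@cse.msstate.edu>;
    Tue, 18 Nov 2003 09:09:02 -0800
Received: from [130.18.206.39] by mail2world.com with HTTP; 11/18/2003
    9:09:02 AM PST
thread-index: AcOt9qo53VbtvWWpRtOg1ttolVJwPg==
Thread-Topic: Greetings from Blackhat Joe
From: "Blackhat Joe" <blackhatjoe@mail2world.com>
To: <victim@cse.msstate.edu>
Subject: Greetings from Blackhat Joe
Date: Tue, 18 Nov 2003 09:09:02 -0800

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def parse_received(value):
    """Pull the sending host, receiving host and any IPv4 literals out of
    one Received: header value (folding whitespace is collapsed first)."""
    flat = " ".join(value.split())
    m = FROM_BY.search(flat)
    return {
        "from": m.group(1) if m else None,
        "by": m.group(2) if m else None,
        "ips": IPV4.findall(flat),
        "raw": flat,
    }


def hop_chain(raw_message):
    """Return the Received: hops in transmission order: index 0 is the
    header written closest to the sender (the bottom-most Received: line),
    the last element is the header written by the final server."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(headers)]


def is_private(ip):
    """True for RFC 1918 and similar non-routable addresses, which mark a
    hop inside the provider's network rather than the sender's machine."""
    return ipaddress.ip_address(ip).is_private


def likely_origin(raw_message):
    """First IP literal in the hop nearest the sender, or its host name if
    none was recorded. Only as trustworthy as the server that wrote the
    header above it: anything beneath that can have been forged."""
    hops = hop_chain(raw_message)
    if not hops:
        return None
    first = hops[0]
    return first["ips"][0] if first["ips"] else first["from"]


def print_trace(raw_message):
    for n, hop in enumerate(hop_chain(raw_message)):
        tag = ", ".join(
            f"{ip} ({'private' if is_private(ip) else 'public'})" for ip in hop["ips"]
        ) or "no IP literal"
        print(f"hop {n}: {hop['from']} -> {hop['by']}  [{tag}]")
    print("candidate origin:", likely_origin(raw_message))


if __name__ == "__main__":
    print_trace(SAMPLE_MESSAGE)
```

On the sample header this reports hop 0 as 130.18.206.39 handed to mail2world.com over HTTP, and hop 1 as the provider's internal relay 10.1.9.10, so the candidate origin is 130.18.206.39; the reverse lookup of that address is still the manual nslookup step described above.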

 

 

 

 

Problem Statement:

 

Using SamSpade or manual commands examine all the emails in the EmailTracing/evidence folder. Gather all the information you can about the receiver and sender. Try to determine all of the following possible for each email:

 

  • The name of the machine the email was sent from
  • The IP address of the machine the email was sent from
  • The user’s ISP

 

Deliverables:

 

  • Case Examination Worksheet
  • A chart neatly organizing what was discovered from each email
  • Answers to the analysis questions

 

Analysis Questions:

 

  1. What is DHCP? Does it make email tracing easier or more difficult?
  2. What is the IP address for yahoo.com? What tool did you use to find this out?
  3. What domain name is associated with 66.135.192.87? What tool did you use to discover this?
  4. Besides nslookup, ping, or whois, describe another useful tool/command that can be used when investigating networks.


Introduction to Computer Crime and Forensics

Exercise 3

Storage Media

 

Introduction:

 

If you are going to search media for hidden data, you need to understand the structure of media. This assignment examines media both physically and logically.

 

Objectives:

 

  • To understand the physical structure of a hard drive
  • To understand the logical structure of a 3.5 floppy

 

Instructions:

 

In the folder “StorageMedia” there is a program called diskedit. This program will allow you to view the logical structure of a drive in several different ways. First, either boot to a DOS prompt or open a DOS window. Then, change to the directory containing diskedit and type “diskedit”. Make sure you are looking at drive a: by selecting Object -> Drive -> a:. If you booted to a DOS prompt, the mouse will not work, but you can hold the Ctrl key down and press the first letter of the menu you want to pull down. Then, use the arrow keys to navigate.

 

Problem Statement:

 

There are two disks in the lab, a hard drive with broken seals and a 3.5 in. floppy disk. First, examine the hard drive and sketch/label all the parts you can identify. Make sure to sketch the platters and the read/write head. Now explore the functions of diskedit by using it to examine the floppy. Your main objective is to become familiar with the diskedit program.

During your examination try the following:

 

  • Find the FAT table. What file system was the disk formatted under?
  • Examine the disk as a FAT table. What could EOF mean?
  • View the disk as text. Find anything interesting?
  • Perform a search for txt files. List at least three of them.
  • Do a search for deleted files by finding sigmas. List at least three of them.
  • Somewhere on the disk is the beginning of a chapter from a popular children’s book. Try to locate it and report what the book is.

 

Note: Using the find utility for the last three items will help greatly!

 

Now change to the c: drive and look around. Describe some differences in your report.
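The on-disk structures diskedit shows, decoded in code. This is an added example, not from the manual: it builds a constructed FAT12 root directory and file allocation table with Python's standard library, shows why a deleted entry appears as a sigma (the first name byte is overwritten with 0xE5, which code page 437 renders as σ), reads the deleted entry's surviving name, start cluster and size, and follows a cluster chain to its end-of-chain (EOF) marker. The layout constants are the standard FAT ones; the data and function names are the example's own.

```python
import struct

# A FAT directory entry is 32 bytes: 8-byte name, 3-byte extension, attributes,
# timestamps, first cluster (high word used by FAT32 only) and file size.
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
DELETED = 0xE5      # first name byte of a deleted entry
END_OF_DIR = 0x00   # first name byte of the entry that ends the directory
ATTR_LFN = 0x0F     # long-file-name entries, not real files


def deleted_marker_glyph():
    """DOS tools render 0xE5 through code page 437, where it is a sigma."""
    return bytes([DELETED]).decode("cp437")


def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build one constructed directory entry (timestamps zeroed)."""
    raw_name = name.ljust(8).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED]) + raw_name[1:]
    return ENTRY.pack(raw_name, ext.ljust(3).encode("ascii"), 0x20,
                      0, 0, 0, 0, 0, 0, 0, 0, first_cluster, size)


def parse_directory(blob):
    """Walk directory entries, keeping deleted ones with cluster and size."""
    entries = []
    for off in range(0, len(blob) - ENTRY.size + 1, ENTRY.size):
        f = ENTRY.unpack_from(blob, off)
        raw_name, ext, attr = f[0], f[1], f[2]
        if raw_name[0] == END_OF_DIR:
            break
        if attr == ATTR_LFN:
            continue
        deleted = raw_name[0] == DELETED
        # Only the first character is lost on deletion; the rest survives.
        base = ("?" + raw_name[1:].decode("ascii")) if deleted else raw_name.decode("ascii")
        entries.append({
            "name": base.rstrip() + "." + ext.decode("ascii").rstrip(),
            "deleted": deleted,
            "first_cluster": f[11],
            "size": f[12],
        })
    return entries


def pack_fat12(values):
    """Pack 12-bit FAT entries, two per three bytes, little-endian."""
    if len(values) % 2:
        values = values + [0]
    out = bytearray()
    for a, b in zip(values[0::2], values[1::2]):
        out += bytes([a & 0xFF, ((a >> 8) & 0x0F) | ((b & 0x0F) << 4), (b >> 4) & 0xFF])
    return bytes(out)


def fat12_value(fat, n):
    """Read FAT entry n (the 12-bit value stored for cluster n)."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word & 0x0FFF if n % 2 == 0 else word >> 4


def describe_fat_value(v):
    if v == 0x000:
        return "free"
    if 0x002 <= v <= 0xFEF:
        return "next cluster %d" % v
    if v == 0xFF7:
        return "bad cluster"
    if v >= 0xFF8:
        return "end of chain (EOF)"
    return "reserved"


def follow_chain(fat, start):
    """Follow a cluster chain until an EOF, free or bad marker stops it."""
    chain, c = [], start
    while 0x002 <= c <= 0xFEF:
        chain.append(c)
        c = fat12_value(fat, c)
    return chain


# Constructed root directory: a live file in clusters 2-3 and a deleted
# file whose entry still points at cluster 4, which the FAT now marks free.
SAMPLE_DIR = (make_entry("NOTES", "TXT", 2, 700)
              + make_entry("SECRET", "TXT", 4, 300, deleted=True)
              + bytes(ENTRY.size))
SAMPLE_FAT = pack_fat12([0xFF0, 0xFFF, 0x003, 0xFFF, 0x000, 0x000])

if __name__ == "__main__":
    print("deleted entries show as", deleted_marker_glyph())
    for e in parse_directory(SAMPLE_DIR):
        chain = follow_chain(SAMPLE_FAT, e["first_cluster"])
        print(e["name"], "deleted" if e["deleted"] else "live", e["size"], "bytes, clusters", chain)
```

The deleted entry keeps its start cluster and size even though the FAT marks that cluster free, which is exactly why the contents are recoverable until something new is written there; the live file's chain 2 -> 3 ends at the 0xFFF value that diskedit displays as EOF.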

 

 

Deliverables:

 

  • Removable Media Evidence Worksheet
  • Report detailing your findings from the problem statement section
  • Answers to the analysis questions

 

Analysis Questions:

 

  1. Can you really erase a hard drive? Explain.
  2. What would be some circumstances where a program like diskedit would be useful?
  3. Why are you still able to recover data after formatting a hard drive?

 


Introduction to Computer Crime and Forensics

Exercise 4

Investigating Windows

 

Introduction:

 

            This exercise concentrates on examining the Windows operating system without the use of any special forensic tools.

 

WARNING: Do not change anything when examining the registry!!!

 

Objective:

 

  • To become familiar with the Windows registry
  • To be able to investigate a Windows machine without the use of any forensic tools

 

Instructions:

 

The registry is a great place to look for information. To examine the registry, click Start, then Run, and use the command “regedit.” A window similar to a Windows Explorer window will appear. You can expand and collapse the folders in the same manner as Explorer. Here are some things you can find in the registry. (You may encounter some differences as you explore different versions of Windows. Just report these differences and keep going.)

 

Open the following keys (they appear as folders in regedit):

HKEY_CURRENT_USER
    Software
        Microsoft
            Windows
                CurrentVersion
                    Explorer

 

Now try to locate the most recent searches made on this machine. Look for DocFindSpecMRU.

 

We can also see the most recently run commands in RunMRU.

 

Now go up one level and locate the Internet Explorer folder.

 

The last-typed URL can be found in TypedURLs.

 

            These are just a few examples of the types of information that can be found in the registry.
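The same two lookups done from an export of the keys rather than by clicking through regedit, which also keeps the examination read-only. This is an added example, not the manual's: it parses a constructed regedit export (.reg text) of the RunMRU and TypedURLs keys named above with Python's standard library and orders the entries the way the keys store them: RunMRU keeps an MRUList value whose letters give most-recent-first order and ends each command with “\1”, and TypedURLs numbers its values with url1 as the most recent. The key paths are the real ones; the values in the export are constructed.

```python
import re

# Constructed regedit export of the two keys discussed above.  In a .reg
# file string data is quoted and backslashes are doubled.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="regedit\\1"
"b"="cmd\\1"
"c"="notepad c:\\evidence\\notes.txt\\1"
"MRUList"="cba"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.example.org/"
"url2"="http://intranet/"
'''

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
TYPEDURLS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s):
    """Undo .reg quoting (doubled backslashes, backslash-escaped quotes)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key path: {value name: data}} for the string values in an export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if not m:
                continue          # blank lines and non-string data are skipped
            name, data = unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = unescape(data[1:-1])
    return keys


def run_mru_history(values):
    """Commands typed into Run, most recent first, in the order MRUList gives."""
    history = []
    for letter in values.get("MRUList", ""):
        data = values.get(letter)
        if data is None:
            continue
        history.append(data[:-2] if data.endswith("\\1") else data)
    return history


def typed_url_history(values):
    """URLs typed into Internet Explorer, url1 being the most recent."""
    numbered = [(int(n[3:]), v) for n, v in values.items()
                if n.startswith("url") and n[3:].isdigit()]
    return [v for _, v in sorted(numbered)]


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_EXPORT)
    print("Run history:", run_mru_history(keys[RUNMRU_KEY]))
    print("Typed URLs: ", typed_url_history(keys[TYPEDURLS_KEY]))
```

A real export written by regedit is saved as UTF-16 text with a byte-order mark, so read the file with encoding="utf-16" before handing the text to parse_reg_export; exporting a key and examining the copy is also the safest way to honour the warning above about changing nothing.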

 

Problem Statement:

 

             This exercise can be performed on the lab computers or on a personal PC. Follow the instructions from above and report what you find in each location. Additionally, try to locate at least three other pieces of information found in the registry that could be useful in an investigation.

            Now, continue the investigation. Leave the registry behind and explore other ways to look for evidence on a Windows PC. Look for things like cookies and programs. If possible, perform the investigation on someone else’s machine. (Obtain their permission, of course.) Try to think of common things that could be useful for an investigator, but that are usually not thought of as sources of investigation.

 

Deliverables:

 

  • Computer Evidence Worksheet for each computer examined
  • Report detailing what you found in the registry and beyond
  • Answers to the analysis questions

 

Analysis Questions:

 

  1. Why would it be a good idea to examine the registry for information instead of looking through the computer itself? (For example, looking in the registry for recently typed URLs instead of opening Explorer)
  2. Name three places you found information, excluding the registry.
  3. In what kind of situations would it be important to know how to find information without using forensic tools? 

 


Introduction to Computer Crime and Forensics

Exercise 5

NTI Suite

 

Introduction:

 

The NTI Incident Response Suite is a set of DOS-based forensic tools produced by New Technologies, Inc. On the lab computers, there is a folder labeled NTI containing these tools. You will utilize these tools and a provided floppy to complete this exercise.

 

Objectives:

 

  • To be able to use multiple NTI tools to examine a 3.5 floppy
  • To be able to reconstruct a deleted text file

 

Instructions:

 

Locate the NTI tools on the lab machine. Each one of these tools is a DOS based utility. Therefore, to use each one, simply go to a DOS prompt and change to the directory containing the tools. Then, enter the name of the tool you wish to use along with the appropriate parameters. If the appropriate parameters are not known, simply enter the name of the tool, and a small set of instructions, including the parameters, will be displayed. Each executable also has a readme file containing detailed information about that executable. See this file if more information about the tool is needed.

 

Problem Statement:

 

In the lab, there should be an evidence floppy. Treat this floppy as if it were found near a suspected drug dealer’s computer. Let us say he has admitted to his crimes but is refusing to reveal his contacts. On his desktop was found an encrypted text file we suspect contains his contacts. Breaking the encryption will take time, and there is a concern that once his imprisonment becomes public his contacts will flee. We think that the floppy may have contained some or all of his contacts. Use the NTI tools on the lab computer to examine the floppy and try to find all the contacts you can. (Hint: there are 8 of them.)  Treat this like an image given to you for examination. Therefore, the first step is creating a hash for your evidence so that you can prove later that it was not tampered with. Use DISKSIG.EXE to hash the drive and redirect the output to a file to include in your report. Use “ > filename” at the end of the command to redirect the output.

 

The form of the DISKSIG command is as follows:

 

    DISKSIG [/b] drive: ... drive:
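A scripted equivalent of the DISKSIG step, and of the CRCMD5/DISKSIG check Exercise 1 asks for after restoring an image onto the second partition. This is an added example, not the NTI tool: it hashes an image stream in sector-sized chunks with Python's hashlib, produces a plain-text signature report of the kind you would redirect into a file, and compares a restored copy and a tampered copy against the original. The three images are constructed byte strings; the function names are the example's own.

```python
import hashlib
import io

SECTOR = 512


def disk_signature(stream, algorithms=("md5", "sha256"), chunk=SECTOR * 64):
    """Hash a device or image stream in fixed-size chunks so that a whole
    partition can be signed without loading it into memory."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    total = 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        total += len(block)
        for h in hashers.values():
            h.update(block)
    sig = {a: h.hexdigest() for a, h in hashers.items()}
    sig["bytes"] = total
    return sig


def signature_of_bytes(data):
    """Convenience wrapper for in-memory images."""
    return disk_signature(io.BytesIO(data))


def signature_report(label, sig):
    """Plain-text report lines, the kind you redirect into a file for the case."""
    lines = [f"signature of {label}: {sig['bytes']} bytes"]
    lines += [f"  {a}: {sig[a]}" for a in sig if a != "bytes"]
    return "\n".join(lines)


def verify_copy(original, copy):
    """Compare two signatures; returns (identical, names of differing fields)."""
    diffs = [k for k in original if original[k] != copy.get(k)]
    return (not diffs, diffs)


# Constructed "partitions": an original, a bit-for-bit restore, and a copy
# with a single flipped bit deep inside the data.
ORIGINAL = (b"evidence sector " * 32) * 6 + bytes(SECTOR)   # 6 data sectors + 1 empty
RESTORED = bytes(ORIGINAL)
TAMPERED = bytearray(ORIGINAL)
TAMPERED[2000] ^= 0x01
TAMPERED = bytes(TAMPERED)


def check_images():
    """Sign all three images and say which ones match the original."""
    sigs = {name: signature_of_bytes(data)
            for name, data in (("original", ORIGINAL), ("restored", RESTORED), ("tampered", TAMPERED))}
    return {name: verify_copy(sigs["original"], sigs[name])[0] for name in sigs}


if __name__ == "__main__":
    for name, data in (("original", ORIGINAL), ("restored", RESTORED), ("tampered", TAMPERED)):
        print(signature_report(name, signature_of_bytes(data)))
    print(check_images())
```

Two digests are recorded because the tools in this manual only produce MD5, which is enough to prove a copy is bit-identical to its source but is no longer considered collision resistant; recording SHA-256 alongside costs one extra pass over the same chunks.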


Now examine the disk using some of the other tools. Make sure to at least use the following tools.

 

  • GETFREE
  • GETSLACK
  • FILELIST
  • One other executable not already used

 

The usage of these tools should be similar to DISKSIG. There are text files in the NTI folder that explain what each is and how to use each one.

 

Hint: the filter switch (/f) can make your life much easier

 

Note: Everything we are doing can just as easily be done on a hard drive. However, a hard drive would take much longer.

 

Deliverables:

 

  • Completed Removable Media Worksheet
  • A report containing all the contacts you found
  • Answers to the analysis questions

 

Analysis Questions:

 

  1. Describe the differences in free space, slack space, and swap space.
  2. What is the purpose of FILTER_I?
  3. Why would someone want to use MSPRO or scrub instead of just formatting or erasing a hard drive?
  4. What are some of the advantages you see of using DOS-based tools like these over a Windows-based forensic tool?

Introduction to Computer Crime and Forensics

Exercise 6

Encryption and Decryption

 

Introduction:

 

            When analyzing a computer, it is likely that at some point you will encounter files that have been encrypted. This is a two-part exercise. Two tools will be examined. First, Gnupg will be used to encrypt and decrypt files. Then, a Windows password-cracking tool will be used to crack a few files.

 

Note: Included in the “Tools” folder are a demo version of the program from Part II, a copy of gnupg, and a version of WinZip that will allow for the cracking of passwords using the demo password cracker. The demo version will not be sufficient to complete the exercises.

 

Objectives:

 

  • To understand the encryption and decryption process
  • To be able to encrypt and decrypt files using gnupg
  • To be able to use Password Recovery to discover the passwords on encrypted office documents
  • To be able to judge the difference in the security levels of different passwords

 

Instructions:

 

Gnupg

 

Gnupg is a command line program similar to the popular encryption program PGP. It does not use the same patented algorithm and therefore can be distributed as freeware. (See http://www.gnupg.org for further detail.)  Follow the steps below to create an encrypted message.

 

1. First, create the directory c:\Gnupg.

2. Now, unzip gnupg-w32cli-1.2.2.zip into this directory.

3. Before being able to encrypt or decrypt, it will be necessary to create a public and a private key by typing the command “gpg --gen-key.”

4. Answer the questions with the default values: enter 1 -> 1024 -> 0.

5. To construct the user id, use your real name followed by your email address followed by your first name or nickname.

6. Now, enter a passphrase that can easily be remembered but cannot be easily guessed.

7. The program will now generate its keys. If it has trouble generating a key, start opening and closing programs and moving the mouse. The program will use this as random data.

8. Now, you have a public and a secret key. In theory, you would want to publish your public key on a key server so that everyone will have access to it.

9. Create a text file to encrypt inside the gnupg directory.

10. Now, to encrypt and sign the file, use the command “gpg -s file.” This will create file.gpg. (file is the name of the file you created.)

11. Try to examine the file in Notepad. Can you access it? What does it look like?

12. Now, use the command “gpg --verify file” to check the signature of the file. The command “gpg file” will check the signature against your public keys and decrypt it.

13. Examine the readme file in the gnupg directory to see the other functions associated with gnupg. Find out how to send someone else a message encrypted with their public key and report the findings.

14. After completing this part of the exercise, please remove all files and directories you created and nothing else. You have not completed the assignment until this is done. Do not modify the gnupg zip file, so that the next student can use it exactly as you did!

 

Password Recovery

 

Breaking encryption can be very difficult, but it can be done. Password length and encryption level can be significant determining factors. Located on the lab machines is a Windows password recovery program called “Password Recovery.” This program requires a USB key. If the key is not in the lab computer, see the lab manager or admin for its use. The program is self-explanatory. Simply drag the files you want to crack and drop them in the window. When the file has been cracked, the program will report the password in the same window.

 

Problem Statement:

 

Gnupg

 

            Follow the instructions above to create your own public and private key. Then encrypt a text file using your public key. Open the file to confirm it is now unreadable. Decrypt it with your private key and confirm that it is back to normal.

 

Password Recovery

 

            In the Encryption/Decryption exercise folder, there are several Microsoft Office files. Use Password Recovery to discover what the passwords are for these files. Now, run a few experiments of your own. Test a few different passwords to see how changing their length and adding numbers or special characters affects the password recovery time. See the below instructions on how to add a password to a Word document if you need a method for doing this.

 

 

 

Adding a password to a Word document

 

1. Select Tools, then Options.

 

 

2. Select the “Security” tab and enter your password in the “Password to open” box.

 

 

Deliverables:

 

  • From gnupg
    • Printout of encrypted file
    • Printout of unencrypted file
    • Public Key
    • Private Key
  • Completed worksheet “Computer Evidence” using one of the lab machines as your computer. Include the files with passwords as sub items. Include the passwords in the remarks section.
  • A short report detailing the passwords you created. Include your observations about cracking lengths vs. password complexity.
  • Answers to the analysis questions.

 

Analysis Questions:

 

  1. What does the term “computationally infeasible” mean when applied to cryptography?
  2. Explain public key/private key encryption.
  3. What is the easiest way to break encryption?
  4. Would you recommend using gnupg in your company? Explain.

 


Introduction to Computer Crime and Forensics

Exercise 7

Data Hiding and Steganography

 

Introduction:

 

There are numerous ways to hide files. Some are easy, like changing file extensions, but others can be more complicated, like hiding files within other files. This exercise has two parts: hiding files by changing the file extension and hiding files by embedding the information inside of images. Located in the folder DataHidingAndStego are several files that are not what they appear to be. Your job will be to use the instructions below to find the book chapter hidden inside one of the jpeg files.

 

Objectives:

 

  • To understand that files can be identified by their first byte signatures
  • To be able to reestablish correct file extensions using a hex editor
  • To be able to use jphide and jpbreak to retrieve information hidden using steganography

 

Instructions:

 

File extensions

 

One of the easier ways to hide a file is to change its file extension. Windows associates files with programs based on their file extension, so if you alter the extension the operating system will associate the file with a different program. This changes its icon and the program used to open it.  There is a way around this hiding technique. Files can be identified by their first two bytes. Included in the DataHidingAndStego folder is a program called xvi32. This is a hex editor. xvi32 allows for the viewing of files at the byte level. Simply open the program and drag and drop the desired file into the xvi32 window, and it will be displayed.
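The first-byte check xvi32 lets you do by hand, scripted. This is an added example, not the manual's code: it keeps a table of well-known leading byte sequences (the first two bytes already separate most of them, as the text says; the longer prefixes only make the check stricter), shows the head of each file the way a hex editor displays it, and reports where the claimed extension disagrees with the bytes. The file names and contents below are constructed stand-ins, not the lab's evidence files.

```python
# Signatures are (leading bytes, label, extensions that normally carry them).
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG image", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),
    (b"GIF87a", "GIF image", {"gif"}),
    (b"GIF89a", "GIF image", {"gif"}),
    (b"%PDF-", "PDF document", {"pdf"}),
    (b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/JAR)", {"zip", "docx", "xlsx", "jar"}),
    (b"MZ", "DOS/Windows executable", {"exe", "dll"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (legacy Office)", {"doc", "xls", "ppt"}),
    (b"BM", "Windows bitmap", {"bmp"}),
]


def hexdump_head(data, n=16):
    """The first n bytes the way a hex editor shows them: hex, then ASCII."""
    head = data[:n]
    hexpart = " ".join(f"{b:02X}" for b in head)
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in head)
    return f"{hexpart:<{n * 3}} {asciipart}"


def identify(data):
    """Return (label, expected extensions) for the first matching signature."""
    for magic, label, exts in SIGNATURES:
        if data.startswith(magic):
            return label, exts
    return "unknown", set()


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_file(filename, data):
    """Compare the claimed extension with what the leading bytes say."""
    label, exts = identify(data)
    ext = extension_of(filename)
    if label == "unknown":
        status = "unknown signature"
    elif ext in exts:
        status = "extension matches"
    else:
        status = f"MISMATCH: bytes say {label}"
    return {"file": filename, "label": label, "status": status, "head": hexdump_head(data)}


# Constructed evidence set: only the leading bytes matter here, so short
# stand-ins are used instead of complete files.
EVIDENCE = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 20,
    "report.txt": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 20,
    "notes.doc": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 20,
    "readme.txt": b"Plain text has no signature.\n",
    "setup.dat": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 20,
}


def triage(evidence=EVIDENCE):
    return [check_file(name, data) for name, data in evidence.items()]


if __name__ == "__main__":
    for r in triage():
        print(f"{r['file']:<14} {r['status']:<40} {r['head']}")
```

Plain text has no signature, so a “.txt” that really is text reports as unknown rather than as a mismatch; a “.doc” that begins with PK is a ZIP container and not a legacy Word file, which is one of the extension-versus-type disagreements the analysis questions below ask about.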

 

Steganography

 

After classifying all the files to their correct extensions, you will see that d1 and d2 are jpg files. Open these files. Can you tell any difference in them by just looking? One of these files contains another jpg inside it. Steganography is the art of hiding data within data. Stegdetect and jphide are two programs that deal with steganography in jpg files. Stegdetect is a command-line-based program that allows you to check for hidden data. It is located in the “DataHidingAndStego\tools\stegdetect_windows” folder. Also located in this folder are pdf documents with instructions on stegdetect usage. Below are instructions on how to use these tools. Read the instructions in the tools folder for more detailed information.

 

Step one: Use the following command to determine if a file possibly contains data.

 

    stegdetect -t p filename

 

The output should indicate the presence or absence of hidden data and tell you what program was most likely used to hide the data. However, this program works on probability. If the hidden data is small enough, it might not be detected. You might try adjusting the sensitivity level parameter.

 

Step two: Use the following command to perform a brute force dictionary attack and crack the password on the file.

 

stegbreak -f english.txt -r rules.ini filename

 

Jphide and jpseek are programs used to hide and reveal stego data. Double click on jphswin.exe in folder DataHidingAndStego\tools\jphs_05 to start a shell that uses both programs. Now, click on “Open jpeg” then “seek” to attempt to uncover the data. Use the password obtained earlier.

 

Problem Statement:

 

File Extensions

 

Located in “DataHidingAndStego/evidence” are some files with mismatched extensions. Open several known file types with xvi32 and record what their first two bytes are. Now, create a working directory and copy all the files to be identified into it. Attempt to identify all the files based on your previous research.

 

Steganography

 

After completing part I, several jpg files should have been uncovered. Some or all of these files contain hidden data. The goal of part II is to uncover that data. Use the tools described above to examine these files for hidden data. Try to find the hidden book chapter.

 

Deliverables:

 

  • Report containing the following
    • List of files with original extensions
    • Byte code research results
    • List of files with correct extensions
  • Report containing your results from the stego, include the following
    • File name and correct extension
    • Stegdetect results
    • Stegbreak results
    • Data found if any was found (all files may not contain hidden data)
  • Answers to the analysis questions

 

Analysis Questions:

 

  1. Why does changing file extensions to hide data not work in a Unix environment? Name a way a file can be hidden in Unix.
  2. What are two ways Stego protects data?
  3. During your search, you probably found some file extensions that did not match even though the file types were the same. What are some possible reasons for this mismatch?

Introduction to Computer Crime and Forensics

Exercise 8

EnCase/Forensic Tool Kit

 

Introduction:

 

This exercise is an introduction to EnCase and Forensic Tool Kit (FTK), both Windows-based forensic programs. These programs are loaded on the lab computers or the portable forensic machine. Located in the EnCaseFTK folder is a hard drive image. Use this image for analysis.

 

Note: Few instructions are given here on these two programs. Use the manuals or your TA if you need help.

 

Objectives:

           

  • To be able to examine media using forensic examination tools
  • To become familiar with EnCase and Forensic Tool Kit

 

Instructions:

 

EnCase

 

Note: EnCase requires the use of a USB key to run. If this key is not present, please see your lab TA.

 

Double click on the EnCase 4 icon located on the desktop to start the program. Then, create a new case and examine the evidence file. The evidence file has to be added with the “Add Device” button. The EnCase manual’s Chapter 12 contains the information needed to perform these procedures.

 

FTK

 

Note: FTK requires the use of a USB key to run. If this key is not available, please see your lab TA.

 

Double click the FTK icon to start the program.  Select the load image option and load the same image you used for the EnCase procedure.

 

Problem Statement:

 

These two programs are fairly self-explanatory. They work much like Windows Explorer, but with many more options for viewing the files. Your only objective is to explore the image using these two programs. Make sure to explore all the different views of each program, and for each try to discover the following:

 

 

  • EnCase
    • How do you automatically hash all files?
    • How do you do a first byte signature check?
    • What are all the different ways you can view a file?
    • How do you know if a file was deleted?
    • How do you recover a deleted file?
  • Forensic Tool Kit
    • What are the different types of images you can load?
    • What are a few of the different views?
    • How can you locate deleted files?
    • Can you recover deleted files?
    • What kind of files did you find?

 

 

Deliverables:

 

  • EnCase Image Worksheet
  • Report containing answers to the questions from the problem statement and any other observations you have to make
  • Answers to the analysis questions

 

Analysis Questions:

 

  1. Compare and contrast EnCase and FTK.
  2. Describe some ways EnCase and FTK make investigation easier.
  3. When would you want to use EnCase or FTK compared to DOS tools like the NTI suite?

 

 


Introduction to Computer Crime and Forensics

Exercise 9

Hostile Code

 

Introduction:

 

No computer security course would be complete without the inclusion of hostile code. We will look at two ways to remove hostile code from PCs. This exercise will require the use of your own PC or a friend’s PC. See your lab TA if you have any questions about how to use the programs you choose for this exercise.

 

NOTE: If you do not have a personal PC and an Internet connection, choose a partner who does or see the instructor.

 

Objectives:

 

  • To become familiar with hostile code removal

 

Instructions:

 

SpyWare

 

Spyware or adware is code that has been installed on your computer, usually without your knowledge, for the purpose of monitoring and reporting your internet use. There are several programs out on the web for removing spy and adware. A simple web search will turn up freeware. I recommend Ad Aware from Lavasoft. One of the places it can be downloaded from is www.majorgeek.com. However, any removal program that reports detailed results will work fine for this exercise.

 

Anti-virus Software

 

Most computers come with some anti-virus software already installed. If the PC you are examining does not, try www.grisoft.com for a free-to-download virus program. If it is your personal computer, you can download and install your free student Norton AntiVirus program from:

 

http://www.its.msstate.edu/Services/Software/introsymantec.php.

 

Problem Statement:

 

            Select a computer for spyware and virus analysis. Install a spyware program and scan for any resident programs. Report your findings. Select one of these programs and research what it actually does. Report these findings also. Next, perform the same tasks with an anti-virus program. If no virus is found, do some research on your own to find one and report what it does.

 

Deliverables:

 

  • Computer Evidence Worksheet
  • Report of what you discovered from above
  • Answers to the analysis questions

 

Analysis Questions:

 

  1. What is your definition of hostile code?
  2. Explain the differences in worms, viruses, and Trojan horses.
  3. In addition to loss of privacy what damage can spyware do?

Introduction to Computer Crime and Forensics

Exercise 10

Unix I

 

Introduction:

 

            A forensic investigator must be familiar with any OS he/she might encounter. The next two exercises introduce commands and techniques that could be helpful in a Unix environment. However, any complete investigation would need to be conducted by a Unix expert.

 

Note: This exercise assumes a basic understanding of Unix.

Note: This exercise was written so it can be performed through a telnet session.

Note: This exercise assumes you have a Unix account. If you do not, notify the instructor and/or team up with someone who does.

Note: In the next two labs “” indicate that whatever is in them must be replaced with the correct text.

 

Objectives:

 

  • To be able to use a telnet prompt to explore some basic Unix commands
  • To become familiar with some Unix commands that can be used in an investigation
  • To observe a common Unix data hiding technique

                                     

Instructions:

 

Read each paragraph in the problem statement section and try it for yourself. If you are already familiar with the command, feel free to skip the section, but you still need to include it in your report.

 

Problem Statement:

 

Man

 

Information on almost anything can be obtained by viewing the man pages (man short for manual). If you want more information on a command, you need only view the man page by simply using the command:

 

man “command”

“...” a common trick

 

First, log onto your Unix account and create a text file to examine. Use the command pico to start a text editor. (You could also use vi, which is more common but harder to use.) Then type a couple of sentences. When you are done, use Ctrl+X to exit and save, naming the file when prompted. Now use ls and confirm that the file is in your working directory.

 

Unix is much more generous than Windows when it comes to naming files. One common trick in Unix is to name a file “...” (three periods). Take the text file you just created and rename it “...” using the command:

 

 mv “filename” ...

 

Now use ls to examine the directory. Do you see the new file? Now type the command pico ... to confirm that the file “...” is truly there.

 

Permissions

 

Every file has a set of permissions associated with it. Those permissions are rwx (read, write, execute), set separately for the owner, the group, and everyone else. If an individual does not restrict these permissions, they could leave their files open for access by everyone. From the command line, type cd .. to move up to the parent directory. Now use ls to view the contents of the directory. What is shown should be a list of every user’s home directory. Examine their permissions with the command ls -l and try to find someone who has left their read permission on. Examine the contents of that directory, including the permissions on its contents, and report your results, if any.

 

Warning: Nothing on our servers is considered private property, but do not under any circumstances abuse this by changing the contents of anyone’s home directory. VIEW ONLY!!
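As an added example (not part of the lab manual), the following shell functions automate the permission check described above on a constructed sample home directory: they report every entry whose “other” read bit is set, using the POSIX find -perm -004 spelling of o+r. The directory layout and file names are constructed for the demonstration.

```shell
# Added example, not from the lab manual: audit a directory tree for
# entries readable by everyone ("others" read bit, o+r).

# Build a constructed sample home directory. The top level is mode 700 so
# it never shows up in the audit; two entries below it are left world-readable.
make_sample_home() {
    d=$(mktemp -d)
    chmod 700 "$d"
    mkdir "$d/public" "$d/private"
    printf 'shared lab notes\n'   > "$d/public/notes.txt"
    printf 'personal diary\n'     > "$d/private/diary.txt"
    printf 'anyone can read me\n' > "$d/resume.txt"
    chmod 755 "$d/public";  chmod 644 "$d/public/notes.txt"   # left open
    chmod 700 "$d/private"; chmod 600 "$d/private/diary.txt"  # restricted
    chmod 644 "$d/resume.txt"                                 # left open
    printf '%s\n' "$d"
}

# Print, relative to $1 and sorted bytewise, every entry under $1 whose mode
# includes the other-read bit. "-perm -004" means "at least these bits are
# set", so it catches 644, 755, 604 and so on. In "ls -l" output this is the
# 8th character of the mode string (the first of the three "others" bits).
world_readable() {
    find "$1" -perm -004 | sed "s|^$1/||" | LC_ALL=C sort
}

# Number of world-readable entries found; handy for a pass/fail summary.
world_readable_count() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Usage: home=$(make_sample_home); world_readable "$home"
```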

 

Script Command

 

When conducting an investigation, it is helpful and often necessary to record everything you do. There is a Unix command that can help with this: script records all activity at the command line. Return to your home directory if you have not already. Now type the command:

 

script screenout

 

 

Next, run a couple of commands. When you are finished, use Ctrl+D to stop recording. Now do a directory listing (ls). As you can see, there is now a file called “screenout.” Now view the file with the command:

 

cat screenout

 

The File Command

 

In a previous exercise, the problem of file extensions was examined. Unix, with a few exceptions, does not deal with file extensions. The command file shows information about a file based on its contents rather than its name. Type the command:

 

file screenout

 

 Now, try the command on several other files and report your findings.
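As an added example (not the lab manual’s own code), here is a minimal first-byte signature check of the kind the file command performs, tying this section to the byte-code research of Exercise 7 and the signature check of Exercise 8. It reads a file’s leading bytes with od, matches them against a small table of magic numbers, and compares the result with the name’s extension; the sample files it builds are constructed for the demonstration.

```shell
# Added example, not from the lab manual: a minimal first-byte signature
# check in the spirit of the file command.

# Print the first $2 bytes of file $1 as a lowercase hex string.
head_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Map a file's leading bytes to a type name, or "unknown".
magic_type() {
    case "$(head_hex "$1" 8)" in
        ffd8ff*)           echo jpg ;;   # JPEG start-of-image marker
        89504e470d0a1a0a*) echo png ;;   # PNG 8-byte signature
        47494638*)         echo gif ;;   # "GIF8"
        504b0304*)         echo zip ;;   # "PK\3\4" (also docx, jar, ...)
        25504446*)         echo pdf ;;   # "%PDF"
        *)                 echo unknown ;;
    esac
}

# Report whether the extension agrees with the signature.
# Output: "<name> ext=<ext> sig=<type> <MATCH|MISMATCH|UNKNOWN>"
check_extension() {
    name=${1##*/}
    ext=$(printf '%s' "$name" | sed -n 's/.*\.\([^.]*\)$/\1/p' | tr 'A-Z' 'a-z')
    sig=$(magic_type "$1")
    if [ "$sig" = unknown ]; then
        verdict=UNKNOWN       # no table entry: plain text, or a type we do not know
    elif [ "$ext" = "$sig" ] || { [ "$ext" = jpeg ] && [ "$sig" = jpg ]; }; then
        verdict=MATCH
    else
        verdict=MISMATCH      # the extension does not describe the content
    fi
    printf '%s ext=%s sig=%s %s\n' "$name" "${ext:-none}" "$sig" "$verdict"
}

# Constructed sample files: real header bytes, throwaway bodies, and one
# JPEG renamed to look like a text file, as in Exercise 7.
make_samples() {
    d=$(mktemp -d)
    printf '\377\330\377\340JFIF'   > "$d/photo.jpg"
    printf '\377\330\377\340JFIF'   > "$d/chapter.txt"
    printf '\211PNG\r\n\032\n'      > "$d/logo.png"
    printf 'plain text, no magic\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Usage: dir=$(make_samples); for f in "$dir"/*; do check_extension "$f"; done
```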

 

The Grep Command

 

Among other things, grep allows you to search for patterns of letters within files. Rename the “...” file back to its original name using mv ... “filename”. Now pick a word or phrase from that file and use the command:

 

            grep “pattern” “filename”

 

The dd command

 

A demonstration of dd will not be given because we are working through a telnet interface. However, dd is worth mentioning: it can be used to image hard disks. Examine the man page and report a brief summary of how to use this command.

 

Deliverables:

 

  • A report detailing the results from each of the above paragraphs. Include the following:
    • A short description of the command
    • Did you successfully use the command?
    • What were a few of the results?
    • How would the command be useful in an investigation?
  • Answers to the analysis questions

 

 

 

Analysis Questions:

 

  1. How would searching based on permissions be useful?
  2. Permissions were discussed above, but not how to change the permissions of a file. Find the command that changes file permissions and report it.
  3. Research and describe another Unix command that might be useful in investigation. Make sure to explain how it would be useful.

Introduction to Computer Crime and Forensics

Exercise 11

Unix II

 

Introduction:

 

            While a Unix expert should perform any complete investigation of a Unix-based system, there are many times when a guru is not at hand.  This exercise extends the “Intro to Unix” exercise by providing more background on Unix systems and introducing some more useful commands and techniques.

 

Objectives:

 

  • To be able to use a telnet prompt to explore some more basic Unix commands
  • To become familiar with some more Unix commands that can be used in an investigation
  • To observe a method for foiling common Unix data hiding techniques

 

Instructions:

 

Read each paragraph in the problem statement section and try it for yourself. If you are already familiar with the command, feel free to skip the section, but you still need to include it in your report.

 

Problem Statement:

 

Piping and Redirection

           

            Throughout this exercise, we will be using the concept of pipes and redirection to chain commands, specify alternate inputs, and create text files of the output of commands.  Piping is done using the pipe character “|”, and is used for taking the output of one program and using it as the input for the next program.  For example, we can use a command we learned in “Unix I,” grep, to filter the output of ls.  Try this:

 

            ls | grep “e”

 

     This command will take the directory listing and only display the entries that result in a sub-string match of grep’s argument (in this case, all filenames with the letter “e”).

 

            Redirection is a similar concept, except it deals with files.  The standard input of a program can be redirected from the keyboard to be taken from an input file.  For example, if you have a program that takes interactive input from the keyboard, you can script that program by writing out what you would normally type into it into a file.  Then, use a command similar to:

 

            programname < input.txt

 

     The program will then run as usual, outputting to your terminal window, only taking input from the file rather than your keyboard.

 

            More often, redirection is used in the other direction, sending the output of a command to a file to be viewed, edited, or otherwise used later.  This works the same way as redirection of input, but with the opposite angle bracket.  Try this command:

 

            ls > laboutput1.txt

 

     The command did not output anything to your terminal because the output was redirected to the laboutput1.txt file.  View this file with the cat command (cat does more than simply view files. Check the man page):

 

            cat laboutput1.txt

 

     There, you can see the output of the previous ls fly past on your terminal.  You can also edit this file in your favorite Unix text editor; pico is one example, and vi or vim are others.  If the output went by too fast, you can pipe the output of the command into a “paging” program such as more or less:

           

            cat laboutput1.txt | more

 

Foiling “a common trick”

 

            In the previous Unix exercise, you learned how one could hide files by using period characters as the first characters in the filename.  As with any trick, there is a way to work around it.  Create a new file with the touch command:

           

            touch labhiddenfile

 

     Now show that the file exists using the ls command:

 

            ls lab*

 

     Now, hide the file as you did in the previous exercise, and verify that the ls command does not list its presence:

           

            mv labhiddenfile ...

 

     ls lab*

 

     Now add the a and l command-line switches:

 

            ls -al

 

     Notice that the “...” entry is now clearly visible in the list.  You may need to pipe the output into a paging program if it scrolls past too fast.
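As an added example (not part of the lab manual), the shell functions below enumerate entries hidden with the leading-period trick from Exercise 10 and this section, without scanning ls -al output by eye. The sample directory and its file names are constructed for the demonstration.

```shell
# Added example, not from the lab manual: list dot-named entries that a
# plain "ls" hides, the trick used in Exercises 10 and 11.

# Constructed sample directory: one ordinary file plus three dot-named
# entries that a plain "ls" never shows.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'visible\n'     > "$d/labvisible"
    printf 'chapter 1\n'   > "$d/..."        # the "..." trick
    printf 'also hidden\n' > "$d/.. "        # ".. " (dot dot space) mimics the parent entry
    mkdir "$d/.config"                       # an ordinary dot directory
    printf '%s\n' "$d"
}

# Print the names of all dot-named entries directly inside $1, one per line,
# sorted bytewise. The two globs together match every name starting with "."
# except the real "." and ".." entries, which ls -a always lists anyway:
#   .[!.]*  -> ".config", ". " and so on (second character is not a dot)
#   ..?*    -> "...", ".. ", "..x" (two dots followed by at least one more char)
hidden_entries() {
    for e in "$1"/.[!.]* "$1"/..?*; do
        [ -e "$e" ] || continue              # an unmatched glob stays literal; skip it
        printf '%s\n' "${e##*/}"
    done | LC_ALL=C sort
}

# Count what plain ls shows versus what is really there ("ls -A" adds the
# dot entries but omits . and ..).
visible_count() { ls "$1" | wc -l | tr -d ' '; }
actual_count()  { ls -A "$1" | wc -l | tr -d ' '; }

# Usage: dir=$(make_sample_dir); hidden_entries "$dir"
```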

 

Snooping on People

 

            The finger command is another of the useful tools available on Unix systems for keeping tabs on the other users of a system.  Try running finger on your own username:

 

            finger “username”

 

     Using finger will provide a relatively large amount of information on a user, including the real name (if it is listed on that system), their home directory, the shell used, and where they last logged in from.  If the user is currently logged in, it shows where they are logged in from, as well as how long they have been idle.  Use finger on your friends’ usernames and see where they are logged in from or have been.

            Another similar command is last, available on some Unix systems, which will list the times and locations a user has logged in from.  Try this on some usernames as well and report the results.

            If a user is logged on, you can also see what they are running.  Try this with your own username, or that of someone else logged in at the current time:

 

            ps -u <username>

 

     This command may be pretty limited if you just have one session on the Unix machine running.  Try connecting several times at once, running different programs and seeing how the ps output changes.

 

            If you wish to know about all the processes running on a system, use the -ef switches to ps.

 


Deliverables:

 

  • A report detailing the results from each of the above paragraphs. Include the following:
    • A short description of the command
    • Did you successfully use the command?
    • What were a few of the results?
    • How would the command be useful in an investigation?
    • Sample outputs (copy them from the telnet session.)
  • Answers to the analysis questions

 

 

 

Analysis Questions:

 

  1. What is cat short for?  How do you think it would be useful if you had a hard drive image backed up across multiple CDs?
  2. What do the “-al” switches to ls stand for, and what is their purpose?  How can they help you find hidden files and directories?
  3. Why would an investigator be interested in the output of “ps -ef”?

 

Introduction to Computer Crime and Forensics

Final Exercise

Scavenger Hunt

 

Introduction:

 

            This concludes the lab exercises. Use the tools and knowledge obtained from previous exercises to complete this assignment.

 

Objectives:

 

  • To be able to locate evidence with a minimal set of instructions
  • To be able to use previously learned techniques together to conduct an investigation

 

Instructions:

 

See previous instruction sets if instructions are needed for a particular tool.

           

Problem Statement:

 

            In the lab, clearly labeled, is a stack of disks. Each disk contains a survey broken into pieces and hidden. Use previous tools to put the survey back together. When the survey is completed, fill it out to the best of your ability and turn it in. The questions and answers can be turned in separately if anonymity is desired.

           

Hint: One piece will let you know how many total pieces there are.

 

Deliverables:

 

  • Create a report with the following information about each survey question you locate
    • Where it was found
    • What tool you found it with
  • Removable Media Evidence Worksheet
  • Completed survey and survey answers

 

Analysis Questions:

 

No questions