Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Ftk live search

17/12/2020 Client: saad24vbs Deadline: 7 Days

Advanced Computer Forensics


Windows FTK Forensics Lab

Read the ENTIRE document before starting to be sure you have all the necessary tools and files required to complete the lab. You should further explore the tools used in this lab to ensure your familiarity with alternative investigation options.


Lab Setup for using RLES vCloud


This lab is designed to function on the RLES vCloud. The interface is available by navigating to https://rlesvcloud.rit.edu/cloud/org/NAT . You have created a vApp in your previous labs. Now, you will add the vApp template, 841_Win_Forensics_Updated , from the Public Catalogs, to the same vApp following the instruction of Add Virtual Machines to a vApp without a network required (see RLES vCloud User Guide).


FTK software including FTK 1.8, Registry Viewer and FTK Imager are install in the 841_Win_Forensics_Updated VM. The EnCase evidence file, WinLabEnCase, is located in the local E:\ drive in RLES VM. Please read FTK 1.80 User Manual, posted in RLES, for FTK details.


The 841_Win_Forensics_Updated VM login


Username: Administrator


Password: netsys


NOTE: If you are not able to open the VM, please reset the VM’s mac address (right click on the VM, choose property, then click on the Hardware tab, click on the drop down arrow of mace address to reset the mac address)


PART I: Familiar with FTK Imager


Bonus Exercise 1 (5 points): Assume that you have a write-protected USB device.


Image a USB device or a floppy disk to create an image in a DD format. (Note: You are not able to use the 841_Win_Forensics_Updated VM to perform this bonus exercise. You have to use your own computer for this exercise).


Provide a snapshot from FTK Imager.


Requires: a USB device or a floppy disk


Launch FTK Imager


Click File > Create Disk Image


Click Physical Drive and Next


Select the device and select Raw (dd) Image Type


Exercise 2: View images


Click File > Add Evidence Item


Select Image file and then click Next


Browse to your WinLabEnCase.E01 image and click Finish


View the image in the Evidence Tree view


Question 1: What is the VBR file used for? How to export this file? How to export a file Hash?


Exercise 3: Convert the WinLabEnCase image to a DD image


In the Evidence Tree view, select the WinLabEnCase image


Click File > Export Disk Image


In the Create Image dialog, click Add


Select the raw image type and name it as converted.


Exercise 4: Verify images


Select the Encase Image and click File > Verify Drive/Image


Add in the converted raw image to the FTK Imager and click File > Verify Drive/Image.


Question 2: What are the results of verification? Comparing both hashes, are they same or not?


PART II: Working with FTK 1.8x


All exercises and questions in this part are designed for FTK 1.8x.


NOTE: If you choose to use FTK 4 instead of FTK 1.8x, please follow PART III.


Objective: Based on the experience you have in the previous lab, you will utilize FTK to conduct an analysis of an incident. This project will help you tie all of the pieces and techniques together, so that you have a better understanding of the whole picture of forensics investigation.


Requires: FTK and a windows’ disk image provided by your instructor.


Descriptions: In this lab you will be given a scenario and a disk image to go along with it. You will use FTK to analyze the disk image, retrieve deleted files and terms that have been purposefully hidden, and then use FTK to create a report about this incident.


Scenario: ACME Industries develops custom software for the aviation industry. Its main competitors are companies Raytheon and Boeing and a few smaller contractors.


Pat Smith has worked for ACME Industries for 5 years. His supervisor has noted that after being past over several times for a promotion, Pat has become quite disgruntled. The company fears that Pat may be offering proprietary company information to a competitor in exchange for a job.


The first investigator has created an Encase image of Pat’s computer’s hard drive. Your job is to examine it and extract all pertinent information to the investigation. You are to make no assumptions of innocence or guilt, just to gather information.


Steps involved:


1) Locate the EnCase evidence file “WinLabEnCase.E01”


2) Create a new case and add the EnCase evidence file to FTK for investigation.


3) Analyze the image.


Show the activities such as recovering deleted files; finding information that have been purposefully hidden; analyzing MAC time, signatures and Hash sets; searching keywords; gathering pertinent information from compound files such as outlook express .dbx files and registry files; examining IE history file, searching recycled files though the hidden Recycled folder and printer’s spool files located in WINDOWS\system32\spool\PRINTERS etc.


4) Generate a report


Note: All information in your report needs to be verified and repeatable in order to be admissible in court.


DETAILED PROCEDURES THAT MAY HELP YOU TO GO THROUGH THE FTK SOFTWARE


Exercise 1: Starting a New Case

Click File > “New Case” to begin a new case.


Name the case “FTK Case 1”


Enter your name as the examiner.


Enter your information as the forensic Examiner Information


Question 3: What information is required to create a new case using the FTK New Case Wizard?


In the Case Log Options window, leave all options marked. Try to understand each of the options.


In the Processes to Perform window, leave all options marked. Try to understand each of the options.


In both the Refine Case Default and the Refine Index Default windows, leave all options marked. Try to understand each of the options.


Add an Image to the exist case

In the Add Evidence to the Case window click “Add Evidence”, choose “Acquired Image of Drive”


Question 4: What are the types of evidence that can be added to a case in FTK?


Select the “WinLabEnCase.E01” file.


Set the Time Zone


When you acquire a computer as evidence it is important to make note of the computer’s time and time zone, especially if you need to correlate evidence from different time zones (never assume the time or time zone on a computer is correct.)


To set the time zone in FTK, in the Local Evidence Time Zone Selection window, choose your local time zone.


Exercise 2: Working with FTK


Click the OVERVIEW tab; note the numbers for each type of file.


Question 5: How to make the number of the Checked Items to go up? How to make the number of Flagged Thumbnails to go up?


File Signatures

A file type (JPEG, Word Document, MP3 file) can be determined by the file’s extension and by a header that precedes the data in the file. If a file’s extension has been changed, then the only way to determine its type is by looking at its header.


Question 6: Click on Bad Extension from Overview tab. Do you find any signature mismatch? What are they?


Data Carved Files:


Question 7: Check the number of Data Carved Files, what is the number?


Click on Tools > Data Carving…


Select only GIF Files to perform date carving.


Highlight all the files in the filelist and add them to the case.


Question 8: Check the number of Data Carved Files from Overview, how many files added to the case by data carving?


Question 9: What are those files found by performing data carving process? Why is this process so important?


Explore Tab


Check mark List all descendants.


Question 10: What is the file system of this Image?


Question 11: Right-click a folder and select File Properties, What information do you get?


Question 12: Select a file, and right-click on that file and select File Properties, What information do you get?


Question 13: Select Documents and Settings\psmith\Recent, what kind of files contain in this folder? Select each file in this folder, what kind of information do you get from the up-right window?


Question 14: Select Documents and Settings\psmith\Local Settings\History\History.IE5\index.dat, what kind of files contain in this file? Select each file, what kind of information do you get from the up-right window?


Question 15: Select Documents and Settings\psmith\Favorites, what are psmith’s favorite links?


Question 16: Looking into the Recycled folder, which files are currently in the recycler? Select the INFO2 file from the Recycled folder, what information do you get from that file?


Question 17: Looking into WINDOWS\System32\spool folder, what information can you get from this folder?


Windows Registry

Locate ntuser.dat from the Documents and Settings\psmith folder


Export the ntuse.dat; then launch the AccessData Registry Viewer to include this file in the Registry Viewer. (You may also right click the file and choose View in Registry Viewer


In the Registry Viewer, explore the list.


Action 18: List any interesting results


Graphics Tab

The Graphics Tab allows you to quickly see all the pictures in the case.


Check mark List all descendants.


You will now see all of the pictures contained on all of the devices in the case.


Question 19: If a file’s extension has been changed to a non-graphics file type (such as changing jpg to txt), will it be displayed in the Gallery view? Provide one example to support your statement. Does EnCase work in the same way?


Bookmarking

Bookmarks allow you to mark folders, files, or parts of a file for later reference and for inclusion in reports.


Highlight (or checkmark) three graphics in the file list; right click the graphics and select Create Bookmark.

In the Create New Bookmark menu, name the bookmark Highlighted Graphics. Then select All highlighted items (or Checked Graphics) and click OK. Go to the Bookmark Tab to verify the bookmark.


Flag five graphics to green by clicking on the red circles. Go to the Overview tab and select the Flagged Thumbnails container to verify that the graphics you just flagged are included.


Export and Copy Special


Export these five graphics to your desktop.


Use Copy Special to copy a list of the dates and times associated with the exported files to the clipboard. Then paste this data into Microsoft Excel.


Question 20: What is the major difference between Export a file and Copy Special a file?


Keywords and Searching

Searching evidence for information pertaining to a case can be one of the most crucial steps in the examination. FTK support two kind of search, indexed and live searches. An indexed search uses the index file to find a search term while a live search involves an item-by-item comparison with a search term. The index file could be generated during the creation of a case or be indexed later.


Question 21: What is the advantage to use indexed search vs. the live search?


Click the Search > Indexed Search tab. In the Search Term box, type some keywords, for example “Job”; then click Add.


Click View Cumulative Results if you add multiple keywords or click “view item results”


Expand the search results.


Select one file and find the instances of “Job” in the file.


Create a bookmark to keep a couple of important files in the bookmark called Search Bookmark.


Examining the Options and Import feature in the indexed Search


Question 22: What are these two features used for?


In the Search tab, select Live Search


Click Regular Expression and click the arrow to view the available regular expressions


Choose Edit Expressions to view the default regular expressions.


Select US Phone Number and Search.


Question 23: Do you find any files containing US Phone numbers? List two files that in the result list.


Email

Email processing is one of the most important steps in forensics investigation. FTK supports powerful email feature to help you process emails.


Question 24: Read the manual and find out what kind of email formats do FTK support?


Click on the E-Mail tab


Navigate to Deleted items.dbx, Inbox.dbx and Sent Items.dbx, check for each message and bookmark some important messages to support your final report.


Question 25: Did anything happen? Do you find any important information? If so, what kind of information you got?


Case Report

After performing a thorough forensic investigation, it is critical that you are able to publish and present your findings. FTK has a sophisticated report wizard that allows you to assemble and publish case information. The final report generated by the FTK wizard is in HTML format.


Click File > Report Wizard


Fill in the Case information which will appear on the Case Information page of the report.


Create a report to include the following:


a) all bookmarks and export all bookmarked files


b) Export full-size graphics and link them to the thumbnails


c) Include the Date and Time file Properties for the Bookmarked Files


d) Include only graphics flagged green in the Graphics View


e) Group 6 thumbnail per row


f) Include Bad Extension files in the report and export the files to the report along with its data and time property


g) Add one or more of your own file to the report that support your statement


h) Create a custom graphic for the report.


Action 26: Include two screenshots of this report in your submission.


PART III: Working with FTK 4 (Bonus)


FTK 4 is install on the Windows 7 w/FTK 7 EnCase VM that is used in your EnCase lab. Please read FTK 4 User Manual, posted in RLES, for FTK details.


FTK 4 on Windows 7 w/FTK 7 EnCase login:


Username: Student


Password: student


Bonus question 1: (10 points): Follow the procedure defined in PART II and answer all appropriate questions from PART II using FTK 4. If a question from RART II does not work in FTK 4, please leave “N/A” in your answer.


Be aware that FTK imager and Registry Viewer are not installed on the Windows 7 w/FTK 7 EnCase VM.


Bonus question 2: (10 points): What new FTK4 features did you use to investigate this case (Include detailed steps and screenshots to support your answer)?


PAGE


9


Computer Forensics - FTK


Applied Sciences

Architecture and Design

Biology

Business & Finance

Chemistry

Computer Science

Geography

Geology

Education

Engineering

English

Environmental science

Spanish

Government

History

Human Resource Management

Information Systems

Law

Literature

Mathematics

Nursing

Physics

Political Science

Psychology

Reading

Science

Social Science

Home

Blog

Archive

Contact

google+twitterfacebook

Copyright © 2019 HomeworkMarket.com

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

Best Coursework Help
Homework Guru
Top Essay Tutor
University Coursework Help
Helping Hand
Writer Writer Name Offer Chat
Best Coursework Help

ONLINE

Best Coursework Help

I am an Academic writer with 10 years of experience. As an Academic writer, my aim is to generate unique content without Plagiarism as per the client’s requirements.

$100 Chat With Writer
Homework Guru

ONLINE

Homework Guru

Hi dear, I am ready to do your homework in a reasonable price and in a timely manner.

$102 Chat With Writer
Top Essay Tutor

ONLINE

Top Essay Tutor

I have more than 12 years of experience in managing online classes, exams, and quizzes on different websites like; Connect, McGraw-Hill, and Blackboard. I always provide a guarantee to my clients for their grades.

$105 Chat With Writer
University Coursework Help

ONLINE

University Coursework Help

Hi dear, I am ready to do your homework in a reasonable price.

$102 Chat With Writer
Helping Hand

ONLINE

Helping Hand

I am an Academic writer with 10 years of experience. As an Academic writer, my aim is to generate unique content without Plagiarism as per the client’s requirements.

$100 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

Operations management simulation answers - Examples of social interaction in everyday life - Percy jackson and the lightning thief part 1 - Discuss: Why is it critical for company managers to have a clear strategic vision regarding their organization? - Free online skills audit - Policies - The total variable cost of producing 5 units is - Freemind tutorial youtube - Heavy use of off balance sheet financing will tend to - How to agree to job plan - Probability and statistical inference pdf hogg download - Systematic and Unsystematic Risk Discussion Questions - 3.5 Nonprofit Fundraising Case Study: Part I - Write the number that makes each number sentence true - Lms curtin edu au blackboard - Quality at the ritz carlton hotel company case study - Igcse physics june 2012 mark scheme - Ap biology flashcards pdf - Independent worksheet - Nissan recovering supply chain operations - Enable flash so all content renders in mindtap - Looking for a Manuscript Editor - Sherman alexie dear john wayne - Egg drop newton's laws - Amphenol aerospace connectors catalog - Art - Na s h2o l naoh aq h2 g - Classical regression model assumptions - Koch and co coupon - DISCUSSION POST 6 - Dresser masoneilan control valve handbook - APA assignment - What might happen if business strategy was not the driver - The golden compass background - Linear alkyl benzene process flow diagram - Isobutane condensed structural formula - African American History - Helix ultra extra 5w 30 - Kitkat sales per year - U mad truck mounted attenuator - Abbreviated Quantitative Research Plan Overview - Hertfordshire grid for learning - Schroder international selection fund annual report - Meticulously planned movie scene crossword - Arm's reach concepts beautiful dreamer cocoon swing toffee natural - What are narrative conventions - Explain genre theory - Negotiations - A very safe investment that attracts conservative investors - Nottingham university malaysia jobs - Operations management final exam questions and answers - Entity integrity and referential integrity constraints - Icem cfd tutorial pdf - 1 page only- deliver in 10hrs - HRM671 LEARNING THEORIES AND TECHNOLOGY - Gas and sand y8 - Beer and johnston mechanics of materials - Selecting a statistical test decision tree - Endeavor air safety record - Walt disney company strategic goals - Nottingham human computer interaction - Marine radio operators handbook - Bikini body guide meal plan pdf - Project Plan Overview - Wordly wise 3000 book 10 lesson 12 answer key - Discuss what talent management is and why it is a consideration addressed by a growing number of employers. - Characteristics of youth culture - Mee wong sushi man print - Define useful capacity measures for a brewery - Personality Theory Blog - Op art movement in squares - Arimidex side effects steroids - 3-4 Paragraph Discussion - Vector equation of a line - Tweak growing up on summary - Cosmic ferro alloys ltd credit rating - Weighted average contribution margin per unit - Information system - John lesa and tabir form a limited liability company - Security Overview Presentation - I am dragon english subtitles - BComm7 - Construction expert - Chcprt001 forum - Conjugar provide the correct form in present of each verb in parentheses. - Notice for breach of duty to landlord - Principles of everyday behavior analysis 4th edition pdf - Lewis dot structure of butane - 1 finsbury avenue ec2m 2pp - Wk7 DQ1 Discussion Question 1 – CLO 1, CLO 2, CLO 3, CLO 4, CLO 5, CLO 6, CLO 7, CLO 8 - Phet solar system simulation lab answers - Community Resource - Written assignment - Continuous skills in badminton - 7h15 m3554g3 53rv35 answer - Thickness of aluminum foil - Adjusting entries expired insurance - Ted rogers leadership style - P4s3 ionic or covalent - Biology 34 study design