Imaging and hashing digital evidence

UMGC INFA650 Computer Forensics Lab 1

Forensic Imaging and Hashing In your virtual lab desktop environment, you will create a forensic image and use hashing to verify it’s authenticity. The use of hashes is a methodology that is highly respected and used when presenting evidence and reports in a court of law. It is important to understand the role of a Digital Forensic analyst includes using tools to capture and analyze digital evidence as well as report out what you found, how you found it, and verify the information. Utilize online guides (you will need to Google for these – YouTube is also a very good resource)--to create a bitwise forensic image of the Lab1 file in the appropriate folders (in the Lab Resources folder on the Virtual Machine (VM)) using the forensic tool FTK_Imager. You will document and discuss the steps you took in the lab, and then answer the lab questions found at the end of the document. Virtual Machine Credentials Username: StudentFirst Password: Cyb3rl@b

Important Points to Remember 1. Discussing and illustrating the process is the most important part of this lab. Make

certain you intersperse your screenshots within the discussion and label them appropriately.

2. You must complete this lab within your virtual machine environment. Remember that the image may reset when you log off, so be sure you complete the steps for one of the images and take your screenshots (saving them outside of the VM to your host system) before logging out.

3. Use the Windows Snipping tool to take a screenshot of the appropriate Windows and not the entire desktop.

4. Microsoft Office is installed within your VM within the VCL. You can to create your PDF file.

5. All labs have a set due date and time. Labs can be turned in up to a week after the due date and time, but with a penalty for each day it is late.

6. As we progress through the labs for this course, the virtual environment will keep your work from prior labs, so you may need to destroy nodes or clear you cache to enable smoother connections.

Deliverable Filename: lastname-lab1.pdf (this is how you should title your lab report submission) In the dropbox folder under Lab1, submit your documentation via a PDF document with your last name and page number at the bottom right of each page. Use an appropriate filename: yourLastName-Lab1.pdf. Using pdf format ensures that screenshots will be visible, as it is common for other formats to lose graphics.

Preliminary Steps Launch the UMGC virtual environment by following the “Accessing the Virtual Lab Environment” instructions. Instructions can be found under Content > Session 3: Computer Investigations > Accessing Lab 1. 1. Start the Windows virtual machine and open resources. If this is the first time in the environment, or you have cleared your browser cache, you will need to first click on Nodes:

Once the Nodes are launched, click on Allocate Lab > Connect:

If you see the pop-up asking about PowerShell, click on Open Windows PowerShell:

If you see a security pop-up, check “Don’t ask me again for connections to this computer” and click Connect:

Enter credentials, check the box next to “Remember me”, and click OK:

Virtual Machine Credentials Username: StudentFirst Password: Cyb3rl@b

Lab 1 Description In this lab, you will be conducting Forensic Imaging. We will use a common tool, FTK Imager, to image a directory folder on your machine. Typically, Computer Forensic Investigators will image (i.e. make a bit-by-bit copy) a whole drive to make a duplicate of it. Once they have a copy of a drive, they can use tools and techniques to analyze folders, files, and fragments of data for digital evidence. For this lab, we only want to image a single directory folder and its contents due to time and space constraints. Over the next few steps, you will select to image a disk directory, choose the directory in the tool interface options, and then select the output of that image. You will then mount the resulting image and explore its contents to verify that it was in fact a captured image of the directory you had specified. This final step in verification is extremely important to the integrity of any investigation.

Part I Steps 1. Now that you are in the virtual environment, start by accessing and downloading the file to be imaged. From the desktop go to Lab Resources > Project Resources and click to open and download the file Lab1.exe.

2. Click once on “Lab1.exe” and then go to the right of the address bar of the browser window, and right-click on the three cascading dots to get a dropdown menu. Locate and click on Downloads:

3. If you get this message, click Keep:

And then Keep anyway (remember, this is a virtual machine, so your machine is safe):

To view where your downloaded file is saved, click on Show in folder. Note the full address of the location of this file – you will need it in later steps.

You can close and return to the Desktop > Lab Resources.

Part II – Image a Directory File 1. On the virtual desktop, open Lab Resources > Applications > FTK Imager. This is the Digital Forensic tool we will use for this Lab:

2. Select the View tab > Evidence Tree:

3. To make all drives and folders visible, go to File and select Add All Attached Devices:

4. Once ‘All Attached Devices’ are loaded, the system will scan the MFT for all files and folders. At this point in the investigation, you can choose any folder or files under the Evidence Tree to image. For this lab, we will select a picture that is in a system directory and alter the original. In a DF investigation, this process would illustrate the originality of the picture through both file contents and hashing (which we do in Lab #2). Now, select a picture from the ‘Sample Pictures’ folder using the path C > NTFS > root > Users > Public > Pictures > Sample Pictures:

You can see file information in the File List window, including size of file, type, and last date modified. At this point you could use the FTK Imager to image a drive, however as we are limited in available storage space, we will complete the imaging process and verification with a file.

5. For this lab, you need to capture an original picture file and its corresponding hash report. To do this, choose a picture and right click to both save the image and hash file to your machine.

6. Next, open the image file you saved, alter the image and save this new file to your machine. 7. Finally, you should have 4 files saved to your virtual desktop; the original picture, the altered pictured, and the two hash files corresponding to the two pictures.

Lab Report In the Lab Report that you will submit for this lab, you need to document the steps you took, the original picture file you selected and altered, and compare the File Hash Lists for the two picture images. Be sure that you have met the following expectations:

• Capture screen shots of each step. • Include the File Hash List for both picture images.

Part III – Image an Imported File In this part, you will image the file you downloaded and saved, in Part I. Finally, in the lab analysis, you will compare the two methods you used (Parts II and III) for imaging and hashing files using the FTK Imager tool. 1. On the virtual desktop, open FTK Imager and go to File > Create Disk Image:

2. Choose Image File and click Next:

3. Browse and locate the “Lab1.exe” you downloaded and click Finish. I had saved the file to Computer > Local Disk (C:) > Users > StudentFirst > Downloads:

Select the file (Lab1.exe) and click Open.

In the Select File box, the Lab1.exe file should populate the Evidence Source Selection. Click Finish.

4. In the Create Image box click on Add…:

5. You will be asked to type in evidence Information and click Next. Put in values, as with example (the Examiner must be you):

Select Next >

6. In the ‘Select Image Destination’ dialogue, use Browse to save the image (I chose StudentFirst > My documents), name the image file, and select Finish:

7. Back in the ‘Create Image’ dialogue, select Start:

Once the imaging is complete, you will see the Drive/Image Verify Results report – make sure and take a screenshot of this information!

Lab Report For this lab, you need to complete a Lab Report, which includes the following requirements:

1. Screen shots of each step in Part II and Part III,

2. The two File Hash Lists from Part II, and

3. Answers the following questions: o How did you alter the original picture in Part II?

o What information can you retrieve from the File Hash List?

o What information can you capture from the FTK Imager tool to identify a file?

o What information can you capture to validate the authenticity of a file/image? The following rubric will be applied for grading this lab: