Prodiscover

Advanced Computer Forensics

Windows ProDiscover Forensics Lab

This lab is a replacement for the EnCase lab (122) for students who have been unable to access EnCase through RLES. In order to do this lab, you will need to download and install ProDiscover Basic (make sure to pick 32-bit or 64-bit depending on your version of Windows) from this URL: http://www.techpathways.com/desktopdefault.aspx?tabindex=8&tabid=14 (scroll down until you see the download links at the bottom of the page). You will also need to download a copy of the image files for this lab, 123img.zip. These image files are distributed under the GPL and were originally created by Brian Carrier.

Instructions appear as bullet points, questions are numbered and bolded.

Instructions & Questions

Start ProDiscover Basic.

Create a new project for this laboratory. Give it a unique number and name.

Click “Add” then “Image File” and add “123img1.dd”.

Click the “Action” menu then generate “OS Info”. This adds some information about the image to the report, which you can view at any time during your examination by clicking on “View” then “Report”.

What is the file system of this image file?

What is the volume name?

Go to “Cluster View” and click on the image.

How many clusters are used on this image file?

Go to “Content View” and click on the image.

List all the Deleted files recovered by ProDiscover in a table – and calculate the MD5 hash value for each deleted file.

Is there anything special about any of the files?

ProDiscover will use the time zone setting of your examiner workstation if no time zone is set for the evidence. When you acquire a computer as evidence it is important to make note of the computer’s time and time zone, especially if you need to correlate evidence from different time zones (never assume the time or time zone on a computer is correct.)

Where does the Time Zone information reside in a Windows system?

Set the timezone by clicking on File, then Preferences. The timezone should be US Central Time in this particular case (the image file has been extracted from a computer in that timezone although it is not an image of the system partition so there is no way to find the computer's actual timezone from the image itself).

What is the latest file creation time on the image?

Which files are resident files? Hint: you can right-click on a file and say “Show Cluster Numbers” to see the cluster/s in which the file is stored – you can do this for the $MFT of the disk image to see which clusters are allocated to the $MFT.

Add the second image to the case - “123img2.dd”

Go to the “Content View” and click “All Files”.

Go to the “View” menu and select “Gallery View”.

Which files display a thumbnail in Gallery View?

Are there any files with mismatching file extensions? If so, which ones? Identify their types according to their extension versus their actual type and explain how you have identified the actual type.

Disable Gallery View.

Extract all JPEG files from the image by selecting each of them. You will be prompted to add a comment about the file for the report. Record “JPEG file” and whether the file has been hidden, deleted, mislabelled or is in any other way special.

Right-click on a file and click “Copy All Selected Files”. Save them in a temporary directory on your computer.

Paste each JPEG file from your temporary directory into your submission document as an embedded image.

Do you think you have identified every JPEG file in the image? Hint: You can search for the JPEG file header by clicking on “Search”, selecting “Hex” and searching for the pattern FFD8. Do any files contain the pattern which do not appear in your temporary directory? If so, which ones?

Create a table for all files on the second image, listing each file's name and MD5 hash value.

Your answers to all questions should be stored in a LibreOffice document, Word document or PDF, and uploaded to Dropbox in the “EnCase Lab” folder as this exercise replaces the EnCase lab.