EE6012 – Laboratory Assignment

D. Heffernan 12/April/2010

These laboratory assignments will take place during Week 11 and Week 12 of term.
Students can do these exercises either during the laboratory classes or on their own computers
outside of the classes. However, students must attend the Week 11 laboratory.


SUBMISSION OF LABORATORY RESULTS

The completed laboratory report is to be submitted by email by Friday, 17:00 hours, of Week 12
(23/April/2010). The email is to be addressed to: donal.heffernan@ul.ie and the subject title is
to be: EE6012-ASSNG. The submitted Word file will be named ee6012-assign. The student
name and ID number will be on the front page of the Word file. On request, a student can be
asked to demonstrate his/her work.

Content of the Word file:

The Word document will contain the following (note that Prodiscover can export text files):

    -   The LAB-1 report text
    -   The LAB-2 report text, including the picture.
    -   A brief summary stating that you completed all aspects of the laboratory – or if you
        could not complete any aspects note the difficulties encountered.

Laboratory assessment weighting:
Assignment-1 5% of module


Module’s Shared folder: \\ecenotes\EE6012\

=================================================================

OBJECTIVES:

LAB 1

1) Present an overview of the common forensics tools
2) Install the Prodiscover forensic tool
3) Learn how to navigate the Prodiscover tool
4) Add disk images to the Prodiscover tool for investigation
5) Analyse the disk, disk images and files
6) Develop a forensic report

LAB 2

Use the Prodiscover tool to carry out a forensic investigation on a disk image.




EE6012 – Labs                                  1
LAB 1 – STEPS



1) Present an overview of the common forensics tools

This information will be presented during the lab.

2) Install the Prodiscover forensic tool

The Prodiscover files are in the module's shared folder, in the LABS folder. Simply click on
the Prodiscover (navy) icon and follow a normal Windows installation procedure.

You can also install Prodiscover on your laptop or other home computer if you wish.
No licence procedure is necessary.

3) Learn how to navigate the Prodiscover tool

Use the HTCIA2006-ProDSiscoverBasic.pdf document, available in the module's shared
folder in the LABS/Support folder. A hard copy is also available. (Note: the USB
evidence thumb drive referred to in this document will not be available to you, so, to get
started, experiment on the native C: drive.)

In particular, familiarise yourself with the following:

Create a new project.
Browse through the Help files.
Explore Content View and Cluster View modes.
Read your report to see any output information – note that you can clear the report easily if you
want to start again at any time.

4) Add disk images to the Prodiscover tool for investigation

In the module’s shared folder you will find the following disk images in the LABS/Support
folder:

    -   Hunter XP.E01
    -   image24.dd

The Hunter XP.E01 file is an image of a 4 GB disk drive with an NTFS file system. The image
is in EnCase image format.

The image24.dd file is an image of a 1.44 MB floppy disk drive with a FAT-12 file system.
The image is in DD image format.

Optionally you can also capture an image of your own USB key and add this as an image.

In all, you should now have the following disk and images for investigation:

    -   PhysicalDrive 0 (which contains the C: volume and possibly a Z: volume)
    -   Hunter XP.E01 disk image
    -   image24.dd disk image
    -   your own USB key disk image (optional)



5) Analyse the disk, disk images and files

Browse through your disk and images.

To familiarise yourself with the process of viewing a particular file, let's choose one.
In Content View find the folder:

C:\Program Files\Technology Patheways\Prodiscover\Sample Pics

Find the JPG file called RudyProfile-1.jpg.

Tick the check box on this file so that it is added to the report as an Evidence of Interest file.
Right click on the file and view the EXIF information. Right click on the file and view the
picture. (If you cannot view the picture, you can copy the file to the desktop and try various
picture viewers to see the picture.)


6) Develop a forensic report

Generate a LAB-1 forensic report. The report will include:

    -   Summary information for all drives and images, including volume name, file system
        type, total capacity, hidden sectors, etc.

    -   Summary information for the RudyProfile-1.jpg file

    -   Operating system information, including comprehensive information on the operating
        system, i.e. the OS version numbers, licence number, important Registry keys, install
        dates, owner's name, etc. Note that you will use the OSInfo action entry to get this
        operating system information.


LAB 2 – STEPS

See separate document “Case Study Investigation” for information on this (this is attached to
this document).

Follow the steps in the “Case Study Investigation” document and capture the output as a
LAB-2 report.




LAB 2: CASE STUDY INVESTIGATION
D.H. 12/April/2010

This case study is based on The Honeynet Project 'Scan of the Month, Scan 24' [1]. It is
presented here as a demonstration of a forensic investigation case. The disk involved is a
simple floppy disk (1.44 Mbytes). Although the floppy disk is these days considered to be a
very small and ageing storage device, it does provide us with a simple, almost 'toy',
example which is useful to demonstrate the procedures and techniques for investigating a
suspicious disk. The Prodiscover tool is used to analyse the disk with the aim of discovering
information, including information that may be deliberately hidden, to answer the following
questions in relation to a person called Joe Jacobs who is a suspected supplier of marijuana to
high school students.

1. Who is Joe Jacob’s supplier of marijuana and what is the address listed for the supplier?

2. What crucial data is available within the ‘cover page.jpg’ file and why is this data crucial?

3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

4. For each file, what processes were taken by the suspect to mask them from others?

5. What processes were used to successfully examine the entire contents of each file?


Answers to these investigation questions are given in Addendum 2 of this document.

Background

The extract from the police report below provides some background information. This
extract is shown in Addendum 1 of this document.

A note on Prodiscover’s screen layout

Addendum 3 shows the screen layout. In this document the left pane is Pane A, the right
top pane is Pane B and the right bottom pane is Pane C.


EVIDENCE LOCKER

Set up a temporary folder as your Locker folder.




DETAIL ON FILE EXAMINATION

On exploring the image in Prodiscover, in Pane B you will see three files of interest which
will be investigated here. These three files are:

     -   cover Page.jpgc
     -   Scheduled Visits.exe
     -   Jimmy Jungle.doc


The recovery of the ‘cover Page.jpgc’ file

1) In Content View, see the cover page.jpgc file in Pane B. This file looks suspicious: it
   will not open, and Pane C indicates that the file does not seem to hold meaningful data.

2) If we guess that this file might be a JPEG file, we can explore that guess. From
   knowledge of file signatures it is known that all JPEG files should have the 'JFIF'
   signature in the sixth byte of the first cluster. A possibility for this file is that the
   metadata might have been changed to point to an incorrect first sector so as to hide the file.

3) Using the Search button on the Button bar, search for the keyword 'JFIF' over the entire
   disk image, searching the used and unused clusters. Set the Search dialogue for: Cluster
   Search; ASCII; Select All Matches. The Add Comment dialogue box appears; add a
   comment and click OK.

4) Your search will show in Pane B that cluster 49 hex (73 decimal) contains the
   'JFIF' string in its sixth byte, so this looks like it might be the first cluster of a JPEG file.
   Click on cluster 73 in Pane B and Pane C shows the 'JFIF' string in blue
   highlighted text.

5) Now we will attempt to confirm that this is a JPEG file by attempting to recover it.
   The file is probably 15,585 bytes in length, as this is the reported size of the 'cover
   page.jpgc' file in the Content View. If we assume that 15,585 bytes is the length, then the
   number of clusters (cluster = 1 sector on this drive) is 15,585/512, i.e. some 31
   clusters. So next we will attempt to recover a file which starts at cluster number 73
   and spans 31 clusters. Our first attempt will assume that the
   clusters are contiguously allocated. We make this guess because the cluster range 73-103 and
   beyond appears to be allocated when looking at the Cluster View, i.e. the clusters are green.

6) In Cluster View, in Pane B, click on cluster 73 and highlight as far as cluster 103 by
   dragging the cursor across these clusters, i.e. you are selecting clusters 73 to 103
   inclusive. Now click on this highlighted range of clusters; a dialogue box appears;
   click 'Recover'. The 'Recover Clusters' dialogue box appears. Click "Recover all
   clusters to a single file". Click "Recover Binary". Choose your Locker folder as the
   destination. You have now recovered the 31 clusters (73 to 103) to a file.

7) You can check whether your recovered file is indeed a real JPEG file by attempting
   to open it with a JPEG viewer, e.g. 'Windows Picture and File Viewer'. Now
   you should see an interesting picture, as below!




8) To confirm that the recovered JPEG file is properly terminated you can inspect the final
   cluster carefully. It is known that JPEG images use an end-of-file signature of 0ffd9 hex.
   Click on cluster 103 in Pane B and you can confirm in Pane C that the cover
   page.jpgc file has this signature, as seen in cluster 103. The 0ffd9 code is seen at location
   0cedf to 0cee0 hex. This confirms that 31 clusters is the correct size for this file, as
   guessed earlier. However, on inspecting cluster 103, you will also note that the cluster
   contains the text string 'pw=goodtimes'. Note this carefully, as it might be a
   password.

To investigate a bit further, you might ask yourself whether only 31 clusters (73 to 103) are used by
the cover page.jpgc file, as there are a further 13 clusters (104 to 116, seen in green)
that appear to be allocated. Is there further information of interest available?
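The search, carve and verify sequence of steps 2 to 8 can be automated. The Python below is an added example and is not part of the lab handout or of Prodiscover: it runs the 'JFIF' cluster search, computes the 31-cluster span from the 15,585-byte size, carves the clusters, checks the FF D9 end marker in the last two bytes of the reported size, and lists printable strings left in the slack of the final cluster. The image, the altered directory entry and the cluster geometry are constructed inside the block.

```python
"""Added example, not part of the lab handout: carve a JPEG from a raw cluster
image the way steps 2-8 above do it by hand, then check the result.

Assumptions (mine, not the handout's): 512-byte clusters with one sector per
cluster as on the lab floppy, cluster numbers indexing straight into the byte
array, and an image and directory entry constructed below, not read from
image24.dd."""
import math
import re

CLUSTER = 512
JFIF_OFFSET = 6      # 'JFIF' follows FF D8 FF E0 ll ll in a JFIF-style JPEG
SOI = b"\xff\xd8"    # JPEG start-of-image marker
EOI = b"\xff\xd9"    # JPEG end-of-image marker (the "ffd9" checked in step 8)


def find_jfif_clusters(image: bytes) -> list[int]:
    """Cluster Search for 'JFIF' at the JFIF offset, over used and unused clusters."""
    return [n for n in range(len(image) // CLUSTER)
            if image[n * CLUSTER + JFIF_OFFSET:n * CLUSTER + JFIF_OFFSET + 4] == b"JFIF"]


def clusters_for(size: int) -> int:
    """Step 5: clusters needed for a file of `size` bytes (15,585 -> 31)."""
    return math.ceil(size / CLUSTER)


def carve(image: bytes, first_cluster: int, size: int) -> bytes:
    """Step 6: recover the contiguous clusters from first_cluster into one blob."""
    start = first_cluster * CLUSTER
    return image[start:start + clusters_for(size) * CLUSTER]


def looks_like_jpeg(blob: bytes, size: int) -> bool:
    """Step 8: SOI at the start and EOI in the last two bytes of the reported size."""
    return blob[:2] == SOI and blob[size - 2:size] == EOI


def slack_strings(blob: bytes, size: int, min_len: int = 4) -> list[bytes]:
    """Printable ASCII runs left in the slack after the file's last byte."""
    return re.findall(rb"[ -~]{%d,}" % min_len, blob[size:])


def recover_entry(image: bytes, entry: dict) -> dict:
    """If the entry's own first cluster carries no JFIF signature (metadata altered
    to hide the file), fall back to the signature search, then carve and verify."""
    hits = find_jfif_clusters(image)
    first = entry["first_cluster"]
    if first not in hits:
        if len(hits) != 1:
            raise ValueError("expected exactly one JFIF cluster, got %r" % hits)
        first = hits[0]
    blob = carve(image, first, entry["size"])
    return {"first_cluster": first,
            "clusters": clusters_for(entry["size"]),
            "valid_jpeg": looks_like_jpeg(blob, entry["size"]),
            "eoi_offset": entry["size"] - 2,        # 15,583 = 0x3CDF into the file
            "slack": slack_strings(blob, entry["size"])}


def build_image() -> bytes:
    """Constructed image: 120 clusters filled with F6 (as clusters 109-116 are on the
    floppy), a 15,585-byte JFIF JPEG at cluster 73, 'pw=goodtimes' left in its slack."""
    size = 15585
    jpeg = SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * (size - 15) + EOI
    image = bytearray(b"\xf6" * (120 * CLUSTER))
    start = 73 * CLUSTER
    image[start:start + size] = jpeg
    image[start + size:start + size + 12] = b"pw=goodtimes"
    return bytes(image)


# Constructed directory entry whose first-cluster pointer has been altered (cluster 10).
COVER_PAGE = {"name": "cover page.jpgc", "first_cluster": 10, "size": 15585}
```

Calling `recover_entry(build_image(), COVER_PAGE)` reports the carve starting at cluster 73 rather than the entry's cluster 10, 31 clusters, a valid end marker, and `pw=goodtimes` in the slack.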




Investigating the ‘Scheduled Visits.exe’ file

In the Content View mode, look at the Scheduled Visits.exe file in Pane B and examine this
file. Right click on the file and in the dialogue box click "Show Cluster Number" to see the
cluster information; you will see that there are two clusters allocated: 104 and 105.

In Cluster View mode, in Pane B, click on cluster 104 to see the hex dump in Pane C and you
will see the string 'PK' at the start of this file. This can be a signature indicating a
compressed file, typically a .zip file.

On inspecting the hex dump (Pane C) of cluster 104 further we note a string "Scheduled
Visits.xls" in the cluster. We ask ourselves whether there could be a file called Scheduled Visits.xls
inside the compressed archive file. Maybe this archive is the Scheduled Visits.exe file that we saw in
the displayed list of files above.

So we now guess that the Scheduled Visits.exe file might really be an archive (zip) file and that
it is two clusters in length, clusters 104 and 105. We guess two clusters as the file size is listed
as 1000 bytes. As before, by highlighting the clusters in Pane B and right clicking on
"Recover", selecting the "Binary" option, we recover the file from these two clusters and
attempt to open (unzip) it. We try the password "goodtimes" but it is of no use.
So this does not seem to be a valid file at all.




We now guess that the file might extend beyond the two clusters, so we inspect the content (hex
dump in Pane C) of clusters 106 to 116. We note two interesting things:

    -   Cluster 108 contains the string "Scheduled Visits.xls", so this might be a valid cluster
        of the suspect Scheduled Visits.exe file.
    -   Clusters 109 to 116 all appear to be filled with 'F6' bytes.

Following the above observations we guess that the file might use clusters 104 to 108. So we
now select these clusters and recover a file from them. We attempt to unzip this file
using the password "goodtimes". Success is at hand: a Microsoft Excel file appears, and on
opening it we discover the information seen below.

The ‘Scheduled Visits.xls’ file contains a list of dates and school names, as shown below.

Note, if the “goodtimes” password above did not work, then the investigator could have tried
to use a password cracker tool.


Month / Year     Day              High School

April
        Monday (1)       Smith Hill High School (A)
        Tuesday (2)      Key High School (B)
        Wednesday (3)    Leetch High School (C)
        Thursday (4)     Birard High School (D)
        Friday (5)       Richter High School (E)
        Monday (1)       Hull High School (F)
        Tuesday (2)      Smith Hill High School (A)
        Wednesday (3)    Key High School (B)
        Thursday (4)     Leetch High School (C)
        Friday (5)       Birard High School (D)
        Monday (1)       Richter High School (E)
        Tuesday (2)      Hull High School (F)
        Wednesday (3)    Smith Hill High School (A)
        Thursday (4)     Key High School (B)
        Friday (5)       Leetch High School (C)
        Monday (1)       Birard High School (D)
        Tuesday (2)      Richter High School (E)
        Wednesday (3)    Hull High School (F)
        Thursday (4)     Smith Hill High School (A)
        Friday (5)       Key High School (B)
        Monday (1)       Leetch High School (C)
        Tuesday (2)      Birard High School (D)

May
        Wednesday (3)    Richter High School (E)
        Thursday (4)     Hull High School (F)
        Friday (5)       Smith Hill High School (A)
        Monday (1)       Key High School (B)
        Tuesday (2)      Leetch High School (C)
        Wednesday (3)    Birard High School (D)
        Thursday (4)     Richter High School (E)
        Friday (5)       Hull High School (F)
        Monday (1)       Smith Hill High School (A)
        Tuesday (2)      Key High School (B)
        Wednesday (3)    Leetch High School (C)
        Thursday (4)     Birard High School (D)



       Friday (5)      Richter High School (E)
       Monday (1)      Hull High School (F)
       Tuesday (2)     Smith Hill High School (A)
       Wednesday (3)   Key High School (B)
       Thursday (4)    Leetch High School (C)
       Friday (5)      Birard High School (D)
       Monday (1)      Richter High School (E)
       Tuesday (2)     Hull High School (F)
       Wednesday (3)   Smith Hill High School (A)
       Thursday (4)    Key High School (B)
       Friday (5)      Leetch High School (C)

June
       Monday (1)      Birard High School (D)
       Tuesday (2)     Richter High School (E)
       Wednesday (3)   Hull High School (F)
       Thursday (4)    Smith Hill High School (A)
       Friday (5)      Key High School (B)
       Monday (1)      Leetch High School (C)
       Tuesday (2)     Birard High School (D)
       Wednesday (3)   Richter High School (E)
       Thursday (4)    Hull High School (F)
       Friday (5)      Smith Hill High School (A)
       Monday (1)      Key High School (B)
       Tuesday (2)     Leetch High School (C)
       Wednesday (3)   Birard High School (D)
       Thursday (4)    Richter High School (E)
       Friday (5)      Hull High School (F)
       Monday (1)      Smith Hill High School (A)
       Tuesday (2)     Key High School (B)
       Wednesday (3)   Leetch High School (C)
       Thursday (4)    Birard High School (D)
       Friday (5)      Richter High School (E)
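The reasoning above (a 'PK' signature under a .exe extension, and a directory size of 1000 bytes that understates the real archive) can be checked against the ZIP format directly. This Python is an added example, not part of the handout or of Prodiscover: it reads the member names and the encryption flag from the local file headers and derives the true archive length from the end-of-central-directory record, on a constructed image holding an unencrypted stand-in archive at cluster 104.

```python
"""Added example, not part of the lab handout: find the true extent of the
'Scheduled Visits.exe' archive from the ZIP structure itself rather than from
the 1000-byte size in its directory entry, as the reasoning above does by hand.

Assumptions (mine): 512-byte clusters indexed straight into the byte array and
a constructed, unencrypted archive placed at cluster 104; the floppy's archive
was password protected, which the header flag decoded below would report."""
import io
import math
import struct
import zipfile

CLUSTER = 512
LOCAL_HDR = b"PK\x03\x04"   # local file header signature (the 'PK' seen in cluster 104)
EOCD = b"PK\x05\x06"        # end-of-central-directory signature, 22 bytes + comment


def clusters_for(size: int) -> int:
    return math.ceil(size / CLUSTER)


def local_headers(image: bytes, start: int, end: int) -> list[dict]:
    """Walk the local file headers in [start, end): member name and encryption flag."""
    out, pos = [], start
    while (pos := image.find(LOCAL_HDR, pos, end)) >= 0:
        (flags,) = struct.unpack_from("<H", image, pos + 6)
        name_len, extra_len = struct.unpack_from("<HH", image, pos + 26)
        name = image[pos + 30:pos + 30 + name_len].decode("cp437")
        out.append({"name": name, "encrypted": bool(flags & 1)})
        pos += 30 + name_len + extra_len
    return out


def true_length(image: bytes, start: int) -> int:
    """Bytes from the archive start to the end of its EOCD record."""
    eocd = image.find(EOCD, start)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record after offset %d" % start)
    (comment_len,) = struct.unpack_from("<H", image, eocd + 20)
    return eocd - start + 22 + comment_len


def investigate(image: bytes, entry: dict) -> dict:
    """Compare the directory entry's claims with what the archive structure says."""
    start = entry["first_cluster"] * CLUSTER
    if image[start:start + 4] != LOCAL_HDR:
        raise ValueError("%s does not start with a ZIP local header" % entry["name"])
    actual = true_length(image, start)
    return {"reported_size": entry["size"],
            "reported_clusters": clusters_for(entry["size"]),      # 1000 bytes -> 2
            "actual_size": actual,
            "actual_clusters": clusters_for(actual),
            "extension_mismatch": not entry["name"].lower().endswith(".zip"),
            "members": local_headers(image, start, start + actual)}


def build_image() -> bytes:
    """Constructed image: 120 F6-filled clusters with an unencrypted ZIP holding a
    2,300-byte stand-in for 'Scheduled Visits.xls' at cluster 104."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Scheduled Visits.xls", b"\x00" * 2300)  # placeholder, not a workbook
    data = buf.getvalue()
    image = bytearray(b"\xf6" * (120 * CLUSTER))
    image[104 * CLUSTER:104 * CLUSTER + len(data)] = data
    return bytes(image)


# Directory entry as listed in Content View: .exe extension, 1000 bytes, first cluster 104.
SCHEDULED_VISITS = {"name": "Scheduled Visits.exe", "first_cluster": 104, "size": 1000}
```

`investigate(build_image(), SCHEDULED_VISITS)` shows the entry claiming 2 clusters while the archive structure needs 5, the .exe extension not matching the ZIP signature, and the inner member name that appeared in the hex dump.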




The recovery of the ‘Jimmy Jungle.doc’ file


In the Content View mode you will see the Jimmy Jungle.doc file in the Pane B. In the
‘Deleted’ column you will see that this file has been deleted. However, Prodiscover allows
this file to be seen and opened – so the file is easily recovered – as long as its clusters have
not been already assigned to other files.

Note – for NTFS files Prodiscover handles deleted files in a different manner. The
deleted files are listed in a special “Deleted Files” folder.

Right click on the Jimmy Jungle.doc file and it is seen that a range of clusters, 21 to
48, is assigned to this file. If you go to the Cluster View mode you will see these clusters in blue,
indicating that they are unused; this is true because the file is a deleted file.

In the Content View mode you can simply copy this file to your evidence locker folder and
open it using Microsoft Word. The text from this file is shown below:
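The condition stated above, that a deleted file is recoverable as long as its clusters have not been reassigned, can be checked directly against the FAT. The Python below is an added example, not part of the handout or of Prodiscover: it decodes a constructed deleted 8.3 directory entry and a constructed FAT12 table, assumes the file was contiguous (the cluster chain is lost on deletion) and reports whether any cluster in the span is in use again.

```python
"""Added example, not part of the lab handout: decide whether a deleted FAT12
directory entry such as 'Jimmy Jungle.doc' is still recoverable, i.e. whether
the clusters it occupied are still marked free in the FAT, the condition given
above. The 8.3 entry, cluster numbers and FAT below are constructed (a FAT12
floppy FAT is 9 sectors); the handout says nothing about Prodiscover's own
chain logic, so a contiguous file is assumed, as the lab does for the other files."""
import math
import struct

CLUSTER = 512
DELETED = 0xE5            # first byte of an 8.3 name once the entry is deleted
FAT_BYTES = 9 * CLUSTER


def fat12_get(fat: bytes, n: int) -> int:
    """Read the 12-bit FAT entry for cluster n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0x0FFF


def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Write the 12-bit FAT entry for cluster n without disturbing its neighbour."""
    off = n + n // 2
    pair = fat[off] | (fat[off + 1] << 8)
    pair = (pair & 0x000F) | (value << 4) if n & 1 else (pair & 0xF000) | (value & 0x0FFF)
    fat[off], fat[off + 1] = pair & 0xFF, pair >> 8


def parse_entry(entry: bytes) -> dict:
    """Decode the fields of a 32-byte FAT directory entry that matter for recovery."""
    name, ext = entry[0:8], entry[8:11]
    shown = (b"?" + name[1:] if entry[0] == DELETED else name).rstrip().decode("ascii")
    (first_cluster,) = struct.unpack_from("<H", entry, 26)
    (size,) = struct.unpack_from("<I", entry, 28)
    return {"deleted": entry[0] == DELETED, "name": shown + "." + ext.decode("ascii"),
            "first_cluster": first_cluster, "size": size}


def recovery_status(entry: bytes, fat: bytes) -> dict:
    """Assume the deleted file was contiguous (its FAT chain is gone) and check that
    every cluster it would have spanned is still free (FAT value 0)."""
    info = parse_entry(entry)
    n = math.ceil(info["size"] / CLUSTER)
    span = range(info["first_cluster"], info["first_cluster"] + n)
    reused = [c for c in span if fat12_get(fat, c) != 0]
    return {**info, "last_cluster": span[-1],
            "reused": reused, "recoverable": info["deleted"] and not reused}


def build_entry() -> bytes:
    """Constructed deleted entry: 'JIMMYJ~1.DOC', first cluster 21, 14,000 bytes (28 clusters)."""
    entry = bytearray(32)
    entry[0:11] = bytes([DELETED]) + b"IMMYJ~1DOC"
    entry[11] = 0x20                                  # archive attribute
    struct.pack_into("<H", entry, 26, 21)
    struct.pack_into("<I", entry, 28, 14000)
    return bytes(entry)


def build_fat(reused=()) -> bytes:
    """Constructed FAT: clusters 0-1 reserved, 2-20 one live chain, 21-48 free unless
    listed in `reused` (simulating later reallocation), 49 onwards untouched (free)."""
    fat = bytearray(FAT_BYTES)
    fat12_set(fat, 0, 0xFF0)
    fat12_set(fat, 1, 0xFFF)
    for c in range(2, 20):
        fat12_set(fat, c, c + 1)
    fat12_set(fat, 20, 0xFFF)                         # end of chain
    for c in reused:
        fat12_set(fat, c, 0xFFF)
    return bytes(fat)
```

`recovery_status(build_entry(), build_fat())` reports clusters 21 to 48 all free and the file recoverable; passing `build_fat(reused=(30,))` shows the opposite case, where one cluster has been reassigned and a plain copy would return another file's data.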

-------------------------------------------------------------------------------------------------------

Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111

Jimmy:

Dude, your pot must be the best - it made the cover of High Times Magazine! Thanks for
sending me the Cover Page. What do you put in your soil when you plant the marijuana
seeds? At least I know your growing it and not some guy in Columbia.

These kids, they tell me marijuana isn’t addictive, but they don’t stop buying from me. Man,
I’m sure glad you told me about targeting the high school students. You must have some
experience. It’s like a guaranteed paycheck. Their parents give them money for lunch and
they spend it on my stuff. I’m an entrepreneur. Am I only one you sell to?

Maybe I can become distributor of the year!

I emailed you the schedule that I am using. I think it helps me cover myself and not be
predictive. Tell me what you think. To open it, use the same password that you sent me
before with that file.
Talk to you later.

Thanks,

Joe
--------------------------------------------------------------------------------------------------------------


References

[1] The Honeynet Project. Scan of the Month 24. Available from:
http://www.honeynet.org/scans/scan24/.




ADDENDUM 1
Case Study EE6012-01 - Police Report and help required

The scenario is: Joe Jacobs, 28, was arrested yesterday on charges of selling illegal drugs to
high school students. A local police officer posing as a high school student was approached by
Jacobs in the parking lot of Smith Hill High School. Jacobs asked the undercover cop if he
would like to buy some marijuana. Before the undercover cop could answer, Jacobs pulled
some out of his pocket and showed it to the officer. Jacobs said to the officer "Look at this
stuff, Colombians couldn't grow it better! My supplier not only sells it direct to me, he grows
it himself."

Jacobs has been seen on numerous occasions hanging out at various local high school parking
lots around 2:30pm, the time school usually ends for the day. School officials from multiple
high schools have called the police regarding Jacobs' presence at their school and noted an
increase in drug use among students, since his arrival.

The police need your help. They want to try and determine if Joe Jacobs has been selling
drugs to students at other schools besides Smith Hill. The problem is no students will come
forward and help the police. Based on Joe's comment regarding the Colombians, the police
are interested in finding Joe Jacob's supplier/producer of marijuana.

Jacobs has denied selling drugs at any other school besides Smith Hill and refuses to provide
the police with the name of his drug supplier/producer. Jacobs also refuses to validate the
statement that he made to the undercover officer right before his arrest. Upon issuing a search
warrant and searching of the suspect's house the police were able to obtain a small amount of
marijuana. The police also seized a single floppy disk, but no computer and/or other media
was present in the house.

The police have imaged the suspect's floppy disk and have provided you with a copy. They
would like you to examine the floppy disk and provide answers to the following questions.
The police would like you to pay special attention to any information that might prove that
Joe Jacobs was in fact selling drugs at other high schools besides Smith Hill. They would also
like you to try and determine if possible who Joe Jacob's supplier is.

Jacobs posted bail, set at $10,000.00. Afraid he may skip town, the police would like to get
him locked up as soon as possible. To do so, the police have asked that you have the results
fully completed and submitted within a short space of time. Please provide the police with a
strong case consisting of your specific findings related to the questions, where the findings are
located on the disk. Try to discover any processes and techniques used, and any actions that
the suspect may have taken to intentionally delete, hide and/or alter data on the floppy disk.

Any names, locations, and situations presented are completely fabricated to create a fictitious
case study for educational purposes. Any resemblance to any name, locations and/or situation
is purely coincidence.




ADDENDUM 2
Answers to the investigation questions


1. Who is Joe Jacob’s Supplier of marijuana and what is the address listed for the
supplier?

The file ‘Jimmy Jungle.doc’ was recovered from sectors 33 to 72, and this indicated that the
supplier was:

Jimmy Jungle
626 Jungle Ave, Apt 2
Jungle, NY 11111

2. What crucial data is available within the ‘cover page.jpg’ file and why is this data
    crucial?

In the slack space at the end of the 'cover page.jpg' file, the string
'pw=goodtimes' was found. This string was discovered to be the password for the password-protected
'Scheduled Visits.exe' file.

3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

The 'Scheduled Visits.exe' file was a password-protected archive containing the Excel spreadsheet file 'Scheduled
Visits.xls', where the password was "goodtimes" as discovered in 2) above. The file listed
dates for the following schools in addition to Smith Hill High School:

• Key High School
• Leetch High School
• Birard High School
• Richter High School
• Hull High School


4. For each file, what processes were taken by the suspect to mask them from others?

'cover page.jpgc'
This file's metadata was wrongly pointing to sector 451 on the disk for its data clusters,
instead of correctly pointing to 73. A normal attempt to open the file would not have been
able to access the real data.


'Jimmy Jungle.doc'
The investigation tool showed that this file had been deleted, but it was easily recovered by the
Prodiscover tool.

‘Scheduled Visits.exe’
The length for this file was indicated to be just 1000 bytes – but the actual length was 2560
bytes. The file was also password protected. The extension of the file did not match the file
type. It turned out that there was an archived file which contained a Microsoft Excel file that
exposed the list of high schools.



5. What processes were used to successfully examine the entire contents of each file?

The Prodiscover tool was able to retrieve information about the files. The detail of the
investigation process is described in the main text of this report.




ADDENDUM 3
Prodiscover's screen layout

The screen layout is shown below. There are three main panes. The left pane is referred to as
the Tree-view, called Pane A in this document, the right top area is referred to as the Work
area called Pane B in this document, and the right bottom pane is referred as the Data View
area, called Pane C in this document.

[Figure: Prodiscover screen layout. Button Menu across the top; Tree View Area (Pane A) on the
left; Work Area (Pane B) top right; Data View Area (Pane C) bottom right.]


Below is shown the Button bar – sometimes called a Toolbar.



