Lab 1
25 Jan 11
You will receive a suspect floppy disk and a Chain of Custody form from the instructor. You will need a blank floppy disk for this assignment. Keep a file called Lab1.doc throughout this assignment; there are numbered questions, and you are to place each question and your answer in the Lab1.doc file to turn in electronically. Take notes of all actions performed in a file called Report.xls; make your notes detailed enough that anyone can duplicate your work. This file will be submitted for review. You will also create an image acquisition report of the suspect floppy, floppy_img.001.txt, to turn in. A portion of your grade depends upon the evidence floppy not having been altered in any way.
A. Obtain the Evidence.
Obtain the suspect's floppy disk from the evidence custodian, FBI SuperAgent Finnegan. Be very careful with your evidence. If you lose the evidence, the replacement will cost you points from this assignment.

B. Chain of Custody.
Fill out the Chain of Custody (CoC) form that you will receive with the suspect's disk from SuperAgent Finnegan. He expects the original evidence and an appropriately filled out CoC form to be returned to him by the end of class. An incorrectly documented CoC form may cost you points on the assignment.

C. Set up your Forensics Lab.
Create a folder on your desktop and call it Forensics Lab. For this assignment, you will use several software tools. Download wipe.exe and dd.exe from the Blackboard site into this folder. The other tool, FTK Imager, is available from the Programs menu.

FTK Imager, from Access Data Corporation. This is a widely-used forensic tool for:
- Making an exact copy of a drive or folder
- Taking an MD5 or SHA-1 digital signature of a drive or file
- Determining properties of drives, folders or files
- Viewing files

dd.exe -- This program allows you to create an exact image of a logical partition or entire disk drive. The disk imaging reading discusses dd and how to use this Windows version of dd.

wipe.exe -- This program forensically sterilizes a disk, making it suitable as a target for acquisition.
D. Examiner's Notebook.
Every step that you perform on the evidence in this case, original or copy, should be described in this document. The document must start with a brief description of the case and your role as Computer Forensics Investigator. Your full name must appear. Then you will have a list of entries. Each entry must have a unique number, the date and time (to the second, in 24-hour military time) of the start and completion of each activity, the tool used, and the result. Here is an example entry:

Entry 6: Sept 27, 2006 14:14:50 EST started copy of suspect diskette serial number 1234-567 to diskette serial number X599-239F. Windows dd tool used on Dell workstation with Windows XP Service Pack 2 serial number 51873-005-9359797-09855. Completed at 14:17:48 EST. No errors evident.

E. Protect The Original Evidence.
The best way to ensure that the suspect's original floppy (evidence) is preserved is to physically block all writing to the floppy: if the floppy cannot be written to, it cannot be changed.

Question 1 (make sure that the floppy is write-protected before investigating the answers to these questions). How many files are there on the floppy? How many bytes of the floppy have been used?

F. Copy The Evidence.
Use FTK Imager's menu File->Create Disk Image. In the resulting dialog box, choose the Logical Drive radio button. In the resulting drop-down box, choose the floppy drive (A:).

Question 2: In the drop-down box described above, what other options are there? What does the item in square brackets next to each option mean?

In the next dialog box, click Add. This will pop up another dialog box asking for the image type; choose the Raw (dd) radio button. In the next dialog box, for the folder, browse to your forensics lab folder (see Part C), and for the file, name it floppy_img (it will add the file extension). In the next dialog box, click the Start button.
The imaging should take about two minutes and you will probably hear the floppy drive clicking or see the drive light on. After the imaging is complete, there will be two files in your forensic lab folder:
- floppy_img.001 -- This is the floppy disk image.
- floppy_img.001.txt -- This is the log of the imaging process.

Question 3. What is the size in bytes of the image file floppy_img.001 as found by right-clicking the file icon and choosing Properties? Why is it larger than the size reported in Question 1?

Question 4. How many bytes per sector and how many sectors are there on the floppy (as reported by FTK Imager in the floppy_img.001.txt file)? How many bytes is this in total? How does this relate to the answer from Question 3? Why?

Question 5. The log file reports an MD5 digital signature twice. What is each MD5 digital signature for? Why is it reported twice? What do you notice about these digital signatures? Why?

G. Sterilize The Target Disk.
Remove the suspect's original floppy from your floppy disk drive. Then insert another floppy disk into the floppy disk drive. Make sure that this new floppy is not write-protected. Open the Windows command prompt: go to Start>Run and type in "cmd" (if "cmd" doesn't work, type "command" instead). Navigate to the folder to which you downloaded dd.exe and wipe.exe (the rest of this assignment refers to this folder as your "forensics lab folder"). Execute the wipe program by typing
wipe \\.\A:
This should take a couple of minutes, and you should hear your floppy drive and/or see its light flashing.

H. Make an Exact Duplicate of the Suspect's Original Floppy Disk.
You should be in your forensics lab folder after Step G. Use the dd.exe program to perform the bit-by-bit copying from the image file to the new floppy. At the command prompt type:
dd if=floppy_img.001 of=\\.\a:
(spelled out: backslash backslash dot backslash a colon). The creation process should take a couple of minutes, and you should hear the floppy drive clicking as it writes the image. Note that this requires that the image file floppy_img.001 be in the forensics lab folder with the dd program, which is where Part F specified you were to save the image file.
Question 6. What is the MD5 digital signature of the new floppy? To get this, use FTK Imager: add the floppy as evidence as we did before, and use FTK's File>Verify Drive/Image menu. Take a screenshot of the resulting screen with the MD5 signature and place it in your Lab1.doc file next to Question 6. Is this signature the same as the one generated by FTK Imager on the suspect's original floppy? Why?

At this point, return the original evidence and the filled-out CoC form to SuperAgent Finnegan.

I. Search for Evidence On The Copy.
Remember that all steps you perform must be recorded in your running notes.

Step 1. Examine the contents of the copied floppy disk. Using Windows Explorer (Start->Run->"explorer"), look at the contents of the copied floppy disk. Open folders, but don't open any files.

Question 7. What is the MD5 digital signature of this disk after you looked around in Step 1? Is this signature the same as the one generated by FTK Imager on the suspect's original floppy? Why?

Step 2. Search the Floppy Disk for Evidence. Search the un-write-protected floppy using the Windows search program (Start->Search->For Files or Folders): search the A: drive for files of any name (leave the name field blank) containing the text "bomb".

Question 8. What is the MD5 digital signature of the floppy after the search in Step 2? Is this signature the same as the one generated by FTK Imager on the suspect's original floppy? Why?

Step 3. Restore, if necessary. If the signature in Question 8 is different, then restore the original by using dd to copy the image in the forensics lab folder on your hard drive to your floppy.

Step 4. Open a file. Open a file that contained the text "bomb" by double-clicking on the file.

Question 9. What is the MD5 digital signature of this floppy after opening the file in Step 4? Place a screenshot of the resulting FTK verification screen in your Lab1.doc file next to Question 9. Is this signature the same as the one generated by FTK Imager on the suspect's original floppy? Why?

Step 5. Restore, if necessary. If the signature in Question 9 is different, then restore the original by using dd to copy the image in the forensics lab folder on your hard drive to your floppy.

Step 6. Edit a file. Open a file that contained the text "bomb" and add a space character between "bomb" and "-ing". Save the file.

Question 10. What is the MD5 digital signature of this floppy after the editing in Step 6? Is this signature the same as the one generated by FTK Imager on the suspect's original floppy? Why?

Question 11. How does the above process change if we are duplicating a hard disk rather than a floppy disk?

J. Use FTK to discover anything new.
Question 12. Describe anything new you found with FTK.
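The acquisition, verification, sterilization and restore steps of Parts F through I, as an added Python example that is not part of the original handout and is not FTK Imager's or dd's own code. It builds a constructed 1.44 MB floppy (2880 sectors of 512 bytes, with two made-up file fragments), performs a dd-style sector-by-sector copy, records the two MD5 digests that the imaging log compares (source as read, image file re-read), checks that a wiped target is all zeros, and then shows that the Step 6 edit (a space inserted into "bombing") changes the disk's MD5 while restoring from the image brings it back to the original. The file names, sector offsets and contents are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Geometry of a standard 1.44 MB floppy: 2880 sectors of 512 bytes.
SECTOR_SIZE = 512
SECTOR_COUNT = 2880
FLOPPY_BYTES = SECTOR_SIZE * SECTOR_COUNT  # 1,474,560 bytes

# Constructed sample content (assumed for this example, not from any real disk).
FILE_OFFSET = SECTOR_SIZE * 33
FILE_TEXT = b"notes on a bombing plot"


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as a hex digest, the form FTK Imager reports."""
    return hashlib.md5(data).hexdigest()


def make_suspect_floppy() -> bytes:
    """Stand-in for the raw bytes of the suspect's floppy.

    Two short 'files' sit at arbitrary sector offsets; everything else is
    zero. This is constructed sample data, not a real FAT12 file system.
    """
    media = bytearray(FLOPPY_BYTES)
    media[FILE_OFFSET:FILE_OFFSET + len(FILE_TEXT)] = FILE_TEXT
    second = SECTOR_SIZE * 40
    media[second:second + 12] = b"grocery list"
    return bytes(media)


def acquire_image(device: bytes, image_path: str) -> dict:
    """Raw (dd-style) acquisition: copy every sector, then hash both sides.

    The imaging log lists two digests: one computed over the source as it was
    read, and one over the image file re-read from disk. They must match for
    the image to count as verified.
    """
    source_md5 = hashlib.md5()
    with open(image_path, "wb") as img:
        for s in range(SECTOR_COUNT):
            sector = device[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE]
            source_md5.update(sector)  # hashed as read, before it is written out
            img.write(sector)
    with open(image_path, "rb") as img:
        image_md5 = md5_hex(img.read())
    return {
        "bytes_per_sector": SECTOR_SIZE,
        "sectors": SECTOR_COUNT,
        "image_size": os.path.getsize(image_path),
        "source_md5": source_md5.hexdigest(),
        "image_md5": image_md5,
        "verified": source_md5.hexdigest() == image_md5,
    }


def is_sterile(target: bytes) -> bool:
    """True when the target holds only zero bytes, as wipe.exe should leave it."""
    return len(target) == FLOPPY_BYTES and target == bytes(FLOPPY_BYTES)


def restore_from_image(image_path: str) -> bytes:
    r"""Equivalent of dd if=floppy_img.001 of=\\.\a: -- the target becomes the image."""
    with open(image_path, "rb") as img:
        return img.read()


def run_lab() -> dict:
    """Walk through Parts F to I and report which digests matched."""
    suspect = make_suspect_floppy()
    with tempfile.TemporaryDirectory() as lab:
        image_path = os.path.join(lab, "floppy_img.001")
        log = acquire_image(suspect, image_path)

        target = bytes(FLOPPY_BYTES)            # freshly wiped target floppy
        sterile = is_sterile(target)
        working = restore_from_image(image_path)
        copy_matches = md5_hex(working) == log["source_md5"]

        # Step 6: insert a space so "bombing" becomes "bomb ing". Any change
        # to a single byte anywhere on the disk yields a different digest.
        edited = bytearray(working)
        new_text = FILE_TEXT.replace(b"bombing", b"bomb ing")
        edited[FILE_OFFSET:FILE_OFFSET + len(new_text)] = new_text
        edited_matches = md5_hex(bytes(edited)) == log["source_md5"]

        # Restore from the image, as Steps 3 and 5 direct, and re-verify.
        restored_matches = md5_hex(restore_from_image(image_path)) == log["source_md5"]

    return {
        "image_verified": log["verified"],
        "image_size": log["image_size"],
        "target_sterile": sterile,
        "copy_matches_original": copy_matches,
        "edited_matches_original": edited_matches,
        "restored_matches_original": restored_matches,
    }


if __name__ == "__main__":
    for key, value in run_lab().items():
        print(f"{key}: {value}")
```

The image size equals bytes per sector times sector count regardless of how many bytes the file system reports as used, because a raw acquisition copies unallocated sectors and slack space too; that is why the image is larger than the "used" figure from Question 1 and why the two digests in the log are compared before the image is trusted.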
Report.xls
Note: do not place the actual floppy image (floppy_img.001) in the archive. Call the archive file <group_name>_lab1.zip.

Upload. Upload the zip file to the Blackboard site. Turn in a forensically sound copy of the original evidence disk upon completion of the lab.