Digital Forensics
Exercise #1:

Please submit all answers on Blackboard!

Materials and Programs:
- Villanova_CSC4450_Forensics virtual machine: all objectives should be done within your virtual environment.
- EnCase Imager (needed for Objective #2) (download link)
- OPTIONAL EXERCISE: Kali Linux Boot CD (download link)

Objective #1 - Creating a forensic image of a local device:
Be sure the virtual machine is turned off before adding the following virtual drives.
- Add a 1GB virtual hard drive to your Villanova_CSC4450_Forensics virtual machine. I would recommend the following settings:
  - Hard disk file type = VDI
  - Storage on physical hard drive = Dynamically allocated
  - File location and size = FAT32.vdi & 1 GB
  - Format this virtual drive as a Master Boot Record, FAT32 volume
- Add a 2GB virtual hard drive to your Villanova_CSC4450_Forensics virtual machine. I would recommend the following settings:
  - Hard disk file type = VDI
  - Storage on physical hard drive = Dynamically allocated
  - File location and size = NTFS.vdi & 2 GB
  - Format this virtual drive as a Master Boot Record, NTFS volume

- Copy two small files of any type (e.g. text files, graphic files, Adobe files, Office documents, etc.) to your 1GB FAT32 virtual hard drive.
- Delete one of the files you just copied to the 1GB FAT32 virtual hard drive.
- Using FTK Imager, create an E01 and a raw (DD) forensic image of your 1GB FAT32 virtual hard drive. You can save the forensic image files to the desktop of your virtual machine.
- Once complete, open and compare the acquisition log files.
1. What is the MD5 hash value of the E01 forensic image?
2. What is the file size of the E01 forensic image?
3. What is the MD5 hash value of the DD forensic image?
4. What is the file size of the DD forensic image?
- Open the forensic image files (E01 or DD) in FTK Imager and explore the contents.
5. Did you find your deleted file in the root folder?

Objective #2 - Preparing target/destination media for forensic use (i.e. sanitizing and/or wiping):
Verify that you don't need any files on your 1GB FAT32 virtual hard drive!
Double check that you don't need any files on your 1GB FAT32 virtual hard drive!
Triple check that you don't need any files on your 1GB FAT32 virtual hard drive!
- Wipe your 1GB FAT32 virtual hard drive using Guidance Software's EnCase Imager.
  - Launch EnCase Imager
  - Click on TOOLS
  - Select WIPE DRIVE
  - Select NEXT
  - Select the physical 1GB virtual hard drive (Be sure to choose the correct drive when wiping devices in a real scenario!)
    (screenshot omitted: example of what you should see)
  - Select VERIFY WIPED SECTORS
  - Provide a WIPE CHARACTER in HEX (default is 00): choose 0xDF
  - Select FINISHED
  - Type YES
- Now it is time to "second-guess yourself" that you actually selected the right drive to wipe!
- Launch FTK Imager
- Add the physical 1GB drive as an evidence item
- Verify that all sectors are reporting the value of 0xDF (or whatever hex value was used in the wiping process).
- Create an E01 forensic image of your 1GB FAT32 virtual hard drive. You can save the forensic image file to the desktop of your virtual machine.
6. What is the MD5 hash value of the E01 forensic image?
7. What is the file size of the E01 forensic image?
8. Why is it important to wipe all staging media that will be used for forensic analysis?
9. Forensic investigators work with hard disk forensic images because:
   A. The image files are smaller than the actual hard disk files
   B. Only the image files contain forensic evidence
   C. The image file can be safely examined without damaging the original evidence
   D. The original storage device cannot be analyzed without the original computer
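The two checks that Objectives #1 and #2 ask you to read off FTK Imager, hashing an acquired raw (DD) image and confirming that every sector of a wiped drive holds the wipe byte, can also be done programmatically. The following Python script is an added example, not part of the exercise materials or of FTK Imager/EnCase: it hashes a raw image in chunks (the same way an acquisition log's verification hash is built, without loading the whole file into memory) and scans the image sector by sector for anything other than the 0xDF wipe pattern, reporting the sector numbers that were missed. The file names and the small sample image it builds are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512


def hash_image(path, algorithms=("md5", "sha1"), chunk_size=1024 * 1024):
    """Hash a raw (DD) image in chunks so a multi-GB file never has to fit in RAM.
    Returns {algorithm: hexdigest} plus the number of bytes hashed (the image size)."""
    digests = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
            size += len(chunk)
    report = {name: d.hexdigest() for name, d in digests.items()}
    report["bytes"] = size
    return report


def find_unwiped_sectors(path, wipe_byte=0xDF, sector_size=SECTOR_SIZE, chunk_size=1024 * 1024):
    """Scan a raw image (or a device node opened read-only) and return the numbers of all
    sectors containing any byte other than wipe_byte. An empty list means the wipe verified."""
    clean_chunk = bytes([wipe_byte]) * chunk_size
    unwiped = []
    offset = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            # Fast path: one comparison per chunk; only a dirty chunk gets the per-sector scan.
            if chunk != clean_chunk[:len(chunk)]:
                for i in range(0, len(chunk), sector_size):
                    if any(b != wipe_byte for b in chunk[i:i + sector_size]):
                        unwiped.append((offset + i) // sector_size)
            offset += len(chunk)
    return unwiped


def build_sample_image(path, sectors=64, wipe_byte=0xDF, dirty_sectors=(5, 40)):
    """Constructed test image (not a real acquisition): every sector is wipe_byte except
    dirty_sectors, which keep leftover data the way an interrupted or mis-targeted wipe would."""
    with open(path, "wb") as f:
        for n in range(sectors):
            if n in dirty_sectors:
                f.write(b"leftover file data".ljust(SECTOR_SIZE, b"\x00"))
            else:
                f.write(bytes([wipe_byte]) * SECTOR_SIZE)
    return path


def demo(dirty_sectors=(5, 40)):
    """Build the sample image, hash it, verify the wipe, and return both results."""
    workdir = tempfile.mkdtemp()
    image = build_sample_image(os.path.join(workdir, "FAT32.dd"), dirty_sectors=dirty_sectors)
    report = {"hashes": hash_image(image), "unwiped_sectors": find_unwiped_sectors(image)}
    os.remove(image)
    os.rmdir(workdir)
    return report


if __name__ == "__main__":
    result = demo()
    print("MD5 :", result["hashes"]["md5"])
    print("SHA1:", result["hashes"]["sha1"])
    print("size:", result["hashes"]["bytes"], "bytes")
    print("sectors not holding 0xDF:", result["unwiped_sectors"])
```

Point hash_image and find_unwiped_sectors at the FAT32 DD image from Objective #1 (or, on Linux, at a device node opened read-only) to reproduce the checks outside the GUI. One caveat when comparing with the acquisition logs: hashing a .E01 file with hash_image gives the hash of the compressed container file, not the verification hash that the imager writes to its log, which is computed over the acquired sector stream.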

Objective #3 (OPTIONAL) – Create a forensic image using Kali Linux Boot CD
Follow the steps detailed in the following link: http://nest.unm.edu/files/2713/9251/5584/Tutorial_5_-_Kali_-_dcfldd_Imaging.pdf



Objective #4 (OPTIONAL) - Create a forensic image over the network using Kali Linux Boot CD
You can use two physical machines as long as they are on the same network, or use two virtual machines.
Create two new virtual machines:
- Suspect
  - 1 GB virtual hard drive
  - 256 MB RAM or 512 MB RAM depending on your laptop's capabilities
  - Configure the network adapter to "Bridged"
  - Configure the CDROM to use a copy of the Kali Boot CD.
- Target
  - 3 GB virtual hard drive
  - 256 MB RAM or 512 MB RAM depending on your laptop's capabilities
  - Configure the network adapter to "Bridged"
  - Configure the CDROM to use another copy of the Kali Boot CD.
Boot each virtual machine.
Configure the SUSPECT virtual machine
- Open Terminal
- Configure the Suspect's IP address to 192.168.0.2
    ifconfig eth0 192.168.0.2
- Partition the 1 GB hard drive
    fdisk -l (this command lists all of the hard drives attached to the VM. There should only be one (i.e. /dev/sda)).
    fdisk /dev/sda
    n (for new partition)
    p (for primary)
    ENTER (accept the default value)
    ENTER (accept the default value)
    w (write the new partition table to disk)
- Format the newly created partition with an NTFS volume
    mkntfs /dev/sda1
Configure the TARGET virtual machine
- Open Terminal
- Configure the Target's IP address to 192.168.0.1
    ifconfig eth0 192.168.0.1
- Partition the 3 GB hard drive
    fdisk -l (this command lists all of the hard drives attached to the virtual machine. There should only be one (i.e. /dev/sda)).
    fdisk /dev/sda
    n (for new partition)
    p (for primary)
    ENTER (accept the default value)
    ENTER (accept the default value)
    w (write the new partition table to disk)
- Format the newly created partition with an NTFS volume
    mkntfs /dev/sda1
- Mount the newly created volume
    Create a mount point
    mkdir /media/hd
    Mount the volume
    mount /dev/sda1 /media/hd
Start the netcat listener on TARGET
- Open Terminal
- nc -nlvp 3333 | dcfldd of=/media/hd/suspect.dd (write the image onto the mounted 3 GB volume; a path under / would land on the live CD's RAM-backed root filesystem, not on the target disk)
Start the netcat sender on SUSPECT
- Open Terminal
- dcfldd if=/dev/sda1 | nc 192.168.0.1 3333
The acquisition process will start and you should see activity on the TARGET virtual machine.

When you see the following on the SUSPECT virtual machine, hit CONTROL-C to stop the process.
You should see the following on the TARGET virtual machine after hitting CONTROL-C on the SUSPECT virtual machine.
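The netcat/dcfldd pipeline above moves raw sectors from the SUSPECT to the TARGET, but nothing in it proves that what landed in suspect.dd is what left /dev/sda1: a dropped connection, a bad sector on the target disk, or anyone else on the bridged network who connects to port 3333 first can all change the stored image. The Python script below is an added example, not part of the exercise or of dcfldd/netcat: it plays both roles on localhost (the listener that writes the image, and the sender that streams a constructed stand-in for /dev/sda1 sector by sector), hashes the data independently on each side, re-hashes the file that was written, and reports whether all three agree. It then flips one byte in the stored copy to show the mismatch an examiner would catch. The port, file names and sample device contents are constructed for the demonstration.

```python
import hashlib
import os
import socket
import tempfile
import threading

SECTOR = 512


def receive_image(listening_socket, dest_path):
    """TARGET side, the role of `nc -nlvp 3333 | dcfldd of=...`: accept one connection,
    write every received byte to dest_path, and return (bytes_written, md5_of_stream)."""
    conn, _peer = listening_socket.accept()
    digest = hashlib.md5()
    written = 0
    with conn, open(dest_path, "wb") as out:
        while True:
            data = conn.recv(64 * 1024)
            if not data:            # sender closed its write side: end of image
                break
            out.write(data)
            digest.update(data)
            written += len(data)
    return written, digest.hexdigest()


def send_image(source_path, host, port):
    """SUSPECT side, the role of `dcfldd if=/dev/sda1 | nc 192.168.0.1 3333`: stream the
    source sector by sector and return (bytes_sent, md5) computed locally, before the network."""
    digest = hashlib.md5()
    sent = 0
    with socket.create_connection((host, port)) as sock, open(source_path, "rb") as src:
        while True:
            block = src.read(SECTOR)
            if not block:
                break
            digest.update(block)
            sock.sendall(block)
            sent += len(block)
        sock.shutdown(socket.SHUT_WR)   # signal EOF to the listener instead of relying on CONTROL-C
    return sent, digest.hexdigest()


def md5_of_file(path):
    """Re-hash what actually landed on the target disk, in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_over_network(source_path, dest_path):
    """Run both roles on localhost and return the verification record an examiner would keep."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # port 0 = any free port; the lab uses 3333
    listener.listen(1)
    port = listener.getsockname()[1]
    target_result = {}
    worker = threading.Thread(
        target=lambda: target_result.update(out=receive_image(listener, dest_path)))
    worker.start()
    sent, suspect_md5 = send_image(source_path, "127.0.0.1", port)
    worker.join()
    listener.close()
    received, target_md5 = target_result["out"]
    return {
        "bytes_sent": sent,
        "bytes_received": received,
        "suspect_md5": suspect_md5,
        "target_md5": target_md5,
        "verified": sent == received and suspect_md5 == target_md5 == md5_of_file(dest_path),
    }


def build_sample_device(path, sectors=200):
    """Constructed stand-in for /dev/sda1: each sector carries its own number so the content is not uniform."""
    with open(path, "wb") as f:
        for n in range(sectors):
            f.write(f"sector {n:06d} ".encode().ljust(SECTOR, b"\xaa"))
    return path


def demo(sectors=200):
    workdir = tempfile.mkdtemp()
    source = build_sample_device(os.path.join(workdir, "suspect_sda1"), sectors)
    dest = os.path.join(workdir, "suspect.dd")
    record = acquire_over_network(source, dest)
    # Simulate one altered byte in the stored image (bad sector, tampering, truncated copy):
    # the stored-file hash no longer matches the hash taken on the suspect side.
    with open(dest, "r+b") as f:
        f.seek(7 * SECTOR)
        f.write(b"\x00")
    record["tampered_copy_still_matches"] = md5_of_file(dest) == record["suspect_md5"]
    for p in (source, dest):
        os.remove(p)
    os.rmdir(workdir)
    return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the real lab the equivalent of send_image's local hash is dcfldd's own hashing on the SUSPECT side (its hash=md5 and hashlog= options write the source hash to a file as the image streams out), which is then compared with a hash of suspect.dd on the TARGET. Because the netcat listener accepts the first connection from anywhere on the bridged segment, doing the acquisition on an isolated network (or a direct link between the two machines) and recording both hashes is what makes the resulting image defensible.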
