This is a forensic report that entailed extracting some data from a hard drive. The hard drive included some information, some of which were to be extracted at the request of the police, who had been granted permission by the judge to do so.
The suspicious drive was subjected to a logical digital forensic investigation and analysis using Linux. A digital forensic examination and analysis of the suspect image was conducted in order to identify any possible illegal hacking activity per the search warrant (password hacking).
Care was to be taken so that incase of secondary illegal activities apart from the one ordered to conduct, reporting was to be done so as to be given afresh permission to conduct further forensics into the hard drive so as to involve new finding.
2.0 Task Summary
The following resources were used during the forensic exercise:
NIXFOR01, A Linux Forensic VM (Virtual Machine).
Linux virtual machine
Hard Drive
Forensic work station. (lab for this case)
Additional storage device for storing of evidence copied from the evidence hard disk.
FTK (Forensic Toolkit) imager installed.
The window system was WINFOR01.
The task was conducted using varied facilities and the below procedure using the above stated resources.
Case Examination Assumptions:
IF YOU FIND EVIDENCE OF ANY OF THE ABOVE-LISTED ADDITIONAL CRIMINAL ACTIVITIES, YOU MUST ACKNOLEDGE IT IN YOUR NOTES AND IN YOUR LAB REPORT AS A BASIS FOR REQUESTING A SEARCH WARRANT.
The file “UpdatedLab.dd” was downloaded from the project resources download page to lab virtual machines “Downloads” folder as instructed in using the command “~/Downloads/lab2” running on the command line prompt. Thereafter, all workings were done from the “Downloads” folder of lab Virtual Machine “NIXATK01”, as the evidence folder.
Emphasis was put on running the date command before running each command identified in the assignment as a way of coming up with valid results.
Required:
Access to Virtual Lab Environment
Virtual Machine Credentials
Username: StudentFirst
Password: Cyb3rl@b
Steps to access the Linux Virtual Machine
Forensic Procedures
1. Evidence was received
In the NIXFOR01 VM:
Compare your hash value number above to the Original file hash value below for the
“UpdatedLab.dd” file image;
Original 42ba069b68620a8c0ea6c4804c9e371d1bb358ba “UpdatedLab.dd”
b. Verify that lab2 directory exists
5. Mount the image on the new directory:
Verify that the image mounted is properly by running, :
Change directory to lab2:
Create a hash set for all the files on the hard drive (mounted image).
Repeat Steps 8 and Step 8a above to locate the following hash value strings:
only one was found 13f26a0a1
________________________________________
Identify where each hash value you found is located?
Report your hash value findings in your notes!
To display the content of “john.stat” type the following command while still in the “run” directory shown above:
Note the different file date and time stamps above (access, modify, change).
List the file changes below:
John.exe was changed on __2012_07_26 at 06:51:10.
John.exe was last accessed on _____2012_07_25 at 20:00:00.
Explain what this date and date stamp data means? The data shows that the time of access and time of change vary in that changes were made after they have been accessed meaning that the changes are self-generated and not direct manipulation by the one accessing
The John.exe password cracking program saves passwords it has cracked to a file called ‘john.pot.’ See if the “john.pot” file exists using the following command to list all files in a long listing format.
If you find that the “john.pot” does exist in the file list, you can view the text file contents of the “john.pot” file using the following command in terminal while still in the “run” directory:
Explain what you found?
When command less john.pot is entered, the above information is displayed. This shows how the step search has not been completed and there are still steps to be done to finish the cracking process.
View the date and time stamps for all other password crackers you found by Repeating Steps 9a through 9d above for the following password cracker program strings:
a. Is there any indication that the programs were used? Explain.
The programs of cracking password were used as they contain similarities with what we have achieved in our practical as shown in the photo below:
Password Hash Search
Now, search for password hash strings. Password hash strings for a md5 hash are formatted as follows:
Review the output list above and make a note of your observations..
--------------------------------------------------------------
List the md5 - related files you found here
____________________________________________________ Where were the file(s) located?
What is the password for the following Users?
Vilkp?___________________________________
Showe?__________________________________ iii. Damad?__________________________________
12. Continue to search for evidence of password hacking (authorized in your original warrant).
Search for Graphic Files
Now, let’s search for graphics files.
Make a “graphics” file directory under “~/Downloads”. Call it ‘graphics’.
Change directory to the “graphics” directory and run the file command on each file:
b. Review and describe whether all file types match the file extensions displayed? _______________________________________________
Examining Graphic Files
Go to the Applications menu >Click Graphics> Click and open “gThumb”
In “gThumb”, view the files contained in the in the “graphics” directory.
a. Do you see anything that might make is necessary for you to request another search warrant to expand your authority to conduct a broader examination of the suspect hard drive? (Hint- You can refer to the list in Part I. Possible Illegal Activity Clues You May Find above) ________________________ If no, proceed to the next step.
Apart from the primary file in the hard disk, there was another file that I find it interesting and therefore I find the need to copy it to another folder for evidence purpose
Make a new directory called “compressed” in the Downloads directory.
Copy the “interesting” compressed file above into that newly created “compressed” directory.
The hard disk drive seems to contain more additional file and therefore I had no otherwise but to request for permission for secondary searching.
g. What happened?
You can do one of two things,
Password was guessed by searching the most common passwords used since the suspect could definitely not cooperate.
Note: What password worked for you? The password that worked zipped file is password
After being granted permission to search further for the other information in the hard drive, below were the findings:
This regular grep search looks for Visa or MasterCard number formats.
Command less creditcards.txt was used and the following less credit cards were displayed.
There are several credit cards contained in the file and some are working while others are dormant.
6.0 Chain of Custody
The hard drive for investigation was handed over for processing by me. Thereafter, it was stored and probably locked drawer where evidences are stored. Filling of the chain of custody form was then completed by the receiver of the document for forensic examination [1].
7.0 Opinions
Based on the above results, it is evident that the hard drive contained a lot of illegal activities and it is fair to say the hacking activities have been done. There are also files liked the zipped file that had the information of cards of victim
Useful info: Enhance your academic success with our professional lab report writing services.
8.0 References
Gogolin, G. (2013). Digital forensics explained. Boca Raton, FL: CRC Press.
Technical Working Group on Biological Evidence Preservation. (2013). The Biological Evidence Preservation Handbook: Best Practices for Evidence Handlers. U.S. Department of Commerce, National Institute of Standards and Technology.
Sammons, J. (2015). The basics of digital forensics: The primer for getting started in digital forensics.
Lab Manual
