Examiners of Digital Forensics Report

This is a forensic report that entailed extracting some data from a hard drive. The hard drive included some information, some of which were to be extracted at the request of the police, who had been granted permission by the judge to do so.

The suspicious drive was subjected to a logical digital forensic investigation and analysis using Linux. A digital forensic examination and analysis of the suspect image was conducted in order to identify any possible illegal hacking activity per the search warrant (password hacking).

Care was to be taken so that incase of secondary illegal activities apart from the one ordered to conduct, reporting was to be done so as to be given afresh permission to conduct further forensics into the hard drive so as to involve new finding.

2.0 Task Summary

The following resources were used during the forensic exercise:

NIXFOR01, A Linux Forensic VM (Virtual Machine).

Linux virtual machine

Hard Drive

Forensic work station. (lab for this case)

Additional storage device for storing of evidence copied from the evidence hard disk.

FTK (Forensic Toolkit) imager installed.

The window system was WINFOR01.

The task was conducted using varied facilities and the below procedure using the above stated resources.

Case Examination Assumptions:


The file “UpdatedLab.dd” was downloaded from the project resources download page to lab virtual machines “Downloads” folder as instructed in using the command “~/Downloads/lab2” running on the command line prompt. Thereafter, all workings were done from the “Downloads” folder of lab Virtual Machine “NIXATK01”, as the evidence folder.

Emphasis was put on running the date command before running each command identified in the assignment as a way of coming up with valid results.


Access to Virtual Lab Environment

Virtual Machine Credentials

Username: StudentFirst

Password: Cyb3rl@b

Steps to access the Linux Virtual Machine

Forensic Procedures

1. Evidence was received

In the NIXFOR01 VM:

Compare your hash value number above to the Original file hash value below for the

“UpdatedLab.dd” file image;

Original 42ba069b68620a8c0ea6c4804c9e371d1bb358ba “UpdatedLab.dd”

b. Verify that lab2 directory exists

5. Mount the image on the new directory:

Verify that the image mounted is properly by running, :

Change directory to lab2:

Create a hash set for all the files on the hard drive (mounted image).

Repeat Steps 8 and Step 8a above to locate the following hash value strings:

only one was found 13f26a0a1


Identify where each hash value you found is located?

Report your hash value findings in your notes!

To display the content of “john.stat” type the following command while still in the “run” directory shown above:

Note the different file date and time stamps above (access, modify, change).

List the file changes below:

John.exe was changed on __2012_07_26 at 06:51:10.

John.exe was last accessed on _____2012_07_25 at 20:00:00.

Explain what this date and date stamp data means? The data shows that the time of access and time of change vary in that changes were made after they have been accessed meaning that the changes are self-generated and not direct manipulation by the one accessing

The John.exe password cracking program saves passwords it has cracked to a file called ‘john.pot.’ See if the “john.pot” file exists using the following command to list all files in a long listing format.

If you find that the “john.pot” does exist in the file list, you can view the text file contents of the “john.pot” file using the following command in terminal while still in the “run” directory:

Explain what you found?

When command less john.pot is entered, the above information is displayed. This shows how the step search has not been completed and there are still steps to be done to finish the cracking process.

View the date and time stamps for all other password crackers you found by Repeating Steps 9a through 9d above for the following password cracker program strings:

a. Is there any indication that the programs were used? Explain.

The programs of cracking password were used as they contain similarities with what we have achieved in our practical as shown in the photo below:

Password Hash Search

Now, search for password hash strings. Password hash strings for a md5 hash are formatted as follows:

Review the output list above and make a note of your observations..


List the md5 - related files you found here

____________________________________________________ Where were the file(s) located?

What is the password for the following Users?


Showe?__________________________________ iii. Damad?__________________________________

12. Continue to search for evidence of password hacking (authorized in your original warrant).

Search for Graphic Files

Now, let’s search for graphics files.

Make a “graphics” file directory under “~/Downloads”. Call it ‘graphics’.

Change directory to the “graphics” directory and run the file command on each file:

b. Review and describe whether all file types match the file extensions displayed? _______________________________________________

Examining Graphic Files

Go to the Applications menu >Click Graphics> Click and open “gThumb”

In “gThumb”, view the files contained in the in the “graphics” directory.

a. Do you see anything that might make is necessary for you to request another search warrant to expand your authority to conduct a broader examination of the suspect hard drive? (Hint- You can refer to the list in Part I. Possible Illegal Activity Clues You May Find above) ________________________ If no, proceed to the next step.

Apart from the primary file in the hard disk, there was another file that I find it interesting and therefore I find the need to copy it to another folder for evidence purpose

Make a new directory called “compressed” in the Downloads directory.

Copy the “interesting” compressed file above into that newly created “compressed” directory.

The hard disk drive seems to contain more additional file and therefore I had no otherwise but to request for permission for secondary searching.

g. What happened?

You can do one of two things,

Password was guessed by searching the most common passwords used since the suspect could definitely not cooperate.

Note: What password worked for you? The password that worked zipped file is password

After being granted permission to search further for the other information in the hard drive, below were the findings:

This regular grep search looks for Visa or MasterCard number formats.

Command less creditcards.txt was used and the following less credit cards were displayed.

There are several credit cards contained in the file and some are working while others are dormant.

6.0 Chain of Custody

The hard drive for investigation was handed over for processing by me. Thereafter, it was stored and probably locked drawer where evidences are stored. Filling of the chain of custody form was then completed by the receiver of the document for forensic examination [1].

7.0 Opinions

Based on the above results, it is evident that the hard drive contained a lot of illegal activities and it is fair to say the hacking activities have been done. There are also files liked the zipped file that had the information of cards of victim

Useful info: Enhance your academic success with our professional lab report writing services.

8.0 References

Gogolin, G. (2013). Digital forensics explained. Boca Raton, FL: CRC Press.

Technical Working Group on Biological Evidence Preservation. (2013). The Biological Evidence Preservation Handbook: Best Practices for Evidence Handlers. U.S. Department of Commerce, National Institute of Standards and Technology.

Sammons, J. (2015). The basics of digital forensics: The primer for getting started in digital forensics.

Lab Manual

Deadline is approaching?

Wait no more. Let us write you an essay from scratch

Receive Paper In 3 Hours
Calculate the Price
275 words
First order 15%
Total Price:
$38.07 $38.07
Calculating ellipsis
Hire an expert
This discount is valid only for orders of new customer and with the total more than 25$
This sample could have been used by your fellow student... Get your own unique essay on any topic and submit it by the deadline.

Find Out the Cost of Your Paper

Get Price