Tutorial Rev1


Page 1: Tutorial Rev1

Note: the DotumChe font indicates the names of software, tools, menu options within a program, or directory (folder location) and file names. The NSimSun font indicates commands that are typed in.

Session 1

Preparation

Create a partition of 32MB on the USB flash disk
Note: this step is intended only to save time and storage space.

On the VirtualBox VM menu bar choose Devices>USB Devices>[your flash disk]
Note: attaches the USB flash disk to the Guest Operating System (the OS running inside the VirtualBox VM)


Page 2: Tutorial Rev1

Click the start menu (bottom-left corner), choose DEFT>Gparted and click it. Enter the Admin password, which is root.
Note: starts the Gparted program

In the top-right corner choose /dev/sdb
Note: selects the drive that will be partitioned

Click the area indicated by the arrow above. On the Partition menu bar click Delete, or click the icon.
Note: deletes the existing partition.

On the Partition menu bar click New and make sure the options match the following picture:


Page 3: Tutorial Rev1

Click the icon
Note: creates a 32MB partition with the fat32 file system

Make sure the pending operation looks like the following picture, then click the check mark
Note: executes the operation that is still pending

On the VirtualBox VM menu bar choose Devices>USB Devices>[your flash disk]
Note: "unplugs" the USB flash disk from the Guest Operating System.

Your USB flash disk will reappear on the Host Operating System.

Copying and deleting files on the USB flash disk
Copy the folder "File diCopy"
Delete the folder "File diCopy"

Imaging/Acquisition
On the VirtualBox VM menu bar choose Devices>USB Devices>[your flash disk]
Note: attaches the USB flash disk to the Guest Operating System

On the start menu click DEFT>Carving tools>TestDisk, then enter the password root.


Page 4: Tutorial Rev1

Select your flash disk, choose Proceed and press Enter. Choose Intel, press Enter. Choose Advanced, press Enter. Choose Image Creation, press Enter. Press 'C'.
Note: to move between options, use the arrow keys on the keyboard.

Note: acquires/creates an image of the active partition on your flash disk and places the result in the folder /home/deft/ as the file image.dd.

Recovery
Double-click LXTerminal on the desktop.
Note: opens/runs LXTerminal (similar to the command prompt on Windows)

Type photorec image.dd, press Enter. Choose Proceed, press Enter. Choose Search, press Enter. Choose Other, press Enter. Press 'C'.
Note: recovers files from the image that was created and places the result in the folder /home/deft/ as files inside the folder recup_dir.1


Page 5: Tutorial Rev1


Page 6: Tutorial Rev1

Session 2

Story Line

• “Oh god” is the first thought running through your mind as you crack open the door. An odious wafting of day old vomit, sweat, and stale cigar washes across you as the door moves from cracked to ajar. The room is pitch black, a dirty and exposed hallway light bulb does nothing to cut into the dark abyss of the room. Peering inside you see only shapes, but deep down you know it isn’t going to be pretty.

• It’s been three weeks since the PaulDotCom crew went missing. Through extensive research and cyberstalking, millions of PDC fans gathered information relating to their disappearance and hired you to find them. This is John Strand’s safe house, and a quick Google image search was all you needed to know about his seedy life. Who knows what’s in this room? Donning rubber gloves you feel for a light switch with your left hand, both intensely afraid and curious for what you are about to see. Wincing in anticipation you flick the switch with a “click”.

• Nothing happens. “Why do I always get the messed up jobs” you whisper to yourself, digging around in your black bag. Corporate espionage isn’t a clean game, but usually the tech jobs involve threatening geeks in suburban houses, not sneaking around what looks to be North Dakotan project housing. Pulling a sleek Pelican flashlight from the bag, you click it on and begin to survey the damage. Starting from the left you identify the location of the puke smell; there’s day old vomit trailing its way down peeling wallpaper toward a box of empty tequila bottles. Smell one located.

• Further to the right you spot a human shape on a couch. You freeze with the flashlight beam aimed at the shape. It’s Larry, wrapped in a dirty pink blanket almost too small to cover him, rocking back and forth and muttering something unintelligible. What’s he saying? You suspect it’s key. His fingers are pale as he grips a WRT54G router which appears to have twenty-four overlapping bites taken out of it. Seconds tick by. Nothing happens; he pays no attention to your entry. Smells two and three probably located. Your light continues its sweep as you spot a table hosting two 24” monitors surrounded by miscellaneous cables. Jackpot.

• Ignoring the rest of the room you step over martini glasses and other unidentified objects, making a beeline to the desk. The little voice in your head shouts “Damn! Damn! Damn!” There is evidence that someone left only recently. The scene is almost out of a second rate Hollywood movie, being so incredibly obvious: a puddle of spilled cosmopolitan makes apparent the distinct outlines where a laptop and external hard drive once sat.

• Disheartened, you rummage through the desk, hopeful of finding a forgotten USB drive or other storage device. No dice. You slide a few sticky quarters off of the desk (it’s not like you’re getting a per-diem) and continue the search – wait. One of the quarters… splits a little. You pick it up and play with it. Viola! A small micro SDHC card lies inside the quarter. Your heart starts beating faster. You have a clue.

Page 7: Tutorial Rev1

• As a matter of habit you go through the rest of the room, quietly, as the eerie sound of Larry chanting in the background never stops. Old coffee mugs, a dirty microwave, hundreds of empty frozen food wrappers, and magnetic buckyballs cover the floor like a sort of 21st century urban underbrush…and then you see something peculiar. A stack of hard drives sits in the corner. The top drive looks like someone shot it 7 or 8 times, a strange method for data destruction, but certainly an effective one. Rummaging through the stack of drives you find one at the bottom looking as if it survived the data massacre. Grabbing it, you give one last look around as you walk to the door. The sounds of Larry go from muffled to silent as you shut the door and make your exit.

Questions:
1. In his conversation with Larry, how old does juniorkeyy initially say she is?
2. What was the filename of the file that had the following SHA256 sum: e56931935bc60ac4c994eabd89b003a7ae221d941f1b026b05a7947a48dc9366?
3. What is the SHA1sum of the photo from the “dd” image that shows Larry taking a bite out of a wireless router?
4. What is the SHA1sum of the image that shows zombie Larry taking a bite out of a cat?


Page 8: Tutorial Rev1

Answer No. 1

Click Start Menu>DEFT>Analysis Tools>DFF. Enter the password root, click OK

On the menu bar, click File>Open Evidence File(s). Click the icon (not reproduced here).

Click the icon, then click the next icon (icons not reproduced here).

Double-click home, double-click deft, then double-click the file quarter-SDHC-snippet.dd, click Open, click OK.
Click the Logical Files section, double-click quarter-SDHC-snippet.dd


Page 9: Tutorial Rev1

If a warning appears, click Always. Double-click quarter-SDHC-snippet.dd again

Double-click partition

Double-click Partition1

If a warning appears, click Always. Double-click Partition1 again

Double-click NONAME

Double-click [root]


Page 10: Tutorial Rev1

Double-click chatlog2.txt

Answer No. 2

Double-click LXTerminal. Type photorec quarter-SDHC-snippet.dd, press Enter until the following appears:

Choose Proceed, press Enter; choose Search, press Enter; choose Other, press Enter; choose Whole, press Enter; press “C” until the following appears:


Page 11: Tutorial Rev1

Open LXTerminal, type sha256sum /home/deft/recup_dir.2/*, press Enter. Make sure the part shown in bold and underlined is the folder where you saved the recovered files.


Page 12: Tutorial Rev1


Page 13: Tutorial Rev1

Answers No. 3 and 4
Open LXTerminal, type sha1sum /home/deft/recup_dir.2/*
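The hashing steps for answers 2, 3 and 4 can be scripted instead of reading long sha256sum/sha1sum listings by eye. The following POSIX shell script is an added example, not part of this tutorial or of DEFT: it finds the recovered file whose SHA-256 matches a given sum, writes a SHA-1/SHA-256 manifest of a PhotoRec output folder, and re-verifies the dd image against a hash recorded right after acquisition. Function names, paths and the sample folder it builds are assumptions; the sample files are constructed, not real evidence.

```shell
#!/bin/sh
# Added example, not from the tutorial: helper functions for the hashing
# steps on a PhotoRec output folder (assumes coreutils sha1sum/sha256sum,
# as on DEFT; all paths are assumptions).

# find_by_sha256 DIR HASH: print the first regular file in DIR whose
# SHA-256 equals HASH (case-insensitive); exit status 1 if none matches.
find_by_sha256() {
    dir=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        got=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# hash_manifest DIR OUT: write one "sha1 sha256 path" line per recovered
# file to OUT (questions 3 and 4 ask for SHA-1), and print the file count.
hash_manifest() {
    dir=$1; out=$2
    : > "$out"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        s1=$(sha1sum "$f" | cut -d' ' -f1)
        s256=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$s1" "$s256" "$f" >> "$out"
        n=$((n + 1))
    done
    echo "$n"
}

# record_image_hash IMAGE: store IMAGE's SHA-256 in IMAGE.sha256 right after
# acquisition; verify_image IMAGE: succeed only if the image is unchanged.
record_image_hash() { sha256sum "$1" > "$1.sha256"; }
verify_image() { sha256sum -c "$1.sha256" > /dev/null 2>&1; }

# make_sample DIR: constructed stand-in for recup_dir.2 (not real evidence).
make_sample() {
    mkdir -p "$1"
    printf 'hello\n' > "$1/f0000001.txt"
    : > "$1/f0000002.jpg"
    printf 'not it\n' > "$1/f0000003.txt"
}
```

Source the file in LXTerminal and run, for example, `find_by_sha256 /home/deft/recup_dir.2 e56931935bc60ac4c994eabd89b003a7ae221d941f1b026b05a7947a48dc9366` to get the filename asked for in question 2 directly.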
