CSEC650 Lab Assignment 1
Transcript of CSEC650 Lab Assignment 1
Disclaimer/Caveat/Disclosure/Whateveryouwouldliketocallthis:
You are more than welcome to use my lab work below as a reference. But, please be smart and do not simply copy and paste because your Prof. or TA will know. Just like you, they have access to this website as well. So be nice and smart and don't set yourself up for a failure; at the very least you should rephrase/paraphrase/reword/Whateveryouprefertocallthis. Just a suggestion, but at the end of the day, it will be your decision. :)
Also, I have got at the very least 90% in each of my lab work, but that DOES NOT guarantee that you will get the same. It depends almost exclusively on how your professor looks at your response and how s/he grades. The ones that I got were awesome professors and my work and my points went across to them, hence the higher grade. So, basically what I am trying to say here is that if you score less than 90% while using my lab work as reference or as a whole, don't curse me out, you just got a stricter professor. :)
(PS. This is the graded paper with my professor's comments on the right. Thanks)
Part I: Lab Deliverables (30 points):
A. Screenshots (10 points):
Capture and paste the following five screenshots you captured during your lab work in this order. Give a one-sentence short description at the beginning of each screenshot to describe what it is about.
1. A screenshot of Device Info similar to (may not be exactly the same as) the illustration in Step 10 of the Lab1-Write-up.
The screenshot shows the details of the drive, including the make, model, size, and the interface of the drive.
2. A screenshot of Imaging in Progress similar to (may not be exactly the same as) the illustration in Step 16 of the Lab1-Write-up.
The system is verifying the data from the VMware drive.
3. A screenshot of Verification Success similar to (may not be exactly the same as) the illustration in Step 18 of the Lab1-Write-up with a “Verify Successful” message.
The system successfully verified the data on VMware drive.
4. A screenshot of Chain of Custody with Hash value similar to (may not be exactly the same as) the illustration in Step 19 of the Lab1-Write-up.
This screen shot gives the Evidence Chain of Custody form for the VMware drive.
5. A screenshot of creating Chain of Custody PDF form similar to (may not be exactly the same as) the illustration in Step 20 of the Lab1-Write-up.
The screen shot confirms that the pdf file, COC-201327701.pdf, has been created for the VMware drive and is saved in the /media/sdb1/ folder.
Screen shot below shows that three files (log, pdf and dd) were created:
B. Log of Forensic Analysis (10 points):
Create a numbered list or table to document the important step-by-step actions taken by the examiner sequentially for the digital forensic work in this case. Include date, time, devices, tools, data files, and any logs generated. You only need to describe the data files and logs; no need to attach them.
1. Log in to Adepto using your username and the case number. (If you don't have a personal case number, leave the default case number.)
2. Choose the device from the drop-down menu and wait until Adepto imports the details of the device into the fields below the drop-down menu.
3. Note that the Make, Model and Serial number fields can be modified by the user. Size, sectors and bus type are imported directly and cannot be modified. Compare the editable fields against the label on the physical device before acquiring, because the Chain of Custody form is generated from them.
4. Next, select the "Acquire" tab at the top and fill in the fields. In this case the image type is DCFLDD, the hash is MD5 and the segment size is 1024 MB, with the image file named lab1CSEC650.dd.
5. Click Start to begin image creation. Depending on the size of the media, the process can take from a few seconds to a few minutes. Wait until the process ends and shows "Verify Successful" at the bottom; if verification fails, the hash of the image did not match the source and the image must not be used.
6. Click the "Restore/Clone" tab at the top if the drive is to be restored or cloned. To restore, choose the image file and write it either to a different device or to a separate file. To clone, choose the source device from the drop-down menu and the destination device that the source is to be cloned onto. Both operations write to the destination, so confirm that the destination is never the evidence device.
7. Click the "Log" tab at the top to see the log of all activity performed during acquisition. The log records information about the media device as well as about the machine the media is connected to, including the CPU, motherboard, RAM and other hardware components.
8. Click the "Chain of Custody" tab at the top to see the main information about the device, the user who accessed the device and the images that were created. In the same tab, the user can create a PDF of the Chain of Custody form for use later in the examination.
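As an added example (not Adepto's or dcfldd's own code), the following Python script reproduces what steps 4, 5 and 8 above do underneath the GUI, and what dcfldd's hash= and split= options do in answer 1 below: it copies a constructed "drive" into fixed-size segments, hashes the stream once while copying (recording MD5 and SHA-256 rather than MD5 alone), re-reads the segments to verify the recorded hashes, and returns a minimal chain-of-custody record. The image name, the 4 KiB segment size, the examiner placeholder and the sample media are this example's own assumptions.

```python
"""Added example (not Adepto's or dcfldd's code): segmented acquisition with
on-the-fly hashing, post-copy verification and a chain-of-custody record."""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone


def acquire(source, dest_dir, base_name, segment_size, algorithms=("md5", "sha256")):
    """Copy the readable binary stream `source` into dest_dir/base_name.000,
    .001, ... and hash the stream once while copying, as dcfldd's hash= and
    split= options do.  Returns the chain-of-custody record for the image."""
    hashes = {a: hashlib.new(a) for a in algorithms}
    segments = []
    while True:
        chunk = source.read(segment_size)
        if not chunk:
            break
        path = os.path.join(dest_dir, "%s.%03d" % (base_name, len(segments)))
        with open(path, "wb") as out:
            out.write(chunk)
        for h in hashes.values():
            h.update(chunk)
        segments.append(path)
    return {
        "image": base_name,
        "segments": segments,
        "size": sum(os.path.getsize(p) for p in segments),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": "examiner-name",  # constructed placeholder
        "hashes": {a: h.hexdigest() for a, h in hashes.items()},
    }


def verify(record):
    """Re-read every segment in order and recompute each recorded hash.
    Any mismatch means the image no longer matches what was acquired."""
    hashes = {a: hashlib.new(a) for a in record["hashes"]}
    for path in record["segments"]:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(1 << 16), b""):
                for h in hashes.values():
                    h.update(block)
    return all(h.hexdigest() == record["hashes"][a] for a, h in hashes.items())


def run_demo():
    """Image a constructed 9 KiB 'drive' in 4 KiB segments, verify it, then
    flip one bit in the last segment and verify again."""
    drive = bytes(range(256)) * 36  # constructed sample media, 9216 bytes
    with tempfile.TemporaryDirectory() as workdir:
        record = acquire(io.BytesIO(drive), workdir, "lab1CSEC650.dd", 4096)
        clean = verify(record)
        last = record["segments"][-1]
        with open(last, "rb") as f:
            data = bytearray(f.read())
        data[0] ^= 0x01  # simulate a single-bit change after acquisition
        with open(last, "wb") as f:
            f.write(data)
        tampered = verify(record)
    return {
        "segments": len(record["segments"]),
        "md5": record["hashes"]["md5"],
        "md5_matches_whole_stream": record["hashes"]["md5"] == hashlib.md5(drive).hexdigest(),
        "verified_clean": clean,
        "verified_after_tamper": tampered,
    }


ACQUISITION_DEMO = run_demo()

if __name__ == "__main__":
    for key, value in ACQUISITION_DEMO.items():
        print(key, value)
```

The hash over the concatenated segments equals the hash of the whole source, which is why a segmented image can still be verified against a single value recorded on the Chain of Custody form; a one-bit change in any segment makes verification fail.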
C. Report Letter to the Professor (10 points):
Write a letter to the Professor listing and explaining clearly and concisely what was attempted, what failed, what was successful, and what was learned through the lab work.
October 6th 2013
Professor
University
Dear Mr. Professor,
The reason for this letter is to inform you about the lab test that was run on the VMware virtual drive. The letter will give you the details of the steps taken and the results that came out of the test.
The test was performed using the Adepto imaging program on the Helix Live CD. The test was performed on a 279MB VMware drive that was connected using the SCSI bus. The image was created in the DCFLDD format using the MD5 hash.
The test was started at 09:14:34pm on October 4th 2013, and was verified at 09:14:52pm. The test stopped at 09:14:56pm after the successful verification of the image. After the image was created, a Chain of Custody form was created, showing the details of the drive, the hash, the user and the image file format, along with its name. Once it was confirmed that all of the information was valid, a pdf file was created from the Chain of Custody form for future reference.
The lab gave an opportunity to perform tests on the VMware drive using the Adepto imaging program in the Linux environment. This lab was helpful in understanding the uses and functions of Adepto, which will be useful in performing forensics on other media devices in the future.
Sincerely,
My Name
Part II: Lab Questions (70 points):
Give your answer to each of the following questions based on your lab work and relevant readings. The original question must be visible. Each answer should be within one or two paragraphs and should be clear and correct in grammar. Any citations of sources should follow proper APA format with a reference section at the end of your Part II answers.
1. What types of forensic image formats does Adepto support?
Adepto is a graphical (GUI) imaging program included on the Helix Live CD. It is used to acquire forensically sound images of hard drives and other media.
Adepto supports two forensic image formats: DCFLDD and AFF.
DCFLDD (dcfldd, developed at the Defense Computer Forensics Laboratory) is an enhanced version of GNU dd with features useful for forensics and security. Key features include on-the-fly hashing of the data as it is copied, status output showing progress, splitting the output into fixed-size segments, and faster disk wiping (SourceForge, 2013).
AFF, the Advanced Forensic Format, is an open and extensible image format that is unencumbered by patents and trade secrets. Its open-source implementation is distributed under a license that allows its code to be freely integrated into other open-source and proprietary programs (Garfinkel et al., 2006). Unlike a raw dd image, an AFF file can carry metadata such as hashes, device details and acquisition notes inside the image file itself.
2. What kind of write blocking does Helix provide?
Like most Linux-based forensic imagers, Helix provides software write blocking: it treats evidence devices as read-only by default. Helix is a Linux Live CD forensic distribution that does not automatically mount media, which makes it suitable as a software write blocker. A common problem with other Live CDs is that they mount swap partitions when they boot, possibly altering data. Helix will not mount any swap partitions (any partitions it does mount are mounted read-only), which preserves data, MAC (Modified, Accessed, Changed/Created) times and other file metadata. This allows Helix to acquire evidence without a hardware write-block device (Harris, n.d.). One caveat: a read-only mount alone is not a guarantee. Mounting a journaled ext3/ext4 file system read-only can still replay its journal unless the noload option is used, so the examiner should hash the source device before and after acquisition to demonstrate that it was not altered, and should use a hardware blocker when one is available.
3. Explain the advantages and disadvantages of different write-blocking techniques for forensic imaging.
There are two main types of write blocking: software write blocking and hardware write blocking.
Software write blocking:
Advantages:
The software write blocker is installed directly on the image acquisition workstation, and no additional hardware is necessary (lighter load, one less thing to fail, etc.).
It can generally use any interface available on the imaging workstation (and any interface added later), which avoids an additional purchase when a new storage interface is needed.
Disadvantages:
It generally still needs an external adapter of some sort to provide an interface to the drives being imaged (which negates the advantage of not carrying a physical write blocker).
It can be more difficult to explain to a non-technical person, and therefore more difficult to show that the write blocker is actually functioning if challenged.
It relies on complex underlying hardware and/or software (i.e. the operating system). Interaction between these components adds complexity and introduces the possibility of failure through updates, upgrades, etc.
Hardware write blocking:
Advantages:
It does not rely on an underlying operating system or software subsystem.
It is easier to explain and generally makes more "sense" to non-technical people.
It gives a clear visual indication of function through physical lights and switches.
It generally provides built-in interfaces for a number of storage device types (IDE, SATA, etc.).
It appears to be more widely accepted in the general forensics community.
Disadvantages:
It is an additional piece of kit to carry around.
It is an additional piece of hardware that needs to be maintained and could fail.
It is generally restricted to the storage interfaces built into the device; additional interfaces cannot be added (Newton, 2010).
4. Why would a forensic examiner possibly select a different cryptographic hash type from MD5?
MD5 (Message-Digest algorithm 5) is a cryptographic one-way hash function. A hash function outputs a short, fixed-length value called a hash (an MD5 hash is usually written as 32 hexadecimal digits) from an input of any size, such as a file or a message. Hash functions have many uses in cryptography because any change to the input, accidental or deliberate, changes the resulting hash value. They are used in authentication mechanisms such as digital signatures and message authentication codes, and for verifying file integrity. For example, many software publishers publish the MD5 hash of their downloadable software so that users can check that the file has not been corrupted or tampered with.
However, because a hash algorithm maps data of any size to a short, fixed-length value, there are far more possible inputs than unique hash values, so some different inputs must produce the same hash. This is called a collision, and for a hash function to be considered cryptographically secure it must be computationally infeasible to find two inputs that hash to the same output (Cobb, 2010). MD5 fails this test: practical collision attacks have been public since 2004, and two different files with the same MD5 hash can be generated on an ordinary PC. A collision attack does not by itself let someone alter an already-hashed image without changing its hash (that would require a second-preimage attack, which is not known for MD5), but opposing counsel can still raise the known weakness. An examiner might therefore select a hash from the SHA-2 family such as SHA-256, or record two different hashes of the same image, so that the integrity of the evidence cannot be challenged on the grounds that the algorithm is broken. The MD5 rainbow tables published online are a separate matter: they recover short inputs such as passwords from unsalted MD5 hashes and do not produce collisions for files.
5. What is the MD5 hash value of your image in Lab 1?
MD5 Hash value = f71625daed269ba7145a6e6b27fcb89a
6. What are some reasons that make Helix a forensically sound method for forensic collection of digital evidence?
Helix is an incident response and computer forensics toolkit based on the popular Knoppix bootable Live CD. It contains dozens of tools for incident response on Windows and Linux systems. The Helix3 Enterprise edition facilitates centralized incident response, imaging of drives and volatile data, and scans and searches of a user's internet history and documents on any computer that has the Helix Agent pre-installed. The integrity of data in transit and within the Helix database is protected with 256-bit AES encryption (Krause, 2013).
Helix is easy to use: the examiner simply inserts the Helix Live CD into the machine and boots from the CD drive. The Helix CD provides the operating system and tools to audit and copy data from the suspect machine without writing to it. Booting into Helix provides a graphical menu for accessing the forensics tools, which allow bit-for-bit copies of data to other media, recovery of deleted files, detection of viruses (compromised systems are often booby-trapped to destroy evidence), searches for rootkits (used to hide an intruder's tracks), and searches for data hidden using steganographic methods (Sidel, 2007). Its forensic soundness rests on three properties: the tools run from read-only media, evidence devices are not mounted writable, and every image is hashed so that it can be verified later.
7. What is the significance of the Chain of Custody PDF form from Adepto? Why is it needed?
The Chain of Custody form from Adepto is a legal document that records who has had access to the media and the data taken from it. It contains information about the media, the date and time the evidence was collected, the name of the image file, the name of the investigator who created the image file, the MD5 hash value and the type of image that was saved.
During an investigation, one of the crucial steps is to show that the integrity of the data is intact; otherwise the data acquired from the media will hold no value in court. The Chain of Custody form lets the investigators identify who was in contact with the media and with the data found on it, and makes it easier to trace back through the handling if the need arises or if the integrity of the data is suspected to have been compromised. The hash recorded on the form is the reference value: anyone who later handles the image can recompute it and compare, and a mismatch pinpoints where in the chain the evidence changed.
8. What is the significance of the Adepto logs? Why are they needed?
The Adepto log is useful for storing information that helps the forensic examiner. It records the device details, the acquisition settings and hashes, and the hardware of the acquisition machine, so the examiner can go back to it to verify findings and to find any mistakes made during the acquisition. Because the log is generated by the tool at acquisition time, it is also a contemporaneous record that corroborates the examiner's own notes if the acquisition is questioned.
9. What is the significance of the forensic investigator’s individual reports and logs?
The reports and logs of the investigation include a list of all the evidence gathered, copies of printed documents listed as appendices, and an executive summary. In certain cases (e.g., to obtain a search warrant or to make a criminal charge), auditors may need to create interim reports. These reports are updated as new information is gathered, until the investigation is completed.
Reports and logs help the investigator explain his or her findings in court, if needed. For instance, a report can explain what made the company or auditor suspicious of the hard drive, how the hard drive was imaged, how the data was handled prior to analysis, where within the hard drive the evidence was found, and what the evidence means (Purita, 2006). The investigator's own notes also fill the gaps that tool logs cannot: why a decision was taken, what failed, and what was done about it.
10. Why are cryptographic hashes such as MD5 and SHA1 needed? Why would an investigator not use a CRC or some other value?
MD5 (128-bit) and SHA-1 (160-bit) are cryptographic hash functions. They do not encrypt information; they condense an input of any length into a fixed-size digest in such a way that it is infeasible to find another input with the same digest.
Although MD5 is no longer considered secure, since it is vulnerable to collision attacks (it has been demonstrated that two different files with the same MD5 hash can be created), it is still widely used to check file integrity. SHA-1 is stronger than MD5, though its design is derived from it and it also has known collision weaknesses, so SHA-256 is the better choice for new work. For general use both MD5 and SHA-1 are very efficient and will most likely remain in use for some time (DZone, 2010). For an investigator the important property is that MD5 and SHA-1 are designed to resist deliberate manipulation, whereas a CRC or a simple checksum is designed only to detect random transmission errors. A CRC is a linear function of the data, so anyone can modify a file and then adjust a few bytes to make the modified file's CRC match the original, and CRC-32 is only 32 bits long in any case. A cryptographic hash offers no such shortcut, so a matching hash demonstrates that the image is bit-for-bit identical to what was acquired, which is what must be shown in court.
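To make the CRC point concrete, here is an added example in Python that is not from any of the cited sources. It alters a constructed "evidence" file, then appends four bytes computed from CRC-32's linear structure so that the tampered file keeps the original CRC-32, while MD5 and SHA-256 both still detect the change. The file contents and the forge_crc32 helper are this example's own constructions; the CRC parameters are the standard ones used by zlib.crc32.

```python
"""Added example: why a CRC is not an integrity check against an adversary.
CRC-32 is linear over GF(2), so four appended bytes can force any CRC value;
cryptographic hashes such as MD5 and SHA-256 have no such shortcut."""
import hashlib
import zlib

# Standard reflected CRC-32 table (same parameters as zlib.crc32).
_POLY = 0xEDB88320
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ _POLY if c & 1 else c >> 1
    TABLE.append(c)
# Each table entry has a unique top byte; that is what lets us run the
# per-byte update step backwards.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}
if len(REV) != 256:
    raise RuntimeError("CRC table top bytes are not unique")


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return four bytes p such that zlib.crc32(data + p) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register after `data`
    v = target ^ 0xFFFFFFFF               # register we need after the patch
    for _ in range(4):                    # undo four byte-updates from the end
        idx = REV[v >> 24]
        v = ((v ^ TABLE[idx]) << 8) | idx
    # v now equals reg XOR the four patch bytes (little-endian).
    return (v ^ reg).to_bytes(4, "little")


def forge_works(data: bytes, target: int) -> bool:
    return zlib.crc32(data + forge_crc32(data, target)) == target


def integrity_report(original: bytes, candidate: bytes) -> dict:
    """Which checks would still say `candidate` matches `original`?"""
    return {
        "crc32": zlib.crc32(original) == zlib.crc32(candidate),
        "md5": hashlib.md5(original).digest() == hashlib.md5(candidate).digest(),
        "sha256": hashlib.sha256(original).digest() == hashlib.sha256(candidate).digest(),
    }


def run_demo() -> dict:
    # Constructed "evidence" file and a tampered copy of it.
    original = b"invoice total: 1,250.00 USD\n" * 8
    tampered = original.replace(b"1,250.00", b"9,250.00", 1)
    # Append four bytes so the tampered file keeps the original CRC-32.
    forged = tampered + forge_crc32(tampered, zlib.crc32(original))
    return {"tampered": integrity_report(original, tampered),
            "forged": integrity_report(original, forged)}


CRC_DEMO = run_demo()

if __name__ == "__main__":
    print(CRC_DEMO)
```

The plain tampered file fails all three checks, but the forged file passes the CRC-32 check while still failing MD5 and SHA-256. Note that the forgery here appends bytes; because CRC is linear, the same trick works with bytes placed anywhere in the file (slack space, for instance), so a matching CRC proves nothing about deliberate modification.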
References:
Cobb, M. (2010, May). MD5 security: Time to migrate to SHA-1 hash algorithm? Retrieved from http://searchsecurity.techtarget.com/answer/MD5-security-Time-to-migrate-to-SHA-1-hash-algorithm
DZone. (2010, June). Generating MD5 and SHA1 checksums for a file. Retrieved from http://dotnet.dzone.com/articles/generating-md5-and-sha1
Garfinkel, S., et al. (2006). Advanced Forensic Format: An open, extensible format for disk imaging. Retrieved from http://cs.harvard.edu/malan/publications/aff.pdf
Harris, S. (n.d.). To catch a thief. Retrieved from http://www.logicalsecurity.com/resources/ToCatchaThief.html
Krause, J. (2013). Helix 3 Enterprise review. Retrieved from http://www.forensicfocus.com/helix-3-enterprise-review-150909
Newton, D. (2010, May). Write blockers: Hardware vs software. Retrieved from http://dereknewton.com/2010/05/write-blockers-hardware-vs-software/
Purita, R. (2006, September). Computer forensics: A valuable audit tool. Retrieved from http://www.theiia.org/intAuditor/itaudit/archives/2006/september/computer-forensics-a-valuable-audit-tool-1/
Sidel, S. (2007, May). Digital forensics tool Helix 'does no harm'. Retrieved from http://searchsecurity.techtarget.com/tip/Digital-forensics-tool-Helix-does-no-harm
SourceForge. (2013). dcfldd. Retrieved from http://sourceforge.net/projects/dcfldd/