CSEC650 Lab Assignment 1


Disclaimer/Caveat/Disclosure/Whateveryouwouldliketocallthis:

You are more than welcome to use my lab work below as a reference. But, please be smart and do not simply copy and paste because your Prof. or TA will know. Just like you, they have access to this website as well. So be nice and smart and don't set yourself up for a failure; at the very least you should rephrase/paraphrase/reword/Whateveryouprefertocallthis. Just a suggestion, but at the end of the day, it will be your decision. :)

Also, I have got at the very least 90% in each of my lab work, but that DOES NOT guarantee that you will get the same. It depends almost exclusively on how your professor looks at your response and how s/he grades. The ones that I got were awesome professors and my work and my points went across to them, hence the higher grade. So, basically what I am trying to say here is that if you score less than 90% while using my lab work as reference or as a whole, don't curse me out, you just got a stricter professor. :)

(PS. This is the graded paper with my professor's comments on the right. Thanks)

Part I: Lab Deliverables (30 points):

A. Screenshots (10 points):

Capture and paste the following five screenshots you captured during your lab work in this order. Give a one-sentence short description at the beginning of each screenshot to describe what it is about.

1. A screenshot of Device Info similar to (may not be exactly the same as) the illustration in Step 10 of the Lab1-Write-up.

The screenshot shows the details of the drive, including the make, model, size, and the interface of the drive.

2. A screenshot of Imaging in Progress similar to (may not be exactly the same as) the illustration in Step 16 of the Lab1-Write-up.

The system is verifying the data from the VMware drive.

3. A screenshot of Verification Success similar to (may not be exactly the same as) the illustration in Step 18 of the Lab1-Write-up with a “Verify Successful” message.

The system successfully verified the data on VMware drive.

4. A screenshot of Chain of Custody with Hash value similar to (may not be exactly the same as) the illustration in Step 19 of the Lab1-Write-up.

This screen shot shows the Evidence Chain of Custody form for the VMware drive.

5. A screenshot of creating Chain of Custody PDF form similar to (may not be exactly the same as) the illustration in Step 20 of the Lab1-Write-up.

The screen shot confirms that the pdf file, COC-201327701.pdf, has been created for the VMware drive and is saved in the /media/sdb1/ folder.

Screen shot below shows that three files (log, pdf and dd) were created:

B. Log of Forensic Analysis (10 points):

Create a numbered list or table to document the important step-by-step actions taken by the examiner sequentially for the digital forensic work in this case. Include date, time, devices, tools, data files, and any logs generated. You only need to describe the data files and logs; no need to attach them.

1. Log in to Adepto using your username and the case number. (If you don't have a personal case number, leave it at the default case number.)

2. Choose the device from the drop-down menu and wait until it imports the details of the device into the fields below the drop-down menu.

3. Note that the Make, Model and Serial number fields can be modified by the user. Size, sectors, and bus type are imported directly and cannot be modified.

4. Next, select the "Acquire" tab at the top and fill in the fields accordingly. In this case, we choose the DCFLDD image type, with MD5 hash and 1024 (MB) segments for the image file, named lab1CSEC650.dd.

5. Click Start to begin the image creation process. Depending on the size of the media, the process can take from a few seconds to a few minutes. Wait until the process ends and shows "Verify Successful" at the bottom.

6. Click the "Restore/Clone" tab at the top if it is desired to restore or clone the drive. To restore a file or a device, the user can choose the image file and either save it on a different device or in a separate file. To clone a device, the user can choose the source device from the drop-down menu and the destination device to which the source is to be cloned.

7. Click the "Log" tab at the top to see the log of all the activities performed in the acquisition process. The log shows the information of the media device as well as the device the media is connected to, including information about the CPU, motherboard, RAM and other hardware components attached to the device.

8. Click the "Chain of Custody" tab at the top to see the main information of the device, the user that has accessed the device, and the images that were created. In the same tab, the user can create a PDF file of the Chain of Custody that can be used later in device examination.
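As an added illustration of steps 4 and 5 (example code written for this page, not part of Adepto or dcfldd), the script below mimics a DCFLDD-style acquisition: it copies a constructed in-memory "drive" into fixed-size segments while hashing every block on the fly with MD5, then runs the verify pass that re-hashes the segments and compares them with the acquisition hash. The SAMPLE_DRIVE bytes and the 2048-byte demo segment size are assumptions standing in for the 279MB drive and the 1024 MB segments.

```python
import hashlib

# Segment size chosen in step 4 (1024 MB); the demo below uses a small one.
SEGMENT_SIZE = 1024 * 1024 * 1024
BLOCK_SIZE = 512  # copy and hash in sector-sized blocks

# Constructed stand-in for the VMware drive: 4868 bytes of patterned data.
SAMPLE_DRIVE = bytes(range(256)) * 19 + b"END!"

def acquire(source: bytes, segment_size: int = SEGMENT_SIZE,
            name: str = "lab1CSEC650.dd") -> tuple:
    """Copy `source` into numbered segments, hashing each block as it is read
    (as dcfldd's hash=md5 does), so the hash covers exactly what was read.
    Returns ({segment_name: bytes}, md5_hex_of_source)."""
    md5 = hashlib.md5()
    segments, buf, idx = {}, bytearray(), 0
    for off in range(0, len(source), BLOCK_SIZE):
        block = source[off:off + BLOCK_SIZE]
        md5.update(block)
        buf += block
        while len(buf) >= segment_size:        # a block may straddle a boundary
            segments[f"{name}.{idx:03d}"] = bytes(buf[:segment_size])
            del buf[:segment_size]
            idx += 1
    if buf or not segments:                    # trailing partial segment
        segments[f"{name}.{idx:03d}"] = bytes(buf)
    return segments, md5.hexdigest()

def reassemble(segments: dict) -> bytes:
    """Concatenate the segments in order (what a restore would read back)."""
    return b"".join(segments[k] for k in sorted(segments))

def verify(segments: dict, acquisition_md5: str) -> bool:
    """The 'Verify' pass: re-hash the segments in order and compare."""
    md5 = hashlib.md5()
    for seg_name in sorted(segments):
        md5.update(segments[seg_name])
    return md5.hexdigest() == acquisition_md5

def demo(segment_size: int = 2048) -> tuple:
    """Returns (verify result for the intact image, result after a 1-bit tamper)."""
    segments, acq_md5 = acquire(SAMPLE_DRIVE, segment_size)
    intact = verify(segments, acq_md5)
    tampered = dict(segments)
    second = sorted(tampered)[1]               # flip one bit in segment .001
    data = bytearray(tampered[second])
    data[0] ^= 0x01
    tampered[second] = bytes(data)
    return intact, verify(tampered, acq_md5)

if __name__ == "__main__":
    print(demo())  # (True, False)
```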

C. Report Letter to the Professor (10 points):

Write a letter to the Professor listing and explaining clearly and concisely what was attempted, what failed, what was successful, and what was learned through the lab work.

October 6th 2013

Professor

University

Dear Mr. Professor,

The reason for this letter is to inform you about the lab test that was run on the VMware virtual drive. The letter will give you details of the steps taken and the results that came out of the test.

The test was performed using the Adepto imaging program in the Helix Live CD. The test was performed on a 279MB VMware drive that was connected using the SCSI bus. The image was created in the DCFLDD format using the MD5 hash.

The test was started at 09:14:34pm on October 4th 2013, and was verified at 09:14:52pm. The test stopped at 09:14:56pm after the successful verification of the image. After the image was created, a Chain of Custody form was created, showing the details about the drive, the hash, the user and the image file format, along with its name. Once it was confirmed that all of the information was valid, a PDF file was created for the Chain of Custody form for future reference.

The lab gave an opportunity to perform tests on the VMware drive using the Adepto imaging program in the Linux environment. This lab was helpful in understanding the uses and functions of Adepto, which will be useful in performing forensics on other media devices in the future.

Sincerely,

My Name

Part II: Lab Questions (70 points):

Give your answer to each of the following questions based on your lab work and relevant readings. The original question must be visible. Each answer should be within one or two paragraphs and should be clear and correct in grammar. Any citations of sources should follow proper APA format with a reference section at the end of your Part II answers.

1. What types of forensic image formats does Adepto support?

Adepto is a graphical (GUI) imaging program found on the Helix Live CD. It is used to acquire drive images and files by creating forensically sound images from hard drives and other media. Adepto supports two forensic image formats: DCFLDD and AFF.

DCFLDD, or Department of Defense Computer Forensics Lab DD, is an enhanced version of GNU dd with features useful for forensics and security. Key features include on-the-fly hashing, status output and faster disk wiping (Sourceforge, 2013).

AFF, or Advanced Forensic Format, is an open and extensible format, unencumbered by patents and trade secrets. Its open-source implementation is distributed under a license that allows its code to be freely integrated into other open-source and proprietary programs (Garfinkel et al., 2013).

2. What kind of write blocking does Helix provide?

Helix provides a "read-only" write blocker by default, like most Linux-based forensic imagers. Also, Helix is a Linux Live CD based forensic distribution that does not support automatic media access, making it an ideal write-blocker. A common problem with other Live CDs is that they mount swap partitions when they boot, possibly altering data. Helix will not mount any swap partitions (any auto-mounted partitions are read-only), which preserves data, MAC (Modified, Accessed, Changed/Created) times and other such file metadata. This allows Helix to acquire evidence without the use of a hardware write-block device (Harris, n.d.).
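An added check (example code for this page, not part of Helix) that a practitioner would run before starting the acquisition, confirming the state this answer relies on: no swap partition is active and the evidence device is not mounted writable. It parses text in /proc/mounts and /proc/swaps format; the sample contents, and the device names /dev/sda1 (suspect drive) and /dev/sdb1 (examiner's collection drive), are constructed.

```python
# Constructed sample of /proc/mounts after booting a live forensic CD: the CD
# itself and the suspect drive are read-only (noload also stops ext3 journal
# replay), while the collection drive that receives the image is rw.
SAMPLE_MOUNTS = """\
/dev/sr0 / iso9660 ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda1 /media/sda1 ext3 ro,noatime,noload 0 0
/dev/sdb1 /media/sdb1 vfat rw,noatime 0 0
"""
# Constructed /proc/swaps samples: header only (no swap active) and one entry.
SAMPLE_SWAPS_NONE = "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
SAMPLE_SWAPS_ACTIVE = SAMPLE_SWAPS_NONE + "/dev/sda2\tpartition\t1048572\t0\t-2\n"

def block_device_mounts(mounts_text: str) -> dict:
    """Map each mounted /dev/ block device to its set of mount options."""
    result = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("/dev/"):
            result[fields[0]] = set(fields[3].split(","))
    return result

def writable_evidence(mounts_text: str, evidence_devices) -> list:
    """Evidence devices mounted without 'ro': a write-block failure.
    A device that is not mounted at all is fine (nothing can write to it)."""
    mounts = block_device_mounts(mounts_text)
    return sorted(dev for dev in evidence_devices
                  if dev in mounts and "ro" not in mounts[dev])

def active_swaps(swaps_text: str) -> list:
    """Swap devices listed in /proc/swaps (the first line is the header)."""
    return [line.split()[0] for line in swaps_text.splitlines()[1:] if line.strip()]

def acquisition_safe(mounts_text: str, swaps_text: str, evidence_devices) -> bool:
    """True only if no evidence device is writable and no swap is active."""
    return (not writable_evidence(mounts_text, evidence_devices)
            and not active_swaps(swaps_text))

if __name__ == "__main__":
    # On a live system, feed the real files instead of the samples:
    #   acquisition_safe(open("/proc/mounts").read(),
    #                    open("/proc/swaps").read(), {"/dev/sda1"})
    print(acquisition_safe(SAMPLE_MOUNTS, SAMPLE_SWAPS_NONE, {"/dev/sda1"}))
```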

3. Explain the advantages and disadvantages of different write-blocking techniques for forensic imaging.

There are two main types of write blocking: software write-blocking and hardware write-blocking.

Software write-blocking:

Advantages:

- The software write blocker is installed directly on your image acquisition workstation and additional hardware is not necessary (lightens the load, one less thing to fail, etc.).
- Generally able to use any interface available on your imaging workstation (and any interface that could be added down the road), which prevents an additional purchase when a new storage interface is needed.

Disadvantages:

- Generally still needs an external adapter of some sort to provide an interface to the drives that you are imaging (thus negating the advantage of not having to carry around a physical write blocker).
- Can be more difficult to explain to a non-technical person (and thus more difficult to explain that the write blocker is actually functioning, if challenged).
- Reliant on underlying and complex hardware and/or software (i.e. operating systems). Interaction between these components creates additional complexity and introduces the possibility of failure through updates, upgrades, etc.

Hardware write-blocking:

Advantages:

- Is not reliant on an underlying operating system or software-based subsystem.
- Is easier to explain and generally makes more "sense" to non-technical people.
- Clear visual indication of function through physical lights/switches.
- Generally provides built-in interfaces to a number of storage devices (IDE, SATA, etc.).
- Appears to be more accepted in the general forensics community.

Disadvantages:

- An additional piece of kit to carry around with you.
- An additional piece of hardware that needs to be maintained and could fail.
- Generally restricted to the available storage interfaces built into the device (additional interfaces cannot be added) (Newton, 2010).

4. Why would a forensic examiner possibly select a different cryptographic hash type from MD5?

MD5 (Message-Digest algorithm 5) is a cryptographic one-way hash function. Hash functions output a short, fixed-length value called a hash -- an MD5 hash is typically expressed as a 32-digit hexadecimal number -- based on a piece of data such as a file or message. Hash functions have many uses in cryptography because any change to the original input, accidental or otherwise, will change the resulting hash value. They are used in many forms of authentication, such as digital signatures and message authentication codes, as well as for verifying file integrity, because even the slightest change to the data will change its hash value. For example, many software publishers provide the MD5 hash value of their downloadable software so that users can verify that the file is authentic and has not been tampered with.

However, because hash algorithms create a short, fixed-length hash value to represent data of any size, there are far more possible input values than there are unique hash values. This means there have to be multiple input values that produce the same hash value. This is known as a collision, and for a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output (Cobb, 2005). The security of the MD5 hash function is severely compromised. A number of projects have published MD5 rainbow tables online that can be used to reverse many MD5 hashes into strings that collide with the original input, usually for the purposes of password cracking.

5. What is the MD5 hash value of your image in Lab 1?

MD5 Hash value = f71625daed269ba7145a6e6b27fcb89a

6. What are some reasons that make Helix a forensically sound method for forensic collection of digital evidence?

Helix is an incident response and computer forensics toolkit based on the popular Knoppix Live bootable CD. It contains dozens of tools for incident response on Windows and Linux systems. Helix facilitates centralized incident response and imaging of drives and volatile data, and also enables scans and searches of a user's internet history and documents on any computer which has had the Helix Agent pre-installed on it. The integrity of data in transit and within the Helix database is ensured through 256-bit AES encryption (Krause, 2013).

Helix is easy to use; the user can use it by simply inserting the Helix Live CD into a machine and booting from the CD drive. The Helix CD provides the OS and tools to audit and copy data from a suspect machine. Booting into Helix provides a graphical menu for accessing forensics tools. The tools allow for bit-for-bit copies of data to other media, providing the ability to recover deleted files, detect viruses (hacked systems are often booby-trapped to destroy evidence), search out rootkits (used to hide hacker tracks) and look for hidden data using steganographic methods (Sidel, 2007).

7. What is the significance of the Chain of Custody PDF form from Adepto? Why is it needed?

The Chain of Custody form from Adepto is a legal document that provides the information of the investigators that had access to the data and the media. It contains information about the media, the date and time the evidence was collected, the name of the image file, the name of the investigator that created the image file, the MD5 hash value and the type of image that was saved.

During an investigation, one of the crucial steps is to make sure that the integrity of the data is intact; otherwise, the data acquired from the media will be considered to hold no value in court. The Chain of Custody form can help the investigators identify who was in contact with the media and the data found on that media, and makes it easier for them to trace back if the need arises or if the integrity of the data has been compromised.

8. What is the significance of the Adepto logs? Why are they needed?

Adepto logs are useful for storing information that will help the forensic examiners. The log keeps track of the information retrieved from the media, which a forensic examiner can refer back to in order to verify his/her findings, and it can also help them find any mistakes that they may have made during an investigation.

9. What is the significance of the forensic investigator's individual reports and logs?

The reports and logs of the investigation include a list of all the evidence gathered, a copy of printed documents listed as appendices, and an executive summary. In certain cases (e.g., to obtain a search warrant or make a criminal charge), auditors may need to create interim reports. These reports are updated as new information is gathered, until the investigation is completed. Reports and logs can help the investigator explain his/her findings in court, if needed. For instance, reports can explain what made the company or auditor suspicious of the hard drive, how the hard drive was imaged, how the data was handled prior to the analysis, where within the hard drive the evidence was found, and what the evidence means (Purita, 2006).

10. Why are cryptographic hashes such as MD5 and SHA1 needed? Why would an investigator not use a CRC or some other value?

MD5 (128 bit) and SHA1 (160 bit) are cryptographic hash functions used to encrypt information by generating a hash based on the passed byte structure.

Although MD5 is not a very secure hashing algorithm, since it is vulnerable to collision attacks, it is still widely used to check file integrity. It has been demonstrated that it is possible to create two different files that have the same MD5 hash. SHA1 is a much more secure hashing algorithm, although its principles are somewhat based on those of MD5. For general use, both MD5 and SHA1 are very efficient and most likely will be used for a little while longer (Dzone, 2010). MD5 and SHA1 provide the forensic investigator with the opportunity to detect very negligible variations within a message that CRC and other values cannot detect.
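To show the collision side of this answer concretely (an added example, not from the cited sources), the script below uses a standard property of CRC-32: any message followed by its own CRC, little-endian, checks to the same constant. Two different inputs can therefore be given identical CRC32 values in one step, while their MD5 and SHA-1 values still differ, which is why an investigator records a cryptographic hash rather than a checksum. The ORIGINAL and ALTERED strings are constructed samples.

```python
import hashlib
import zlib

# Residue of CRC-32 as computed by zlib (the IEEE 802.3 polynomial): a message
# followed by its own CRC in little-endian byte order always checks to this.
CRC32_RESIDUE = 0x2144DF1C

def with_crc_trailer(data: bytes) -> bytes:
    """Append the CRC32 of `data` as four little-endian bytes."""
    return data + zlib.crc32(data).to_bytes(4, "little")

def fingerprints(data: bytes) -> dict:
    """CRC32 next to the two cryptographic hashes named in the question."""
    return {
        "crc32": f"{zlib.crc32(data):08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }

def matching_fingerprints(a: bytes, b: bytes) -> dict:
    """For two different inputs that each carry their own CRC trailer, report
    which fingerprints agree: CRC32 always does, MD5 and SHA-1 do not."""
    fa = fingerprints(with_crc_trailer(a))
    fb = fingerprints(with_crc_trailer(b))
    return {k: fa[k] == fb[k] for k in fa}

# Constructed sample "evidence" contents differing in one character.
ORIGINAL = b"invoice total: 1,000.00"
ALTERED = b"invoice total: 9,000.00"

if __name__ == "__main__":
    print(fingerprints(with_crc_trailer(ORIGINAL))["crc32"])  # 2144df1c
    print(matching_fingerprints(ORIGINAL, ALTERED))
    # {'crc32': True, 'md5': False, 'sha1': False}
```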

References:

Cobb, M. (May 2010). MD5 security: Time to Migrate to SHA-1 Hash Algorithm? Retrieved from http://searchsecurity.techtarget.com/answer/MD5-security-Time-to-migrate-to-SHA-1-hash-algorithm

DZone. (June 2010). Generating MD5 and SHA1 Checksums for a File. Retrieved from http://dotnet.dzone.com/articles/generating-md5-and-sha1

Garfinkel et al. (2013). Advanced Forensic Format: An Open, Extensible Format for Disk Imaging. Retrieved from http://cs.harvard.edu/malan/publications/aff.pdf

Harris, S. (n.d.). To Catch a Thief. Retrieved from http://www.logicalsecurity.com/resources/ToCatchaThief.html

Krause, J. (2013). Helix 3 Enterprise Review. Retrieved from http://www.forensicfocus.com/helix-3-enterprise-review-150909

Newton, D. (May 2010). Write Blockers – Hardware vs Software. Retrieved from http://dereknewton.com/2010/05/write-blockers-hardware-vs-software/

Purita, R. (September 2006). Computer Forensics: A Valuable Audit Tool. Retrieved from http://www.theiia.org/intAuditor/itaudit/archives/2006/september/computer-forensics-a-valuable-audit-tool-1/

Sidel, S. (May 2007). Digital forensics tool Helix 'does no harm'. Retrieved from searchsecurity.techtarget.com/tip/Digital-forensics-tool-Helix-does-no-harm

Sourceforge. (2013). Retrieved from http://sourceforge.net/projects/dcfldd/