Digital Forensics Analysis and Validation | My Assignment Tutor

BN309 Computer Forensics
Laboratory 10 and 11: Digital Forensics Analysis and Validation

Submission Due: End of laboratory class; submit the file on Moodle at least 10 minutes before the end of the laboratory class.
Total Marks = 10 marks for 10 weeks (DIT and BNet)
            = 5 marks for 10 weeks (GDNet and MNet)
Marks will be given only to students who attend and participate during the 2-hour laboratory class. Submission on Moodle is mandatory as evidence of participation.

Description of the laboratory exercise:
In this lab, you will use Sleuth Kit and Autopsy. You will find this software under the “Software for Labs” folder in Moodle. Download the necessary image file from the following link: https://drive.google.com/a/academic.mit.edu.au/file/d/0B1mNQzaOkGFuN1JkUHpNazhaZ3M/view?usp=sharing

Activity 1:
In this project, you perform bit-shifting on a file and verify that the file can be restored.
1. Start Notepad and type the following in a new text document: This document contains very sensitive information. We do not want the competition to be able to read it if they intercept the message.
2. Save the file as correspondence.txt in your work folder, and then exit Notepad.
3. Start Hex Workshop, and open the correspondence.txt file.
4. Click the Rotate Right button. As shown in the Operand section of the Rotate Right Operation dialog box, the data can be treated as an 8-, 16-, 32-, or 64-bit unsigned long. Write down which one it is (assuming little endian is the byte ordering), and then click OK.
5. Click the Rotate Left button. In the Rotate Left Operation dialog box, make sure the same setting is listed in the Treat Data As text box as for the Rotate Right operation, and then click OK. The file should return to its original form. In a rotated shift operation, the bits that “fall off” one end of the number as it’s rotated appear on the other end of the number. In this way, no bits are lost, and the process can be reversed to restore the original message.
6. Save the file.
7. Click the Shift Right button and click OK twice, noting how the data is being treated. Click OK.
8. Finally, click the Block Shift Left button.
9. Attempt to reverse the procedure by doing the following: Click Block Shift Right, click Shift Left twice, and click OK as needed.
10. Notice that the message is garbled. In a normal (nonrotated) shift operation, the bits that fall off one end of the number when it’s shifted are discarded; therefore, the original data is lost or modified. Click File, Close from the menu. When prompted to save, click No.
11. Open the file again in Hex Workshop, and repeat Steps 7 and 8. Save the file as correspondence2.txt in your work folder. If you’re prompted to create a backup, click Yes.
12. Attempt to undo the procedure by working in reverse, as in Step 9.
13. Write a short paper stating whether you think this method is a reliable one for encrypting. Leave Hex Workshop running for the next project.

Activity 2:
In this project, you validate the files used in Hands-On Projects 9-3 and 9-4. Chris Murphy, a Superior Bicycles employee suspected of industrial espionage, had a Windows XP system formatted in NTFS that was seized as part of the investigation. You use the GCFI-NTFS image files for this project, which consist of several .zip files. Extract them to your work folder, if necessary. You need at least 9 GB of storage space for these files.
1. Start Microsoft Word, and open the GCFI-NTFS hash values.doc file from your work folder. Print the file so that you can compare it with your results later in this project, and then exit Word.
2. Start Notepad, and open GCFI-NTFS.pds (included with the GCFI-NTFS image files). Read this document, which tells ProDiscover how to reassemble the image file from the segments. When you’re finished, exit Notepad.
3. In Hex Workshop, open GCFI-NTFS.eve from your work folder.
4. Click Tools, Generate Checksum from the menu. In the Select Algorithms list box, click MD5, and then click the Generate button.
5. When the checksum process is finished, check the MD5 hash value in Hex Workshop’s lower-right pane, and compare it to the one in the document you printed in Step 1.
6. Repeat Steps 3 through 5 for each remaining GCFI-NTFS file.
7. After you have verified all the files, make a note in your log listing the files you examined and their hash values, and then exit Hex Workshop.

Activity 3:
In this project, you search the GCFI-NTFS drive image that belonged to Chris Murphy. You should have completed Hands-On Project 9-2 before beginning this one.
1. Start ProDiscover Basic with the Run as administrator option (if you’re using Vista), and start a new project. Enter C9Prj03 for the project number and Chris Murphy for the project filename. In the Description text box, type suspected of industrial espionage at Superior Bicycles, and then click OK.
2. In the tree view, click to expand Add, and then click Image File. Navigate to your work folder. Because this image file is segmented, ProDiscover needs the .pds file to reassemble the image. Click GCFI-NTFS.pds (in Windows Vista, the .pds extension might not be displayed), and then click Open. In the message box prompting you to verify the checksum, click Yes. This process takes several minutes.
3. After this process is finished, save the project with its default name in your work folder.
4. In the tree view, click to expand Project, if necessary, and then expand Content View and Images.
5. Click GCFI-NTFS.eve and then click to expand it, and then click the Delorme Docs folder in the tree view. Browse through this folder in the work area, and mark any files of interest.
6. Chris is known to be a sports fan, and his manager believes the espionage he engaged in was done to support his gambling habit, betting on games’ outcomes. Using search terms for the most common U.S. sports—baseball, football, and basketball—ascertain whether any evidence exists to support this claim.
7. Next, examine his Internet history. If necessary, use terms such as “ESPN” during this part of the search.
8. Finally, Chris has been sightseeing in Washington, D.C., so search for terms such as White House, Lincoln Memorial, George Washington University, Washington Convention Center, and National Museum of Women in the Arts. Exit ProDiscover Basic, saving the project when prompted.
9. Write a short memo to Ileen Johnson, the lead investigator in this case, summarizing your findings and what they indicate.

Activity 4:
In this project, you determine what tools Chris used to take pictures of kayak prototypes and smuggle them out of the office. Make sure you have completed Activity 2 before starting this one.
1. Start ProDiscover Basic with the Run as administrator option (if you’re using Vista), and start a new project. Enter C9Prj04 for the project number and Chris Murphy for the project filename. Enter suspected of industrial espionage at Superior Bicycles in the Description text box, and then click OK.
2. In the tree view, click to expand Add, and then click Image File. Navigate to your work folder.
3. Because this image file is segmented, ProDiscover needs the .pds file. If you didn’t load this case in Hands-On Project 9-3, perform this step: Click GCFI-NTFS.pds, and then click Open. In the message box prompting you to verify the checksum, click Yes. This process takes several minutes. After it’s finished, save the project with its default name in your work folder.
4. As mentioned, Chris is suspected of taking pictures of the new kayak prototypes, and you need to determine what type of camera he used. If necessary, click to expand Project in the tree view.
5. Next, expand Content View and then Images. Click the GCFI-NTFS.eve file, and then expand it.
6. Click the Special Files folder, and examine the files in it. You should see some files with the .sxc and .sxw extensions. They were created in Open Office 1.x, but you can open them in Open Office 2.x, too.
7. Using ProDiscover’s Search function, search the GCFI-NTFS.eve file, using the keyword kayak. Right-click any .jpeg files you find and click View EXIF Data. (EXIF data is metadata that includes the camera’s make and model.) Copy this information to a text file in your work folder.
8. To export any .zip files you find, right-click them and click Copy File. In the dialog box that opens, create a folder for this case and save the files there. Then you can expand them with a standard zip utility.
9. When you’re finished, exit ProDiscover Basic, and write a one- to two-page report explaining what you found and how this evidence is relevant to the case.
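What Activity 1 shows in Hex Workshop, as an added Python example (not part of the lab and not Hex Workshop's code): rotating each little-endian unit is reversible, while a plain shift discards the low bit of every unit, so shifting right and then left garbles the text. The unit width defaults to 8 bits as an assumption; pass the width you wrote down in Step 4.

```python
import struct

# Constructed sample: the text typed into Notepad in Step 1 of Activity 1.
MESSAGE = (b"This document contains very sensitive information. "
           b"We do not want the competition to be able to read it "
           b"if they intercept the message.")

FORMATS = {8: "B", 16: "H", 32: "I", 64: "Q"}  # the widths Hex Workshop offers

def _units(data: bytes, width: int):
    """Split data into little-endian unsigned units of `width` bits, zero-padding the tail."""
    size = width // 8
    padded = data + b"\x00" * (-len(data) % size)
    fmt = "<%d%s" % (len(padded) // size, FORMATS[width])
    return list(struct.unpack(fmt, padded)), fmt

def rotate(data: bytes, width: int = 8, bits: int = 1, left: bool = False) -> bytes:
    """Rotate every unit by `bits`; bits that fall off one end re-enter at the other."""
    units, fmt = _units(data, width)
    mask = (1 << width) - 1
    if left:
        out = [((u << bits) | (u >> (width - bits))) & mask for u in units]
    else:
        out = [((u >> bits) | (u << (width - bits))) & mask for u in units]
    return struct.pack(fmt, *out)

def shift(data: bytes, width: int = 8, bits: int = 1, left: bool = False) -> bytes:
    """Shift every unit by `bits`; bits that fall off the end are discarded (zero fill)."""
    units, fmt = _units(data, width)
    mask = (1 << width) - 1
    out = [((u << bits) & mask) if left else (u >> bits) for u in units]
    return struct.pack(fmt, *out)

def rotate_round_trip(data: bytes, width: int = 8) -> bool:
    """Rotate right, then left (Steps 4-5): True means the original came back."""
    return rotate(rotate(data, width), width, left=True)[:len(data)] == data

def shift_round_trip(data: bytes, width: int = 8) -> bool:
    """Shift right, then left (Steps 7-10): False whenever some unit's low bit was 1."""
    return shift(shift(data, width), width, left=True)[:len(data)] == data

if __name__ == "__main__":
    for width in FORMATS:
        print(width, "bit: rotate reversible =", rotate_round_trip(MESSAGE, width),
              "shift reversible =", shift_round_trip(MESSAGE, width))
    print(shift(shift(MESSAGE), left=True)[:20])  # the garbled text from Step 10
```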
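The validation in Activity 2, automated as an added example that is not part of the lab: each file is hashed in chunks (so a 9 GB segment never has to fit in memory) and compared with the value from the printed document. The expected hashes here are placeholders; the real ones come from GCFI-NTFS hash values.doc, and any segment names beyond GCFI-NTFS.eve are whatever the .pds file lists.

```python
import hashlib
import os

def file_digest(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, read in 1 MiB chunks instead of loading it whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_segments(work_folder: str, expected: dict, algorithm: str = "md5") -> dict:
    """Hash each listed file; return name -> (status, digest).

    `expected` maps a file name to the hex digest printed in the hash-value
    document. Status is 'OK', 'MISMATCH' or 'MISSING'; comparison ignores
    case because tools print hex digests in either case.
    """
    results = {}
    for name, want in expected.items():
        path = os.path.join(work_folder, name)
        if not os.path.isfile(path):
            results[name] = ("MISSING", None)
            continue
        got = file_digest(path, algorithm)
        results[name] = ("OK" if got == want.strip().lower() else "MISMATCH", got)
    return results

if __name__ == "__main__":
    # Placeholder value: copy the real one from GCFI-NTFS hash values.doc.
    expected = {"GCFI-NTFS.eve": "<md5 from GCFI-NTFS hash values.doc>"}
    for name, (status, digest) in verify_segments(".", expected).items():
        print(f"{name}: {status} {digest}")  # file and hash, as the Step 7 log note asks
```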
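What View EXIF Data reads in Activity 4, Step 7: an added Python parser (not ProDiscover's code and not part of the lab) that pulls the camera Make and Model from a JPEG's Exif APP1 segment. Since the kayak pictures are not reproduced here, build_sample_jpeg constructs a minimal JPEG shell with those two tags as test input.

```python
import struct
TAGS = {0x010F: "Make", 0x0110: "Model"}  # the IFD0 tags ProDiscover shows in View EXIF Data

def exif_make_model(jpeg: bytes) -> dict:
    """Walk the JPEG marker segments, find APP1/Exif and return the Make/Model strings."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + length]  # length counts its own two bytes
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(payload[6:])
        if marker == 0xDA:  # start of scan: only image data follows
            break
        pos += 2 + length
    return {}

def _parse_ifd0(tiff: bytes) -> dict:
    """Read ASCII Make/Model entries from IFD0; handles both II and MM byte orders."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(endian + "HHI", entry[:8])
        if tag in TAGS and typ == 2:  # type 2 = NUL-terminated ASCII
            if n <= 4:  # short values are stored inline in the entry
                raw = entry[8:8 + n]
            else:  # longer ones live at an offset from the TIFF header
                off = struct.unpack(endian + "I", entry[8:12])[0]
                raw = tiff[off:off + n]
            found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found

def _entry(tag: int, value: bytes, data_off: int):
    """One little-endian IFD entry; returns (entry bytes, bytes for the data area)."""
    if len(value) <= 4:
        return struct.pack("<HHI", tag, 2, len(value)) + value.ljust(4, b"\x00"), b""
    return struct.pack("<HHII", tag, 2, len(value), data_off), value

def build_sample_jpeg(make: str, model: str) -> bytes:
    """Constructed test input: a JPEG shell whose Exif APP1 holds only Make and Model."""
    data_off = 8 + 2 + 2 * 12 + 4  # TIFF header + entry count + two entries + next-IFD pointer
    e1, d1 = _entry(0x010F, make.encode() + b"\x00", data_off)
    e2, d2 = _entry(0x0110, model.encode() + b"\x00", data_off + len(d1))
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 2) + e1 + e2 + b"\0\0\0\0" + d1 + d2
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

On a file exported from the image, pass the raw bytes of the .jpeg to exif_make_model; the constructed values (Canon, EOS 5D and so on) are only for exercising the parser, not data from the case.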
