
ECE/CIS 387: Digital Forensics I
Fall, 2013
Department of Electrical and Computer Engineering, University of Michigan-Dearborn
Instructor: Hafiz Malik

Lab Assignment #1, Wednesday September 18, 2013


Lab Report Due on: Tuesday September 24, 2013

Physical Memory Imaging with EnCase, DD, Nigilant32, and WinHex

Scenario

You are a computer forensics investigator who has seized a running computer system with a USB drive mounted on one USB port. As a forensics expert I'm interested in process memory (Physical Memory). It is standard practice that a forensics analyst should never work with the original evidence, therefore you will create an image of physical memory. Cloning the physical memory will create a bit-stream image file that is an exact replica, bit-for-bit, of the original data on the disk. The EnCase, dd, and Nigilant32 software let you image physical memory. EnCase, WinHex, and Nigilant32 also have many other features for analyzing and recovering evidence that we will explore in future homework assignments.

Generate Physical Memory Image using EnCase

1. Make images with and without compression options.
2. Record your observations. Include a snapshot of the EnCase GUI to support your answer.

Generate Physical Memory Image using DD

For example:

    c:\tools\> dd if=\\?\Device\Harddisk2\DR5 of=ram1.img bs=4096 conv=noerror

(I used this command to create Physical Memory Image on my system)

1. How many records were copied? Include a snapshot of the command prompt to support your answer.
2. Repeat the above step with a different block size value (bs), but keep in mind that it should be a multiple of 512.

Generate Physical Memory Image using the Nigilant32 Software

Close the command prompt (type exit then hit ENTER, or use the brute force approach). (Make sure you name both image files differently.)

1. Record your observations. Include a snapshot of the Nigilant32 GUI to support your answer.

Open and Authenticate the Disk

1. From the Tools menu in WinHex, select Open Disk.
2. Select the image file (e.g. ram1.img) and click OK.
3. From the Tools menu, select Calculate Hash. This will give you a digital fingerprint of the image. Copy and paste the result (the hash value for ram1.img) into your report.
4. From the Tools menu, select Calculate Hash. This will give you a digital fingerprint of the image. Record the hash value for the ram2.img and ram.E01 images obtained using Nigilant32 and EnCase, respectively.
5. Are the three hash values different? Justify your answer.

Make a Quick Analysis of the Physical Memory Image

1. In WinHex, scroll down in the window for your image file. Do you see any readable text? Note down a few examples in your report.
2. Note down the free memory location range.
3. Repeat steps 1 and 2 using EnCase.

Submission

Submit your activity log electronically on Canvas.
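
An added example, not part of the original assignment: the hash and quick-analysis steps above, scripted in Python and run against a constructed 8 KiB buffer standing in for ram1.img. The function names are illustrative, and treating zero-filled runs as candidate free regions is an assumption about what unused memory looks like in the image.

```python
import hashlib
import io
import re

CHUNK = 4096  # same block size as the dd example; any multiple of 512 works


def hash_image(stream, algo="md5"):
    """Hash an image in fixed-size chunks so a large dump is never read in one go."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def find_strings(data, min_len=6):
    """Return (offset, text) for each run of printable ASCII at least min_len long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def zero_ranges(data, min_len=512):
    """Return (start, end) offsets of zero-filled runs; end is exclusive."""
    pattern = re.compile(rb"\x00{%d,}" % min_len)
    return [(m.start(), m.end()) for m in pattern.finditer(data)]


def make_sample():
    """Constructed 8 KiB stand-in for ram1.img (not real evidence)."""
    img = bytearray(b"\xaa" * 8192)
    img[0x100:0x100 + 27] = b"C:\\Windows\\System32\\cmd.exe"
    img[0x1000:0x1800] = bytes(0x800)  # 2 KiB zero-filled region
    return bytes(img)


if __name__ == "__main__":
    sample = make_sample()
    print("MD5   :", hash_image(io.BytesIO(sample)))
    print("SHA256:", hash_image(io.BytesIO(sample), "sha256"))
    for off, text in find_strings(sample):
        print(f"string at 0x{off:08x}: {text}")
    for start, end in zero_ranges(sample):
        print(f"zero-filled 0x{start:08x}-0x{end - 1:08x}")
```

For a real image, open the file in binary mode for hash_image and pass an mmap of it to find_strings and zero_ranges so the whole dump is not copied into memory.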
