
CSE 469 In-Class Lab1

Names: Steven Tran, Kshitiz Singh, Jason Truong, ID: 1210776512


Overview
1. Create a 128 MB to 256 MB partition on a portable hard drive.
2. Create several image files in different formats with different tools.
3. Explore the created image files with FTK Imager and Autopsy.
Prerequisites: a Windows 10 compatible machine, 32- or 64-bit.
Download dd.exe from Piazza or Canvas, under “General Resources”.
Install FTK Imager (“AccessData_FTK_Imager4.2.1.exe”) from Piazza or Canvas, under “General
Resources”.
Install Autopsy from Piazza or Canvas, under “General Resources”.
A USB drive of 128 MB or more.
Submit this file as a PDF to Gradescope https://www.gradescope.com/courses/79694/ by 5:00 pm today.

Part 1: Creating Partitions


Section A:
- Insert the portable hard drive into the computer and open the Windows Disk Management
tool, which is reached through the Computer Management menu.
- Right-click the volume that belongs to the portable hard drive and select “Delete Volume”.
This turns the volume into unallocated space and destroys whatever it contained, so confirm
you are looking at the portable drive (check its size) and not an internal disk.
- Once deleted, right-click the unallocated space and select “New Simple Volume”.
Here you can specify the size of the new volume in MB. Create a 128 to
256 MB volume with a label (e.g., “CSE-469”).

- If you were not able to delete the volume in the Disk Management tool, you will need to use
the Diskpart command line tool to clear the portable hard drive:

1. Open an elevated command prompt window by running it as administrator.
2. Enter “diskpart”.
3. Enter “list disk”.
4. Enter “select disk X”, where X is the disk number of the portable hard drive. It is very
important that you select the correct disk: compare the listed sizes with the portable drive’s
capacity before continuing.
5. Once selected, enter “clean”. This erases the partition table of the selected disk and
cannot be undone.
6. You should now be able to use the Disk Management tool to create a new volume.

Q1: What is the name and size of your partition? Name: NEW VOLUME (Q:) Size: 127 MB

Section B:
- Once the partition has been created, open Notepad, create a plain text file named after
you (e.g., YourName.txt) containing the line “This is the test.”, and save it to the partition.

Q2: What is the name and size (KB) of the text file that you generated? Name: Steven_Tran.txt Size:
1KB

- After saving it to the partition, find the file in the partition and delete it. Do not write
anything else to the partition afterwards: new data can reuse the deleted file’s directory
entry or clusters, and then there is nothing left to recover in Part 3.
Part 2: Using Imaging Tools
Data Dump:
- Navigate to Piazza’s Resources and download the dd.exe file located under “General
Resources”.
- Once downloaded, open an elevated command prompt (raw access to a volume requires
administrator rights) and navigate to the location of dd.exe.
- Enter “dd --list” to see a list of all available disks and volumes, and find the partition
you just created. (You can usually tell by the drive letter.)
- Enter “dd if=\\.\x: of=c:\Users\user\Desktop\$$.img bs=1M --size --progress”, where “x” is
the drive letter of the partition, “$$” is the image name, and “user” is the user you’re logged
in as. “\\.\x:” is the raw volume rather than the mounted file system, “bs=1M” copies in
1 MB blocks, “--size” makes dd read the volume’s size so it stops at the end of the partition,
and “--progress” reports progress. This should create a raw (bit-for-bit) image file and save
it to the Desktop.

Q3: What is the image’s name and checksum (SHA-1)?


(hash: https://emn178.github.io/online-tools/sha1_checksum.html; the online tool is fine for
this exercise, but in real casework compute the hash locally, e.g. “certutil -hashfile
<image> SHA1”, because uploading an evidence image to a web site discloses the evidence and
breaks the chain of custody)
Image name: 001.img
Checksum: 66ada344eb436d0e224a97e696c6b58fff0294d8

FTK Imager:
- Open FTK Imager and go to File -> Add Evidence Item.
- Select “Logical Drive” and then the partition that you created.
- Once it is loaded, go to File -> Export Disk Image.
- Click Add to add an image destination and select E01 as the image type.
- Enter some text for the fields in the Evidence Item Information and click Next.
- For the Image Destination folder, select the Desktop, and type in a file name.
- Leave “Verify images after they are created” checked, so that FTK Imager re-reads the
finished image and compares its hashes with those computed during acquisition.
- Once everything is entered click “Finish” and then “Start” on the next screen. The
verification results window shows the computed MD5 and SHA-1 values.

Q4: What is the image’s name and checksum (SHA-1)?

Name: 002.E01
Checksum: 66ada344eb436d0e224a97e696c6b58fff0294d8
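The dd copy in Part 2 and the “verify” step in FTK Imager are the same procedure: copy the source in fixed-size blocks, hash the stream as it is read, then re-hash the finished image and compare. The script below is an added example for this lab, not the lab’s code and not the code of dd or FTK Imager. It hashes a source path into an image path; on Windows the source would be the raw volume (e.g. r"\\.\Q:", which needs an elevated prompt) and on Linux a device node, but here a small "device" file is constructed inline so the script runs offline. The hashes are computed locally in the same pass as the copy, which is what a custody record needs.

```python
"""Raw acquisition with in-line hashing, plus post-copy verification.

Added example for CSE 469 Lab 1, not the lab's own code.  Assumptions: the
source is any readable path (a raw volume such as r"\\.\Q:" on Windows, a file
here); the sample device content is constructed below.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")
BLOCK_SIZE = 1 << 20          # 1 MiB, the same granularity as dd bs=1M


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def hash_bytes(data):
    """Digest an in-memory buffer (used to cross-check the streaming result)."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, bs=BLOCK_SIZE):
    """Hash a file in fixed-size blocks so images larger than RAM still work."""
    hashers = _new_hashers()
    with open(path, "rb", buffering=0) as f:
        while True:
            block = f.read(bs)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_device(src, dst, bs=BLOCK_SIZE):
    """Copy src to dst block by block, hashing the source stream on the way.

    Returns the acquisition digests and byte count (what FTK Imager writes to
    its .txt log).  A short read at the end of the device is just a smaller
    final block, so sizes that are not a multiple of bs are handled."""
    hashers = _new_hashers()
    copied = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while True:
            block = fin.read(bs)
            if not block:
                break
            fout.write(block)
            copied += len(block)
            for h in hashers.values():
                h.update(block)
        fout.flush()
        os.fsync(fout.fileno())        # make sure the image is on disk before hashing it
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["bytes"] = copied
    return digests


def verify_image(acquisition, image_path):
    """Re-read the image from disk and compare every digest with the
    acquisition record; any mismatch means the image cannot be relied on."""
    on_disk = hash_file(image_path)
    return all(on_disk[name] == acquisition[name] for name in ALGORITHMS)


def demo():
    """Acquire a constructed 'device', verify the image, then show that a
    single appended byte makes verification fail.  Returns (ok_before, ok_after)."""
    sample = b"This is the test.\n" * 5000 + b"trailing partial block"   # constructed
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "device.bin")
        dst = os.path.join(d, "001.img")
        with open(src, "wb") as f:
            f.write(sample)
        acq = image_device(src, dst, bs=4096)     # small bs to force many reads
        if acq["sha1"] != hash_bytes(sample)["sha1"] or acq["bytes"] != len(sample):
            raise RuntimeError("streaming hash disagrees with whole-buffer hash")
        ok_before = verify_image(acq, dst)
        with open(dst, "ab") as f:
            f.write(b"\0")                         # simulate a tampered/damaged image
        ok_after = verify_image(acq, dst)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())                                   # (True, False)
```

Record the digests returned by image_device together with the image name in the lab answers; the SHA-1 reported by verify_image on the .img must match them, and for an E01 the value FTK Imager prints after verification is the hash of the contained data, not of the .E01 container file, so hashing the .E01 with a file hasher will give a different number.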
Part 3: Using Autopsy
- Launch Autopsy from the desktop.
- Click New Case and type your case name (e.g., 001).
- Choose your base directory (e.g., Desktop).
- Click Next, use case number 001, fill in the examiner’s name and click Finish.
- Add a data source (your image): select Disk Image or VM File, click Next, click
Browse, choose the image you made, click Open and then Next to finish.
- In the tree on the left, expand Data Sources, then expand the image name
(e.g., cse469.e01), select a volume, and the files inside that volume are listed.
- Entries marked with an X are deleted files: their directory entries still exist on the
volume but are flagged as unallocated, so the name, timestamps and size are still readable.
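What Autopsy is showing with that X, and how it can still export the file, is visible directly in the on-disk structures. The script below is an added example for this lab, not the lab’s code and not Autopsy’s or The Sleuth Kit’s; it assumes the lab partition was FAT-formatted (an assumption; on NTFS the same facts live in MFT records instead) and walks a tiny root directory and data area constructed inline rather than a real image. On FAT, “delete” only overwrites the first byte of the 32-byte directory entry with 0xE5; the rest of the name, the timestamps, the starting cluster and the size remain until the slot is reused, which is exactly what the parser reads back.

```python
"""Walk a FAT root directory, flag deleted entries and recover their data.

Added example for CSE 469 Lab 1 (not Autopsy/TSK code).  Assumes a FAT
volume; the directory and data area below are constructed, not from an image.
"""
import struct
from datetime import datetime

ENTRY_FMT = "<11sBBBHHHHHHHI"   # 32-byte short-name (8.3) directory entry
CLUSTER_SIZE = 512              # assumed bytes per cluster in the constructed volume
FIRST_DATA_CLUSTER = 2          # FAT numbers data clusters starting at 2
ATTR_LONG_NAME = 0x0F           # VFAT long-name fragment (skipped here)
DELETED_MARK = 0xE5
END_OF_DIRECTORY = 0x00


def fat_to_datetime(date_w, time_w):
    """Decode a FAT date word and time word (local time, 2-second resolution)."""
    return datetime(1980 + (date_w >> 9), (date_w >> 5) & 0x0F, date_w & 0x1F,
                    time_w >> 11, (time_w >> 5) & 0x3F, (time_w & 0x1F) * 2)


def datetime_to_fat(dt):
    date_w = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_w = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_w, time_w


def make_entry(base, ext, first_cluster, size, mtime):
    """Build a live 8.3 entry (attribute 0x20 = archive) for the sample volume."""
    date_w, time_w = datetime_to_fat(mtime)
    name = (base.ljust(8) + ext.ljust(3)).encode("ascii")
    return struct.pack(ENTRY_FMT, name, 0x20, 0, 0,
                       time_w, date_w,            # creation time/date
                       date_w,                    # last access date
                       first_cluster >> 16,       # start cluster, high word (FAT32)
                       time_w, date_w,            # last write time/date
                       first_cluster & 0xFFFF,    # start cluster, low word
                       size)


def parse_directory(directory):
    """Return one dict per short-name entry, flagging the deleted ones."""
    entries = []
    for off in range(0, len(directory) - 31, 32):
        raw = directory[off:off + 32]
        if raw[0] == END_OF_DIRECTORY:
            break                                  # nothing was ever written past here
        (name, attr, _nt, _ctenth, _ctime, _cdate, _adate,
         hi, wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, raw)
        if attr == ATTR_LONG_NAME:
            continue
        deleted = raw[0] == DELETED_MARK
        base = name[:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "_" + base[1:]                  # first character is lost to 0xE5
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": size,
            "modified": fat_to_datetime(wdate, wtime),
        })
    return entries


def recover(entry, data_area):
    """Read `size` bytes from the entry's first cluster.

    The FAT chain of a deleted file is zeroed, so this assumes the clusters
    were contiguous and have not been reused; a file whose clusters were
    overwritten after deletion comes back corrupted or as someone else's data."""
    start = (entry["first_cluster"] - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return data_area[start:start + entry["size"]]


def build_sample_volume():
    """Constructed root directory and data area (not from a real lab image)."""
    mtime = datetime(2020, 3, 17, 15, 55, 18)
    secret = b"This is the test."
    notes = b"still here"
    live = make_entry("STEVEN~1", "TXT", 2, len(secret), mtime)
    deleted = bytes([DELETED_MARK]) + live[1:]     # exactly what "Delete" leaves behind
    root_dir = (deleted
                + make_entry("NOTES", "TXT", 3, len(notes), mtime)
                + bytes(32))                       # 0x00 terminator
    data_area = secret.ljust(CLUSTER_SIZE, b"\0") + notes.ljust(CLUSTER_SIZE, b"\0")
    return root_dir, data_area


if __name__ == "__main__":
    root_dir, data_area = build_sample_volume()
    for e in parse_directory(root_dir):
        flag = "X" if e["deleted"] else " "
        print(f"[{flag}] {e['name']:14} {e['size']:5d} {e['modified']}  {recover(e, data_area)!r}")
```

The deleted entry comes back with a placeholder first character (the 0xE5 byte replaced the “S”), the write timestamp that Autopsy lists as the modified time, and a start cluster that still points at the bytes “This is the test.”. That last part is the caveat behind the “do not write to the partition again” instruction in Part 1: recovery relies on nothing having reused those clusters.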

Q5: Try to extract (export) the file you deleted to the Desktop. List the files that you recovered.

Extracted file: Steven_Tran.txt

Q6: Try to find all the files that contain the text “test”. List all of their date/time stamps and the contents of each file.

* Contained many other files from reformatting *


File: Steven_Tran.txt
Modify date: 2020-03-17 15:55:18 MST
Contents: [steven_tran.txt; This is a test.]

Q7: Generate a report (Tools -> Generate Report) and attach a screenshot of its first page.
