CHFI Lab Manual
Understanding Hard Disks and File Systems
Module 03

Icon key: Valuable information / Test your knowledge / Web exercise / Workbook review. Tools demonstrated in this lab are available in C:\CHFI-Tools\CHFIv9 Module 03 Understanding Hard Disks and File Systems.

Module 03 - Understanding Hard Disks and File Systems

Understanding Hard Disks and File Systems

A hard disk drive is a non-volatile, random access digital data storage device used in most computer systems. A file system is a set of data types that is employed for storage, hierarchical categorization, management, navigation, access, and recovery of data.

Lab Scenario

Sam, a security professional at a company, discovered that one of the company's employees was gathering crucial, confidential information about the company and saving it on his/her computer so that he/she could use it later for an illicit purpose. Sam immediately started checking each of his employees' computers in order to identify the dishonest employee. In order to escape being caught, the culprit employee permanently deleted the gathered information. Sam called a forensics investigator to launch an investigation. Sam explained the situation to the investigator. After listening to the story, the investigator decided to analyze the file systems and recover the deleted files to catch the dishonest employee.

Lab Objectives

The objective of this lab is to help the students understand how to:
- Recover files deleted from a hard disk.
- Analyze the file systems.

Lab Environment

This lab requires:
- A computer running Windows Server 2012.
- A web browser with an Internet connection.
- Administrative privileges to run tools.

Lab Duration

Time: 55 Minutes

Overview of Understanding Hard Disks and File Systems

While investigating a computer-based crime, it is most important to understand hard disks and file systems, as these are the major sources of data storage. People usually delete their tracks after committing a crime using a computer in order to avoid being traced. Therefore, recovering the deleted files of hard disks and analyzing file systems is important when investigating a computer-based crime.

Lab Tasks

Recommended labs to assist you in understanding hard disks and file systems:
- Recovering Deleted Files from Hard Disks Using WinHex.
- Analyzing File System Types Using The Sleuth Kit (TSK).
- Analyzing Raw Image Using Autopsy.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your expert opinion on the crime.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

CHFI Lab Manual. Computer Hacking Forensic Investigator. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Recovering Deleted Files from Hard Disks Using WinHex

WinHex inspects and edits all kinds of files and recovers deleted files or lost data from hard drives with corrupt file systems.

Lab Scenario

The forensic investigators started scanning the computers for deleted data to catch the perpetrator, who had been collecting the company's private data for harmful purposes. To avoid identification, the perpetrator had deleted the data from the system. However, the investigators were able to trace the system used by the perpetrator by analyzing the file systems and recovering deleted data using the WinHex tool.

As a computer forensic investigator you should know how to recover files that have been permanently deleted and also the tools that can be used for recovering them.
Lab Objectives

The objective of this lab is to help you understand how to recover files that have been permanently deleted using the WinHex tool.

Lab Environment

This lab requires:
- WinHex, which is located at C:\CHFI-Tools\CHFIv9 Module 03 Understanding Hard Disks and File Systems\File System Analysis Tools\WinHex.
- A computer running Windows Server 2012.
- You can also download the latest version of WinHex from https://www.x-ways.net/winhex/.
- Kindly note that if you decide to download the latest version, then the screenshots shown in the lab might be slightly different.
- Administrative privileges to install and run tools.
- A web browser with an Internet connection.

Lab Duration

Time: 15 Minutes

Overview of WinHex

WinHex inspects and edits all kinds of files, recovers deleted files or lost data from hard drives with corrupt file systems, or from digital camera cards. It is a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security.

Lab Tasks

Task 1: Launching WinHex

1. Navigate to C:\CHFI-Tools\Evidence Files\Raw - DD Image for the evidence files.
2. Navigate to C:\CHFI-Tools\CHFIv9 Module 03 Understanding Hard Disks and File Systems\File System Analysis Tools\WinHex.
3. Double-click setup.exe to launch the setup and follow the wizard-driven installation instructions.
4. Once you complete the installation, the WinHex application launches automatically.

WinHex features an application programming interface (API) and scripting.

Figure 1.1: WinHex setup window

5. Click File > Open to add the evidence file.

Figure 1.2: WinHex File menu
6. In the Open Files pop-up window, navigate to C:\CHFI-Tools\Evidence Files\Raw - DD Image, select All Files from the Files of type drop-down list, and then select TestRawImage.dd. Next, click Open.

Figure 1.3: WinHex Open Files window

7. A WinHex evaluation pop-up subsequently appears; click OK. The pop-up reads: "With this evaluation version you cannot save files or disk sectors that are larger than 200 KB. However, you can create backups of such files at any time for future use with the full version."

Figure 1.4: WinHex evaluation pop-up

WinHex converts between binary, hex ASCII, Intel Hex, and Motorola S formats.

Task 3: Recovering Deleted Files

8. WinHex will process the image file and display the following window with a Data Interpreter pop-up at the lower right corner of the window.

Figure 1.5: WinHex analyzing the raw DD image

9. Navigate to Tools > Disk Tools > File Recovery by Type...

Figure 1.6: WinHex Tools menu

10. A WinHex pop-up appears; click OK. The pop-up reads: "Please note that Refine Volume Snapshot | File Header Signature Search is more powerful and flexible. Please save your files on a different drive in order to avoid overwriting other deleted or lost files. Check recovered files carefully for consistency."

Figure 1.7: WinHex pop-up window
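What the File Recovery by Type header search does, and the consistency check the pop-up in step 10 asks for, as an added Python example that is not part of the manual or of WinHex: it carves JPEG and PNG files out of a raw image by header and footer signature and validates the PNG chunk CRCs. The image bytes are constructed in the script, not read from TestRawImage.dd.

```python
"""Header-signature carving over a raw (dd) image, the idea behind WinHex's
"File Recovery by Type". Added example, not code from the CHFI manual or
from WinHex; the image it scans is constructed in memory so it runs offline."""
import struct
import zlib
from pathlib import Path

# Header and footer signatures for two of the picture types the lab recovers.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 16 * 1024 * 1024   # give up on a header with no footer within 16 MiB

def carve(image: bytes, max_size: int = MAX_CARVE):
    """Return (type, offset, data) for every header with a footer in range.

    Like WinHex's header search this ignores the file system entirely, which
    is why it still finds files whose directory entries were deleted.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:                       # truncated or overwritten: skip it
                pos = image.find(header, pos + 1)
                continue
            found.append((kind, pos, image[pos:end + len(footer)]))
            pos = image.find(header, end + len(footer))
    return sorted(found, key=lambda f: f[1])

def png_is_consistent(data: bytes) -> bool:
    """Walk the PNG chunk list and check every CRC: the "check recovered
    files carefully for consistency" step from the lab's pop-up, automated."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack_from(">I", data, pos)[0]
        if pos + 12 + length > len(data):
            return False
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        if zlib.crc32(ctype + body) != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False

def save_recovered(found, out_dir: Path) -> list:
    """Write each carve as <offset>.<type> into out_dir (the pop-up warns to
    use a drive other than the evidence so nothing deleted gets overwritten)."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for kind, offset, data in found:
        path = out_dir / f"{offset:08x}.{kind}"
        path.write_bytes(data)
        paths.append(path)
    return paths

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_image(sector: int = 512) -> bytes:
    """Constructed stand-in for TestRawImage.dd: an intact JPEG, a valid 1x1 PNG
    and a JPEG whose tail was overwritten, each starting on a sector boundary."""
    def pad(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % sector)
    jpeg = SIGNATURES["jpg"][0] + b"\xe0\x00\x10JFIF\x00" + b"\x7f" * 100 + SIGNATURES["jpg"][1]
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)          # 1x1 pixel, 8-bit RGB
    png = (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _png_chunk(b"IEND", b""))
    torn = SIGNATURES["jpg"][0] + b"\xe0" + b"\x7f" * 40          # footer gone
    return b"\x00" * sector + pad(jpeg) + b"\x00" * sector * 2 + pad(png) + b"\x00" * sector + pad(torn)

if __name__ == "__main__":
    hits = carve(build_sample_image())
    for kind, offset, data in hits:
        ok = png_is_consistent(data) if kind == "png" else data.endswith(b"\xff\xd9")
        print(f"{kind} at offset {offset}: {len(data)} bytes, consistent={ok}")
```

Running it reports the intact JPEG at offset 512 and the PNG at 2048; the torn JPEG at 3072 has no footer within range and is skipped, which is exactly the case the pop-up's consistency warning is about.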
11. The File Header Search on TestRawImage.dd window appears. In the left pane it categorizes the file types that you can extract, as shown in the screenshot.
12. In this lab we are going to extract the Pictures folder; click the + node to expand the Pictures folder.

Figure 1.8: File Header Search on TestRawImage.dd window

13. Select the file types of the target files that you want to recover in the Pictures folder from the left pane as shown in the screenshot and then click OK.

Note: Similarly, you can also choose other file types for the investigation process. The screenshot may differ if you have selected other file types.

WinHex supports RAID systems and dynamic disks, and concatenates and splits files.

Figure 1.9: WinHex file header search

Task 4: Selecting the Target Folder

14. It will display a new Select Target Folder window. Navigate to the location where you want to save the retrieved files. Create a folder, give it a name, select the folder, and then click OK. (Here we created a new folder called Retrieved Files on the Desktop.)

Figure 1.10: WinHex Select Target Folder window

15. It will display the following window. Click OK.

WinHex features a RAM editor, providing access to physical RAM and other processes' virtual memory.

Figure 1.11: WinHex select target folder
WinHex analyzes and compares files, and edits data structures using templates.

Task 5: Viewing Retrieved Files

16. To start the recovery process, click OK on the File Header Search tab. It will close the window and start recovering the deleted hard disk files based on the chosen type.

Figure 1.12: WinHex recovery processing window

17. After the recovery process is complete, click OK in the File Recovery by Type pop-up window to close the processing window. The pop-up reports how many file headers were found and how many files were retrieved (here, 797 files were retrieved).

Figure 1.13: File Recovery by Type pop-up window

18. To see the recovered files, open the destination folder where you saved the documents.

Figure 1.14: Retrieved files folder

Lab Analysis

Check recovered files that have been deleted from the hard disk. Investigate those recovered files and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How do you clone a disk using WinHex?
2. How do you make partition backups using WinHex?

Internet Connection Required: No
Platform Supported: Classroom, iLabs

Analyzing File System Types Using The Sleuth Kit (TSK)

The Sleuth Kit (TSK) is a library and collection of command-line tools that allow you to investigate volume and file system data.

Lab Scenario

Sam had called investigators to catch the criminal who was leaking the company's secret information.
The investigators faced the challenge of scanning a large number of systems to identify the culprit. In order to simplify the search, the investigators used The Sleuth Kit (TSK) to determine the volume and file system data, which reduced their work and helped in finding the culprit in time.

In order to investigate a hard disk, as a forensic investigator you must know the types of file systems and how to analyze them using various tools.

Lab Objectives

The objective of this lab is to help investigators learn and perform file system analysis. The Sleuth Kit (TSK) is used to obtain:
- File system type.
- Metadata information.
- Content information.

Lab Environment

This lab requires:
- The Sleuth Kit (TSK), which is located at C:\CHFI-Tools\CHFIv9 Module 03 Understanding Hard Disks and File Systems\File System Analysis Tools\The Sleuth Kit (TSK).
- You can also download the latest version of The Sleuth Kit from http://www.sleuthkit.org/sleuthkit/download.php.
- If you decide to download the latest version, then the screenshots shown in this lab might differ slightly.
- A computer running Windows Server 2012.
- Administrative privileges to execute the commands.
- A web browser with an Internet connection.

Lab Duration

Time: 15 Minutes

Overview of The Sleuth Kit (TSK)

The Sleuth Kit (TSK) is a library and collection of command-line tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools, and the command-line tools can be used directly to find evidence.

Lab Tasks

1. Navigate to C:\CHFI-Tools\CHFIv9 Module 03 Understanding Hard Disks and File Systems\File System Analysis Tools\The Sleuth Kit (TSK).
Task 1: Opening a Command Prompt Window

2. Select the bin folder, press Shift + right-click, and select Open command window here from the context menu to open a command prompt window.

Figure 2.1: Windows Server 2012 Command Window Here

3. Now type fsstat -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" and then press Enter to see the file system details.

Figure 2.2: fsstat showing file system details

Task 3: Viewing the Metadata Structure Details

4. Use the istat tool of The Sleuth Kit to view the details of a metadata structure.
5. To view the MFT File Overview, type istat -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 0

Figure 2.3: MFT File Overview

Note: The Master File Table (MFT) has an entry for every file and directory; hence it is required to find all other files. The layout of the MFT is determined by processing entry 0 in the MFT.

6. To view the MFTMirr File Overview, type istat -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 1

Figure 2.4: MFTMirr File Overview

Note: MFT entry 1 is for the MFTMirr file, which has a non-resident attribute that contains a backup copy of the first MFT entries.

7. To view the Boot File Overview, type istat -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 7

Figure 2.5: Boot File Overview

Note: The Boot file system metadata file is located in MFT entry 7 and contains the boot sector of the file system.

8. To view the Volume File Overview, type istat -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 3

Figure 2.6: Volume File Overview

Note: The Volume file system metadata file is located in MFT entry 3 and contains the volume label and other version information.

TSK works with hash databases such as the NIST NSRL and HashKeeper.

9. To view the AttrDef File Overview, type istat -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 4

Figure 2.7: AttrDef File Overview

Note: The MFT entry for the AttrDef file system metadata file is 4. It defines the names and type identifiers for each type of attribute.

10. To view the Bitmap File Overview, type istat -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 6

Figure 2.8: Bitmap File Overview

Note: The MFT entry of the Bitmap file system metadata file is 6. It determines the allocation status of each cluster.

Autopsy Forensic Browser is a graphical interface to the tools in TSK. TSK can be run on Windows and UNIX.

11. To view the BadClus File Overview, type istat -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 8

Figure 2.9: BadClus File Overview

Note: NTFS keeps track of the damaged clusters by allocating them to a $DATA attribute of the BadClus file system metadata file. The MFT entry is 8.

12. To view the Secure File Overview, type istat -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 9

Figure 2.10: Secure File Overview

Note: The Secure file system metadata file stores the security descriptors that define the access control policy for a file or directory. The MFT entry for this is 9.

Task 4: Listing the Files and Directory Names

13. Use the fls command-line tool of TSK to list the file and directory names. Type fls -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" and then press Enter.

Figure 2.11: Listing files and directory names

14. To see only the deleted entries, type fls -d "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd"

Figure 2.12: Viewing deleted entries

Task 5: Viewing the Image File Details

15. Use the img_stat command to see the details of an image. Type img_stat "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd"

Lab Analysis

Analyze the file attributes and file systems of the disk partition image and document the results related to the lab exercise. Give your opinion of your target's file system.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Determine the other options of the istat command-line tool.
2. Determine the other options of the fls command-line tool.
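The structures behind the fsstat and istat output in steps 3 to 12, as an added Python example that is not part of the manual or of The Sleuth Kit: it parses an NTFS boot sector ($Boot, entry 7) for the cluster and MFT geometry fsstat reports, then decodes MFT entry headers (entry number, sequence, allocation and directory flags) the way istat does, including the fixup check that rejects a torn record. Every byte it parses is constructed in the script, not read from DiskPartitionRawImage.dd.

```python
"""NTFS boot sector and MFT entry header decoding, the structures behind
`fsstat -f ntfs` and `istat -f ntfs`. Added example (not from the CHFI manual
or The Sleuth Kit); every byte of sample input below is constructed."""
import struct
from dataclasses import dataclass

# MFT system files the lab walks with istat (entry number -> name).
SYSTEM_FILES = {0: "$MFT", 1: "$MFTMirr", 3: "$Volume", 4: "$AttrDef",
                6: "$Bitmap", 7: "$Boot", 8: "$BadClus", 9: "$Secure"}

@dataclass
class BootInfo:
    bytes_per_sector: int
    sectors_per_cluster: int
    total_sectors: int
    mft_cluster: int
    mftmirr_cluster: int
    mft_entry_size: int
    serial_number: int

    @property
    def cluster_size(self) -> int:
        return self.bytes_per_sector * self.sectors_per_cluster

    @property
    def mft_byte_offset(self) -> int:  # where istat reads entry 0 from
        return self.mft_cluster * self.cluster_size

def parse_boot_sector(sector: bytes) -> BootInfo:
    """Parse the BIOS parameter block that fsstat summarises."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", sector, 11)
    total, mft, mirr = struct.unpack_from("<QQQ", sector, 40)
    cpe, serial = struct.unpack_from("<b7xQ", sector, 64)   # clusters/MFT entry, serial
    entry_size = 2 ** -cpe if cpe < 0 else cpe * bps * spc  # negative means 2**|n| bytes
    return BootInfo(bps, spc, total, mft, mirr, entry_size, serial)

@dataclass
class MftEntry:
    number: int
    sequence: int
    link_count: int
    in_use: bool
    is_directory: bool
    first_attr_offset: int

    @property
    def name(self) -> str:
        return SYSTEM_FILES.get(self.number, "(not one of the lab's system files)")

def apply_fixups(entry: bytes, sector_size: int = 512):
    """Undo the update-sequence fixups; return None on a signature mismatch,
    which means a torn write or tampering (TSK rejects such records too)."""
    fix_off, fix_count = struct.unpack_from("<HH", entry, 4)
    sig, buf = entry[fix_off:fix_off + 2], bytearray(entry)
    for i in range(1, fix_count):
        end = i * sector_size
        if buf[end - 2:end] != sig:
            return None
        buf[end - 2:end] = entry[fix_off + 2 * i:fix_off + 2 * i + 2]
    return bytes(buf)

def parse_mft_entry(raw: bytes):
    """Parse the header fields istat prints first; None if the record is bad."""
    if raw[0:4] != b"FILE":
        return None
    entry = apply_fixups(raw)
    if entry is None:
        return None
    seq, links, attr_off, flags = struct.unpack_from("<HHHH", entry, 16)
    number = struct.unpack_from("<I", entry, 44)[0]
    return MftEntry(number, seq, links, bool(flags & 0x1), bool(flags & 0x2), attr_off)

def build_boot_sector() -> bytes:
    """Constructed $Boot for a 4 GiB volume: 4 KiB clusters, 1 KiB MFT entries."""
    b = bytearray(512)
    b[0:3], b[3:11], b[21] = b"\xeb\x52\x90", b"NTFS    ", 0xF8
    struct.pack_into("<HB", b, 11, 512, 8)                    # bytes/sector, sectors/cluster
    struct.pack_into("<QQQ", b, 40, 8_388_607, 262_144, 2)   # total sectors, $MFT, $MFTMirr
    struct.pack_into("<bxxxb", b, 64, -10, 1)                 # 2**10-byte entries, index size
    struct.pack_into("<Q", b, 72, 0x1A2B3C4D5E6F7081)        # constructed volume serial
    b[510:512] = b"\x55\xaa"
    return bytes(b)

def build_mft_entry(number: int, seq: int = 1, directory: bool = False) -> bytes:
    """Constructed 1 KiB MFT entry whose two sectors carry the fixup signature."""
    e = bytearray(1024)
    struct.pack_into("<4sHH", e, 0, b"FILE", 48, 3)           # signature, fixup offset/count
    flags = 0x1 | (0x2 if directory else 0)                   # in use, maybe a directory
    struct.pack_into("<HHHH", e, 16, seq, 1, 56, flags)       # sequence, links, attr offset
    struct.pack_into("<I", e, 44, number)
    struct.pack_into("<HHH", e, 48, 0x0007, 0xAAAA, 0xBBBB)   # signature, then genuine words
    e[510:512] = e[1022:1024] = b"\x07\x00"                   # signature stamped on disk
    return bytes(e)
```

With the constructed values, parse_boot_sector reports 4096-byte clusters and 1024-byte MFT entries with $MFT at byte offset 262144 * 4096, and parse_mft_entry returns None for a record whose sector signature was altered.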
Internet Connection Required: No
Platform Supported: Classroom, iLabs

Analyzing Raw Image Using Autopsy

Autopsy is a digital forensics platform used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.

Lab Scenario

An inspector, who is probing a murder incident, has found a dead system as part of the investigation at a crime scene and suspects that the system is related to the incident and could provide clues about it. When he brings the system to the cyber forensics department, the forensic investigator uses Autopsy to replicate the hard disk. On further analysis of the file systems they found some obscene videos and pictures that could have been the cause of the murder.

In order to investigate a hard disk, as a forensic investigator you must know the types of file systems and how to analyze them using various tools.

Lab Objectives

The objective of this lab is to help investigators learn and perform file system analysis using Autopsy:
- File system type.
- Metadata information.
- Content information.

Lab Environment

This lab requires:
- Autopsy, which is an inbuilt tool in Kali Linux.
- You can also download the Windows-based version of Autopsy from http://www.sleuthkit.org/autopsy/.
- Kindly note that if you decide to download the latest version, then the screenshots shown in this lab might differ slightly.
- A computer running Kali Linux.
- A computer running Windows Server 2012 to access the CHFI-Tools directory.
- Administrative privileges to execute the commands.
- A web browser with an Internet connection.

Lab Duration

Time: 25 Minutes

Overview of Autopsy

Autopsy was designed to be intuitive out of the box. All results are found in a single tree. Autopsy was designed to be an end-to-end platform with modules that come with it out of the box and others that are available from third parties.

Lab Tasks

1. To launch Autopsy, navigate to Applications > 11 - Forensics > autopsy.

Autopsy analyzes disk images and local files. Disk images can be in either raw/dd or E01 format; E01 support is provided by libewf.

Figure 3.1: Launching Autopsy in Kali Linux

2. A Terminal window opens once you click on the Autopsy icon from the Applications menu.
3. In the terminal window it will instruct you to open a browser and browse to the URL http://localhost:9999/autopsy; copy the given URL as shown in the screenshot.

Note: Do not close the terminal window until the process is completed.

Autopsy has an extensible reporting infrastructure that allows additional types of reports for investigations to be created. By default, HTML, XLS, and Body file reports are available.

Figure 3.2: Autopsy Terminal window

4. Once the link is copied, click the Iceweasel icon from the task bar to open a web browser.
5. Paste the copied link in the Iceweasel browser's address bar and press Enter.

Figure 3.3: Accessing the Autopsy link in the browser

Task 2: Creating a New Case

6. The Autopsy main window appears as shown in the screenshot; click the NEW CASE button to start the investigating process.

Note: Ignore the Warning message in the Autopsy main window.

The left-hand side window consists of four main options: Directory Seek, File Name Search, Hide/Expand Directories, and Show All Deleted Files.

Figure 3.4: Autopsy main window

7. The CREATE A NEW CASE page subsequently appears; fill in the required details.
8. In this lab we have given this case a numerical case name of 400, a description of Test, and an investigator name of Johnathan; then click NEW CASE.

Figure 3.5: Creating a New Case

9. Once you click on the NEW CASE button in the previous screen, it will redirect you to the Creating Case webpage.

Task 3: Adding a Host

10. Now, click the ADD HOST button.

Figure 3.6: Adding a Host

11. The ADD A NEW HOST webpage next appears, where you need to fill in the details; then click the ADD HOST button.

Figure 3.7: Host Details

Task 4: Adding an Image

12. After successfully adding the host to Autopsy, it will appear as shown in the screenshot.
13. Now, we need to add an image for investigation. Click the ADD IMAGE button.

Figure 3.8: Add Image

14. Click the ADD IMAGE FILE button to add an image for investigation.

Figure 3.9: Adding an Image

15. The ADD A NEW IMAGE page appears; here we need to provide the location of the image in the Location field, the Type of the image, and the Import Method.

Figure 3.10: Add a New Image

16. Minimize the browser window, double-click chfi-tools on 10.0.0.12 on the desktop, navigate to Evidence Files > Disk Partition Raw Image, copy the DiskPartitionRawImage.dd file, and paste it on the desktop.

Note: 10.0.0.12 is the IP address of the Windows Server 2012 virtual machine. IP addresses may differ as per your network infrastructure.

Figure 3.11: Sample image file on the Desktop

17. Maximize the Autopsy browser, and drag the DiskPartitionRawImage.dd file into the Location field.
18. In the Type section choose the Partition radio button, leave the other settings at their defaults, and click NEXT.

Note: While you are dragging the image file, the path will be shown with a file: prefix; delete that prefix.

Figure 3.12: Image Added for Investigation

19. The Image File Details webpage next appears; leave the settings at their defaults and click ADD.

Figure 3.13: Image File Details

20. The Testing partitions page appears; click OK.

Figure 3.14: Testing partitions page

Task 5: Analyzing the Added Image

21. Once the image is added to the Autopsy database, you can analyze the image. To analyze the image, click ANALYZE.
Figure 3.15: Analyzing the Added Image

22. To start analyzing the added disk image, you can choose the analysis mode from the tabs shown in the screenshot.

Figure 3.16: Analysis Method

23. To do file analysis, click the FILE ANALYSIS button, which allows you to analyze an image from the file and directory perspective.
24. File Analysis is used to examine the directories and files for evidence. It also performs basic binary analysis to extract the ASCII strings.

File Listings: analyze the files and directories, including the names of deleted files and files with Unicode-based names.

File Browsing Mode: In this mode you can view file and directory contents. File contents will be shown in this window. More file details can be found using the Metadata link at the end of the list (on the right). You can also sort the files using the column headers.

Figure 3.17: Analysis of the Added Image

25. To generate MD5 hashes of the contained files, click the GENERATE MD5 LIST OF FILES button; it will open a new tab in the browser with the list of hash values of the image.

Figure 3.18: MD5 hash values of the contents

26. Click the IMAGE DETAILS button to view the complete file system of the added image, where you can view FILE SYST­EM INFORMATION, METADATA INFORMATION, and CONTENT INFORMATION.

Figure 3.19: Image Details

Thus, you can go through all the required options of Autopsy in detail for your investigation.

Lab Analysis

Analyze the file attributes and file systems of the disk partition image and document the results related to the lab exercise. Give your opinion of your target's file system.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: No
Platform Supported: Classroom
