CITC 287 – Cybersecurity Incident Response

Module 01 – Understanding of Digital Forensics

Lab 01 – A
The case in this project involves a suspicious death. Joshua Zarkan found his girlfriend’s dead body in her
apartment and reported it. The first responding law enforcement officer seized a USB drive. A crime
scene evidence technician skilled in data acquisition made an image of the USB drive with FTK Imager
and named it C1Prj01.E01. Following the acquisition, the technician transported and secured the USB
drive and placed it in a secure evidence locker at the police station. You have received the image file
from the detective assigned to this case. He directs you to examine it and identify any evidentiary
artifacts that might relate to this case. To process this case, follow these steps to evaluate what’s on the
image of the USB drive:

Steps/Questions / Notes/Comments/Answers

1. Download and install Autopsy for Windows: https://www.autopsy.com/download/

2. Download the C1Prj01.E01 hard drive image from D2L.

3. Start Autopsy for Windows, and click the Create New Case icon. In the New Case Information window, enter C1Prj01 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your work folder, and then click Next.

4. In the Additional Information window, type C1Prj01 in the Case Number text box and your name in the Examiner text box, and then click Finish.

5. In the Select Data Source window, click the Select data source type list arrow, and click Disk Image or VM file. Click the Browse button next to the “Browse for an image file” text box, navigate to and click your work folder and the C1Prj01.E01 file, and then click Open. Click Next.

6. In the Configure Ingest Modules window, click Select All. Click Next and then Finish.

7. In the Configure Ingest Modules window, click Select All. Click Next and then Finish.

8. Examine each subfolder under Documents. Determine which folder might contain files of interest to this case.
   Q. Which folder(s) are of interest?
   Notes/Comments/Answers: Suicide1.txt

9. If you found any files related to the case, select the files as a group, right-click the selection, and click Extract File(s). In the Save dialog box, click Save to save the files automatically in Autopsy’s case subfolder: Work\Chap01\Projects\C1Prj01\Export.
10. Write a short report of no more than two paragraphs, including facts from any content you found. When you’re finished, leave Autopsy running for the next section.

    Notes/Comments/Answers: Case C1Prj01 was an emotional rollercoaster. Opening up the file in Autopsy, we entered the file views; under Data Sources > File Types > By Extension > Documents, I saw that there was a plain text entry.

    Upon opening up the Plain Text section, I saw that there was a single .txt file with the name suicide1.txt. The text was concerning: a suicide note. This will be escalated to the proper authorities.

LAB 01-A REPORT

Lab 01 – B
In this project, you work for a large corporation’s IT Security Department. Your duties include conducting
internal digital investigations and forensics examinations on company computing systems. A paralegal
from the Law Department, Ms. Jones, asks you to examine a USB drive belonging to an employee who
left the company and now works for a competitor. The Law Department is concerned that the former
employee might possess sensitive company data. Ms. Jones wants to know whether the USB drive
contains anything relevant.

In addition, she tells you that the former employee might have had access to confidential documents
because a co-worker saw him accessing his manager’s computer on his last day of work. These
documents consist of nine files containing the word “confidential.” She wants to know whether the
USB’s bit-stream image file has these documents.

To process this case, make sure the C1Prj02.001 file has been extracted to your work folder, and then
follow these steps:

Steps/Questions / Notes/Comments/Answers

1. Start Autopsy for Windows, if you exited it at the end of the previous project. If the previous project is open, click Case, Close Case from the menu. Click the Create New Case icon. In the New Case Information window, enter C1Prj02 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your work folder, and then click Next.

2. In the Additional Information window, type C1Prj02 in the Case Number text box and your name in the Examiner text box, and then click Finish.

3. In the Additional Information window, type C1Prj02 in the Case Number text box and your name in the Examiner text box, and then click Finish.

4. In the Configure Ingest Modules window, click Select All. Click Next and then Finish.

5. Click the Keyword Search button at the far upper right, type confidential in the text box, and then click Search.

6. In the Result Viewer pane, a new tab named Keyword search 1 opens. Click each file to view its contents in the Content Viewer pane.

7. Ctrl+click to select the files in the Keyword search 1 tab. Right-click this selection, point to Tag File, and click Tag and Comment. In the Create Tag dialog box, click the New Tag Name button, type Recovered Office Documents in the Tag Name text box, and then click OK.

8. Click Generate Report at the top. In the Generate Report window, click the Results - Excel option button in the Report Modules section, and then click Next.

9. In the Configure Artifacts Report window, click the Tagged Results button, click the Recovered Office Documents check box, and then click Finish.

10. In the Report Generation Progress Complete window, click the Results - Excel pathname to open the Excel report. This Excel file should have several tabs of information about the files you tagged for this project.

11. In the Report Generation Progress Complete window, click Close, and then exit Autopsy. Write a memo to Ms. Jones listing the filenames where you found a hit for the keyword. List the cluster numbers for hits that occurred in unallocated space. Include the Excel spreadsheet with the report.

    Notes/Comments/Answers: Ms. Jones, on the flash drive that was recovered from your ex-employee there are 10 different hits for the keyword “Confidential”, each pertaining to a confidential email. Below are the names of the files listed:

    First test results.ods
    message_h972x.msg
    message_o081x.msg
    message_s528x.msg
    message_a193x.msg
    message_j465x.msg
    message_l890x.msg
    message_i432x.msg
    message_l841x.msg

LAB01-B MEMO
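What the Keyword Search step in Lab 01-B does underneath, as an added example (not part of the lab handout and not Autopsy's own code): a case-insensitive scan of every byte of a bit-stream image, so that hits in live files are reported by filename and hits in unallocated space by cluster number, as the memo asks. It assumes a FAT-style volume with 4096-byte clusters whose data area starts at byte offset 0 and is numbered from cluster 2; the image and its allocation table are constructed in memory.

```python
import re

CLUSTER_SIZE = 4096        # assumed: 8 sectors x 512 bytes per cluster (FAT-style volume)
FIRST_DATA_CLUSTER = 2     # FAT numbers the first data cluster 2; data area assumed at offset 0


def search_image(image: bytes, keyword: str, allocation: dict) -> list:
    """Case-insensitive search of every byte of the image, slack and unallocated space included.

    Both ASCII and UTF-16LE encodings are tried, since Office and Outlook files store text as UTF-16.
    allocation maps cluster number -> filename for clusters owned by a live file.
    Returns hits sorted by offset: {"offset", "cluster", "encoding", "file" (None if unallocated)}.
    """
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pattern = re.compile(re.escape(keyword.encode(enc)), re.IGNORECASE)
        for m in pattern.finditer(image):
            cluster = FIRST_DATA_CLUSTER + m.start() // CLUSTER_SIZE
            hits.append({"offset": m.start(), "cluster": cluster,
                         "encoding": enc, "file": allocation.get(cluster)})
    return sorted(hits, key=lambda h: h["offset"])


def memo_lines(hits: list) -> list:
    """Format hits the way the memo asks: filenames for live files, cluster numbers for unallocated."""
    out = []
    for h in hits:
        if h["file"]:
            out.append(f"{h['file']}: hit at cluster {h['cluster']} ({h['encoding']})")
        else:
            out.append(f"unallocated space: cluster {h['cluster']}, byte offset {h['offset']}")
    return out


def build_sample_image():
    """Constructed 4-cluster image: two live messages and one deleted-file remnant (no directory entry)."""
    img = bytearray(4 * CLUSTER_SIZE)          # all zero = unused

    def put(cluster, data):
        off = (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
        img[off:off + len(data)] = data

    put(2, b"Subject: Q3 plan\r\nThis message is CONFIDENTIAL.")
    put(3, "Body: pricing sheet, Confidential".encode("utf-16-le"))
    put(4, b"deleted draft: confidential supplier list")   # unallocated cluster
    allocation = {2: "message_a193x.msg", 3: "message_j465x.msg"}   # constructed names
    return bytes(img), allocation


if __name__ == "__main__":
    image, alloc = build_sample_image()
    for line in memo_lines(search_image(image, "confidential", alloc)):
        print(line)
```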

Lab 01 – C
You’re an IT security specialist for Superior Sailmakers, a company making sails for sloops and yawls. It
sells rigging and sails to many sailboat makers who are competing against one another. Ms. Olsen in the
Human Resources Department notifies you that she got an anonymous letter with an old USB drive. The
letter states that a former employee, Ralph Williams, had photos belonging to ACE Sailboats that
contained trade secrets from April 2006. The letter also states that after Mr. Williams ended his
employment at Superior Sailmakers in January 2007, he used the photos on the USB drive to get hired
by Smith Sloop Boats, a competitor of ACE Sailboats. Both sailboat manufacturers are customers of
Superior Sailmakers.

Ms. Olsen tells you that another specialist has already made an image of the USB drive in the Expert
Witness format (with an .E01 extension). She wants you to examine its contents for any photograph files
to determine whether the anonymous complaint is true. After your examination, you need to generate a
report that Ms. Olsen will send to the Legal Department. The Legal Department will then determine
whether any violations of trade secret or intellectual property laws might have occurred.

Steps/Questions / Notes/Comments/Answers

1. Start Autopsy for Windows, and click the Create New Case icon. In the New Case Information window, enter C1Prj03 in the Case Name text box, and click Browse next to the Base Directory text box. Navigate to and click your work folder, and then click Next.

2. In the Additional Information window, type C1Prj03 in the Case Number text box and your name in the Examiner text box, and then click Finish.

3. In the Select Data Source window, click the Select data source type list arrow, and click Disk Image or VM file. Click the Browse button next to the “Browse for an image file” text box, navigate to your work folder and click the C1Prj03.E01 file, and then click Open. Click Next.

4. In the Configure Ingest Modules window, click Select All. Click Next and then Finish.

5. Because you’re looking for photos of sailboats that were copied to the USB drive sometime during April 2006, perform the following steps:

   5A. In the Tree Viewer pane, expand Views, File Types, By Extension, and Images.

   5B. In the Result Viewer pane, scroll to the right, if necessary, until the Modified Time column is in view. Sort the column by clicking the Modified Time header.

   5C. Scroll down until you find the first file with a starting month of April 2006, and then click the file to view it in the Content Viewer. Press the down arrow on the keyboard to view all files created or modified in April 2006.

   5D. Ctrl+click every file that has a photo of a boat or part of a boat. Right-click this selection, point to Tag File and then Quick Tag, and click Follow Up.

   5E. In the Tree Viewer pane, scroll down and expand Tags, Follow Up, and File Tags.

   5F. In the Result Viewer pane, click the Thumbnail tab to view the tagged photos.

   5G. To create a report, click Generate Report at the top. In the Generate Report window, click the Results - HTML option button in the Report Modules section, and then click Next.

   5H. In the Configure Artifacts Report window, click the Tagged Results button, click the Follow Up check box, and then click Finish.

   5I. In the Report Generation Progress window, click the Results - HTML pathname to view the report. When viewing the report, click the links to examine the tagged files. When you’re finished, click Close in the Report Generation Progress window.

   5J. Exit Autopsy, and write a short memo to summarize your findings.

   Notes/Comments/Answers: In this case about stolen IP, I was able to identify 8 different photos of sailboat-related material. 3 of these were modified during the month of April 2006, although 5 other ones did not have an access, creation, or modified time.

LAB01-C MEMO
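The filter applied by hand in steps 5A to 5C, as an added example (not part of the lab handout and not Autopsy's own code): keep only image files, sort by Modified Time, select those modified in April 2006, and report separately the files that carry no modified timestamp at all, the case noted in the answer above. The rows are constructed in the shape of a Name / Modified Time listing and the timestamp format is an assumption.

```python
import os
from datetime import datetime

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".tif", ".tiff"}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed export format; adjust to the listing you export

# Constructed sample listing (Name, Modified Time); an empty string means the
# file system entry carried no modified timestamp.
SAMPLE_ROWS = [
    ("spinnaker.jpg",   "2006-05-01 00:00:00"),
    ("rigging.gif",     "2006-04-28 17:45:10"),
    ("notes.txt",       "2006-04-03 11:02:00"),
    ("hull_mold.jpg",   "2006-04-12 09:14:02"),
    ("keel_detail.jpg", ""),
    ("mast_step.jpg",   "2007-01-15 08:30:00"),
    ("README",          ""),
]


def parse_modified(value: str):
    """Return a datetime for a Modified Time cell, or None when the cell is empty."""
    value = value.strip()
    return datetime.strptime(value, TIME_FORMAT) if value else None


def photos_modified_in(rows, year: int, month: int):
    """Split image files into those modified in the given month and those with no timestamp.

    Returns (in_month, no_timestamp): in_month is sorted by Modified Time, as step 5B does;
    non-image files are ignored, as the By Extension > Images view does.
    """
    in_month, no_timestamp = [], []
    for name, modified in rows:
        if os.path.splitext(name)[1].lower() not in IMAGE_EXTENSIONS:
            continue
        mtime = parse_modified(modified)
        if mtime is None:
            no_timestamp.append(name)          # cannot be placed in April 2006 by timestamp alone
        elif (mtime.year, mtime.month) == (year, month):
            in_month.append((mtime, name))
    return [name for _, name in sorted(in_month)], no_timestamp


if __name__ == "__main__":
    hits, untimed = photos_modified_in(SAMPLE_ROWS, 2006, 4)
    print("modified in April 2006:", hits)
    print("no modified timestamp:", untimed)
```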