The instructions are posted within the "lab 3 instructions" doc file. You will also need to use a VMware virtual machine.
Lab 3 instructions
• All answers must be in complete sentences for full credit.
• Reminder: Use these tools in VMware only.
• Note: Windows may try to block some programs (Windows Defender and SmartScreen commonly flag NirSoft's password-recovery tools as hacking tools). You will have to add an exception and bypass the security block, inside the VM only.
OBJECTIVE:
• The purpose of this exercise is to give you more experience with Windows forensics by having you examine the Internet History, analyze the Windows Registry, and work with the Recycle Bin and Event Logs.
INSTALL SOFTWARE
IN YOUR WINDOWS VMWARE:
• Download and install an EXIF viewer program
  o Exif Viewer: https://download.cnet.com/EXIF-Viewer/3000-2193_4-75912951.html
  OR
  o Exif Data Viewer: http://www.exifdataviewer.com/
• Install a browser history viewer program
  o NirSoft: http://www.nirsoft.net/
  o Download and install the BrowsingHistoryView tool. It reads the history databases of Chrome, Firefox, Edge and Internet Explorer from every user profile on the machine (or from a folder you point it at); NirSoft has separate tools for the cache, cookies, and saved passwords.
  o Read the information provided on the website prior to downloading and installing the programs
• Install a browser password viewer
  o NirSoft: http://www.nirsoft.net/
  o Download and install WebBrowserPassView
  o NOTE: The download is a password-protected zip. The password is printed on the website under the download link, and you will need it to extract the program.
• Install Typed URLs
  o Typed URLs Chrome Extension: https://chromewebstore.google.com/detail/typedurls/iaeahfilfambhhdkjcccoaiejnbkfjip
  o Download and install the extension
PART 1: HIDDEN FILES
IN YOUR WINDOWS VMWARE:
• In your VMware, make sure you are logged in as an admin account
• Launch Chrome, Firefox, or Edge
• Type in some URLs such as: www.gmu.edu www.cnn.com
• Create a bookmark for a website
• Go to Google and search for: extortion
• Open Notepad and create a file called "exigent.txt" that contains this text: "I've done it before and I'll do it again." Save As... to save it to the Desktop and then Exit. Move this file to the Recycle Bin and Empty the Recycle Bin.
• Open Notepad and create a file called "scienter.txt" that contains this text: "I knew it was wrong but I did it anyway!" Move this file to the Recycle Bin, but do not empty the Recycle Bin.
• Change your settings so you can see and search for hidden files/folders in Windows:
  o In the search bar next to the Windows menu, type "File Explorer Options" in the Search Box
  o Select "Change search options for files and folders" from the options that appear
  o When the Folder Options window opens, go to the "View" tab and check "Show hidden files, folders, and drives"
  o Uncheck the "Hide protected operating system files (Recommended)" box. This second setting is what makes $Recycle.Bin and other system-attribute folders visible in File Explorer, which you will need in Part 3.
ANSWER QUESTION 1
ANSWER QUESTION 1
PART 2: INTERNET HISTORY
INTERNET HISTORY
• First, we will examine the Internet History.
• This is stored per user account in the cache/profile folders of each browser.
  o For example, Internet Explorer and the legacy Edge keep the WebCacheV01.dat database in C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache, and Chrome keeps a SQLite file named History in C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default
  o Location and file names will depend on the OS and browser
• File Explorer will not display this complete path by default, because AppData is a hidden folder, but you can see it if you go to Start -> Run -> cmd and change to that directory (or type the full path into the Explorer address bar).
GENERATE SOME WEB TRAFFIC
• Generate some internet traffic using Edge, Firefox, or Chrome (searches, visit websites, log into an account, etc.)
• Use the NirSoft BrowsingHistoryView tool to view your internet history
ANSWER QUESTION 2
• From the Lab 3 Datafiles, download and extract Google.zip
• In the BrowsingHistoryView tool, go to Options - Advanced Options and load the history from the extracted folder instead of from the running system (the dialog lets you choose the data source: the current system, all user profiles, a specified profile, or custom folders)
PASSWORD VIEWING
• Log into some accounts you have, such as GMU or Google, and save the password in your browser
• Use the WebBrowserPassView tool to see if you can recover any of the saved passwords
• Note: Chrome and Edge keep saved credentials in the profile's Login Data SQLite file with each password encrypted under the Windows user's DPAPI key, so recovery only works while logged in as that same Windows account; Firefox uses its own key4.db/logins.json pair, protected by the master password if one is set.
ANSWER QUESTION 3
TYPED URLs
• Go to Chrome and type the full URL to some websites of your choice
• Click on the Typed URLs extension
• Note: Internet Explorer records typed URLs in the Registry under HKCU\Software\Microsoft\Internet Explorer\TypedURLs; Chrome has no such key. The extension reads Chrome's History database, where each visit carries a transition type, and "typed" entries are the ones the user entered in the address bar rather than reached by clicking a link.
ANSWER QUESTIONS 4 & 5
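The following script is an added example written for this page; it is not part of the lab, NirSoft's BrowsingHistoryView or the Typed URLs extension. It shows what those two tools do under the hood for Chrome and Chromium-based Edge: both browsers keep history in a SQLite file named History inside the profile folder, with a `urls` table (one row per URL) and a `visits` table (one row per visit, whose `transition` column's low byte says how the page was reached: 1 = TYPED, 0 = LINK, 5 = GENERATED, i.e. an omnibox search). Timestamps are microseconds since 1601-01-01 UTC. The schema below is a trimmed copy of the real one and the rows are constructed sample data mirroring the lab steps, so it runs offline; `load_history()` opens a real History file if you copy it out of the profile first (the running browser locks it).

```python
# Added example (not part of the lab or of NirSoft's tools).
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome profile history file, e.g. C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome time = microseconds since this instant
CORE_MASK = 0xFF                                           # low byte of visits.transition
TRANSITION_NAMES = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
CHAIN_START_END = 0x30000000   # qualifier bits Chrome sets on a single-hop visit

# Trimmed copy of the two Chromium tables this example needs (constructed, not the full schema).
SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                   typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                     from_visit INTEGER, transition INTEGER);
"""


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def load_history(path):
    """Open a real History file read-only. Copy it out of the profile first: the running browser locks it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_history():
    """Constructed sample mirroring the lab steps: two typed URLs, an omnibox search, one clicked link."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t0 = datetime(2024, 3, 1, 14, 0, 0, tzinfo=timezone.utc)
    sample = [  # (url id, url, title, core transition, minutes after t0)
        (1, "https://www.gmu.edu/", "George Mason University", 1, 0),
        (2, "https://www.cnn.com/", "CNN", 1, 1),
        (3, "https://www.google.com/search?q=extortion", "extortion - Google Search", 5, 2),
        (4, "https://www.cnn.com/world", "World news", 0, 3),
    ]
    for url_id, url, title, core, minutes in sample:
        ts = datetime_to_webkit(t0 + timedelta(minutes=minutes))
        conn.execute("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, 0)",
                     (url_id, url, title, 1, 1 if core == 1 else 0, ts))
        conn.execute("INSERT INTO visits VALUES (?, ?, ?, 0, ?)",
                     (url_id, url_id, ts, CHAIN_START_END | core))
    conn.commit()
    return conn


def visit_history(conn):
    """Every visit, newest first: (url, title, UTC datetime, decoded transition type)."""
    rows = conn.execute("""SELECT u.url, u.title, v.visit_time, v.transition
                           FROM visits v JOIN urls u ON u.id = v.url
                           ORDER BY v.visit_time DESC""").fetchall()
    return [(url, title, webkit_to_datetime(ts), TRANSITION_NAMES.get(tr & CORE_MASK, "?"))
            for url, title, ts, tr in rows]


def typed_urls(conn):
    """Only the visits where the URL was typed into the address bar, newest first."""
    return [(url, when) for url, _, when, kind in visit_history(conn) if kind == "TYPED"]


def most_recent_typed(conn):
    typed = typed_urls(conn)
    return typed[0] if typed else None


if __name__ == "__main__":
    db = build_sample_history()
    for url, title, when, kind in visit_history(db):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:<10}  {url}  ({title})")
    print("most recent typed URL:", most_recent_typed(db))
```

The Google search shows up with transition GENERATED rather than TYPED, which is why a search typed into the omnibox does not appear in a typed-URL listing even though the user did type it; answering question 4 well means noticing that distinction.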
PART 3: RECYCLED FILES
RECYCLE BIN
• When files are sent to the $Recycle.Bin
  o Note that you can delete a file by holding down the shift key while deleting to avoid sending it to the Recycle Bin.
  o $Recycle.Bin
    $I08C8KJ.jpg
    • Administrative file. Despite the extension this is not an image but a small binary record: a version number, the original file size, the date and time of deletion (a 64-bit FILETIME), and the original full path stored as UTF-16 text, which is why the path is readable in a hex viewer.
    $R08C8KJ.jpg
    • Actual file contents, renamed. The random ID after $I and $R is what ties the pair together.
• Read the information here:
  o https://leahycenterblog.champlain.edu/2015/03/28/windows-10-recycle-bin-activityintroduction/
VIEW THE RECYCLER
• Note: C:\$Recycle.Bin\%SID%, where %SID% is the SID of the user who deleted the files (one subfolder per user). You can map a SID back to a user name in the Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>, value ProfileImagePath.
• Because you emptied the Recycle Bin after deleting exigent.txt, only scienter.txt should still have a $I/$R pair in this folder; the emptied file's entries are gone and would have to be recovered from unallocated space.
• Launch AccessData Imager
  o Add Evidence Item -> Contents of a Folder -> Next -> Browse to C:\$Recycle.Bin\%SID%, where %SID% is the SID
  o Open and export the folders/files you see.
• Now launch AccessData FTK or Autopsy
  o Start a new case and enter dummy data
  o Accept the defaults
  o Choose Add Evidence -> Individual file -> Continue and browse to open the file(s) you exported -> OK -> Next -> Finish
  o The $I files should be the information about the original file
  o $R files are the original file
ANSWER QUESTIONS 6 & 7
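To make the $I/$R description concrete, here is an added example (not part of the lab, FTK or Autopsy) that parses a $I record the way those tools do when they show you the original path and deletion time. The layout is little-endian: an 8-byte version, the 8-byte original size, the 8-byte FILETIME of deletion, then the original path; version 1 (Vista/7) stores the path as a fixed 520-byte null-padded UTF-16 field, version 2 (Windows 10/11) stores a 4-byte character count followed by the UTF-16LE path. The record is constructed in memory by `build_i_file()` so the script runs without a real Recycle Bin; `parse_i_file()` works unchanged on the bytes of an exported $I file.

```python
# Added example (not part of the lab).
import struct
from pathlib import PureWindowsPath
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def build_i_file(original_path, size, deleted_at, version=2):
    """Constructed sample $I record in the Windows layout (not read from a real system)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 2:
        nchars = len(original_path) + 1   # character count includes the terminating null
        return head + struct.pack("<I", nchars) + (original_path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + original_path.encode("utf-16-le").ljust(520, b"\x00")
    raise ValueError(f"unsupported $I version {version}")


def parse_i_file(data):
    """Return the forensic fields of a $I record: original path, original size, deletion time."""
    if len(data) < 24:
        raise ValueError("too short for a $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    elif version == 1:
        raw = data[24:24 + 520]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def r_file_name(i_file_name):
    """$I<id>.<ext> is paired with $R<id>.<ext>, which holds the actual file content."""
    name = PureWindowsPath(i_file_name).name
    if not name.startswith("$I"):
        raise ValueError(f"not a $I file name: {name}")
    return "$R" + name[2:]


if __name__ == "__main__":
    rec = build_i_file(r"C:\Users\student\Desktop\exigent.txt", 42,
                       datetime(2024, 3, 1, 15, 30, tzinfo=timezone.utc))
    print(parse_i_file(rec))
    print(r_file_name(r"C:\$Recycle.Bin\S-1-5-21-1-2-3-1001\$I08C8KJ.jpg"))
```

The version check matters in practice: a $I file exported from a Windows 7 image and one from Windows 10 put the path at different offsets, and reading a version 2 record with the version 1 layout silently yields a path with four garbage characters in front.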
PART 4: LOG FILES
WINDOWS EVENT LOGS
• The MMC, Microsoft Management Console, contains a number of tools for monitoring and managing systems.
• One of these is the Windows Event Viewer.
• Under "Windows Logs" the Event Viewer shows the three classic logs, Application, Security, and System, plus Setup and Forwarded Events on current versions.
• All users can view the Application and System logs, but only administrators can view the Security log. What goes into the Security log is controlled by the audit policy; on current Windows versions logon successes and failures are audited by default, so a failed sign-in is recorded without any extra configuration.
  o Application log: This log contains events generated by applications. For example, a spreadsheet program might save a file-missing or corrupted-file error in this log.
  o Security log: The system administrator specifies, through the audit policy, which events to log. Logon attempts are commonly logged here. File and object access may also be logged if object-access auditing is enabled.
  o System log: This log stores events relating to system components, such as errors produced by drivers.
• 5 types of events are logged:
  • Error – a serious problem, such as a service that fails to start or data that has been lost.
  • Warning – a possible problem, such as low disk space.
  • Information – an event that is new or successful, such as loading a new driver.
  • Success Audit – a security event, such as a logon attempt, that succeeds (shown in the Security log with the keyword "Audit Success").
  • Failure Audit – a security event, such as a logon attempt, that fails (keyword "Audit Failure").
• Read the information here:
  • https://techgenix.com/monitoring-troubleshooting-event-logs/
  • https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
  • https://support.microsoft.com/en-us/kb/824209
EVENT VIEWER
• Go to your search and type Event Viewer
• Click on "Windows Logs"
• ANSWER QUESTION 8
• Log out of your Windows account
• Try to log back in with the wrong password
• Log back in properly
• Click on the Application, Security, and Setup logs. In the Security log, the failed attempt appears as Event ID 4625 (An account failed to log on) with the keyword Audit Failure, and the successful sign-in as Event ID 4624 (Audit Success); both record the account name and the logon type (2 = interactive, at the console).
• ANSWER QUESTION 9
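As an added example for the Success Audit/Failure Audit distinction above and for the failed-login step you just performed (not part of the lab), the script below classifies Security-log records exported from Event Viewer (right-click the log -> Save All Events As... -> XML). It reads the System section (EventID, Keywords, TimeCreated) and the EventData fields of logon events; 4624 is a successful logon and 4625 a failed one. Keywords is a bitmask in which bit 53 (0x0020000000000000) means Audit Success and bit 52 (0x0010000000000000) means Audit Failure, which is what the Keywords column shows. The two records are constructed samples in the real Event XML schema, wrapped in a single `<Events>` root so the text is one well-formed document (Event Viewer's export writes the `<Event>` elements back to back without a root, so wrap a real export the same way before parsing it).

```python
# Added example (not part of the lab).
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE_BIT = 1 << 52   # 0x0010000000000000
AUDIT_SUCCESS_BIT = 1 << 53   # 0x0020000000000000
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
# NTSTATUS SubStatus values a 4625 uses to say why the logon failed
FAILURE_REASONS = {0xC0000064: "unknown user name", 0xC000006A: "bad password",
                   0xC0000072: "account disabled", 0xC0000234: "account locked out",
                   0xC000006F: "logon outside permitted hours"}

# Constructed sample export: one failed interactive logon (4625) followed by the successful one (4624).
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
    <Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="2024-03-01T16:02:10.123Z"/>
    <Channel>Security</Channel><Computer>LAB3-VM</Computer></System>
  <EventData><Data Name="TargetUserName">student</Data><Data Name="TargetDomainName">LAB3-VM</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">2</Data><Data Name="WorkstationName">LAB3-VM</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2024-03-01T16:02:25.456Z"/>
    <Channel>Security</Channel><Computer>LAB3-VM</Computer></System>
  <EventData><Data Name="TargetUserName">student</Data><Data Name="TargetDomainName">LAB3-VM</Data>
    <Data Name="LogonType">2</Data><Data Name="WorkstationName">LAB3-VM</Data></EventData>
</Event>
</Events>"""


def audit_keyword(keywords):
    """Translate the Keywords bitmask into what Event Viewer shows in its Keywords column."""
    if keywords & AUDIT_FAILURE_BIT:
        return "Audit Failure"
    if keywords & AUDIT_SUCCESS_BIT:
        return "Audit Success"
    return "Classic"


def parse_events(xml_text):
    """Flatten every <Event> into a dict with the System fields and an EventData name->value map."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysm = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": int(sysm.find("e:EventID", NS).text),
            "time": sysm.find("e:TimeCreated", NS).get("SystemTime"),
            "audit": audit_keyword(int(sysm.find("e:Keywords", NS).text, 16)),
            "computer": sysm.find("e:Computer", NS).text,
            "data": data,
        })
    return events


def logon_summary(event):
    """Human-readable view of a 4624/4625 record; None for other event IDs."""
    if event["event_id"] not in (4624, 4625):
        return None
    d = event["data"]
    out = {"event_id": event["event_id"], "audit": event["audit"], "time": event["time"],
           "user": f'{d.get("TargetDomainName", "")}\\{d.get("TargetUserName", "")}',
           "logon_type": LOGON_TYPES.get(int(d.get("LogonType", "0")), "unknown")}
    if event["event_id"] == 4625:
        out["reason"] = FAILURE_REASONS.get(int(d.get("SubStatus", "0"), 16), d.get("SubStatus"))
    return out


def failed_logons(events):
    return [logon_summary(e) for e in events if e["event_id"] == 4625]


def count_by_audit(events):
    counts = {}
    for e in events:
        counts[e["audit"]] = counts.get(e["audit"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print(count_by_audit(evs))
    for f in failed_logons(evs):
        print(f)
```

When you look at your own 4625 in Event Viewer, the Status/SubStatus pair is what tells you the wrong password was the cause (0xC000006D/0xC000006A) rather than, say, a locked or disabled account.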
PART 5: GRAPHIC FILE METADATA
EXIF DATA:
• Exchangeable Image File Format (Exif) is a standard for storing metadata inside digital image files (JPEG and TIFF). Many applications can read this data.
• It includes information about the camera or application used to create the image, when the picture was taken, and the camera settings.
• Make a folder on the desktop and name it Images
• Then launch a browser, log in to Blackboard, and download the data files for lab 3 to this folder
• Use Exif Viewer to examine the Exif data
  o Open the files in the lab 3 folder
  o Click the Info button or View -> Info Pane for detailed information
  o Spend a few minutes experimenting with this application
• You can get some of this same information by checking the file properties (right-click the file -> Properties -> Details; the tab was called Summary on older Windows versions).
• Note that many newer cameras, and nearly all smartphones, can record the GPS position in the Exif data. It is stored in the Exif GPS IFD as GPSLatitude/GPSLongitude (degrees, minutes, seconds) with N/S and E/W reference tags; this is not GPX (GPS eXchange Format), which is a separate XML format for GPS track logs.
ANSWER QUESTIONS 10-12
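The following is an added example written for this page, not part of the lab or of any Exif viewer: a small Exif reader for JPEG files that pulls out the camera make and model, DateTimeOriginal and the GPS position in decimal degrees, which are the fields questions 10 to 12 turn on. Exif lives in the JPEG APP1 segment as a TIFF structure: a byte-order mark, IFD0 with the camera tags, a pointer (tag 0x8769) to the Exif sub-IFD holding DateTimeOriginal, and a pointer (tag 0x8825) to the GPS IFD where latitude and longitude are three RATIONALs each plus an N/S or E/W reference. Because no image from the lab datafiles is included, `build_sample_jpeg()` constructs a JPEG skeleton (SOI + APP1 + EOI, no picture data) carrying those tags; `read_exif()` works on real JPEGs as well and handles both byte orders.

```python
# Added example (not part of the lab or of any Exif viewer).
import struct

ASCII, SHORT, LONG, RATIONAL = 2, 3, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
TAG_MAKE, TAG_MODEL, TAG_EXIF_IFD, TAG_GPS_IFD = 0x010F, 0x0110, 0x8769, 0x8825
TAG_DATETIME_ORIGINAL = 0x9003                               # lives in the Exif sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4      # GPS IFD tags


def ascii_tag(tag, s):
    v = s.encode("ascii") + b"\x00"
    return (tag, ASCII, len(v), v)


def rational_tag(tag, pairs):
    return (tag, RATIONAL, len(pairs), b"".join(struct.pack("<II", n, d) for n, d in pairs))


def long_tag(tag, v):
    return (tag, LONG, 1, struct.pack("<I", v))


def ifd_size(entries):
    return 2 + 12 * len(entries) + 4 + sum(len(v) for *_, v in entries if len(v) > 4)


def ifd_bytes(entries, offset):
    """Serialize one little-endian IFD placed at `offset`; values over 4 bytes go after the entry table."""
    head, tail = struct.pack("<H", len(entries)), b""
    data_off = offset + 2 + 12 * len(entries) + 4
    for tag, typ, count, val in sorted(entries):
        if len(val) <= 4:
            head += struct.pack("<HHI", tag, typ, count) + val.ljust(4, b"\x00")
        else:
            head += struct.pack("<HHII", tag, typ, count, data_off + len(tail))
            tail += val
    return head + b"\x00\x00\x00\x00" + tail   # next-IFD pointer: none


def build_sample_jpeg(make, model, taken, lat, lon):
    """Constructed JPEG skeleton (SOI + APP1 Exif + EOI, no image data) carrying the given tags."""
    def dms(deg):
        d = abs(deg); m = (d - int(d)) * 60; s = (m - int(m)) * 60
        return [(int(d), 1), (int(m), 1), (int(round(s * 100)), 100)]
    ifd0 = [ascii_tag(TAG_MAKE, make), ascii_tag(TAG_MODEL, model)]
    exif = [ascii_tag(TAG_DATETIME_ORIGINAL, taken)]
    gps = [ascii_tag(GPS_LAT_REF, "N" if lat >= 0 else "S"), rational_tag(GPS_LAT, dms(lat)),
           ascii_tag(GPS_LON_REF, "E" if lon >= 0 else "W"), rational_tag(GPS_LON, dms(lon))]
    exif_off = 8 + ifd_size(ifd0) + 2 * 12      # IFD0 sits at 8; add the two pointer entries appended below
    gps_off = exif_off + ifd_size(exif)
    ifd0 += [long_tag(TAG_EXIF_IFD, exif_off), long_tag(TAG_GPS_IFD, gps_off)]
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd_bytes(ifd0, 8) + ifd_bytes(exif, exif_off) + ifd_bytes(gps, gps_off)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def jpeg_exif_segment(data):
    """Walk the JPEG marker segments and return the TIFF payload of the APP1 Exif segment, or None."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA) or pos + 4 > len(data):   # EOI / start of scan: no Exif beyond here
            break
        length = struct.unpack_from(">H", data, pos + 2)[0]
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return data[pos + 10:pos + 2 + length]
        pos += 2 + length
    return None


def parse_ifd(tiff, offset, order):
    """Decode one IFD into {tag: value}; sub-IFD pointers come back as plain integers."""
    out = {}
    for i in range(struct.unpack_from(order + "H", tiff, offset)[0]):
        entry = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(order + "HHI", tiff, entry)
        size = TYPE_SIZE.get(typ, 1) * count
        vpos = entry + 8 if size <= 4 else struct.unpack_from(order + "I", tiff, entry + 8)[0]
        raw = tiff[vpos:vpos + size]
        if typ == ASCII:
            out[tag] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif typ in (SHORT, LONG):
            vals = struct.unpack(order + f"{count}{'H' if typ == SHORT else 'I'}", raw)
            out[tag] = vals[0] if count == 1 else vals
        elif typ == RATIONAL:
            v = struct.unpack(order + f"{2 * count}I", raw)
            out[tag] = [(v[j], v[j + 1]) for j in range(0, len(v), 2)]
        else:
            out[tag] = raw
    return out


def to_degrees(dms, ref):
    deg = sum((n / d) / k for (n, d), k in zip(dms, (1, 60, 3600)))
    return -deg if ref in ("S", "W") else deg


def read_exif(j):
    """Camera make/model, original timestamp and decimal GPS position from a JPEG's Exif block."""
    tiff = jpeg_exif_segment(j)
    if tiff is None:
        return {}
    order = "<" if tiff[:2] == b"II" else ">"
    if struct.unpack_from(order + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header inside Exif")
    ifd0 = parse_ifd(tiff, struct.unpack_from(order + "I", tiff, 4)[0], order)
    info = {"Make": ifd0.get(TAG_MAKE), "Model": ifd0.get(TAG_MODEL)}
    if TAG_EXIF_IFD in ifd0:
        info["DateTimeOriginal"] = parse_ifd(tiff, ifd0[TAG_EXIF_IFD], order).get(TAG_DATETIME_ORIGINAL)
    if TAG_GPS_IFD in ifd0:
        gps = parse_ifd(tiff, ifd0[TAG_GPS_IFD], order)
        if GPS_LAT in gps and GPS_LON in gps:
            info["Latitude"] = to_degrees(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N"))
            info["Longitude"] = to_degrees(gps[GPS_LON], gps.get(GPS_LON_REF, "E"))
    return info
```

Two things to keep in mind when you do this on real evidence: DateTimeOriginal is whatever the camera clock said, so a wrong or never-set clock (the "something unusual" question 11 hints at) shows up as an implausible date rather than an error, and the reference tags decide the sign of the coordinates, so a missing GPSLongitudeRef silently puts a western-hemisphere photo in the east.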
GEOTAGGING:
• Read the following articles:
  o http://www.forensichandbook.com/tag/geotagging/
  o http://articles.forensicfocus.com/2013/04/10/mobile-device-geotags-armed-forces/
THUMBS.DB/THUMBCACHE.DB:
Thumbs.db/thumbcache.db are files created by the operating system that are used to show thumbnails of files or movies. A thumbs.db/thumbcache.db file may be present even if the original image has been moved or deleted. Thumbs.db (Windows XP) sits in the folder it describes; since Vista the thumbnails are kept per user in C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer as thumbcache_<size>.db files.
• Open the Pictures folder with My Computer.
• Under View, choose Large Icons.
• This will generate the thumbnail images that are stored in the thumbcache.db.
METADATA:
Metadata is information about a file that is stored with the file. You can use your hex editor or FTK Imager to view file metadata. Each file type has a consistent file header (its signature, or "magic number"), so the first bytes identify the real type regardless of the extension.
• See this document for a list of the common hex signatures: https://sceweb.sce.uhcl.edu/abeysekera/itec3831/labs/FILE%20SIGNATURES%20TABLE.pdf
• Create a folder on the desktop called Office Documents
• Create two files, a Word file and an Excel file, in Office (save them as 97-2003 file versions) and save them in this folder (Note: if you don't have Office installed on your VMware, create the documents and email them to yourself to open in VMware). The 97-2003 formats are OLE2 compound files (signature D0 CF 11 E0 A1 B1 1A E1) whose SummaryInformation stream holds the author and application name as readable text; the newer .docx/.xlsx formats are ZIP archives (signature 50 4B 03 04) and keep the same fields in docProps/core.xml and docProps/app.xml.
• Open FTK Imager
  o Add Evidence Item -> Contents of a Folder and browse to add the Office Documents folder
  o Open the files and then click the Text icon on the toolbar
  o You should be able to find the author and application associated with the file
  o By clicking on the explorer tool (eyeglasses) you can see the metadata.
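To show the file-header check from the METADATA section as code, here is an added example (not part of the lab or of FTK Imager) that identifies a file's real type from its leading bytes and flags files whose extension claims something else, which is how a renamed image or document is caught. The signature list is a small subset of the common ones (the table linked above has the full list); Office 2007+ files all start with the ZIP signature, so the example opens the archive and uses the top-level folder name (word/, xl/, ppt/) to tell the application apart. The sample files are constructed in memory: real header bytes followed by filler, plus a minimal ZIP built with `zipfile`, so nothing is read from disk.

```python
# Added example (not part of the lab).
import io
import zipfile
from pathlib import PureWindowsPath

# (signature bytes, offset in file, description, extensions that normally carry it)
SIGNATURES = [
    (b"\xff\xd8\xff", 0, "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, "PNG image", {".png"}),
    (b"GIF87a", 0, "GIF image", {".gif"}),
    (b"GIF89a", 0, "GIF image", {".gif"}),
    (b"%PDF-", 0, "PDF document", {".pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "OLE2 compound file (Office 97-2003 .doc/.xls/.ppt)",
     {".doc", ".xls", ".ppt", ".msg"}),
    (b"PK\x03\x04", 0, "ZIP archive", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"MZ", 0, "Windows executable (MZ/PE)", {".exe", ".dll", ".sys", ".scr"}),
    (b"L\x00\x00\x00\x01\x14\x02\x00", 0, "Windows shortcut (.lnk)", {".lnk"}),
    (b"ftyp", 4, "MP4/MOV video (ISO base media)", {".mp4", ".mov", ".m4a", ".3gp"}),
]
OFFICE_ZIP_PARTS = (("word/", "Word 2007+ document"), ("xl/", "Excel 2007+ workbook"),
                    ("ppt/", "PowerPoint 2007+ presentation"))


def identify(data):
    """Match the file's header against the table; returns (description, extensions) or None."""
    for sig, off, desc, exts in SIGNATURES:
        if data[off:off + len(sig)] == sig:
            return desc, exts
    return None


def refine_zip(data):
    """Office 2007+ files are ZIPs; the top-level folder names tell the applications apart."""
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return "ZIP archive (truncated or damaged)"
    for prefix, desc in OFFICE_ZIP_PARTS:
        if any(n.startswith(prefix) for n in names):
            return desc
    return "ZIP archive"


def check_file(name, data):
    """Type the content by signature and flag it when the extension claims something else."""
    ext = PureWindowsPath(name).suffix.lower()
    match = identify(data)
    if match is None:
        return {"name": name, "type": "no known signature (text or raw data)", "mismatch": False}
    desc, exts = match
    if desc == "ZIP archive":
        desc = refine_zip(data)
    return {"name": name, "type": desc, "mismatch": ext not in exts}


def sample_xlsx():
    """Constructed minimal Office Open XML package: just enough structure to be recognised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("docProps/core.xml", "<cp:coreProperties><dc:creator>student</dc:creator></cp:coreProperties>")
    return buf.getvalue()


# Constructed sample contents: real header bytes followed by filler, no actual documents.
SAMPLE_FILES = {
    r"C:\Users\student\Desktop\Images\IMG_0001.jpg": b"\xff\xd8\xff\xe1\x00\x10" + b"\x00" * 16,
    r"C:\Users\student\Desktop\Office Documents\report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    r"C:\Users\student\Desktop\Office Documents\budget.xlsx": sample_xlsx(),
    r"C:\Users\student\Desktop\notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # a JPEG renamed to hide it
    r"C:\Users\student\Desktop\exigent.txt": b"I've done it before and I'll do it again.",
}


def scan(files):
    return [check_file(name, data) for name, data in files.items()]


def mismatches(files):
    return [r["name"] for r in scan(files) if r["mismatch"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_FILES):
        print(("MISMATCH " if r["mismatch"] else "ok       ") + f'{r["type"]:<45} {r["name"]}')
```

Plain text files have no signature, so the absence of a match is not a mismatch; the check only fires when the header positively identifies a type that the extension does not belong to.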
LINK FILES/ RECENT
• Files with a .lnk extension (shortcuts) are created in the user's Recent folder, C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent, when files are opened through File Explorer or a standard Open dialog in Windows.
• Link files store the path to the target file, the target's size and the target's own creation/access/modification timestamps, plus the volume (serial number, drive type) and sometimes the host name where it lived. Link files may also be created by software at install time.
• The creation date of the .lnk file is when the original file was first opened.
• If a file was opened after a .LNK file already exists, then the Creation Date of the .LNK file and the Last Modified Date of the .LNK file can be considered the first and last time the file was opened.
• Open your Documents folder, and the Recent folder above, in Imager.
  o Can you see any .lnk files?
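As an added example for the link-file section (not part of the lab), the script below parses the fixed 76-byte ShellLinkHeader at the start of every .lnk file, which carries the target's creation, access and write times (FILETIME, UTC), its size, its file attributes, and the link flags saying which optional structures (target ID list, link info with volume and path, arguments, working directory) follow the header. The header is constructed with `build_lnk_header()` so the script runs offline; `parse_lnk_header()` takes the first 76 bytes of a real .lnk. Keep the distinction the text draws: these timestamps belong to the target file, while the first and last time the file was opened are the creation and modification times of the .lnk file itself, which come from the file system, not from this header.

```python
# Added example (not part of the lab).
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HEADER = "<I16sIIQQQIIIHHII"                                      # ShellLinkHeader, 76 bytes, little-endian
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_datetime(ft):
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def bit_names(table, value):
    return [name for bit, name in table.items() if value & bit]


def build_lnk_header(created, accessed, written, size, flags=0x8B, attrs=0x20):
    """Constructed sample header; default flags = IDList | LinkInfo | RelativePath | Unicode, attrs = ARCHIVE."""
    return struct.pack(HEADER, 0x4C, LINK_CLSID, flags, attrs,
                       datetime_to_filetime(created), datetime_to_filetime(accessed), datetime_to_filetime(written),
                       size, 0, 1, 0, 0, 0, 0)   # icon index, SW_SHOWNORMAL, hotkey, reserved x3


def parse_lnk_header(data):
    """Decode the fixed header; the target's own timestamps and size are the forensically useful fields."""
    if len(data) < struct.calcsize(HEADER):
        raise ValueError("shorter than a ShellLinkHeader")
    hsize, clsid, flags, attrs, ctime, atime, wtime, fsize, _icon, show, *_ = struct.unpack_from(HEADER, data)
    if hsize != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    return {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": fsize,
        "flags": bit_names(LINK_FLAGS, flags),
        "attributes": bit_names(FILE_ATTRIBUTES, attrs),
        "show_command": show,
    }


if __name__ == "__main__":
    t_created = datetime(2024, 3, 1, 14, 30, tzinfo=timezone.utc)
    t_written = datetime(2024, 3, 1, 15, 30, tzinfo=timezone.utc)
    print(parse_lnk_header(build_lnk_header(t_created, t_written, t_written, 42)))
```

A .lnk whose target timestamps are all zero, or whose target size is zero for a document that plainly had content, is worth a second look: the shortcut was written when the target was already gone or inaccessible, which itself says something about the order of events.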
Name:
G#:
Lab Questions: ANSWERS MUST BE IN COMPLETE SENTENCES FOR FULL CREDIT. USE YOUR OWN
WORDS. YOU WILL NOT RECEIVE CREDIT FOR QUESTIONS THAT ASK FOR DEFINITIONS OR EXAMPLES IF
YOU USE THE ONES GIVEN IN THE DIRECTIONS.
PART 1:
1. How do you find a "hidden file" using the Search tool?
PART 2:
2. What types of information did you find using BrowsingHistoryView?
3. What type of information was displayed when you opened WebBrowserPassView?
4. Why is it important to look at the TypedURLs?
5. Record the most recent Typed URL.
PART 3:
6. What is the name of the recycle bin folder in Windows?
7. What are the two files associated with each deleted file and what do they contain?
PART 4:
8. When you click on "Windows Logs", how many application, system, and security events are listed? Include a screenshot.
9. What type of audit is listed for your failed login attempt? Include a screenshot of your security log.
PART 5:
10. What kinds of cameras were used to take the two images you examined with your Exif viewer? (List the file names and the cameras associated with each one.)
11. When was each picture taken? (If there is something unusual here, explain.)
12. Imagine that you are a forensic examiner and have found a jpeg created in 2011 that contains what appears to be child pornography. What fields in the exif data might be important to the investigation?
Part II
13. A file system is the structure an operating system uses to store, organize and keep track of files on a disk.
Directions:
Research the file system NTFS
Come up with a CREATIVE way to present and explain your file system to the class.
• At the least, you need to cover:
  o What uses your file system?
  o Components of your file system
  o Anything that is unique about your file system