The deliverables for this project are as follows:
- Digital Forensics Research Paper: This should be a five-page double-spaced Word document with citations in APA format. The page count does not include diagrams or tables.
- I will provide the Lab document, I will attach it here and a word document outlining the assignment.
Project 5 Resources
The deliverables for this project are as follows:
1. Digital Forensics Research Paper: This should be a five-page double-spaced Word document with citations in APA format. The page count does not include diagrams or tables.
This project will provide an introduction to digital forensic analysis.
Digital forensic analysis is used to review and investigate data collected through digital communications and computer networks. The National Institute for Standards and Technology (NIST) has defined four fundamental phases for forensic analysis: collection, examination, analysis, and reporting. You will learn more about these concepts as you navigate throughout the steps of this project and read the literature and links found in each step.
There are four steps that will lead you through this project. Begin with Step 1: "Methodology." The deliverables for this project are as follows:
1. Digital Forensic Research Paper: This should be a five-page double-spaced Word document with citations in APA format. The page count does not include diagrams or tables.
Step 1: Methodology
The methodology for digital forensics follows a systems process. Identify the requirements, purpose, and objectives of the investigation. Click the links below to review information that will aid in conducting and documenting an investigation:
Secure Programming Fundamentals
It is important that programmers follow secure coding methods and adopt safe practices in the development stage, rather than trying to implement them at a later stage.
One of the fundamental secure programming practices is input validation, which is performed to prevent attacks from external sources. The National Institute of Standards and Technology (NIST) also emphasizes its importance for safe programming in its "Guide to Secure Web Services":
Write all web service code in languages that automatically perform input validation, such as Java and C#, or if writing in C or C++, ensure that all expected input lengths and formats are explicitly specified, and that all inputs received are validated to ensure that they do not exceed those lengths or violate those formats. Error and exception handling should be expressly programmed to reject or truncate any inputs that violate the allowable input lengths/formats (Singhal et al., 2007).
Another fundamental practice to ensure security is access control, which is implemented to prevent unauthorized access, resulting in intentional or unintentional changes to the code. In addition it is important to include security tools and architectures that can detect code errors and prevent attacks. Finally, it is useful to develop mitigation strategies by modeling possible threats and testing the code.
References
Singhal, A., Winograd, T., & Scarfone, K. (2007). Computer security: Guide to secure web services: Recommendations of the National Institute of Standards and Technology (Special Publication 800-95). http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf
Forensics Fundamentals
Digital forensic analysis is performed to review and investigate data collected through digital communications and computer networks. In Guide to Integrating Forensic Techniques into Incident Response, the National Institute of Standards and Technology (NIST) has defined four fundamental phases for forensic analysis: collection, examination, analysis, and reporting.
During collection, data related to a specific event is identified, labeled, recorded, and collected, and its integrity is preserved. In the second phase, examination, forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity.
Examination may use a combination of automated tools and manual processes.
The next phase, analysis, involves analyzing the results of the examination to derive useful information that addresses the questions that were the impetus for performing the collection and examination.
The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process. (Kent et al., 2006).
Forensic analysis is used by organizations and businesses for several purposes, such as applying internal actions, managing legal matters, maintaining network security, and detecting and preventing cyberthreats.
References
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Computer security: Guide to integrating forensic techniques into incident response: Recommendations of the National Institute of Standards and Technology: Special Publication 800-86. http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
Learn about the investigation methodology. Consider secure programming fundamentals. Define the digital forensics analysis methodology and the phases of the digital forensics fundamentals and methodology, including the following:
1. preparation
2. extraction
3. identification
4. analysis
This information will help you understand the process you will use during an investigation.
Step 2: Tools and Techniques
Forensics Analysis Tools
Forensic analysis is performed with tool kits designed for various platforms, including Windows, Linux, and Mac. The tool kits have several functions created to perform specific tasks, such as disk imaging, file recovery, e-mail parsing, hash and image analysis, memory capture, password recovery, P2P analysis, string search, etc., with technical parameters.
An extensive catalog of forensic tools, compiled by the National Institute of Standards and Technology (NIST), is being updated by "adding new functions based on the work of the Computer Forensics Tool Testing (CFTT) project" (NIST, 2014).
References
National Institute of Standards and Technology. (2014). Computer forensics tool catalog. http://toolcatalog.nist.gov/index.php
Web Log and Session Analysis
Log and session analysis is used to collect information about accessibility of web servers and use of websites. According to Quirk (2010):
Log-file analysis software reads the records, called log files, on the webserver, which record all clicks that take place on the server. Web servers have always stored all the clicks that take place in a log file, so the software interprets data that have always been available. A new line is written in a log file with each new request. For example, clicking on a link, making an Ajax call, or submitting a form will each result in a new line being written.
While logs record clicks on the server, sessions emphasize user time spent on the websites. Quirk (2010) defines session as "interaction by an individual with a website consisting of one or more page views within a specified period of time." Both logs and sessions are useful for deriving analytics about user behaviors and patterns.
References
Quirk eMarketing. (2010). Online marketing essentials. http://2012books.lardbucket.org/books/online-marketing-essentials/s18-web-analytics-and-conversion-o.html
Hash Analysis
Hashing is a method used to change data characters into keys so that they are indexed and can be accessed quickly. The method is also used for data encryption and decryption by authenticating digital signatures.
The Forensic Tool Taxonomy from the National Institute of Standards and Technology (NIST) provides details of hash analysis and algorithms for different systems including Windows, Mac, and Linux (NIST, 2014). The algorithms are used for several applications, including computing, creating and managing hash sets, searching and filtering files, and eliminating duplicate files.
References
National Institute of Standards and Technology. (2014). Forensic tool taxonomy. In Computer forensics tool catalog. http://toolcatalog.nist.gov/taxonomy/index.php?ff_id=16
Step 3: Explore Forensic Tools
I will provide the lab document.
This hands-on lab will introduce you to FTK Imager, a forensics tool. You will use your lab findings in the last step when you compile your research paper.
Step 4: Digital Forensics Research Paper
Now that you have learned the basics of digital forensics analysis and methodology, and have experienced one of the common forensic tools, use the material presented in this project as well as research you have conducted outside of the course materials to write a research paper that addresses the following:
1. digital forensics methodology
2. the importance of using forensic tools to collect and analyze evidence (e.g., FTK Imager and EnCase)
3. hashing in the context of digital forensics
4. How do you ensure that the evidence collected has not been tampered with (i.e., after collection)? Why and how is this important to prove in court?
The deliverables for this project are as follows:
2. Digital Forensics Research Paper: This should be a five-page double-spaced Word document with citations in APA format. The page count does not include diagrams or tables.
,
THE REQUIRED LAB QUESTIONS
|
Act as a forensic analyst charged to assist lead forensic investigators of XPD, you have been able to assist the lead investigators to examine and analyze computer and digital evidence for the purpose of identification, collection, preservation of evidence, and possibly prosecution of crime suspects. Based on the knowledge and experience gained from the lab about the use of BitLocker encryption, answer the following questions. |
|
|
PART 2—TASK 2, TASK 3: Creating a Physical Disk Image, Image Loading, Verification, and Forensic Analysis |
|
|
1. What forensic and disk information can you determine from the summary or the content of the text file? In the summary section of the disc content, valid information such as the case number, evidence number, and the investigator among other drive information are found. These are important because they show where the information was obtained, and other information is required to validate the evidence without having to read through the entire report. See the figure below for this case: 2. How does this forensic information tell you about the case information you provided in the Evidence Item Information earlier? The summarized information shows that this case was being investigated by the XYZ police department and the examiner is XY. The information can also help me keep track of the chain of custody. I am also able to verify that the information was collected over a physical drive as instructed for this case. 3. Acting as a forensic analyst to assist lead forensic investigators at XPD (i.e. XYZ police department), how will the knowledge gained hep you examine digital evidence for the purpose of identification, collection, preservation of evidence, and possibly prosecution of crime suspects? Be reminded that it is the policy of XPD to use all proven legal means and methodologies to minimize incidence of computer crimes. During this exercise, I conducted a series of activities which are shown in annex section at the end of this document. One of the valid information acquired involves procedures of imaging which begins from firing up the tool, creating partitions, and mining data. The information is equipped with the desired knowledge of how to carry out complete data and evidence acquisition while ensuring that data integrity is always maintained. I will be able to assist the XYZPD with all the forensic analysis processes. 4. What happens to a fragment of an image file larger than the fragment size of 1500 MB (e.g. 1 TB)? Also, in our case, how many chunks of image files can you get should the fragment size be changed to 200 MB during the imaging process? A fragment size larger than 1500MB, which is the standard unit for most fragments, must be further defragmented into bits smaller than 1500 until the last partition is realized. In this case, the disk image was smaller than 1500MB. See figure below: 5. Review the unpartitioned space and comment on what you find. Did you find anything suspicious yet? I reviewed the un-partitioned space during this lab and recovered information that may have been deleted. In this case, I recovered an image file show in the figure below, however, the image did not appear to have embedded messages or information: 6. As you can see from above, there is only one partition and one unpartitioned space. In your opinion, what implication(s) can this have on the forensic investigation processes? Having only one partition means that the file paths are not affected as it would be with multiple partitions. This means that forensic analysis is not made more complex and the analysts can easily recover deleted information from unallocated or hidden disc space. 7. Does the unpartitioned space have any practical forensic significance? Why or why not? Yes, they do. In most forensic investigations, unpartitioned space often has data or files that may have been hidden by the user. PART 3—TASK 1: Loading the Given PCAP file into Wireshark for Analysis From the packet detail pane, examine the packet capture between the source IP address (192.168.15.4) and the destination IP address (140.247.62.34). What do you see about the hardware/MAC address of the two endpoints and what does it tell you about the two vendors of the devices involved? In this section, after loading the PCAP file, I looked through the packet information in the middle row of the window. I noticed that the hardware or MAC address of the source was 00:17:f2:e2:c0:ce and it is popularly associated with Apple company. The destination IP had a hardware or MAC address of 00:1d:d9:2e:4f:60 which belongs to a vendor known by the abbreviation HonAir . See the figure below: 1. Why do you think the host points to http://www.sendanonymousemail.net website? Access the site and determine if this represents a harassing message. In my opinion, the host is pointing to this website because it resides on a server that is not secure. For instance, while on the website, there is a warning at the top left corner that notifies the users that the site is not secure: 2. Considering the source IP of 192.168.15.4, and the destination IP of 69.80.225.91 in IPv4 packet, what is the MAC address and hardware vendor? Determine if this information can help you identify the attacker and how? In the packet analysis, I discovered a MAC address of 00:04:5A:4F:5B:59 while the information revealed that the vendor is 3Com. The information is relevant because it reveals the vendor and MAC of the switch that the attacker is using. 3. From your search with mailchat apply filter string in the search box of the Follow HTTP Stream window, how many email addresses did you find? Filtering with the mail chat only revealed two email addresses which are [email protected] and [email protected]. 4. Is there any indication of a harassing message? Determine if this information can help you identify the attacker and how? From the email messages, there was no evidence of harassing messages. Although helpful, this information could not help me identify an attacker. 5. In your opinion, what information of the HTTP/TCP stream can tie to a particular web browser or email address? The identification of the HTTP/TCP streams help shed light on which browser, email address or IP address was used. For instance, in the image bellow, the IP address 145.254.160.237 is tied to Mozilla. 6. Identify the other HTTP traffic or TCP connections that can possibly ID the attacker. To further understand how to run an analysis, I investigated how to filter for flag as these are some of the ways to identify attackers or threats. See the figure below: |
|
|
NOTE : Proceed to the next page and use the space provided to compile a summary of your lab experience report. Use additional space as necessary to complete the report. |
SUMMARY OF THE LAB EXPERIENCE REPORT
Use the space below to summarize your lab experience report based on your findings from the lab, making sure to complete all required actions in each step of the lab and respond to all questions. Be sure to incorporate key part of your findings in your final project report for submission to your professor. You may use additional space as necessary to complete the lab.
In summary, I conducted the lab on a windows virtual machine and used the FTK software to create an image. I also investigated how to verify the image and evidence using MD5 and SHA1 hash values which are vital components of data forensic. I was able to analyze the unpartitioned space from which I recovered an image that was deleted. In the second part of the lab, I loaded a PCAP file for analysis and I was able to figure out how to analyze the packets based on the different components such as MAC addresses, IP addresses, and the protocols.