| 
  • If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!

View
 

Assignment 1

Page history last edited by Patrick 6 months, 3 weeks ago

CET4861

Advanced Digital Forensics
Assignment 1 - Tool Validation

 

Assignment Description:

 

Federal Judge Harry T. Stone has requested your help. There are two forensic examiners working as expert witnesses on a case in which Judge Stone is presiding - one for the prosecution and one for the defense. Each examiner was provided verified forensic duplicates of the original evidence. Upon examination, the two forensic examiners reported producing different SHA1 hashes for the same evidence; the prosecution used FTK Imager while the defense used Pro Discover.

 

Judge Stone is perplexed by the conflicting results and has brought you in as an independent and neutral third party to provide your opinion on the tools used.

 

Reading:

 

 

Your Task:

  • You will use both Windows and Linux for this assignment 
  • Windows:
  • Linux
    • dd and sha1sum
  • Your task is to validate the tools used by the forensic examiners and to report back to the Judge your findings
  • From your experience in Linux, I decided for you, that you want to add a third tool, dd, since you have used dd and sha1sum in the past to create forensic duplicates
  • The primary forensic question you are to answer is:
    • Do the three tools produce consistent results with respect to forensic copy and the original evidence?  
    • If not, explain any discrepancies that may have occurred.
  • You are to use one of your own USB flash drives for this assignment
    • Use the smallest drive you have
    • Populate the drive with files of your choosing 
  • Use FTK Imager, ProDiscover Basic, and Linux utilities to create a forensic copy of the USB, and hash it.  
  • Compare your results regarding consistency
  • Put your resulting SHA1 hashes of original evidence and forensic copies in a table

 

How I would do this assignment:

 

1. Get a small thumb drive, the smaller the better, and place a few files on the drive of varying file types e.g., a JPG, PDF, DOC, TXT, etc.

 

The goal is to validate the tools and do they each produce the same or different results. You're not trying to make hashes match to the evidence, so it doesn't matter what you use.

 

Using this image below is a completely extraneous step; it's only there as an option.

 

If you'd like to overwrite a larger drive with a smaller partition, you can use this image from Spring's CET4860:

 

Forensic Image

 

 

This is the current image I am using in 4860:

 

SHA1 Image Hash: 35e6017ac06747d21af9c696d641838166a5ebfa  4860.sp23.a1.dd

SHA1 Partition Hash: 6bbbccf862c0ad5a31a919abab58dfa7a7696754  /dev/sdb1

 

If your USB drive is assigned as /dev/sdb, you can overwrite 1GB worth of your drive with:

 

sudo dd if=4860.sp23.a1.dd of=/dev/sdb bs=1024000

 

Make sure to remove the drive and reinsert it so Linux will reread the partition table since you're overwriting the previous table.

 

Using that image above is a completely extraneous step; it's only there as an option.

 

2. Run Linux and open a terminal.   

 

3. Make sure you turn off 'automount' as it may change the evidence. How you do it depends on what version of Linux you are running. Here's a PDF with a step-by-step guide I made to stop automounting in Mint 17 which seems to work in Mint 18 as well. Make sure the box above mount point contains only 'nosuid,nodev,nofail,noauto'; the noauto is the most important, but the rest is good housekeeping.

 

4. Proceed to validate your tools. Use dd, FTK Imager, and ProDiscover to create a forensic copy and SHA1 hash. ProDiscover has an option for SHA1 in the preferences menu.


5. Do the hashes all match? Do any differ? Write a great report about that!

 

Deliverables:

  A written report either .doc or .pdf (preferred) format written in two sections.

  • First a non technical overview labeled "Non Technical Overview"
    • Explains, in non technical terms, how you conducted the testing and the results, as well as a conclusion.
    • NO TECHNICAL TERMS may be used
  • The second section should be a technical section
    • You must use the SWGDE test validation template
      • Starts on page 7 of the SWGDE guidelines document
    • Put your results (hashes) in a table and label the tools appropriately

 

Examples and Template

 

 

Writing a non technical summary

 

Your non technical summary should use little-to-no technical terms. This can be difficult, but not impossible, to do when a technical event is involved. Here is an excerpt from the Washington Post about the Heartbleed SSL issue. Note that they do a fantastic job of explaining the technical issue with mostly every day, non-technical terms

 

Q: What is SSL?.

A: It stands for Secure Socket Layer. It is the technology for establishing an encrypted link between a Web server and a browser. This link ensures that all data passed between the Web server and browsers remain private. “Open” SSL simply means that the code is freely available.

It’s the “s” in “https” that is supposed to stand for “secure.” Unlike Web sites that begin with “http,” “https” sites have a lock in browser address bars.

“That lock is supposed to signal that third parties won’t be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher,” explains Vox’s Timothy Lee. “If a malicious party is listening to the conversation, it will only see a seemingly random string of characters, not the contents of your emails, Facebook posts, credit card numbers, or other private information.”

 

All Course Lectures  

 

 

Comments (0)

You don't have permission to comment on this page.