Lab Report 1: Investigating Digital Evidence with Prodiscover
Course ID: CPS 4498-01
Student: Joseph Sobanjo
Instructor: Dr. Jing-Chiou Liou
Description:
This lab demonstrates how to use the application ProDiscover to examine images
for evidence on multiple USB drives. It is mandatory to create a duplicate of digital
evidence before viewing and examining it. We learn how to capture images for
evidence viewing while assuring that the integrity of the evidence is protected, as
required in digital forensics. This activity can be replicated by following this report.
System Specifications
The system that was used for this lab is a custom PC with an AMD 6700 XT GPU and
a Ryzen 7 3700X. I am connected to WiFi using an ethernet cable.
My OS version is Windows 10 Home 10.0.19042 build 19042, running on an AMD
Ryzen 3700X with 32 GB of RAM installed.
Verizon network adapter
Geolocation: off campus, Newark, New Jersey
ISP: Verizon
Procedure:
Lab 3.1 Installing ProDiscover and Creating a Work Folder
1. Install ProDiscover from the DVD included with the textbook. To run ProDiscover,
you need to have root privileges. (See page 39 for details)
2. Create a work folder for all forensics labs on your computer.
a. Create a sub-directory for each lab. E.g., Lab1 for this laboratory
A folder for Lab 1 was created in order to set up the capture image process
3. To protect the original image, make sure the USB drive is write-protected. Most USB
flash drives do not provide a write-block switch. We will assume you will not write
any data to it during the lab procedures.
Lab 3.2 Acquiring an Image from a USB drive with ProDiscover
1. In Windows 7 or earlier, click “Start,” “All Programs,” “ProDiscover Basic.” In Windows
8/10, click the “ProDiscover” icon in the start screen.
a. If the “Launch Dialog” window appears, click “Cancel.”
2. In the main window, click “Action, Capture Image” from the menu.
3. In the “Capture Image” window, click the “Source Drive” list arrow, and select the USB
drive you will use (See Figure 1-14)
a. Click the >> button next to the “Destination” text box and click “Choose Local
Path.”
b. When the “Save as” window opens, find your work folder for the lab and enter a
name for the image you’re making, such as Lab1-usb. Click “Save”.
c. In the “Capture Image” window, type your name in the “Technician Name” and
Lab1-usb01 in the “Image Number.” Click “OK.”
This is an image of the information typed to begin the capture image command.
These are images of the capture image process in progress.
4. When ProDiscover is finished, click “OK” in the completion message box. Click “File,”
“Exit” from the menu.
5. Acquiring other USB drives with larger data capacity is illustrated in Chapter 3. If you are
interested, you may follow the procedures on pages 107 – 110 to learn more about acquiring
an image from a USB drive.
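Why the lab insists on a write-protected source and a checksum: the image is only evidence if it can be shown to be a byte-for-byte copy. The following is an added example, not ProDiscover's code or part of the lab; it stands in for a USB drive with a constructed in-memory byte buffer, hashes the data while copying it, records the digest beside the image, and shows that altering either the image or the original source breaks the match.

```python
# Added example: minimal raw acquisition with on-the-fly SHA-256 and later
# verification. A BytesIO buffer is a constructed stand-in for the USB drive.
import hashlib
import io
import os
import tempfile

CHUNK = 4096  # read size; real tools use larger blocks, the logic is the same


def acquire(source, image_path):
    """Copy every byte of `source` (file-like, opened read-only) to
    `image_path`, hashing as we go. The digest is stored in a sidecar file
    so the image can be re-verified before every analysis session."""
    h = hashlib.sha256()
    with open(image_path, "wb") as out:
        for chunk in iter(lambda: source.read(CHUNK), b""):
            h.update(chunk)
            out.write(chunk)
    digest = h.hexdigest()
    with open(image_path + ".sha256", "w") as f:
        f.write(digest + "\n")
    return digest


def verify(image_path):
    """Re-hash the image and compare with the recorded digest.
    True only if the image is exactly what was acquired."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    with open(image_path + ".sha256") as f:
        recorded = f.read().strip()
    return h.hexdigest() == recorded


def demo():
    """Returns (intact, still_intact_after_tamper, source_unchanged)."""
    drive = bytearray(8192)                      # constructed 8 KiB "USB drive"
    drive[100:116] = b"report_final.doc"         # pretend file content
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "Lab1-usb.raw")
    first = acquire(io.BytesIO(bytes(drive)), image)
    intact = verify(image)                       # fresh image matches its digest
    with open(image, "r+b") as f:                # simulate the image being edited
        f.seek(100)
        f.write(b"R")
    still_intact = verify(image)                 # now the digest no longer matches
    drive[100] = ord("R")                        # simulate a write to the original
    second = acquire(io.BytesIO(bytes(drive)), image + ".2")
    return intact, still_intact, first == second  # (True, False, False)


if __name__ == "__main__":
    print(demo())
```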
Lab 3.3 Analyzing an Image from a USB drive with ProDiscover
Lab A. Analyzing Evidence with ProDiscover
1. Start ProDiscover Basic.
2. Click “File, New Project” from the menu to create a new case.
3. In the “New Project” window, type Lab1-usb in both the “Project Number” and the
“Project File Name” text boxes. Then click “OK.”
Screenshot of New project that was created
4. In the tree view of the main window, click to expand the “Add” item, and then click “Image
File.”
a. In the “Open” window, find the folder containing the image Lab1-usb.eve file,
and click “Open.” Click “Yes” in the “Auto Image Checksum” message box, if
necessary.
This .eve file was created after the capture imaging process was completed.
5. In the tree view of the main window, click to expand “Content View,” if necessary. Click to
expand “Images,” and click the image filename path C:\Work\Lab1\Lab1-usb.eve
(replacing the path with your actual one).
Screenshot of image filename path C:\Work\Lab1\Lab1-usb.eve
a. Click the “+” in front of the image file pathname, and then click “All Files” under
the image filename path.
b. When the “CAUTION” window opens, click “Yes” to load the Lab1-usb.eve file in
the main window.
I selected Yes for this option.
6. In the upper-right pane, click a file to view its contents in the data area. (See Figure 1-19)
a. Continue to navigate through the work and data areas and inspect the contents
of recovered evidence. Note that some files are deleted files that haven’t been
overwritten.
Screenshot of the work and data areas. I believe there are fewer files on my drive
due to it being brand new.
Lab B. Searching for Critical Information from Evidence
1. In the tree view, click “Search.”
Screenshot of “Content Search”
2. In the “Search” window, click the “Content Search” tab.
a. Click “Select all matches” check box, “ASCII” and “Search for the pattern(s)”
buttons.
Screenshot of “Content Search” with the selected parameters
b. Type a name that could possibly exist on your device, such as “Jennifer,” in
the text box under “Search for the pattern(s)” (See Figure 1-20)
I decided to type my name in the text box.
c. Under “Select the Disk(s)/Image(s) you want to search in,” click C:\Work\Lab1\
Lab1-usb.eve (replacing the path with your actual one) and “OK” to start the
search.
d. Screenshot of the selected drive and the pressed OK button
3. When the search is completed, the results are displayed in the search results pane in
the work area (See Figure 1-21).
There were no results, and I decided to run some more searches but still ended up
with no results.
a. Note that ProDiscover adds a new tab for each search as Search 1 and Search 2
shown in Figure 1-21.
b. If no results are found, how can we improve our search? (Hint: maybe specify the
absolute PATH?)
Screenshots of further searches with no results. I believe the reason for no
results is that I am working with a brand new USB drive and there aren't
enough files on it.
4. Click each file in the search result pane and examine its content in the data area.
If a file is selected, it will display what we know as binary data in the data section of
the application, and if it is double-clicked the file will display the data in the work
section of the application. After the file is double-clicked in the work section, it will
start whatever application it is associated with and display the contents.
a. If the file you select displays binary data in the data area, you can double-click
the file to display the data in the work area. Then double-click the file in the work
area to start an associated application, such as Excel, to display the content.
5. In the tree view, click “Search.”
6. In the “Search” window, click the “Content Search” tab.
a. Click “Select all matches” check box, “ASCII” and “Search for files named”
buttons.
b. Type any file name(s) in the text box to search for specific files.
7. Repeat steps 1-4, selecting “Hex” instead of “ASCII.”
a. Compared with the results from Step 4, are there any differences?
b. Can you conclude when it is better to use “Hex” than “ASCII”?
I can conclude that ASCII is better.
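The difference between the two search modes shows up only when the text on the drive is not stored as plain ASCII. The following added example (not the lab's or ProDiscover's code) builds a constructed 4 KiB image in which the name “Jennifer” appears once as ASCII inside a text file and once as UTF-16LE, the encoding Windows file systems use for long file names and many documents use for text, plus a headerless JPEG fragment in unallocated space. An ASCII search finds only the first occurrence; the hex search finds the UTF-16 copy and the picture fragment, which has no name to search for at all.

```python
# Added example: ASCII versus hex content search over a raw image. The image
# bytes are constructed here; offsets are chosen only for the demonstration.
import binascii


def find_all(image, needle):
    """Every offset at which the byte string `needle` occurs in `image`."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def search_ascii(image, text):
    """ProDiscover-style ASCII search: the pattern is matched as plain bytes."""
    return find_all(image, text.encode("ascii"))


def search_hex(image, hexstring):
    """Hex search: the pattern is a byte sequence written as hex digits."""
    return find_all(image, binascii.unhexlify(hexstring.replace(" ", "")))


def build_image():
    """Constructed 4 KiB 'drive' with three regions of interest."""
    img = bytearray(4096)
    note = b"Dear Jennifer, see attached"          # ASCII text file content
    img[512:512 + len(note)] = note
    name16 = "Jennifer".encode("utf-16-le")         # 4A 00 65 00 6E 00 ...
    img[1024:1024 + len(name16)] = name16           # e.g. a directory entry
    img[3072:3075] = b"\xff\xd8\xff"                # JPEG SOI marker, no name
    return bytes(img)


def demo():
    """Returns (ascii_hits, utf16_hex_hits, jpeg_hits) as offset lists."""
    img = build_image()
    ascii_hits = search_ascii(img, "Jennifer")              # [517]
    utf16_hex = "Jennifer".encode("utf-16-le").hex()
    hex_hits = search_hex(img, utf16_hex)                   # [1024]
    jpeg_hits = search_hex(img, "FF D8 FF")                 # [3072]
    return ascii_hits, hex_hits, jpeg_hits


if __name__ == "__main__":
    print(demo())
```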
Lab C. Generating an Investigation Report for Evidence
1. In the tree view, click “Report.” The report will be displayed in the right pane, as shown in
Figure 1-23.
Screenshot of the ProDiscover evidence report
2. You may click “File,” “Print Report,” and “OK” from the menu to print the report.
a. The report can be saved to a text file by clicking “Report,” then “Action, Export,” choosing
the file format, and entering a filename to save the file.
3. Click File, Exit to exit ProDiscover Basic.
Lab 3.4 Analyzing an Image from a USB drive with ProDiscover (Optional)
1. Format your USB drive to free all space (Disk B), or disk-copy your drive (Drive A) to
another empty USB drive (Drive B) and format it.
2. Repeat Steps 3.1 to 3.3 (except Lab 3.3C) to retrieve the image and information.
3. Observe from the lab and determine whether the format removed the original evidence.
a. Is the image file the same as in Lab 3.2?
b. Has any evidence disappeared from the image acquired from Disk B?
Notes and Suggestions:
The lab was relatively simple and straightforward. The lab took about 1.5
to 2 hours to complete. The only problem I encountered was getting the image
to be captured; however, I fixed this by clearing space on my USB drive and
desktop drive, which let the capture image process continue. This lab was
completed using ProDiscover Basic and a new 16 GB flash drive.
● Different computers may have different operating systems and hardware configurations.
If you use your own computer for this lab, the above procedure may not be completely
applicable. For example, you cannot follow the same procedure on a Mac computer.
● Make sure that the computer is back to its original condition. Do not leave a computer in
a non-functioning condition.
Lab report:
● Your report should include all information required to be noted in the procedure, any
problems/issues you encountered during the lab, and how you resolved them.