Scribd
Upload
41 views89 pages

Lab-Computer Forensic

Lab-Computer Forensic

Uploaded by

keisper99
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
41 views89 pages

Lab-Computer Forensic

Lab-Computer Forensic

Uploaded by

keisper99
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

CHAPTER 20

COMPUTER
FORENSICS

CERTIFIED CYBERSECURITY TECHNICIAN


Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 1
INDEX
Chapter 20:
Computer Forensics

05
Exercise 1:
Create a Disk Image File of a Hard Disk Partition

16
Exercise 2:
Acquire RAM from Windows Workstation

22
Exercise 3:
Acquire Volatile Information from a Live Windows System

34
Exercise 4:
Analyze File System of a Linux Image using Autopsy

65
Exercise 5:
Capture and Analyse Memory Dump on Linux

77
Exercise 6:
View Contents of Forensic Image File

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 2


SCENARIO
Ever-increasing instances of cybercrime and the rise in computing technology have made an efficient and effective information security
program essential for organizations. With the rapid change in technology and threat landscape, it is important for organizations to incorporate
ongoing and proactive computer investigations into their current information security programs to thwart and prevent evolving threats.
To implement these programs, organizations need to adapt current information security best practices to include certain aspects of digital
forensic readiness into their current cybersecurity programs.

OBJECTIVE
The objective of this lab is to provide expert knowledge in conducting computer forensics. This includes knowledge of the following tasks:
• Creating a disk image file of a hard disk partition
• Acquiring RAM and volatile information from a Windows system
• Analyzing file system of a Linux image using tools such as Autopsy
• Capturing and analyzing memory dump on Linux System
• Viewing contents of forensics image file

OVERVIEW INTERRUPTED SESSIONS


Computer forensics is a part of digital forensics that deals with crimes committed across computing devices such as networks, computers, and
digital storage media. It refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document,
and present evidence from computing equipment such that the discovered evidence is acceptable during a legal and/or administrative
proceeding in a court of law.
An exponential increase in the number of cybercrimes and civil litigations involving large organizations has emphasized the need for computer
forensics. It has become a necessity for organizations to employ the service of a computer forensics agency or to hire a computer forensics
expert to solve cases involving the use of computers and related technologies. The staggering financial losses caused by cybercrimes have also
contributed to renewed interest in computer forensics.

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 3


LAB TASKS
A cyber security professional or a security professional use numerous tools and techniques to investigate evidence related to cyber-
attacks. The recommended labs that will assist you in learning the process of computer forensics include the following:

01 Create a Disk Image File of a Hard Disk Partition


02 Acquire RAM from Windows Workstation

03 Acquire Volatile Information from a Live


Windows System 04 Analyze File System of a Linux Image using
Autopsy

05 Capture and Analyse Memory Dump on Linux


06 View Contents of Forensic Image File

Note: Turn on PfSense Firewall virtual machine and keep it running throughout the lab exercises.

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 4


EXERCISE 1: CREATE A DISK IMAGE FILE OF A HARD DISK PARTITION
A disk image is a bit-by-bit copy of a hard disk or a disk partition, which includes all the files/folders, deleted files, files left in the slack space and
unallocated space, file system information, etc.

LAB SCENARIO
An investigator was performing forensics on a hard disk copy when he triggered a pre-loaded process that deleted the entire disk data leading
to loss of evidence. However, he had already created a forensic copy of the disk, and this gave him the option to work on the same data again.
Therefore, investigators should always create duplicates of the hard disk and perform the forensics process on the copy.
An expert investigator must have sound knowledge of the various disk imaging tools used for forensics investigation.

OBJECTIVE
The objective of this lab is to learn how to create a disk image file of a hard disk partition using R-Drive Image.

OVERVIEW OF TROJAN
This lab helps you learn how to create the disk image file of a hard-disk partition. Imaging of a hard disk or a hard disk partition helps you create
the forensic copy of the disk or a partition on it so that you can use the forensic copy for investigation purposes.

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 5


Note: Ensure that PfSense Firewall virtual machine is running.
1. Turn on the Admin Machine-1 virtual machine.
2. Log in with the credentials Admin and admin@123.
Note: If Networks pane appears, click Yes to allow your PC to be discoverable by other PCs and devices on this network.
3. Navigate to Z:\CCT-Tools\CCT Module 20 Computer Forensics\Computer Forensics Software\R-drive Image.
4. Double-click [Link] to launch the setup, select the language (here, English) and click OK.
Note: If an Open File - Security Warning pop-up appears, click Run.
Note: If a User Account Control pop-up appears, click Yes.
5. Follow the wizard-driven installation steps to install the application.
6. On completing the installation, ensure that Launch R-Drive Image option is checked and
EXERCISE 1:
CREATE A DISK
IMAGE FILE OF
A HARD DISK
PARTITION

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 6


7. The R-Drive Image GUI appears, click Next.
EXERCISE 1:
CREATE A DISK
IMAGE FILE OF
A HARD DISK
PARTITION

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 7


8. In the Action Selection window, Create an Image option is selected by default. Click Next to continue.
9. In this lab, we will be creating an image for D:. Therefore, in the Partition Selection window, select D drive to create a drive
image file of the drive. Click Next.
EXERCISE 1:
CREATE A DISK
IMAGE FILE OF
A HARD DISK
PARTITION

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 8


10. In the Image Destination panel:
• Expand This PC and select the New Volume (F:) (F drive) to save the file in this drive.
• The filename will be automatically taken by the application.
• Select R-Drive Image files (*.rdr) in the Files of type field and click Next.
EXERCISE 1:
CREATE A DISK
IMAGE FILE OF
A HARD DISK
PARTITION

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 9


11. In the Image Options panel, click Next.
Note: Providing a password is optional.
12. In the Backup Options panel, click Next.
13. The Processing panel displays the summary of all the processes. Click Start to start the disk partition imaging process.
EXERCISE 1:
CREATE A DISK
IMAGE FILE OF
A HARD DISK
PARTITION

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 10


11. In the Image Options panel, click Next.
Note: Providing a password is optional.
12. In the Backup Options panel, click Next.
13. The Processing panel displays the summary of all the processes. Click Start to start the disk partition imaging process.
EXERCISE 1:
CREATE A DISK
IMAGE FILE OF
A HARD DISK
PARTITION

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 11


14. T
 he Progress bar in the Processing panel will show the percentage of task completed. Once the processing is done, a pop-up
will appear displaying Image created successfully. Click OK.
15. In the Processing panel, click Continue to complete the process.
EXERCISE 1:
CREATE A DISK
IMAGE FILE OF
A HARD DISK
PARTITION

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 12


16. In the R-Drive Image window that reads Action Selection at the top, click the Exit button to close the application.
EXERCISE 1:
CREATE A DISK
IMAGE FILE OF
A HARD DISK
PARTITION

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 13


17. Now, navigate to the New Volume (F:) (F Drive) to view the created disk partition image file.
EXERCISE 1:
CREATE A DISK
IMAGE FILE OF
A HARD DISK
PARTITION

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 14


Note: The size of the image file depends on the space filled in the drive. Since we are imaging D drive, which is
currently empty, the size of the generated image file is relatively less.
18. Delete the image file upon finishing this lab.
19. This concludes the demonstration showing how to create a disk image file of a hard disk partition.
20. Close all open windows.
EXERCISE 1:
CREATE A DISK
IMAGE FILE OF
A HARD DISK
PARTITION

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 15


EXERCISE 2: ACQUIRE RAM FROM WINDOWS WORKSTATION
RAM (Random Access Memory) is a volatile-memory storage found in computing devices that temporarily holds the data your device needs to
access.

LAB SCENARIO
James, a forensics investigator, is performing live analysis on a suspect’s computer. In this process, he needs to primarily capture the RAM dump
of the machine as it contains volatile data that is lost when the machine loses power. In this scenario, the investigator performs RAM acquisition
on Windows workstation.
An expert investigator must understand how to acquire a RAM dump from Windows and Linux OSes.

OBJECTIVE
The objective of this lab is to learn how to perform RAM acquisition on Windows workstation.

OVERVIEW OF TROJAN
This lab familiarizes you with the Belkasoft RAM Capturer tool, which helps perform RAM acquisition on Windows systems; LiME and fmem do
the same on Linux systems.

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 16


Note: Ensure that the Admin Machine-1 and PfSense Firewall virtual machine is running.
1. In the Admin Machine-1 virtual machine, navigate to the directory Z:\CCT-Tools\CCT Module 20 Computer
Forensics\Data Acquisition Tools, copy Belkasoft RAM Capturer folder and paste it onto Desktop.
2. Now navigate to the directory Desktop →Belkasoft RAM Capturer → x64 and double-click [Link] to
launch the application.
EXERCISE 2:
FROM WINDOWS
WORKSTATION
ACQUIRE RAM

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 17


Note: If an Open File - Security Warning pop-up appears, click Run.
Note: If a User Account Control pop-up appears, click Yes.
3. You need to assign a folder to store the captured RAM. Therefore, navigate to the New Volume (D:) (D Drive) and
create a folder named Windows RAM.
4. Now, enter the path for the output (here, D:\Windows RAM) under Select output folder path field and click
Capture!.
EXERCISE 2:
FROM WINDOWS
WORKSTATION
ACQUIRE RAM

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 18


5. The application begins to capture the RAM.
6. Once the memory dump is successfully created, click Close to close the application.
EXERCISE 2:
FROM WINDOWS
WORKSTATION
ACQUIRE RAM

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 19


7. Navigate to D:\Windows RAM to view the created memory dump. The dump is saved in the [Link]
format, where yyyy refers to the year, mm refers to the month, and dd refers to the date.
EXERCISE 2:
FROM WINDOWS
WORKSTATION
ACQUIRE RAM

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 20


8. This way, you can capture the memory dump of a suspect Windows machine. These dumps act as important source of evidence for the
investigators while investigating volatile memory.
9. This concludes the demonstration showing how to acquire RAM from Windows machine.
10. Close all open windows.
EXERCISE 2:
FROM WINDOWS
WORKSTATION
ACQUIRE RAM

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 21


EXERCISE 3: ACQUIRE VOLATILE INFORMATION FROM A LIVE WINDOWS
SYSTEM
Acquiring volatile information from a live system involves obtaining information such as network information and process information about
an OS.

LAB SCENARIO
For forensics investigation, an investigator often needs to gather data from a live Windows system to analyze details such as network information
and process information by using different tools (command-line tools as well as GUI-based tools). Performing a thorough analysis will enable
the investigator to obtain vital evidence, which helps them solve cases related to digital forensics.
An expert investigator should know how to collect volatile information from a live system.

OBJECTIVE
The objective of this lab is to help you collect volatile information from a live Windows system

OVERVIEW OF THE LAB


This lab familiarizes you with the procedures to collect volatile information from a host computer running on a Windows OS by using tools such
as PsTools and LogonSessions.

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 22


Note: Ensure that the PfSense Firewall and Admin Machine-1 virtual machine is running.
1. Turn on the AD Domain Controller virtual machine.
2. Log in with the credentials CCT\Administrator and admin@123.
Note: If Networks pane appears, click Yes to allow your PC to discoverable by other PCs and Devices on this network.

3. Now, connect to the network drive CCT-Tools (Z:) as shown in the below screenshot.
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 23


Note: Ensure that the PfSense Firewall and Admin Machine-1 virtual machine is running.
1. Turn on the AD Domain Controller virtual machine.
2. Log in with the credentials CCT\Administrator and admin@123.
Note: If Networks pane appears, click Yes to allow your PC to discoverable by other PCs and Devices on this network.

3. Now, connect to the network drive CCT-Tools (Z:) as shown in the below screenshot.
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 24


Note: Our task in this lab is to collect volatile information from a host machine. We will be using Admin Machine-1 machine as the host
machine and AD Domain Controller machine as a locally connected machine.
Note: If you are already logged into the Admin Machine-1, then skip to Step#6.
4. Now, switch to the Admin Machine-1 virtual machine.
5. In the Admin Machine-1 virtual machine, navigate to Z:\CCT-Tools\CCT Module 20 Computer Forensics\Volatile Data Acquisition Tools.
6. Select the PsTools folder, hold the Shift key on the keyboard, right-click on the selected folder, and then select Open PowerShell window
here from the context menu.
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 25


7. The above operation will launch PowerShell displaying the path of PsTools. Type ./[Link] and press Enter.
8. The PsLoggedon License Agreement window will appear. Click Agree to continue.
9. T
 he PowerShell window will now display two results: Users Logged on locally (here, the local user is the Administrator of the local machine)
and Users Logged on via resource shares (in this case, no user is logged on through resource shares; hence, the result displays null in the
Users logged on via resource shares section)
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 26


10. N
 ow, close the PowerShell window and launch PowerShell window with Administrator privileges by right clicking the Start button
(Windows icon button) and then clicking on Windows PowerShell (Admin).
Note: If a User Account Control pop-up appears, click Yes.
11. W
 e will now run the net sessions command, which will list all the connected sessions on the host machine (here, Admin Machine-1), the
command has listed the username of the Admin Machine-1 machine as shown in the following screenshot:
Note: The net sessions command can be run only on Admin Machine-1 machine.
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 27


12. N
 avigate to Z:\CCT-Tools\CTT Module 20 Computer Forensics\Volatile Data Acquisition Tools, select the LogonSessions folder, and press Alt,
F, S, A keys on the keyboard one after the other, to open PowerShell window with Administrator privileges.
Note: If a User Account Control pop-up appears, click Yes.
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 28


13. The above operation will launch PowerShell with the path of LogonSessions. Type ./[Link] and press Enter.
14. The LogonSessions License Agreement window will appear. Click Agree to continue.
15. The utility will now list the currently active logon sessions.
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 29


16. T
 o list the logon sessions, their types, and the processes running under them, use the -p switch in combination with ./[Link].
All the running processes associated with each session will be displayed under the UPN section as shown in the screenshot below.
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 30


17. Close the PowerShell.
18. Now, we will use the net file utility to retrieve information pertaining to all the open shared files with respect to Admin Machine-1 virtual
machine.
19. T
 o run the net file command, launch it by right clicking the Start button and then clicking Windows PowerShell (Admin). In the PowerShell
window, type net file and press Enter.
Note: If a User Account Control pop-up appears, click Yes.
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 31


20. T
 he net file command will now display the Path of the shared folder from the local machine which is accessed by other machines (here,
AD Domain Controller machine); it also displays the Username of the user account that is remotely accessing the shared folder along with
the ID and Locks that are associated with the shared folder as shown in the screenshot below.
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 32


Note: The output of the command shown in the screenshot below, might vary in your lab environment.

21. This concludes the demonstration showing how to acquire volatile information from a live Windows machine.
22. Close all open windows.
ACQUIRE VOLATILE

WINDOWS SYSTEM
EXERCISE 3:
INFORMATION
FROM A LIVE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 33


EXERCISE 4: ANALYZE FILE SYSTEM OF A LINUX IMAGE USING AUTOPSY
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other such digital forensics tools.

LAB SCENARIO
An inspector, who is probing a murder incident, has found a dead system in a crime scene and suspects that the system is related to the incident
and could provide clues about it. When the inspector brings the system to the cyber forensics department, he/she creates an image of the hard
disk and begins to analyze the image using Autopsy. On further analysis of the file systems, the investigator finds some crucial evidence that
might help in solving the case.
In order to investigate a hard disk, as an investigator, you must know the types of file systems and how to analyze them using various tools.

OBJECTIVE
The objective of this lab is to learn and perform file system analysis using Autopsy. Performing file system analysis allows an investigator to
determine the following information:
• File system type
• Metadata information
• Content information

OVERVIEW OF THE LAB


Forensics analysis tools help investigators in collecting, managing, transferring, and storing necessary information required during forensics
investigation. Using these tools, an investigator can act quickly when investigating a security incident.
This lab familiarizes you with file system analysis using Autopsy. It helps you understand how to create a case in Autopsy and then examine the
file system using the application.

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 34


Note: Ensure that PfSense Firewall and Admin Machine-1 and AD Domain Controller virtual machines are running.
1. In this lab, we will be using Autopsy tool to examine the filesystem of a Linux image.
2. In the AD Domain Controller virtual machine, double-click the Autopsy 4.14.0 shortcut icon on the Desktop.
3. Autopsy Welcome window will appear along with Autopsy main window in the background. In the Welcome window, click New Case.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 35


4. A New Case Information window opens asking you to input the base Case Name and the Base Directory. The base directory is the location
where the case data will get stored. The case name may be entered according to your identification purpose. In this lab, we are assigning
the case name as Linux_Analysis.
5. Before specifying the base directory, we will be creating a folder on the Desktop with the name Image File Analysis and setting the path of
the Base directory to this folder.
6. Upon setting the base directory, click Next.
7. The New Case Information window now shows the Optional Information section where you can specify details such as name of the
examiner and case number. For this lab, let us enter the name of the examiner as Jonathan and the case number as 1001-125. You may also
SYSTEM OF A LINUX

fill out the other optional fields. Click Finish after entering the details for optional fields.
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 36


8. The Add Data Source window now appears displaying the section Select Type of Data Source To Add. Here, you need to select the type of
data source to be provided as an input. In this lab, we will be analyzing a disk image; therefore, select the option Disk Image or VM File and
click Next.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 37


9. T
 he Add Data Source window now displays the section Select Data Source where you need to select the location of the Image that you are
going to examine. Click Browse.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 38


10. A
 n Open window will appear where you need to specify the forensic image. Navigate to Z:\CCT Module 20 Computer Forensics\Evidence,
select Linux_Evidence_001.img and click Open.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 39


11. Once you set the path of the image file, click Next.
12. T
 he Add Data Source window now displays the Configure Ingest Modules section, which contains lists of options that are checked. Select
the options according to your requirement and click Next.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 40


13. The Add Data Source window now displays the Add Data Source section, stating that the data source is successfully added. Click Finish.
Note: Autopsy will take some time to completely analyze the evidence file. You can proceed to the next steps of this lab even when the
analysis of the evidence file is still in progress.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 41


14. T
 he application now displays the result in the Autopsy main window. Expand the Data Sources node in the left pane and click on the
image file i.e., Linux_Evidence_001.img. This will show the contents of the image file, as shown in the following screenshot:
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 42


15. E
 xpand the image file Linux_Evidence_001.img to see its contents. Upon expanding the image, Autopsy displays the filesystem of the
Linux image as shown in the following screenshot:
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 43


16. Y
 ou may examine all the required files stored in the image as a part of filesystem analysis. In this lab, we are going to view the passwd file
that is stored in \etc location. Therefore, select the etc folder from the left pane.
17. Upon selecting the folder, all the files and folders present in etc are displayed in the right pane of the window.
18. Scroll down the window and select the passwd file.
19. Click the Text tab.
20. A
 utopsy displays all the text (user account information) present in the passwd file, under the Strings tab, as shown in the following
screenshot:
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 44


21. Similarly, click on the File Metadata, Hex, and Annotations tabs to view other details pertaining to the selected file.
22. This way, you can analyze all the other files and folders of your choice to get detailed information on them.
23. Apart from examining the file system, you can also calculate the hashes of the files that you examine, which helps in validating the
integrity of the evidence. In this lab, we will be calculating the MD5 hash of a file named [Link], which is located within /home/roger/
Documents.
24. To view the MD5 hash value of this file, expand home → roger → Documents in the left pane. The [Link] file appears in the right pane
of the Autopsy window. Click the file.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 45


25. T
 he File Metadata section displays the selected folder/file’s metadata information such as the file’s created, modified, and accessed times
followed by its MD5 hash value.
26. Click on File Metadata and scroll down the section to find the MD5 value for the [Link] file.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 46


27. Click on Results tab and you can view information such as Source File Path, Artifact ID and it shows that the file is password protected.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 47


28. Now, click on Images/Videos option from the toolbar to view all the images and videos present in the evidence file.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 48


29. Image/Video Gallery - Editor window appears, maximize the window. It displays only image and video files.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 49


30. Close the Image/Video Gallery - Editor window to navigate back to Autopsy main window.
31. Now, click on Timeline from the menu bar.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 50


32. T
 he Timeline-Editor window opens, displaying a bar graph. Click on GMT/UTC radio button from the left
pane under Display Times In section.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 51


33. Now, right click on the longest bar (here 2016) and select Zoom into Time Range option from the context
menu.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 52


34. vIn the next window, right click on a bar (here June) and click on Zoom into Time Range option from the context menu.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 53


35. In the next window, right click on a date (here 09) and click on Zoom into Time Range option from the context menu. In the following
window, right click on a time interval (here 09) and select Zoom into Time Range option from the context menu.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 54


SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 55


36. Click on List from the View Mode options.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 56


37. The events will be listed in a time sequence; you can select any entry and click on Hex, Text, or File Metadata at the bottom of the window
to view the Hex, Text or Metadata of the event.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 57


38. Now close the Timeline-Editor window to navigate back to Autopsy main window. In the Autopsy window click on the Generate Report
option from the menu bar.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 58


39. A Generate Report window appears. By default, HTML Report will be selected under Report Modules, enter Header and Footer details in the
respective fields and click on Next.
Note: Here we are giving Linux_Analysis as the Header and CCT-Report as the footer.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 59


40. In the Configure Report window, select All Results radio button and click on Finish.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 60


41. A Report Generation Progress… windows appear showing the progress, wait for it to complete.
42. After completion of report generation click on Close to close the window.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 61


43. Minimize the Autopsy window, navigate to the Image File Analysis folder located on the Desktop. After this, navigate to Linux_Analysis/
Reports/Linux_Analysis HTML Report 08-27-2021-05-54-00 and double-click on report.
Note: The name of the HTML Report folder might vary in your lab environment.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 62


Note: If a Set up Internet Explorer 11 window appears, click on Ask me later and close the opened Microsoft tab to navigate to Autopsy Forensic
Report.

44. When the report opens in the default browser, you can explore the report by selecting the options under the Report Navigation menu.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 63


45. This concludes the demonstration showing how to analyze file system of a Linux image using Autopsy tool.
46. Close all open windows.
47. Turn off Admin Machine-1 and AD Domain Controller virtual machines.
SYSTEM OF A LINUX
EXERCISE 4:
ANALYZE FILE

IMAGE USING
AUTOPSY

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 64


EXERCISE 5: CAPTURE AND ANALYSE MEMORY DUMP ON LINUX
Dump files are compressed versions of system log files that are recorded when system crashes or turned off unexpectedly.

LAB SCENARIO
Processes, profiles, other security events are logged in the dump file that allow security teams to identify the reasons for unexpected shutdowns
or terminations, which are mostly caused by errors or bugs. Using these dump files, investigators can troubleshoot the software or OS issues.
Hence a security professional, must be able to capture the memory dump on the system and further analyze it to test for any suspicious files
or activities.

OBJECTIVE
This lab demonstrates how to capture and analyze memory dump on Linux system using various tools such as avml and volatility.

OVERVIEW OF THE LAB


This lab familiarized you with the procedures to capture memory dump using tools such as avml on a Linux system and then analyze the
captured memory dump using volatility tool for any issues.
AVML is an X86_64 userland volatile memory acquisition tool which can be used to acquire memory without knowing the target OS distribution
or kernel. Memory sources used by this tool are /dev/crash, /proc/kcore, /dev/mem.
The Volatility Framework is a completely open collection of tools, implemented in Python, for the extraction of digital artifacts from volatile
memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility
into the runtime state of the system.

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 65


Note: For demonstration purpose, we are analyzing memory on the same machine from which it is acquired. But, in the real world, memory is
collected from a different machine and further analyzed in a separate machine for issues.
Note: Ensure that PfSense Firewall virtual machine is running.
1. Turn on the Attacker Machine-2 virtual machine.
2. I n the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to
the machine.
Note: If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.
Note: If a Question pop-up window appears asking you to update the machine, click No to close the window.
3. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
5. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
6. Now, type cd and press Enter to jump to the root directory.
7. Firstly, we will generate a memory dump of the system using avml tool.
8. Type chmod 755 avml and press Enter to change the file permissions.
9. Now, type ./avml [Link] and press Enter to dump system memory in a file named [Link].
Note: It will take a while create a memory dump.

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 66


10. Type ls and press Enter to see the generated file [Link] in the /root directory.
ANALYSE MEMORY
EXERCISE 5:

DUMP ON LINUX
CAPTURE AND

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 67


11. Now, type cd volatility-master and press Enter to navigate to the Volatility tool repository.
12. Type cd tools/linux/ and press Enter.
13. Type make and press Enter to install the tool dependencies.
ANALYSE MEMORY
EXERCISE 5:

DUMP ON LINUX
CAPTURE AND

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 68


14. Now, type cd and press Enter to navigate back to the /root directory.
15. Type uname -a press Enter to display the kernal version.
Note: The above command is used to display the details such as name of operating system, the system node name, operating system release,
operating system version, hardware name, and processor type.
ANALYSE MEMORY
EXERCISE 5:

DUMP ON LINUX
CAPTURE AND

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 69


16. N
 ow, type zip parrot [Link] ./volatility-master/tools/linux/[Link] /boot/[Link]-5.7.0-2parrot2-amd64 and
press Enter to make a zip file and map with the system.
17. Type ls and press Enter to see the created zip file. Observe that a file named [Link] has been created, as shown in the screenshot below.
ANALYSE MEMORY
EXERCISE 5:

DUMP ON LINUX
CAPTURE AND

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 70


18. Type mv [Link] volatility-master/volatility/plugins/overlays/linux/ and press Enter to move the zip file to the volatility tool folder.
19. Type cd volatility-master and press Enter to navigate to the tool repository.
ANALYSE MEMORY
EXERCISE 5:

DUMP ON LINUX
CAPTURE AND

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 71


20. Type python [Link] --info | more and press Enter to display all the profiles in the directory.
21. A list of Profiles appears, you can observe the first profile Linuxparrotx64, which was moved to this directory in the previous steps.

Note: After viewing the profile list, press Ctrl+C and press Enter to terminate the command.
ANALYSE MEMORY
EXERCISE 5:

DUMP ON LINUX
CAPTURE AND

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 72


22. Now, we will analyze the captured memory dump using volatility tool.
23. Now, type python [Link] -f ../[Link] –-profile=Linuxparrotx64 linux_pslist | more and press Enter to list the process IDs.
Note: It will take a while to fetch the results.
ANALYSE MEMORY
EXERCISE 5:

DUMP ON LINUX
CAPTURE AND

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 73


Note: After viewing the process list, press Ctrl+C and press Enter to terminate the command.
24. Type python [Link] -f ../[Link] –-profile=Linuxparrotx64 linux_netstat | more and press Enter to display the network
connections, routing tables, and a number of network interface statistics.
Note: It will take a while to fetch the results.
ANALYSE MEMORY
EXERCISE 5:

DUMP ON LINUX
CAPTURE AND

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 74


Note: After viewing the connection list, press Ctrl+C and press Enter to terminate the command.
25. Type python [Link] -f ../[Link] –-profile=Linuxparrotx64 linux_bash | more and press Enter to display the terminal history.
Note: It will take a while to fetch the results.
ANALYSE MEMORY
EXERCISE 5:

DUMP ON LINUX
CAPTURE AND

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 75


Note: After viewing the bash list, press Ctrl+C and press Enter to terminate the command.
26. Similarly, you can see other details such as a list of open files in the system by replacing the parameter with linux_lsof.
27. This concludes the demonstration showing how to capture and analyze memory dump on linux machine.
28. Close all open windows.
29. Turn off the Attacker Machine-2 virtual machine.
ANALYSE MEMORY
EXERCISE 5:

DUMP ON LINUX
CAPTURE AND

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 76


EXERCISE 6: VIEW CONTENTS OF FORENSIC IMAGE FILE
FTK Imager is a data preview and imaging tool that creates perfect copies (forensic images) of computer data without making changes to the
original evidence.

LAB SCENARIO
As part of investigation in an information theft case, senior investigator Alex has concluded scanning all the systems using the AccessData FTK
Imager tool to know if the deleted files on the systems contain any information of evidentiary value. The tool saves the investigator’s time as it
eliminates the hectic process of recovering every deleted file from the system.
An expert investigator must understand how to assess forensic images and collect the evidentiary data from those images.

OBJECTIVE
The objective of this lab is to learn how to use AccessData FTK Imager for viewing forensics images.

OVERVIEW OF THE LAB


This lab familiarizes you with the AccessData FTK Imager tool and helps you learn how to investigate forensic images of computer data without
subjecting the original evidence to modification. It also helps you understand how to assess electronic evidence to determine whether further
analysis of the evidence with a forensic tool is necessary.

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 77


Note: Ensure that PfSense Firewall virtual machine is running.
1. Turn on Admin Machine-1 and AD Domain Controller virtual machine.
2. In the AD Domain Controller virtual machine, log in with the credentials CCT\Administrator and admin@123.
Note: If Networks pane appears, click Yes to allow your PC to discoverable by other PCs and Devices on this network.
3. Navigate to Z:\CCT Module 20 Computer Forensics\Data Acquisition Tools\AccessData FTK Imager, double-click AccessData_FTK_
Imager_4.[Link] to launch the setup, and follow the wizard-driven installation instructions to install the application
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 78


Note: At the end of the installation process, ensure that the Launch AccessData FTK Imager option is checked in the setup wizard and then
click Finish.
4. The main window of AccessData FTK Imager appears, as shown in the following screenshot:
5. Click File → Add Evidence Item… to add evidence.
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 79


Note: Alternatively, you may also click on the Add Evidence icon from the toolbar to add evidence.
6. A Select Source window opens. Select the Image File option and click Next.
Note: In this lab, we will be examining a dd image; therefore, select the Image File radio button.
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 80


7. Click the Browse button to specify the image file path (Z:\CCT Module 20 Computer Forensics\Evidence\Windows_Evidence_001.dd) and
then click Finish.
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 81


8. The evidence file (Windows_Evidence_001.dd) appears in the left pane of the main window under the Evidence Tree section. Expand the
evidence file and its contents so that it appears in the form of a tree, as shown in the following screenshot:
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 82


9. Select any file or folder (here, we selected images folder) from the Evidence Tree to view the file list in the Right pane under File List.
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 83


10. A
 part from viewing the contents of a file or folder, AccessData FTK Imager also lets you view the hex values of files. Hex values help
determine the raw and exact contents of a file even if it has been deleted or overwritten. Hex values thus help you identify and
retrieve information that normally cannot be accessed by the OS.
11. To view the Hex value of a file, select a file (here we selected 1200px-Peace_sign.[Link]) from the File List.
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 84


12. Click the Hex icon on the toolbar and Hex values of the selected file will be displayed in the bottom-right pane.
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 85


13. Click the Properties tab in the lower-left pane to view the properties such as file class, size, date, start cluster, etc. of the selected file.
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 86


14. Click the Hex Value Interpreter tab in the lower-left pane to view the properties such as signed integer, DOS date, etc. of the selected file.
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 87


15. In this manner, you can examine the contents of the forensic image file using AccessData FTK Imager tool.
16. This concludes the demonstration of showing how to view contents of forensic image file.
17. Close all open windows.
18. Turn off Admin Machine-1, AD Domain Controller and PfSense Firewall virtual machines.
VIEW CONTENTS OF
EXERCISE 6:
FORENSIC IMAGE
FILE

Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 88


Copyrights @ 2022 EC-Council International Ltd. Certified Cybersecurity Technician 89

You might also like