Reference no: EM133700512
Computer Forensics and Investigations
Part 1: P Image analysis using Autopsy
You were given an image file (8-jpeg-search.dd) and asked to analyse the files it contains using the Autopsy tool in your Ubuntu VM.
Answer the following questions:
Why is file7.hmm marked in red? What is its file type? How do you identify its real type?
How do you find the files with an extension mismatch in the given .dd file? Show the interface used to retrieve the result and the result page (with file details).
Hints: file META, file type.
Please report your findings by preparing a document and listing the tools you used and the steps you took with screenshots.
Submit your attempt (.pdf) to onTrack.
Part 2:
2.1P Mount and Grep
You have learned how to use "grep" to perform powerful content-based searches. Now you will use it, together with Autopsy, to find some useful clues.
You are given an image called C2Prj03.dd (available under ~Desktop/Data-files/week02/). Your task is to find a secret code hidden in a file by a suspect. You only know that the code is 6 digits long, starts with "46", and is made up only of the digits 1, 2, 4, 5 and 6.
(Hint: You may need to conduct both content-based and cluster-based file searches in Autopsy. Browse through every graphical file as well, because text drawn inside an image is not found by a keyword search.)
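The search described above, as an added worked example that is not part of the original task sheet: a Python script that applies the same constraints (6 digits, starts with 46, every digit from {1, 2, 4, 5, 6}) to the raw bytes of an image, so that file content, slack and unallocated space are all covered by one pass. The image content is constructed inline as a stand-in for C2Prj03.dd, and the decoy values in it are invented for the demonstration.

```python
import re

# Constructed stand-in for the raw bytes of an image such as C2Prj03.dd:
# file contents, slack and unallocated space all end up in one byte stream,
# so the search runs over the raw bytes rather than over a mounted filesystem.
SAMPLE_IMAGE = (
    b"\x00\x00notes.txt: call 461234 before noon\x00"   # 461234 contains a 3 -> not the code
    b"PIN list 4612456 and 46 2156\xff\xfe"              # 7 digits long / split by a space
    b"\x00the real one 465 124\x00 code=462156;\x00"     # 462156 is the only valid hit
    b"\x89PNG\r\n\x1a\n" + bytes(range(64)) +            # binary data: grep needs -a here
    b"462156" + b"\x00" * 8                               # same code again, in unallocated space
)

# 6 digits, starts with 46, the remaining four drawn from {1,2,4,5,6}, and not
# part of a longer digit run (the look-arounds are what reject 4612456).
CODE_RE = re.compile(rb"(?<![0-9])46[12456]{4}(?![0-9])")


def find_codes(image: bytes) -> list[tuple[int, str]]:
    """Return (byte offset, code) for every candidate in the raw image bytes."""
    return [(m.start(), m.group().decode("ascii")) for m in CODE_RE.finditer(image)]


def unique_codes(image: bytes) -> set[str]:
    """Distinct candidates; a code seen twice (file + unallocated copy) counts once."""
    return {code for _, code in find_codes(image)}


if __name__ == "__main__":
    for offset, code in find_codes(SAMPLE_IMAGE):
        # The offset is what you feed to HxD or to Autopsy's hex view to work
        # out which file (or which unallocated cluster) holds the hit.
        print(f"offset {offset:#08x}: {code}")
```

The command-line equivalent is `grep -aboE '46[12456]{4}' C2Prj03.dd`: -a treats the binary image as text, -b prints the byte offset of each hit, -o prints only the matching text instead of the whole "line", and -E enables the {4} repetition syntax. Plain grep cannot express the look-arounds that reject a longer digit run, so either add -P (PCRE syntax) or check the candidates by hand; and, as the hint says, digits drawn inside a picture never match, so the graphical files still have to be opened one by one.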
Report your findings by preparing a document and listing the steps you used with screenshots. If commands are used, please explain their switches.
Submit your attempt (.pdf) to onTrack.
Part 3:
3.1P DiskDump
Q1: Use dd and dcfldd to dump disk.
On most Linux systems physical memory is exposed through the character device /dev/mem. Use dd, and then dcfldd, to dump the first 200 blocks of 1024 bytes each from it (block size 1024 bytes, count 200). Reading /dev/mem requires root, and kernels built with CONFIG_STRICT_DEVMEM (the Ubuntu default) only allow user-space reads of the first 1 MiB of RAM, so a larger dump fails with "Operation not permitted"; full memory acquisition needs a kernel-module based tool such as LiME instead.
Submit the screenshots of the commands used and their output. Briefly explain what the output tells you.
Q2: Describe the major difference(s) between "dd" and "dcfldd", and explain which one is more suitable for digital forensics acquisition and why.
Q3: Use HashCalc (with all hash algorithm boxes ticked) to generate hash values of sda.dd (available under "~/Desktop/Data-files/week03" in Ubuntu VM). Rename it to sdaa.dd and generate the renamed file's hash values.
Submit the screenshots of the commands used and their output. Are the two sets of hash values the same? Briefly explain why we need to calculate at least 2 different checksum values using different algorithms for a digital forensic file.
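Q1 and Q3 together, as an added worked example that is not part of the task sheet: a Python script that copies the first 200 blocks of 1024 bytes from a source the way `dd if=... of=... bs=1024 count=200` does, hashes the result with several algorithms in one pass (what dcfldd's hash= option and HashCalc's ticked boxes do), renames the file and re-hashes it, and then flips one byte to show what a changed digest looks like. The source file is constructed inline as a stand-in for /dev/mem or sda.dd; the file names mirror the task.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024   # bs=1024 in the dd/dcfldd command
BLOCK_COUNT = 200   # count=200


def acquire_first_blocks(src: str, dst: str, bs: int = BLOCK_SIZE, count: int = BLOCK_COUNT) -> int:
    """Copy the first `count` blocks of `bs` bytes from src to dst, as
    `dd if=src of=dst bs=1024 count=200` does. Returns the bytes written."""
    written = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for _ in range(count):
            chunk = fin.read(bs)
            if not chunk:          # source shorter than requested: dd stops early too
                break
            fout.write(chunk)
            written += len(chunk)
    return written


def hash_file(path: str, algorithms=("md5", "sha1", "sha256")) -> dict[str, str]:
    """Hash a file with several algorithms in one read (dcfldd hash=md5,sha1,sha256;
    HashCalc with all boxes ticked)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def rename_keeps_hashes(path: str, new_path: str) -> bool:
    """Renaming changes directory metadata only; the content digests must stay identical."""
    before = hash_file(path)
    os.rename(path, new_path)
    return hash_file(new_path) == before


def flip_one_byte(path: str, offset: int) -> None:
    """Simulate tampering with an acquired image: invert one bit of one byte."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)
        f.seek(offset)
        f.write(bytes([b[0] ^ 0x01]))


def demo() -> dict:
    """Run the acquisition, rename and tamper steps in a scratch directory."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed source standing in for /dev/mem or sda.dd: 300 KiB of varying bytes.
        src = os.path.join(workdir, "source.bin")
        with open(src, "wb") as f:
            f.write(bytes((i * 7) & 0xFF for i in range(300 * 1024)))

        image = os.path.join(workdir, "sda.dd")
        size = acquire_first_blocks(src, image)
        original = hash_file(image)
        renamed = os.path.join(workdir, "sdaa.dd")
        same_after_rename = rename_keeps_hashes(image, renamed)
        flip_one_byte(renamed, offset=12345)
        tampered = hash_file(renamed)
        return {
            "size": size,
            "unchanged_after_rename": same_after_rename,
            # every algorithm changes, not just one: a single flipped bit is enough
            "all_digests_changed_after_tamper": all(original[k] != tampered[k] for k in original),
            "digests": original,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The commands themselves are `sudo dd if=/dev/mem of=mem.dd bs=1024 count=200` and `sudo dcfldd if=/dev/mem of=mem.dd bs=1024 count=200 hash=md5,sha256 hashlog=mem.hashes`; dcfldd's hash= and hashlog= options compute and record the digests during the copy, which plain dd cannot do, so the acquisition and its verification hash come from the same read. Two algorithms are used because a single digest can be defeated by a collision (practical for MD5), whereas producing one file that matches both an MD5 and a SHA-256 value is not.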
Please answer the above questions and submit your attempt (.pdf) to onTrack.
Part 4: 4.1P File recovery from mounted encrypted volume and keyword search
In this task, we further examine the evidence in the USB drive image "Terryusb.E01" (available under ~Desktop/Data-files/week04/ on the Ubuntu VM). Some files in "Terryusb.E01" contain the keyword "patents". You are asked to count how many times the word "patents" appears in the files, deleted ones as well as existing ones. (Hint: use the command line, since the Autopsy keyword search may not work on this image.)
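The count described above, as an added worked example that is not part of the task sheet: a Python script that counts every occurrence of the keyword in a raw image, case-insensitively, and separately in the UTF-16LE form that Windows documents often use, which an ASCII search misses. It also shows why counting matching lines (what `grep -c` reports) is not the same as counting occurrences. The image bytes are constructed inline as a stand-in for a raw view of Terryusb.E01, and the file names in them are invented.

```python
import re

# Constructed stand-in for the raw bytes behind an exported/mounted E01 image.
# It holds an allocated text file, the remains of a deleted file in unallocated
# space, a UTF-16LE document, and some picture data, as a USB image would.
RAW_IMAGE = (
    b"memo.txt: The patents for the valve design. Patents pending.\n"
    b"\x00\x00\x00deleted draft: PATENTS list follows\n"
    + b"\x00" * 16
    + "patents.docx text: two patents filed\n".encode("utf-16-le")
    + b"\xff\xd8\xff\xe0 jpeg data \xff\xd9"
)

KEYWORD = "patents"


def count_occurrences(image: bytes, keyword: str = KEYWORD) -> dict[str, int]:
    """Occurrences of the keyword, case-insensitive, in 8-bit text and in UTF-16LE.
    `grep -aoi keyword image | wc -l` gives the first number; the second is only
    found if the wide-character form is searched as well."""
    ascii_re = re.compile(re.escape(keyword).encode(), re.IGNORECASE)
    # UTF-16LE: each ASCII character is followed by a NUL byte, so build the
    # pattern character by character with both cases in a class.
    wide_pattern = b"".join(
        b"[" + c.lower().encode() + c.upper().encode() + b"]\x00" for c in keyword
    )
    wide_re = re.compile(wide_pattern)
    return {"ascii": len(ascii_re.findall(image)), "utf16le": len(wide_re.findall(image))}


def count_lines_with_keyword(image: bytes, keyword: str = KEYWORD) -> int:
    """What `grep -c` reports: the number of LINES containing the keyword, which
    undercounts whenever a line holds the word more than once."""
    kw = re.compile(re.escape(keyword).encode(), re.IGNORECASE)
    return sum(1 for line in image.split(b"\n") if kw.search(line))


def total_occurrences(image: bytes, keyword: str = KEYWORD) -> int:
    counts = count_occurrences(image, keyword)
    return counts["ascii"] + counts["utf16le"]


if __name__ == "__main__":
    print("per encoding:", count_occurrences(RAW_IMAGE))
    print("lines (grep -c):", count_lines_with_keyword(RAW_IMAGE))
    print("total occurrences:", total_occurrences(RAW_IMAGE))
```

On the command line: `ewfmount Terryusb.E01 /mnt/ewf` exposes the image as the raw file /mnt/ewf/ewf1, and `grep -aoi patents /mnt/ewf/ewf1 | wc -l` counts the ASCII occurrences (-a treat binary as text, -o one match per output line, -i ignore case). Because the raw image includes unallocated space, hits inside deleted files are counted too; to attribute hits to individual files, recover them with `tsk_recover -e` (allocated and unallocated files) and grep the output directory.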
Report your findings by preparing a document and listing the tools and the steps (commands) you used with screenshots.
Submit your attempt (.pdf) to onTrack.
Part 5: 5.1P Hidden file recovery
There is hidden data in the recovered picture "Broken.pdf"; a ZIP file is suspected. Open the file in HxD and search for the ZIP "magic number" to locate the hidden archive. (Hint: the "magic number" is specified in "archive.pdf" under "~Desktop/Data-files/week05/".)
Use copy and paste in HxD to carve out the hidden file. (Hint: 0xFFD9 is the JPEG End-Of-Image marker, not a PDF footer; a genuine PDF ends with "%%EOF". If "Broken.pdf" is really a JPEG with a misleading extension, the appended ZIP data starts after the picture's FFD9 marker. The magic numbers in "archive.pdf" are given in octal, so convert them to hex before searching: the ZIP local file header 0120 0113 003 004 is 50 4B 03 04, i.e. "PK\x03\x04".)
Extract the contents of the hidden file and briefly describe what the contents are.
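The carving step, as an added worked example rather than part of the task sheet: a Python script that builds a constructed JPEG-shaped file with a real ZIP appended after the FFD9 marker (standing in for "Broken.pdf"), converts the octal magic bytes to the signature, finds it the way HxD's Find does, carves from that offset to the end of the file and lists the archive. The file names inside the archive are invented.

```python
import io
import zipfile

# Octal values as printed in a magic file, converted: 0120 0113 003 004 -> b"PK\x03\x04"
ZIP_LOCAL_HEADER = bytes([0o120, 0o113, 0o003, 0o004])
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PDF_EOF = b"%%EOF"


def build_sample_container() -> bytes:
    """Constructed evidence: a minimal JPEG-shaped file with a real ZIP appended after FFD9."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret/plan.txt", "meet at the docks, 02:00\n")
        zf.writestr("secret/contacts.csv", "alias,number\nfox,0412000000\n")
    picture = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + bytes(range(200)) + JPEG_EOI
    return picture + buf.getvalue()


def find_signature(data: bytes, signature: bytes, start: int = 0) -> int:
    """Offset of the first occurrence of `signature` at or after `start`, or -1 (HxD's Find)."""
    return data.find(signature, start)


def carve_zip(data: bytes) -> bytes:
    """Carve from the first ZIP local-file header that lies after the picture's end marker.
    Starting the search after FFD9 / %%EOF avoids false hits on 'PK' bytes inside the
    picture; the first marker is used because searching backwards could land inside
    the appended archive, whose compressed data may itself contain FF D9."""
    marker = JPEG_EOI if data.startswith(JPEG_SOI) else PDF_EOF
    end = find_signature(data, marker)
    if end < 0:
        raise ValueError("no JPEG EOI or PDF %%EOF marker found")
    start = find_signature(data, ZIP_LOCAL_HEADER, end + len(marker))
    if start < 0:
        raise ValueError("no ZIP local file header after the end marker")
    carved = data[start:]          # HxD: select from this offset to end of file, copy, paste into a new file
    if not zipfile.is_zipfile(io.BytesIO(carved)):
        raise ValueError("bytes after the signature are not a complete ZIP archive")
    return carved


def list_contents(zip_bytes: bytes) -> dict[str, str]:
    """Extract every member of the carved archive into memory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: zf.read(name).decode() for name in zf.namelist()}


if __name__ == "__main__":
    evidence = build_sample_container()
    carved = carve_zip(evidence)
    print(f"ZIP starts at offset {len(evidence) - len(carved):#x}, {len(carved)} bytes")
    for name, text in list_contents(carved).items():
        print(name, "->", text.strip())
```

If HxD's search for 50 4B 03 04 finds a hit before the FFD9 marker, it is most likely part of the picture data (a JPEG can carry an embedded thumbnail with its own FFD9 as well); carve from the first hit after the picture ends and confirm the result opens as an archive before reporting its contents.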
Please report your findings by preparing a document, and listing the steps you took with screenshots. If commands are used, please explain their switches.
Submit your attempt (.pdf) to onTrack.
Part 6: P Australian Cybercrime reporting and analysis
In this week's workshop, you are provided with the names of Australian Groups/Agencies that are involved in reporting computer crime and recent crime reports.
You are asked to do the tasks given in the first three sections of this week's workshop:
1 task under "Cybercrime reporting in Australia"
3 tasks under "Analysis of Threat Report"
1 task under "Analysis of Crime Statistics"
Submit your attempt (.pdf) to onTrack.
Part 7: P Password recovery
On a seized computer, you find a suspicious, password-protected file "DeakinWeb.zip". You suspect it contains sensitive user password hashes.
Please use what you learnt this week to open the zip file and crack the hashes it contains. Report your findings by preparing a document and listing the tools you used and the steps you took with screenshots.
Submit your attempt (.pdf) to onTrack.
The following "Reflection task" is for SIT703 students ONLY:
Please explain the difference between LM hash and NT hash.
Besides the OphCrack program introduced in this week's workshop, use any other TWO tools/programs to crack the following 3 hashes:
0dbc75ca710e732c944e2df489a880e4:192c670d242fe23e0e7f3ac4061b94aa
050b44b3930b270253bac0fa79a61dc4:714b6fe38e859afb64674beb90dc69e6
732fb77c95422bc51486235a2333e4d2:89f792bbf84ea3898cf30f49d8c814e2
Record which hash can/cannot be cracked by OphCrack and the two tools/programs of your choice. Why?
Report your findings and list the tools/programs you used and the steps you took with screenshots. Combine your answers to the above two tasks ("Password recovery task" and "Reflection task") in one pdf and submit to onTrack.
Part 8: P Using steganography tools to recover hidden information
On a seized computer, you find 3 suspicious files: "COD-steg.jpg", "division-steg.jpg" and "mandalorian-steg.jpg". You suspect that there is sensitive information hidden inside.
Please use what you learnt this week to recover information from these 3 files, then hide the recovered information in "MonaLisa.bmp" using passphrase "evidence".
Report your findings in a document, and list the tools you used & the steps you took to recover the information with screenshots. Please also show screenshots to prove that the information you hide can be revealed properly.
Submit your attempt (.pdf) to onTrack.
The following "Reflection task" is for SIT703 students ONLY:
Besides the tool(s) that you learnt this week for recovering information from these 3 files, find any other TWO methods/tools/programs that have not been introduced in this week's workshop and use them to do the same thing.
Write your reflection by briefly comparing these three methods/tools/programs (the one taught in this week's workshop and the two of your choice).
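To make the comparison in the reflection concrete, an added example that is not part of the task sheet and is not the algorithm of any workshop tool: a plain least-significant-bit embedding into a 24-bit BMP, with a constructed gradient image standing in for MonaLisa.bmp. It shows the mechanism LSB-based tools build on and the footprint that extraction (and steganalysis) relies on; passphrase-based tools additionally derive the sample positions from the passphrase and encrypt the payload, which this example does not.

```python
import struct


def make_bmp(width: int, height: int) -> bytes:
    """Constructed 24-bit BMP cover (stand-in for MonaLisa.bmp): a simple gradient."""
    row_size = (width * 3 + 3) & ~3             # rows are padded to 4-byte boundaries
    pixel_bytes = row_size * height
    header = struct.pack("<2sIHHI", b"BM", 54 + pixel_bytes, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    rows = b""
    for y in range(height):
        row = b"".join(bytes([(x * 3) & 0xFF, (y * 5) & 0xFF, (x + y) & 0xFF]) for x in range(width))
        rows += row + b"\x00" * (row_size - width * 3)
    return header + dib + rows


def _pixel_offset(bmp: bytes) -> int:
    return struct.unpack_from("<I", bmp, 10)[0]     # bfOffBits: where the pixel data begins


def embed(bmp: bytes, payload: bytes) -> bytes:
    """Sequential LSB embedding: 4-byte length prefix + payload, one bit per sample byte,
    most significant bit first. Row padding bytes are used too, which a real tool would
    skip because they carry no colour."""
    data = struct.pack("<I", len(payload)) + payload
    start = _pixel_offset(bmp)
    capacity = (len(bmp) - start) // 8
    if len(data) > capacity:
        raise ValueError(f"payload needs {len(data)} bytes, cover holds {capacity}")
    out = bytearray(bmp)
    bits = ((byte >> (7 - i)) & 1 for byte in data for i in range(8))
    for pos, bit in enumerate(bits, start):
        out[pos] = (out[pos] & 0xFE) | bit       # only the lowest bit of each sample changes
    return bytes(out)


def extract(bmp: bytes) -> bytes:
    """Reverse of embed(): read the length prefix, then that many payload bytes."""
    start = _pixel_offset(bmp)

    def read_bytes(offset: int, n: int) -> bytes:
        value = bytearray()
        for k in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (bmp[offset + k * 8 + i] & 1)
            value.append(byte)
        return bytes(value)

    length = struct.unpack("<I", read_bytes(start, 4))[0]
    return read_bytes(start + 32, length)


def lsb_changes(cover: bytes, stego: bytes) -> int:
    """Number of sample bytes that differ: the footprint steganalysis looks for."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


if __name__ == "__main__":
    cover = make_bmp(64, 48)
    message = b"recovered text from the three -steg.jpg files goes here"
    stego = embed(cover, message)
    print("extracted:", extract(stego))
    print("bytes changed:", lsb_changes(cover, stego), "of", len(cover))
```

The extracted bytes matching the embedded ones is the "proof that the information can be revealed" the task asks for; the change count shows why the cover looks identical to the eye (at most one low-order bit per sample) yet is detectable statistically, which is one axis on which to compare the tools in your reflection.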
Report your findings and list the tools/programs you used and the steps you took with screenshots. Combine your answers to the above two tasks ("Using steganography tools to recover hidden information task" and "Reflection task") in one pdf and submit to onTrack.
Part 9: 9.1P Encrypting and decrypting information
You have created a Public/Private key pair and want to protect the private key (in key.txt) on your computer.
You install CrypTool 1.4.41 and choose Symmetric (classic) > XOR to encrypt the private key file (key.txt) with the key byte 0xaa (or any other byte value of your choice).
Then you convert the unreadable binary output to Base64 and save the Base64 text to a file (e.g. encrypted-key.txt).
To double-check that nothing was lost, you decode the file (e.g. encrypted-key.txt) from Base64 and decrypt the result back to the original private key.
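The encrypt, encode, decode and decrypt round trip, as an added example that is not taken from the task sheet or from CrypTool: Python performing the same XOR with key byte 0xaa and the Base64 steps on a constructed stand-in for key.txt. It also shows why this exercise is about encoding rather than protection: with a single repeated key byte, one known plaintext byte recovers the key, and every PEM key file starts with "-----BEGIN".

```python
import base64

KEY_BYTE = 0xAA   # the XOR key used in the CrypTool exercise

# Constructed stand-in for key.txt; real PEM private keys begin with this header line.
PRIVATE_KEY = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEAxyz0EXAMPLEONLY=\n"
    b"-----END PRIVATE KEY-----\n"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key byte; encryption and decryption are the same step."""
    return bytes(b ^ key for b in data)


def encrypt_to_base64(plaintext: bytes, key: int = KEY_BYTE) -> str:
    """CrypTool 'Symmetric (classic) > XOR' followed by Base64: binary output -> text file."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decrypt_from_base64(text: str, key: int = KEY_BYTE) -> bytes:
    """The check in the task: Base64-decode, then XOR again with the same key."""
    return xor_bytes(base64.b64decode(text), key)


def recover_key(b64_ciphertext: str, known_prefix: bytes = b"-----BEGIN") -> int:
    """Known-plaintext attack on a single-byte XOR key: ciphertext XOR plaintext = key,
    and every position must agree on the same key byte."""
    ciphertext = base64.b64decode(b64_ciphertext)
    candidates = {c ^ p for c, p in zip(ciphertext, known_prefix)}
    if len(candidates) != 1:
        raise ValueError("the known prefix does not fit a single-byte XOR key")
    return candidates.pop()


if __name__ == "__main__":
    encoded = encrypt_to_base64(PRIVATE_KEY)
    print("encrypted-key.txt:", encoded[:60], "...")
    print("round trip ok:", decrypt_from_base64(encoded) == PRIVATE_KEY)
    key = recover_key(encoded)
    print(f"key recovered from the PEM header alone: {key:#04x}")
```

The round trip succeeding is what the task asks you to show; the last two lines are the caveat to put in your report: a repeating one-byte XOR hides nothing from anyone who knows what a key file looks like, so the private key on disk should be protected with a proper passphrase-based cipher (CrypTool's modern symmetric ciphers, or the key tool's own encrypted export) rather than this classic exercise.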
Please prepare a document, listing all the steps you took to encrypt/decrypt the key file and encode/decode Base64 code with screenshots.
Submit your attempt (.pdf) to onTrack.