ICT378 Cyber Forensics and Information Technology Assignment

Reference no: EM132854571

ICT378 Cyber Forensics and Information Technology - Murdoch University

The objective of these projects is to give you practice in mounting and imaging virtual machines and cloud forensics investigations.
- Tools needed to complete this lab: FTK Imager, OSForensics, Belkasoft Live RAM Capturer, Autopsy
- Files needed to complete this lab: The files can be found on the Workshop Source Files

Before beginning, create a Work\Chap10\Projects folder on your system.

Part 1: FTK Imager and OSForensics for VM

If necessary, download and install VMware Workstation Player. You also need FTK Imager Lite. In this activity, you examine your own system for evidence of a VM:

1. Start FTK Imager Lite, and click File, Add Evidence Item from the menu.

2. In the Select Source dialog box, click the Logical Drive option button, and then click Next.

3. In the Select Drive dialog box, click the Source Drive Selection list arrow, click the drive where you installed VMware Workstation Player, and then click Finish.

4. In the upper-left pane, expand the drive where VMware Workstation Player is installed until you see a folder with "[root]" next to it. Expand this folder, and navigate to the Windows\System32 folder.

5. Right-click the config folder and click Export Files.

6. In the Browse For Folder dialog box, navigate to and click your work folder, and then click OK. Click OK in the Export Results dialog box, and then exit FTK Imager.

7. Start OSForensics, and start a new case. When you're prompted for a case folder, create one under your work folder called InChap10-1.

8. In the left pane, click Registry Viewer, which opens to a listing of Registry keys.

9. Click the Software folder in the right pane and click Open. In the left pane of the window that opens, expand the SOFTWARE node, scroll down, and then expand C:/VMware, Inc. and VMware Drivers. The drivers shown in the below Figure are examples of what you might see in the Registry as evidence of a VM's presence on the system. Exit OSForensics.

After determining that a VM was installed on the host, the next step is finding it. In VMware, you look for files with .vmdk, .vmsd, or .vmx extensions as well as nvram (virtual RAM) files. Next, you need to acquire an image of the VM. Follow these steps:

1. Start your Web browser, and go to www.ubuntu.com/download/desktop. Download an ISO image of Ubuntu Linux 16.04.

2. Start VirtualBox. Create a virtual machine named Ubuntu 16.04, and install Ubuntu 16.04 as the guest OS.

3. Start FTK Imager Lite, and click File, Add Evidence Item from the menu.

4. In the Select Source dialog box, click the Image File option button, and then click Next.

5. Click the Browse button, navigate to \users\username\VirtualBox VMs\Ubuntu 16.04, click the Ubuntu 16.04 folder, and double-click the .vmdk file. Then click Finish.

6. Click to expand the Evidence Tree in the left pane. Typically, in an Ubuntu installation, three partitions are listed: partition 1, containing the root partition; partition 5, containing the swap partition (see the below Figure); and unallocated space.

7. Now that you have the virtual machine file open, acquire an image of it by clicking File, Create Disk Image from the menu.

8. In the Select Source dialog box, click the Image File option button, and then click Next.

9. In the Select File dialog box, click the Browse button, and then navigate to and double-click the .vmdk file. Click Finish.

10. In the Create Image dialog box, click the Add button in the Image Destination section.

11. In the Select Image Type dialog box, verify that Raw (dd) is selected for the image format, and then click Next.

12. In the Evidence Item Information dialog box, enter today's date for the evidence number, your name, and any other pertinent information, and then click Next.

13. In the Select Image Destination dialog box, click the Browse button, navigate to and click your work folder, and then click OK. In the Image Filename (Excluding Extension) text box, type C10InChap-2. In the Image Fragment Size (MB) text box, type 0 so that FTK Imager Lite doesn't attempt to break the image file into chunks that fit on a CD.

14. Click Finish, and then click Start to begin the image acquisition. This process might take a few minutes. When it's finished, exit FTK Imager Lite. You can then examine the image with the tool of your choice.
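As an added illustration of the file-based evidence described above (this script is not part of the original workshop), the following Python code walks a folder for the VMware/VirtualBox extensions named in the text and parses a VMDK descriptor to list the extents behind the virtual disk and its virtual size. The VM folder and descriptor it builds are constructed for the demonstration, not taken from a real VM.

```python
import os
import re
import tempfile

# Extensions the lab names as VMware/VirtualBox evidence (.nvram is the VM's NVRAM file).
VM_EXTENSIONS = {".vmdk", ".vmsd", ".vmx", ".nvram"}
# VMDK descriptor lines such as:  RW 20971520 SPARSE "Ubuntu 16.04.vmdk"
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"', re.M)
CREATE_TYPE_RE = re.compile(r'^createType\s*=\s*"([^"]+)"', re.M)


def find_vm_artifacts(root):
    """Walk root and return every file whose extension marks it as a VM artifact."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in VM_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def read_vmdk_descriptor(path, limit=64 * 1024):
    """Return the text descriptor of a .vmdk, or None if none is found. A plain
    descriptor file starts with it; a monolithicSparse extent embeds it after a
    512-byte binary header, so the first 64 KiB is scanned for the marker."""
    with open(path, "rb") as f:
        head = f.read(limit)
    start = head.find(b"# Disk DescriptorFile")
    if start < 0:
        return None
    end = head.find(b"\x00", start)
    return head[start:end if end > 0 else len(head)].decode("ascii", "replace")


def parse_vmdk_descriptor(text):
    """Extract createType, the extents (access, sectors, type, file) and the virtual size."""
    m = CREATE_TYPE_RE.search(text)
    extents = [(a, int(n), t, f) for a, n, t, f in EXTENT_RE.findall(text)]
    return {"createType": m.group(1) if m else "", "extents": extents,
            "virtual_size": sum(e[1] for e in extents) * 512}   # 512-byte sectors


# Constructed sample descriptor (not taken from a real VM) used by demo().
SAMPLE_DESCRIPTOR = (
    '# Disk DescriptorFile\nversion=1\nCID=a1b2c3d4\nparentCID=ffffffff\n'
    'createType="monolithicSparse"\n\n# Extent description\n'
    'RW 20971520 SPARSE "Ubuntu 16.04.vmdk"\n\n# The Disk Data Base\n'
    'ddb.virtualHWVersion = "4"\n'
)


def demo():
    """Build a throwaway VM folder, locate its artifacts and parse the embedded descriptor."""
    root = tempfile.mkdtemp()
    vmdk = os.path.join(root, "Ubuntu 16.04.vmdk")
    with open(vmdk, "wb") as f:   # fake 512-byte sparse header, then the descriptor text
        f.write(b"KDMV" + b"\x00" * 508 + SAMPLE_DESCRIPTOR.encode() + b"\x00" * 16)
    for name in ("Ubuntu 16.04.vmx", "Ubuntu 16.04.nvram", "notes.txt"):
        open(os.path.join(root, name), "w").close()
    found = [os.path.basename(p) for p in find_vm_artifacts(root)]
    return found, parse_vmdk_descriptor(read_vmdk_descriptor(vmdk))
```

Point find_vm_artifacts at a mounted image or a user's VirtualBox VMs folder to get the same list the manual FTK Imager browse produces, and feed each .vmdk to read_vmdk_descriptor to see which extent files must be collected together.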

Part 2: Nested VM

In this project, you examine a virtual machine nested inside another virtual machine. Keep in mind that the number of VMs you can nest depends on the host machine's hardware. For this project, you use both VMware Workstation Player and VirtualBox. (If you haven't installed VMware Workstation Player yet, go to www.vmware.com/products/workstation- player/workstation-player-evaluation.html to download it, and then install it.)

1. Create a folder called shared on your host system. Start VMware Workstation Player, create a VM called Ubuntu-Primary, and install Ubuntu 16.04 as a guest OS. In the main VMware Workstation Player window, click the Ubuntu-Primary VM, and then click Edit virtual machine settings. Click the Options tab (on VMWare Pro, go to VM»Settings»Options), and click Shared folders on the left. On the right, click Add to start the Add Shared Folder Wizard. In the welcome window, click Next. In the Name the Shared Folder window, click Browse, navigate to and click the shared folder on your host system, and click OK. Click Next and then Finish to enable the share.

2. Start a Web browser, and go to www.ubuntu.com/downloads. Download a 32-bit version of Ubuntu 16.04 to the shared folder. Back in VMware Workstation Player, start the Ubuntu-Primary VM, and click the Ubuntu software icon so that you can install the software easily without having to download it. In the search area, type VirtualBox, and then select and install it.

3. Start VirtualBox on the Ubuntu-Primary VM, and create a VM called Ubuntu-Nested. In the Create Virtual Machine window, notice that only 32-bit versions of this OS are listed as choices. Continue creating the VM. Click the VMDK (Virtual Machine Disk) option button for the hard disk type, and leave the default settings in the remaining windows.

4. With the VM powered off, click Settings, and then click Storage. Navigate to and click the shared folder, and click the 32-bit Ubuntu 16.04 version you downloaded earlier. (Note: You might need to install VMware Tools to make sharing work. Be sure to adjust the RAM to approximately half that of the host VM, and confirm that you have at least 10 GB of storage on this one.) Start the Ubuntu-Nested VM, and install Ubuntu 16.04.

5. Take a screenshot of Ubuntu-Nested running inside Ubuntu-Primary. Navigate to where virtual machine files are stored on Ubuntu-Primary, and take a screenshot showing where files for Ubuntu-Nested are located. When you're finished, power off Ubuntu-Nested.

6. Take a snapshot of the Ubuntu-Primary VM, and name it SS_of_Ubuntu_Nested. Add descriptive comments, if you like. Power off the Ubuntu-Primary VM, and exit VMware Player.

7. Write a short report on the problems caused by deleting the VM that another VM is nested inside, and state whether any trace of the primary VM would be left.

Part 3: Capturing Live RAM

For this project, you install and use a tool for capturing live RAM.

1. Start a Web browser, go to the Belkasoft Web site, and download Belkasoft Live RAM Capturer. Install this tool, accepting the defaults, and then start it.

2. Take a screenshot of the opening window. In the "Select output folder path" text box, type your work folder name, and then click Capture! When the capture is finished, click Close.

3. Using WinHex, the hex editor you've used in previous workshops, open the test dump file and examine its contents. Do a search for keywords you'd expect to find in a physical machine's RAM, such as Microsoft, From, To, Subject, and http. If you find other keywords, make note of them. Take screenshots of the search results.

4. Exit WinHex. Write a short paper on your findings, and describe the challenges and possibilities of using Belkasoft for capturing live RAM and WinHex for analysis in an actual investigation.
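The keyword search in step 3 can also be scripted. The following Python example (added here, not part of the workshop) scans a memory dump for the lab's keywords in both ASCII and UTF-16LE, reports byte offsets with context, and copes with a keyword that straddles its read-chunk boundary. The dump it scans is a small constructed file, not a real capture.

```python
import re
import tempfile

# Keywords the lab suggests searching for in a physical machine's RAM.
KEYWORDS = ["Microsoft", "From", "To", "Subject", "http"]


def keyword_patterns(keywords):
    """One case-insensitive byte pattern per keyword and encoding. Windows keeps
    much in-memory text as UTF-16LE, which a plain ASCII search would miss."""
    pats = []
    for kw in keywords:
        pats.append((kw, "ascii", re.compile(re.escape(kw.encode("ascii")), re.I)))
        pats.append((kw, "utf-16le", re.compile(re.escape(kw.encode("utf-16-le")), re.I)))
    return pats


def printable(raw, enc):
    """Render match context for a report, replacing non-printable characters with '.'."""
    text = raw.decode("utf-16-le", "replace") if enc == "utf-16le" else raw.decode("latin-1")
    return "".join(ch if 32 <= ord(ch) < 127 else "." for ch in text)


def scan_dump(path, keywords=KEYWORDS, chunk_size=4 * 1024 * 1024, context=24):
    """Stream the dump in chunks and return sorted (offset, keyword, encoding, context)
    hits. Chunks overlap by one byte less than the longest pattern so that a
    keyword straddling a chunk boundary is found exactly once."""
    pats = keyword_patterns(keywords)
    overlap = max(len(kw) for kw in keywords) * 2 - 1     # UTF-16LE doubles the length
    assert chunk_size > overlap, "chunk must be larger than the overlap"
    hits = []
    with open(path, "rb") as f:
        base, buf = 0, f.read(chunk_size)
        while buf:
            nxt = f.read(chunk_size)
            # Matches starting inside the carried-over tail are reported on the next pass.
            limit = len(buf) - overlap if nxt else len(buf)
            for kw, enc, pat in pats:
                for m in pat.finditer(buf):
                    if m.start() >= limit:
                        break
                    ctx = buf[m.start():m.end() + context]
                    hits.append((base + m.start(), kw, enc, printable(ctx, enc)))
            if not nxt:
                break
            base, buf = base + limit, buf[limit:] + nxt
    return sorted(hits)


def demo(chunk_size=64):
    """Write a small constructed dump (not a real capture) and scan it; the default
    tiny chunk size puts the 'From' header inside the overlap region on purpose."""
    dump = (b"\x00" * 60 + b"From: alice@example.test\r\n" + b"\x90" * 10
            + "Subject: lab".encode("utf-16-le") + b"\xff" * 5
            + b"http://intranet.example.test/" + b"\x00" * 20)
    with tempfile.NamedTemporaryFile(delete=False, suffix=".mem") as f:
        f.write(dump)
    return scan_dump(f.name, chunk_size=chunk_size)
```

Run scan_dump against the Belkasoft output file with the default chunk size; the offsets it reports are the ones to jump to in WinHex when taking the screenshots.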

Create a Work\Chap13\Projects folder on your system before starting these projects; it's referred to as your "work folder" in steps. Copy the InCh05.img file from Workshop 8 Source Files to this work folder.

Part 4: OSForensics for Dropbox (Optional)

You have been asked to identify any files that might have been uploaded from Denise Robinson's computer to the Dropbox cloud service. To determine whether files were uploaded, you must find the Dropbox folder where files are synchronized to see what it contains. For this project, you examine the InCh05.img image file. Follow these steps:

1. Copy InCh05.img from Workshop 8 Source Files to your work folder. Start OSForensics with the Run as administrator option, and click Continue Using Trial Version. In the left pane, click Manage Case, if necessary. In the Manage Case pane on the right, click the New Case button. In the New Case dialog box, type InChap13 in the Case Name text box and your name in the Investigator text box. For the Acquisition Type setting, click the Investigate Disk(s) from Another Machine option button, and click Custom Location for the Case Folder setting. Click the Browse button, navigate to and click your work folder, and then click OK twice.

2. To mount the disk image, scroll down the navigation pane on the left and click Mount Drive Image.

3. In the "Mounted virtual disks" window, click the Mount new button. In the OSFMount - Mount drive dialog box that opens, click the ... button next to the Image file text box, navigate to your work folder, click InCh05.img, click Open, and then click OK.

4. You need to find Denise Robinson's account name listed in drive:\Users\username\Dropbox. To find this information, click File System Browser in the left pane. In the "Select device to add" dialog box, click the Drive Letter option button, if necessary. Click the Drive Letter list arrow (see the below Figure), click the drive letter assigned to the InCh05.img file, and then click OK.

5. In the File System Browser window, navigate to drive\Users (substituting the correct drive letter for drive) and expand the file listings. Click to expand the Denise user account folder, and then click the Dropbox subfolder, as shown in the below Figure.

6. Right-click the Getting Started.pdf file in the right pane and click View with Internal Viewer to display its contents. In the viewer window, click the File Viewer tab (see the below Figure), if necessary, and scroll through the document, which is a welcome notice from Dropbox. Close this viewer window, and repeat this step for other files in this folder to determine their contents.

7. In the File System Browser window, right-click the Dropbox.zip file and click Save to disk. In the "Save file as" dialog box, navigate to your work folder, click Save, and then click OK. Close the File System Browser window.

8. Open File Explorer, navigate to your work folder, and extract (unzip) Dropbox.zip. Examine the extracted data, and write a memo to the attorney stating that you recovered the Dropbox.zip file and describing its contents.

9. Leave the OSForensics running for Part 5.

Part 5: Autopsy for Google Drive

The attorney managing the case discovered that Denise Robinson's computer contains the IMG_3646.png file that might have been uploaded to Google Drive. To determine whether it has, you need to examine the Google Drive file sync_log.log. For this project, you need a text editor (Notepad, WordPad, or any word processor), OSForensics, a Web browser, and the image file InCh05.img you saved in Part 4. Follow these steps:

1. If you exited OSForensics, restart it, and open the InChap13 case and the InCh05.img file.

2. Click File System Browser in the left pane and navigate to C:\Users\Denise\AppData\Local\Google\Drive. Right-click sync_log.log and click View with Internal Viewer.

3. In the viewer window, click the Text Viewer tab, if necessary. In the text box, type IMG_3646, and then click the >> button. Finding the file confirms that it was uploaded to Google Drive.

4. Scroll to the right to view the modified=1406307808 and created=1406307808 values. Because both timestamp values are identical, you need to convert only one of them. Highlight the modified timestamp 1406307808, as shown in the below Figure, and then right-click it and click Copy.

5. Start a Web browser, go to, paste the numbers into the UNIX TimeStamp text box, as shown in the below Figure, and click Convert. (Note: If you can't access this Web site, try www.onlineconversion.com/unix_time.htm.)

6. In the Result text box, highlight the converted date and time value, and then right-click it and click Copy.

7. Start a text editor and type IMG_3646.png in the first line. Press Enter to add a blank line, and then press Enter again. Create two columns by typing Last modified date, pressing Tab eight times, and typing Created date. Place the cursor under the "Last modified date" column, and then right-click and click Paste. Repeat to paste the same date and time value under the "Created date" column.

8. Save the file as Google Drive IMG_3646 date stamps.txt. Exit the text editor, and write a short report of all your results and screenshots. Leave OSForensics running for the next project.
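As an added example (not from the workshop), this Python script performs steps 3 to 7 programmatically: it finds the IMG_3646.png entry in sync_log.log text, extracts the modified= and created= values, converts the UNIX timestamp to a UTC date, and lays out the two-column text file. The sample log lines are constructed in a key=value style for the demonstration and are not a real Google Drive log.

```python
import re
from datetime import datetime, timezone

# Regex for the key=value timestamp fields the lab reads from sync_log.log.
TS_FIELD_RE = re.compile(r"\b(modified|created)=(\d{9,11})\b")

# Constructed sample lines in the key=value style of the entries examined in the
# lab (not copied from a real sync_log.log); the IMG_3646 epoch values are the lab's.
SAMPLE_LOG = (
    "INFO sync: queued path=Getting Started.pdf modified=1401000000 created=1401000000\n"
    "INFO sync: uploaded path=IMG_3646.png size=2048 modified=1406307808 created=1406307808\n"
    "INFO sync: idle\n"
)


def find_entries(log_text, filename):
    """Return (modified, created) epoch pairs for every line mentioning filename."""
    found = []
    for line in log_text.splitlines():
        if filename not in line:
            continue
        fields = dict(TS_FIELD_RE.findall(line))
        if "modified" in fields and "created" in fields:
            found.append((int(fields["modified"]), int(fields["created"])))
    return found


def epoch_to_utc(ts):
    """Convert a UNIX timestamp (seconds since 1970-01-01) to an aware UTC datetime."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def fmt(ts):
    """Human-readable UTC form, matching what an online converter reports in GMT."""
    return epoch_to_utc(ts).strftime("%Y-%m-%d %H:%M:%S UTC")


def date_stamp_report(filename, modified, created):
    """Lay out the text file the lab asks for: file name, blank line, then two
    tab-separated columns holding the converted modified and created values."""
    header = "Last modified date" + "\t" * 8 + "Created date"
    values = fmt(modified) + "\t" * 8 + fmt(created)
    return "\n".join([filename, "", header, values]) + "\n"


def run(log_text=SAMPLE_LOG, filename="IMG_3646.png"):
    """Return the report text for the first matching entry, or None when the file
    never appears in the log (no evidence of an upload in this log)."""
    entries = find_entries(log_text, filename)
    if not entries:
        return None
    modified, created = entries[0]
    return date_stamp_report(filename, modified, created)
```

Replace SAMPLE_LOG with the text of the exported sync_log.log to produce the same date stamps file without the copy-and-paste round trip.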

Part 6: OSForensics for OneDrive (Optional)

The case attorney asked you to examine the OneDrive synchronization folder for Denise Robinson to look for any e-mail correspondence.

Follow these steps:

1. If you exited OSForensics, restart it, and open the InChap13 case and InCh05.img file. In the left pane, click File System Browser.

2. In the File System Browser window, navigate to drive:\Users\Denise\SkyDrive\OneDrive\E-mails. Extract all files with the extension .oxps by right-clicking each file and clicking Save to disk, and then clicking OK in the message box about saving the file successfully. Exit OSForensics.

3. Open File Explorer, navigate to your work folder, and open each file to view its contents. Write a one-page memo describing the contents of each file you recovered, and then close File Explorer. Turn the memo in to your instructor.

Note: Need only first 3 questions.

Attachment:- Forensics Workshop.rar

