Digital Forensics Assignment Paper.


Digital forensics is a branch of forensic science that deals with the investigation and recovery of useful material found in digital devices, particularly in cases of computer crime. In this experiment we concentrate on different methods of creating disk images for forensic purposes.

The purpose of the experiment is to demonstrate how the dd command and the FTK Imager tool are used to create "forensically sound" disk images on a Windows 7 x86 platform, and how a hex editor is used to analyze differences between the images produced. Images are created with several imaging tools and then compared; the comparison is done in the HxD hex editor so as to bring out the offset at which they differ.

Materials / Tools Used

1. Computer with Windows 7 x86 platform.
2. Helix bootable CD (Version 2009 R1)
3. FTK Imager ver. 2.9.0
4. The dd.exe program from the Forensic Acquisition Utilities (FAU)
5. USB thumb drive
6. Hex editor HxD


Part I: Using the Helix CD FTK Imager to image a USB thumb drive

a. The registry fix disableUSBwrite was run so as to write-protect the device.
b. The Windows 7 x86 platform was then started and the USB thumb drive was inserted.
c. The Helix CD was inserted and the "live" Windows system was started.
d. Under Quick Launch, the FTK Imager was chosen.
e. Under the File menu, I chose "Create Disk Image" and chose the physical drive as the evidence source, since I was using a USB thumb drive. The appropriate USB thumb drive was then selected and I clicked Finish.
f. Under the image destination, I clicked Add, chose the raw (dd) format, entered the case number 001 and evidence number 001, chose C:\Digital Forensics as the destination folder, gave the file name "forensics", and started the image creation.
g. After the image creation was complete, an image file with the name "Forensics1.001" and a text file with the name Forensics.txt containing the MD5 and SHA1 hash values were seen.

Part II: Using the FTK Imager ver. 2.9.0 to image a USB thumb drive

a. FTK Imager ver. 2.9.0 was installed.
b. Under the File menu, I chose "Create Disk Image" and chose the physical drive as the evidence source, since I was using a USB thumb drive. The appropriate USB thumb drive was then selected and I clicked Finish.
c. Under the image destination, I clicked Add, chose the raw (dd) format, entered the case number 001 and evidence number 001, chose C:\Digital Forensics as the destination folder, gave the file name "forensics", and started the image creation.
d. After the image creation was complete, an image file with the name "Forensics2.001" and a text file with the name Forensics.txt containing the MD5 and SHA1 hash values were seen.

Part III: Using the Forensic Acquisition Utilities (FAU) to image a USB thumb drive

a. The Forensic Acquisition Utilities (FAU), latest version FAU-1.3.0.2390a, were installed.
b. The folder C:\CGS5131HW1 was created on the computer, and the downloaded FAU software was uncompressed and saved there. This created a series of subfolders: C:\CGS5131HW1\fau-1.3.0.2390a\fau\FAU.
c. The command-line window was opened by going to the folder C:\Windows\system32, right-clicking the cmd.exe application and selecting "Run as administrator", as shown below.

d. The following commands were entered to navigate to the directory where dd.exe and volume_dump.exe are located: cd C:\CGS5131HW1\fau-1.3.0.2390a\fau\FAU.x86 (followed by the Enter key), then the dir command (followed by the Enter key).
e. Note: "cd" means "change directory", while "dir" lists the files in that directory. The FAU.x86 folder was chosen because I was using a Windows 7 x86 platform PC.
f. The command volume_dump.exe was run by typing volume_dump.exe (followed by the Enter key), and the following output was recorded:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>cd C:\CGS5131HW1\fau-1.3.0.2390a\fau\FAU.x86

C:\CGS5131HW1\fau-1.3.0.2390a\fau\FAU.x86>volume_dump.exe
C:\CGS5131HW1\fau-1.3.0.2390a\fau\FAU.x86\volume_dump.exe
Forensic Acquisition Utilities, 1, 3, 1, 2390
Volume Dump Utility, 1, 3, 1, 2390
Copyright (C) 2002-2009 GMG Systems, Inc.
Command Line: volume_dump.exe
Windows 7 Ultimate 6.1.7600 Multiprocessor Free(, 7600.win7_gdr.100618-1621)
9/11/2010 7:18:11 AM (UTC)
9/11/2010 10:18:11 AM (local time)
Current User: Edgar-PC\Administrator
Current Locale: English_United States.437
User Default Locale Language: 0x0409

Disk0: ST9160823AS (S/N 4e35304b44444343202020202020202020202020)
HWDetect: \\?\ide#diskst9160823as_____________________________3.bhd___#5&7373962&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Geometry:
  Cylinders: 20673
  Tracks per Cylinder: 240
  Sectors per Track: 63
  Bytes per Sector: 512
  Total Size: 160041885696
  DCO Size: 160041885696
Media Type: Fixed hard disk media
48-bit LBA enabled

Flash Disk (S/N ▼)
HWDetect: \\?\usbstor#disk&ven_usb2.0&prod_flash_disk&rev_2.60#1000000000008997&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Geometry:
  Cylinders: 257
  Tracks per Cylinder: 255
  Sectors per Track: 63
  Bytes per Sector: 512
  Total Size: 2118123520
Media Type: Removable media other than floppy
9/11/2010 7:18:12 AM (UTC)
9/11/2010 10:18:12 AM (local time)

g. The command dd.exe was run so as to make a forensic copy of the USB thumb drive. With the USB thumb drive still write-protected, dd.exe was first run as "dd.exe /?" or "dd.exe --help" to see the help text. The output describing the options if, of, conv, bs, count, skip, --localwrt and --cryptsum was recorded as follows:

bs=[BYTES]              Set 'ibs' and 'obs' equal to BYTES.
conv=[KEYWORDS]         Convert the input as per the comma separated keyword list.
                        The following are valid keywords:
    noerror             Continue reading after errors.
    comp                Compress the output.
    decomp              Decompress the output.
    swab                Swap each pair of bytes.
    notrunc             Don't truncate the output file.
    resume              Resume a broken copy operation (Enterprise level only).
count=[BLOCKS]          Copy only the specified number of input blocks.
if=[SOURCE]             Specifies the source for input; the default is stdin.
of=[DESTINATION]        Specifies the destination for output; the default is stdout.
--cryptsum [ALGORITHM]  Includes one or more cryptographic checksums in the output.
                        "md2", "md4", "md5" and "sha" or "sha1" are supported on all platforms.
                        "sha_256", "sha_384" and "sha_512" are supported on Windows Server 2003 and later.
--localwrt              Enables writing output to a local fixed drive.
--count [BYTES]         Stop after acquiring the specified number of bytes.
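The options above (if, of, conv=noerror, --cryptsum) are easiest to understand by seeing what an acquisition tool actually does with them. The following is an added example in Python; it is not FAU's code and not part of the original paper, and acquire_image, verify_image, run_demo and the constructed SAMPLE data are this example's own names. It images a source in 512-byte blocks, hashes the bytes as they are written (which is what --cryptsum md5 --cryptsum sha1 thumbprint), and shows what conv=noerror changes when a block cannot be read: the image hash is still internally consistent, but it is no longer the hash of the original device.

```python
import hashlib
import os
import tempfile

# Constructed sample "device": 5 full 512-byte blocks plus a 40-byte tail.
SAMPLE = bytes((i * 7) % 256 for i in range(2600))


def acquire_image(src, dst, bs=512, noerror=True, bad_blocks=frozenset()):
    """Copy src to dst in bs-byte blocks while hashing every byte written.

    The hashes describe the image file, which is what --cryptsum records;
    they equal the device's hashes only when every block was read correctly.
    noerror=True mimics conv=noerror,sync: an unreadable block is replaced by
    zeros and the copy continues. noerror=False aborts on the first read error.
    bad_blocks is a test hook that simulates unreadable block indexes; on a real
    device (e.g. \\\\.\\PhysicalDrive1 on Windows, run as administrator) the
    OSError comes from the read itself and bs must be a multiple of the sector size.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total, errors = 0, []
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        idx = 0
        while True:
            try:
                if idx in bad_blocks:
                    raise OSError("simulated I/O error at block %d" % idx)
                data = fin.read(bs)
            except OSError:
                if not noerror:
                    raise
                errors.append(idx)
                fin.seek((idx + 1) * bs)   # skip past the unreadable block
                data = b"\x00" * bs        # zero-fill it in the image
            if not data:
                break                      # end of device
            fout.write(data)
            md5.update(data)
            sha1.update(data)
            total += len(data)
            idx += 1
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "bytes": total, "bad_blocks": errors}


def verify_image(path, md5_hex, sha1_hex, bs=1 << 20):
    """Re-hash an image and compare with the values recorded in the acquisition log."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bs), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest() == md5_hex and sha1.hexdigest() == sha1_hex


def run_demo():
    """Image SAMPLE three ways: cleanly, with block 1 unreadable under noerror,
    and with block 1 unreadable without noerror (which must abort)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "PhysicalDrive1.bin")
        with open(src, "wb") as f:
            f.write(SAMPLE)
        clean_path = os.path.join(d, "clean.001")
        clean = acquire_image(src, clean_path)
        clean_ok = verify_image(clean_path, clean["md5"], clean["sha1"])
        damaged = acquire_image(src, os.path.join(d, "damaged.001"), bad_blocks={1})
        try:
            acquire_image(src, os.path.join(d, "abort.001"), noerror=False, bad_blocks={1})
            aborted = False
        except OSError:
            aborted = True
    zero_filled = SAMPLE[:512] + b"\x00" * 512 + SAMPLE[1024:]
    return {
        "clean": clean,
        "clean_verifies": clean_ok,
        "damaged": damaged,
        "src_md5": hashlib.md5(SAMPLE).hexdigest(),
        "zero_filled_md5": hashlib.md5(zero_filled).hexdigest(),
        "aborted_without_noerror": aborted,
    }


if __name__ == "__main__":
    r = run_demo()
    print("clean image   md5=%s sha1=%s bytes=%d" % (r["clean"]["md5"], r["clean"]["sha1"], r["clean"]["bytes"]))
    print("damaged image md5=%s bad_blocks=%s" % (r["damaged"]["md5"], r["damaged"]["bad_blocks"]))
```

The point to take from the damaged run is that the log's thumbprint is computed over what was written, so a clean hash in the log does not by itself prove a clean read; the acquisition tool's error count (here the bad_blocks list) has to be checked alongside the hashes, and a verification pass like verify_image only confirms that the image has not changed since acquisition.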

The USB thumb drive's device name is \\.\PhysicalDrive1. The dd.exe command below (as recorded in the tool's log) was used to make an image of the USB thumb drive, saved to the hard drive, while computing the MD5 and SHA1 hashes concurrently:

dd.exe --localwrt if=\\.\PhysicalDrive1 of=C:\ conv=noerror --cryptsum md5 --cryptsum sha1

<?xml version="1.0" encoding="UTF-16" standalone="no" ?>
<Security_catalog xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:forensic_acquisition_utilities http://www.gmgsystemsinc.com/fau/forensic_acquisition_utilities.xsd" xmlns="urn:forensic_acquisition_utilities" xmlns:fau="urn:forensic_acquisition_utilities" Version="1.2" SchemaVersion="1.0.0.21" List_Identifier="71d1feb869a75d517b452f77709322a3" Effective_Date="2010-09-11T07:31:29Z" Toolset="Forensic Acquisition Utilities, 1, 3, 0, 2390" Tool="dd, 5, 3, 0, 2390" Command_line="dd.exe --localwrt if=\\.\PhysicalDrive1 of=C:\ conv=noerror --cryptsum md5 --cryptsum sha1" Logged_on_user="Edgar-PC\Administrator" Collection_id="{CEB1A26C-FBD5-4A7D-A773-B2AF4F7A3380}">
  <Security_entry Path="EDGAR-PC_PhysicalDrive1.img" ReferenceNumber="0" Abstract="0" Physical="0" Changed="0">
    <Thumbprint Algorithm="md5" Physical="0" Compressed="0" Changed="0">
      <Hash_value>5005565bf399668d45a7708ba0304e6a</Hash_value>
    </Thumbprint>
    <Thumbprint Algorithm="sha1" Physical="0" Compressed="0" Changed="0">
      <Hash_value>736784f289d0fafb5b936efcc45b156790ac4dc0</Hash_value>
    </Thumbprint>
  </Security_entry>
</Security_catalog>

It was noted that for all the above tools and methods used to create an image, the image log results were the same in Part I, Part II and Part III in terms of the md5 and sha1 thumbprints.

Part IV

a. Write protection was removed by enabling USB write using the "enableUSBwrite" registry fix.


A text file named CGS5131HW1Q4.txt was created and saved in the USB thumb drive's root directory. The date/time stamps were reported as follows:
b. The FTK Imager ver. 2.9.0 from Part II was used to create a dd image, following the procedure in Part II, while the drive was not write-protected. The image log file results containing MD5 and SHA1 were as follows:
c. The created text file "CGS5131HW1Q4.txt" was accessed without being modified, moved, renamed or re-saved. The date/time stamps were recorded as follows:

d. There were no changes in the date/time stamps reported in (c) compared to those in step (a). Therefore I opened the saved text file on the USB thumb drive and saved it back to itself without modifying it. The date and time stamps were then recorded as follows:
e. The FTK Imager used in Part II was used to create an image using the procedure in Part II, and the image log file reports were as follows:
f. The HxD hex editor was used to identify the differences between the two images of (b) and (d).

This was achieved by selecting Analysis > File-Compare > Compare and then selecting the two images to be compared. There was only one byte offset with a difference, as shown in the figure above: at HxD row offset 000400D0, column 06 (absolute offset 0x400D6), the value was 52 in the image of step (d) while it was A5 in the image of step (b).
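The comparison HxD performed in step (f) can also be done programmatically, which is useful when an image is large or when every differing byte has to be listed in a report. The following is an added example in Python, not part of the original paper and not HxD's code; the two images IMAGE_B and IMAGE_D are constructed stand-ins (not the paper's actual images) that are identical except for the byte at 0x400D6, placed there to mirror the result reported above, and hxd_position, compare_images, diff_report and run_demo are this example's own names.

```python
import hashlib

ROW = 16  # bytes per row in HxD's default grid

# Constructed stand-ins for the step (b) and step (d) images (256 KiB + 256 bytes),
# identical except for the byte at 0x400D6.
IMAGE_B = bytearray((i * 31 + 7) % 256 for i in range(0x40100))
IMAGE_B[0x400D6] = 0xA5          # value seen in the step (b) image
IMAGE_D = bytearray(IMAGE_B)
IMAGE_D[0x400D6] = 0x52          # value seen in the step (d) image


def hxd_position(offset, width=ROW):
    """Format an absolute offset the way HxD's grid shows it: row start offset and column."""
    return "%08X - %02X" % (offset - offset % width, offset % width)


def compare_images(a, b, chunk=1 << 20):
    """Return [(offset, byte_in_a, byte_in_b)] for every position where the images differ.

    Whole chunks are compared first so that identical regions (almost all of a
    disk image) are skipped without a per-byte Python loop. Images of different
    size are rejected rather than silently truncated.
    """
    if len(a) != len(b):
        raise ValueError("image sizes differ: %d vs %d bytes" % (len(a), len(b)))
    a, b = memoryview(a), memoryview(b)
    diffs = []
    for start in range(0, len(a), chunk):
        ca, cb = a[start:start + chunk], b[start:start + chunk]
        if ca == cb:
            continue
        for i, (x, y) in enumerate(zip(ca, cb)):
            if x != y:
                diffs.append((start + i, x, y))
    return diffs


def diff_report(a, b):
    """Hashes of both images plus the list of differing bytes, formatted for a log."""
    diffs = compare_images(a, b)
    return {
        "md5_a": hashlib.md5(a).hexdigest(),
        "md5_b": hashlib.md5(b).hexdigest(),
        "count": len(diffs),
        "diffs": diffs,
        "hxd": ["%s  %02X -> %02X" % (hxd_position(o), x, y) for o, x, y in diffs],
    }


def run_demo():
    """Compare the step (b) stand-in against the step (d) stand-in, and (b) against itself."""
    return {"b_vs_d": diff_report(IMAGE_B, IMAGE_D),
            "b_vs_b": diff_report(IMAGE_B, IMAGE_B)}


if __name__ == "__main__":
    rep = run_demo()["b_vs_d"]
    print("md5 (b)=%s  md5 (d)=%s  differing bytes=%d" % (rep["md5_a"], rep["md5_b"], rep["count"]))
    for line in rep["hxd"]:
        print(line)
```

For real images, read each file with open(path, "rb").read() (or map it with mmap) and pass the result to diff_report; the hashes in the report are what should be checked against the MD5/SHA1 values in the two acquisition logs before looking at the offsets. The report only says where the images differ; the next step, mapping that offset to the filesystem structure that owns it, depends on the volume's filesystem, which the paper does not state, so it is not shown here.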