CMIT 424: Digital Forensics Analysis and Application
Lab 2: Integrating Digital Forensics with Incident Response
Guided Practice Exercises
This lab provides guided practice which will help you to develop your forensic analysis skills as you find,
recover, and analyze digital artifacts using a digital forensics analysis tool.
Please complete the Lab 2 lecture and readings before beginning this lab.
Before You Begin
You will be using three different evidence files for this lab. These files are:
● H:\Lab Resources\Resources\Lab2\FD1_05282014a.E01
● H:\Lab Resources\Resources\Lab2\FD2_05282014a.E01
● H:\Lab Resources\Resources\Lab2\FD3_05282014a.E01
(Double click on the Lab Resources icon located on the desktop to navigate to these files.)
Note: WinHex Specialist will only allow processing of raw format data files (.001 extensions). (This is a
licensing limitation.) In a later lab, you will learn how to convert other forensic file formats to raw
format so that you can examine them using WinHex.
Guided Practice #1: Processing Forensic Image Files Using EnCase
In this part of the lab, you will use EnCase to create a Case and then add evidence files to that case.
You will also set processing options for each evidence file to recover active and deleted files and
folders.
The processing options and evidence refinement options selected for evidence files after they are
added to the case will impact how EnCase interprets and reports information found in file system
data structures, data structures contained within files, and information found elsewhere in the
evidence, e.g. within unallocated space or slack space. Processing options can also be used to
control whether compound files (e.g. MS Office documents or ZIP files) are expanded into separate
parts representing metadata, internal data structures, file content, embedded content, etc. You
define such settings later using the “EnCase Processor Options” feature.
1. Create a set of working folders to hold your case for this lab (and future labs) on the VDA
desktop:
● C:\Users\StudentFirst\Desktop\Cases
Copyright © 2019 by University of Maryland University College. All Rights Reserved.
● C:\Users\StudentFirst\Desktop\Backup
Note: Typically, an examiner would have a “Cases” and “Backup” folder created on a non-operating
system drive i.e. not the “C” drive. Given our virtual environment, placing them on the Desktop is a
matter of convenience to facilitate the learning process.
2. Launch EnCase by accessing the Lab Resources folder and then Applications folder from the VDA
Desktop and double-clicking the EnCase icon.
3. Once the application opens to the main page, select “Tools” > “Options” from the main menu
bar. “Options” is the last entry under Tools. Then click the “Fonts” tab.
4. This next step is unique to our virtual classroom environment. Depending on your monitor
specifications and settings, there will be times that the bottom of various EnCase screens will be
difficult to see or access. For this reason, it may be necessary to decrease the font sizes for the
default entries (note: you may opt to not change any font’s sizes initially to determine if these
adjustments are necessary). It is recommended to first decrease each number by 2. For
example, the “Status Bar and Tabs” entry is 11 by default so should be changed to 9. By double-clicking in each font data entry field, you will be able to adjust the font size. For example, after
double-clicking the “Status Bar and Tabs” entry this window should appear allowing the size
change:
Once this has been done for each entry, press enter or click the “okay” button at the bottom of the
screen. For some, you may not be able to see the “okay” button so just press enter. You should see the
screen adjust immediately and will be returned to the EnCase Forensic home page. By going back to the
font settings screen (Tools > Options), the screen should now look as below:
If you are still unable to see the OK button on any future screens, decrease each of the font sizes by an
additional number. Often times, only the “Dialog Boxes” entry needs to be decreased to at least a 7 in
order to view the OK button at the bottom of various windows. Experiment with what works best on
your system.
5. From the EnCase Forensic homepage, click “New Case”.
6. Enter the following information in the New Case Options pop-up window (see below figure):
Left Side of Screen
● Templates: Select “Basic”
● Case Information: Enter as shown (double-click each data field to edit).
Case Number: 424-001
Examiner Name: Your name
Description: Triage of recycled media.
Right Side of Screen
● Name: Lab2
● Base case folder: Navigate to the “Cases” folder on the desktop. As previously mentioned, a
“Case” folder would typically be saved to an alternate drive and not the root of the “C” drive or
other location. For our purposes and convenience, the “Desktop” provides easy access and quick
visibility.
● Check box for “Use base case folder for primary evidence cache”.
● Leave Secondary Evidence Cache blank.
● Leave Backup option unchecked (normally would be enabled but for performance reasons will
be left disabled for training purposes).
● Leave “Maximum Case Backup” size as default.
● Backup Location: Navigate to the Backup folder location on your desktop.
7. Click OK to open the case. Acknowledge “Yes” to “Disable Backup”.
8. This will redirect you to the EnCase Forensic Home Page.
9. Save the current case file by navigating to the menu bar and selecting “Case > Save” (be sure to
routinely save your case; “Lab2.case” will be created in the Lab2 folder in “Cases”):
10. Select “Add Evidence”. This can also be accomplished via the top menu bar.
11. The Add Evidence pop-up window will appear. Choose “Add Evidence file” then click OK.
12. The Add Evidence File pop-up window will appear. Navigate to the
H:\Lab Resources\Resources\Lab2 folder.
13. Select all three files by clicking the first file (FD1_05282014a.E01) and then pressing the CTRL
key while selecting the remaining two files (FD2_05282014a.E01 & FD3_05282014a.E01).
14. Click “Open” to be brought to the “Evidence” tab to view each of the added image files. EnCase
will ingest the evidence files and create a verification hash to ensure it matches the original
acquisition hash of each image file. If these two hashes do not match, the examiner will be
alerted of a mismatch. This information can be found in the View Pane using the “Report” view.
15. In the Evidence window, select “Process Evidence > Process”:
16. The “EnCase Processor Options” window will appear. Maximize this window for better viewing.
● Leave “What to Process” unchanged (all three evidence files in this case).
● Leave “Immediately queue the evidence” selected.
● Leave the “Options Label” unchanged.
17. In the “EnCase Processor Options” area (observe what each function or module does via the
explanations given on the right side of the screen when it is selected):
● Leave “Prioritization” deselected.
● Select “Recover Folders” (click to expand and select option for NTFS 3.0)
● Select “File signature analysis” (selected by default as are some other options)
● Select “Protected file analysis”
● Select “Thumbnail creation”
● Select “Hash analysis”
● Select “Expand compound files”
● Select “Find email”
● Select “Find Internet artifacts”
● Select (also expand module) “Index text and metadata”
● Select the “Modules” folder and expand. Select the “File Carver” module. Select
“Optimized” carving type and select each artifact i.e. email, documents, etc. Leave the
“Search Unallocated” and “Search File Slack” options selected.
● Click “Next” at bottom of file carver window pop-up and then “Finish”.
● Leave remaining modules unchecked.
Under “Modules”, select the file carver options as in the above directions.
* Note that some processing options above include a “!” symbol in front of their name.
This indicates that this process can only be executed during initial processing. Other
options can be executed after initial processing if deemed necessary.
18. Click OK at the bottom of the screen to begin processing. Click “Yes” to the follow-on warning
regarding the “Options Label”.
Note: In some cases, an examiner may want to save specific processor settings for specific types of
cases. They can do this by renaming the Options Label.
19. Observe the progress bar at the lower right of the screen.
20. Once processing is complete, save the case using the main menu bar at the top of the screen (Case > Save).
21. To open all the evidence items at once, select each item in the Evidence window and click
“Open”.
22. Set the time for the entire case (all evidence items) to EST. To do this, highlight the top level
“Entries” icon. Right-click > Device > Modify time zone settings
23. Select Eastern Time (US & Canada) and then OK. The examiner can also right-click on individual
evidence entries in the same manner to set different time zones for each piece of evidence.
24. Verify the list of Evidence Items as shown below. Expand the last entry. Your results should look
similar to those shown below. Note that you can switch evidence views with the “View Entries”
option.
The current view (View Entries) will expand the file structure for analysis. The previous view (View
Evidence) shows all evidence items belonging to the case. Become familiar with toggling between both
views under the “Evidence” tab.
It is recommended that you spend some time with these interfaces to become comfortable and
familiar with navigation. In EnCase, the left pane (Tree Pane) drives the right pane (Table Pane)
which drives the bottom pane (View Pane). Please be sure to also complete all reading
assignments from the EnCase manual to further facilitate your familiarity.
In addition, start exploring the “View” tab from the main menu tool bar as shown below. This is a good
place to go if you are stuck and need to find your way back to a specific tab in EnCase.
25. At this point, we have completed setting up the EnCase case file and could begin our analysis.
BUT, there is one important step that needs to occur FIRST – BACKUP THE CASE (see next
Guided Practice section).
Guided Practice #2: Backing Up a Case with EnCase
In this next section of the lab you will create a case backup and save it to the virtual desktop. You will
also learn how to restore a Case Folder from a case backup.
Creating a backup now and updating it periodically as you process the case will allow you to spread your
lab work across multiple days or to recover your work if your lab session is interrupted.
Creating and Saving a Case Backup
1. With EnCase, there is no need to close the current case in order to back it up. As you will recall, we
have already set up our “Backup” folder on the desktop. This folder will hold your backup
folders and files. In a real-world environment, it is recommended to place the Backup folder on
a separate hard drive, but for learning purposes this is sufficient.
If you recall, we did not enable Backups during the setup of this case for performance reasons,
but the examiner can always initiate a backup when desired.
2. Return to the Home page, View > Home Page. From the top menus, choose Case > Case Backup
> Use Current Case.
3. Choose “Use Current Case”.
4. The “Backups” pop-up window will appear. Highlight (not check) “Custom” and click “Create
Custom”.
5. In the Create Custom Backup window, name the backup “Lab2 Backup” and click OK.
6. Observe the progress bar as the case backup is being created. Upon completion, your screen
should look similar to below.
7. Using File Explorer, navigate to the Backup folder on the Desktop and verify that it contains the
EnCase backup files.
8. Close the Backup window. Save your case in EnCase and then close the case using the options
listed in “Case” dropdown options.
Next, you will need to transfer your Case Backup to a storage location outside of the virtual
desktop. Since the Case Backup folder contains a large number of files it is strongly
recommended that you create a ZIP archive containing the entire folder. You are able to
download a file from within your Workspace to your physical computer. See instructions below:
• Click Download from the top menu bar (This opens the Desktop folder)
• Select the file(s) you want to download or browse to the Desktop to select the file(s) and
click Open
• At this point you get the option to select a location on your Personal Computer to save
the files you want to download
• Select where you want to save the file and click Save
Consider also saving the “Cases” folder to a location in your Workspace as this will contain the
EnCase case file and all the pointers necessary to reload the case if the original evidence paths
have not changed.
9. Create a ZIP archive containing C:\Users\StudentFirst\Desktop\Backup by right-clicking on the
folder name and then selecting Send to > Compressed (zipped) folder
10. The Backup.zip archive file will be created in the C:\Users\StudentFirst\Desktop\Backup folder
11. To transfer Backup.zip to your student Workspace, right-click on the file and select copy.
12. Click on the “Desktop” icon on the taskbar and click paste.
Restoring a Case from a Backup File
1. Click on the “Desktop” icon on the taskbar.
2. Right-click the Backup.zip file and select copy.
3. Right-click on the desktop area in your Forensic workstation and click paste.
4. Right-click on the file and select 7-Zip, then select extract to Backup.
5. Double click on the Backup folder. View the similar file structure below.
6. Now that the backup folder has been copied to the UMUC Virtual Lab, it can be used to restore
the Case files in EnCase.
7. Ensure that all previous EnCase case files are closed and restart EnCase before attempting to
restore. Return to the EnCase Forensic Home Page.
8. Select from the menus Case > Case Backup > Specify Backup Location.
9. Navigate to the “Backup” folder just unzipped in the “C:” drive. Select OK.
10. You should now see the Lab2 backup in the Case Backup Folder highlighted. Since this is the first
case, there is only one current case file. Select OK.
11. The “Case Backup” window will appear. Select Custom under Backups and then select the
backup file. Only select the “Custom” box in the Table Pane (right side). Look at the top menu
bar and ensure that only one item is selected (Selected 1/6).
12. Click “Restore”
13. Select “Restore to new locations”. Then, click Next.
If you cannot see the “Next” button at the bottom of the screen, close the backup windows, and return
to Tools > Options > Fonts and reduce the font number by one additional digit for “Dialog Boxes”. Then
return to this window starting with Step 8.
14. Change the Base case folder location by browsing to the C: drive and “Make New Folder” named
“Case Restore”.
15. Then click Finish. Agree to “Disable Backups” and agree to overwrite any data in the specified
directory which is empty anyway.
16. After the restore is complete (you will see a green progress bar scroll quickly at the bottom of
the window), close the open Restore and Backup windows and return to the Forensic Home
Page.
17. Click “Open” and navigate to the case restore folder on the “C:” drive.
18. Highlight the case name in the Case Restore folder and select Open. Select the Lab2.Case file.
19. Verify that your case contains the evidence files which you previously processed via Browse,
Evidence.
Guided Practice #3: Creating an Evidence Items Inventory in EnCase
In this part of the lab, you will generate an Excel spreadsheet which contains an inventory of the
evidence items recovered from the three evidence files. You will use this inventory later in the lab to
record your comments and analysis for these items (adding annotations). Please note that it will not be
necessary for you to annotate every item. Only those items which support your answers to the case
questions (i.e. are forensically interesting) will require annotations / comments. Other items can be
marked as “N/A” to indicate that you examined the item but found it did not contribute to your overall
investigation of the evidence. Keep this strategy in mind for future examinations and reports.
1. Turn on visibility for all evidence items by clicking the Homeplate icon to the left of the top Entry in
the Tree pane and then select all items by checking the Entries box. (The icons for all evidence
entries in the Tree Pane will turn green to show that visibility is on and selected.) This will cause
all items in the case to be listed in the Table pane to the right. Make sure all items are checked /
selected.
2. In this case, we will rename each of the image files for organizational purposes using the
identifiers FD01, FD02, and FD03 from the top down. In order to rename, right-click on each
piece of media and “rename”. Note that in most cases, this will not be necessary. These images,
however, were received in this manner from IT i.e. labeled “untitled”. This naming convention
was established during the acquisition process.
3. In the Table pane with all items selected / checked, click the hamburger menu to the right and
select “Save as”.
4. Choose the Output Format as “Tab Delimited”. Select “Only Checked Rows”. Select the following
Fields:
● Name
● File Ext
● Logical Size
● File Type
● Last Written
● MD5
● SHA1
● Item Path
● Original Path
● Is Duplicate
5. Rename the output file to “Lab2_evidence_inventory”, select “Open file”, and save to the
Desktop. Click OK.
6. The inventory document should open in Notepad. Once open, highlight all the data via Edit >
Select All. Then copy all the data via Edit > Copy.
7. Minimize Notepad and EnCase Forensic windows.
8. Switch to your Workspace tab and click on “Microsoft Office”.
9. Click on “Excel”.
10. Switch back to the next tab (Lab Broker) and open a blank spreadsheet.
11. Click on the first cell in the spreadsheet to select it (Row 1, Column A).
12. Type Control-V to paste the contents of the clipboard (your file inventory from Notepad) into
the spreadsheet.
Next, we will add a column to the spreadsheet to hold the annotations (“Comments”).
13. Select column D by clicking on the column heading. Then “Insert Sheet Columns”.
14. Type “Comments” (without the quotation marks) into cell D1 (column D, row 1).
Next, you will use Excel’s formatting tools to resize columns, wrap text in columns, and align
text to “top of cell.” These three actions will make your inventory file easier to read and
understand.
15. To begin, select the left-most cell of the column header (selects all cells).
16. While all cells are selected, right-click any column header and select column width. Enter 15
and click Ok.
17. Select Column D, right-click any column header as in the previous step, and select column
width. Enter 50 and click ok.
18. For the MD5 and SHA1 columns, make each wide enough to show the entire number on a single
line (double-click the separator bar between columns H/I).
19. Next, we will set “wrap text” and align text to the top of cells. To begin, select the left-most
cell of the column header (selects all cells).
20. On the Home ribbon, click Format (Cells group) and select drop-down menu for Format and
then select Format Cells.
21. Select the Alignment tab in the “Format Cells” pop-up window.
22. Change the Vertical setting (“Text alignment” group) to “Top.”
23. Check the boxes for “Wrap Text” (“Text control” group)
24. Click OK to accept the changes.
25. As you look at your newly formatted spreadsheet, you will probably see some rows that are too
tall. To fix this, you will change the row height. (Make sure that you have all cells selected; repeat step #22 if necessary.)
26. On the Home ribbon, select the Format tool. Then choose “AutoFit Row Height” from the pop-up menu.
27. Check your overall formatting and adjust column widths / row heights to create a professional
appearance. The sheet should look similar to that shown below.
28. Save the spreadsheet to the Forensic workstation desktop as lastname_Lab2_Inventory.xlsx and
then transfer it to your local PC.
You are able to download a file from within Workspace to your physical computer. See instructions
below:
• Click Download from the top menu bar (This opens the Desktop folder)
• Select the file(s) you want to download or browse to the Desktop to select the file(s) and click
Open
• At this point you get the option to select a location on your Personal Computer to save the
files you want to download
• Select where you want to save the file and click Save
You will include an annotated version of this spreadsheet as part of the Lab2 deliverables that you
submit to your instructor for grading.
In the remaining sections of this lab, you will annotate the inventory by adding comments to the
entries for forensically interesting files or artifacts (e.g. MBR, FAT, unallocated space, etc.). You can
make your annotations in the VDA copy of the file or in a copy that you transferred to your local PC.
The important thing to remember is, you must submit the ANNOTATED version of the file as part of
your Lab 2 deliverables.
Forensically interesting means that the file or artifact contains or provides information that
supports your answer(s) to case questions or provides evidence of wrong-doing / criminal behavior
that must be reported to law enforcement authorities (e.g. child pornography).
Guided Practice #4: Reviewing Processing Results in EnCase
In this section of the lab, you will review the processing results as reported by EnCase, identify
forensically interesting items, and then annotate your Inventory Spreadsheet to record the results of
your analysis for these items.
Before you begin, open your Inventory spreadsheet in Excel. You can edit this file using Excel on the VDA
desktop or you can edit it on your local PC. Annotate (add comments) to the appropriate line items in
the inventory spreadsheet as you work through this guided practice. Please make sure that you save
your work frequently and throughout the course.
Review the Evidence Items Tree
21. Switch back to the CMIT 424 Forensic Workstation.
22. Expand the entries in the evidence Tree Pane (“Homeplate” the arrows to the left of each entry).
23. Deselect the Homeplate for “Entries”. Then Homeplate each evidence entry one at a time and
view the contents in the Table Pane to the right.
(a) FD01
(b) FD02
(c) FD03
24. Click on the volume boot entry for FD01.
25. Review the contents (View Pane) for the FAT1 (primary), FAT2 (secondary), and VBR (volume)
items (click on the item’s name in the Table Pane) for FD01. The contents of these items indicate
that this floppy disk was formatted with a FAT12 file system using a Full Format. Practice using
the “Text”, “Hex”, and other views directly above the bottom View Pane to review the data.
The indicators of this are:
a. The directory contains all zeroes
b. The two FAT tables have been initialized (first three bytes are 0xF0 FF FF; all other
bytes in the FATs contain zeroes)
c. The Volume Boot Record (VBR) specifies the file system type as FAT12
d. The remaining sectors of the disk contain 0xF6 (click on the volume entry then scroll
through the data displayed in the File Contents pane)
26. Select FD02 and FD03 one at a time for analysis.
a. Review the contents of the FAT tables (FAT1 and FAT2) for each volume. Note that
the FAT tables for each volume contain file chains.
b. The starting point for each file chain is stored in the directory entry for the file
(“Starting Sector” field in the directory entry contains the number for the FAT entry
which points to that sector). We will not reconstruct the file chains manually but,
you should be aware that this can be done even if the root directory and/or
subdirectories have been corrupted or wiped. After the list of sectors has been
recovered from the FAT, an attempt can be made to manually recover “lost” files.
Each file chain in a FAT is a forward linked list in which each entry points to the entry for the next sector
in use by a given file. Each FAT entry gives you two pieces of information. The entry’s position (entry
number) corresponds to a sector (or cluster). The contents of each FAT entry (its value) provide a
link to the next FAT entry in the chain. Entries set to 0xFF represent the end of file (last sector in the
file). Entries set to 0x00 are not in use and are available for allocation to a new file.
When a file is deleted, the file chain entries are set to zero. This marks the associated disk sectors as
“free” and makes them available for reuse. The actual contents of the sectors remain unchanged
and may be recovered using data carving or file carving.
The directory entry for a deleted file remains in the directory. The first byte is set to 0xE5 to mark
the entry as deleted. The file name, file size, and create / modify / access time stamps remain
unchanged and can be recovered / interpreted as part of your examination. EnCase will list the
directory entry information in the File List pane and will overlay the file type icon with a red X.
(WinHex marks deleted files in a similar fashion.)
27. Before you leave this section, check your inventory annotations to make sure that you have
recorded the required information from your review of the evidence. You should have
comments that address the following:
a. MBR/VBR entries: identifying information (volume names, software types &
versions)
b. MBR/VBR entries: file system type and/or format (e.g. FAT12, FAT32, NTFS, HFS)
c. Unallocated space (or other artifact where found):
i. indications that the media was formatted or reformatted (quick format,
low-level format)
ii. attempts to sanitize the media (disk wipe)
Review the Hash Values & Identify Duplicate Files
1. Turn on visibility for all evidence items by clicking the homeplate icon to the left of the top-most
entry in the Evidence tab Tree Pane. (The icons for all entries in the Tree Pane will turn green to
show that visibility is on.) This will cause all items in the case to be listed in the Table Pane (to
the right).
2. Review the contents of the Table to make sure that you can see all items in the three evidence
files. You should have 85 items.
3. Double click on the MD5 column heading in the Table Pane. This will sort the entries by their
hash values. If necessary, expand the width of the MD5 column to display the entire hash value.
4. Scroll through the files listed in the Table Pane to find duplicate MD5 hash values and review the
contents of the files. Note that in EnCase you can drag the columns to different locations (left or
right) if you choose. In the below Table Pane, we dragged the MD5 column next to the Name
column. We then used the “Doc” view for the View Pane.
To view the contents of a file, click on the file in the Table Pane. Then view the contents using the
View Pane via the Hex, Text, Doc, Picture, etc. options to examine the file.
Files that have the same MD5 hash value are duplicates of each other. These files will appear together in
the sorted file list. Check the file path to see if the duplicate items occur within the same evidence file
(same floppy disk) or if they occur in differing evidence files (different floppy disks).
5. Annotate the entries in your file inventory which correspond to the duplicate files. Include a
brief description of the contents of the file, e.g. a business letter or a note providing a meeting
time or location. You should make note of which entries (by file name and Excel inventory #) are
duplicates of each other.
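The same duplicate review can be scripted against an exported file inventory. This is an added example, not part of the original lab: the CSV column names (Name, MD5, Full Path), the path layout with the evidence file name as the first component, and the sample rows are all assumptions constructed for illustration. It also handles two cases that a sorted MD5 column hides: entries with no hash (folders, deleted files without content) and zero-length files, which all share one MD5 value and are not meaningful duplicates.

```python
import csv
import hashlib
import io
from collections import defaultdict

EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # every zero-length file hashes to this

def find_duplicates(csv_text):
    """Group inventory rows by MD5 and say where each duplicate set lives."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        md5 = row["MD5"].strip().lower()   # normalise case before comparing
        if not md5 or md5 == EMPTY_MD5:
            continue                       # unhashed entry or empty file
        groups[md5].append(row["Full Path"])
    report = {}
    for md5, paths in groups.items():
        if len(paths) < 2:
            continue
        # Assumption: the first path component names the evidence file.
        evidence = sorted({p.split("\\", 1)[0] for p in paths})
        scope = ("across evidence files" if len(evidence) > 1
                 else "same evidence file")
        report[md5] = {"paths": sorted(paths), "evidence": evidence,
                       "scope": scope}
    return report

# --- constructed sample inventory (file names and contents are made up) ---
LETTER_MD5 = hashlib.md5(b"constructed business letter").hexdigest()
NOTE_MD5 = hashlib.md5(b"constructed meeting note").hexdigest()
PHOTO_MD5 = hashlib.md5(b"constructed picture bytes").hexdigest()

def build_sample_csv():
    rows = [
        ("Letter.doc", LETTER_MD5, "FD1_05282014a\\Letter.doc"),
        ("Copy of Letter.doc", LETTER_MD5.upper(),
         "FD2_05282014a\\Docs\\Copy of Letter.doc"),
        ("note.txt", NOTE_MD5, "FD3_05282014a\\note.txt"),
        ("note2.txt", NOTE_MD5, "FD3_05282014a\\Old\\note2.txt"),
        ("empty1.txt", EMPTY_MD5, "FD1_05282014a\\empty1.txt"),
        ("empty2.txt", EMPTY_MD5, "FD2_05282014a\\empty2.txt"),
        ("Docs", "", "FD2_05282014a\\Docs"),
        ("Deleted.xls", "", "FD1_05282014a\\Deleted.xls"),
        ("photo.jpg", PHOTO_MD5, "FD1_05282014a\\photo.jpg"),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Name", "MD5", "Full Path"])
    writer.writerows(rows)
    return buf.getvalue()

SAMPLE_CSV = build_sample_csv()

if __name__ == "__main__":
    for md5, info in find_duplicates(SAMPLE_CSV).items():
        print(md5, info["scope"])
        for path in info["paths"]:
            print("   ", path)
```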
Review the Evidence Files by File Category
1. Double-click the “Category” column in the Table Pane to sort on it. Note that in this example the
“Category” column was dragged over to sit next to the “Name” column for convenience. Holding
down the “shift” key and double-clicking on the “Name” column applies a second sort. EnCase
allows sorting on up to three columns at once.
Be sure that all the data is “homeplated” (arrows are green in the Tree Pane) for all three evidence
items.
2. Explore the other types of file category groupings.
3. Navigate to the “Email” files in the “Category” column in the Table Pane. To speed your search,
just type “email” from anywhere in the “Category” column. This feature works similarly for all
columns.
4. Review the different view fields that are available to you i.e. Report, Text, Hex, Doc, Transcript,
Picture, and Console. Each option provides information in a different format. For the above
email file, try the “Transcript” view.
5. Go back to the “Doc” view and click on the attachment hyperlink to open.
6. Now view this file using the “Report” option in the View Pane and observe the property info that
is available.
7. Navigate to the “Picture” files in the “Category” column in the Table Pane. To speed your search,
just type “picture” from anywhere in the “Category” column.
8. A more effective way to review the Picture files in a case (or specific evidence item) is to use the
“Gallery View” for thumbnail views of all picture files.
9. Click on a thumbnail and explore the data below in the View Pane using various views such as
Text, Transcript, etc. This information can contain GPS locations, names of photographers, and
comments about the image. You may also find that the comments fields contain messages,
phone numbers, etc. Metadata which is of forensic interest should be noted in the inventory
annotations for the graphics file.
10. Select the (7) Image1.JPG file in the Gallery. View using different options in the View Pane. Note
the information when using the “Transcript” view and record it in your annotated file inventory.
The name of the author is in the EXIF data.
11. Continue reviewing all graphics files in the case to determine if there are visual or metadata
components which contain information that contributes to answering the case questions or
which contains pornography, contains images of contraband, or shows prohibited or illegal
behavior.
Export a File for Further Analysis
Occasionally, you may find a file that requires the use of another tool to analyze its contents. This is
particularly true in the case of graphics files where there is a need to extract and analyze both the visual
and the metadata information.
1. Scroll down to the (18) Purple.PNG file in the Gallery.
2. Export Purple.PNG so that you can open it with another tool to make the tone-on-tone
embedded text more readable. To export the file, right-click on the file picture in the Gallery,
select “Entries > Copy Files”. Not Copy!
3. Keep the defaults and select “Next”.
4. Keep the defaults and select “Next”.
5. Change the location to save to “Desktop” and then “Finish”.
6. Review the export/copy results on your Desktop. Note that this is the technique for exporting
any type of file in EnCase.
7. In this case, we can see that there is some type of writing in the graphic image. The image file
can be inserted into an MS Word or MS Power Point document and then edited to improve the
contrast. This can make it easier to read and decipher the writing. You would need to first copy
this file to the virtual desktop environment for access to those applications.
[Figure: the original image beside the adjusted image. Adjustment: Select Image > Format > Corrections > Picture Corrections Options > Increase Brightness & Enlarge]
8. In a later lab, you will need to use this technique for locating GPS coordinates to obtain an
address or other information about the geographic location. If you type these GPS coordinates
into a Google search you will get the following information. You should record this in your
annotated file inventory entry for Purple.PNG.
9. Locate Image05182014c.GIF in the Gallery. This file appears to be a picture taken with a camera
of some type.
10. Export this file to the desktop.
11. In the File Explorer window, right-click on the filename and select properties from the pop-up
menu. Switch to the “Details” tab to view any comments which have been entered into the file’s
metadata.
12. In the case of this particular picture, the metadata from the camera has either been removed or
the camera was set up to not insert the date/time/location information into the file’s metadata.
You should record this finding in your annotated file inventory.
Review Evidence Items by File Status
13. Next, switch from the Gallery View to the Table Pane which will show the file listing. Find the
“Description” column and double-click to sort. Find the “File, Deleted” entries. This will display
the deleted files. These files are constructed from deleted directory entries (the first byte of the
directory entry contains 0xE5).
14. As you examine the deleted files reported by EnCase, you will find that the file contents were not
recovered for most of the files. This is due to the file chain entries being set to zero during the
deletion process. We will learn how to recover the contents of deleted files in a later lab.
15. Click on the “Protected” column. Drag this column next to the “Name” column.
16. The files reported in this category are both MS Office files. Annotate your file inventory to show
that these files were encrypted.
According to Microsoft’s MS Office file format documentation, an Open password is used to encrypt
the file contents for .doc files. EnCase provides a utility which can be used to recover file open
passwords using the file structure (as defined by Microsoft) and the encryption algorithms used by
the applications associated with the files.
In Guided Practice #6 of this lab, you will learn how to use EnCase and Passware to set up a password
recovery job.
* The Evidence Processor's protected file analysis uses Passware's toolkit to identify the protected
files. The strength of protection is stored so that you can first try to decrypt weaker passwords
before applying them to more complex protection.
Guided Practice #5: Password Recovery Procedure
Processing times for password recovery (“password cracking”) vary by the length and complexity of the
password, the encryption algorithm used by the software application to encrypt the file, and the speed
of the computer system being used to run the recovery.
In this part of the lab you will first attempt to recover a password for a file that you create. (You will
launch Passware Kit from the desktop icon.)
1. Switch to the Workspace tab and click on “Microsoft Office”.
2. Click on “Word” to open.
3. Switch back to the next tab (Lab Broker) to open a blank MS Word document.
4. Download this document to the Workspace. Paste the following text into a blank document (see
http://www.lipsum.org for an explanation of what this text represents):
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Etiam ex nunc, lacinia sit amet lorem sit
amet, tristique sagittis augue. Morbi egestas ligula eros, quis auctor lacus tempor auctor.
Pellentesque eu ex sagittis, molestie enim sit amet, auctor purus. Duis id placerat sem.
Curabitur augue nunc, cursus id aliquam et, congue quis elit. Mauris eget tristique est.
Vivamus eu blandit risus, eu placerat leo.
5. Click on the File Ribbon. The Info page will be displayed (if not, select Info from the left hand
menu).
6. Click on the down arrow in the Protect Document icon to bring up the menu.
7. Select “Encrypt with Password” from the menu.
8. Type a 3-letter dictionary word as your password. Use lower case letters only! Suggested words:
can, but, ask. Re-enter the password when asked.
9. The Protect Document item will change to a gold background to denote the presence of the
password.
10. Select Save-As and save the file to the Desktop. Use the suggested filename (Lorem ipsum dolor
sit amet.docx) or select one of your own.
11. Close and exit from MS Word.
12. Verify that your file is password protected by opening it (double-click on the icon for your test
file). You should see a request asking for the password.
13. Verify the password that you set by entering the password to open the file. The file should open
and display the Lorem Ipsum text.
14. Close the file.
15. Click on the desktop icon on the taskbar, right-click on the Word file and select copy.
16. Switch back to the CMIT 424 Forensic Workstation.
17. Launch Passware Kit Forensic Demo using the shortcut found on the Desktop in the Desktop
folder “Forensic Tools.”
18. Drag the icon for your test file from the Desktop into Passware or use the “Browse” feature to
add.
20. Select “Use Predefined Settings” (default option), click “Recover”.
21. Password should be cracked in less than a minute depending upon processor speeds.
22. The password for Letter_100.doc discovered during our examination is a combination of a five
letter English dictionary word followed by three numeric characters. The dictionary word
contains both upper-case and lower-case characters. This password is sufficiently complex that
it would take several days (or longer) to recover using a standard laptop computer (or the virtual
desktop).
23. The process, however, would be the same to crack this file. First, export the encrypted file to the
Desktop as we did with the picture files in Guided Practice #4 and then add to Passware Kit.
Note that while this product is in the procurement process, the demo version will be available
which is capable of cracking the first three characters of a password.
Hint: The last 5 characters are ***er123; refer to the password described in step #22.
Keep this password in mind for future lab exercises!
Guided Practice #6: Report Writing
In this lab, you learned how to use EnCase and Passware to examine and triage evidence from multiple
sources (image files) as part of a computer security incident investigation into apparent violations of
company policies. You also began an annotated file inventory in which you recorded findings related to
specific files, directories, and file system data structures.
In the final “Guided Practice” for this lab, you will independently complete the computer security
incident investigation (see Case Scenario and Case Questions in the Lab2_Content.docx file) and prepare
a brief memo-format report of your findings.
Deliverables
Your deliverables are as follows:
1. Incident Summary Report
(Use the Summary Report Template located in Week 2 Activities)
In this deliverable, you should provide information about the computer security incident
response investigation that you conducted using the three forensic image files for Lab 2 and the
specified forensic tools (EnCase and Passware). You should also address the computer security
incident as presented in the lab scenario.
Your memorandum should contain a summary of: (a) tools used (names, versions), (b) significant
findings (use your annotated file inventory and include item names and descriptions) and (c)
other relevant information.
2. Triage Table (see discussion and instructions in the “CMIT 424 Lecture #2 - Read Before
Attempting the Lab” document)
Table 1. Triage Table: Files & Artifacts Requiring Further Investigation
Evidence Tag (Storage Media ID) | File Name & Path | Description of Contents | Triage Category
3. Annotated File Inventory (Excel spreadsheet)
Your Excel spreadsheet file should include the Encase-generated file list and metadata. There
should also be a column which contains your brief annotations for individual files (Excel has a
hard limit of 256 characters per cell. Your annotations should not be more than 50 – 100
characters per file or data structure.)
It is not necessary to annotate every file or data structure listed in the file inventory, but your
annotations should include the following types of information:
a. indications that the media has recently been formatted
b. attempts to sanitize the media (disk wipe)
c. attempts to delete or remove individual files or folders
d. presence or absence of metadata (internal to files) providing names of authors
or other indications as to who created, copied, or modified information present
on the media
e. presence of password protection or encryption (including passwords if
recovered)
f. files or folders related to business records including documents, electronic mail,
memoranda, notes about meetings, spreadsheets, etc.
g. attempts to hide data or otherwise conceal information in images
Grading for Lab Deliverables
1. Incident Investigation Summary Report 50%
a. Overview 15%
b. Findings & Answers to Case Questions 15%
c. Description of Analysis & Processing 15%
d. Evidence Handling (including use of hash values) 5%
2. Triage Table 20%
3. Annotated File Inventory 15%
4. Professionalism 15% (formatting, grammar, spelling, punctuation, etc.)
Examiner Name
CMIT 424
**Remove / replace all red writing prior to submission**
To: Requestor Information
Title: Case Title, i.e. Suspect Name & Type of Case
Date: Report Date
Case #: XXXXXX
Date item(s) received: Date received by examiner
Item(s) Submitted for Exam:
Item# | Description | Make | Model | S/N#
Case Summary:
A summary of the request, i.e. by whom, why, what is being asked to search for and recover,
etc. Why is this examination being conducted?
Legal Authority:
Search warrant, consent, government/organizational property, etc.
Software Tools Used:
Tool Name | Version | Used For
Ex. Windows 10 | 10.0.17763 | Operating system of forensic laptop.
Hardware Tools Used: (simulate write blocker(s) and system information)
Tool Name | S/N# | Used For
Ex. Tableau TD2u | #12345 | Hard drive imaging.
Preliminary Findings:
This is a synopsis of what you found of forensic value i.e. Out of analyzing “x” number of
files, “x” were of forensic value; briefly describe the types of files discovered (you'll get into
the details in the next section).
Also briefly describe the partition and file structure of the media examined i.e. partitions,
volume names, sizes, files systems.
Details of Examination: (This will typically be the longest part of this document. It is more than
just answering the case questions! Please be sure to read the
assignment deliverables carefully at the end of each lab).
Describe your examination procedures performed, i.e. signed for items for examination,
photographed evidence, conducted pre/post hash (describe why you perform hash analysis; show
both acquisition and verification hash sums), describe tools validation procedures
(your forensic hardware and software), anti-virus scans conducted.
Documentation of results to include answering questions detailed in the request, etc. This is
where the files of forensic interest are reported on and linked to the case questions /
scenario. Findings should be described not just with words but with snippets, screen shots, and
addendums when practical.
If you feel that some detailed findings would be better placed in an addendum that is fine.
Including triage tables, snippets of your findings, and other visual aids will better visually
guide the reader so consider using those in the labs and definitely the FR1 and FR2
assignments. Remember that readers of these reports are often not technical by trade.
Including an evidence photo(s) is also best practice (see Addendum A).
Conclusion / Recommendations:
State the facts only and avoid opinion / emotional explanations. Detail any further
examinations that may be required, interview questions of subject(s) if applicable, what
could further be done in the investigation from the outcome of your examination, etc.
Disposition of Evidence:
Document here the disposition of the items submitted for exam, i.e. stored in evidence
control, returned to requestor etc.
Report End
Addendum A: Photos
Simulate with pictures of similar devices you can find on the Internet. It is best practice to
include a picture(s) of the evidence you examined. For example:
The following is a photograph of Lenovo Laptop, Model 7834, Serial #765432.
PICTURE(s) SHOWN HERE (find an example using “Google Images”)
You may want to include the hash values in this area and just refer the reader to Addendum A
in the main document.
Example:
The following details the forensic image processing.
Example: Seagate Hard Drive, 250GB, Serial #12345:
Digital Forensics Examiner (DFE) created forensic evidence files of XXXX drive #XXXX.
The pre-processing hash results are presented below:
MD5 checksum: XXXX
SHA1 checksum: XXXX
The forensic processing subsequently created XXXX (X) files (simulated).
Forensic Evidence Files Created: XXX.E01 – XXXX.E04 (example with four files)
The forensic imaging process involved a post processing hash verification of the contents of the
evidence file compared with the pre-processing hash. The hash analysis is presented below.
MD5 checksum: XXXX: verified
SHA1 checksum: XXXX: verified
The forensic imaging process successfully created a forensically sound and verifiable bit stream
copy of the hard drive in the form of forensic evidence files.
Addendum B: Steps Taken
These are your notes on the steps you took while conducting the examination. Often, the
examiner must submit their notes along with the forensic report if a case goes to court.
I recommend just numbering your steps i.e. 1, 2, 3 in chronological order.
Start with how you received the media and describe how you sterilized it.
For example:
1. Original USB drives and CD-Rs received from R. Jones. Items labeled and chain of custody
(COC) documentation initiated.
2. Forensically sterilized target media prepared using Paladin vX.XX.XXX. After launching the
Paladin tool, the target media was physically connected to the workstation running Paladin.
Target media was wiped and verified using the command “sudo dcfldd pattern=00 vf=/dev/sdc”.
Results were a match, verifying the target media was forensically sterile.
3. Describe your analysis steps.
4. cont'd
Include as many addendums as necessary to fully describe your findings. Ensure that all
addendums are referenced from the summary report.
Consider inserting “Bookmarks” (information that you have determined is of evidentiary value)
from your EnCase examination either into the “Detailed Findings” section in the summary
report template or as a separate addendum to fully describe your findings and answer the case
questions (each week’s Lab Lecture document will describe the scenario and case questions to
be answered).
Remember to spell check your work before submitting.
UMUC Virtual Labs
Table of Contents
Getting Started
    First time accessing UMUC Virtual Lab Environment
    HOME View
    DESKTOPS View
    APPS View
The UMUC Lab Broker
    What is the UMUC Lab Broker?
    Opening the Lab Broker
    Using the Lab Broker to Access the Lab VMs
    Destroying Lab Resources
Credentials to access the Lab VMs
Obtaining Lab Assistance for UMUC Labs
Getting Started
First time accessing UMUC Virtual Lab Environment
You can access your Virtual Lab environment, your student Workspace, by navigating to this portal,
https://vdi.umuc.edu. The UMUC Virtual Lab environment is accessible using any major browser
such as Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge and Safari. Your lab
environment and applications have already been configured based on the course(s) you are currently
enrolled in.
HOME View
The portal is made up of three views, the HOME, APPS and DESKTOPS views. Upon accessing
your Virtual Lab environment, you will be presented with your HOME view by default. On this
view, you will be presented with groups of applications made available to you based on your
course, lab work and other productivity needs. These groups of applications (i.e. Cyber Programs,
Data Analytics Program, Microsoft Office, and Productivity) will be presented in a carousel as
depicted below.
DESKTOPS View
The DESKTOPS view will provide you access to a full virtual desktop. Some classes will require
access to a full virtual desktop to complete the course exercises. Upon clicking the DESKTOPS
icon to access this view, you will be presented the Virtual Desktops available to you based on
your course(s).
To open a Virtual Desktop, you just need to click the intended Virtual Desktop. This will open in
another tab within your browser to access the Virtual Desktop as shown below.
APPS View
On the portal, you will also be able to access the “Apps” view. This view will show you all
applications that you have access to for your course(s), lab work and other productivity needs.
You are able to open these applications from this view by simply clicking on their icons. The
application will open a new tab within your browser where it will be ready for use.
From this view, you can also bookmark an App to be accessible from your Home view by
marking it as “Favorites”. This is done by clicking to select (turn yellow) the star on the top left
corner of the Apps button.
The UMUC Lab Broker
What is the UMUC Lab Broker?
Located in the Virtual Lab environment (your Workspace), the UMUC Lab Broker is an application that
allows you to access the lab virtual machines (VMs) needed for your course(s).
Opening the Lab Broker
Under the APPS view of the portal, you will see the icon for Lab Broker. You may open this
application by clicking on its icon and it will open in a new tab in your browser. Once the application
is open, it will display your course(s) name(s) and provide you access to the lab resources for your
course(s).
Using the Lab Broker to Access the Lab VMs
Once you open the Lab Broker, you will see a new window open. Each of your courses that
contain labs will be listed here in the interface.
If you are accessing the lab for the first time, after expanding the list of nodes available for your
course, you’ll notice that the “Connect” and “Start” button are grayed out and only the “Allocate
Lab” button is clickable. Click on “Allocate Lab” to activate the nodes.
Within each course block (e.g., CMIT 424), you will see the various machines needed for your
labs. Follow your lab instructions regarding which machines to access for each lab assignment. To
connect to an individual lab machine, simply click the “Connect” icon.
Destroying Lab Resources
Clicking the “Destroy” button allows you to DELETE the existing nodes within that course and
gives you the option to reallocate BRAND NEW machines.
Credentials to access the Lab VMs
User ID: StudentFirst
Password: Cyb3rl@b
Button
Use
If you’re accessing the lab for the first time, you will need
to request that lab machines be set aside for your use.
Clicking this button provides those resources to you.
Clicking this button starts allocated lab machines.
Using this option will destroy your currently allocated lab
resources.
Once your machines are available and running, the connect
option will become available. Clicking this will link you to
the new lab machine. **
Use this button to start an individual lab machine. Once the
machine is started and running, the connect option will
become available.
The icon next to the IP address lets you copy the IP address
and paste it in applications or tools used to connect to that
node.
**Note: The first time you attempt to connect to a Windows machine and a Linux machine, you
will receive a pop-up notification (External Protocol Request) that will ask you to approve the
Lab Broker to open your lab machines. For convenience, it is recommended that you select
“Remember my choice for all links of this type”. Next, click “Launch Application” to proceed to
the lab environment.
Obtaining Lab Assistance for UMUC Labs
Primary support for labs is available from a team of trained professionals. Lab Assistants
(LAs) will help with technical issues associated with the environment or with the virtual
machine(s) created so you can perform your lab exercises. Note that LAs are not instructors or
teaching assistants. Therefore, course or project content-related issues, which require subject
matter expertise, should be directed to the instructor.
To obtain lab assistance, e-mail undergraduatecyber@umuc.edu with the following information
in the body of your email.
● Your Full Name:
● Student ID:
● Your User ID:
● Preferred E-mail:
● Your Course & Section Number:
● Detailed description of the issue:
● Machine Type (PC, tablet, mobile device):
● OS Type and Version:
● Browser Type and Version:
*** Provide any available information related to the issue that you are experiencing and attach
any screenshot that you may be able to produce.
Once you send an e-mail, a ticket is created based on the information you provided. The next
available lab assistant (LA) will contact you to provide help within a 24-hour period. As needed,
a Google Hangout, a Zoom session or a phone call may be scheduled by the LA. An LA may need
a remote support session with you to expedite resolution. Please make yourself available.