Digital forensics

Anonymous
Asked: Jul 2nd, 2018
$40

Question description

Please see detailed instructions in the attachments.

Before you begin your analysis of Internet and network activity, you should review the following readings about tools and techniques that can be used to reconstruct Internet activity.

  1. Oh, J., Lee, S., & Lee, S. (2011). Advanced evidence collection and analysis of web browser activity. Digital Investigations, 8, S62–S70. Read the original paper and review the DFRWS 2011 conference presentation.
  2. FTK User Guide (access the PDF file from the FTK help menu)
    • Chapter 19: Examining Email
    • Chapter 22: Examining Miscellaneous Evidence: Examining Internet Artifact Data
    • Chapter 25: Searching with Indexed Search
  3. Wireshark User Guide (access the help file from the Wireshark help menu)
    • Chapter 6: Working with Captured Packets

Note: The version of FTK that has been licensed for student use in the VDA does not include the Visualization component. You may, however, find useful pointers, charts, and techniques for generating activity charts and timelines in the FTK User Guide's chapters on visualization.

Lab 6 Overview

In this lab you will search for and recover Internet usage information from one or more forensic images and one or more packet capture (PCAP) files as provided by your instructor. Your focus should be upon finding and documenting answers to the case questions as provided in the lab scenario. Your presentation of your findings should be succinct. This means that you will need to apply your best judgment as to which information should be included in your report and which information should be omitted.

Note: in your reports and tables you should clearly identify which items were found in which evidence files.

CMIT 424: Digital Forensics Analysis and Application
Lab 6: Analysis of Internet and Network Activity

Introduction

Before you begin your analysis of Internet and network activity, you should review the following readings about tools and techniques that can be used to reconstruct Internet activity.

  1. Oh, J., Lee, S., & Lee, S. (2011). Advanced evidence collection and analysis of web browser activity. Digital Investigations, 8, S62–S70. Read the original paper and review the DFRWS 2011 conference presentation.
  2. FTK User Guide (access the PDF file from the FTK help menu)
    • Chapter 19: Examining Email
    • Chapter 22: Examining Miscellaneous Evidence: Examining Internet Artifact Data
    • Chapter 25: Searching with Indexed Search
  3. Wireshark User Guide (access the help file from the Wireshark help menu)
    • Chapter 6: Working with Captured Packets

Note: The version of FTK that has been licensed for student use in the VDA does not include the Visualization component. You may, however, find useful pointers, charts, and techniques for generating activity charts and timelines in the FTK User Guide's chapters on visualization.

Lab 6 Scenario and Case Questions

A laptop and several USB drives from the offices of Practical Applied Gaming Solutions, Inc., have been sent to your lab for analysis. This laptop was returned to the company by a former employee several weeks after the employee's unexpected resignation. A single USB drive was found in a deep pocket in the laptop carrying case. During case triage, it was determined that VMWare was installed on the laptop. Several folders containing virtual machines were also found. A forensic image (E01 format) was created from each of the virtual disks (VMDK files) by a forensic technician using FTK Imager. You have been asked to contribute to the investigation by reconstructing the usage of one of the virtual machines from the contents of the associated VMDK file. The chain-of-custody log states that this file contains an image of a Windows 7 system disk. You were also given an E01 image from the USB drive that was found in the laptop carrying case.

The lead investigator has asked you to address the following case questions about Internet artifacts and usage history.

  1. What web browsers and other Internet applications were loaded and available for use in the VM?
  2. Who used the web browsers and Internet applications? (More than one user?)
  3. What websites or IP addresses were accessed by users of the VM? Are any of these network hosts blacklisted or otherwise suspicious in nature?
  4. Was the VM used to send or receive electronic mail messages? What information was contained in these messages? Who were the recipients?
  5. Are there indications of an intent to hide or obscure Internet activity and/or other uses of the VM?
  6. Are there indications of an intent to use the VM to facilitate illegal or unethical behavior? (Unethical includes actions that are contrary to the employer's best interests or that violate the company's Acceptable Use Policy while using company resources, such as the laptop on which the VM was found.)

Copyright © 2015 by University of Maryland University College. All Rights Reserved.

Lab 6 Overview

In this lab you will search for and recover Internet usage information from one or more forensic images and one or more packet capture (PCAP) files as provided by your instructor. Your focus should be upon finding and documenting answers to the case questions as provided in the lab scenario. Your presentation of your findings should be succinct. This means that you will need to apply your best judgment as to which information should be included in your report and which information should be omitted.

Note: in your reports and tables you should clearly identify which items were found in which evidence files.
The lab scenario and case questions are your starting point for this investigation. You must develop and execute your own strategy and procedure for conducting the required forensic examination. At a minimum, you should perform the following tasks:

    • Document the system configuration for the virtual machine using registry files (computer name, operating system name, operating system version, and installation date, at a minimum).
    • Analyze Windows registry files to find information related to Internet activity (including the IP address of the target computer).
    • Find and analyze artifacts related to or containing electronic mail messages.
    • Analyze the contents of the web-browsing histories and file caches for each of the installed web browsers. Your analysis should include (a) visited web pages, (b) searches and search terms, and (c) downloaded files.
    • Using Internet tools such as WhoIS (http://www.who.is), determine the ownership and registration information for suspicious websites or domain names found in the browsing history, browser cache, or packet capture files.
    • Using Wireshark, analyze the packet capture streams (pcap or pcapng files) found in the forensic image. Identify URLs, IP addresses, and domain names that were accessed.
    • Construct a timeline showing significant Internet activity. Pay special attention to any timeline anomalies that may be present in the forensic image.

You will find that a large number of files in the forensic image have been wiped (contents set to 0x00). The contents of these files are not important to this lab and the wiping should not be reported as part of your examination. The directory information (file names and create/modify/access dates) for all files, including those that were wiped, is correct and accurately reflects system usage. The directory information is important to this lab and should be used in your analysis.
You are expected to use appropriate tools and techniques during your analysis of the provided files. Document your processes, procedures, and findings using a memo format report (five pages maximum). Provide your timeline of Internet usage (table format) and your analysis summary tables as attachments to your memo. The tables are not included in the maximum page count but you should include only the information necessary to explain or support your findings.

Required Software

    • Forensic Toolkit FTK
    • Registry Viewer
    • MS Excel (or equivalent spreadsheet application)
    • Wireshark

Deliverables

  1. Incident Investigation Summary Report: a memo-format report summarizing answers to the case questions and providing documentation as to the tools, techniques, and procedures used in this lab.
  2. Your report should include high-level analysis summaries in table format for:
    a. network activity (MAC addresses, IP addresses, domain names, etc.)
    b. email and webmail
    c. web browsing history
    d. ownership/registration information for suspicious websites or domain names
    e. names and contents of suspicious files
    f. timeline for Internet and Network Activity

Note: Your “high level summaries” of your analysis results should be *summaries* not a compendium of every piece of information found in the image. Focus on providing data which provides support to your answers to the case questions. Irrelevant information should not be included.

Grading for Lab Deliverables

  1. Incident Investigation Summary Report 50%
    a. Overview 15%
    b. Findings & Answers to Case Questions 15%
    c. Description of Analysis & Processing 15%
    d. Evidence Handling (including use of hash values) 5%
  2. High Level Summaries (attachments or internal to memo) 35%
    a. network activity (MAC addresses, IP addresses, domain names, etc.)
    b. email and webmail
    c. web browsing history
    d. ownership/registration information for suspicious websites or domain names
    e. names and contents of suspicious files
    f. timeline for Internet and Network Activity
  3. Professionalism 15% (formatting, grammar, spelling, punctuation, etc.)

Lab 6 Outcomes

The following table lists the Lab 6 outcomes mapped to the corresponding course outcomes.

Lab 6 Outcomes
    • analyze and interpret network and Internet activity
    • identify and document processing issues
    • analyze and interpret recovered data
    • prepare brief report summarizing findings

Course Outcomes for Lab 6
    • apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital artifacts
    • select and apply the most appropriate methodology to extract data based on circumstances and reassemble artifacts from data fragments
    • analyze and interpret data collected and report outcomes in accordance with incident response handling guidelines
CMIT 424: Digital Forensics Analysis and Application
Lab 6: Analysis of Internet and Network Activity

Introduction

In this final lab for the course, you will perform a series of guided practice exercises in which you search for and recover Internet usage information from one or more forensic images and one or more packet capture (PCAP) files as provided by your instructor (see folder H:\CMIT424\Lab6 in the VDA). These exercises are different from earlier labs in the course since there are no step-by-step directions. Instead, you should read the guided practice information and then develop your own approach to performing the required analysis. Your focus in this lab should be upon finding and documenting answers to the case questions as provided in the lab scenario. Your presentation of your findings should be succinct (clear and concise). This means that you will need to apply your best judgment as to which information should be included in your report and which information should be omitted.

The lab scenario and case questions are your starting point for this investigation. You must develop and execute your own strategy and procedure for conducting the required forensic examination. At a minimum, you should perform the following tasks:

    • Document the system configuration for the virtual machine using registry files (computer name, operating system name, operating system version, and installation date, at a minimum).
    • Analyze Windows registry files to find information related to Internet activity (including the IP address of the target computer).
    • Find and analyze artifacts related to or containing electronic mail messages.
    • Analyze the contents of the web-browsing histories and file caches for each of the installed web browsers. Your analysis should include (a) visited web pages, (b) searches and search terms, and (c) downloaded files.
    • Using Internet tools such as WhoIS (http://www.who.is), determine the ownership and registration information for suspicious websites or domain names found in the browsing history, browser cache, or packet capture files.
    • Using Wireshark, analyze the packet capture streams (pcap or pcapng files) found in the forensic image. Identify URLs, IP addresses, and domain names that were accessed.
    • Construct a timeline showing significant Internet activity. Pay special attention to any timeline anomalies that may be present in the forensic image.

You will find that a large number of files in the forensic image have been wiped (contents set to 0x00). The contents of these files are not important to this lab and the wiping should not be reported as part of your examination. The directory information (file names and create/modify/access dates) for all files, including those that were wiped, is correct and accurately reflects system usage. The directory information is important to this lab and should be used in your analysis.

You are expected to use appropriate tools and techniques during your analysis of the provided files. Document your processes, procedures, and findings using a memo format report (five pages maximum). Provide your timeline of Internet usage (table format) and your analysis summary tables as attachments to your memo. The tables are not included in the maximum page count but you should include only the information necessary to explain or support your findings.

Before You Begin

An FTK Case Backup folder for Lab 6 has been provided in folder H:\CMIT424\Lab6\FKTK Case Backup\Lab6. Both the USB and the Virtual Hard Disk evidence files from the H:\CMIT424\Lab6 folder were added to the case.
The only evidence refinement option used was “Expand Compound Files: Zip files.” To save time (approximately 45 minutes), you should restore this Case Backup to C:\Cases (instead of starting from scratch with a new case). Restoring the case requires approximately 5 minutes (longer if the systems are heavily loaded).

You *may* need to perform additional evidence processing using the “Evidence > Additional Analysis” menu in FTK. The additional processing options are divided into three groups (tabs): (a) Hashing / Job Options, (b) Indexing / Tools, and (c) Miscellaneous. File signature analysis, data carving and “expand compound files” are under Miscellaneous. Data carving is *not* recommended for the Virtual Hard Disk image (Lab6_Win7Prof.E01). You may, however, wish to carve for files in the USB image (Lab6-USB1.E01).

Guided Practice #1: Recovering and Triaging Evidence Related to Internet Activity

In this lab you will practice finding, recovering, and analyzing artifacts that contain information about a user's Internet activity. Such activity may include accessing webmail, browsing web pages, downloading files from web servers or FTP servers, sending and receiving electronic mail, sending and receiving chat or text messages (including Tweets), watching streaming video, etc. Internet activity can also include near real-time exchanges of information in text, audio, or video forms as chat, video conferencing, and webinars. Each of these types of activities will usually leave behind remnant information in the form of files, registry key values, or fragments of digital information left behind in slack space or unallocated space.

Specific types of files and artifacts that we rely upon for documenting Internet activity include

    • chat logs and history
    • domain names
    • electronic mail (messages and headers)
    • Internet Protocol (IP) addresses
    • uniform resource locators (URLs)
    • web browser indexes, browser cookies, browsing history, and cached files

Forensic tools such as FTK and EnCase will identify and categorize artifacts containing remnants of Internet activity. FTK, for example, categorizes artifacts by browser type and then by data type (cookies, downloads, search keywords, URLs, etc.). These categories can be viewed on the Internet/Chat tab and from the Overview tab. Each of these tabs will provide a slightly different interpretation of the available artifacts.

Figure 6-1. FTK Internet/Chat Tab

Figure 6-2. Internet/Chat Files Viewed from Overview Tab

Electronic mail messages found by FTK can be viewed using the Email tab and the Overview tab (expand the nodes for File Category > Email). Automatic identification of email artifacts will not find content that occurs in file slack space and unallocated disk sectors. Yet, these locations may contain significant amounts of information about email communications. The indexed search in FTK or simultaneous search in WinHex Specialist can be used to find email artifacts from anywhere in the forensic image. A basic search strategy can be developed around keywords that are normally found in email headers. Suggested keywords include:

    • Recipient
    • Sender
    • From:
    • Subject:

Figure 6-3. FTK Indexed Search for Email Using Keywords

After looking for the basic keywords, you should also consider searching for email headers using Internet header keywords such as:

    • Delivered-To
    • DKIM-Signature
    • Return-Path
    • MIME-Version

Note: Searching for hyphenated keywords requires use of a search function that will treat the hyphen as a normal character. Live search within FTK and simultaneous search within WinHex Specialist both allow search strings that include hyphens and other special characters and, thus, can be used for this search.

Figure 6-4. FTK Live Search Using Internet Email Header Keyword "DKIM-Signature"

As you recover and analyze artifacts for Internet activity, you should make note of domain names, IP addresses, URLs, etc., that are suspicious or that appear to have significance with respect to answering the case questions. You should then research the ownership, history, and usage information for these items.

Guided Practice #2: Researching Internet Resources

As part of a forensic examination, the examiner should investigate ownership and use of domain names, IP addresses, and URLs recovered during the examination to determine if such information is of use in answering questions that may arise about Internet activity.

To begin your research, you should identify the IP addresses and MAC addresses used by the computer system you are investigating. For computers running Microsoft Windows, you can usually obtain the IP addresses assigned to the computer using the SYSTEM registry key (HKEY_SYSTEM) ControlSet001\Services\Tcpip\Parameters\Interfaces. If there are multiple network interfaces, there will be multiple subkeys under this key, each corresponding to a separate network interface card or virtual network interface.
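The keyword-driven email header search from Guided Practice #1, as an added example that is not part of the lab materials or of FTK: a Python script that scans a raw byte buffer (the kind of data you would export from file slack or unallocated clusters) for the basic and Internet header keywords listed above. It treats the hyphen as an ordinary byte, as the note above requires, looks for each keyword in both ASCII and UTF-16LE (Windows programs often store text in the latter), and groups nearby hits into candidate header blocks so that one message is reported once rather than once per keyword. The sample buffer, its addresses and subjects, and all function names are constructed for this example.

```python
import itertools
import re
from typing import Dict, List, Tuple

# Keyword sets from the guided practice text: basic header words and Internet header names.
BASIC_KEYWORDS = [b"Recipient", b"Sender", b"From:", b"Subject:"]
HEADER_KEYWORDS = [b"Delivered-To", b"DKIM-Signature", b"Return-Path", b"MIME-Version"]


def _patterns(keywords: List[bytes]) -> List[Tuple[str, str, re.Pattern]]:
    """Compile one case-insensitive byte pattern per keyword and encoding.
    Bytes are matched literally, so the hyphen in 'DKIM-Signature' is just another byte;
    the UTF-16LE form is included because Windows programs often store text that way."""
    out = []
    for kw in keywords:
        out.append((kw.decode(), "ascii", re.compile(re.escape(kw), re.IGNORECASE)))
        wide = kw.decode().encode("utf-16-le")
        out.append((kw.decode(), "utf-16le", re.compile(re.escape(wide), re.IGNORECASE)))
    return out


def _printable_prefix(text: str) -> str:
    """Keep the leading run of printable characters (stops at CR/LF, NUL or decoding junk)."""
    return "".join(itertools.takewhile(lambda c: c.isprintable(), text))


def scan_for_headers(data: bytes, keywords: List[bytes], context: int = 64) -> List[Dict]:
    """Search the whole buffer (allocated or not) and return hits sorted by offset.
    Each hit records the keyword, the encoding it was found in, its byte offset and the header line."""
    hits = []
    for name, enc, pat in _patterns(keywords):
        for m in pat.finditer(data):
            raw = data[m.start():m.start() + context]
            codec = "utf-16-le" if enc == "utf-16le" else "ascii"
            line = _printable_prefix(raw.decode(codec, errors="replace"))
            hits.append({"keyword": name, "encoding": enc, "offset": m.start(), "line": line})
    hits.sort(key=lambda h: h["offset"])
    return hits


def cluster_hits(hits: List[Dict], gap: int = 512) -> List[Dict]:
    """Group hits lying within `gap` bytes of the previous hit. Each group is one candidate
    header block (likely one message) to open in the hex viewer; isolated hits stay separate."""
    groups: List[Dict] = []
    for h in hits:
        if groups and h["offset"] - groups[-1]["end"] <= gap:
            groups[-1]["end"] = h["offset"]
            groups[-1]["keywords"].add(h["keyword"])
        else:
            groups.append({"start": h["offset"], "end": h["offset"], "keywords": {h["keyword"]}})
    return groups


# Constructed sample "unallocated space": wiped (0x00) sectors, an ASCII header block,
# more wiped sectors, then a UTF-16LE fragment. Addresses and subjects are invented.
HEADER_BLOCK = (
    b"Delivered-To: alice@example.test\r\n"
    b"Return-Path: <bob@example.test>\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.test;\r\n"
    b"MIME-Version: 1.0\r\n"
    b"From: Bob <bob@example.test>\r\n"
    b"Subject: Q3 contract\r\n\r\n"
)
SAMPLE_IMAGE = (
    b"\x00" * 512
    + HEADER_BLOCK
    + b"\x00" * 1024
    + "Subject: meeting notes".encode("utf-16-le")
    + b"\xff" * 100
)


def triage(data: bytes = SAMPLE_IMAGE) -> List[Dict]:
    """Run both keyword sets over the buffer and return the candidate header blocks."""
    return cluster_hits(scan_for_headers(data, BASIC_KEYWORDS + HEADER_KEYWORDS))


if __name__ == "__main__":
    for h in scan_for_headers(SAMPLE_IMAGE, BASIC_KEYWORDS + HEADER_KEYWORDS):
        print(f"0x{h['offset']:08x} {h['encoding']:8} {h['keyword']:15} {h['line']}")
    for g in triage():
        print(f"candidate block 0x{g['start']:08x}-0x{g['end']:08x}: {sorted(g['keywords'])}")
```

Offsets are relative to the buffer you pass in; add the starting byte of the exported region to map a hit back to a sector or cluster in the image. A keyword hit is only a lead: "Sender" and "Recipient" also occur in ordinary prose, so confirm each candidate block in the hex viewer before recording it as an email artifact.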
In our example, there was one active network interface, and that interface was assigned the IP address 192.168.241.132 by the DHCP server with IP address 192.168.241.2. These IP addresses are in a reserved, nonroutable (private addressing) range, which usually means they are usable only within a local area network. The three nonroutable ranges are 10.x.x.x, 172.16.x.x, and 192.168.x.x.

Figure 6-5. Registry Keys Containing TCP/IP Addressing Information

If you are starting your research using a routable IP address, you can find out the associated domain names and registrars by using the lookup services provided by Internet Assigned Names Authority (IANA) (https://www.iana.org/whois) or Who.IS (http://www.who.is). If you are starting your research from a domain name, the ownership information and associated IP addresses can be obtained from Internet registrars and IANA, http://www.iana.org. IANA also provides a listing of the root domains (also referred to as top-level domains or TLDs) and the sponsoring organizations for each. A more detailed profile for a domain name—including current ownership, ownership and registration history, DNS server names, server names (e.g., email, web, ftp) and associated IP addresses and address ranges—can be obtained from lookup services such as http://who.is.

In addition to researching domain name registration and associated IP addresses, you may also need to research the contents of web pages at a specific point in time. The Internet Archive (http://www.archive.org), also referred to as the Wayback Machine, contains copies of web pages that were found by its web crawlers ("spiders"). This archive is searchable by URL. If the requested page has been archived, you can then search by date of retrieval.
For example, if you wanted to research the home page for http://www.umuc.edu as it existed on April 20, 2011, you could do so by searching for the domain name and then clicking on the year in the history bar. Next, you would select the closest retrieval date that occurred before your date of interest. In the example shown below, that date would be April 18, 2011.

Figure 6-6. Wayback Machine Search Results for www.umuc.edu (year = 2011)

Clicking on the date in the calendar will cause the archived page to be loaded and displayed. You should be aware that the archive may not contain copies of all page elements, but in general, you should be able to see enough of the web page to determine its content. By inspecting the page source, you will be able to recover metadata elements (if present) that list author, ownership, and other information about the page.

Figure 6-7. Archived Web Page from April 18, 2011, for www.umuc.edu

Guided Practice #3: Using External Viewer Programs

Internet activity can result in a large variety of files and file types being downloaded onto a computer system. There are limitations to the file types and formats that forensics tools can display using a built-in viewer. For this reason, you may find it necessary to use external viewer programs to inspect the contents of files that contain information about Internet activity. You may be able to locate and download appropriate viewer software from the Internet. Open-source software is easily located and downloaded using an Internet search engine. For proprietary file types, many vendors will provide a free viewing-only utility. Microsoft, for example, provides free viewers for Microsoft Office files in Excel, PowerPoint, or Word format. You can download these viewers from the Microsoft Download Center (http://www.microsoft.com/en-us/download/search.aspx?q=viewer), or you may need to find a utility provided by a third party. One such utility is the Database Browser for SQLite, which is available from http://sqlitebrowser.org/

Additional sources of viewing utilities include

    • Apple https://www.apple.com/downloads
    • Adobe http://www.adobe.com/downloads.html
    • CNET Downloads http://www.download.cnet.com
    • Forensics Wiki http://www.forensicswiki.org/wiki/Tools
    • SourceForge http://sourceforge.net

Note: You should verify that any software downloaded from the Internet is free of malware before using it for a forensic examination.

If you cannot locate a matching software version for download from the Internet, look for the associated software application or appropriate viewer program in the forensic image itself. If found, you may be able to export the required files and then load them on a dedicated workstation or virtual machine (a VM sandbox is highly recommended). Next, export the file or files that require this application for viewing and transfer to the sandbox where you will perform your inspection and analysis. Launch the application and review the copies of your files. Make sure you update your chain-of-custody log to track the movement of the exported files. Your forensic report should also include documentation of what viewers were used and the source from which the viewer software was obtained.

Note: For licensed software, you should ensure that you comply with the end-user license agreement (EULA) and then delete all copies from the sandbox system at the conclusion of your examination.

Guided Practice #4: Network Forensics with Wireshark

As a forensic analyst, you may be asked to review and make sense out of network packet captures.
The packet capture files, commonly referred to as PCAP files, will contain information captured from TCP/IP packets transmitted to and from network hosts connected to a specific network segment. This information can be used to reconstruct Internet activity for specific network hosts. (A "network host" is equivalent to a workstation, laptop, or other device that is connected to a network.)

Before spending time analyzing a packet capture file, you should check to make sure that packets sent to or from your target IP address are present in the file. This can be quickly accomplished in a number of ways, but we will use a filter for this example. On the filter bar, enter the expression ip.addr eq 192.168.241.132, then click Apply. If the IP address is not present in the capture file, the packet capture stream display will be empty.

Figure 6-8. Applying an IP Address Filter in Wireshark

Once you have verified that the packet capture file contains packets to or from your target IP address, you can apply additional filters to find packets that are of interest to your examination. Commonly used filter expressions can be viewed using the Analyze > Display Filters menu item. These display filters can be used to quickly build filter expressions that allow you to view the packets associated with specific values for header fields in packets, specific types of protocols, etc.

Figure 6-9. Wireshark Display Filter, Default Profile

A more detailed list of filter expressions and prompts can be accessed using the "Expression" button on the Filter menu bar or from within the Display Filters pop-up window. Click this button to display a list of prompts for advanced filters.
These filter expressions are most useful when you need to filter by the contents of specific fields within packets or by specific protocols.

As your examination proceeds, you may need to recover and analyze TCP/IP sessions ("conversations"). First, select the "Conversations > IPV4" item from the Statistics menu. Then sort the list of conversations by IP address (click on the "Address" column). Scroll down to find the target IP address in the "Address A" column. In the "Address B" column you will see the IP addresses for network hosts that the target computer system communicated with.

Figure 6-10. Wireshark IPv4 Conversations List Sorted by IP Address

Processing Hint: If there are a large number of IP addresses, you can use the Copy button to copy the entire list of conversations to the Windows clipboard in CSV (comma-separated value) format. Paste the clipboard contents into a document file using Microsoft Word. Then, convert to table format (Insert > Table > Convert Text to Table) using "comma" as the separator. Double-check to make sure you have the same number of columns as displayed in the conversations list, then click OK. Edit your table to remove the extraneous commas.

Figure 6-11. Wireshark Conversations List as a Microsoft Word Table (partial)

Another method for recovering TCP/IP sessions begins with a packet of interest. For this example, we will begin by finding packets containing the text string google that were formatted using the http protocol. Our search filter would be

    (http and (tcp contains "google"))

Figure 6-12. Packet Filter Results for (http and (tcp contains "google"))

We then scroll through the filtered packet capture stream to find a packet of interest. Right-clicking on the packet brings up a context menu from which we select "Follow TCP Stream."

Figure 6-13. TCP Stream

Using the "tcp contains xxx" filter will allow you to perform keyword searches within the packet stream. Consider the case where your examination of a packet stream requires you to find and document file transfers. You can construct a filter that looks for file names or file extensions in the TCP packets. For example, if you wanted to find conversations containing Internet search engine queries or results, you could use the filter expression

    tcp contains "search?"

(for Bing searches) or you could filter by the URL of the search engine, e.g.,

    tcp contains www.google.com

Or, perhaps you are interested in finding file transfers (downloads) involving executable files. You could use the filter:

    tcp contains "exe"

Figure 6-14. Packets Containing Text String "exe"

Inspecting the payload of a selected packet (see Figure 6-14) shows us that a file was downloaded from http://download-installer.cdn.mozilla.net/pub/firefox/releases/32.0.2/win32/enUS/Firefox%20Setup%2032.0.2.exe. If we investigate further, perhaps using a Google search or by visiting the URL itself, we find that this file contains the installation package for a version of the Firefox browser.

Finally, you may find it helpful to combine search terms into a single, complex filter expression. To do this, enclose each search term in parentheses, e.g., (tcp contains "keyword"), and then use Boolean operators between the terms. For example, to find http packets that contain search queries for Google or Bing, you could use the filter expression

    http and ((tcp contains "google") or (tcp contains "bing"))

Remember to use parentheses to enclose terms and operators so that the expression evaluates correctly.
Guided Practice #5: Report Writing

For this lab, you are expected to write an incident summary report using the report writing skills and techniques learned in earlier labs in the course. You will need to decide how much supporting information to include in your report. The use of tables and bullet lists to summarize information is encouraged, but these formats should not come at the expense of clarity. If a paragraph’s worth of explanation is required, put the information in a paragraph! (Not in a cell within a table or a bullet within a bullet list.) In your reports and tables, you should clearly identify which items were found in which evidence files.

Deliverables

  1. Incident Investigation Summary Report: a memo-format report summarizing answers to the case questions and providing documentation as to the tools, techniques, and procedures used in this lab. Your memo should include sufficient supporting information and “summary tables” to substantiate your assertions about the data in a way that makes it easy to understand (a) the case, (b) the case questions, and (c) your answers / findings in regards to the case and case questions.
  2. Your report should include high-level analysis summaries in table format for:
    1. network activity (MAC addresses, IP addresses, domain names, etc.)
    2. email and webmail
    3. web browsing history
    4. ownership/registration information for suspicious websites or domain names
    5. names and contents of suspicious files
    6. timeline for Internet and Network Activity

Note: Your “high level summaries” of your analysis results should be *summaries* not a compendium of every piece of information found in the image. Focus on providing data which provides support to your answers to the case questions. Irrelevant information should not be included.

Grading for Lab Deliverables

  1. Incident Investigation Summary Report 50%
    a. Overview 15%
    b. Findings & Answers to Case Questions 15%
    c. Description of Analysis & Processing 15%
    d. Evidence Handling (including use of hash values) 5%
  2. High Level Summaries (attachments or internal to memo) 35%
    a. network activity (MAC addresses, IP addresses, domain names, etc.) 5%
    b. email and webmail 5%
    c. web browsing history 5%
    d. ownership/registration information for suspicious websites or domain names 5%
    e. names and content summaries for suspicious files 10%
    f. timeline for Internet and Network Activity 5%
  3. Professionalism (formatting, grammar, spelling, punctuation, etc.) 15%
Digital Forensic Examination Summary Report
(for ALL lab assignments except Lab 0; remove red writing before submitting assignments)

Examiner: your name and company (simulated)
______________________________________________________________________________
Case Background: give an adequate description of the scenario as if the reader knows nothing about this case. Why are you conducting this examination? Who requested it? This should be more than 2-3 sentences. Use what's given to you in the lab scenario assignment to establish a quality case background.
______________________________________________________________________________
Legal Authority: (to conduct the exam, i.e., warrant, consent, government / organizational property. This must always be stated in a report.)
______________________________________________________________________________
Tools Used: for the sake of readers, who often are not technical, break up this section into subsections:

Hardware
Software

(Include full software versions (simulate when necessary); include hardware, i.e., the system you used to conduct the examination, with serial numbers (your desktop / laptop). Also, simulate using a hardware write-blocker if the scenario doesn't specify how the data is write protected. A write-blocker prevents any writes to the media being examined so the examiner can acquire it safely without altering original evidence.)
______________________________________________________________________________
Initial Processing: (show both acquisition and verification hash sums; list the media examined with description and serial number / see Addendum A)

Example verbiage: "The processing included inspection, photography, anti-virus scan, and the imaging laptop. The imaging of the media created forensic evidence files for use in the subsequent forensic examination. Methods were forensically sound and verifiable."
______________________________________________________________________________
Preliminary Findings: (out of analyzing X number of files, X were of forensic value; briefly describe the partition and file structure of the media examined; this is a synopsis of what you found of forensic value.)
______________________________________________________________________________
Detailed Findings: (this is where most or all of the case questions can be answered, along with whatever else is required in the grading deliverables. This will always be the longest part of your report. If you feel that some detailed findings would be better placed in an Addendum, that's a good place too.)
______________________________________________________________________________
Conclusions / Further Actions Required: (just state the facts; recommend what other devices could be examined to further the case; recommend interviews of subjects if applicable; are there protected files that need decryption? Do not make judgment calls, i.e., "John Smith should be removed from his position"; give the client the facts and let them make the decisions on what to do with the information.)

Each Addendum should start on a separate page.

Addendum A: Photos (simulate with pictures of similar devices you find on the Internet. It is always a good idea to include a picture of the evidence you examined.)

The following is a photograph of XXXX

PICTURE(s) SHOWN HERE

The following details the forensic image processing. Example:

Seagate Hard Drive, 250GB, Serial #12345: Digital Forensics Examiner (DFE) created forensic evidence files of XXXX drive #XXXX. The pre-processing hash results are presented below:

MD5 checksum: XXXX
SHA1 checksum: XXXX

The forensic processing subsequently created XXXX (X) files (simulated).

Forensic Evidence Files Created: XXX.E01 – XXXX.E04 (example with four files)

The forensic imaging process involved a post-processing hash verification of the contents of the evidence file compared with the pre-processing hash. The hash analysis is presented below.

MD5 checksum: XXXX: verified
SHA1 checksum: XXXX: verified

The forensic imaging process successfully created a forensically sound and verifiable bit stream copy of the hard drive in the form of forensic evidence files.

Addendum B: Steps Taken

These are your notes on the steps you took while conducting the examination. Often, the examiner must submit their notes along with the forensic report if a case goes to court. I recommend just numbering your steps, i.e., 1, 2, 3, in chronological order. Start with how you received the media and describe how you sterilized the target media. For example:

1. Original USB drives and CD-Rs received from R. Jones. Items labeled and chain of custody (COC) documentation initiated.
2. Forensically sterilized target media prepared using Paladin vX.XX.XXX. After launching the Paladin tool, the target media was physically connected to the workstation running Paladin. Target media was wiped and verified using the command "sudo dcfldd pattern=00 vf=/dev/sdc". Results were a match, verifying the target media was forensically sterile.
3. describe your analysis steps
4. cont'd

Report End