IAS and DF Capstone Project
Excerpt from Capstone Project:
Information Assurance and Security (IAS) / Digital Forensics (DF)
In this work we describe three laboratory-based training units that give the practical and basic knowledge needed for forensic examination of current digital devices, software, hardware and firmware. The training has three parts. The first part consists of the three largest labs, each lasting one month. The second part consists of smaller labs, each also lasting about one month. The third part consists of the smallest labs, each lasting one week. Training covers software, programming concepts, flowcharting, algorithms, and logical reasoning, both linear and iterative.
Part 1 Larger Labs:
Lab 1 (Timeline Analysis)
Purposes and goals of the Lab (Lab VI):
- Use MAC times (the Modified, Accessed and Changed timestamps that the file system records for every file; not to be confused with a network adapter's Media Access Control address) to extract a time-stamped sequence of events.
- Analyze the timeline to extract evidence.
Concepts of IAS/DF (Information Assurance and Security / Digital Forensics) (Lab VI):
Creating a time-stamped sequence of file creation, modification and access.
Software Needed: the Linux-Forensics virtual machine with The Sleuth Kit (fls, ils, mactime) and Autopsy
Skills Needed: the timeline concept, its uses and applications
Main Tasks/Procedures (Lab VI):
- Extract MAC times for allocated and unallocated (deleted) files (fls -m)
- Obtain MAC times for unallocated inodes (ils -m)
- Build the timeline from the MAC times (mactime)
- Create the timeline in Autopsy
Expected Outcome: The trainee is expected to express his analysis of the generated timelines as a possible sequence of events.
Suggested grading criteria: 1) The analytical expression and capability of the student
2) Testing the students on the following questions:
From an analysis of MAC times, is it possible to determine every instance of access or modification of a particular file? Support your answer with reasoning. (Lab VI)
Explain the significance of the MAC times of unallocated files.
What information of importance does the system uptime give an attacker? (Lab VI)
Possible Bonus Work and points: The trainee demonstrates the timeline methodology to the class with his own inputs.
Duration of lab: One month (trainees work in pairs and gradually improve their timeline and retrieval skills over the course of the month).
Suggested Courses: Digital Electronics, Advanced Computer Science, Communication Theory, Advanced Digital Forensics, and MAC Forensic Analysis
MAC-time analysis lets the examiner reconstruct the order in which files were created, read and modified, so the timeline is strong corroborating evidence for a sequence of events. It is not proof on its own: each file stores only the latest value of each timestamp, so earlier accesses are overwritten; many systems are mounted with noatime or relatime and do not update access times on every read; timestamps can be altered by the user or by malware; and the clock of the examined system may be skewed or set to a different time zone. Work from a read-only image, because mounting the evidence read-write and browsing it will itself update access times.
Lab 2 (File Recovery: Metadata Layer)
Purpose and Goals of the Lab: (Lab IV)
- The metadata entry of a file (the inode on ext2/ext3, the MFT entry on NTFS) records properties such as size, timestamps, ownership and permissions, flags (for example whether an NTFS file is encrypted), and the addresses of its data blocks. Students are expected to find this information for use as evidence.
- Use the information in the metadata to extract a specific file.
- Use the Autopsy Forensic Browser (a Linux-based graphical interface) at the metadata layer. (Lab IV)
- Understand what 'delete' does to the metadata in different file systems.
IAS/DF Concepts Covered: File Recovery
Software Needed: Linux and The Sleuth Kit (istat, icat, dcat) / Autopsy Forensic Browser (Lab IV)
Skills Needed: knowledge of metadata and The Sleuth Kit, basic computer skills; how data is stored in different file systems, and file recovery in different file systems
Main Tasks/Procedures: (Lab IV)
- Launch the "Linux - Forensics" virtual machine.
- Locate the index node (inode) from a block number (understand the data-structure layout).
- Use the metadata information to recover files.
- Use the Autopsy browser, an HTML-based graphical interface, at the metadata layer.
- Understand metadata on different file systems (ext2, ext3, NTFS, FAT).
Expected Outcome: connect the information gained at the metadata layer to recover a file...
...List all the steps that you will take. In which block of the image is the 'keyboard' located?
If istat shows the inode as allocated, what does that mean? What would you infer if it is shown as unallocated? Can you be sure that the inode you are viewing is the one you were searching for?
State three fields of the metadata that are needed to recover a file.
What is the difference between icat and dcat? icat follows the block pointers stored in an inode and writes out the file content trimmed to the recorded size; dcat reads data units directly by block address, without reference to any inode. Under what conditions must dcat be used for file recovery rather than icat? (Consider what happens to the block pointers when a file is deleted on ext3.)
What is the difference between exporting the file content from the metadata layer and exporting the raw data units that the metadata entry points to?
What is the main difference in structure and content between those two exports? The raw data units have to be trimmed when the file is exported to another disk, while no modification is required for the content exported at the metadata layer. Why? (Think about the bytes between the end of the file and the end of its last block: the file slack.)
Repeat the analysis on an NTFS partition and record the metadata information you find there. Different file systems present their metadata differently; list those differences. This teaches extraction and analysis of data in several file systems. Enumerate and understand the metadata-layer information in each file structure.
Explain and enumerate the modifications made to an ext2 inode when the file's data is deleted. Then recover the file and explain the process and the changes made.
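The icat/dcat, slack and ext2/ext3 deletion questions above all turn on what an inode still points to. The following Python model is an added example, not the lab's material and not code from The Sleuth Kit: it builds a constructed 8-block image with 32-byte blocks (real file systems use 1-4 KiB), writes a 65-byte file across three non-contiguous blocks, and implements icat-style and dcat-style exports plus the two deletion behaviours. The function names icat, dcat, delete_ext2 and delete_ext3 are chosen to mirror the tools and file systems being discussed; the content and the "old fragment" left in block 5 are invented.

```python
"""Metadata-layer (icat-style) vs data-layer (dcat-style) recovery on a constructed image."""

BLOCK_SIZE = 32          # tiny blocks so the slack is visible; ext2 really uses 1-4 KiB
NUM_BLOCKS = 8

FILE_CONTENT = b"confidential: wire 250000 to acct 9981 before the audit on friday"  # 65 bytes


def make_image():
    """Constructed 8-block image. Block 5 still holds bytes of an older, deleted file."""
    img = bytearray(BLOCK_SIZE * NUM_BLOCKS)
    img[5 * BLOCK_SIZE:6 * BLOCK_SIZE] = (b"OLD SECRET FRAGMENT " * 2)[:BLOCK_SIZE]
    return img


def write_file(img, block_list, data):
    """Store data across the listed blocks and return an ext2-style inode record.

    Only len(data) bytes are written, so a partially filled last block keeps whatever
    it held before: that is file slack, and it survives in the data layer.
    """
    if len(data) > len(block_list) * BLOCK_SIZE:
        raise ValueError("not enough blocks for the data")
    for i, blk in enumerate(block_list):
        chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        img[blk * BLOCK_SIZE:blk * BLOCK_SIZE + len(chunk)] = chunk
    return {"size": len(data), "blocks": list(block_list), "links": 1, "dtime": 0}


def icat(img, inode):
    """Metadata layer: follow the inode's block pointers and trim to the recorded size.
    Returns b"" when the pointers are gone (ext3 zeroes them on delete)."""
    if not inode["blocks"]:
        return b""
    raw = b"".join(bytes(img[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) for b in inode["blocks"])
    return raw[:inode["size"]]


def dcat(img, block, count=1):
    """Data layer: raw data units by address; slack included, nothing trimmed."""
    return bytes(img[block * BLOCK_SIZE:(block + count) * BLOCK_SIZE])


def slack(img, inode):
    """Bytes in the last block past end-of-file: present in dcat output, absent from icat."""
    last = inode["blocks"][-1]
    used = inode["size"] - (len(inode["blocks"]) - 1) * BLOCK_SIZE
    return dcat(img, last)[used:]


def delete_ext2(inode, now):
    """ext2 unlink: link count 0, dtime set, inode and blocks marked free in the bitmaps,
    but block pointers and size are left in place, so icat can still rebuild the file."""
    inode["links"] = 0
    inode["dtime"] = now


def delete_ext3(inode, now):
    """ext3 unlink does the same and additionally zeroes the block pointers; after that the
    metadata layer no longer leads to the content and the data layer must be searched."""
    delete_ext2(inode, now)
    inode["blocks"] = []


if __name__ == "__main__":
    img = make_image()
    ino = write_file(img, [2, 3, 5], FILE_CONTENT)
    print("icat        :", icat(img, ino))
    print("dcat block 5:", dcat(img, 5))
    print("slack       :", slack(img, ino))
    delete_ext2(ino, 1700000000)
    print("after ext2 delete, icat recovers the file:", icat(img, ino) == FILE_CONTENT)
    delete_ext3(ino, 1700000000)
    print("after ext3 delete, icat returns:", icat(img, ino))
```

The three fields the recovery needs are visible in the inode record: the block addresses, the size (to trim the last block) and the allocation state (links/dtime), which is what istat reports. After the ext3-style deletion the only route to the content is the data layer, which is where Lab 3 continues.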
Possible Bonus Work: None
Duration of Lab: four weeks, with students working in pairs. The lab is divided into two parts of a fortnight each. The work is to recover lost data through the metadata layer of different file systems (for example FAT32 and NTFS on Windows).
Suggested Courses: Computer science theory and file-system organization, Advanced Digital Forensics, and Windows Forensic Analysis
Lab 3 (File Recovery: Data Layer Revisited)
Purpose and Goals of the Lab (Lab V):
- Use file headers and metadata to carry out a search.
- Data carving with Foremost (a Linux data-recovery program that finds files by their headers, footers and internal data structures)
- Zip file password recovery methodology and techniques
IAS/DF Concepts Covered:
File recovery using Linux-based software (Lab V)
Software Needed: Linux with the KDE desktop (KMenu, OpenOffice.org Writer, KHexEdit, KCalc), The Sleuth Kit (dls), hexdump and grep
Skills Needed: in-depth knowledge of the different data layers, file recovery procedures and methodologies, and enhanced computer skills
Main Tasks/Procedures (Lab V):
Open the KMenu and go to the Office menu. Launch OpenOffice.org Writer (a counterpart of Microsoft Word). Open a new text document and type a couple of paragraphs. Use 'Save As', not 'Save', and choose a Microsoft Word format (97/2000/XP; either will do); save the file as /tmp/test.doc. Open /tmp/test.doc in KHexEdit to see its raw bytes: a Word file of this kind starts with the OLE2 compound-document header d0 cf 11 e0 a1 b1 1a e1. Create a second .doc file and view it the same way to confirm that the header is identical while the content differs.
You are now ready to search for the document using what you know about it: the words you typed and the header bytes. Use dls to extract the unallocated data units of the image (where a deleted file's content remains), then pipe them through hexdump -C, which prints each 16-byte line as an offset, the hex bytes and their printable equivalents, much like KHexEdit. Use grep on that output to find the header, searching for only its first eight bytes; note that a header beginning in the last bytes of a hexdump line is split across two lines and will not match a single-line grep. hexdump prints offsets in hexadecimal; convert them to decimal with KCalc (on the toolbar) to get the byte offset to carve from.
That is the manual, step-by-step way of carving data (recovering file content from unallocated space by its signature, without any file-system metadata). There are easier ways of doing it today. Under Linux, data carving is done using an application…
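The manual procedure above (dls, hexdump -C, grep for the first eight header bytes, offset conversion) is what a carver such as Foremost automates. The following Python script is an added example, not the lab's material and not Foremost's code: it scans a constructed 1 KiB buffer standing in for dls output (three files placed at invented offsets 100, 400 and 700) for the OLE2 .doc, JPEG and PNG signatures, cuts each file at its footer, and prints a hexdump -C style line for a hit. The rule it uses for footerless types (stop at the next recognised header or at a maximum size) is an assumption for this example; Foremost itself parses the OLE2 structure for .doc files.

```python
"""Signature-based carving over unallocated space (the idea behind Foremost), constructed input."""
import re

# type -> (header, footer or None, maximum carve size). The .doc header is the OLE2
# compound-document signature; Word 97-2003 files start with exactly these 8 bytes.
SIGNATURES = {
    "doc": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", None, 4096),
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9", 4096),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82", 4096),
}


def make_sample():
    """Constructed 1 KiB of 'unallocated space' with three files dropped in at known offsets."""
    buf = bytearray(1024)
    doc = SIGNATURES["doc"][0] + b"\x00" * 8 + b"Microsoft Word document body text"
    jpg = SIGNATURES["jpg"][0] + b"\xE0\x00\x10JFIF" + b"\x00" * 40 + SIGNATURES["jpg"][1]
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\x0DIHDR" + b"\x00" * 20 + SIGNATURES["png"][1]
    buf[100:100 + len(doc)] = doc
    buf[400:400 + len(jpg)] = jpg
    buf[700:700 + len(png)] = png
    return bytes(buf)


def find_headers(data, signatures=SIGNATURES):
    """All (offset, type) pairs where a known header begins, sorted by offset: the byte-level
    equivalent of grepping hexdump output, without the split-line blind spot."""
    hits = []
    for name, (hdr, _ftr, _max) in signatures.items():
        hits.extend((m.start(), name) for m in re.finditer(re.escape(hdr), data))
    return sorted(hits)


def carve(data, signatures=SIGNATURES):
    """Return carved files as dicts with type, offset, length and data."""
    hits = find_headers(data, signatures)
    out = []
    for i, (start, name) in enumerate(hits):
        hdr, ftr, max_size = signatures[name]
        window = data[start:start + max_size]
        if ftr is not None:
            end = window.find(ftr, len(hdr))
            if end == -1:
                continue      # no footer within max_size: file truncated or overwritten
            end += len(ftr)
        else:
            # Footerless type (OLE2): assumed heuristic, stop at the next recognised header
            # or at max_size, whichever comes first.
            next_start = hits[i + 1][0] if i + 1 < len(hits) else len(data)
            end = min(len(window), next_start - start)
        out.append({"type": name, "offset": start, "length": end, "data": window[:end]})
    return out


def hexdump_line(data, offset):
    """One `hexdump -C` style line for the 16 bytes at offset (offset shown in hex)."""
    chunk = data[offset:offset + 16]
    hexpart = " ".join(f"{b:02x}" for b in chunk[:8]) + "  " + " ".join(f"{b:02x}" for b in chunk[8:])
    asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08x}  {hexpart:<48}  |{asc}|"


if __name__ == "__main__":
    sample = make_sample()
    for offset, kind in find_headers(sample):
        print(f"{kind} header at offset {offset} (0x{offset:x})")
        print(hexdump_line(sample, offset))
    for f in carve(sample):
        print(f"carved {f['type']}: offset={f['offset']} length={f['length']}")
```

The decimal offsets printed here are what KCalc produces from hexdump's hexadecimal column, and are what you would hand to dd or dcat to pull the bytes out of the real image. Carving has no file-system metadata to consult, so a carved file has no name, no owner and no MAC times; tying it back to a file name is the job of the metadata-layer work in Lab 2.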
Sources Used in Documents:
- Lab VI: Timeline Analysis. Available at https://cs.nmt.edu/~df/Labs/Lab06_sol.pdf
- Lab IV: File Recovery: Meta Data Layer.
- Lab V: File Recovery: Data Layer Revisited.
- Windows Client Configuration. Available at http://nmtvet.weebly.com/uploads/2/4/4/6/24461117/lab_sheet_1.pdf