… Assurance and Security (IAS) Digital forensics (DF)
In this work we look at three laboratory-based training structures that provide the practical and basic knowledge needed for forensic evaluation using current digital devices, software, hardware and firmware. The training is organised in three parts. The first part consists of the three largest labs; the training period in each of these labs is one month. The second part consists of smaller labs, also generally with a training period of one month. The third part consists of the smallest labs, with a training period of one week. Training is provided in software, programming concepts, flowcharting and algorithms, and logical reasoning, both linear and iterative.
Part 1 Larger Labs:
Lab 1 (Timeline Analysis)
Purposes and goals of the Lab (Lab VI):
- Use MAC (Media Access Control, internet adapter physical address) to extract time-stamped event progress.
- Analyze the timeline to extract proof.
Concepts of IAS/DF (Internet Authentication Service (related to Microsoft) / Digital Forensics) (Lab VI):
Creating a time-stamped sequence to analyze access to files.
Software Needed: MAC (Microsoft) and Linux-Forensics
Skills Needed: Timeline concept- uses and applications
Main Tasks/Procedures (Lab VI):
- Extract Media Access Control (MAC) times for allocated and unallocated files
- Obtain MAC times for unallocated inodes
- Extract the timeline from the MAC times
- Create a time-stamp using Autopsy
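The following is an added example, not part of the lab handout and not Sleuth Kit's own code: a Python script that builds a mactime-style timeline from body-format lines, showing how the M, A, C and B (birth) flags are derived from the MAC times of an allocated file, a deleted file and an unallocated inode. The three sample body lines are constructed; the body format itself (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) is the one Sleuth Kit's fls -m and ils -m produce for mactime.

```python
"""Build a MAC-time timeline from Sleuth Kit 'body' lines, the way mactime does.

Added example, not part of the lab text.  The body format is what Sleuth Kit's
fls -m and ils -m emit and what mactime consumes:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
with timestamps in Unix epoch seconds.  The three sample lines are constructed.
"""
from datetime import datetime, timezone

# Constructed sample (not real evidence): an allocated file, a deleted file and an
# orphaned inode from unallocated space, as ils -m would list it.
SAMPLE_BODY = """\
0|/home/user/notes.txt|1234|r/rrw-r--r--|1000|1000|512|1300000200|1300000100|1300000100|0
0|/home/user/plan.doc (deleted)|1240|r/rrw-------|1000|1000|8192|1300000300|1300000050|1300000310|0
0|<image-unalloc-inode-1250>|1250|-/-rw-------|1000|1000|4096|1300000400|1300000400|1300000410|0
"""

TIME_FIELDS = ("mtime", "atime", "ctime", "crtime")
FLAG = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}


def parse_body(text):
    """Parse body-format lines into dicts, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 11:
            continue
        _md5, name, inode, mode, _uid, _gid, size, atime, mtime, ctime, crtime = parts
        entries.append({
            "name": name, "inode": int(inode), "mode": mode, "size": int(size),
            "atime": int(atime), "mtime": int(mtime), "ctime": int(ctime),
            "crtime": int(crtime),
            # deleted entries and orphan inodes are what the lab calls 'unallocated'
            "allocated": not (name.endswith("(deleted)") or name.startswith("<")),
        })
    return entries


def build_timeline(entries):
    """Return [(epoch, 'macb' flags, inode, name)] sorted oldest first.

    As in mactime, one row is emitted per distinct timestamp value of a file;
    fields that share a value collapse into one row with several flags set
    (e.g. 'm.c.' when mtime == ctime).  A zero timestamp means 'not set' and
    produces no row.  Only the latest value of each field survives on disk, so
    a timeline shows the most recent access, not every access (Q1 of the lab).
    """
    rows = {}
    for entry in entries:
        for field in TIME_FIELDS:
            ts = entry[field]
            if ts == 0:
                continue
            rows.setdefault((ts, entry["inode"], entry["name"]), set()).add(FLAG[field])
    timeline = []
    for (ts, inode, name), flags in sorted(rows.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        timeline.append((ts, macb, inode, name))
    return timeline


def format_timeline(timeline):
    """Render rows as mactime-style text lines (UTC)."""
    return [
        f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {macb} {inode:>6} {name}"
        for ts, macb, inode, name in timeline
    ]


if __name__ == "__main__":
    for line in format_timeline(build_timeline(parse_body(SAMPLE_BODY))):
        print(line)
```

Because a file system stores only the latest value of each timestamp, the timeline shows the most recent access, modification and change of a file, not every instance; that is the point behind the first grading query below.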
Expected Outcome: The trainee is expected to present an analysis of the generated timelines and the possible sequence of events.
Suggested grading criteria:
1) The analytical expression and capability of the student.
2) Testing the students on the following queries:
- From analysis of MAC times, is it possible to determine each instance of access or modification of a particular file? Support your answer with reasoning. (Lab VI)
- Explain the significance of the MAC times of unallocated files.
- What information of importance does the uptime give the hacker? (Lab VI)
Possible Bonus Work and points: The trainee demonstrates the timeline methodology to the class with his own inputs.
Duration of lab: One month (Trainees should work in pairs and gradually improve upon their timeline skills and retrieval acumen during the course of one month).
Suggested Courses: Digital Electronics, Advanced Computer Science, Communication Theory, Advanced Digital Forensics, and MAC Forensic Analysis
MAC analysis for forensic science helps to prepare the timeline of file access and can hence be concrete proof of the sequence of events. The physical address pointing to the communication modem is a very effective tool for establishing communication.
Lab 2 (File Recovery: Meta Data Layer)
Purpose and Goals of the Lab: (Lab IV)
- The meta data for search list entries can provide vital information such as properties and encryption. Students are expected to find all such information as evidence.
- Using the information in the meta data as evidence, extract a specific file.
- Use of the Autopsy Forensic Browser (Linux-based graphical interface) at the meta data layer (Lab IV)
- Understand the ramifications of 'delete' in different file systems as seen from the meta data layer.
IAS/DF Concepts Covered: File Recovery
Software Needed: Linux and SLEUTHKIT TOOLSTAT/Autopsy Forensic Browser (Lab IV)
Skills Needed: knowledge of meta data and SLEUTHKIT, basic computer skills, how data is stored in different file systems, and file recovery in different file systems
Main Tasks/Procedures: (Lab IV)
- Launch the "Linux - Forensics" virtual machine.
- Locate the index node (inode) using the block number (understand the data structure).
- Use meta data information to recover files.
- Use the Autopsy browser, a graphical HTML interface, at the meta data layer.
- Understand meta data on different (EXT1, EXT2, EXT3…) file systems.
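Added example, not from the lab and not Sleuth Kit's sources: a Python script that unpacks an ext2 inode using the real on-disk layout, recovers the file through its block pointers the way icat does, reads raw blocks the way dcat does, and shows which inode fields change when the file is deleted. The image, the inode values and the file content are constructed for the demo, and only the twelve direct block pointers are followed.

```python
"""Parse an ext2 inode and recover its data the way icat does, from the meta data layer.

Added example, not part of the lab.  The 128-byte on-disk inode layout used here
is ext2's real one (mode, uid, size, atime, ctime, mtime, dtime, gid, link count,
block count, flags, osd1, fifteen block pointers, ...); the image and the inodes
are constructed for the demo, and only the twelve direct pointers are followed.
"""
import struct

INODE_FMT = "<HHIIIIIHHIII15IIIII12s"   # little-endian, struct.calcsize() == 128


def parse_inode(raw):
    """Unpack the fields istat would display from a raw 128-byte inode."""
    f = struct.unpack(INODE_FMT, raw[:128])
    return {"mode": f[0], "uid": f[1], "size": f[2], "atime": f[3], "ctime": f[4],
            "mtime": f[5], "dtime": f[6], "gid": f[7], "links_count": f[8],
            "blocks512": f[9], "flags": f[10], "block": list(f[12:27])}


def inode_state(ino):
    """Allocated or deleted, and whether block pointers survive (Q2 and Q8).

    On ext2, unlink sets dtime and zeroes the link count but leaves the direct
    block pointers intact, which is why recovery through the inode works; ext3
    additionally zeroes the pointers, so the inode no longer leads to the data.
    """
    return {"deleted": ino["dtime"] != 0 or ino["links_count"] == 0,
            "direct_blocks": [b for b in ino["block"][:12] if b],
            "has_indirect": any(ino["block"][12:])}


def icat(image, inode_raw, block_size):
    """Meta data layer read: follow the inode's pointers and trim to i_size."""
    ino = parse_inode(inode_raw)
    data = b"".join(image[b * block_size:(b + 1) * block_size]
                    for b in ino["block"][:12] if b)
    return data[:ino["size"]]           # last block is partial: cut at the file size


def dcat(image, block, block_size, count=1):
    """Data layer read: raw blocks, no inode, no size information (hence no trimming)."""
    return image[block * block_size:(block + count) * block_size]


def make_inode(size, blocks, links=1, dtime=0):
    """Constructed inode for the demo (regular file, mode 0644, owner uid/gid 1000)."""
    ptrs = (list(blocks) + [0] * 15)[:15]
    return struct.pack(INODE_FMT, 0o100644, 1000, size, 1300000000, 1300000000,
                       1300000000, dtime, 1000, links, len(blocks) * 2, 0, 0,
                       *ptrs, 0, 0, 0, 0, b"\0" * 12)


def demo(block_size=1024):
    """Constructed 8-block image holding one file in blocks 5 and 6 (not real evidence)."""
    content = b"keyboard " * 150                       # 1350 bytes: spans two blocks
    image = bytearray(8 * block_size)
    image[5 * block_size:6 * block_size] = content[:block_size]
    image[6 * block_size:6 * block_size + len(content) - block_size] = content[block_size:]
    image = bytes(image)
    live = make_inode(len(content), [5, 6])
    deleted = make_inode(len(content), [5, 6], links=0, dtime=1300001000)
    return {"live_state": inode_state(parse_inode(live)),
            "deleted_state": inode_state(parse_inode(deleted)),
            "recovered": icat(image, deleted, block_size),   # still works: pointers survive
            "raw_last_block": dcat(image, 6, block_size)}    # full block, zero padded


if __name__ == "__main__":
    result = demo()
    print(result["deleted_state"], len(result["recovered"]), len(result["raw_last_block"]))
```

icat trims the last block to i_size because the inode records the file length; dcat has no such information and returns whole blocks, which is the practical difference behind grading question 4 below.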
Expected Outcome: connecting the information gained to recover a file using meta data information and meta data layer understanding.
Suggested Grading Criteria: a test based on the following questions will be used to grade the students (Lab IV):
1)
Use the search word 'keyboard' to recover file05, which is an MS Word document. List all the steps that you will take. In which block of the image is 'keyboard' located?
2)
What would it mean if the stats output shows the index node (inode) as allocated? What would you infer if it were shown as unallocated? Would you infer that the inode being viewed is the same one you looked for in the search?
3)
State three important fields of the meta data needed to recover a file.
4)
What is the difference between icat and dcat? Under what conditions does one have to use dcat for file recovery rather than icat?
5)
What is the difference between exporting data from a file at the meta data layer and from the meta data unit?
6)
What is the main difference in formatting structure and file content between the meta data layer and the meta data unit? The contents of the meta data unit have to be altered when exporting the file to another disk, while no modification is required in the case of the meta data layer. Why?
7)
Carry out the NTFS partition analysis for the meta data information you come across in it. As you are aware, different file structures present information differently; list those differences. This will teach extraction and analysis of data in different file systems. Enumerate and understand the information in the meta data layer of different file structures.
8)
Explain and enumerate the modifications made to an ext2 inode when a file on ext2 is deleted. Then recover the file and explain the process and the changes made.
Possible Bonus Work: None
Duration of Lab: this lab runs for four weeks and the students will need to work in pairs. The course is divided into two parts, each lasting a fortnight. The processes involved recover lost data through meta data in different file systems (for example FAT32 and NTFS on Windows).
Suggested Courses: Computer science theory and file systems organization, Advanced Digital Forensics, and Windows Forensic Analysis
Lab 3 (File Recovery Data Layer/Revisited)
Purpose and Goals of the Lab (Lab V):
- Use of file Headers, meta data to carry out search.
- Data Carving with Foremost (a Linux data recovery program based on headers, footers and data structures)
- Zip files password recovery methodology and techniques
IAS/DF Concepts Covered:
File Recovery using Linux-based software (Lab V)
Software Needed: Linux operating system and KMenu
Skills Needed: In-depth knowledge of the different data layers, file recovery procedures and methodologies and enhanced computer skills
Main Tasks/Procedures (Lab V):
1)
Start by opening the KMenu, then go to the Office menu and look for OpenOffice Writer (a parallel of MS Office, with all features embedded). Launch OpenOffice Writer and open a new text document. Type a couple of paragraphs to try the 'save' features. In the drop-down menu click 'save as', not 'save'. Create a new document with text and go to Save As. Here you need to save the file as Microsoft Word XP/2007/97 (any of them). In the save-to options, type /tmp/test.doc; this is the test file that you will later examine in 'Khexedit'. The file has now been saved. Open the test file using the 'open file' drop-down menu, where you should see your 'recent' document. Click 'properties' at the bottom to view the hex representation of your file. To compare and check the hex allocation, create another file and check its hex allocation too.
2)
You are now ready to launch a 'search' operation using information from the file; this search uses search words that are part of the document you have already created. The header of the document holds the required bytes in hex notation and can be searched in the dls output. To access the hex of interest, dls has to be used; the hex notation is viewed with a utility called 'hexdump', which checks header contents. Alternatively, you can use its -C option, which is parallel to khexedit. This will ultimately lead you to 'grep', which lets you search for the header you are looking for. To search for the header, one needs to use only eight bytes of it. If you want to know the decimal equivalent of the hex code you want to search for in the header, you can use the tool known as KCalc, which can be found easily on the toolbar.
Those were the basic and intricate steps of carving out data (that is, extracting hidden data) from the recesses of the computer's memory. There are, however, easier ways of doing that these days. Under Linux, data carving is done with an application called 'foremost'. After foremost launches and completes its search, you will find the directory /mnt/recover/lab5/foremost-output/. Within this foremost-output directory is a file named audit.txt, which contains the 'offset' value of the memory location of each stored file. All the files found by foremost have their offset values recorded there, including those that did not open at first. All you have to do is modify those files, using the editing features of 'Khexedit', and you will be able to open them. The file allocation need not be restored to the original location completely, as you do not have the hash values for the file; do not worry about that right now. Just make sure you save the file again; that ensures the copy you just created has a fresh hash value and the offsets are redone, so it becomes easier for you to relocate the file in future.
Now open 'zip cracker' from the command line. Allow 'alphabetical' to be selected from your character set. The 'run' or 'next' command will start recovering the password of the zip file, and the password will appear on the screen. Using this password, you can decompress the 'compressed' file stored in .zip format.
At this point you will need to 'revert' your system. The drives that you added while executing these procedures need to be unmounted, and the VMware system needs to be shut down. To go back to the snapshot, all you need to do is hit the 'revert' button in Linux-Forensics. From the C:\vmware-images\Linux - Forensics directory, remove all files that start with 'Linux - Forensics-Image'.
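As an added example, not foremost's code and not part of the lab, the script below carves a .doc and a .zip out of a constructed byte image by their headers and reports their offsets the way audit.txt does. The OLE2 (.doc) and zip signatures are the real ones; the image contents, file names and sizes are made up for the demo.

```python
"""Header/footer data carving in the style of foremost, over a constructed image.

Added example; this is not the lab's own material or foremost's code.  The
signatures are real: an OLE2 compound document (MS Word .doc) starts with
D0 CF 11 E0 A1 B1 1A E1, a zip archive starts with 'PK\\x03\\x04' and ends with
an End Of Central Directory record 'PK\\x05\\x06' of 22 bytes plus an optional
comment whose length sits at offset 20 of that record.  A .doc has no footer,
so it is carved to a configured maximum size as foremost does; a zip is carved
to its true size from the footer, which is what the bonus question is about.
"""
import io
import struct
import zipfile

DOC_HEADER = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
DOC_MAX_SIZE = 4096          # plays the role of the size column in foremost.conf


def carve_zip_length(image, start):
    """Length of the archive starting at 'start', or None if its footer is missing."""
    eocd = image.find(ZIP_EOCD, start)
    if eocd == -1 or eocd + 22 > len(image):
        return None
    comment_len = struct.unpack_from("<H", image, eocd + 20)[0]
    return eocd + 22 + comment_len - start


def carve(image):
    """Scan the image; return audit entries (kind, offset, length, data) like audit.txt."""
    results, pos = [], 0
    while pos < len(image):
        found = [(off, kind) for off, kind in ((image.find(DOC_HEADER, pos), "doc"),
                                              (image.find(ZIP_HEADER, pos), "zip"))
                 if off != -1]
        if not found:
            break
        offset, kind = min(found)           # earliest header wins
        if kind == "doc":
            length = min(DOC_MAX_SIZE, len(image) - offset)
        else:
            length = carve_zip_length(image, offset)
            if length is None:              # header without footer: truncated, skip it
                pos = offset + len(ZIP_HEADER)
                continue
        results.append((kind, offset, length, image[offset:offset + length]))
        pos = offset + length               # resume after the carved file
    return results


def build_sample_image():
    """Constructed 'unallocated space' holding one .doc and one .zip (not real evidence)."""
    doc = DOC_HEADER + b"\x00" * 504                 # header plus filler standing in for a Word file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:           # a genuine, uncompressed zip with a comment
        zf.writestr("a.txt", "alpha\n")
        zf.writestr("b.txt", "beta\n")
        zf.comment = b"lab5"
    zipped = buf.getvalue()
    image = b"\x00" * 1000 + doc + b"\xff" * 5000 + zipped + b"\x00" * 300
    return image, zipped


def run():
    image, zipped = build_sample_image()
    hits = carve(image)
    audit = [(kind, offset, length) for kind, offset, length, _ in hits]
    carved_zip = next(data for kind, _, _, data in hits if kind == "zip")
    names = zipfile.ZipFile(io.BytesIO(carved_zip)).namelist()   # opens only if carved whole
    return audit, carved_zip == zipped, names


if __name__ == "__main__":
    print(run())
```

A zip carved to a fixed maximum size, as the .doc is here, would carry junk after the archive; reading the End Of Central Directory record gives its exact size, which is what the bonus question on zip footers below is after.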
Expected Outcome: Execute file recovery conclusively. This lab section covers the file recovery procedures, basic as well as advanced (Lab V).
Suggested Grading Criteria: the queries that assess the understanding of file recovery, judged from the answers elicited from the students, are (Lab V):
1)
How many blocks did you need to recover or carve out the test Word document (data carving) that you created? Can the same method (recovering a Word document by locating the file header) also be used to recover a plaintext file that contains no formatting? Provide specific and detailed reasons for your answer, whether affirmative or negative.
2)
What detailed steps did you take to obtain the 'offset value' of the block in the image file? State each command that you used, in sequence, and explain its use with reasons. State the starting location of the Word document block.
3)
Retry opening the files that you recovered. As already explained, you can 'unzip' any file by using the unzip command on the command line. Which files opened? If some files are not opening, can you give the reason? Which files do you now consider 'corrupt'?
Possible Bonus Work: Answer to a bonus question option. The question is (Lab V):
Zip files also have a footer. Create a few zip files (# zip zipfile-name files). Now analyze the hex code in a hex editor (khexedit) to find the 'footer'. (Hint: it can be found in the wildcard character in the .config file.) What 'footer' did you find? Modify the configuration file to extract zip files at their original size.
Duration of Lab: this lab is one month long and the students will work in pairs. The lab work is a weekly exercise, so there will be four lab days in the month (Lab V).
Suggested Courses: None to suggest
Part 2 Medium Scale Labs (Windows Client Configuration):
Lab One (Workstation Network Configuration and Connectivity)
Purpose and Goals of the Lab (Windows Client):
Retrieve IP address configuration information using the command line (That's in 'c').
Determine the switches that you can add to the ipconfig (Windows) or ifconfig (Linux) command to expand its functionality.
Use the Windows GUI (Graphical User Interface) to configure a network data card (hardware) to use a given IP address.
Determine your machine's MAC (Media Access Control) address (physical address that can't be modified).
Determine configured network resources specific to your machine (the computer), including its DNS address and Gateway address.
Use the ifconfig (Linux) command to configure and align a network data card with a given IP address.
Understand the testing procedures used to ascertain network connectivity between two computers; this is done by 'pinging' the host computer.
State and explain the options that can be added to the ping command to expand its functionality and gain more information about the connectivity and the two machines.
Use the 'arp' command (Address Resolution Protocol) to view and manage the ARP cache on a computer. It links OSI layer 3 (network) to layer 2 (data link).
IAS/DF Concepts Covered:
Workstation connectivity (that is, the connectivity of the workstation computers and stand-alone systems).
Software Needed: Windows 2003 Server/Windows XP Professional (Windows Client)
Skills Needed: Microsoft working knowledge for interlinking machines and workstation connectivity
Main Tasks/Procedures (Windows Client):
Start the Windows 2003 Server and Windows XP Professional PCs. Log on only to the Windows XP machine.
View the network card configuration using the ipconfig command.
Change the IP address of the Windows XP machine.
Verify the new IP address. Use the ipconfig command to verify that the IP address has changed.
Change the IP address of the Windows XP machine back to the original address.
Ping the Windows 2003 Server machine from the Windows XP PC.
View and modify the ARP table.
Log off from the Windows XP PC.
Expected Outcome: Knowledge of the methods used to establish workstation connectivity
Suggested Grading Criteria: Examine how well the students were able to set up their configurations and observe their explanations about their configurations.
Possible Bonus Work: Students explain their configurations in writing
Duration of the Lab: 2 weeks (Students will work individually bi-weekly to familiarize with configurations)
Suggested Courses: Information Security and Computer Security courses
Lab Two (Port Connection Status):
Purpose and Goals of Lab:
View current TCP/IP network connections, and the commands used to obtain the protocol values.
The use of ports to handle multi-port communication channels.
Expand the use of the netstat command by adding options that extend its functionality.
IAS/DF Concepts Covered: TCP Connections/UDP Connections
Software Needed: Windows XP Professional and Windows 2003 Server (Windows Client)
Skills Needed: working of port connections and dents/Basic computer operating knowledge / Windows OS operating knowledge
Main Tasks/Procedures (Windows Client):
Step 1: Log on to the Windows XP Professional and Windows 2003 Server PCs.
Step 2: Use the netstat command and find the open ports of the Windows 2003 Server.
Step 3: From the Windows XP machine, form an FTP and an HTTP connection with the Server.
Step 4: Reuse the netstat command and ascertain the connections on the Windows 2003 Server.
Step 5: Exit from both the machines.
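Added example, not part of the lab: a Python parser for the table that netstat -an prints, run over constructed output standing in for what Step 4 shows on the server after the XP client has opened an FTP and an HTTP session. It separates listening ports (Step 2) from established sessions (Step 4) and counts sessions per service; the addresses, ports and states in the sample are made up.

```python
"""Summarise netstat -an output: listening ports and the connections to them.

Added example, not part of the lab.  The sample text is constructed in the
layout Windows netstat -an prints (Proto, Local Address, Foreign Address,
State) and stands for Step 4 on the server after the XP client has opened an
FTP and an HTTP session.  Feed parse_netstat() the real command's output to
get the same summary for a live machine.
"""
import re

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        192.168.1.20:1045      ESTABLISHED
  TCP    192.168.1.10:80        192.168.1.20:1046      ESTABLISHED
  TCP    192.168.1.10:80        192.168.1.20:1047      TIME_WAIT
  UDP    0.0.0.0:161            *:*
"""
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")
SERVICES = {21: "ftp", 80: "http"}        # the two services the lab connects to


def parse_netstat(text):
    """Turn the table into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "local": laddr,
                     "lport": None if lport == "*" else int(lport),
                     "foreign": faddr,
                     "fport": None if fport == "*" else int(fport),
                     "state": state or "STATELESS"})      # UDP rows carry no state
    return rows


def listening_ports(rows):
    """Open ports: TCP sockets in LISTENING plus every bound UDP socket (Step 2)."""
    ports = {(r["proto"], r["lport"]) for r in rows
             if r["state"] == "LISTENING" or r["proto"] == "UDP"}
    return sorted(ports)


def established(rows):
    """Live sessions as (local port, peer address, peer port) (Step 4)."""
    return [(r["lport"], r["foreign"], r["fport"]) for r in rows if r["state"] == "ESTABLISHED"]


def sessions_per_service(rows, services=SERVICES):
    """Count established sessions per named service; unknown ports are grouped as 'other'."""
    counts = {}
    for lport, _, _ in established(rows):
        name = services.get(lport, "other")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("listening:", listening_ports(rows))
    print("established:", established(rows))
    print("per service:", sessions_per_service(rows))
```

The TIME_WAIT row is deliberately left out of both summaries: it is a closed session whose socket has not yet been released, which is why a second netstat run after the client disconnects still shows it for a while.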
Expected Outcome: Understanding the concept of network management using netstat.
Suggested Grading Criteria: assessment can be made by asking the trainees to write up the procedures involved in network management, and by evaluating the ease with which they establish connectivity between devices and the internet.
Possible Bonus Work: Question sheet on the lab that can be handed in with the write-up.
Duration of the lab: Two weeks (working independently for two weeks to gain an insight to form connectivity)
Suggested Courses: None
Lab Three (FTP Communication)
Purpose and Goals of the Lab: (FTP):
View a web page using a browser.
Using HTML and a text editor, create a web page.
Upload a web page to a Windows-based web server.
IAS/DF Concepts Covered: HTTP (Hypertext Transfer Protocol) File Transfer Protocol (FTP), and HTML
Software Needed: Windows 2003 Server/Windows XP Professional (FTP)
Skills Needed: working knowledge of Windows OS, familiarity with FTP and HTTP
Main Tasks/Procedures (FTP):
1)
Start the Windows 2003 Server and Windows XP Professional machines. Start only the Windows XP machine.
2)
Create a simple web page.
3)
View the webpage using Internet Explorer.
4)
Upload the web page to the web server.
5)
Use Internet Explorer and view the page from the web server.
6)
Log off from the Windows XP Professional PC.
Expected Outcome: Creating a simple web page and uploading it to the web server. Understanding the use and importance of Windows, HTML, FTP and HTTP.
Suggested Grading Criteria: Teacher supervised participation in group discussion and a written test taken on the teachings of the lab-work.
Possible Bonus Work: The trainees are given a chance to exhibit their knowledge in an open seminar due shortly, where they demonstrate their experiences and learning to visitors and take questions from the audience and guests.
Duration of the Lab: two weeks. Students are required to work in pairs, create web pages and upload them to the server to be viewed by different people. An understanding of the process is expected from the students.
Suggested Courses: Internet Security, Introduction to Computer Sciences, and IAS courses
Lab 4 (Unix File Recovery)
Purpose and Goals of the Lab (Unix File):
- Revisiting unallocated space and its extraction using dls
- Interpret the file system information from the superblock
- Correspond each file to its block number
- Recovery of files from unallocated blocks
- Differentiating sequential (contiguous) and fragmented (noncontiguous) files
- Making use of the Autopsy Forensic Browser
IAS/DF Concepts Covered: File Recovery
Software Needed: Linux and Autopsy Forensic Browser
Skills Needed: Basic computer skills, Knowledge of Microsoft programs, knowledge of file recovery, and working knowledge of Linux
Main Tasks/Procedures (Unix File):
1)
Recovering Unallocated Space
2)
Obtaining Plaintext from Unallocated Space
3)
Locating Files by Block Numbers
4)
Extracting Data Blocks
5)
Partial Block File Sizes
6)
Recovering Files in Contiguous Blocks
7)
Recovering Files in fragmented or Noncontiguous Blocks
8)
Recovery of a Non-plaintext File
9)
Using the Autopsy Forensic Browser
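The following is an added example, not part of the lab: a Python reproduction of tasks 2 to 7 on a constructed image of ten unallocated blocks. It covers string extraction with byte offsets (as strings -t d gives), locating a file by search word, converting the byte offset to a block number, and dcat-style recovery of a contiguous file and a fragmented one with the partly used last block trimmed. File names, sizes and block placements are made up.

```python
"""Locate and recover files in unallocated space by block number (Lab 4 tasks 2-7).

Added example, not the lab's own material.  It reproduces in Python the pipeline
the lab runs with Sleuth Kit tools: strings -t d over image.unalloc.dls, grep for
a file name, byte offset to block offset, then dcat-style block reads for a
contiguous file and a fragmented one.  The image is constructed here, so the
block numbers are positions within the dls output, not original file system
block numbers.
"""

BLOCK = 1024


def extract_strings(data, min_len=4):
    """Like 'strings -t d': (byte_offset, text) for every printable ASCII run."""
    out, run, start = [], bytearray(), None
    for i, byte in enumerate(data + b"\x00"):        # trailing sentinel flushes the last run
        if 32 <= byte < 127:
            if start is None:
                start = i
            run.append(byte)
        else:
            if len(run) >= min_len:
                out.append((start, run.decode("ascii")))
            run, start = bytearray(), None
    return out


def grep(strings, needle):
    """Keep the strings containing the search word, with their byte offsets."""
    return [(off, text) for off, text in strings if needle in text]


def byte_to_block(byte_offset, block_size=BLOCK):
    """Q3: the block holding a byte offset is the integer quotient by the block size."""
    return byte_offset // block_size


def dcat(image, block, count=1, block_size=BLOCK):
    """Data layer read of 'count' blocks starting at 'block' (no size information)."""
    return image[block * block_size:(block + count) * block_size]


def recover(image, runs, size, block_size=BLOCK):
    """Join block runs [(start, count), ...] and trim to the file size.

    A contiguous file needs a single dcat; a fragmented one needs one per run
    (file04 in the lab: two calls).  The last block is only partly used, so the
    trailing bytes past 'size' are slack and must be cut off.
    """
    data = b"".join(dcat(image, b, n, block_size) for b, n in runs)
    return data[:size]


def build_image():
    """Constructed dls-style image of 10 unallocated blocks (not real evidence)."""
    file01 = (b"file01 lab notes line\n" * 70)[:1500]        # contiguous: blocks 2-3
    file04 = (b"file04 fragmented report\n" * 100)[:2300]    # fragmented: block 5, then 7-8
    img = bytearray(10 * BLOCK)
    img[2 * BLOCK:2 * BLOCK + 1500] = file01
    img[5 * BLOCK:6 * BLOCK] = file04[:BLOCK]
    img[6 * BLOCK:7 * BLOCK] = b"x" * BLOCK                  # block 6 belongs to another file
    img[7 * BLOCK:7 * BLOCK + 1276] = file04[BLOCK:]
    return bytes(img), file01, file04


def run():
    image, file01, file04 = build_image()
    hits = grep(extract_strings(image), "file01")
    first = hits[0][0]
    return {"byte_offset": first,
            "block": byte_to_block(first),
            "file01_ok": recover(image, [(2, 2)], len(file01)) == file01,
            "file04_ok": recover(image, [(5, 1), (7, 2)], len(file04)) == file04,
            "slack_in_last_block": BLOCK - len(file04) % BLOCK}


if __name__ == "__main__":
    print(run())
```

With a real image the block size comes from the file system's superblock (task 2 of the goals), and the runs for a fragmented file come from the inode or from inspecting neighbouring blocks; here they are known because the image was built that way.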
Expected Outcome: An understanding of certain file types and Extraction of files
Suggested Grading Criteria: Students give written answers to questions on the lab exercise. The questions are (Unix File):
1)
Extract the unallocated space to the file image.unalloc.dls. Explain your procedure and the commands you used. Take care to avoid loss of any data during the process, as you are acting as the investigator.
2)
Explain the commands and procedure you would follow to extract plaintext from the unallocated image to the file image.unalloc.str. Explain the use of 'grep' to locate the files.
3)
State the block size for this image. State the byte offset of the string "file01" in the .dls file. How would you convert this byte offset to a block offset in the .dls file, and what is that value?
4)
Ascertain the location of file02 in the image.dd file. Explain the process. What was the block number you found?
5)
Explain the use of dcat to obtain all the blocks for file04. Name each part file04-p1, file04-p2, etc. (Hint: you will not need to use dcat more than twice to obtain all the data blocks.)
Possible Bonus Work: There is a bonus assignment for students that can be given along with the written work assignment. The assignment (Unix File):
There are more uses of 'dd' than just imaging disks; it can also be used for file recovery. Demonstrate that by recovering file03. Carry out the procedure so that the recovered file's size matches the original.
Duration of the Lab: the lab work lasts two weeks. Each student works independently three times a week, and so does the required lab work six times during the course.
Suggested Courses: None
Lab Five (Search Word Filtering from Unallocated, Slack, and Swap Space)
Purpose and Goals of the Lab (Search Word):
- Forming an initial search word list to begin an investigation. Towards this, the interview process has to be understood.
- Extraction of unallocated space found in an image
- Extraction of slack space found in an image
- Copy the swap file
- Use your search list to look for, analyze evidence from unallocated, slack, and swap space
- Incorporate words in the search list that you come across in the investigation and repeat the process of investigation. This is an iterative process.
IAS/DF Concepts Covered: Creation of a search list to carry on the investigation process. The evidence found will be analyzed from the search list.
Software Needed: NTFS System / Windows XP Professional / Linux
Skills Needed: Basic computer skills, forming a search word list, familiarity with Windows, and knowledge of digital forensics.
Main Tasks/Procedures (Search Word):
1)
Extraction of Unallocated Space
2)
Extraction of Slack Space
3)
Copying the Swap File
4)
Extraction of Plaintext from Unallocated, Slack and Swap Space
5)
Deciphering evidence by using a Search Words list
6)
Rinse and Repeat
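Added example, not the lab's own material: a Python implementation of the search-word loop (tasks 4 to 6) over three constructed regions standing in for the unallocated, slack and swap extracts. Each pass searches the list, harvests e-mail addresses and file names from the context around hits, extends the list and repeats until nothing new turns up; it also emits the SHA-1 lines that grading question 3 asks to append to image.sha1.txt. The region contents, names and addresses are made up.

```python
"""Search-word filtering over unallocated, slack and swap space (Lab 5, tasks 4-6).

Added example, not the lab's own material.  The three regions are constructed
byte strings standing in for the files the lab produces (the dls output, the
slack-space extract and the copied swap file).  It runs the iterative loop the
lab describes: search the list, read the context around each hit, harvest new
leads from it (e-mail addresses and file names here), add them to the list and
search again until nothing new turns up.  It also produces the SHA-1 lines Q3
asks to append to image.sha1.txt.
"""
import hashlib
import re

REGIONS = {   # constructed stand-ins, not real evidence
    "unalloc": b"\x00" * 64 + b"Invoice for project Bluebird sent to j.doe@example.org\n" + b"\x00" * 64,
    "slack": b"\xffMeeting with Bluebird contact at warehouse 7\n" + b"\xff" * 32,
    "swap": b"\x00" * 16 + b"warehouse 7 key code in notes.txt j.doe@example.org\n" + b"\x00" * 16,
}
CONTEXT = 64                      # bytes shown either side of a hit
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
FILENAME = re.compile(r"\b\w+\.(?:txt|doc|zip)\b")


def search(regions, terms):
    """Case-insensitive search; returns (region, term, offset, context) per hit."""
    hits = []
    for name, data in regions.items():
        lowered = data.lower()
        for term in terms:
            needle = term.lower().encode()
            pos = lowered.find(needle)
            while pos != -1:
                ctx = data[max(0, pos - CONTEXT):pos + len(needle) + CONTEXT]
                hits.append((name, term, pos, ctx.decode("latin-1")))
                pos = lowered.find(needle, pos + 1)
    return hits


def new_terms_from(hits, known):
    """Leads found in hit context that are not on the list yet ('threads and clues')."""
    found = set()
    for _, _, _, ctx in hits:
        found.update(EMAIL.findall(ctx))
        found.update(FILENAME.findall(ctx))
    return found - set(known)


def iterate_search(regions, initial_terms, max_rounds=5):
    """Rinse and repeat: returns the final term list and (terms, hit count) per round."""
    terms, rounds = list(initial_terms), []
    for _ in range(max_rounds):
        hits = search(regions, terms)
        rounds.append((list(terms), len(hits)))
        extra = new_terms_from(hits, terms)
        if not extra:
            break
        terms.extend(sorted(extra))
    return terms, rounds


def region_hashes(regions):
    """Lines for image.sha1.txt; append them, never overwrite the whole-image hash."""
    return [f"{hashlib.sha1(data).hexdigest()}  {name}" for name, data in regions.items()]


if __name__ == "__main__":
    final_terms, history = iterate_search(REGIONS, ["Bluebird", "warehouse 7"])
    for terms, count in history:
        print(f"{count} hits with {terms}")
    print("\n".join(region_hashes(REGIONS)))
```

Starting from two interview-derived terms, the first pass turns up an e-mail address and a file name in the hit context; the second pass searches for those too and finds nothing further, so the loop stops. Short or generic terms produce the false hits question 4 asks about, which is why the harvest here is limited to structured tokens.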
Expected Outcome: the student will learn the process of searching files using the key search words provided. This helps them understand the concept of search words in investigation procedures.
Suggested Grading Criteria: Students are expected to write down their lab training experiences. A discussion supervised by the teacher will evaluate the participation of the students. The questions asked will be (Search Word):
1)
Were you able to use dd to write the image file to a fresh blank drive as a bootable clone? Support your answer with reasoning.
2)
What is slack space and slack data? What is the difference in the two? Can slack data exist in unallocated space? Support your answer with reasoning.
3)
What attributes are required for the unallocated, slack and swap data files? What command is used to establish them? What is the command to append all three hashes to the file /mnt/evidence/lab2/image.sha1.txt? Do not overwrite the hash of the complete image file.
4)
What are the different types of information obtained by you? Did you get many false hits, why? What steps would you take to narrow down the search list? You should look for threads and clues with the help of which you can continue searching for any other evidence.
Possible Bonus Work: individual case files to be handled individually by the students. The work file will record the work done.
Duration of the Lab: the training duration for this module is two weeks. Students will be required to work in pairs and the search lists will have to be analyzed together. The lab training will be conducted three times a week. A test will be taken at the weekend after the training is over. In the bonus section, each student will be offered the chance to work independently and respond to the queries given as a task.
Suggested Courses: Introduction to Digital Forensics, Advanced Digital Forensics, and Advanced Computer Science. Students coming to this course are expected to have a sound knowledge of computer science; that is a prior requirement for this syllabus. It is most desirable that pupils choose a course in forensic sciences if they wish to enroll for this training. Students with exposure to computer science at the undergraduate level can also take up this course. It is advised that a course in computer science and this training not be done simultaneously.
Part 3 Small Scale Labs
Lab One (Disk Cloning and Imaging)
Purpose and Goals of the Lab (Disk Cloning):
- Alter device configuration in a VMWare system
- Make an image of Drive on a file
- Next, from this image, try to remove a partition from the image file.
- Prepare this image as 'read only', and remember to use it as a loopback prior to read only.
- Prepare the drive for cloning
- Understand cloning as against imaging a drive to a file
- Use hashing to check the contents and structure of the cloned data.
IAS/DF Concepts Covered:
Imaging and Cloning Of Disks
Software Needed: VMWare
Skills Needed: Basic computer knowledge and information of disk imaging and cloning
Main Tasks/Procedures (Disk Cloning):
1)
Creating Virtual Disks in VMWare
2)
Imaging A Disk
3)
Verify Disk Image
4)
Division of each Partition
5)
Mounting And Partitioning Images
6)
Cloning
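Added example, not part of the lab: a Python script that images a constructed drive dd-style, verifies the image by SHA-1 hash, reads the MBR partition table to find each partition's starting sector, and splits one partition out of the image. The MBR layout (partition table at byte 446, four 16-byte entries, 0x55AA signature at byte 510) is the real one; the partition types, sectors and sizes are made up for the demo.

```python
"""Image a 'drive', verify the image by hash, and read its partition table.

Added example, not part of the lab.  The drive is a constructed byte string
with a hand-built MBR: the standard layout (partition table at byte 446, four
16-byte entries, 0x55AA signature at 510) is real, the partition values are
made up.  It answers, in code, what the lab asks: compare hashes of source and
image, find each partition's starting sector, and turn that into the byte
offset a read-only loopback mount of one partition needs.
"""
import hashlib
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_drive(total_sectors=4096):
    """Constructed drive: MBR plus two primary partitions (not a real disk)."""
    mbr = bytearray(512)
    entries = [(0x83, 63, 2000), (0x07, 2063, 2033)]   # (type, start LBA, size in sectors)
    for i, (ptype, start, size) in enumerate(entries):
        status = 0x80 if i == 0 else 0x00             # first partition flagged bootable
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", start, size)
    mbr[510:512] = b"\x55\xaa"
    drive = bytearray(total_sectors * SECTOR)
    drive[0:512] = mbr
    drive[63 * SECTOR:63 * SECTOR + 32] = b"partition one filesystem header!"
    drive[2063 * SECTOR:2063 * SECTOR + 32] = b"partition two filesystem header!"
    return bytes(drive)


def image_drive(drive, block_size=4096):
    """dd-style copy: read the source in fixed blocks, hashing while copying."""
    out, digest = bytearray(), hashlib.sha1()
    for i in range(0, len(drive), block_size):
        chunk = drive[i:i + block_size]
        digest.update(chunk)
        out += chunk
    return bytes(out), digest.hexdigest()


def verify_image(drive, image):
    """Source and image must hash identically, or the image is not a faithful copy."""
    return hashlib.sha1(drive).hexdigest() == hashlib.sha1(image).hexdigest()


def parse_mbr(image):
    """Read the four partition entries; empty slots are skipped."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, size = struct.unpack_from(ENTRY_FMT, image, 446 + 16 * i)
        if ptype == 0 or size == 0:
            continue
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "start_sector": start, "sectors": size,
                      "byte_offset": start * SECTOR})    # what a loopback mount's offset= takes
    return parts


def extract_partition(image, part):
    """Split one partition out of the image (the lab's 'division of each partition')."""
    return image[part["byte_offset"]:part["byte_offset"] + part["sectors"] * SECTOR]


def run():
    drive = build_drive()
    image, digest = image_drive(drive)
    parts = parse_mbr(image)
    first = extract_partition(image, parts[0])
    return {"verified": verify_image(drive, image), "parts": parts,
            "p1_head": first[:32], "digest": digest}


if __name__ == "__main__":
    result = run()
    print("image verified:", result["verified"], "sha1:", result["digest"])
    for p in result["parts"]:
        print(p)
```

The byte_offset field is the number a read-only loopback mount of a single partition takes (offset = starting sector times 512); hashing the image before and after mounting it read-only confirms that the examination did not alter it.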
Expected Outcome:
- The main aim is to understand the difference between imaging a drive onto a file and creating a clone of the disk in question.
- Creating a new clone of the disk in question
Suggested Grading Criteria:
The ability of the student to image a disk in a file and to create a clone of the disk.
Possible Bonus Work (Disk Cloning):
- Testing the students on their ability to understand the practical work, based on their answers to the following questions:
- What possible effect can an internet connection have on a machine while a drive is being analyzed for its contents on your home computer?
- It is always advisable to use an independent, blank drive, much larger than the original from which the image or clone is obtained. Why is that important for the image? List all the possible reasons.
- Use the partitioning command line tool 'fdisk' (for Windows) to ascertain the device names linked to the blank drive and the drive under scrutiny. What are the pointers that reveal the identity of a drive?
- Read out the displayed sector numbers for the two partitions that you created. Identify the starting sector number of each partition. Work out the bytes properly if the displayed numbers are not aligned. Note that the first sector never begins at '0'; there is no sector '0'. Why?
Duration of Lab- 2 Days
Suggested Courses- Introduction to Computer Programming, Introduction to Digital Forensics, Knowledge of Advanced Digital Forensics, Knowledge of Forensic Recovery of Evidence Device (FRED)
Lab 2 (Digital Forensics with FRED)
Purpose and Goals of the Lab (Digital Forensics):
As the name suggests, FRED is a dedicated workstation for evaluating the contents of another hard disk. In this course the trainee is given an introduction to the FRED system. The introductory workshop covers the workings of 'Triage' and 'Duplication' techniques. This advanced platform can be used in conjunction with other digital forensic devices, and trainees are taught how to configure it for such supplementary and complementary uses. This course is of specific use to eDiscovery practitioners and first responders. New enrollees gain an insight into the new developments taking place in the digital forensic world that outdo criminals by upstaging their smartness with digital devices. The basic premise for such a workstation is that no data is ever fully lost.
IAS/DF Concepts Covered (Digital Forensics):
- Introduction and overview of Digital Intelligence hardware
- Understanding FRED
- Troubleshooting and Updating
- Optimizing Configurations
- Creating Back Up and Restore files
- Understanding specific software tools-Forensic and eDiscovery Overview
- Forensic Triage and Duplication
Software Needed:
FRED (specific Forensic recovery software tool)
Skills Needed:
Familiarity with Microsoft Windows and the basics of the data recovery process (Digital Forensics). Familiarity with English is essential.
Main Tasks/Procedures: (Digital Forensics):
Introductions by the staff and students
A brief discussion of the various FRED systems and configurations
Overview and introduction of additional Digital Intelligence hardware: write blockers, storage solutions, adapters, etc.
Different components of a FRED system
Understanding of write blocker Ultrabay and its functions
Understanding detachable drive bays and their functions
Introduction of Forensic Card Reader for detachable media
Identify and use software to update components
Understanding and resolution of technical issues
Discuss FRED options and RAID systems
Identify optimal configurations
Understand system restore disc/restoration of SUSE Linux disc
Discuss procedures of creating backup files using FRED
Learn the basic components in typical forensics and eDiscovery analysis.
Learn creation of a forensics triage
Understand common forensic duplication instances
Learn duplication of all media types
Learn duplication and the splitting or merging of media files.
Expected Outcome: Gain an insight of the FRED system
Suggested Grading Criteria: students are assessed on performing the procedures taught and practised. Involvement in discussions can also be used for assessment.
Possible Bonus Work: None
Duration of Lab: One day (Digital Forensics)
Suggested Courses: Introduction to Digital Forensics, Introduction to Microsoft Windows
Lab 3 (Encase 7: Basic and Intermediate Topics)
Purpose and Goals of the Lab: (Encase 7)
This is a four-day class. It familiarizes the trainee with Windows-based artifacts that were omitted or skipped earlier, and with conducting forensic examinations with EnCase v7.
IAS/DF Concepts Covered: Encase 7
Software Needed: Windows 7/Windows XP (Encase 7)
Skills Needed: English language, a basic digital forensic lab training course, familiarity with Microsoft Windows and concepts of data recovery
Main Tasks/Procedures (Encase 7):
1)
Identification of main drives and interfacing devices
2)
Identification of forensic importance in the CMOS (memory)
3)
Circumventing passwords associated to CMOS
4)
ASCII/ANSI character sets and their characteristics, definition of Unicode
5)
Understand 'Sectors' and Bios Settings, LBA
6)
Knowledge of various Operating Systems (OS like windows, Linux, Unix)
7)
Knowledge of various File Systems
8)
Partitioning in primary and extended forms
9)
Extracting hidden partitions and deleted ones
10)
Knowledge of File Allocation Tables (FAT32)
11)
Differentiate between System and Data segments on a formatted disk
12)
Understand the working of New Technology file System (NTFS)
13)
Understanding the $Metadata files
14)
Describe the Master File table (MFT) for files and folders
15)
Creation of forensic triage
16)
Understand duplication problems occurring frequently
17)
Creation of images for media types
18)
Conversion of duplicate forensic formats
19)
Join split images to recreate the original single file
20)
Identification of .config Files
21)
Memory locations and mapping methods
22)
Understanding creation of a case
23)
Highlighting methodologies to screen attributes in the application
24)
Using the Case Processor feature to recover deleted partitions
25)
Downloading and accessing NIST NSRL and Hashkeeper for FTK updates and databases
26)
Creating and editing custom hash sets
27)
Windows Registry/Email/Link File/Internet Artifacts
Expected Outcome: knowledge of conventional artifacts of normal operating system functions and user interactions
Suggested Grading Criteria: written exam on the practical work practiced shall be used to evaluate conceptual assimilation.
Possible Bonus Work: None offered
Duration of the Lab: the lab duration is four days (Encase 7). The syllabus has been split into two sections to ease the assimilation process.
Suggested Courses: Advanced English knowledge, higher level Computer Technology courses, and courses in forensic sciences.
Lab 4 (Basic DOS Commands)
Purposes and Goals of the Lab (Some Basic DOS):
This course will enable the trainee to use the DOS prompt and reach the inner workings of the computer. The skills gained will be the creation of files, directories and partitions, and accessing and modifying directories. Trainees should be able to change file attributes and file structure after completing the course.
IAS/DF Concepts Covered: various Disk Operating System (DOS) Commands
Software Needed: Disk Operating System (DOS)
Skills Needed: Basic computer working
Main Tasks/Procedures (Some Basic DOS):
1) The DOS prompt can be accessed in various ways. The most common is to start Windows, click Start > Run, then type "command". Alternatively, click Start > Programs > Accessories and select Command Prompt. If Windows fails to start, press F8 while booting and then select "Safe mode with command prompt" from the options on the screen.
2) At the "C" prompt, type "dir". This will display the list of directories in the drive.
3) To create a new directory, type the md directory_name or mkdir directory_name command. Type "md IT" to create the IT directory.
4) Next, display the IT directory using the dir command at the root (C:\>).
5) The cd directory_name or chdir directory_name command changes directories.
6) For example, to access the "IT" directory, type "C:\>cd IT". Using this command will change the "C" prompt to C:\IT>.
7) The command prompt should now be C:\IT>. Now, create one more directory called "pcs".
8) Access the "pcs" directory.
9) The copy con filename command creates a new file. This copies typed input from the console (con) and places it in a file in the directory. The console is the screen and keyboard. A blank line follows this command. Next, type the text to be stored in the created file. Press Ctrl+Z and then Enter. The screen (console) will now read "1 file(s) copied."
10) Display the contents of the "pcs" directory. The screen displays sample.txt in the directory. Figure [4] shows the DOS output for the DIR command in the "pcs" directory.
11) Type attrib filename to display the attributes of a particular file.
12) Modify attributes using the attrib [-/+] attribute_value filename command. The minus (-) option removes an attribute from a file and the plus (+) option adds one. As discussed, valid attribute values are R (read-only), A (archive), S (system), and H (hidden).
Expected Outcome: Using Disk Operating System commands
Suggested Grading Criteria (Some Basic DOS):
following queries' answers based on lab work:
What is the command to make a directory?
What is the command to delete or remove a directory?
What are the four different attributes of a file?
Possible Bonus Work: No bonus work will be given
Duration of the Lab: This lab exercise is to be done independently in a one-day schedule; students will work individually.
Suggested Courses: Introduction to English, Digital Forensics, Advanced Digital Forensics & Introduction to Computer Science. These basic concepts are expected from the trainees prior to attending this course.
Lab 5 (Caesar Cipher in C)
Purpose and Goals of the Lab (Lab 9 Caesar Cipher):
Write the Caesar cipher in C. Read the text thoroughly and understand all specifications for the implementation.
IAS/DF Concepts Covered:
Caesar Cipher
Software Needed:
Caesar Cipher
Skills Needed: Caesar Cipher knowledge
Main Tasks/Procedures (Lab 9 Caesar Cipher):
a) Create two strings (contiguous data values) as global variables.
b) Print a prompt that asks to either decrypt or encrypt a string, or 'x' to quit.
c) Print a prompt (a 'printf' statement followed by 'scanf') asking the user to enter a number between 1 and 25, the shift amount.
d) Decrypt or encrypt the string by prompting a request to the user (you).
e) Display encrypted/decrypted characters.
f) Use Print statement to display the source string, the decrypted/encrypted string.
g) Repeat all steps from b)
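The procedure above, carried through as one complete program. This is an added example written for this page, not the lab's own solution or any student's submission: the buffer size, the function names caesar_encrypt and caesar_decrypt, and the single-letter menu choices are assumptions of this example. It follows the lab's shape (two global strings, an encrypt/decrypt/quit prompt, a shift of 1 to 25 read with scanf, display of both strings, and a loop back to the prompt) and adds the checks a practitioner would expect: the shift is validated, only letters are shifted so punctuation survives, and decryption reuses the encryption routine with the complementary shift so the arithmetic never goes negative.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The two global strings the lab asks for: the source text and its
 * transformed counterpart. BUF_LEN is an assumption of this example. */
#define BUF_LEN 256
char source_text[BUF_LEN];
char result_text[BUF_LEN];

/* Shift one character by `shift` positions within its own alphabet,
 * preserving case and leaving digits, punctuation and spaces as-is. */
static char shift_char(char c, int shift)
{
    if (isupper((unsigned char)c))
        return (char)('A' + (c - 'A' + shift) % 26);
    if (islower((unsigned char)c))
        return (char)('a' + (c - 'a' + shift) % 26);
    return c;
}

/* Encrypt `in` into `out` with a shift of 1..25.
 * Returns 0 on success, -1 if the shift is outside the lab's range. */
int caesar_encrypt(const char *in, char *out, size_t out_len, int shift)
{
    size_t i;
    if (shift < 1 || shift > 25 || out_len == 0)
        return -1;
    for (i = 0; in[i] != '\0' && i + 1 < out_len; i++)
        out[i] = shift_char(in[i], shift);
    out[i] = '\0';
    return 0;
}

/* Decrypting with shift k is encrypting with 26 - k, which stays
 * in 1..25 and keeps every intermediate value non-negative. */
int caesar_decrypt(const char *in, char *out, size_t out_len, int shift)
{
    if (shift < 1 || shift > 25)
        return -1;
    return caesar_encrypt(in, out, out_len, 26 - shift);
}

/* Read one line from stdin into buf, dropping the trailing newline. */
static int read_line(char *buf, size_t len)
{
    if (fgets(buf, (int)len, stdin) == NULL)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Consume whatever scanf left on the current input line. */
static void discard_line(void)
{
    int ch;
    while ((ch = getchar()) != '\n' && ch != EOF)
        ;
}

int main(void)
{
    char choice[8];
    int shift;

    for (;;) {
        /* Step b: encrypt, decrypt, or quit */
        printf("(e)ncrypt, (d)ecrypt, or x to quit: ");
        if (read_line(choice, sizeof choice) != 0 || choice[0] == 'x')
            break;
        if (choice[0] != 'e' && choice[0] != 'd')
            continue;

        /* Step c: printf prompt followed by scanf for the shift, validated */
        printf("Shift amount (1-25): ");
        if (scanf("%d", &shift) != 1 || shift < 1 || shift > 25) {
            printf("Shift must be a whole number between 1 and 25.\n");
            discard_line();
            continue;
        }
        discard_line();

        /* Step d: the string to transform */
        printf("Enter the text: ");
        if (read_line(source_text, sizeof source_text) != 0)
            break;
        if (choice[0] == 'e')
            caesar_encrypt(source_text, result_text, sizeof result_text, shift);
        else
            caesar_decrypt(source_text, result_text, sizeof result_text, shift);

        /* Steps e and f: show source and result; step g is the loop itself */
        printf("Source: %s\nResult: %s\n", source_text, result_text);
    }
    return 0;
}
```

Compile with any C compiler (for example `cc caesar.c -o caesar`) and run interactively. A quick sanity check that the two routines are inverses: encrypting "Hello, World!" with shift 3 gives "Khoor, Zruog!", and decrypting that with shift 3 restores the original.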
Expected Outcome: Understanding Caesar Cipher Algorithm
Suggested Grading Criteria: Grading is based on completing the job successfully and the quality of the task assigned to the student.
Possible Bonus Work: None provided
Duration of the Lab: Individual working process for a one-day duration of the lab
Suggested Courses: Advanced Digital Forensics, Computer Science
Lab 6 (Computer Forensic Analysis and Validation)
Purposes and Goals of the Lab (Computer Forensic Analysis):
The skills of forensic analysis will be used in this lab to explain relevant data and its analysis. Hex code validation and applications of forensic software are explained.
IAS/DF Concepts Covered: Forensic Analysis
Software Needed: Microsoft Office
Skills Needed: Basic Computer Skills
Main Tasks/Procedures (Computer Forensic Analysis):
- Choosing or screening data that should be analyzed in a digital forensics investigation.
- Tools used for validating data.
- Explain the common techniques for hiding data.
- Explain methods to acquire data remotely.
Expected Outcome:
Knowledge of Computer Forensic Analysis
Suggested Grading Criteria:
The students will prepare a report on the work of the course and hand it over within a week's time of completion of the course.
Possible Bonus Work: None
Duration of the Lab:
This lab is of two days' duration; working will be independent.
Suggested Courses:
None required
Lab 7: Understanding Computer Investigations
Purposes and Goals of the Lab (Understanding Computer):
Investigation management is the main theme of this lab. There are many challenges that analysts and investigators come across when pursuing an investigation. The problems could lie in the analysis, the data collection or even the preparatory stage. In this workshop, the troubles that may crop up will be explained to trainees, and readiness of mind becomes an important factor.
IAS/DF Concepts Covered:
Computer Investigations
Software Needed:
Linux and Microsoft Office
Skills Needed: Basic computer skills, working of MS Office and knowledge of forensics and digital forensics
Main Tasks/Procedures (Understanding Computer):
1) Preparations needed for a computer investigation
2) Plan a systematic analytical procedure for the investigation
3) Plan methods for elite-corporate investigations
4) Explain the use and importance of data recovery hardware (workstations) and software
5) Describe the steps to carry out an investigation
6) Explain the steps for closure and critically analyze a case
Expected Outcome:
Trainees acquire insight into working of investigations using computer
Suggested Grading Criteria: Trainees will need to answer lab-work-based questions
Possible Bonus Work: No bonus work is given.
Duration of the Lab: This is a three-day course.
Suggested Courses: None
Lab 8 (Working with Windows and Disk Operating System)
Purpose and Goals of the Lab (Working with Windows):
The data management system of MS-OS (Microsoft Operating system) is discussed here.
Once familiar with the working, inadvertent erasure of data will be avoided in practical conditions when analyzing information on a disk.
IAS/DF Concepts Covered:
Disk Operating System
Software Needed:
Disk Operating System
Skills Needed:
Familiarization with DOS and basic computer operational skills
Main Tasks/Procedures (Working with Windows):
a. File systems - use and structure.
b. Describe types of file structure of Microsoft
c. Explain the NTFS files structure
d. Enumerate different procedures for decrypting drives whose entire disk has been encrypted.
e. Explain the working of Windows Registry.
f. Describe Microsoft boot procedures.
g. Describe MS-DOS startup tasks.
h. Explain the use and importance of a virtual machine.
Expected Outcome:
Trainees will understand the working of DOS and be able to explain the use and importance of virtual machine
Suggested grading Criteria:
Students will have a practical exam as well as written exam based on lab work.
Possible Bonus Work:
Students will be given a mini project based on the lab-work.
Duration of the Lab:
One week individual working mode
Suggested Courses:
Introduction to Digital Forensics, Intermediate Digital Forensics and Computer Lab
Lab 9 (Computer Forensics Tools)
Purpose and Goals of the Lab (Computer Forensics):
The purpose of this lab is to make practical use of the tools in software and hardware devices for forensic analysis.
IAS/DF Concepts: Linux
Software Needed:
Microsoft Office
Skills Needed:
Basic computer operating knowledge
Main Tasks/Procedures (Computer Forensics):
a. Explain use of computer forensics tools.
b. List the various computer forensics software(s)
c. List attributes of computer forensics hardware
d. Calibration and testing of computer forensics tools.
Expected Outcome:
Understanding the application of tools in field activities
Suggested Grading Criteria:
Based on presentation given on lab work
Possible Bonus Work:
Students will be given the findings of the lab
Duration of Lab:
Individual working for three days
Suggested Courses:
Introduction to Computer Science, Digital Forensics Introduction
Lab 10 (Email Investigations)
Purpose and Goals of the Lab (Email):
This lab will teach the workings of e-mail, the protocols followed, the servers accessed and the interfacing with the internet. It will also introduce some basic tools used in digital forensic science based on the Linux operating system.
IAS/DF Concepts Covered:
Specialized Linux-based Forensic Tools (Autopsy - graphical interface)
Software Needed:
Linux
Skills Needed:
Use and operation of e-mail and the internet, and basic ability to use a computer. Development of computer skills.
Main Tasks/Procedures (Email):
a. What is the part played by e-mail in any investigation?
b. Explain the 'client' and 'server' as referred to in e-mail.
c. How is e-mail, and investigating it, important for detection and prevention of crimes?
d. What is the use of the logged data in e-mails at the server end?
e. What are the different types of tools available that make use of e-mail?
Expected Outcome:
The comprehension of importance of analyzing the e-mail use to detect and prevent crimes. In general, understand the e-mail relevance in legal domain.
Suggested Grading Criteria: The students are expected to complete all the tasks and understand all the concepts clearly. The teacher is expected to give his remarks on the performance of the student.
Possible Bonus Work:
Description of the content in the lab syllabus.
Duration:
This is a one-day workshop that each trainee will work on independently, as it is a basic syllabus.
Suggested Courses: None
Forensic data and its significance
The significance of forensic data scouring and the retrieval of hidden, deleted and corrupted data can be best understood from the following real-life incident. Facts unraveled from a computer's storage were used as evidence, and the timeline of the series of events was established. The Illinois police department was tipped off about a 'sex party'. The worrying part was that two children, aged three and 11, were allegedly taken to the party by a woman from Chicago (F.B.I Digital Forensics). Three adults sexually abused the kids. By the time the information reached the police, however, the crime had already been committed. Apparently, there was no proof to bring the culprits to book. The incident had taken place in 2008.
The Chicago RCFL (Regional Computer Forensics Laboratory), trained specifically for decoding and unearthing data stored in digital devices, delved into the personal mail of the woman (F.B.I Digital Forensics). The search revealed directions to a hotel in Indiana. The mail had been deleted, yet it was found. That, then, led to the identity of the receiver and the sender being established. The convicted adults had subjected the children to extreme sexual abuse. They are now serving lifelong prison terms.
The director of Chicago RCFL, John Dziedzic, a forensic analyst in the Cook County Sheriff's Office, states that this is an example of what the department does as a part of its investigating procedures. The evidence thus revealed is important to the prosecutor in the court of law. Many cases have been solved using digital forensics since the FBI (the Federal Bureau of Investigation) formed the first Regional Computer Forensics Laboratory in 2000 in San Diego (F.B.I Digital Forensics). The FBI subsequently set up sixteen such labs all around the country jointly with law enforcement agencies comprising federal, state and local departments. The labs are well equipped to investigate digital data pertaining to economic offenses, terrorism, child abuse and other forms of violence (F.B.I Digital Forensics). These labs also have full-fledged training centers and facilities. They train agents and personnel to examine, unearth, and decrypt digital data that is essential as evidence, and to trace and bring charges against the culprits. This data detection and tracing requires an in-depth knowledge of how data is stored in digital devices and how to access data that has already been deleted (F.B.I Digital Forensics).
Justin Poirier, the Special Agent who is Director at Chicago RCFL, states that all data stored in digital form can be retrieved irrespective of the extent of damage done to it, whether corrupted, deleted, or otherwise hidden. The digital device in which the data is stored could be any of the many devices in day-to-day use: reel tapes, cell phones and messaging devices, computers, and the like. All such digital data can now be analyzed for content useful for retracing the sequence of events. The training given to agents helps them to decrypt and analyze data after extraction. The extraction of all kinds of corrupted, deleted and hidden data is possible with proper knowledge and training. The FBI oversees the training and conducts workshops to certify trainees. There is widespread use of digital devices like computers, laptops, video games and the like, and hence digital forensics has become all the more relevant. According to Poirier, the creation of localized RCFLs helps local law enforcement agencies to access information speedily without having to wait for a central office that may already be burdened by many requests. In addition, local knowledge may be more relevant in many cases. The trainees have a commitment to serve the department for at least three years following successful training. Thus trained at the FBI, the local and state agents are more skilled in decoding digital devices for data in their own RCFL centers and are an invaluable asset to the department. Thus, the federal body bonds closely with the local and regional units, which can then help speed investigations (F.B.I Digital Forensics).