Forensics labs 6 to 10

Book: System Forensics, Investigation, & Response (3rd edition) JBLearning

Lab 6: Recognizing the Use of Steganography in Image Files

All tools and instructions to complete this lab are found in the virtual lab access that accompanies the textbook.

In a forensic investigation, investigators explore a targeted machine in search of steganographic evidence, but in doing so they risk changing the very data they seek and invalidating it as evidence. For this reason they make a forensic image (a bit-for-bit copy) of the evidence drive, record its hash, and conduct the investigation on the image rather than on the original. In this lab, you will use S-Tools and Windows Paint to look for possible steganographic activity in the image files on this evidence drive copy. Using S-Tools, you will identify and extract data embedded in a carrier image and document your findings.

Upon completing this lab, you will be able to:

Use the S-Tools for Windows utility to search for possible steganographic activity in image files

Extract a cipher key text file

Identify the use of steganographic data-concealment techniques for covert communication and potential injected data

Extract hidden data from identified image files while preserving the integrity of the evidence

Report the details of hidden files

Deliverables:

SECTION 1 of this lab has two parts which should be completed in the order specified.

In the first part of the lab, you will open image files on the TargetWindows01 machine using Microsoft Windows Paint and describe the images in your Lab Report.

In the second part of the lab, you will use S-Tools to identify and extract any hidden embedded data.
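The following is an added example, not code from the textbook lab and not part of S-Tools: it shows the least-significant-bit (LSB) technique that tools of this kind use, on a constructed 8-bit greyscale carrier, together with the two checks an examiner actually runs, a look at the LSB plane and a comparison against a known-good copy by hash and per-pixel difference. The `MAGIC` marker, the gradient carrier and the hidden message are assumptions of the example. S-Tools also encrypts its payload, so real embedded bits look random; the LSB ratio is only a flag, and the hash comparison requires a reference copy you already trust.

```python
# Added example (not from the textbook lab and not S-Tools code): least-significant-bit
# steganography on a constructed 8-bit greyscale image, with a simple LSB-plane check.
import hashlib
from typing import Dict, Optional

MAGIC = b"STEG"  # assumed 4-byte marker so extraction can tell a payload from noise

def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Write MAGIC + 4-byte length + payload, one bit per carrier byte, into the LSBs."""
    frame = MAGIC + len(payload).to_bytes(4, "big") + payload
    if len(frame) * 8 > len(carrier):
        raise ValueError("payload too large for carrier")
    out = bytearray(carrier)
    for i, bit in enumerate((b >> (7 - k)) & 1 for b in frame for k in range(8)):
        out[i] = (out[i] & 0xFE) | bit   # each pixel changes by at most 1
    return bytes(out)

def _read_lsb_bytes(image: bytes, bit_offset: int, count: int) -> bytes:
    value = 0
    for i in range(count * 8):
        value = (value << 1) | (image[bit_offset + i] & 1)
    return value.to_bytes(count, "big")

def extract_lsb(image: bytes) -> Optional[bytes]:
    """Return the hidden payload, or None when no MAGIC frame is present."""
    header_bits = (len(MAGIC) + 4) * 8
    if len(image) < header_bits or _read_lsb_bytes(image, 0, len(MAGIC)) != MAGIC:
        return None
    length = int.from_bytes(_read_lsb_bytes(image, len(MAGIC) * 8, 4), "big")
    if header_bits + length * 8 > len(image):
        return None
    return _read_lsb_bytes(image, header_bits, length)

def lsb_ones_ratio(image: bytes) -> float:
    """Share of pixels whose LSB is 1. Flat or synthetic regions sit near 0 or 1;
    embedded data pushes the touched region toward 0.5."""
    return sum(b & 1 for b in image) / len(image)

def compare_with_reference(original: bytes, suspect: bytes) -> Dict[str, object]:
    """What an examiner checks against a known-good copy: size, hash, per-pixel delta."""
    deltas = [abs(a - b) for a, b in zip(original, suspect)]
    return {
        "same_size": len(original) == len(suspect),
        "pixels_changed": sum(1 for d in deltas if d),
        "max_delta": max(deltas),
        "md5_original": hashlib.md5(original).hexdigest(),
        "md5_suspect": hashlib.md5(suspect).hexdigest(),
    }

# Constructed carrier: a 64x64 gradient with every pixel even, so its LSB plane is all zero.
CARRIER = bytes(((x + y) * 2) & 0xFE for y in range(64) for x in range(64))
SECRET = b"meet at pier 9, 02:00; key=tango-4"   # constructed hidden message
STEGO = embed_lsb(CARRIER, SECRET)

if __name__ == "__main__":
    print("LSB ones ratio clean/stego:", lsb_ones_ratio(CARRIER), round(lsb_ones_ratio(STEGO), 3))
    print("recovered:", extract_lsb(STEGO))
    print(compare_with_reference(CARRIER, STEGO))
```

The stego image is the same size as the carrier and no pixel moves by more than one grey level, which is why Paint shows nothing; the MD5 of the two files differs, which is why the hash recorded when the drive was imaged matters.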

Lab 7: Automating E-mail Evidence Discovery (E3)

All tools and instructions to complete this lab are found in the virtual lab access that accompanies the textbook.

In this lab, you will use E3 to automate e-mail and chat analysis to identify suspect files that may be useful in a forensic investigation. You will use E3’s sort features to sort the files on the evidence drive into categories for easier analysis. You will document your progress throughout the lab to preserve the source and ensure the evidence is defensible and presentable in a court of law.

Deliverables:

Please complete Sections 1 and 2 of this lab (excluding the lab quiz).

SECTION 1 of this lab has two parts which should be completed in the order specified.

  1. In the first part of the lab, you will create and sort an evidence case file using E3.
  2. In the second part of the lab, you will use E3 to view suspicious chat and e-mail files for evidence investigation.

SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will review e-mail evidence from a different drive image, export e-mail files as evidence, and compare hash values before and after exporting the e-mail files.

Lab 8: Decoding an FTP Protocol Session for Forensic Evidence

All tools and instructions to complete this part are found in LAB 8 as part of the virtual lab access that accompanies the textbook. 

In this lab, you will use two forensic analysis tools, Wireshark and NetWitness Investigator, to examine the same File Transfer Protocol (FTP) traffic capture file and compare the results of each. FTP is a long-established protocol for moving files between a client and a server, and it is still found in business environments for bulk transfers, legacy integrations and embedded devices. Its weakness is that classic FTP sends user names, passwords, commands and file contents in cleartext, so anyone who can capture the traffic can recover all of them. You will explore the protocol capture file to see how FTP's cleartext transmission can endanger an organization.

Please complete Sections 1 and 2 of this lab (excluding the lab quiz).

SECTION 1 of this lab has two parts which should be completed in the order specified.

  1. In the first part of the lab, you will use Wireshark to examine a protocol capture file and identify the specifics of an FTP
  2. In the second part of the lab, you will use NetWitness Investigator to examine that same protocol capture file and identify further specifics of an FTP

SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will generate your own protocol capture file for examination.

Lab 9: Identifying and Documenting Evidence from a Forensic Investigation

All tools and instructions to complete this part are found in LAB 9 as part of the virtual lab access that accompanies the textbook.

In this lab, you will explore the forensic capabilities of E3 by using the sorting and search features to identify evidence. You will create bookmarks for the evidence you find so that it is easier to locate later. You will create an evidentiary report that can be used in a court of law, and an MD5 hash of the report.

Upon completing this lab, you will be able to:

  • Discuss proper documentation requirements and the chain of custody for a forensic investigation
  • Use E3 to search for potential evidence in a forensic case file
  • Bookmark evidence in a forensic case file
  • Generate an evidentiary report from E3 that can be submitted in a court of law
  • Generate an MD5 hash file for evidentiary reports generated by E3

Please complete Sections 1 and 2 of this lab (excluding lab quiz)

SECTION 1 of this lab has two parts which should be completed in the order specified.

  1. In the first part of this lab, you will create and sort a new case file using E3.
  2. In the second part of this lab, you will identify relevant evidence and generate an investigative report from E3.

SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will identify and document evidence from a different drive image.
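The hash steps in Lab 7 SECTION 2 (compare hashes before and after exporting e-mail files) and in Lab 9 (an MD5 hash for the report) are both instances of the same routine: hash every item before export, hash the exported copies, and record the hash of the report itself. The following is an added example, not E3's own code or the lab's, built on constructed e-mail and chat items; the case identifier, paths and message contents are assumptions. It includes one failure mode worth knowing: an export that normalises CRLF line endings to LF produces a file that reads identically but no longer matches its hash.

```python
# Added example (not the lab's or E3's code): hash manifest for exported evidence, plus the
# MD5/SHA-256 seal of the report itself. All items below are constructed sample data.
import hashlib
from typing import Dict, List

def digests(data: bytes) -> Dict[str, str]:
    return {"size": str(len(data)),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def build_manifest(items: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Hash every item before export, keyed by its path inside the evidence set."""
    return {name: digests(data) for name, data in sorted(items.items())}

def verify_export(manifest: Dict[str, Dict[str, str]], exported: Dict[str, bytes]) -> List[str]:
    """Compare exported copies against the pre-export manifest; an empty list means intact."""
    findings = []
    for name, expected in manifest.items():
        if name not in exported:
            findings.append(f"MISSING {name}")
        elif digests(exported[name]) != expected:
            findings.append(f"MODIFIED {name}")
    findings += [f"UNEXPECTED {name}" for name in exported if name not in manifest]
    return findings

def manifest_report(case_id: str, manifest: Dict[str, Dict[str, str]]) -> bytes:
    """Plain-text report suitable for attaching to the case file."""
    lines = [f"Case {case_id} - exported e-mail evidence", "path\tsize\tmd5\tsha256"]
    lines += [f"{n}\t{d['size']}\t{d['md5']}\t{d['sha256']}" for n, d in manifest.items()]
    return ("\n".join(lines) + "\n").encode()

def seal(report: bytes) -> str:
    """The hash line the lab asks for: MD5 of the report bytes, with SHA-256 alongside."""
    d = digests(report)
    return f"MD5 {d['md5']}  SHA256 {d['sha256']}"

# Constructed evidence items as found on the drive image (e-mail line endings are CRLF).
SOURCE = {
    "inbox/0001.eml": b"From: a@example.test\r\nTo: b@example.test\r\nSubject: invoice\r\n\r\nsee attached\r\n",
    "inbox/0002.eml": b"From: b@example.test\r\nTo: a@example.test\r\nSubject: re: invoice\r\n\r\nwhich one?\r\n",
    "chat/skype.log": b"[09:01] b: did you get it\n[09:02] a: yes\n",
}
# Constructed export: 0001 copied faithfully, 0002 had CRLF normalised to LF by the export
# (a real-world pitfall), and the chat log was not exported at all.
EXPORTED = {
    "inbox/0001.eml": SOURCE["inbox/0001.eml"],
    "inbox/0002.eml": SOURCE["inbox/0002.eml"].replace(b"\r\n", b"\n"),
}
MANIFEST = build_manifest(SOURCE)

if __name__ == "__main__":
    for finding in verify_export(MANIFEST, EXPORTED):
        print(finding)
    print(seal(manifest_report("2023-017", MANIFEST)))
```

MD5 is what the lab asks for and is fine for detecting accidental change; record SHA-256 next to it so the manifest also holds up where collision resistance matters.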

Lab 10: Conducting an Incident Response Investigation for a Suspicious Login

All tools and instructions to complete this part are found in LAB 10 as part of the virtual lab access that accompanies the textbook.

In this lab, you will use NetWitness Investigator to analyze the network traffic to identify a suspect’s login credentials from an FTP packet trace. You will also use E3 to analyze the digital portion of a forensic image and locate the transferred file on the suspect’s own evidence drive. You will export the suspect files, add bookmarks in the Case Log, and create a report to detail your findings.

Upon completing this lab, you will be able to:

  • Identify suspect login credentials from an FTP packet trace
  • Evaluate information that would be useful to an attacker who has infiltrated the network
  • Analyze the digital portion of a forensic investigation and link the two pieces of evidence together to solidify your case
  • Bookmark and export suspect data
  • Create a report detailing findings based on automated reporting of evidence related to a suspect’s email communications, identified email attachments, and the protocol capture of the FTP session

Please complete Sections 1 and 2 of this lab (excluding lab quiz)

SECTION 1 of this lab has four parts which should be completed in the order specified.

  1. In the first part of the lab, you will use NetWitness Investigator to examine a protocol capture file and find specific information needed to complete the deliverables for this lab.
  2. In the second part of this lab, you will create and sort a new case file using E3.
  3. In the third part of the lab, you will use E3 to perform a forensic image investigation and explore a suspect user’s email account for
  4. In the fourth part of the lab, you will use E3 to generate an evidentiary report of a suspect’s email

SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will also add screen captures from a NetWitness Investigator report to your E3 case file.
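Lab 8 (decoding an FTP session from a capture) and the first and third parts of Lab 10 (recovering the suspect's login from the FTP packet trace, then locating the transferred file on the suspect's drive) are one workflow, shown here as an added example. It is not the lab's own code and not output of Wireshark or NetWitness Investigator: it builds a small pcap file from constructed packets, decodes it with a minimal pcap/TCP parser, recovers the cleartext USER and PASS values and the passive-mode data port from the 227 reply, reassembles the retrieved file, and links it to a file from the drive image by SHA-256. The addresses, account name, password, file name and file contents are all constructed; packets are read in capture order without TCP sequence-number reassembly, which is what Wireshark's Follow TCP Stream does for you on a real trace.

```python
# Added example (not the lab's own code, and not Wireshark or NetWitness output): build a small
# FTP capture, decode it with a minimal pcap/TCP parser, recover the cleartext credentials and
# the transferred file, and tie that file to one recovered from the suspect's drive by hash.
# Every address, name and file below is constructed sample data.
import hashlib
import re
import struct
from typing import Dict, Iterator, List, Tuple

Pkt = Tuple[str, int, str, int, bytes]   # src_ip, sport, dst_ip, dport, TCP payload

def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def _frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with zero checksums (pcap readers do not verify them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(packets: List[Pkt]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, (src, sport, dst, dport, payload) in enumerate(packets):
        frame = _frame(src, sport, dst, dport, payload)
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp(pcap: bytes) -> Iterator[Pkt]:
    """Yield TCP payloads from a classic pcap file in capture order (no reassembly)."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]

def decode_ftp(pcap: bytes, ctrl_port: int = 21) -> Dict[str, object]:
    """USER/PASS/RETR from the control channel, file bytes from the passive data channel."""
    session: Dict[str, object] = {"user": None, "password": None, "retr": [], "data": b""}
    data_port = None
    for src, sport, dst, dport, payload in iter_tcp(pcap):
        if dport == ctrl_port:                      # client command, cleartext
            for line in payload.decode("ascii", "replace").splitlines():
                cmd, _, arg = line.partition(" ")
                if cmd == "USER":
                    session["user"] = arg
                elif cmd == "PASS":
                    session["password"] = arg
                elif cmd == "RETR":
                    session["retr"].append(arg)
        elif sport == ctrl_port:                    # server reply; 227 names the data port
            m = re.search(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)",
                          payload.decode("ascii", "replace"))
            if m:
                data_port = int(m.group(5)) * 256 + int(m.group(6))
        elif data_port is not None and sport == data_port:
            session["data"] += payload             # file content, also cleartext
    return session

def link_to_drive(data: bytes, drive_files: Dict[str, bytes]) -> Tuple[str, List[str]]:
    """Match the captured file against files carved from the drive image by SHA-256."""
    digest = hashlib.sha256(data).hexdigest()
    return digest, [p for p, c in drive_files.items() if hashlib.sha256(c).hexdigest() == digest]

CLIENT, SERVER = "192.168.1.20", "10.0.0.5"
PAYROLL = b"employee,salary\nA. Smith,61000\nB. Jones,58500\n"
CAPTURE = build_pcap([
    (SERVER, 21, CLIENT, 51000, b"220 FTP server ready\r\n"),
    (CLIENT, 51000, SERVER, 21, b"USER jdoe\r\n"),
    (SERVER, 21, CLIENT, 51000, b"331 Password required\r\n"),
    (CLIENT, 51000, SERVER, 21, b"PASS Winter2023!\r\n"),
    (SERVER, 21, CLIENT, 51000, b"230 Login successful\r\n"),
    (CLIENT, 51000, SERVER, 21, b"PASV\r\n"),
    (SERVER, 21, CLIENT, 51000, b"227 Entering Passive Mode (10,0,0,5,195,80)\r\n"),  # 195*256+80
    (CLIENT, 51000, SERVER, 21, b"RETR payroll.csv\r\n"),
    (SERVER, 50000, CLIENT, 51001, PAYROLL[:20]),
    (SERVER, 50000, CLIENT, 51001, PAYROLL[20:]),
    (SERVER, 21, CLIENT, 51000, b"226 Transfer complete\r\n"),
])
DRIVE = {"Users/jdoe/Downloads/payroll.csv": PAYROLL, "Users/jdoe/Desktop/notes.txt": b"nothing here\n"}

if __name__ == "__main__":
    s = decode_ftp(CAPTURE)
    print("credentials:", s["user"], s["password"], "files:", s["retr"])
    print("sha256 and drive matches:", link_to_drive(s["data"], DRIVE))
```

The hash match is the link the lab asks you to make between the two pieces of evidence: the capture shows who logged in and what was retrieved, and the drive image shows the same bytes at rest on the suspect's machine. Write the generated pcap out with `open("ftp.pcap", "wb").write(CAPTURE)` and Wireshark will show the same commands under Follow TCP Stream.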
