Magic Number Chart - Pennsylvania State University



Basic Forensic Analysis

Scenario:
Last week University police arrested a student, Billy Badguy, for selling cocaine. During the pursuit the student threw a USB drive into a storm drain. The Office of the Physical Plant (OPP) was contacted and was able to recover the USB drive. The Police Department has asked you to perform a forensic analysis of this USB drive. You have created an image and left it on your desktop.

Objectives:
- Create a case in Autopsy.
- Locate deleted/hidden files.
- Perform a dirty word search.
- Create a case report with any evidence you find.

Remember to read the report requirements at the end of this document to see what you must hand in to the instructor.

Log On to VMware
1. Open the VMware Infrastructure Client from Start > VMware. Type "vslvc.ist.psu.edu" for the IP address, then enter the team user ID and password given to you by your instructor.
2. Navigate to View > Inventory > Virtual Machines and Templates.
3. Locate the virtual machine folder assigned to you (contact your instructor if you don't have one) and select IST454.
4. Highlight your machine and click the Console icon to launch the Virtual Machine Console to your virtual machine.
   Note: If you see a black screen, "power on" the virtual machine by clicking the green arrow at the top.
5. Log on to the machine with the user name "ISTForensics". Click twice on ISTForensics to get the password field. The password is "password" (no quotes).

Welcome to your Virtual Machine.

Task 1 - Create a case in Autopsy
1. Open a terminal window. Go to Applications > Forensics > Autopsy. You will be asked for a password; type the word: password. (The password is not visible as you type it.) Once the password is accepted, leave this terminal window open; Autopsy runs from it.
2. Open the Firefox Web Browser by going to Applications > Internet > Firefox Web Browser.
   Autopsy is set as the home page.
3. Scroll down if necessary and click the "New Case" button.
4. Fill in the fields as follows:
   "Case Name": USBcase1
   "Description": a short sentence describing the case. Reread the scenario at the beginning of this document for help.
   "Investigator Names": your name and the names of the members of your team.
   Click the "New Case" button.
5. Leave the default and click the "Add Host" button at the bottom. Then click the next "Add Host" button.
6. Click "Add Image", then "Add Image File".
7. Fill in the fields in the "Add a New Image" screen:
   "Location": /home/administrator/Desktop/usbimage1.dd
   "Import Method": copy
   Click "Next".
8. Select "Volume Image" on the right and ensure "dos" is selected in the "Volume System Type" drop-down. Click "OK".
9. Under "Data Integrity" select "Calculate" and check "Verify hash after importing". Click the "Add" button. Once the calculation is done, click "OK".
   Record the hash Autopsy computes. It is how your report shows that the image you examined is the one you were given and that the copy was not altered during import.

Task 2: Locate deleted/hidden files
1. Click the "Analyze" button and select "File Analysis".
2. Files listed in red are deleted files; they also have a check mark in the DEL column to the left of the file name. Click a file and examine it in the window below. If data appears, click "report" next to ASCII and take a screenshot of the report for your case report. (Clicking "display" does not produce the report; you must click the word "report".) Close ("X" out of) that tab.
3. Click "Export" to export the file from the image to the Downloads folder. Once a file is saved outside the image, open it and take a screenshot of its data for your report to the police.
4. Follow the same procedure for the files listed in blue. These are files that exist openly (allocated) on the drive. If a file does not open, examine its "magic number" against the magic number chart at the end of this document to check that the file is labeled correctly. The magic number is the first few bytes of the file as seen in hex.
   A file that has been mislabeled (for example, renamed with the wrong extension) won't open properly but can still hold uncorrupted data: the extension is only a name, while the magic number reflects the real format. The magic number can be seen in Autopsy by viewing the file in hex; it is the first few bytes. The mp3 file will work, just not in the movie player. You won't be able to hear it in this lab.

Task 3: Perform a dirty word search
A dirty word search is a search through all of the bytes in the image (allocated files, deleted files and unallocated space alike) for specific strings or words. Look at the information listed in the case summary and consider what words a drug dealer might use. This search takes some time. Normally a forensic analyst would have a long list of dirty words ready; because of time constraints, just use the key words from the scenario at the beginning of the lab.
1. Click the "Keyword Search" button.
2. Ensure ASCII and Case Insensitive are selected. Type in a dirty word from your list and click the "Search" button.
3. When you get a hit, make a note of the sector the hit was in. You can determine which file the hit was located in by comparing that sector with the sectors listed in the file reports you made during file analysis. A hit whose sector is not listed in any allocated file's report lies in unallocated space, that is, in a deleted file or in slack.
4. Click the hex link next to the sector number.
5. Click "report" next to hex at the top of the screen.
6. Click the previous/next buttons to ensure you have all of the relevant data, since a string can continue into the neighboring sector. If you find more data, click the Hex report again and take another screenshot.

Task 4: Answer questions. Create a case report.
The police want to know:
- What is the name of Billy's supplier?
- When and where is the next meet?
- Who else on campus is involved?
- Were there any secret messages? If so, in which file were they located?
- Extra credit: How was the secret message made, or how could it have been made?

Write a Forensic Report
You should have the following parts:
A forensic report is a step-by-step list of everything you have done and what the results were. You don't need to list all of the failed attempts or crowd it with non-relevant facts. Keep it accurate, relevant and simple.

Grading Rubric
Credit for each section is as follows. Forensic Report (100%).

Note
Be sure to include your name and email address in the report. The report should be turned in before class on the specified due date. Late submissions will receive a grade deduction, especially if permission is not obtained from the instructor. The instructor reserves the right to grant or reject extra time for report completion.

Magic Number Chart
Here are a few magic numbers. These are mostly for image files. The hex digits are the first bytes of the file; "xx" means the byte varies. In the ASCII column, "." stands for a byte that is not a printable ASCII character.

File type                              Typical extension   Hex digits                       ASCII
Bitmap format                          .bmp                42 4d                            BM
Office 2007 documents                  .xlsx               50 4b 03 04 14 00 06 00          PK......
GIF format                             .gif                47 49 46 38                      GIF8
MP3                                    .mp3                49 44 33                         ID3
PDF                                    .pdf                25 50 44 46                      %PDF
JPEG File Interchange Format           .jpg                ff d8 ff e0                      ....
NIFF (Navy TIFF)                       .nif                49 49 4e 31                      IIN1
PM format                              .pm                 56 49 45 57                      VIEW
PNG format                             .png                89 50 4e 47                      .PNG
PostScript format                      .[e]ps              25 21                            %!
Sun Rasterfile                         .ras                59 a6 6a 95                      Y.j.
Targa format                           .tga                xx xx xx                         ...
TIFF format (Motorola, big endian)     .tif                4d 4d 00 2a                      MM.*
TIFF format (Intel, little endian)     .tif                49 49 2a 00                      II*.
X11 Bitmap format                      .xbm                xx xx
XCF GIMP file structure                .xcf                67 69 6d 70 20 78 63 66 20 76    gimp xcf v
Xfig format                            .fig                23 46 49 47                      #FIG

Caveats when using the chart:
- The Office 2007 entry is really the ZIP local-file header. Only the first four bytes (50 4b 03 04, "PK..") are fixed; .docx, .pptx and ordinary .zip files start with the same four bytes, so "PK" tells you it is a ZIP container, not which kind.
- A JPEG carrying Exif metadata starts ff d8 ff e1 rather than ff d8 ff e0; the first three bytes ff d8 ff are common to both.
- Targa and X11 bitmap have no fixed signature, so a mismatch against them cannot be decided from the first bytes alone.
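The check described in Task 2, as an added example for this lab (it is not Autopsy code and not part of the original handout): compare what a file's extension claims against what its magic number says. The signature table is transcribed from the chart above, with three assumptions that are not in the chart: the Exif variant of JPEG (ff d8 ff e1) is included, .docx and .pptx are listed beside .xlsx because they share the ZIP header, and only the first four bytes of the chart's Office entry are used because the bytes after them vary. Targa and X11 bitmap have no fixed signature and are left out. The sample headers are constructed in memory; nothing is read from the lab image.

```python
"""Magic-number check for exported files (added example, not Autopsy code)."""
import os

# (type name, extensions that legitimately carry it, signature bytes)
SIGNATURES = [
    ("Bitmap", {".bmp"}, bytes.fromhex("424d")),
    ("Office 2007 document (ZIP container)", {".xlsx", ".docx", ".pptx"}, bytes.fromhex("504b0304")),
    ("GIF", {".gif"}, bytes.fromhex("47494638")),
    ("MP3 (ID3 tag)", {".mp3"}, bytes.fromhex("494433")),
    ("PDF", {".pdf"}, bytes.fromhex("25504446")),
    ("JPEG (JFIF)", {".jpg", ".jpeg"}, bytes.fromhex("ffd8ffe0")),
    ("JPEG (Exif)", {".jpg", ".jpeg"}, bytes.fromhex("ffd8ffe1")),  # assumption: not in the chart
    ("NIFF (Navy TIFF)", {".nif"}, bytes.fromhex("49494e31")),
    ("PM", {".pm"}, bytes.fromhex("56494557")),
    ("PNG", {".png"}, bytes.fromhex("89504e47")),
    ("PostScript", {".ps", ".eps"}, bytes.fromhex("2521")),
    ("Sun Rasterfile", {".ras"}, bytes.fromhex("59a66a95")),
    ("TIFF (big endian)", {".tif", ".tiff"}, bytes.fromhex("4d4d002a")),
    ("TIFF (little endian)", {".tif", ".tiff"}, bytes.fromhex("49492a00")),
    ("GIMP XCF", {".xcf"}, b"gimp xcf v"),
    ("Xfig", {".fig"}, bytes.fromhex("23464947")),
]
# Try longer signatures first so a specific prefix is never shadowed by a shorter one.
SIGNATURES.sort(key=lambda entry: -len(entry[2]))


def identify(header):
    """Return (type name, expected extensions) for the first signature the header starts with, or None."""
    for name, exts, sig in SIGNATURES:
        if header[:len(sig)] == sig:
            return name, exts
    return None


def hexdump(header, n=8):
    """First n bytes as space-separated hex, the way the chart lists them."""
    return " ".join("%02x" % b for b in header[:n])


def check(filename, header):
    """Compare the extension's claim with the magic number's evidence."""
    ext = os.path.splitext(filename)[1].lower()
    found = identify(header)
    if found is None:
        detected, verdict = None, "unknown"
    else:
        detected, exts = found
        verdict = "match" if ext in exts else "mismatch"
    return {"file": filename, "extension": ext, "magic": hexdump(header),
            "detected": detected, "verdict": verdict}


def check_exported_file(path):
    """The same check on a file exported from the image: only the header bytes are read."""
    with open(path, "rb") as fh:
        return check(os.path.basename(path), fh.read(16))


# Constructed sample headers (not taken from the lab image).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "song.mp3": b"ID3\x03\x00\x00\x00\x00\x21\x76",
    "notes.txt": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",            # a PDF renamed to .txt
    "logo.gif": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",       # a PNG renamed to .gif
    "ledger.xlsx": b"PK\x03\x04\x14\x00\x06\x00\x08\x00",
    "scratch.dat": b"just some text\n",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        r = check(name, header)
        print("%-12s %-24s %-38s %s" % (r["file"], r["magic"], r["detected"] or "-", r["verdict"]))
```

A "mismatch" verdict is the case the lab describes: the data is intact, only the name lies, so rename the exported copy to the detected type before opening it. An "unknown" verdict means the chart does not cover the format (plain text, Targa, X11 bitmap), not that the file is corrupt.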
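The dirty word search of Task 3, as an added example (not Autopsy code and not part of the original handout). A sixteen-sector image with 512-byte sectors is constructed in memory: two allocated "files" whose sector ranges stand in for the sector lists in the Autopsy file reports, plus the remnant of a deleted file in unallocated space. One hit is placed across a sector boundary to show why the previous/next buttons matter. The dirty words, file names and sector layout are all assumptions for the demonstration.

```python
"""Dirty word search over a raw image, with hits reported by sector (added example)."""
import re

SECTOR_SIZE = 512  # Autopsy reports keyword hits by 512-byte sector on a "dos" volume image


def build_sample_image():
    """Constructed sample image; not the lab's usbimage1.dd."""
    img = bytearray(SECTOR_SIZE * 16)  # all zeros, like a freshly wiped drive

    def place(offset, data):
        img[offset:offset + len(data)] = data

    place(2 * SECTOR_SIZE, b"Shopping list: milk, eggs, bread\n")
    place(5 * SECTOR_SIZE, b"Meet the Supplier behind the HUB on Friday at 9pm. Bring cash.\n")
    # A word that straddles the boundary between sectors 6 and 7 ("COC" | "AINE").
    place(7 * SECTOR_SIZE - 3, b"COCAINE owed: 2 oz\n")
    # Remnant of a deleted file: no allocated file claims sector 10.
    place(10 * SECTOR_SIZE, b"old cocaine ledger, do not keep\n")
    return bytes(img)


# (file name, first sector, last sector), as an Autopsy file report would list them.
SAMPLE_FILE_MAP = [
    ("list.txt", 2, 3),
    ("meet.txt", 5, 7),
]


def keyword_search(image, words, case_insensitive=True):
    """ASCII search of every byte in the image, like Autopsy's Keyword Search."""
    flags = re.IGNORECASE if case_insensitive else 0
    hits = []
    for word in words:
        pattern = re.compile(re.escape(word.encode("ascii")), flags)
        for m in pattern.finditer(image):
            first = m.start() // SECTOR_SIZE
            last = (m.end() - 1) // SECTOR_SIZE
            hits.append({
                "word": word,
                "offset": m.start(),
                "sector": first,
                "sector_offset": m.start() % SECTOR_SIZE,
                "spans_sectors": first != last,  # if True, the next sector holds the rest of the data
                "context": image[max(0, m.start() - 16):m.end() + 16].replace(b"\x00", b"."),
            })
    return hits


def attribute(hit, file_map):
    """Map a hit's sector to a file from the file reports, or flag it as unallocated."""
    for name, first, last in file_map:
        if first <= hit["sector"] <= last:
            return name
    return "unallocated (deleted file or slack)"


def search_report(image, words, file_map):
    """(word, sector, offset within sector, owner) for every hit, in sector order."""
    rows = []
    for hit in sorted(keyword_search(image, words), key=lambda h: h["offset"]):
        rows.append((hit["word"], hit["sector"], hit["sector_offset"], attribute(hit, file_map)))
    return rows


if __name__ == "__main__":
    image = build_sample_image()
    for hit in sorted(keyword_search(image, ["cocaine", "supplier"]), key=lambda h: h["offset"]):
        print("%-9s sector %2d +%3d  %-36s spans=%-5s %r" % (
            hit["word"], hit["sector"], hit["sector_offset"],
            attribute(hit, SAMPLE_FILE_MAP), hit["spans_sectors"], hit["context"]))
```

The search runs over raw bytes, so it finds the word in the deleted ledger at sector 10 even though no file in the file map owns that sector; that is the "unallocated" case the lab's file reports will not explain. A hit marked as spanning sectors is the reason to page to the next sector before taking the hex report screenshot.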

