Digital Forensics Lab Projects Guide

The document provides instructions for four hands-on projects using forensic tools to analyze files and recover passwords. It details examining differences in files at the hexadecimal level, exploring metadata in file systems including timestamps, viewing file headers in various formats, and using OSForensics to recover browser and Windows passwords from an image.

Uploaded by

xmallmall1961
Copyright
© All Rights Reserved

College of Technological Innovation

SEC 435: Digital Forensics Foundations


Lab 2: Data File Structures

Hands-On Project 5-1:

In this project, you compare two files created in Microsoft Office to determine whether
the files are different at the hexadecimal level. Keep a log of what you find.

Procedure:

1. Start Word, type “This is a test.”, and save the file (Mywordnew.docx) in your
work folder.

2. Start Excel, enter a few random numbers, and save the file (Myworkbook.xlsx)
in your work folder.

3. Start WinHex and open Mywordnew.docx. Click Edit, Copy All, then click Editor
Display.

4. Start Notepad, paste the copied data, and leave the window open.

5. Open WinHex and open Myworkbook.xlsx. Click Edit, Copy All, then click Editor
Display.

6. Paste the copied data under the Word document header you pasted previously.
Add your observations about the two files’ header data, size and contents. Save
this file as C5Prj01.txt.

Hands-On Project 5-2:

In this project, you explore the MFT and learn how to locate date and time values in the
metadata of a file you create. These steps help you identify previously deleted
fragments of MFT records that you might find in unallocated disk space or in residual
data in Pagefile.sys.

Procedure:

1. Start Notepad, create a text file with one or more of the following lines, and save
it (C5Prj02.txt) in your work folder.
a. A countryman between two lawyers is like a fish between two cats.
b. A slip of the foot you may soon recover, but a slip of the tongue you may
never get over.
c. An investment in knowledge always pays the best interest.
d. Drive thy business or it will drive thee.

2. Start WinHex in Read-only Mode (=write protected), and open C5Prj02.txt.
Ensure that the Win32 FILETIME (64Bit) checkbox has been ticked.

3. Navigate to your work folder in WinHex. Keep scrolling down until you find the
C5Prj02.txt file.

4. Click at the beginning of the record, on the letter F in FILE, and then drag down
to the right while you monitor the hexadecimal counter in the lower-right corner.
When the counter reaches 50, release the mouse button.

Offset value 50

5. Move the cursor one position to the next byte and record the date and time of the
Data Interpreter’s FILETIME values.

File creation: 10/29/2019 15:13:47

6. Reposition the mouse cursor on the remaining offsets listed in the previous
charts and record their values.

File altered: 10/29/2019 15:13:47
Last accessed: 10/29/2019 15:13:47

File creation: 10/29/2019 15:13:47
File altered: 10/29/2019 15:13:47
File read: 10/29/2019 15:13:47
MFT change: 10/29/2019 15:13:47
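
The manual steps of Project 5-2 can be cross-checked with a short script. This is an added example, not part of the lab handout: it walks an MFT record to the $STANDARD_INFORMATION attribute and decodes its four FILETIME values. The record is constructed in the code, with the lab's timestamp treated as UTC (an assumption), and the function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI_TYPE = 0x10              # $STANDARD_INFORMATION attribute type
END_MARKER = 0xFFFFFFFF     # terminates the attribute list
FIELDS = ("File creation", "File altered", "MFT change", "File read")  # on-disk order

def filetime_to_dt(ft):
    """Win32 FILETIME: 64-bit count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def standard_info_times(record):
    """Return (content_offset, {label: datetime}) for one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos = struct.unpack_from("<H", record, 0x14)[0]      # offset of first attribute
    while pos + 0x18 <= len(record):
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == END_MARKER or alen == 0:             # end of list or corrupt length
            break
        if atype == SI_TYPE:
            if record[pos + 8] != 0:                     # non-resident flag
                raise ValueError("$STANDARD_INFORMATION must be resident")
            content_off = pos + struct.unpack_from("<H", record, pos + 0x14)[0]
            raw = struct.unpack_from("<4Q", record, content_off)
            return content_off, dict(zip(FIELDS, map(filetime_to_dt, raw)))
        pos += alen
    raise ValueError("no $STANDARD_INFORMATION attribute")

def build_sample_record(when):
    """Constructed 1024-byte record, not taken from a real volume."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)              # first attribute at 0x38
    # Resident header: type, length, non-resident, name length, name offset,
    # flags, attribute id, content size, content offset
    struct.pack_into("<IIBBHHHIH", rec, 0x38, SI_TYPE, 0x60, 0, 0, 0, 0, 0, 0x48, 0x18)
    struct.pack_into("<4Q", rec, 0x50, *[dt_to_filetime(when)] * 4)
    struct.pack_into("<I", rec, 0x98, END_MARKER)
    return bytes(rec)

if __name__ == "__main__":
    sample = build_sample_record(datetime(2019, 10, 29, 15, 13, 47, tzinfo=timezone.utc))
    off, times = standard_info_times(sample)
    for label, value in times.items():
        print(f"{label:14} {value:%m/%d/%Y %H:%M:%S} UTC (content at 0x{off:X})")
```

With a first attribute at 0x38 and a 0x18-byte resident header, the timestamps begin at offset 0x50, which is the counter value used in step 4.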

Hands-On Project 5-3:

In this project, you use WinHex to become familiar with different file types.

Procedure:

1. Locate or create Microsoft Excel (.xlsx), Microsoft Word (.docx), .gif, .jpg,
and .mp3 files.

2. Open each file type in WinHex, record the hexadecimal codes for each in a text
editor, and save it (C5Prj03.txt).

Hexadecimal view of the .doc file


Hexadecimal view of the .xls file

Hexadecimal view of the .gif file

Hexadecimal view of the .jpg file

Hexadecimal view of the .mp3 file
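
The header comparison in Projects 5-1 and 5-3 can also be scripted. This is an added example, not part of the lab handout: it classifies a file by its leading bytes and, because .docx and .xlsx files share the same ZIP header, tells them apart by the parts inside the archive. The sample bytes are constructed in the code and the function names are hypothetical.

```python
import io
import zipfile

SIGNATURES = [                   # magic bytes at offset 0 -> label
    (b"PK\x03\x04", "zip"),      # .docx and .xlsx are ZIP containers
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
    (b"ID3", "mp3"),             # MP3 that starts with an ID3v2 tag
]
OOXML_PARTS = {"word/": "docx", "xl/": "xlsx"}   # top-level folder per format

def identify(data):
    """Classify a file by its header bytes, then by ZIP contents."""
    kind = next((label for magic, label in SIGNATURES if data.startswith(magic)), None)
    if kind is None and len(data) > 1 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0:
        kind = "mp3"             # MPEG audio frame sync, no ID3 tag
    if kind == "zip":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip (unreadable)"
        for prefix, label in OOXML_PARTS.items():
            if any(name.startswith(prefix) for name in names):
                return label
    return kind or "unknown"

def first_difference(a, b):      # offset of first differing byte, None if identical
    diff = (i for i, (x, y) in enumerate(zip(a, b)) if x != y)
    return next(diff, None if len(a) == len(b) else min(len(a), len(b)))

def make_ooxml(part_name):       # constructed stand-in: a ZIP with one named part
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part_name, "<x/>")
    return buf.getvalue()

SAMPLES = {                      # constructed bytes, not real evidence
    "Mywordnew.docx": make_ooxml("word/document.xml"),
    "Myworkbook.xlsx": make_ooxml("xl/workbook.xml"),
    "a.gif": b"GIF89a\x01\x00\x01\x00",
    "a.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "a.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} {data[:8].hex(' ')}  -> {identify(data)}")
```

Identification here relies on content only, so a renamed extension does not change the result.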

Hands-On Project 5-4:

This project is a continuation of the in-chapter activity carried out in class using
OSForensics. The paralegal has asked you to see whether any passwords are listed in
the images of Denise Robinson’s computer.

Procedure:

1. Start OSForensics and mount the InCh05.img file.

2. Click Manage Case. In the Select Case pane, double-click InChap05 if there is no
green check mark displayed next to it.

3. In the left navigation bar, click Passwords. Choose the Find Browser Passwords tab.
Click the Scan Drive radio button, and choose the mounted drive (G:).

4. Click Retrieve Passwords. In the right results pane, right-click the first item and
click Export List to Case. In the title box, type Denise Robinson’s additional email and
password and click OK. Repeat for all other passwords that were recovered.

5. In the Password window, select the Windows Login Passwords tab. Click the
Scan Drive radio button, and choose the mounted drive (G:).

6. Click Retrieve Hashes. Then click Save to File, navigate to your work folder,
type Denise-Robinson-Win-Passwords-Hashes in the File name textbox, and
click Save.

7. Click Manage Case. In the Manage Current Case pane, click Add Attachment.
Navigate to where you saved the password hashes file and click Open. In the
export title textbox, type Denise-Robinson-Win-Passwords and click Add.

8. Click Generate Report, then click OK. If you get a warning that the report exists, click
Yes to overwrite it.

Under OSForensics Exports, in Denise Robinson’s additional e-mail and password (1)

Under OSForensics Exports, in Denise Robinson’s additional e-mail and password (2)

Under Attachments, in Denise-Robinson-Win-Passwords
