20) An image of a suspect drive can be loaded on a virtual machine

20) An image of a suspect drive can be loaded on a virtual machine. True or False?

21. EFS can encrypt which of the following?
a. Files, folders, and volumes
b. Certificates and private keys
c. The global Registry
d. Network servers

22. What happens when you copy an encrypted file from an EFS-enabled NTFS disk to a non-EFS disk or folder?
a. The file can no longer be encrypted.
b. EFS protection is maintained on the file.
c. The file is unencrypted automatically.
d. Only the owner of the file can continue to access it.

Hands-On Projects

There are no data files to download for this chapter’s projects, but create a Work\Chap05\Projects folder on your system before starting the projects.

Hands-On Project 5-1
In this project, you compare two files created in Microsoft Office to determine whether the files are different at the hexadecimal level. Keep a log of what you find. Follow these steps:

1. Start Word, and in a new document, type This is a test.
2. Save the file as Mywordnew.docx in your work folder, using Word Document (*.docx) as the file type. Exit Word.
3. Start Excel, and in a new workbook, enter a few random numbers. Save the file in your work folder as Myworkbook.xlsx, using Excel Workbook (*.xlsx) as the file type.
4. Exit Excel, and start WinHex (running it as an Administrator).
5. Click File, Open from the menu. In the Open dialog box, navigate to your work folder and double-click Mywordnew.docx.
6. Notice the file hexadecimal header 50 4B 03 04 14 00 06 00 starting at offset 0. Click Edit, Copy All from the menu, and then click Editor Display.
7. Start Notepad, and in a new document, press Ctrl+V to paste the copied data. Leave this window open.
8. Click File, Open from the WinHex menu. In the Open dialog box, navigate to your work folder and double-click Myworkbook.xlsx.
9. Repeat Step 6.
10. Paste the data you just copied under the Word document header information you pasted previously.
11. In the Notepad window, add your observations about the two files’ header data. Save this file as C5Prj01.txt and turn it in to your instructor. Exit WinHex.

68944_ch05_hr_195-266.indd 260 08/01/18 11:48 am

Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Nelson, Bill, et al. Guide to Computer Forensics and Investigations, Cengage Learning US, 2018. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/csuau/detail.action?docID=5474388. Created from csuau on 2020-04-15 16:37:14.

Hands-On Project 5-2
In this project, you explore the MFT and learn how to locate date and time values in the metadata of a file you create. These steps help you identify previously deleted fragments of MFT records that you might find in unallocated disk space or in residual data in Pagefile.sys. You need the following for this project:

• A system running Windows with the C drive formatted as NTFS
• Notepad to create a small text file
• WinHex (downloaded from http://x-ways.net and installed, if you haven’t done so already) to analyze the metadata in the MFT

1. Start Notepad, and create a text file with one or more of the following lines:

• A countryman between two lawyers is like a fish between two cats.
• A slip of the foot you may soon recover, but a slip of the tongue you may never get over.
• An investment in knowledge always pays the best interest.
• Drive thy business or it will drive thee.

2. Save the file in your work folder as C5Prj02.txt, and exit Notepad. (If your work folder isn’t on the C drive, make sure you save the file on your C drive to have it entered in the $MFT files you copy later.)

3. Next, review the material in “MFT and File Attributes,” paying particular attention to attributes 0x10 and 0x30 for file dates and times. The following charts show the offset byte count starting at position FILE of the file’s MFT record for the date and time stamps:

Note

The offsets listed in the following charts are from the first byte of the MFT record, not the starting position of the specific attributes 0x10 and 0x30.

0x10 $Standard Information (data starts at offset 0x18)

Description of field      Offset position   Byte size
C Time (file creation)    0x50              8
A Time (file altered)     0x58              8
L Time (Last accessed)    0x60              8

0x30 $File_Name (data starts at offset 0x18)

Description of field      Offset position   Byte size
C Time (file creation)    0xB8              8
A Time (file altered)     0xC0              8
R Time (file read)        0xC8              8
M Time (MFT change)       0xD0              8

CHAPTER 5  Working with Windows and CLI Systems 261


Figure 5-39 Changing WinHex to read-only mode Source: X-Ways AG, www.x-ways.net

Next, you examine the metadata of the C5Prj02.txt file stored in the $MFT file. Follow these steps:

1. Start WinHex with the Run as administrator option. If you see an evaluation warning message, click OK.

2. As a safety precaution, click Options, Edit Mode from the menu. In the Select Mode (globally) dialog box, click Read-only Mode (=write protected), as shown in Figure 5-39, and then click OK.

3. Click Tools, Open Disk from the menu. In the View Disk dialog box, click the C: drive (or the drive where you saved C5Prj02.txt), as shown in Figure 5-40, and then click OK. If you’re prompted to take a new snapshot, click Take new one. Depending on the size and quantity of data on your disk, it might take several minutes for WinHex to traverse all the files and paths on your disk drive.

Note

WinHex defaults to an editable mode, which means you can alter data in important system files and possibly corrupt them. When using a disk editor such as WinHex, always set it to read-only mode, unless you need to make specific modifications to data.

Note

By default, WinHex displays a floating Data Interpreter window that converts hex values to decimal values and can also convert date and time codes. If you don’t see this window, activate it by clicking View, pointing to Show, and clicking Data Interpreter.

4. Click Options, Data Interpreter from the menu. In the Data Interpreter Options dialog box, click the Windows FILETIME (64 bit) check box, shown in Figure 5-41, and then click OK. The Data Interpreter should then have FILETIME as an additional display item.


Figure 5-40 Selecting the drive in WinHex Source: X-Ways AG, www.x-ways.net

Figure 5-41 The Data Interpreter Options dialog box Source: X-Ways AG, www.x-ways.net


5. Now you need to navigate to your work folder (C:\Work\Chap05\Projects) in WinHex. In the upper-right pane of WinHex, scroll down until you see your work folder. Double-click each folder in the path (see Figure 5-42), and then click the C5Prj02.txt file.

Figure 5-42 Navigating through folders in WinHex Source: X-Ways AG, www.x-ways.net

Figure 5-43 Locating the date and time value in the MFT record (callouts: “Click here and drag down until offset counter shows 50 bytes”; “After dragging, release mouse button and click here to interpret date and time”; “Note date and time”; “Offset counter”) Source: X-Ways AG, www.x-ways.net

6. Drag from the beginning of the record, on the letter F in FILE, and then down and to the right while you monitor the hexadecimal counter in the lower-right corner. (Note: 50 hexadecimal bytes is the “position” for the first date and time stamp for this record, as described in the previous charts for 0x10 $Standard Information.) When the counter reaches 50 (see Figure 5-43), release the mouse button.


7. Move the cursor one position to the next byte (down one line and to the left), and record the date and time of the Data Interpreter’s FILETIME values.

8. Reposition the mouse cursor on the remaining offsets listed in the previous charts, and record their values.

9. When you’re finished, exit WinHex and hand in the date and time values you recorded.
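As an added illustration (not from the book), the following Python script does in code what steps 6 through 8 do with the mouse: it reads the 8-byte values at the chart offsets of a FILE record and converts each 64-bit Windows FILETIME to a date and time the way the Data Interpreter does. The record it parses is constructed inside the script with a layout chosen so that the chart offsets apply; the attribute header values, constants and function names are the example's own, not the book's.

```python
"""Decode the MFT timestamps at the fixed record offsets given in the Project 5-2 charts."""
import struct
from datetime import datetime, timedelta, timezone

# Offsets from the first byte ("FILE") of the MFT record, as listed in the charts.
STD_INFO_TIMES = {"C Time": 0x50, "A Time": 0x58, "L Time": 0x60}                    # 0x10 $Standard Information
FILE_NAME_TIMES = {"C Time": 0xB8, "A Time": 0xC0, "R Time": 0xC8, "M Time": 0xD0}  # 0x30 $File_Name

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME counts 100-ns intervals since 1601-01-01 UTC (what the Data Interpreter shows)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, done in integers so large values stay exact."""
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def read_times(record: bytes, table: dict) -> dict:
    """Read the little-endian FILETIME at each chart offset of one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    return {name: filetime_to_datetime(struct.unpack_from("<Q", record, off)[0])
            for name, off in table.items()}

def build_sample_record(created, altered, accessed) -> bytes:
    """Constructed 1 KB record (hypothetical, for the demo) laid out so the chart offsets apply."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)            # first attribute starts at 0x38
    struct.pack_into("<II", rec, 0x38, 0x10, 0x60)     # $STANDARD_INFORMATION header; data at 0x50
    struct.pack_into("<QQQ", rec, 0x50, *map(datetime_to_filetime, (created, altered, accessed)))
    struct.pack_into("<II", rec, 0x98, 0x30, 0x68)     # $FILE_NAME header; data at 0xB0, times at 0xB8
    struct.pack_into("<QQQQ", rec, 0xB8, *map(datetime_to_filetime, (created, altered, accessed, altered)))
    struct.pack_into("<I", rec, 0x100, 0xFFFFFFFF)     # end-of-attributes marker
    return bytes(rec)

SAMPLE_CREATED = datetime(2019, 3, 1, 9, 30, 0, tzinfo=timezone.utc)   # constructed values
SAMPLE_ALTERED = SAMPLE_CREATED + timedelta(minutes=12)
SAMPLE_ACCESSED = SAMPLE_CREATED + timedelta(hours=2)
SAMPLE_RECORD = build_sample_record(SAMPLE_CREATED, SAMPLE_ALTERED, SAMPLE_ACCESSED)

if __name__ == "__main__":
    for title, table in (("0x10 $Standard Information", STD_INFO_TIMES), ("0x30 $File_Name", FILE_NAME_TIMES)):
        print(title)
        for name, when in read_times(SAMPLE_RECORD, table).items():
            print(f"  {name}: {when:%Y-%m-%d %H:%M:%S} UTC")
```

To use it on a real record, pass the 1,024 bytes starting at FILE (copied from WinHex) to read_times in place of SAMPLE_RECORD; the FILE signature check guards against an offset that does not sit on a record boundary.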

Hands-On Project 5-3
In this project, you use WinHex to become familiar with different file types. Follow these steps:

1. Locate or create Microsoft Excel (.xlsx), Microsoft Word (.docx), .gif, .jpg, and .mp3 files. If you’re creating a Word document or an Excel spreadsheet, save it as a Word or Excel file.
2. Start WinHex.
3. Open each file type in WinHex. Record the hexadecimal codes for each file in a text editor, such as Notepad or WordPad. For example, for the Word document, record Word Header: 50 4B 03 04.
4. Save the file, and then print it to give to your instructor.
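An added example in Python (not part of the book's projects) that automates what Projects 5-1 and 5-3 do by hand: it prints a file's first bytes in WinHex's notation and matches them against a short signature list. Because .docx and .xlsx both begin with 50 4B 03 04 (both are ZIP containers), it also looks inside the archive to tell them apart. The sample files are constructed in the script, and the signature list, marker table and function names are the example's own.

```python
"""Identify file types from header bytes; separate .docx from .xlsx inside the ZIP container."""
import io
import zipfile

# Header (magic) bytes at offset 0. The first entry is the 50 4B 03 04 recorded in Projects 5-1 and 5-3.
SIGNATURES = [
    (b"PK\x03\x04", "zip"),                     # local file header of a ZIP archive (docx, xlsx, ...)
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),                   # JPEG start-of-image marker
    (b"ID3", "mp3"), (b"\xff\xfb", "mp3"),      # ID3v2 tag, or a bare MPEG-1 Layer III frame
]
# The ZIP header alone cannot separate Office formats; the entry names inside the archive can.
OFFICE_MARKERS = {
    "word/document.xml": "docx",
    "xl/workbook.xml": "xlsx",
    "ppt/presentation.xml": "pptx",
}

def hex_header(data: bytes, count: int = 8) -> str:
    """Show the first `count` bytes the way WinHex does, e.g. '50 4B 03 04 14 00 06 00'."""
    return " ".join(f"{b:02X}" for b in data[:count])

def identify(data: bytes) -> str:
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return identify_zip(data) if kind == "zip" else kind
    return "unknown"

def identify_zip(data: bytes) -> str:
    """Open the container and look for the Office part that names the application."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:                  # a carved fragment has the header but no central directory
        return "zip (truncated or damaged)"
    for marker, kind in OFFICE_MARKERS.items():
        if marker in names:
            return kind
    return "zip"

def make_office_file(kind: str) -> bytes:
    """Constructed minimal Office-style container for the demo (not a real document)."""
    marker = {v: k for k, v in OFFICE_MARKERS.items()}[kind]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(marker, "<root/>")
    return buf.getvalue()

SAMPLE_DOCX = make_office_file("docx")        # constructed sample inputs
SAMPLE_XLSX = make_office_file("xlsx")
SAMPLE_GIF = b"GIF89a" + bytes(10)
SAMPLE_FRAGMENT = SAMPLE_DOCX[:64]            # only the local header survives, as in a carved fragment
```

Running identify over the two sample containers shows that the header comparison in Project 5-1 ends in a tie (both start 50 4B 03 04) and that the deciding evidence is the archive's entry names.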

Hands-On Project 5-4
This project is a continuation of the in-chapter activity done with OSForensics. The paralegal has asked you to see whether any passwords are listed in the image of Denise Robinson’s computer. Follow these steps:

1. Start OSForensics. If prompted to allow the program to make changes to your computer, click OK or Yes. In the OSForensics message box, click Continue Using Trial Version.

2. Copy the InCh05.img file to your work folder. Mount the InCh05.img file as described in the in-chapter activity.

3. In the main window, click Manage Case in the navigation bar on the left, if necessary. In the Select Case pane on the right, double-click InChap05 if a green checkmark isn’t displayed next to it.

4. In the navigation bar on the left, click Passwords. In the pane on the right, click the Find Browser Passwords tab, if necessary. Click the Scan Drive button, and then click the drive letter for the InCh05.img mounted virtual drive.

5. In the navigation bar on the left, click Retrieve Passwords. In the pane on the right, right-click the first item and click Export List to Case. In the Title text box, type Denise Robinson’s additional e-mail and password, and then click OK. Repeat this step for all browser passwords that were recovered.

6. In the Passwords window, click the Windows Login Passwords tab. Click the Scan Drive button, and then click the drive letter for the InCh05.img mounted virtual drive.

7. Click Retrieve Hashes, and then click Save to File. In the Save to dialog box, navigate to your work folder, type Denise-Robinson-Win-Passwords in the File name text box, and then click Save.


8. In the navigation bar on the left, click Manage Case. In the Manage Current Case pane on the right, click the Add Attachment button. Navigate to and click the Denise-Robinson-Win-Passwords file, and click Open. In the Export Title text box, type Denise-Robinson-Win-Passwords, and then click Add.

9. In the navigation bar at the top, click Generate Report. In the Export Report dialog box, click OK. If you get a warning message that the report already exists, click Yes to overwrite the previous report.

10. Exit OSForensics, and print the report displayed in your Web browser. Turn the report in to your instructor.

Case Projects

Case Project 5-1
Using the information you gathered in Hands-On Project 5-4, write a one-page memo to the paralegal, Ms. D. K. Jones, explaining the process you used to find the e-mail and password data.

Case Project 5-2
An employee suspects that his password has been compromised. He changed it two days ago, yet it seems someone has used it again. What might be going on?

Case Project 5-3
Sometimes you need to see how an application works and behaves on a booted suspect’s computer. For this project, write a short guideline of two to three pages on how to use VirtualBox to start and run applications from a suspect’s disk image. Your research should start with the VirtualBox user guide at www.virtualbox.org. For more information, search for terms such as “VirtualBox convert RAW image to VDI” or “convert raw to vmdk.”
