Comp 5350/6350/6356Instructor: Dr. A. SkjellumAssigned: April 16, 2015
T.A.: A. RavipatiDue: April 21, 2015 11:59 PM
Open Source Forensics Tools Assignment
Note: Please refer to the PowerPoint for additional help on completing this assignment.
Be sure to upload your submission to Canvas before the deadline.
Disclaimer:
This is an individual assignment. You should do your own work. Any evidence of copying will result in a zero grade and additional penalties/actions.
Assignment Prerequisites:
- Up-to-date Image of Kali OS
- Image of Puppy Linux
- VirtualBox
- At least a 1GB USB
Assignment Objectives:
- Identify Available Partitions of a given system
- Create a directory
- Mount external media to a directory
- Use dcfldd to create an image of a disk and hash the image using md5 checksum
- Using Kali OS to perform forensic analysis of suspect system
- Use Autopsy to examine an image
Assignment Description
For this assignment you will be using the tool dcfldd to make a bit-by-bit copy of a suspect disk. You should make a hash of the disk while you are imaging it in order to verify the integrity of the image later. Once you have created and hashed your image, you will use Autopsy – a tool available in the Kali Operating System – to import and analyze the image, and to answer the questions at the bottom of this assignment.
Assignment Instructions
1)Download Puppy Linux and use it to create a virtual machine in VirtualBox.
2)Make the disk size for the virtual operating system less than 1 GB.
3)Once you have installed the OS, create a text file and type some text into it.
4)Save the file somewhere on the machine.
5)Now delete the text file that you just created. Be sure to delete it and not just move it to the trash can.
6)Now completely power down the virtual machine.
7)Now change the settings of that specific vm as follows:
- Attach a usb drive to the vm image
- Change the boot order so that the vm will first attempt to boot from the cd drive before booting from the hard drive
- Create a new virtual CD drive and “insert” the Kali iso file into it
8)Now boot up the Puppy Linux virtual machine. It should boot into Kali. If it doesn’t and it launches Puppy Linux instead, then you didn’t configure your settings correctly. Revisit step 6.
9)Select the Live Forensics boot option from the Grub Launcher Menu.
10)Mount the usb thumb/external drive to the virtual machine
11)Open the terminal and find out the following things:
- How many partitions are on the system
- What the names of the partitions are
12)Use dcfldd to create an image of the disk and hash it at the same time the image is being created using an md5 hash.
- Be sure to save the image to the usb drive that you attached in step 9.
- Be sure to save the hash value in a text file on the usb key as well.
13)Power down the machine.
14)Boot into your Kali virtual machine.
15)Mount the usb drive to your virtual machine.
16)Launch autopsy.
17)Create a case using the following information:
- Case Name: Open_Source_Assgn
- Investigator Names: Your_Name
- Host Name: Pup_Lin_Mach
- Import the image to the case by making a copy (not symlink or move).
- Verify the image while importing it.
- Please include a screenshot showing that the image was verified successfully using the hash value computed from step 12.
18)Analyze the image and answer the questions below.
Please answer the following questions once you have completed the assignment:
1)How many partitions were on the disk that you examined?
- Please include a screenshot verifying your answer.
2)What type of file system was the disk that you examined?
3)How many images were on the disk?
4)Where you able to find the file that you previously deleted?
- Please include a screenshot verifying your answer.
5)What is the inode# of the deleted file?
- Please include a screenshot verifying your answer.
6)When was the file last accessed?
7)“Recover the file”.