COMP1321 Prac 10: Finding Data on a Hard Disk – Digging Deeper
As explained in a previous session, there are specific rules for analysing hard disks so that the evidence will stand up in court.
To summarise, these four principles are:
· A copy of the disk contents must be taken, and the original disk must be placed in a sealed container
· The data on the original disk may in exceptional circumstances be viewed directly, but only by someone with the necessary expertise to explain the consequences of doing so
· There must be an audit trail of all processes that took place when examining the data, detailed enough for an independent examiner to repeat them and reach the same result
· In court, it is the responsibility of the person examining the data to show that their activities have complied with the law and with accepted practice.
Specialist software (e.g. WinHex) is needed to take an image of the whole disk, including the boot sector and the file system catalogue areas. Mechanically this is the same process that is often used when “imaging” a hard disk for rolling out onto other computers with identical hardware, with one important difference: a forensic image must be an exact bit-for-bit copy, including unallocated space and file slack (where deleted data survives), and a cryptographic hash of the original and of the image must be recorded so that the two can later be shown to match.
The audit trail can be kept manually or recorded automatically by specialist software. The commentary through the audit trail has to be created and delivered by the computer scientist conducting the investigation: what was done, when, with which tool and version, and what the result was. The importance of attention to detail and of making sure things are recorded cannot be emphasised strongly enough.
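The imaging-plus-audit-trail routine described above, as an added example that is not part of the lab sheet and is not WinHex's own code: it copies a “device” block by block, substituting zeros for unreadable blocks so that every later block keeps its offset (the behaviour of dd's conv=noerror,sync), hashes both source and image with SHA-256, and appends one timestamped line to an audit log. The source is a constructed file in a temporary directory, so it runs without touching a real disk; the examiner name, file names and the fake boot-sector bytes are made up for the example.

```python
"""Added example (not from the lab sheet or WinHex): image a 'device'
block by block, verify the copy by hash, and write the audit-trail entry.
The device is a constructed file in a temporary directory."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096


def sha256_of_file(path, block_size=BLOCK_SIZE):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src, dst, block_size=BLOCK_SIZE):
    """Bit-for-bit copy.  An unreadable block is written as zeros so that
    every later block keeps its original offset (dd's conv=noerror,sync);
    returns the number of blocks that had to be zero-filled."""
    bad_blocks = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        total = fin.seek(0, os.SEEK_END)
        offset = 0
        while offset < total:
            fin.seek(offset)
            want = min(block_size, total - offset)
            try:
                chunk = fin.read(want)
            except OSError:                       # e.g. a bad sector on real media
                chunk = b"\x00" * want
                bad_blocks += 1
            if not chunk:
                break
            fout.write(chunk)
            offset += len(chunk)
    return bad_blocks


def acquire(src, dst, log_path, examiner):
    """Image src to dst, hash both, append one audit-log line, return the record."""
    started = datetime.now(timezone.utc).isoformat(timespec="seconds")
    bad = image_device(src, dst)
    src_hash = sha256_of_file(src)
    img_hash = sha256_of_file(dst)
    record = {
        "time": started, "examiner": examiner, "source": src, "image": dst,
        "bytes": os.path.getsize(dst), "bad_blocks": bad,
        "sha256_source": src_hash, "sha256_image": img_hash,
        "verified": src_hash == img_hash, "log": log_path,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(" ".join(f"{k}={v}" for k, v in record.items()) + "\n")
    return record


def last_log_line(log_path):
    with open(log_path, encoding="utf-8") as log:
        return log.read().splitlines()[-1]


def demo():
    """Constructed 'disk': a 512-byte boot-sector-like block followed by file data."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "fake_disk.raw")
    with open(src, "wb") as f:
        f.write(b"\xeb\x52\x90" + b"NTFS    " + b"\x00" * 499 + b"\x55\xaa")
        f.write(b"evidence.docx content " * 1000)   # 22,000 bytes of 'file' data
    return acquire(src, os.path.join(tmp, "fake_disk.dd"),
                   os.path.join(tmp, "audit.log"), examiner="student")


if __name__ == "__main__":
    rec = demo()
    print("verified:", rec["verified"], "bytes:", rec["bytes"], "sha256:", rec["sha256_image"])
```

The point of the two hashes is that the image, not the original, is what you examine afterwards; if the hash of the original is recorded before it goes into the sealed bag, anyone can later prove that the image you worked on is the same bytes.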
Exercise 10(a) Using WinHex effectively
You had problems with WinHex last week, because security on the network prevents the hard disk from being examined directly. This week, we’ll adopt a slightly different approach!
1. Log on, if you haven’t already done so.
2. As last week, open File Explorer and create a new folder C:\test
3. Create a Word file and type in a couple of sentences of data. Describe where the data is being held as you type and after you have typed it in.
4. Save the data to the test folder as evidence.docx (the suffix will of course be added automatically). Describe where the data is being held now.
5. Open WinHex (install it if not available) and look at all the options available. This is a 45-day evaluation version. The university has good security at a network level and on local computers, so you are no longer able to analyse the disk “sector-by-sector” here. However, you will be able to install it on your personal device and use it for long enough to complete assignment 1…
6. To display (in hexadecimal) the data associated with folder indexes and the index structure, you need to use the “open disk” command (Tools > Open Disk). In this set-up it takes a copy and saves it to another location which can be used for investigation, keeping the original untouched. It may take some time to copy all the indexes, etc… Note the time and what you did: this is the first entry in your audit trail.
7. Now you should be able to access that copy of the test folder, which will not be protected in the same way as the original. Make a note of the start and end locations (offsets) of the evidence.docx file.
8. Now use WinHex (File/Open) to go to the start address for the file and look at the contents that are displayed. Is this what you would expect? Remember that a .docx file is a ZIP archive: the first bytes are “PK”, and the text you typed is stored compressed, so you will not see it in plain ASCII.
9. Scroll through the file until the end of the sector. Note how Microsoft Word saves a lot of data that the user wouldn’t normally see (the archive contains docProps/core.xml and docProps/app.xml with author, editing times and application version, as well as the document text). Write down some of the “extra” items that were saved.
10. Now use Windows File Explorer to delete the file evidence.docx. Use Shift+Delete (or empty the Recycle Bin afterwards): an ordinary delete only moves the file into the Recycle Bin, where its data and a renamed index entry still exist. Check that the test folder is now empty.
11. Look again at the WinHex display for C:\test. You may need to refresh the screen or even restart the application. What has happened to the index entry?
12. Now go back to the file’s data (the sectors you noted in step 7). Can you see any difference from the display you looked at earlier? What is it?
13. How would you get the original data back, so the file appears again in File Explorer?
14. Have a go at restoring the file using WinHex…
15. Check with File Explorer that the file has indeed been recovered. Well done if you succeeded.
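Two of the things the exercise asks you to observe (steps 8 and 9: what the bytes of evidence.docx look like and what Word stores beyond your text; steps 10 to 15: what deleting and undeleting changes in the file’s NTFS record), as one added example that is not part of the lab sheet and is not WinHex’s code. The .docx and the 1024-byte FILE record are constructed in memory with made-up contents; the record carries only the header fields, with the attribute area zeroed, and the undelete shown sets the in-use flag only, which is the part WinHex lets you edit by hand.

```python
"""Added example (not from the lab sheet or WinHex): what the hex view of
evidence.docx shows, and what a delete/undelete changes in the NTFS file
record that WinHex edits.  Everything is built in memory."""
import io
import struct
import zipfile

# ---- Part 1: evidence.docx is a ZIP archive ----------------------------
SENTENCES = "The suspect met the courier at 9pm. Payment was in cash."  # constructed


def build_docx(text, author="student"):
    """Minimal .docx container: the document text plus the two metadata
    parts (core.xml, app.xml) that carry information the user never typed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:r><w:t>" + text +
                   "</w:t></w:r></w:p></w:body></w:document>")
        z.writestr("docProps/core.xml",
                   "<cp:coreProperties><dc:creator>" + author + "</dc:creator>"
                   "<cp:lastModifiedBy>" + author + "</cp:lastModifiedBy>"
                   "<dcterms:created>2024-01-01T09:00:00Z</dcterms:created>"
                   "</cp:coreProperties>")
        z.writestr("docProps/app.xml",
                   "<Properties><Application>Microsoft Office Word</Application>"
                   "<TotalTime>7</TotalTime></Properties>")
    return buf.getvalue()


def inspect_docx(raw, text):
    """Contrast the raw bytes (what the sector view shows) with the contents."""
    with zipfile.ZipFile(io.BytesIO(raw)) as z:
        names = z.namelist()
        body = z.read("word/document.xml").decode()
        core = z.read("docProps/core.xml").decode()
    return {
        "magic": raw[:4],                                   # b'PK\x03\x04': ZIP local header
        "text_visible_in_raw_bytes": text.encode() in raw,  # False: it is DEFLATE-compressed
        "text_in_document_xml": text in body,
        "hidden_parts": [n for n in names if n.startswith("docProps/")],
        "creator_recorded": "<dc:creator>" in core,
    }


# ---- Part 2: the NTFS file record (MFT entry) for the file --------------
FLAG_IN_USE = 0x0001      # bit 0 of the flags word at offset 0x16
FLAG_DIRECTORY = 0x0002
RECORD_SIZE = 1024
HEADER = "<4sHHQHHHHII"   # signature, USA offset/count, LSN, seq, links, attr offset, flags, used, allocated


def build_file_record(seq=3, in_use=True, is_dir=False):
    """Constructed FILE record: header fields only, attribute area zeroed."""
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if is_dir else 0)
    hdr = struct.pack(HEADER, b"FILE", 0x30, 3, 0, seq, 1, 0x38, flags, 0x100, RECORD_SIZE)
    return bytearray(hdr.ljust(RECORD_SIZE, b"\x00"))


def parse_file_record(rec):
    sig, _, _, _, seq, links, _, flags, used, _ = struct.unpack_from(HEADER, rec, 0)
    if sig != b"FILE":
        raise ValueError("not a FILE record")
    return {"sequence": seq, "links": links, "used_size": used,
            "in_use": bool(flags & FLAG_IN_USE),
            "is_directory": bool(flags & FLAG_DIRECTORY)}


def set_in_use(rec, value):
    """Deleting clears the in-use bit; the rest of the record and the data
    clusters are left as they were, which is why undelete is possible.
    A real undelete must also restore the $I30 index entry in the parent
    directory and re-mark the clusters in $Bitmap; that is not modelled here."""
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    flags = (flags | FLAG_IN_USE) if value else (flags & ~FLAG_IN_USE)
    struct.pack_into("<H", rec, 0x16, flags)
    return rec


def delete_and_undelete_demo():
    """in_use before delete, after delete, after undelete, and the signature."""
    rec = build_file_record()
    before = parse_file_record(rec)["in_use"]
    set_in_use(rec, False)          # what File Explorer's delete leaves behind
    after = parse_file_record(rec)["in_use"]
    set_in_use(rec, True)           # what WinHex's undelete puts back
    restored = parse_file_record(rec)["in_use"]
    return before, after, restored, bytes(rec[:4])


if __name__ == "__main__":
    print(inspect_docx(build_docx(SENTENCES), SENTENCES))
    print(delete_and_undelete_demo())
```

The first part explains the answer to step 8: the sector view starts with PK and does not contain your sentences in readable form, because Word compresses every part of the archive. The second part is the answer to steps 11 to 13 in miniature: the directory index entry disappears, but the file record and its data clusters are untouched apart from one bit, so restoring that bit (and the index entry) brings the file back.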
Exercise 10(b) IP & MAC Addresses for Devices and use of Packet Tracer
Last week, you saw (or should have seen!) the Address Resolution Protocol (ARP) in action, allowing a computer to find the MAC address of a node on the same physical network when given that node’s IP address.
Network devices have always used MAC addresses: within a single local network, frames are forwarded (switched) by MAC address. Routing between networks is done by IP address. IP addresses are the useful ones for reaching anything beyond the local network because they belong to TCP/IP, the protocol suite used by the Internet, and because they are hierarchical (a network part and a host part), so a router can tell which network a packet belongs to; a MAC address only identifies one particular interface. In this exercise, we will look at a network modelling tool called Packet Tracer, produced by the networking hardware supplier Cisco, which models both IP addresses and MAC addresses. However, Packet Tracer is only a simulation of a real network.
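The ARP exchange described above, as an added example that is not part of the lab sheet and not Packet Tracer’s code: it builds the broadcast request and the unicast reply as real Ethernet II frames with the 28-byte ARP payload, parses them back, and shows the decision a host makes before it ARPs at all: a destination on its own subnet is ARPed for directly, anything else is reached through the default gateway, so it is the gateway’s MAC address that is needed. The MAC and IP addresses are made up; the same “same subnet” rule is what you apply when you give the two Packet Tracer PCs their addresses later in this session.

```python
"""Added example (not from the lab sheet or Packet Tracer): an ARP
request/reply pair built and parsed in memory, plus the local-or-remote
decision that determines which IP address a host ARPs for."""
import ipaddress
import struct

ETH_BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"       # hw type, proto type, hw len, proto len, op, sha, spa, tha, tpa


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + ARP payload for IPv4 over Ethernet.  A request is
    broadcast to ff:ff:ff:ff:ff:ff; a reply is sent straight back to the asker."""
    dst = ETH_BROADCAST if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = struct.pack("!6s6sH", dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack_from(ARP_FMT, frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    return {"op": "request" if op == ARP_REQUEST else "reply",
            "eth_dst": mac_str(dst), "eth_src": mac_str(src),
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def arp_target(my_ip, netmask, dest_ip, gateway_ip):
    """Which IP address does a host ARP for when it wants to send to dest_ip?
    Only nodes on the same network can be reached by MAC address; anything
    else is handed to the gateway, so the gateway's MAC is the one needed."""
    net = ipaddress.IPv4Network(f"{my_ip}/{netmask}", strict=False)
    return dest_ip if ipaddress.IPv4Address(dest_ip) in net else gateway_ip


def exchange(pc_mac, pc_ip, peer_mac, peer_ip):
    """Request (target MAC unknown, so all zeros) followed by the reply."""
    req = build_arp(ARP_REQUEST, pc_mac, pc_ip, "00:00:00:00:00:00", peer_ip)
    rep = build_arp(ARP_REPLY, peer_mac, peer_ip, pc_mac, pc_ip)
    return parse_arp(req), parse_arp(rep)


if __name__ == "__main__":
    # Constructed addresses: two PCs on 192.168.1.0/24 with a gateway at .1
    want = arp_target("192.168.1.10", "255.255.255.0", "192.168.1.20", "192.168.1.1")
    q, a = exchange("00:11:22:33:44:55", "192.168.1.10", "66:77:88:99:aa:bb", want)
    print(q)
    print(a)
    print("to reach 10.0.0.5 the PC ARPs for:",
          arp_target("192.168.1.10", "255.255.255.0", "10.0.0.5", "192.168.1.1"))
```

Because a request goes to the broadcast MAC, every node on the switch receives it, and nothing in the protocol authenticates the reply; that is why ARP spoofing works, and why the two PCs in the Packet Tracer exercise must share a subnet for this exchange to happen at all.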
Cisco is the biggest manufacturer of computer networking hardware in the world… by far! Packet Tracer is a wonderful simulation tool for creating networks without the need to use real hardware. This is an excellent way to get up to speed on the basics of creating a network infrastructure before being let loose on real switches and routers.
Cisco also has an extensive set of resources for students wishing to become infrastructure specialists on its Networking Academy (“NetAcad”) website. It also runs a series of certification examinations which are highly thought of in the industry. More of that later… First, you need to enrol!
1. Go to http://netacad.com. This is the website for Cisco education about all aspects of networks and infrastructure.
2. Use your university email address as your username and set up a student account on NetAcad.
3. You should receive an activation email… once you click the link in it, you should be able to log on and access the NetAcad resources. Check that you can, and have a quick look round at the range of resources available. We’ll use some of these in future practical sessions.
Exercise 10(c) Introduction to Packet Tracer
Packet Tracer has been developed by CISCO over many years. The current version is 7.1, although this may change before you complete this module. To access and run Packet Tracer…
1. Close down your browser.
2. Locate Cisco Packet Tracer on the applications menu. Note that there is also a “help” option
3. Choose to “deny” when the pop-up appears, as the network design interface comes up on the screen
4. You should now be looking at the Packet Tracer Interface... use “help” to explain what this application is and does…
5. Now go to your Cisco Networking Academy page and take a look at the courses that are available to you…
6. Find, and enrol on, the course on Packet Tracer. Launch it, choose chapter 1, and watch the 11-minute video. Maybe this has confused rather than informed you? No matter, let’s take a further look.
7. Before progressing, please note that all networking hardware needs to be configured (some of it can be auto-configured…). Cisco routers and switches run Cisco IOS (Internetwork Operating System, nothing to do with Apple’s iOS), and Packet Tracer models its command line. A device can be configured either from a graphical interface (the Config tab in Packet Tracer) or from the command line (the CLI tab). Real hardware has no screen of its own: you connect a PC to the device’s console port with a console cable and use a terminal program to reach the same command line.
Now, click on the ? icon in the top right-hand corner of the screen, which opens the local help. Find “My First Cisco Lab” and click on “tutorial”.
8. Watch carefully… this is a walkthrough of setting up a very simple network consisting of one PC and one server. You don’t need to do anything else, but make notes if you like, because next time (see below) you’ll be on your own.
9. Now, over to you. You may wish to “play” first of all. Look at all the devices and types of devices that are available. Drag devices as appropriate into the white space on the screen to create a network consisting of two computers, each connected by Fast Ethernet (copper straight-through) cabling to a switch.
Ideally, the network should also be using fast network interfaces when establishing connectivity… but don’t worry about the configuration commands (for now!)
10. All done? Do you have green lights or red lights? A red light means the link is down: check that the right cable type is used and that the interface is connected and not shut down, because the network cannot be expected to work until this is fixed. Amber lights just mean the switch port is still coming up; wait a few seconds. The two PCs also need IP addresses in the same subnet (for example 192.168.1.10 and 192.168.1.20 with subnet mask 255.255.255.0) if they are to reach each other, and no two devices may be given the same address. Look again at the walkthrough, if necessary.
When all is green, the mini-network has logical and physical connectivity. Save this as a file that you can return to later (the file suffix is .pkt or .pka by default). Log off.
11. Now log in again, and have another look at resources available. If you are interested in the networking side of cyber security, the sky is the limit… the range of resources available is truly awesome! You can also work towards professional networking qualifications, if you wish.
Enough for now, though. Log off from NetAcad, and log out of the network.
RCH17 3