2 pages Digital Forensic Partition drive assignment
Examine Evidence Partitions
Analysis of four small partitions extracted from a suspect's hard drive. Your analysis will assess the nature of each partition—specifically, whether each partition is encrypted, compressed, wiped, or none.
Demonstration and hands-on training are always most effective, so you turn to the former in Step 2. Digital forensic investigators need to understand how to examine evidence partitions. In a case that you are working on currently, the suspect's computer contains four disk partitions. A disk partition is a portion of a whole disk with its own file system. Access the virtual lab to examine evidence partitions in order to determine whether files on each partition are encrypted, defragmented, securely deleted, or none of these. If they have been encrypted, what process was used: NTFS encrypted file systems, BitLocker, PGP, etc.?
After conducting your analysis, you demonstrate how you would document your findings in a formal forensic report. Include descriptions of destruction strategies such as wiping, overwriting, corruption, and degaussing. Make sure these strategies are explained in terms that IT temps, recent hires, and other nonexperts can understand in a consistent way. This will be the first section of your investigative report.
Share this section of the report with a colleague (your instructor) for review and feedback before continuing to the next step, where you will search for hidden data in files. Make sure to incorporate any suggested changes. This will be the first section of the sample investigative report to be included in the job aid submitted in the final step.
Lab Work Instruction:
Examine Evidence Partitions
You are provided four NTFS partitions from a hard drive, each about 100MB in size. One of the partitions has been defragmented, one used file encryption, and one used secure file deletion; no action has been taken on the other. Your task is to determine which action (if any) has been applied to each partition.
You will examine each partition using FTK (Imager is sufficient) and the Windows operating system. Your guidance for determining which actions have been taken on a specific partition are as follows:
Normal (no action):
· files are scattered throughout the partition
· you will see deleted files with content
· you will see data in file slack space
Defragmentation:
· files are stored in contiguous locations
· file slack space is zeroed out
· measurable with native OS tools
Encryption:
· file contents are “jibberish” (very little readable plain text)
· FTK may show a "key" icon
· OS may indicate encryption (e.g., "lock" icon)
Secure Wipe:
· deleted files in unallocated space will not contain any readable content
· there will not be any data in file slack space
To examine each of the partitions, perform the following steps until you are confident about which action was applied to each partition. The partitions for this exercise are raw dumps and are named partition_blue.dd, partition_green.dd, partition_red.dd, and partition_yellow.dd.
1. Mount partitions (images) in Windows OS:
Run FTK or FTK Imager; select File: Image Mounting with the settings below (your file paths will differ).
Repeat for all four partitions and you should see each partition show up in the "Mapped Images" portion of the window (eight entries, one physical and one logical for each partition). When all four images are mounted, click Close.
2
Examine the mounted partitions and files in Windows Explorer. If files appear to be present but you can't open them or see the file contents, then encryption is a possibility (confirmed if you see a "lock" icon over some files, such as image files that can't render the thumbnail):
2. Examine the partitions in FTK Using FTK or FTK Imager, examine each of the four partitions.
3
Choose File: Add Evidence Items, then Image File, then Next, browse to the partition image folder, select the image (dd) file, then select Finish. Repeat for all four partitions and FTK (Imager) should look like this:
Look for the following features and characteristics to help determine actions performed on the partition:
• While at the base of each image (i.e., don't start browsing the filesystems yet), search for a file name on each of the partitions (e.g., "Blue hills", but any file name you saw in Windows Explorer with a lock icon will work). Be sure to check the Unicode box (see the first screenshot below). You should find references to the file on all four partitions, but some of the references will have the characters "$.E.F.S.1" (EFS1 in unicode) about 150 bytes after the filename. This indicates use of the Microsoft NTFS Encrypted File System, and this partition should be the same one you found above that suggested encryption.
4
Confirm that you have identified the encrypted partition by looking through the filesystem of that partition and noticing all the key icons (see screenshot below). If so, you've identified which partition was encrypted, and the encryption implementation used (EFS). Note that other encryption implementations have different "signatures", some less obvious than others.
3. Find the defragmented partition
Using the Windows command line, check the fragmentation level of the three remaining partitions (the fourth is the encrypted partition).
C:\> defrag X: /a
where X is the drive letter of the partition you're checking (see the drive letters in Windows Explorer) and /a means just analyze the partitions (don't actually defragment them).
You should find one partition with 0% fragmentation and two partitions with 2% fragmentation. The partition with 0% fragmentation is the one that has been defragmented.
4. Find the secure delete partition
Secure delete tools overwrite deleted content so that it cannot be recovered (normally we find useful data from deleted files in the unallocated portions of media).
6
Using FTK (Imager), examine the entries in the [unallocated space] of the two remaining partitions. If a secure delete tool has been used, the entries in unallocated space will contain only random data and INDX records (from the filesystem; readable but not containing actual deleted file content). If the entries in unallocated space contain readable data from deleted files, then those files were not securely deleted.
For example, this executable file (note the MZ at the start of the file and readable text) was not securely deleted:
and this file was securely deleted:
5. The remaining partition is the one on which no actions were taken.
Based on your analysis above, identify which action (defragmented, encrypted, secure delete, no action) was applied to each partition. Include your process and results in your writeup.
partition_blue.dd: defragmented
partition_green.dd: encrypted
partition_red.dd: secure delete
partition_yellow.dd: no action
__________________
__________________
__________________
__________________
Use the following format to write the laboratory report using the above lab description for the findings. Use APA format 2 pages
Laboratory Report
Laboratory Number:_____
Date____________
Examiner's Name: _______________________________
<Exercise, Validation Test, or Examination > Number: ______________
Examination or Validation Tasking:
This is where you put the description of the requirements, the examination goals and any
appropriate examination criteria. This section defines "when you are done."
Forensic Question(s):
1. Identify relevant information concerning...
2. Locate all document files...
3. Compare files/hashes of ....
4. Associate files, media, computer, IP address with...
5. Reconstruct the events/ activities which resulted in ...
Steps Taken:
1. List the important steps taken.
2. It is not necessary to put every step, just those which are required to understand the
examination process and results.
3. Identify (with some specificity) any tools or procedures that you used.
4. Do not put screenshots here! It should be grammatically correct text.
5. Do not put your results here, but outline the framework of the entire process.
6. This is not a regurgitation of your lab notes
Results:
This is where you describe the data, what examination products are being provided, and their disposition. An example might be: "There were 26 graphics files identified which appeared to be children. These files have been placed on a CD-ROM marked UCF0101001A1" and provided to the contributor.
Rev. 04/30/07
1 of 2
Conclusions:
This is where you outline the logical conclusions derived from the facts. You must link the data in the results with the scientific conclusions that can be derived from that data. There are three elements: the data, the science, and the process. While the courts do not really address the difference between scientific opinion and scientific conclusions, we will make the distinction for educational purposes as that between the logical conclusion to be reached from a scientific set of facts and an opinion based on experience.
Opinions: