Here they are

profilexomewjrks1116
computer_forensics_labs.zip

Computer Forensics labs/Lab07/Lab Seven.docx

Lab Seven: Networks Investigations

Objective: To learn some tools and techniques that are useful for finding and analyzing network evidence.

Background: When conducting a live analysis of a system, a forensics examiner can learn about the networking activity of a suspect by using command-line networking utilities. In this lab, you will try using some of the typical utilities. The output may seem confusing as we haven't had time to cover networking in much detail, but feel free to ask questions or do some Internet research to understand the output better. 

Task: Open a blank Word or Text file. Write your answers to the following questions in your Word or Text file. Save the file and submit that file via Moodle. Please include the question number.

1. Investigate your IP address (Review from Lab 1).

From the Start menu (Windows icon, bottom left), where it says "Search programs and files" type cmd and press Enter to access the command line interface.

In the command window type ipconfig and press Enter to display your IP address.

a) What is your IPv4 address for the Ethernet adapter Local Area Connection?

b) What format do IPv4 addresses use? Binary, hex, something else?

2. Investigate your Media Access Control (MAC) address. (Review from Lab 1).

In the command window, type ipconfig /all and press Enter to display your MAC address (Physical Address).

a) What is the Physical Address for your Ethernet adapter Local Area Connection?

b) What format do MAC addresses use? Binary, hex, something else?

3. Try pinging another computer to test network connectivity.

First try pinging google.com. In the command window, type ping google.com.

a) What are the results?

Now try pinging by IP address. In the command window, type ping 8.8.8.8.

b) What are the results of pinging by IP address?

4. Use Trace Route to determine the path from your computer to an Internet server, via a set of Internet routers.

In the command window, type tracert 8.8.8.8. In a few seconds you will start to see the addresses (and maybe names) of routers between you and 8.8.8.8.

a) What is the IP address of the first router to respond?

b) How many routers are there between your computer and 8.8.8.8?

5. Do some Domain Name System (DNS) research.

In the command window, type ipconfig /flushdns to empty your DNS cache.

After a couple of minutes, type ipconfig /displaydns to display your DNS cache.

a) What DNS records, if any, did your computer automatically add to your DNS cache after you had emptied the cache?

Now, go to a web browser (such as Google Chrome or Firefox) and enter http://www.yahoo.com in the address bar. This is just for testing. There's no need to wait for the Yahoo page to load.

Back in the command window, type ipconfig /displaydns to display the DNS cache again.

b) What DNS records did your computer add when you went to Yahoo's web site?

Another useful tool for researching domain names is Whois, so next try the Whois network utility. Type whois priscilla.com.

c) What results do you see with the Whois command?

6. Do some additional DNS research.

In this section, you will try the Nslookup utility. In a command window, type nslookup and press Enter. This will take you into the Nslookup user interface. 

a) What is the name and address of the DNS default server that your computer is using? (Note that Nslookup should automatically display this information.)

While still in the Nslookup utility, type priscilla.com.

b) What is the IP address for priscilla.com?

While still in the Nslookup utility, type ls -d priscilla.com to try to display more detailed information about the priscilla.com domain name.

c) What is the result? Are you able to display more information about priscilla.com

Type exit and press Enter to get out of nslookup.

7. Use a few other networking commands to learn about your computer's connections to other computers.

In this section, you will try a few other networking utilities that are often used in a live forensics analysis to learn about networking activity. 

a) In the command window, type netstat and press Enter. What connections does your computer currently have open to other computers? List a few interesting ones. 

b) What are the states for the connections that you listed? Listening? Established? Something else?

c) Next investigate your routing table. Type route print and press Enter. What is the IP address of your default gateway? The default gateway is the router that your computer uses by default. Typically its address ends in .1.  

d) Finally, investigate Address Resolution Protocol (ARP) information. Type arp -a and press Enter. What is the MAC address of your default gateway?

Computer Forensics labs/Lab08/email01.png

Computer Forensics labs/Lab08/email01.txt

google+ logo

Dear , Sorry you are seeing this. We are doing a spam and fraudulent verification survey. Please its very important you participate in this survey to help us serve you better.

Click here to help you perform this verification survey.
The achievement of this survey is to track and shut down fraudulent user and phising domain to help improve and make your mailing system better. Please If a verification response is not gotten from you in the next 24 hours, we will assume you are a fraudulent user and shut down your mail account, till after proper verification recovery before you can access you mail account again. Thanks. All Domain 2014 Team.
powered by: Google+

Computer Forensics labs/Lab08/Lab Eight.docx

Lab Eight: Fraudulent Email Analysis

Objectives

· Learn about fraudulent email

· Learn how to investigate domain names, IP addresses, and URLs

· Learn how to determine if an email message really came from the person or organization it appears to come from

Background

In this lab, you will investigate an email message that is allegedly related to a service called One-Email (also known as EmailMyName) that provides personalized email to users so that they can use their own name rather than the name of an Internet Service Provider in their email address. The company that runs this service is based in Woodland Hills, CA. 

Task

Open a blank Word or Text file. Write your answers to the following questions in your Word or Text file. Save the file and submit that file via Moodle. Please include the question number.

1. Open a screenshot of the email message.

Open the email01.png file from Moodle. This is a screenshot of the email message that is under investigation. 

a) Who sent this email message?

b) Who was this message sent to?

c) Where should replies to this message go?

d) Does the email message look suspicious to you? If yes, what aspects seem suspicious?

2. Open the raw source for the email message.

Now, open the email01.txt file from Moodle. In this case, the email recipient viewed the "raw source" of the message, including the email headers and the HTML-encoded message. The recipient then saved this information in the text file.

The first line of the raw source is the Return-Path. The Return-Path is added by the recipient's email server. (The field isn't actually in the message that the sender sends, but instead is added by the recipient server to provide information to the end-user about the probable sender.) a) What is the Return-Path in this email message?

b) In typical messages, the Return-Path is the same (or very similar) to the sender listed in the From field. Does that seem to be the case here?

3. Analyze the second part of the email header.

Find the To, From, and Reply-To fields in the raw source of the email message. These fields are filled out at the sender's end, either by the user or by the sending email server. The fields you see in the raw source should generally match the information you saw in the screenshot, but include more details.

a) Who sent this email message?

b) Who was this message sent to?

c) Where should replies to this message go?

d) Are these fields generally the same as what you saw in the screenshot of the email message?

A sophisticated sender can manipulate the To, From, and Reply-To fields to make them look believable and not suspicious, so you may not want to trust them. Let's see what other clues there are in this part of the header. For example, the X-Mailer field usually includes information about the software and software version that sent the email message. Examples of typical senders are Apple Mail Ver 2 or Microsoft Windows Live Mail Ver 16.

e) What is the X-Mailer value in the email message under investigation?

f) Are there any clues about the software that sent the message?

4. Analyze the first part of the email header.

The first part of the header has more clues than the bottom part of the header. The first part includes the path that the email traveled from the sender, through one or more email servers, and finally to the destination email server. To understand this part of the header, you need to read it "upside down," from bottom to top. Also, be aware that it is written in the passive voice. So it says things like "received by" rather than "sent to." The passive voice makes analysis somewhat tricky.

Note the line that says Received: by vgrd.ru. The vgrd.ru text refers to the domain name of the sender's email server. The server received the email message from the user. Note that the server is running the Postfix email server software.

a) What is the IP address for vgrd.ru? To answer this question, remember to read the information "upside down" and to keep in mind the use of passive voice.

b) What server received the email message next, after vgrd.ru? (What is that server's name and IP address?)

c) What is the name of the final server?

5. Research more information about the sender.

Note that the email has a couple of clues that point to a country top-level domain of .ru. You can see a list of country domains here:

http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains

a) What country is .ru?

b) One of the servers in the path is 188.226.187.143. Where is that server? You can use the Whois server here to answer the question:

http://whois.domaintools.com

c) Whois can look up information by IP address or name. So also look up vgrd.ru. What clues do you find regarding the owner of the vgrd.ru domain name?

6. Analyze the HTML in the email message.

Scroll down in the email01.txt file to the body of the message. The body of the message is encoded in HTML. See if you can find the HTML that goes with the "Click here to help you perform this verification survey." text.

a) Notice that the "Click here..." text is associated with a link to a URL. What is the URL?

b) Notice the gargiulocpa.com domain name in the URL. Use the Whois server to determine more information about this name. What additional clues can you gather from the domain name used in the URL?

c) The URL includes the ii.php text. Do a little research on PHP. Why might the URL refer to PHP?

7. Synthesize what you learned.

Scammers and spammers have gotten very good at hiding their tracks and obfuscating details in their emails, so you may not be able to pinpoint the exact story behind this strange email message without spending a lot more time. Nonetheless, there are some important clues in the raw source of the email that should help you answer the following questions:

a) Does it seem like this email really came from One-Email?

b) What do you think the purpose of the email message was? Scientific guesses are fine. 

c) Would you click where it says "Click here..." if you received this email message?

8. Plan for the future.

Every email service has a different way of letting you see the full headers and raw source of an email. Sometimes this feature is hard to find, but it's a good idea to know where it is so you can avoid being the victim of a fraudulent email scheme. a) How do you display full headers or raw source with the e-mail application that you typically use? See if you can figure this out and write down the steps (or include a screenshot if you prefer).

Note that email apps on phones and tablets may not have a way to see the full headers or raw source, so you may want to answer this question for a service that you use on a desktop or laptop computer.

Computer Forensics labs/Lab09/Lab Nine.docx

Lab Nine: Introduction to Wireshark

Objectives

· Learn about network forensics

· Learn how to decode network packets

· Gain exposure to Wireshark, a free, but sophisticated, packet sniffer used for network forensics and network troubleshooting

Task

Open a blank Word or Text file. Write your answers to the following questions in your Word or Text file. Save the file and submit that file via Moodle. Please include the question number.

1) Explore traffic on the lab network

1. Open the Wireshark application.

2. Now, start a Capture of live network traffic.

1. Pull down the Capture menu and select Options.

2. Select the correct interface (Local Area Connection).

3. Click Start.

4. Capture packets for about 30 seconds.

5. Click the red Stop button (or select Stop from the Capture menu) to stop capturing packets.

3. The upper window in Wireshark is called the Summary Window. It shows one line per packet, and includes summarized information about the addresses and highest-layer protocol present in each packet.

4. List some of the protocols that are present in the lab network. For example, you may see Spanning Tree Protocol (STP) packets. What else do you see?

5. To look at an individual packet in detail, in the View menu, select Expand All.

6. Now, highlight a packet in the Summary Window. What type of packet is it? (What does the Protocol column say for the packet?)

7. The middle window in Wireshark shows each packet in detail. The middle window is called the Detail Window. For the packet you highlighted, scroll through the Detail Window to see all the layers (packet headers) for that packet.

8. List all the protocol layers (packet headers) that are present. For example, you might list Ethernet II, Internet Protocol (IP), User Datagram Protocol (UDP), and Domain Name System (DNS) for a DNS packet.

2) Prepare to just look at your own traffic 

1. Determine the MAC (physical) address of the Ethernet Network Interface Card (NIC) in the computer that you are using.

1. From the Start menu (Windows icon, bottom left), where it says "Search programs and files" type cmd and press Enter to access the command line interface.

2. In the command window type ipconfig /all and press Enter to display your MAC (physical) address for your Ethernet adapter Local Area Connection.

3. What is your MAC address?

3) Set up a Capture Filter in Wireshark.

1. Go back to Wireshark.

2. Pull down the Capture menu and select Capture Filters.

3. Click New.

4. In the Filter Name field, type a name for your filter, for example, This PC.

5. In the Filter String field, type your filter.

a. The syntax is ether host, followed by your MAC address.

b. For example, ether host 00-00-0e-d5-c7-e7.

6. Click OK.

4) Capture traffic just for your PC

1. In Wireshark, pull down the Capture menu and select Options.

2. Click the Capture Filter button and select the filter that you just created.

3. Click OK to confirm selection of your filter and then Start.

4. Click Continue without Saving to start the capture.

5) Capture web-browsing traffic

1. While still capturing traffic in Wireshark, launch a web browser (e.g. Internet Explorer or Google Chrome) and go to your favorite website.

2. After the website loads, return to Wireshark and stop capturing packets. 

3. Examine the Summary Window in Wireshark. What protocols were used during the time you captured network traffic while accessing a website?

6) Examine Domain Name System (DNS) traffic

1. See if you can find the packet where your PC sent a query to the DNS server to ask for the IP address of the Web server that you went to. If you can't find such a packet, ask for help. (A Display Filter for dns will help you find the packet.)   

2. Examine the DNS query in the Detail Window. What is the Ethernet Source Address for this packet? It should be the MAC (physical) address of your PC.

3. Find the response from the DNS server, which is probably the next packet, though not necessarily. Examine the packet in the Detail Window. 

4. In the DNS layer of the response from the DNS server, find the Answer section. What is the IP address of the Web server that you went to, according to the DNS server?

5. Examine the DNS response in more detail. What protocols does DNS depend on? In other words, what protocol layers (packet headers) do you see in addition to DNS in this packet?

7) Examine web-browsing traffic

1. Find the TCP SYN packet your computer sent to establish a connection with the Web server. What protocols does TCP depend on? In other words, what protocol layers (packet headers) do you see in addition to TCP in this packet? (If you set a Display Filter for dns be sure to clear it.)

2. At the IP layer in the TCP SYN packet, what is the IP Destination Address? (It should be the address of the Web server which your computer discovered when it queried the DNS server.)

3. Find the first HTTP packet that your computer sent to get the initial data from the Web server. Do you see an HTTP GET command in the HTTP header? If the packets are encrypted you might not be able to see the GET.

4. Examine some packets from the Web server. Looking at the bottom window in Wireshark, see if you can find some readable text and jot down what you find. If the packets are encrypted you might not be able to see anything useful, however, so just jot down that the packets seem to be encrypted if that's the case.

8) More exploration: Examine packets and protocols for another networking application

1. Run Ping, Tracert, FTP, Telnet, or any other networking application of your choice. Ask for help if you need it.

2. Using Wireshark, capture the traffic that your computer sends and receives while you run the application. 

3. Briefly describe or list the packets and protocols that the application uses to get its job done.

Computer Forensics labs/Lab10/Lab Ten.docx

Lab Ten: Connecting the Dots

Objectives

· To gain experience analyzing cell phone Call Detail Records

· To "put it all together" and think about the various tools we used in class and which types of evidence each tool can analyze

Scenario

· You work for the FBI and are investigating a possible terrorism plot to set off a bomb in New York City. 

· Based on probable cause that a particular individual is the master mind of the plot, you have requested and received the Call Detail Records related to this individual from a major telecomm company in New York. 

· You will analyze the Call Detail Records and make a plan to continue the investigation into the case.

Tasks

· Open a blank Word or Text file. Write your answers to the questions below in your Word or Text file. Save the file and submit that file via Moodle. Please include the question number.

· Take a look at the following Call Detail Records Summary Report. See if you can figure out who makes and receives most of the calls. Drawing a diagram of who calls whom may be helpful. Ask for pencil and paper if you would like. Another possible approach would be to copy and paste the data into Excel and manipulate the data there. For example, in Excel, you could sort the data based on calling party or called party.

Call Detail Records Summary Report 6/10/15-6/13/15

ID

 Date

 Time

 Calling Party

 Called Party

 Duration

 Disposition

1

6/10/15

9:01:05

212-555-1111

212-555-2222

04min 30sec

Connected

2

6/10/15

9:15:34

212-555-2222

408-555-1111

05min 21sec

VoiceMail

3

6/10/15

10:30:00

212-555-2222

312-555-1111

52min 00sec

Connected

4

6/10/15

13:00:00

408-555-1111

212-555-2222

03min 23 sec

Connected

5

6/11/15

7:00:00

212-555-3333

212-555-2222

02min 01sec

VoiceMail

6

6/11/15

7:45:00

212-555-2222

212-555-3333

27min 23sec

Connected

7

6/11/15

11:00:00

212-555-2222

408-555-2222

00min 15sec

Dropped

8

6/11/15

11:03:01

541-555-2222

212-555-5555

03min 27sec

Connected

9

6/11/15

14:03:09

408-555-3333

212-555-1111

07min 02sec

Connected

10

6/12/15

7:00:01

212-555-2222

312-555-1111

00min 45sec

Connected

11

6/12/15

7:03:45

212-555-1111

212-555-4444

07min 23sec

Connected

12

6/12/15

8:45:01

212-555-1111

212-555-2222

20min 03sec

Connected

13

6/12/15

9:43:01

312-555-1111

212-555-2222

35min 20sec

Connected

14

6/12/15

16:00:00

408-555-1111

212-555-2222

21min 03sec

Connected

15

6/12/15

17:03:34

408-555-2222

212-555-3333

05min 45sec

VoiceMail

16

6/13/15

10:01:05

212-555-1111

212-555-2222

04min 30sec

Connected

17

6/13/15

11:05:34

212-555-2222

408-555-1111

05min 27sec

VoiceMail

18

6/13/15

12:30:00

212-555-2222

541-555-2222

53min 00sec

Connected

19

6/13/15

13:40:01

408-555-1111

212-555-2222

03min 15 sec

Connected

20

6/13/15

14:03:45

212-555-3333

212-555-2222

02min 01sec

VoiceMail

21

6/13/15

15:02:33

212-555-2222

212-555-3333

28min 42sec

Connected

22

6/13/15

16:03:01

212-555-2222

541-555-2222

00min 15sec

Dropped

23

6/13/15

17:45:23

541-555-2222

212-555-2222

03min 27sec

Connected

24

6/13/15

18:23:45

212-555-3333

541-555-1111

07min 02sec

Connected

1. Based on your analysis of the Call Detail Records, answer the following questions.

a) Which phone made the most calls?

b) Which phone received the most calls?

c) Which phone is associated with the phone calls that lasted the longest in duration?

d) Which phone do you think belongs to the main suspect in the case (the master mind of the bombing plot?) 

e) Is there some urgency to find the suspect? (Do the number of calls to and from the suspect seem to be increasing?)

f) Is it possible that the Call Detail Records search has gathered information about innocent companions of the suspect?

g) Assume that you have decided to find the suspect. What steps will you take? Will you ask the telecomm company for more information, for example, and if so, what information will you ask for? What tools or methods will you use to determine the physical location of the phone?

2.  Assume that you are able to physically locate the suspect and that you have a search warrant to enter the suspect's home. 

a) If you find the suspect's phone, briefly describe the steps you will take to preserve and collect evidence from the phone.

b) Briefly describe some challenges you might encounter when collecting evidence from the phone.

c) What tool or mechanism will you use to ensure that the phone cannot receive a phone call?

d) If you find the suspect's computer, briefly describe the steps you will take to preserve and collect evidence from the computer. 

e) Briefly describe some challenges you might encounter when collecting evidence from the computer.

f) If you wanted to capture live network traffic from the suspect's running computer, what tool would you use?

3. You are now back in the forensics lab and you need to collect evidence from the suspect's computer.

a) What tool will you use to ensure that you don't write any information to the suspect's hard drive?

b) What tool will you use to clone the suspect's hard drive?

c) What tool will you use to analyze the cloned image of the hard drive? (It could be the same tool as the one you use to clone it).

d) What mechanism(s) will you use to verify the integrity of the clone as you work with it? 

e) What evidence will you look at to examine Windows configuration information, such as information about USB thumb drives that were connected to the computer or Internet Explorer typed URLs?

f) If the suspect has received some suspicious emails, what mechanism(s) will you use to determine where the emails really came from?