Digital forensic investigation using CAINE 6.0 with a virtual machine.
CO4514 Digital Forensic Technology/ Practical Exercise – CAINE & Autopsy
Autopsy is a web-based open source forensic tool that comes pre-installed on the CAINE Linux distribution. This practical exercise will look at how to use the Autopsy program for the purpose of performing a basic forensic investigation.
1. Download the VMWare package file from Blackboard
If you aren’t using VMWare then you will need to rebuild the virtual machine. Details can be found at the bottom of this practical sheet.
2. Start the virtual machine
This will boot into CAINE version 6.
3. Click Menu->Forensic Tools->Autopsy 2.24
At first a terminal window will appear showing some instructions. Ignore this and wait for the browser to be displayed. Eventually your screen should look like the screenshot shown.
The terminal window is running a background service for the Autopsy browser application. Leave the terminal window running during your use of Autopsy, but you can ignore it as you won’t be interacting with this terminal window.
4. Click on “New Case”
Enter the details like in this screen shot (but use your own name).
5. Click on the “New Case” button
You will now be asked to create a new host.
6. Enter the host details like in this screen shot.
7. Click the “Add Image” button
Here we are going to add a DD image file that I have created for you (and it is stored on the virtual disk you have in this virtual machine).
8. Click “Add image File” button
In the path, type “/media/sda1/evidence/sdb” (without the quotes) and then click the Next button.
9. Select “Calculate hash value for this image”.
When you add a new evidence file, it is normal for you to check the MD5 value hasn’t been changed. If the value has been changed then it might indicate that the evidence has been altered/tampered with.
Notice the part at the bottom which says “For your reference, the MMLS output was the following:”. The mmls tool is a Sleuth Kit command that reads the partition table of a disk image and lists the partitions it finds, together with the file system type each one is flagged as. In this instance, it is telling us that the image contains a FAT32 partition.
10. Click the Add button
This will now try to calculate the MD5 for the evidence file you have added.
The MD5 for this evidence file should be 36BC42007728DDD6250DB23CB541235B. You should check to make sure the MD5 hasn’t been changed by something.
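Autopsy calculates the MD5 for you, but an investigator should be able to reproduce that value independently and compare it with the hash recorded at acquisition. The script below is an added example, not part of the practical sheet or of Autopsy: it hashes an image file in chunks (so a large DD file never has to fit in memory), compares the result case-insensitively with the value the sheet gives, and records SHA-256 alongside MD5 because MD5 is no longer collision-resistant. The temporary file written in the `__main__` section is a constructed stand-in for `/media/sda1/evidence/sdb`.

```python
import hashlib
import hmac
import os
import tempfile

# Expected MD5 of the practical's evidence image, as printed on the sheet.
EXPECTED_MD5 = "36BC42007728DDD6250DB23CB541235B"


def digests_of_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory byte string (handy for small checks and tests)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digests_of_file(path: str, chunk_size: int = 1024 * 1024) -> dict:
    """Hash a disk image in 1 MiB chunks so a multi-gigabyte DD file streams from disk."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hashes_match(actual: str, expected: str) -> bool:
    """Case-insensitive, constant-time comparison; Autopsy prints the MD5 in upper case."""
    return hmac.compare_digest(actual.lower(), expected.lower())


def verify_image(path: str, expected_md5: str) -> bool:
    """True if the image's MD5 still equals the value recorded when it was acquired."""
    return hashes_match(digests_of_file(path)["md5"], expected_md5)


if __name__ == "__main__":
    # Constructed stand-in for the evidence image so the script runs offline.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x00" * 512 + b"constructed evidence image")
        sample = tmp.name
    try:
        d = digests_of_file(sample)
        print("md5    ", d["md5"])
        print("sha256 ", d["sha256"])
        # The stand-in is not the real image, so this prints False.
        print("matches sheet value:", verify_image(sample, EXPECTED_MD5))
    finally:
        os.unlink(sample)
```

Record both digests in your case notes at the time of acquisition; a later mismatch on either one means the image you are analysing is not the image that was seized.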
11. Click the OK button
You are now presented with the ability to consider the evidence as a “disk” or as a “file system”.
Looking at the evidence in “disk” view will allow you to run some keyword searches or allow you to view the individual disk sectors.
Looking at the evidence in “file system” view will allow you to interact with the file system – as file system objects (files and folders) rather than as disk objects (sectors).
12. Ensure “disk” is selected and then click the “Analyze” button
You will be presented with the investigation options similar to the screen shot above.
As we are looking at the evidence in “disk mode”, we can’t do everything – we can’t analyse the file system (it doesn’t know what a “file” is). We can perform a keyword search, see the individual disk sectors or look at the evidence file.
13. Click on Image Details
Clicking on the “Image Details” button tells us some information about the evidence file we’ve added.
This is showing the forensic investigator how the disk is set up. When you install a file system on a Windows based operating system, you create a “partition” to store your data. When you use Windows you will be used to seeing “C:” or “N:” which is a partition. When you create files and folders you store them inside this partition.
A partition is a handy way for the disk to organise itself. It basically says “my partition starts at this disk address, and has so many disk sectors”.
In the “image details” screen above it says…
Slot 00 – is the “master boot record” which contains a description of the partitions
Slot 01 – is unallocated, it hasn’t been allocated to a partition and therefore you shouldn’t find any useful information there (note: this is a good place to hide information!)
Slot 02 – has a FAT32 partition that starts at disk sector 63 and runs for 208844 sectors (this works out to about 100 megabytes)
Slot 03 – starts at disk sector 208845 and runs for 51 sectors (note: this is called “partition slack” and is another good place to hide data).
This screen is good to check to see if the evidence file contains data that is hidden.
14. Click “keyword search”
This will work through the evidence file and look for the keywords you have entered.
There are different types of keywords searches.
Plain text / literal keywords – if you search for the word “john” then it will find instances where the byte sequence “john” is found. Remember that a computer is a number crunching machine, so uppercase and lowercase letters are not the same. ASCII uses 7 bits, normally stored in 8 bits, to represent a letter; Unicode text stored as UTF-16 uses 16 bits to represent a letter, so the same word looks different at the byte level.
Regular expressions – are about matching patterns rather than literal keywords.
15. Click on the “Regular Expression Cheat Sheet” link on the page
For example, if my credit card number was
4953-3283-3838-8287 then I could use a literal keyword search to find THIS credit card number. But what if I was trying to find ALL credit card numbers, rather than just a single credit card number?
I could use a pattern in this instance.
The pattern for a credit card number could be,
4 numbers – dash – 4 numbers – dash – 4 numbers – dash – 4 numbers
I could define this pattern using a regular expression, and then search against the evidence file to see examples where this has occurred.
Task: Can you define a regular expression for a credit card number?
Note: if you use a search engine you will find that many people create and publish their regular expressions.
When using pattern matching you want to reduce the number of “false positives”; and there seems to be quite a lot of competition to see who can write the ‘best’ regular expression for various patterns.
Task: Have a look at “email address” regular expressions. Find a really complicated one and put it in the discussion board – along with your explanation!
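To make the difference between the keyword types concrete, here is an added example (my own code, not part of the practical sheet or of Autopsy) that runs the three kinds of search the sheet describes over a constructed byte buffer: a case-sensitive literal search, the same search repeated for UTF-16LE text (which a plain ASCII search misses), and a regular-expression search for the sheet's 4-4-4-4 card pattern. The `luhn_ok` filter is the kind of false-positive reduction the sheet mentions: every genuine card number passes the Luhn checksum, so a 16-digit string that fails it is almost certainly not one. The buffer, its offsets and the second card number are all constructed; the first card number is the one from the sheet.

```python
import re

# Constructed evidence buffer: ASCII text, a UTF-16LE string (as Windows often
# stores Unicode), the sheet's card number and a constructed one that fails Luhn.
SAMPLE = (
    b"\x00" * 8
    + b"John met john at noon. "
    + "Meeting with John".encode("utf-16-le")
    + b" card 4953-3283-3838-8287 junk 1234-5678-9012-3456 "
    + b"\x00" * 8
)

# The sheet's pattern: 4 digits, dash, 4 digits, dash, 4 digits, dash, 4 digits.
CARD_PATTERN = re.compile(rb"\b\d{4}-\d{4}-\d{4}-\d{4}\b")


def literal_search(data: bytes, keyword: str, case_sensitive: bool = True) -> list:
    """Byte offsets of an ASCII keyword; by default 'John' and 'john' differ."""
    hay = data if case_sensitive else data.lower()
    needle = keyword.encode("ascii")
    if not case_sensitive:
        needle = needle.lower()
    return [m.start() for m in re.finditer(re.escape(needle), hay)]


def utf16_search(data: bytes, keyword: str) -> list:
    """Byte offsets of the keyword encoded as UTF-16LE (one null byte after each letter)."""
    needle = keyword.encode("utf-16-le")
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def card_search(data: bytes, validate: bool = True) -> list:
    """(offset, text) for each pattern hit; with validate=True, Luhn failures are dropped."""
    hits = []
    for m in CARD_PATTERN.finditer(data):
        text = m.group().decode("ascii")
        if not validate or luhn_ok(text.replace("-", "")):
            hits.append((m.start(), text))
    return hits


if __name__ == "__main__":
    print("literal 'john' (case-sensitive):  ", literal_search(SAMPLE, "john"))
    print("literal 'john' (case-insensitive):", literal_search(SAMPLE, "john", False))
    print("UTF-16LE 'John':                   ", utf16_search(SAMPLE, "John"))
    print("card pattern, all hits:            ", card_search(SAMPLE, validate=False))
    print("card pattern, Luhn-valid only:     ", card_search(SAMPLE))
```

The offsets printed are what Autopsy shows as the position of each hit; the UTF-16 search is worth running in addition to the ASCII one whenever the evidence came from a Windows machine.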
16. Search for the keyword “evidence”
You should find 1 occurrence. You can view this occurrence by clicking on either the ASCII or Hex links under the occurrence.
In the screenshot above I have clicked on the ASCII link. This is displaying the human readable text in the right hand window.
This is the same file, but viewed as a hex dump rather than ASCII.
On the far left hand side (0, 16, 32, 48, 64 etc) you have the data offset.
The data offset tells you how far from the starting point of the file the data is. For example, where it says 16, the data next to it starts with 69 – this means the byte at offset 16 (counting from zero) is 0x69 (hex code 69 – which is read six nine; not sixty-nine).
17. Click on “Data Unit” in the top menu
18. Enter the unit number of zero; and a number of units as 1.
19. Click on the View button
This displays the ASCII contents of the first sector (the first sector starts at address 0 and runs for 512 bytes).
Click on Hex (display).
This displays the disk sector in hexadecimal view.
Click on hex (report)
This will open a new browser window with the contents exported in its own report.
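The partition slots listed under “Image Details” and the 512-byte sector shown under “Data Unit” are the same thing seen two ways: sector 0 is the master boot record, and the partition table inside it is what mmls and Autopsy decode into slots. The script below is an added example (my own code, not from the sheet or from the Sleuth Kit): it renders bytes in the offset/hex/ASCII layout Autopsy uses, parses the four partition entries at byte offset 446 of an MBR, and walks the disk to report every unallocated gap before, between and after the partitions, the places the sheet flags as good for hiding data. The MBR is constructed; its single FAT32 entry starts at sector 63 and its length and the 208896-sector image size are chosen so that the trailing unallocated region begins at sector 208845 and is 51 sectors long, like the slots on the sheet.

```python
import struct

SECTOR = 512


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes like Autopsy's hex view: decimal offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:>8}  {hexpart:<{width * 3 - 1}}  {text}")
    return "\n".join(lines)


def parse_mbr(sector0: bytes) -> list:
    """Decode the four 16-byte primary partition entries that start at offset 446."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: boot signature 0x55AA missing")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append({"type": ptype, "start": start, "count": count,
                          "bootable": status == 0x80})
    return parts


def layout(parts: list, total_sectors: int) -> list:
    """Walk the disk like mmls: slot 0 is the MBR, then partitions and the gaps between them."""
    slots = [("MBR", 0, 1)]
    pos = 1
    for p in sorted(parts, key=lambda q: q["start"]):
        if p["start"] > pos:
            slots.append(("unallocated", pos, p["start"] - pos))
        elif p["start"] < pos:
            # Overlapping entries never come from a normal partitioning tool.
            slots.append(("OVERLAP (suspicious)", p["start"], pos - p["start"]))
        slots.append((f"partition type 0x{p['type']:02x}", p["start"], p["count"]))
        pos = max(pos, p["start"] + p["count"])
    if pos < total_sectors:
        # Trailing sectors after the last partition: the sheet's "partition slack".
        slots.append(("unallocated", pos, total_sectors - pos))
    return slots


def build_sample_mbr() -> bytes:
    """Constructed MBR: one bootable FAT32 (type 0x0B) partition at sector 63."""
    boot_code = b"constructed MBR sample".ljust(446, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x0B, 63, 208782)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print(hexdump(mbr[:32]))          # first two rows of sector 0, offsets 0 and 16
    print(hexdump(mbr[446:512]))      # the partition table and signature
    for name, start, count in layout(parse_mbr(mbr), 208896):
        print(f"{name:<24} start {start:>7}  length {count:>7}")
```

Run against a real sector 0 (exported from Autopsy's hex report, or read with `dd bs=512 count=1`), the layout walk gives you the same slots as the Image Details page and makes any unallocated region explicit, which is the check to make before deciding where hidden data might live.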
20. Click the Close button
21. Select the “C:” option and click the “Analyze” button
22. Click the “File Analysis” button
This now displays the contents of the file system.
When we were viewing the “disk” view we never got to see files; now that we are viewing the “C:” partition as a file system we can see the various file system artefacts. In the screen shot above we can see $FAT1, $FAT2 and $MBR. These correspond to artefacts within a FAT file system.
You can also see “documents” and “pictures”.
23. Click on “documents”.
24. Click on the file “doc1.docx”
This file seems like a load of random text. This is actually the file format used by a Word document (if you are interested to know more, look up ‘compound file’ or ‘IStorage’ and ‘IStream’ on Google).
The in-built features of Autopsy don’t allow us to view this file; however we can export this file and view it in LibreOffice.
25. Click on the “Export” link
When asked if you want to save the file, click to save the file.
The download icon in Firefox will flash blue; click on the downwards pointing blue arrow and then select the file that has been downloaded.
26. Look at all the other documents; where necessary use an external viewer by exporting the file first
27. Navigate to the C:pictures folder
28. Click on “pic1.jpg”
Autopsy will display a thumbnail image; however this isn’t always detailed enough to see all the information.
29. Click “View Full Size Image”
This will display a larger version of the same file; and will allow you to see more of the detail.
30. View the other image files; make sure you’re not missing any details by viewing the full size image
31. Click “Image Details” in the top menu
This will tell you more information about the file system. This screen can tell you about the actual partition – for example how the file system is formatted. If you scroll down this list you will find information about the FAT table – this can help you to understand how files are built. In reality – this information isn’t particularly useful (unless you are trying to recover data).
32. Click “Meta Data” in the top menu
33. Click “Allocation List”
This gives you a list of the files that are recorded and whereabouts on the file system they are stored.
34. In the screenshot above, click on the number 2.
This tells you information about the data stored at cluster number 2.
This is actually the root directory of the partition.
35. Click on the “View Contents” button
36. Change the view so that it shows you the hex data
In this screen shot we actually see the underlying data for the root directory. If you examine it carefully enough you will see DOCUME~1 and PICTURES, which are the 8.3 short names for the folders Documents and Pictures.
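The DOCUME~1 and PICTURES strings you spot in the hex view are the first 11 bytes of 32-byte FAT directory entries, and the rest of each entry says what the name refers to. The script below is an added example (my own code, not from the sheet or from Autopsy) that builds a constructed root directory for the FAT32 partition and decodes it: the 8.3 name, the attribute byte (directory, volume label and so on), the first cluster, the file size, and the 0xE5 marker that FAT writes over the first name byte when a file is deleted, which is why deleted entries stay recoverable until the slot is reused. The entries, cluster numbers and sizes are all constructed; `cluster_to_sector` uses the standard FAT rule that data clusters are numbered from 2.

```python
import struct

ENTRY = 32
ATTR_VOLUME_LABEL = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F        # fragments of a long file name, skipped here
DELETED_MARKER = 0xE5


def make_entry(name8: str, ext3: str, attr: int, cluster: int, size: int,
               deleted: bool = False) -> bytes:
    """Build one 32-byte FAT directory entry (time and date fields left at zero)."""
    raw = name8.ljust(8).encode("ascii") + ext3.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARKER]) + raw[1:]
    # attr, NTRes, CrtTimeTenth, CrtTime, CrtDate, LstAccDate, FstClusHI,
    # WrtTime, WrtDate, FstClusLO, FileSize
    return raw + struct.pack("<BBBHHHHHHHI", attr, 0, 0, 0, 0, 0,
                             cluster >> 16, 0, 0, cluster & 0xFFFF, size)


def parse_dir(data: bytes) -> list:
    """Decode the entries of a directory cluster until the end-of-directory marker."""
    entries = []
    for off in range(0, len(data) - ENTRY + 1, ENTRY):
        e = data[off:off + ENTRY]
        if e[0] == 0x00:
            break                        # no more entries in this directory
        attr = e[11]
        if attr == ATTR_LONG_NAME:
            continue
        deleted = e[0] == DELETED_MARKER
        name = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            name = "?" + name[1:]        # first character was overwritten by 0xE5
        hi = struct.unpack_from("<H", e, 20)[0]
        lo = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        entries.append({
            "name": f"{name}.{ext}" if ext else name,
            "attr": attr,
            "dir": bool(attr & ATTR_DIRECTORY),
            "cluster": (hi << 16) | lo,
            "size": size,
            "deleted": deleted,
        })
    return entries


def cluster_to_sector(cluster: int, first_data_sector: int, sectors_per_cluster: int) -> int:
    """Cluster 2 is the first data cluster, so cluster N starts (N-2) clusters in."""
    return first_data_sector + (cluster - 2) * sectors_per_cluster


def build_sample_root() -> bytes:
    """Constructed root directory (cluster 2): label, two folders, one deleted file."""
    return (
        make_entry("EVIDENCE", "", ATTR_VOLUME_LABEL, 0, 0)
        + make_entry("DOCUME~1", "", ATTR_DIRECTORY, 3, 0)
        + make_entry("PICTURES", "", ATTR_DIRECTORY, 4, 0)
        + make_entry("NOTES", "TXT", 0x20, 5, 1234, deleted=True)
        + b"\x00" * ENTRY
    )


if __name__ == "__main__":
    for ent in parse_dir(build_sample_root()):
        kind = "dir " if ent["dir"] else "file"
        flag = " (deleted)" if ent["deleted"] else ""
        print(f"{kind} {ent['name']:<12} cluster {ent['cluster']:>3} "
              f"size {ent['size']:>6}{flag}")
```

In Autopsy, the cluster number shown next to each entry is what “Meta Data” lets you jump to, and a deleted entry still carries its old first cluster, which is the starting point for recovering the file's content.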
37. Click the “Close” button in the top menu
38. Click the “Close host” button
39. Click the “close case” button
40. Close Firefox
Because we have used the CAINE operating system as a live CD-ROM (booting straight from the ISO image) we won’t be able to save any of the work we have done. As soon as you reopen Autopsy you will have to start again and create a new case.
Not Using VMWare?
If you are not using VMWare (don’t forget that you can get VMWare for free to download at home) then you can still use this evidence file.
You will need to set up a virtual machine connected to CAINE 6; and then add the evidence file contained within the VMWare virtual disk file that you’ve downloaded from Blackboard.
The file “co4514 week 08 CAINE.zip” from Blackboard must be downloaded and stored somewhere on your computer.
Create your virtual machine so that it runs from the CAINE 6 ISO image.
Remove all existing hard drives connected to the virtual machine.
Connect a new hard drive, and point it at the extracted file. The .VMDK file that you want to connect to is called “co4514 week 08 CAINE.vmdk”.