[Revision] Lab

Lab 1 Notes Sheet

Part I

List steps taken. Incorporate screenshots and information from your notes into your final report.

4. ______
   Write down the files in the projects folder: ______
6. Write down the IP address displayed for the Student First VM: ______
7. Take a screenshot of the output from using the $ losetup -l command: ______
8. Take a screenshot of the results from using the $ gnome-disks command.
11. Take a screenshot of the results from using the $ sudo mount command.
    Write down the complete path displayed in your Terminal window.
    Type: $ mount | grep /dev/loop ______
    Write down your results. What does this give us? Same result? ______
13. Take a screenshot of the files in the downloads directory after using the $ ls command: ______
14. Take a screenshot of your hash value. Does your hash value match the instruction hash value? ______

Part II

3. Take a screenshot of your hash value after making the forensic copy. Does your hash value match the instruction hash value?

Part III of Exercise II

No screenshot required.

Part IV

5. Take a screenshot of the desktop of your lab VM showing the files that were created.
6. Record the hash values contained in the memecapture.ad1 text file.

Part V

7. Provide screenshots of the results of your commands.
8. Provide screenshots of the results of your commands.

Report Writing and Grading Instructions

The grade for your digital forensics imaging task report will be determined by the number and quality of tasks you perform according to the project instructions, documentation of screenshots, answers to questions presented within the project, additional announcement instructions provided by your instructor, incorporation of applicable checklists used in the course, and the structure and organization of your report format, minimally incorporating what is suggested in the report writing examples, templates or outlines provided in the course, as follows:

T1 - Imaging Project Report Template

Note: Use I, II, III, IV and VI for your imaging lab report.

Cover Page
Title: Digital Forensics Examiners Report
Project No.
Name:

I. Introduction - How you received the case, etc.
II. Task Summary
III. File Details
IV. Steps Taken
V. Exhibits – Not Applicable
VI. Chain of Custody
VII. Opinions – Not Applicable

Attached to your report will be a separate sheet of brief Notes listing the following:

1. list dates and times for your work
2. list your answers to project questions
3. list tasks performed/completed in the project
4. list observations
5. note discoveries
6. document relevant analysis, etc.

Note: Your notes will be used for the summary, steps taken, notable items, analysis, opinions and exhibits referenced in your imaging project report or case report.

Take a screenshot showing that the icon disappears after the disk volume is unmounted.

Your Forensic Examiners Report should be written using the following format:

REPORT WRITING FORMAT

Digital Forensics Examiners Report – Imaging Project Only

I. Introduction

1st paragraph (State how you got the case and the tasks you were requested to perform or examine)
a. Who or where you obtained case file information from
b. Describe the purpose of your task or examination (e.g. to image a hard drive for digital forensics examination; search for evidence of illegal activity, etc.)

II. Examination Summary

1-3 paragraphs (Brief summary/overview of the requested task(s) you completed in an imaging-only request; or, in a case investigation, briefly summarize the most important evidence that you found in relation to the case investigation)

III. File Details (Important Files Are Highlighted)

* bullet point the most important files you worked with in an imaging-only task

In Case Investigation
* bullet point the most important files you worked with (Note/List the top 5 files, or top 10 files, etc. you found that are important to the case)
* label photos or evidence details with a short caption, e.g. "this photo contains an image of …" or "photo ace.jpg contains an image of a wrench"

IV. Steps Taken (Explain How Examination Was Conducted)

Example:
* A forensic image of the hard disk was made using FTK Imager
* A checksum was performed on the hard disk and an MD5 hash was generated
* The hard drive was examined using Linux Commands, Encase 6.0.
* A Forensics Examiners report was completed for the hard disk examination, to image the drive

V. Exhibits (List Exhibits by File Type: Documents, Images, RAR, etc.)

Exhibits 1-5 contain recovered text file documents obtained from the hard disk
Exhibits 6-10 contain recovered image files obtained from the hard disk
Exhibit 11 contains email messages obtained from the hard disk

VI. Chain of Custody (Document where & how media was obtained & processed)

“The Modern hard disk No. LRDP102839 was received by Fed Ex Shipping No. 67201732 and stored in the locked evidence bin/drawer #6. Chain of custody form was completed. A forensic image of the original hard disk was made and the original was returned to evidence bin/drawer #1 for safekeeping. An examination was conducted on the forensic hard disk image working copies. The original Modern hard disk No. AD42783 was returned to the Daylight Company by FED Ex Shipping No. XYT42071 after completion of the examination. All files and exhibits and the examination report are contained in “Daylight Examination Folder” on a CD labeled Daylight Examination Case No. 7632019.”

VII. Opinions (State your opinion based upon what you found and why it appears to be important for the client's purposes, to the investigation or to the task assigned)

It is my opinion that …. e.g. the recovered photos of broken glass on the showroom floor are consistent with unauthorized access after normal business hours; or are inconsistent with a malware intrusion; or are consistent with the user’s placement of the unlicensed software on the desktop; or the bike photos appear to be what the investigator is looking for, but additional follow-up may be needed to determine the actual bike owner’s identity, and whether the type, color and model are consistent with the description of the missing bike in the theft case.
