¶ … Assurance and Security (IAS) Digital forensics (DF) In this work, we take a look at three laboratory-based training structures that afford practical and basic knowledge needed for forensic evaluation making use of the latest digital devices, software, hardware and firmware. Each lesson has three parts. The duration of the first section of the three labs will be one month. These labs would be the largest labs. The Second section would consist of smaller labs. The training period duration in these labs would also generally be one month. The third section would consist of smallest labs. The duration of training period in these labs would be one week. The training will be provided in the field of software, programming concepts, flowcharting and algorithms and logical reasoning- both linear and iterative.

Part 1 Larger Labs:

Lab 1(Timeline Analysis)

Purposes and goals of the Lab (Lab VI):

Use MAC (Media Access Control, internet adapter physical address) to extract time-stamped event progress

- Analyze timeline for extracting proof.

Concepts of IAS/DF ( Internet Authentication Service (related to Microsoft) / Digital Forensics)(Lab VI):

Creating a time-stamped sequence to analyze and access of files.

Software Needed: MAC (Microsoft) and Linux-Forensics

Skills Needed: Timeline concept- uses and applications

Main Tasks/Procedures (Lab VI):

Extract Media Access Control (MAC) Times for the files marked Unallocated and Allocated Files

Obtain MAC Times for Unallocated Inodes

Extracting the Timeline with MAC time

Creating a Time-stamp using Autopsy

Expected Outcome: It is expected that the writer express his analysis of the Timelines generated for the possible sequence of events.

Suggested grading criteria: 1) The analytical expression and capability of the student

2) Testing the students on following queries:

From analysis of MAC times, is it possible to determine each instance of access or modification of a particular file? Support your answer with reasoning. (Lab VI)

Explain the significance of MAC times of the unallocated files?

What information of importance does the uptime give the hacker? (Lab VI)

Possible Bonus Work and points: The trainee demonstrates the timeline methodology to the class with his own inputs.

Duration of lab: One month (Trainees should work in pairs and gradually improve upon their timeline skills and retrieval acumen during the course of one month).

Suggested Courses: Digital Electronics Advanced Computer Science,, Communication Theory Advanced Digital Forensics, advanced Digital Forensics, and MAC Forensic Analysis

MAC analysis for Forensic sciences helps to prepare the timeline of the access of files and can hence be a concrete proof of the sequence of events. The physical address pointing to communication modem is a very effective tool for establishing of communication.

Lab 2 (File Recovery: Meta Data Layer)

Purpose and Goals of the Lab: (Lab IV)

- The Meta data for search list entries can provide vital information like properties and encryption. Students are expected to find all such information for evidences.

- Using information in Meta data for evidence, extract a specific file.

- Use of Autopsy Forensic Browser (Linux-based graphical interface) at the Meta data layer (Lab IV)

- understand the 'delete' ramifications when used in other file handling systems when you are at the Meta data layer.

IAS/DF Concepts Covered: File Recovery

Software Needed: Linux and SLEUTHKIT TOOLSTAT/Autopsy Forensic Browser (Lab IV)

Skills Needed: knowledge of meta data and SLEUTHKIT, basic computer skills; how data is stored and different file systems, and file recovery in different file systems

Main Tasks/Procedures: (Lab IV)

Launching the "Linux - Forensics" virtual machine.

-locate the index node (inode) using the Block number.(Understand the data structure system)

Use Meta Data Information to recover files.

Using Autopsy browser a graphical interface in HTML at the Meta Data Layer

Understanding Meta Data on Different (EXT1, EXT2, EXT3…) File Systems

Expected Outcome: connecting the information gained to recover a file using meta data information and meta data layer understanding.

Suggested Grading Criteria: test based on the following questions will be used to grade the students (Lab IV):

1)

Use search word 'keyboard' to recover file05 which is a MS word document. List all the steps that you'll take. Which block in the image will the 'keyboard' be located?

2)

What would it mean if stats showed the index node ( inode) is shown as being allocated, by stats, what does it mean? What would you infer if it was shown unallocated? Would you infer that the inode being viewed is...

As you are aware, different file structures give information differently, list those differences. It will enable learning extraction of data and analysis in different file systems. Enumerate and understand the data information in meta data layer in different file structures.
8)

Explain and enumerate the modifications to ext2 inode when data on the files of ext2 was deleted. Now, recover the file and explain the process and changes made.

Possible Bonus Work: None

Duration of Lab: this lab study will be for duration of four weeks and the students will need to work in pairs. The course will be divided into two parts, each of the sections lasting a fortnight. The involved processes are to recover lost data in meta data in different file systems (FAT32 and NTFS, for example in windows).

Suggested Courses: Computer science theory and file systems organization. Advanced Digital Forensics, and Windows Forensic Analysis

Lab 3 (File Recovery Data Layer/Revisited)

Purpose and Goals of the Lab (Lab V):

- Use of file Headers, meta data to carry out search.

- Data Carving with Foremost ( a Linux data recovery program based on headers, footers and data structures)

- Zip files password recovery methodology and techniques

IAS/DF Concepts Covered:

File Recovery using Linux-based softwares (Lab V)

Software Needed: Linux operating system and KMenu

Skills Needed: In-depth knowledge of the different data layers, file recovery procedures and methodologies and enhanced computer skills

Main Tasks/Procedures (Lab V):

1)

Start by opening the Kmenu. After that go to the Office menu. From here look for the open office writer (a parallel of the MS office, with all features embedded). Launch Open Office Writer. On the top of the office viewer in the new file that you have opened, open a new text document. Type out a couple of paragraphs to try the "save" features. In the drop-down menu click 'save as' not 'save'. Create a new document with text and go to Save As. Here you need to convert the file to 'save as Microsoft word XP/2007/97 (either of them)). In the save to options, type / tmp/test.doc . this is test file that you need to save as 'Khexedit'. Now the file has been saved. Open the test file by using 'open file' drop down menu where you should see you 'recent' document. Click properties in the bottom to view the hex connotation of your file. To compare and check the hex allocation, create another file and check its hex allocation, too.

2)

You are now ready to launch a 'search' operation using the information of the file, this search is done using the search words that are a part of the document you have already created. The header file of the document contains the required document in the hex notation and can be searched using the dls file contents. To access the hex file of your interest 'dls will have to be used, the location of hex notation are in a place termed as 'hexdump'. This is a utility to check header contents. Alternatively, you can use the _C option, too. It is parallel to the khexedit. This will ultimately lead you to the 'grep' that will allow you to look for the header search that you have launched. To look for the header one needs to use only eight bytes of the header. If you want to know, the decimal equivalent of the hexcode that you want to search for in the header you can use the tool known as Kcalc. The tool can be found easily on the toolbar.

Those were the basics and intricate steps of carving out data (meaning extracting hidden data) from the recesses of the computer memory. There are however, easier ways of doing that these days. Under Linux Environment, data carving is done using an application called 'foremost'. After foremost launches and starts its search process, you will find the directory / mnt/recover/lab5/foremost-output/. Within this foremost-output directory is a file named audit.txt. This is the file that contains the 'offset' value of the memory location of the stored file. All the files found by it have their offset values in this directory. All the files that did not open first, will have their locations stored here. All you have to do is…