CyberPatriot Forensics Challenge 1 Forensics – Instruction Guide www.leidos.com/cybersecurity/solutions/CyberNEXS
DIGITAL FORENSICS
Practice Exercise March 2017
Prepared by Leidos
Introduction
The goal of this event is to learn to identify key factors of the digital forensics field while engaging your creativity and sense of adventure. This is a Digital Forensics treasure hunt which may include various encryption/encoding methods using cipher, codes, crypto, and Autopsy. You must find the answer to the clues, which will lead you to the next clue. Answers will be hidden in various sources.
Please read this document in its entirety; it contains three (3) exercises to be executed for practice.
Getting Started
1. Download the Forensics Virtual Machine zip from the website:
https://www.leidos.com/civil/commercial‐cyber/cybernexs/cyberpatriot
2. To open the zip file, you will need to enter a password. The password for this exercise is 2016CBPg03s4th
3. After downloading the zip file, calculate its MD5 checksum. Instructions for installing and using the MD5 software can be found in the document labeled “Install MD5” located on the download site. If the checksum matches the one provided in the email, you have successfully downloaded the zip file. If it does not, re‐download the file. If the checksum still does not match after several re‐downloads, try a different browser, computer, or network. The video linked below walks through the verification of the zip file: https://www.youtube.com/watch?v=Mod9TZ858AU
4. For the purposes of this practice exercise, answers will not be submitted to a scoring engine. This exercise is for practice and familiarization only.
Exercise 1
Objective
The objective of this exercise is to run Autopsy on the provided Virtual Machine (VM), available for download at https://www.leidos.com/civil/commercial‐cyber/cybernexs/cyberpatriot. Once Autopsy is running, you will examine the existing case provided.
Familiarization with Autopsy
Autopsy is a free front‐end application for The Sleuth Kit (TSK), a collection of Unix‐ and Windows‐based tools for forensic analysis of computer systems. For background, a good introduction may be found at https://en.wikipedia.org/wiki/The_Sleuth_Kit. Detailed Autopsy user documentation can be found here: http://www.sleuthkit.org/autopsy/docs/user‐docs/4.0/
Digital forensic evidence must be processed (detected, collected, and preserved) in special ways (preserving the “chain of custody” and data/evidence integrity, thus guaranteeing that evidence is not tampered with, destroyed, or modified during handling, analysis, or storage) in order for cases to be successfully litigated. Autopsy is a tool that wraps analysis and reporting capabilities around a case management framework. This framework helps the analyst meet these rigorous handling requirements, as well as perform detection and analysis work. For this reason, Autopsy requires you to open a “case” before allowing you to do anything else. Within an open case, Autopsy allows you to specify a data source such as a digital “image” file or a drive attached to your computer. It lets you pick all or a selection of the analyses it performs as it populates a database with results.
Digital image files are usually captured from actual disk drives (or memory) of computers seized for evidence. These “images” are not just pictures but the whole disk structure and content; they are made using other tools (like “dd” in Unix) and stored on separate media so as not to contaminate or modify the original drive. In this spirit, Autopsy reads data from images of evidentiary drives, or analyzes a local drive, without modifying or writing to the original. All results (extracted or recovered files/records) are saved in the “export” directory where the case is maintained. If you wonder why Autopsy is making your life difficult, keep in mind the requirements for evidentiary preservation of data integrity and chain of custody. There is a big tradeoff between ease of use/analysis and proper forensic processing of evidence in the real world. This exercise will introduce and illustrate some of these concepts and processes.
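As an added example (not part of the Leidos guide), the checksum verification from step 3 of Getting Started and the integrity property described above, written in Python. The file name and the sample bytes are constructed; a real image is hashed the same way, and hashing it again after analysis proves it was not written to.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash large disk images 1 MiB at a time instead of loading them whole


def hash_file(path, algorithm="md5"):
    """Return the hex digest of a file, read in chunks so multi-GB images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_md5):
    """Getting Started step 3: compare the downloaded file's MD5 with the published value.
    Returns (ok, actual_md5); the published hash may be upper or lower case."""
    actual = hash_file(path, "md5")
    return actual == expected_md5.strip().lower(), actual


def integrity_record(path):
    """Record MD5 and SHA-256 of an evidence image before analysis. Re-run after analysis:
    equal digests show the image was not written to (the integrity property the guide describes)."""
    return {"md5": hash_file(path, "md5"), "sha256": hash_file(path, "sha256")}


def demo():
    """Constructed sample 'image' (not a real disk image) so this runs offline."""
    sample = b"CONSTRUCTED SAMPLE IMAGE " * 4096
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sample.dd")  # hypothetical file name
        with open(img, "wb") as f:
            f.write(sample)
        published = hashlib.md5(sample).hexdigest()  # stands in for the hash from the email
        ok, _ = verify_download(img, published.upper())
        before = integrity_record(img)
        # Simulate a careless write to the image, the very thing forensic handling must prevent.
        with open(img, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered = integrity_record(img) != before
        return ok, tampered


if __name__ == "__main__":
    print(demo())  # (True, True): download verified, later modification detected
```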
Exercise Instructions
1. Set up the Forensics Virtual Machine
a. A Windows 7 virtual machine (VM) was prepared with Autopsy already installed, along with a test case containing some simple results. You will first need to download the VM from the Leidos CyberNEXS site: https://www.leidos.com/civil/commercial‐cyber/cybernexs/cyberpatriot. The file name is Win7_Forensics_VM.7z. You will need to unzip the file with 7‐Zip (free) from http://www.7‐zip.org/ if you don’t already have it. Run 7z. In the file navigation bar, go to where Win7_Forensics_VM.7z is. Highlight the file Win7_Forensics_VM.7z and click on Extract. Supply the decryption key. The extracted directory is “Windows 7Baseline”.
b. You will also need VM Player (free) to run this VM. If you don’t already have it, you will need to download and install it. VM Player was recently repackaged and included with VM Workstation 12 as VM Workstation Player (the non‐player Workstation requires a license), so you currently need to install VM Workstation; when the install finishes, just find and run VM Player (no license needed). If you want to try the latest version, go to: https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
c. Start VM Player (or VM Workstation Player). Note where you put the VM downloaded from Leidos. Click “Open a Virtual Machine”. Navigate to where you placed the extracted Windows 7Baseline directory. Click on it and highlight Windows 7 Misconfigured Baseline.vmx. Click on Open. In the left‐hand column, note the link to WIN7‐Forensics. Highlight WIN7‐Forensics and click “Play virtual machine”.
d. The forensics Windows 7 machine is now running. No login is required. Note the existing Autopsy case directory, “testcase2”, on the desktop. If you choose to create your own cases, you can save them anywhere you choose.
e. Start Autopsy by clicking on the Autopsy 4.0.0 shortcut icon. You’ll see the following screen:
f. Click on “Open Recent Case”. Click on testcase2 and then select Open.
This case has two data sources, both of which are captures of the same disk, called “data”, which is drive “E:” on the virtual machine. Each capture is a separate image of the same E: drive; the second was taken after some changes were made to the original drive. This drive contains some forensic artifacts you will search for and investigate (not necessarily with Autopsy). At this point, Autopsy will show:
The screen capture below shows the Windows 7 disk volumes on this machine. Analysis is being done on Data (E:) which is static (do not make any changes here). The C: drive is the system drive and is dynamic. In real life, you would want to inhibit any changes to the C: drive of a “seized” computer to preserve evidence and data integrity. This is an important yet complicated step that is out of scope and is not covered here. Instead we limit analysis only to the static E: drive, and possibly image files captured by other means from this or other machines.
g. When the E: drive was attached to the case as a data source, it was analyzed and the results were populated in the Autopsy database. To look at some results, click on “Views” and expand File Types and Deleted Files in the Autopsy left‐hand navigation panel. Click on File Types ‐> Images. You should see the image below.
Autopsy has found some image files in that disk volume that could potentially contain evidence or other artifacts of interest. If present, Autopsy can also find deleted files, file fragments, videos, audio, archives, executables, documents, and more. Make a note of this result for later. Check http://www.sleuthkit.org/autopsy/docs/user‐docs/4.0/ for particulars.
Exercise 2
Objective
Find and retrieve a deleted file from an externally obtained disk image.
Exercise Instructions
1. Restart Autopsy and open a new case (Create New Case in the diagram below), using case names, analyst names, and numbers of your own choosing.
2. On your own computer (not the Forensics VM), open a Web browser (IE, Firefox, etc.) and go to http://www.cfreds.nist.gov/dfr‐test‐images.html. Go to the bottom of the page and find Test Image Links. Click on the NTFS link for Test Case DFR‐01‐RECYCLE, which is an image file of a drive where a file has been deleted and the Recycle Bin emptied. Download the compressed file, dfr‐01‐recycle‐ntfs.dd.brz2, to your desktop. Use WinZip or 7‐Zip to extract the image file, dfr‐01‐recycle‐ntfs.dd, to your desktop (it may be in its own directory).
3. Copy/paste or drag and drop dfr‐01‐recycle‐ntfs.dd to the desktop of the Forensics VM running in VM Player (this works in VM Workstation Player v. 12; unchecked in earlier versions of Player). See the diagram below:
CyberPatriot Forensics Challenge 8 Forensics – Instruction Guide www.leidos.com/cybersecurity/solutions/CyberNEXS
4. Autopsy should be showing the “Enter Data Source Information Wizard” page as shown below. For “Select source type to add:”, select Image File (default). Click Browse. Click Desktop and then click on dfr‐01‐recycle‐ntfs.dd, as shown below. Click Open, and then click Next.
5. Autopsy opens the “Configure Ingest Modules” wizard, where you can pick specific analyses to employ. Click Next, which selects all modules (default) if none were changed.
6. Click Finish and ignore the error applet. The source has now been analyzed and added to the local database. Click on Views ‐> Deleted Files ‐> All (3) in the left‐hand navigation window. Autopsy now looks like this:
These three files with red “x”es are files that have been permanently deleted from the target drive (the Recycle Bin was emptied); they may or may not be recoverable. If the disk clusters of a deleted file have been reused (re‐allocated) for a new file, that cluster’s data is lost and the intact file is unrecoverable, though fragments may still be found and analyzed. This underscores why a drive must be made static, or its image captured, as soon as possible when a computer is seized for investigation.
7. Recover the Castor.txt:
a. In the Autopsy Directory Listing window, mouse over Castor.txt and right‐click. A drop‐down menu opens; see the diagram below. Click on Extract File(s).
b. Save the recovered file in the Export directory of the case you opened. In this example, a case was opened called “Deleted File Recovery”, which created a directory of the same name, as shown in the diagram below:
c. Navigate to the Export directory of your case and find the recovered file.
Exercise 3
Objective
Answer the questions associated with the Autopsy case.
Exercise Instructions
After you have used Autopsy to find the artifacts, check them for steganography files and file carving files. The challenges are encrypted and hidden in the VM image. Find and decrypt each encrypted challenge you find. Each encryption challenge is titled Encryption challenge 1, 2, etc. FOR THE PURPOSES OF THIS PRACTICE EXERCISE THERE ARE ONLY 11 ENCRYPTION CHALLENGES TOTAL AND THEY ARE NOT IN ANY SPECIFIC ORDER. Once you complete all the encrypted challenges you find in the VM, answer the questions below. The phrases are sentences and quotes, and some challenges are encrypted more than once. The answer is the word that does not fit within the sentence. Several of the answers are compound words that make no sense, such as BOOKTV. This is your indicator that you’ve successfully found the answer. Answer the following questions:
1. What are the names of the file carving files?
2. What are the names of the files you found in the steganography challenge?