Lab 05: Using Forensics Tools To Examine Windows Image

The document provides instructions for several tasks using forensic analysis tools to examine a Windows image file. The tasks include: 1) Identifying the file system on an unknown disk using WinHex; 2) Comparing file headers of common file types like documents, spreadsheets and images using WinHex and Notepad++; 3) Examining registry files using the AccessData Registry Viewer to find system information and user details; 4) Securely wiping a USB drive using ProDiscover Basic; and 5) Creating a case and analyzing acquired data using ProDiscover Basic to investigate a possible company policy violation.

Uploaded by

VivekBubu

CSCB544/CCSB5223 Computer Forensics 1

LAB 05: USING FORENSICS TOOLS TO EXAMINE WINDOWS IMAGE

OVERVIEW
To be an expert forensic investigator, you must have sound knowledge of various tools.

Instructions
(i) This is an INDIVIDUAL assessment.
(ii) Submit your answer in Moodle. Name your file as stated in the Activities.

TASK 1: EXPLORE MICROSOFT FILE STRUCTURES


OBJECTIVE:
To identify the file system used on an unknown disk.

SOFTWARE
To complete this activity, you will have to download and install WinHex.
WinHex: https://www.x-ways.net/winhex/

Follow these steps:


1. Insert a USB drive into a USB port.
2. Right-click the WinHex desktop icon and click Run as administrator. If necessary, click
Continue or Yes in the UAC message box.
3. Click Tools, Open Disk from the menu to see a list of logical drives. Click the C drive and
click OK. Locate the file system information shown for this drive.
4. Click Tools, Open Disk again, but this time, click your USB drive in the Edit Disk list, and
then click OK. Compare the file system label for this drive with the one you saw in Step 3.
5. Show the comparison of both file systems in a file, save as Lab05_SW000000A1.jpeg and
submit it in Moodle. Exit WinHex.
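What WinHex shows at the top of a logical drive is the volume boot record, and the file system label it reports comes from a few fixed-offset fields in that first sector (the OEM ID at offset 3 for NTFS and exFAT, the FAT type string at 0x36 or 0x52, and the 55 AA boot signature at offset 510). Opening a physical disk instead lands you in the MBR, where the partition table at 0x1BE only tells you the partition type code. The following Python script is an added example, not part of the lab or of WinHex; it classifies a sector with the same checks, and the boot sectors and MBR it tests against are constructed in memory so it runs without a disk.

```python
import struct

# MBR partition type codes most often seen on Windows-formatted media
MBR_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
             0x06: "FAT16", 0x0E: "FAT16 (LBA)", 0xEE: "GPT protective"}

def identify_file_system(vbr: bytes) -> str:
    """Classify a volume boot record (sector 0 of a logical drive such as C:
    or the USB volume) from the signature fields WinHex shows at offset 0."""
    if len(vbr) < 512:
        raise ValueError("need a full 512-byte sector")
    if vbr[510:512] != b"\x55\xAA":
        return "no 55 AA boot signature (unformatted, encrypted, or not a boot sector)"
    oem = vbr[3:11]                     # OEM ID: offset 3, 8 bytes
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"EXFAT   ":
        return "exFAT"
    if vbr[0x52:0x5A] == b"FAT32   ":   # FAT32 extended BPB file system type string
        return "FAT32"
    fat = vbr[0x36:0x3E]                # FAT12/FAT16 extended BPB file system type string
    if fat in (b"FAT12   ", b"FAT16   "):
        return fat.decode().strip()
    return "unknown"

def parse_mbr(sector0: bytes) -> list:
    """A physical disk opens at the MBR instead: four 16-byte partition
    entries at offset 0x1BE, each with a type code, start LBA and sector count."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, 0x1BE + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "type_name": MBR_TYPES.get(ptype, "other"),
                            "start_lba": lba, "sectors": count})
    return entries

def make_vbr(oem=b"MSDOS5.0", fat32=False, fat16=False, ntfs=False) -> bytes:
    """Constructed boot sector carrying only the fields checked above."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90" if ntfs else b"\xEB\x58\x90"   # jump instruction
    s[3:11] = b"NTFS    " if ntfs else oem
    if fat32:
        s[0x52:0x5A] = b"FAT32   "
    if fat16:
        s[0x36:0x3E] = b"FAT16   "
    s[510:512] = b"\x55\xAA"
    return bytes(s)

def make_mbr() -> bytes:
    """Constructed MBR: an NTFS system volume followed by a FAT32 data volume."""
    s = bytearray(512)
    struct.pack_into("<B3xB3xII", s, 0x1BE, 0x80, 0x07, 2048, 204800)
    struct.pack_into("<B3xB3xII", s, 0x1BE + 16, 0x00, 0x0C, 206848, 65536)
    s[510:512] = b"\x55\xAA"
    return bytes(s)

NTFS_VBR = make_vbr(ntfs=True)
FAT32_VBR = make_vbr(fat32=True)
FAT16_VBR = make_vbr(fat16=True)
SAMPLE_MBR = make_mbr()

if __name__ == "__main__":
    for name, sector in (("C: volume", NTFS_VBR), ("USB volume", FAT32_VBR)):
        print(f"{name}: {identify_file_system(sector)}")
    for entry in parse_mbr(SAMPLE_MBR):
        print(entry)
```

A drive that returns "no 55 AA boot signature" is worth a second look before concluding it is blank: a BitLocker-encrypted or GPT-partitioned volume also fails these checks, and the type code 0xEE in the MBR is the hint to read the GPT header in the next sector instead.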
TASK 2: IDENTIFY FILE HEADERS
OBJECTIVE:
Compare various files created in Microsoft Word and other programs to determine whether the
files are different at the hexadecimal level. Keep a log of what you find.

SOFTWARE
To complete this activity, you will have to download Notepad++ and WinHex.
Notepad++: https://notepad-plus-plus.org/downloads/v7.9/
WinHex: https://www.x-ways.net/winhex/

Follow these steps:


1. Start Word, and in a new document, type “Digital Forensics”.
2. Save the file as WordOne.docx in your work folder, using Word Document (*.docx) as the
file type. Exit Word.
3. Start Excel, and in a new workbook, enter a few random numbers. Save the file in your work
folder as ExcelOne.xlsx, using Excel Workbook (*.xlsx) as the file type.
4. Exit Excel, and start WinHex (running it as an Administrator).
5. Click File, Open from the menu. In the Open dialog box, navigate to your work folder and
double-click WordOne.docx.
6. Notice the file hexadecimal header 50 4B 03 04 14 00 06 00 starting at offset 0. Click Edit,
Copy All from the menu, and then click Editor Display.
7. Start Notepad++, and in a new document, press Ctrl+V to paste the copied data. Leave this
window open.
8. Click File, Open from the WinHex menu. In the Open dialog box, navigate to your work folder
and double-click ExcelOne.xlsx.
9. Repeat Step 6.
10. Paste the data you just copied under the Word document header information you pasted
previously.
11. Locate or create .pptx, .ppt, .doc, .xls, .pdf, .png, .jpg, and .mp3 files.
12. Open each file type in WinHex. Record the hexadecimal codes for each file in a text editor,
such as Notepad++. In the Notepad++ window, add your observations about the TEN files’
header data. Save this file as Lab05_SW000000A2.txt and submit it in Moodle. Exit WinHex.
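The header bytes you record in this task are the file "magic numbers". They show which container a file really is regardless of its extension, and they also show where a header alone is not enough: WordOne.docx and ExcelOne.xlsx both start with the ZIP signature 50 4B 03 04, and the Word/Excel/PowerPoint distinction only appears in the folder names inside the archive. The Python script below is an added example, not part of the lab; it identifies the ten file types from the task by their headers, opens OOXML ZIPs to tell docx, xlsx and pptx apart, and flags a file whose extension disagrees with its contents. The sample files are constructed in memory (the Office files are minimal ZIPs with the Office folder layout, not real documents), which is enough for header checks.

```python
import io
import zipfile

# (magic bytes at offset 0, label) for the file types the lab asks you to examine
SIGNATURES = [
    (b"\x50\x4B\x03\x04", "ZIP container"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (doc/xls/ppt)"),
    (b"%PDF-", "PDF"),
    (b"\x89PNG\r\n\x1A\n", "PNG"),
    (b"\xFF\xD8\xFF", "JPEG"),
    (b"ID3", "MP3 (ID3v2 tag)"),
]

# what the identify() result must contain for a given extension to be consistent
EXPECTED = {"docx": "Word .docx", "xlsx": "Excel .xlsx", "pptx": "PowerPoint .pptx",
            "doc": "OLE2", "xls": "OLE2", "ppt": "OLE2", "pdf": "PDF",
            "png": "PNG", "jpg": "JPEG", "jpeg": "JPEG", "mp3": "MP3"}

def hex_header(data: bytes, n: int = 8) -> str:
    """Render the first n bytes the way WinHex shows them at offset 0."""
    return " ".join(f"{b:02X}" for b in data[:n])

def ooxml_kind(data: bytes) -> str:
    """docx/xlsx/pptx are all ZIPs; the top-level folder inside tells them apart."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return "corrupt ZIP"
    for prefix, kind in (("word/", "Word .docx"), ("xl/", "Excel .xlsx"),
                         ("ppt/", "PowerPoint .pptx")):
        if any(n.startswith(prefix) for n in names):
            return kind
    return "other ZIP"

def identify(data: bytes) -> str:
    """Classify a file by its header; returns 'unknown' when no signature matches."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return f"{label}: {ooxml_kind(data)}" if label == "ZIP container" else label
    # an MP3 without an ID3 tag starts directly with an MPEG frame sync (11 set bits)
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "MP3 (MPEG frame sync, no ID3 tag)"
    return "unknown"

def extension_matches(filename: str, data: bytes) -> bool:
    """False when the extension claims a type the header does not support."""
    ext = filename.rsplit(".", 1)[-1].lower()
    want = EXPECTED.get(ext)
    return want is not None and want in identify(data)

def make_ooxml(top_dir: str) -> bytes:
    """Constructed stand-in for an Office file: a ZIP with the Office folder layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(f"{top_dir}/document.xml", "<x>Digital Forensics</x>")
    return buf.getvalue()

SAMPLES = {  # constructed minimal files, sufficient for header identification
    "WordOne.docx": make_ooxml("word"),
    "ExcelOne.xlsx": make_ooxml("xl"),
    "slides.pptx": make_ooxml("ppt"),
    "old.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + bytes(504),
    "notes.pdf": b"%PDF-1.7\n%\xE2\xE3\xCF\xD3\n",
    "logo.png": b"\x89PNG\r\n\x1A\n" + bytes(8),
    "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "song.mp3": b"\xFF\xFB\x90\x00" + bytes(12),
    "renamed.docx": b"\x89PNG\r\n\x1A\n" + bytes(8),   # a PNG given a .docx extension
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        flag = "" if extension_matches(name, data) else "  <-- extension mismatch"
        print(f"{name:14} {hex_header(data):24} {identify(data)}{flag}")
```

The lab's observed header 50 4B 03 04 14 00 06 00 continues past the four signature bytes into the ZIP local-file-header fields (version needed, general-purpose flags), which vary between the program that wrote the file and its version; only the first four bytes identify the container, so record the rest as an observation rather than as part of the signature.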
TASK 3: EXAMINE WINDOWS REGISTRY
OBJECTIVE:
To examine the Windows registry from an image file. The AccessData Registry Viewer is a standalone
product that can be integrated with FTK and allows you to view the contents of the Windows
registry. Unlike Regedit, the traditional Windows Registry Editor, which displays only the registry of
the system it runs on, Registry Viewer can open registry hive files taken from any system.

SOFTWARE AND RELATED FILE(S)


To complete this activity, you will have to download AccessData Registry Viewer.
AccessData Registry Viewer: https://accessdata.com/product-download/registry-viewer-2-0-0
Registry files: Registry Hives.zip

To examine Registry files with Registry Viewer, follow these steps:


1. Start Registry Viewer with the Run as administrator option.
2. Click on Open in the toolbar. Select the registry file and click on Open. The tool will
interpret the data of the registry key and will present it in a friendly format. Get important
evidence from the following registry files:
a. Registry file: SAM.
Contains user account information and the logon password for all users and groups
on the system.
i. Expand SAM – Domains – Account – Users
ii. User Name: Administrator, Guest, …
iii. Last Logon Time for each user
b. Registry file: System
Stores the computer name, device drivers, system configuration, setup information,
time zone information, etc.
i. Expand Select and read the Current value (1 means ControlSet001 is the control set in use)
ii. Expand ControlSet001 – Control – Computer Name
iii. Expand ControlSet001 – Control – TimeZoneInformation
iv. MountedDevices
v. Expand ControlSet001 – Enum – USBSTOR
c. Registry file: ntuser.dat
Detailed information about specific user.
i. Press Ctrl+F (or click Edit, Find), type “TypedURLs” and search
3. In the Notepad++ window, add your observations about
a. The computer name of the system
b. Time zone setting for the computer
c. Number of mounted devices on this system that have assigned drive letters.
d. Name of USB drives connected to the computer
Save this file as Lab05_SW000000A3.txt and submit it in Moodle. Exit Notepad++.
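Registry Viewer "presents the data in a friendly format" by decoding raw value types that Regedit would show only as hex: the SAM F value stores each user's last logon as a 64-bit FILETIME, TimeZoneInformation\Bias is a signed number of minutes, MountedDevices data is either a 12-byte MBR signature/offset pair (fixed disks) or a UTF-16LE device path (removable media), and USBSTOR subkey names pack vendor, product and revision into one string. The Python script below is an added example, not part of the lab or of Registry Viewer, showing those decodings; the hive values it runs on are constructed in the script (offsets and encodings are the documented Windows ones, the serial number and volume GUID are made up, and the interface GUID is the real disk class GUID), so it needs no hive file and answers the four observation questions on its own sample.

```python
import struct
from datetime import datetime, timedelta, timezone

DISK_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"   # GUID_DEVINTERFACE_DISK

def decode_filetime(ft: int):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC; 0 means 'never'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def sam_last_logon(f_value: bytes):
    """SAM\\Domains\\Account\\Users\\<RID>\\F holds the last logon FILETIME at offset 8."""
    (ft,) = struct.unpack_from("<Q", f_value, 8)
    return decode_filetime(ft)

def decode_bias(bias: bytes) -> str:
    """ControlSet001\\Control\\TimeZoneInformation\\Bias: signed DWORD of minutes,
    defined so that UTC = local time + Bias (hence UTC+8 is stored as -480)."""
    (minutes,) = struct.unpack("<i", bias)
    offset = -minutes
    sign = "+" if offset >= 0 else "-"
    return f"UTC{sign}{abs(offset) // 60:02d}:{abs(offset) % 60:02d}"

def describe_mounted_device(data: bytes) -> str:
    """MountedDevices data: 12 bytes (MBR disk signature + partition byte offset)
    for fixed disks, otherwise a UTF-16LE device path such as a USBSTOR instance."""
    if len(data) == 12:
        sig, offset = struct.unpack("<IQ", data)
        return f"MBR disk signature {sig:08X}, partition offset {offset}"
    return data.decode("utf-16-le")

def drive_letter_mounts(mounted_devices: dict) -> dict:
    """Only \\DosDevices\\X: value names are drive-letter mounts; the
    \\??\\Volume{...} entries describe the same volumes without a letter."""
    return {name[-2:]: describe_mounted_device(data)
            for name, data in mounted_devices.items()
            if name.startswith("\\DosDevices\\")}

def parse_usbstor(subkey: str) -> dict:
    """ControlSet001\\Enum\\USBSTOR subkeys: Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>."""
    parts = subkey.split("&")
    names = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
    info = {"device_type": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("_")
        info[names.get(key, key)] = value
    return info

# --- constructed sample values (not taken from a real hive) -------------------
USB_PATH = "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#4C530001&0#" + DISK_GUID
SAMPLE_F = bytes(8) + struct.pack("<Q", 132223104000000000) + bytes(64)  # last logon 2020-01-01 UTC
SAMPLE_BIAS = struct.pack("<i", -480)                                     # a UTC+08:00 zone
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1234ABCD, 1048576),
    "\\DosDevices\\E:": USB_PATH.encode("utf-16-le"),
    "\\??\\Volume{00000000-0000-0000-0000-000000000001}": USB_PATH.encode("utf-16-le"),
}

if __name__ == "__main__":
    print("Last logon     :", sam_last_logon(SAMPLE_F))
    print("Time zone      :", decode_bias(SAMPLE_BIAS))
    mounts = drive_letter_mounts(SAMPLE_MOUNTED)
    print("Lettered mounts:", len(mounts))
    for letter, desc in mounts.items():
        print(f"  {letter} -> {desc}")
    print("USB device     :", parse_usbstor("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00"))
```

Two things to keep in mind when you write up Task 3: FILETIME values are UTC, so convert with the Bias you recovered before stating a local logon time, and a USBSTOR entry proves only that a device of that make and serial was once enumerated, not when it was last present; the timestamps for that come from other keys and from the registry key's own last-write time.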
TASK 4: SECURELY WIPING A USB DRIVE
OBJECTIVE:
To wipe a storage device securely.

SOFTWARE
To complete this activity, you will have to download ProDiscover Basic.
• File name: ProDiscoverRelease8202Basicx86.exe

In this activity, you are required to wipe the contents of a USB drive by using ProDiscover Basic:
1. Insert a USB drive containing files you don’t need.
2. Right-click the ProDiscover Basic icon and click Run as administrator to start ProDiscover
Basic. Click Yes in the User Account Control message box.
3. In the Launch dialog box, click the “Don’t show this dialog in the future” check box and
then click Cancel to close the dialog box. Click Tools, Secure Wipe from the
ProDiscover menu.
4. In the Secure Wipe Disk dialog box, click the Disk to Wipe list arrow, and click the drive
letter corresponding to the USB drive. Verify that you have selected the correct drive letter
to prevent accidentally erasing any other attached storage device. In the Number of Passes
list box, type 3, and then click Start to begin the process.
5. Click OK in the ProDiscover message box to bypass the warning that all data will be
securely wiped. The Securely Deleting file message is displayed in the lower-left corner to
indicate that disk files are being wiped.
6. When the disk has been wiped THREE times, you see the message “The selected disk has
been securely wiped”. Click OK and exit ProDiscover Basic.
7. Open File Explorer, and then right click the USB drive and click Format.
8. In the Format dialog box, click NTFS in the File system list box and type EVIDENCE in
the Volume label text box. Click Start to format the USB drive. Click OK in the Format
Removable Disk message box.
9. When the format is finished, click OK in the Formatting Removable Disk message box,
and close the Format dialog box. Your USB drive is ready to be your original source of
digital evidence or destination drive.
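A secure wipe is a multi-pass overwrite of every sector followed by a read-back check that none of the original content survives; the "Securely Deleting file" progress message in ProDiscover is the overwrite phase. The Python script below is an added example, not part of the lab or of ProDiscover, that performs three passes (0x00, 0xFF, random) on a temporary file standing in for the USB drive, forces each pass to storage with fsync, and then verifies that known content from before the wipe can no longer be found. It deliberately works on a temporary file rather than a block device, so it can be run anywhere without touching real media.

```python
import os
import secrets
import tempfile

def overwrite_passes(f, size: int, passes: int = 3, chunk: int = 64 * 1024) -> list:
    """Overwrite the first `size` bytes of an open binary file object `passes`
    times, cycling through 0x00, 0xFF and random data. Each pass is flushed and
    fsync'd so it reaches the device rather than the page cache. Returns the
    pattern list used, for the report."""
    used = []
    for i in range(passes):
        pattern = (b"\x00", b"\xFF", None)[i % 3]      # None = random pass
        used.append("random" if pattern is None else pattern.hex())
        f.seek(0)
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return used

def residue_found(f, size: int, markers, chunk: int = 64 * 1024) -> bool:
    """Verification read-back: scan the wiped region for any known content.
    Chunks overlap by len(marker)-1 bytes so a marker straddling a chunk
    boundary is not missed."""
    longest = max(len(m) for m in markers)
    f.seek(0)
    tail = b""
    remaining = size
    while remaining > 0:
        data = f.read(min(chunk, remaining))
        if not data:
            break
        remaining -= len(data)
        window = tail + data
        if any(m in window for m in markers):
            return True
        tail = window[-(longest - 1):] if longest > 1 else b""
    return False

def wipe_demo(passes: int = 3) -> dict:
    """Constructed demo: fill a temporary file with recognisable content, wipe
    it, and report whether the content was detectable before and after."""
    markers = [b"CONFIDENTIAL customer list", b"George Montgomery"]
    with tempfile.TemporaryFile() as f:
        for _ in range(2000):
            f.write(markers[0] + b" ... " + markers[1] + b"\n")
        size = f.tell()
        before = residue_found(f, size, markers)
        used = overwrite_passes(f, size, passes)
        after = residue_found(f, size, markers)
        return {"bytes": size, "passes": used,
                "residue_before": before, "residue_after": after}

if __name__ == "__main__":
    print(wipe_demo())
```

The read-back is the part that matters for evidence handling: a wipe you cannot verify is a wipe you cannot testify to. Note the limit of this approach on flash media such as USB drives: overwriting logical blocks does not guarantee that every physical flash page is erased, because the controller's wear levelling may remap writes, so a drive that must be provably clean is better handled with the device's own sanitize command or physical destruction.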
TASK 5: USING PRODISCOVER BASIC

Scenario: Company Policy Violation


Companies often establish policies for employee use of computers. Employees surfing the Internet,
sending personal e-mail, or using company computers for personal tasks during work hours can
waste company time. Because lost time can cost companies millions of dollars, digital forensics
specialists are often used to investigate policy violations.

Manager Steve Billings has been receiving complaints from customers about the job performance
of one of his sales representatives, George Montgomery. George has worked as a representative
for several years. He’s been absent from work for two days but hasn’t called in sick or told anyone
why he wouldn’t be at work. Steve asks the IT Department to confiscate George’s hard drive and
all storage media in his work area.

He wants to know whether any information on George’s computer and storage media might offer
a clue to his whereabouts and job performance concerns. To help determine George’s whereabouts,
you must take a systematic approach, described in the following section, to examining and
analyzing the data found on George’s desk.

OBJECTIVES:
• To create a new digital forensics investigation case.
• To analyze the acquired data.
• To generate a report.

SOFTWARE AND RELATED FILE(S)


To complete this activity, you will have to download ProDiscover Basic.
• ProDiscover Basic: ProDiscoverRelease8202Basicx86.exe
• Image file name: Mont.dd

Activity 5.1: Create a New Case


1. Create a working folder named Forensics and download/copy the Mont.dd file into that
folder.
2. Start ProDiscover Basic.
3. To create a new case, click File, New Project from the menu.
4. In the New Project dialog box, type your StudentID in the Project Number text box and
again in the Project File Name text box. Click OK.
5. In the tree view of the main window, click the + (plus symbol) next to the Add item, and then
click Image File.
6. In the Open dialog box, navigate to the folder containing the image, click the Mont.dd file,
and click Open. Click Yes in the Auto Image Checksum dialog box, if necessary.
Activity 5.2: Display Contents of the Acquired Data
1. In the tree view, click to expand Content View, if necessary. Click to expand Images and the
image filename path C:\Forensics\Mont.dd
2. Next, click All Files under the image filename path. When the CAUTION dialog box opens,
click Yes.
3. The Mont.dd file is then loaded in the main window.
4. In the upper-right pane (the work area), click your file to view its content in the data area.
5. In the data area, you see the contents of your file. Continue to navigate through the work and
data areas and inspect the contents of the recovered evidence. Note that many of these files
are deleted files that haven’t been overwritten.

Activity 5.3: Analyze Data and Search for Keywords of Interest


The method for locating evidentiary artifacts is to search for specific known data values. All the
searchable data values are referred to as “keywords”. For the George Montgomery case, you need to
find any files associated with George Montgomery. Find any reference to the name “George”:
1. In the tree view, click Search.
2. In the Search dialog box, click the Content Search tab, if necessary. Click the Select all
matches check box, the ASCII option button, and the Search for the pattern(s) option button,
if they aren’t already selected.
3. Next, in the text box under the Search for the pattern(s) option button, type your word.
4. Under Select the Disk(s)/Image(s) you want to search in, click E:\... Mont.dd (substituting the
path to your work folder), and then click OK to initiate the search.

Activity 5.4: Generate a Report for your Discovery


Generate a report for printing:
1. In the tree view, click Report. The report is then displayed in the right pane of the main
window.
2. To print the report, click File, Print Report from the menu.
3. In the Print dialog box, click OK.
4. Review the report, and then click File, Exit from the menu to exit ProDiscover Basic.

Proof of Completion: Report


Screenshot of the Report. Save the picture as Lab05_SW000000A5.jpeg and submit it in Moodle.
Exit ProDiscover Basic.

Example of a ProDiscover Report (screenshot not reproduced here)

ACTIVITY 6: USING AUTOPSY

Scenario: Company Policy Violation


Companies often establish policies for employee use of computers. Employees surfing the Internet,
sending personal e-mail, or using company computers for personal tasks during work hours can
waste company time. Because lost time can cost companies millions of dollars, digital forensics
specialists are often used to investigate policy violations.

Manager Steve Billings has been receiving complaints from customers about the job performance
of one of his sales representatives, George Montgomery. George has worked as a representative
for several years. He’s been absent from work for two days but hasn’t called in sick or told anyone
why he wouldn’t be at work. Steve asks the IT Department to confiscate George’s hard drive and
all storage media in his work area.

He wants to know whether any information on George’s computer and storage media might offer
a clue to his whereabouts and job performance concerns. To help determine George’s whereabouts,
you must take a systematic approach, described in the following section, to examining and
analyzing the data found on George’s desk.

OBJECTIVES:
• To create a new digital forensics investigation case.
• To analyze the acquired data.
• To generate a report.

SOFTWARE AND RELATED FILE(S)


To complete this activity, you will have to download Autopsy.
• Autopsy:
o https://github.com/sleuthkit/autopsy/releases
o File name: autopsy-4.16.0-64bit.msi
• Image file name: Mont.dd
Activity 6.1: Create a New Case
Before analyzing digital evidence, you are required to configure Autopsy for a new case and
analyze the image file of George Montgomery’s USB drive.

1. Create a working folder and download Mont.dd file in the working folder.
2. Start Autopsy for Windows. In Autopsy’s main window, click the New Case button. In the
New Case Information window, enter MontCase01 in the Case Name text box, and click
Browse next to the Base Directory text box. Navigate to and click your working folder.
Make sure the Single-user option button is selected for Case Type, and then click Next.
3. In the Optional Information window, type MontCase01 in the Case Number text box and
YOUR NAME in the Examiner text box, and then click Finish to start the Add Data
Source Wizard.
4. In the Select Type of Data Source to Add window, click the Select data source type list
arrow, and click Disk Image or VM file. Click Next.
5. Click the Browse button next to the “Path” text box, navigate to and click your working
folder and the Mont.dd file, and then click Open. Click Next.
6. Keep the default settings in the Configure Ingest Modules window. Click Next and then
Finish.

Activity 6.2: Display Contents of the Acquired Data


Follow these steps to display the contents of the acquired data:

1. In the Tree Viewer pane on the left, click to expand Views, File Types, By Extension, and
Documents.
2. Under Documents, click Office. In the Result Viewer (upper-right pane), click the first file,
Billing Letter.doc, to display its contents in the Content Viewer (lower-right
pane).
3. Right-click Billing Letter.doc, point to Add File Tag, and click Tag and
Comment.
4. In the Select Tag dialog box, click the New Tag Name button. In the New Tag section,
type Recovered Office Documents in the Tag Name text box, click OK, and then click
OK again.
5. In the Result Viewer pane, Ctrl+click Billing Letter.doc, Income.xls,
Regrets.doc, f0000000.doc, and f0000049.doc to select these files, and then
release the Ctrl key. Right-click the highlighted files, point to Add File Tags and then click
Recovered Office Documents.
6. Under Documents in the Tree Viewer pane, click Plain Text to display more recovered
files.
7. In the Result Viewer pane, select the files listed in Step 5 again, right-click the selection,
point to Add File Tags and then click Follow Up.
Activity 6.3: Analyze Data and Search Related Information
The method for locating evidentiary artifacts is to search for specific known data values. All the
searchable data values are referred to as “keywords”. For the George Montgomery case, you need to
find any files associated with George Montgomery. Find any reference to the name “George”:

1. Click the Keyword Search button at the far upper right, type George in the text box, and
then click Search.
2. In the Result Viewer pane, a new tab named Keyword search 1 opens. Click each file to
view its contents in the Content Viewer. Look for files containing the name “George.”
3. Click the Keyword Lists button at the far upper right, click the Email Addresses check
box, and then click Search.
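Both the ProDiscover content search in Activity 5.3 and the Autopsy keyword search and Email Addresses keyword list in Activity 6.3 do the same underlying work: scan every byte of the image, allocated or deleted, for a pattern, and report where it was found. The encoding option matters more than it looks: Office documents and Windows registry strings store text as UTF-16LE, so "George" appears on disk as 47 00 65 00 6F 00 ... and an ASCII-only search walks straight past it. The Python script below is an added example, not part of the lab or of either tool, covering both activities; it searches a constructed 8 KiB image for a keyword in ASCII and UTF-16LE (case-insensitive, reporting byte offset and sector) and extracts email addresses from both encodings, including UTF-16LE text that starts at an odd byte offset.

```python
import re

SECTOR = 512

def find_keyword(image: bytes, keyword: str) -> list:
    """Case-insensitive search for `keyword` stored as ASCII and as UTF-16LE.
    Each hit records the encoding, byte offset, sector number and a readable
    snippet of the surrounding bytes (NULs shown as dots)."""
    hits = []
    for codec, label in (("ascii", "ASCII"), ("utf-16-le", "UTF-16LE")):
        pattern = re.compile(re.escape(keyword.encode(codec)), re.IGNORECASE)
        for m in pattern.finditer(image):
            start = max(0, m.start() - 20)
            end = min(len(image), m.end() + 20)
            if codec != "ascii" and (m.start() - start) % 2:
                start += 1      # keep the UTF-16 window on the match's code-unit boundary
            snippet = image[start:end].decode(codec, "replace").replace("\x00", ".")
            hits.append({"encoding": label, "offset": m.start(),
                         "sector": m.start() // SECTOR, "snippet": snippet})
    return sorted(hits, key=lambda h: h["offset"])

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def find_emails(image: bytes) -> set:
    """Email-address keyword list over both encodings. UTF-16LE text can begin
    at an odd byte offset, so the image is decoded from both byte alignments."""
    found = set(EMAIL.findall(image.decode("ascii", "ignore")))
    for shift in (0, 1):
        found.update(EMAIL.findall(image[shift:].decode("utf-16-le", "ignore")))
    return found

def build_sample_image() -> bytes:
    """Constructed 8 KiB 'image' with text planted in different encodings."""
    img = bytearray(8192)

    def plant(offset, data):
        img[offset:offset + len(data)] = data

    plant(0x200, b"Dear George, your invoice is attached.")              # ASCII, sector 1
    plant(0x800, "Prepared by George Montgomery".encode("utf-16-le"))    # UTF-16LE, sector 4
    plant(0xA00, b"reply-to: gmontgomery@example.com")                   # ASCII email
    plant(0xC01, "billing <sales@example.net>".encode("utf-16-le"))      # UTF-16LE at odd offset
    return bytes(img)

SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for h in find_keyword(SAMPLE_IMAGE, "george"):
        print(f"{h['encoding']:8} offset {h['offset']:#06x} sector {h['sector']}: {h['snippet']}")
    print("emails:", sorted(find_emails(SAMPLE_IMAGE)))
```

When you record a hit for the report, note the offset and sector as well as the file the tool attributes it to: a match in unallocated space has no file name, and the sector number is what lets another examiner find the same bytes in the same image.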

Activity 6.4: Completing the Case


Autopsy has several styles of reports, including a plain text file, an HTML Web page with links to
artifacts, and an Excel spreadsheet. To generate a report, you can follow this general procedure:

1. If you exited Autopsy, start it again, and click Open Recent Case. Click MontCase01 and
then click Open. In Autopsy’s main window, click the Generate Report button at the top.
2. In the Generate Report window, select Results – Excel Report and click Next. Select
Mont.dd to be included in the report, click Next. Select All Results, click Finish. Once the
report generation progress is completed, click Close. Retrieve your Excel report in the
directory.

Proof of Completion: Report


Rename the Excel report as Lab05_SW000000A6.xls and submit it in Moodle. Exit
Autopsy.

Additional info:
The files on George’s USB drive indicate that he was conducting a side business on his company
computer. Now that you have retrieved and analyzed the evidence, in a real investigation, you
need to find the answers to the following questions to write the final report:
• How did George’s manager acquire the disk?
• Did George perform the work on a laptop, which is his own property? If so, did he conduct
business transactions on his break or during his lunch hour?
• At what times of the day was George using the non-work-related files? How did you
retrieve this information?
• Which company policies apply?
• Are there any other items that need to be considered?
In the George Montgomery case, you want to show what evidence exists proving that George had
his own business registering domain names. You should include a list of his clients’ names, his
income from this business, and any correspondence he wrote to clients about their accounts. The
time and date stamps on the files are during work hours, so you should include this information,
too. Eventually, you hand the evidence file to your supervisor or to Steve, George’s manager, who
then decides on a course of action.

REFERENCES:
Bill Nelson, Amelia Phillips, Chris Steuart (2019), Guide to Computer Forensics and
Investigations, Sixth Edition, Cengage Learning.
EC-Council Press (2010), Computer Forensics: Evidence Collection & Preservation, Cengage
Learning.
CSM Digital Forensics First Responder SOP.

ASSESSMENT RUBRIC
Lab 5 Grading Criteria Maximum Points
Task 1 (Lab05_SW000000A1.jpeg) 5
Task 2 (Lab05_SW000000A2.txt) 5
Task 3 (Lab05_SW000000A3.txt) 5
Task 5 (Lab05_SW000000A5.jpeg) 5
Task 6 (Lab05_SW000000A6.xls) 5
Total: 25
