Lab-Project 10: Static Acquisition With Kali Linux: What You Need For This Project
1. If you don’t already have Kali Linux 2021, download the Kali Linux VMware
image from here.
2. Unzip the file to C:\Users\username\Documents\Virtual Machines. Replace
username with your Windows username.
5. Navigate to the location where you extracted the Kali Linux VMware image. For me it
is C:\Users\username\Documents\Virtual Machines\kali-linux-2021.3-vmware-amd64.vmwarevm.
7. If copy and paste between the Windows host and the VM does not work in the two
steps below, fix the Kali annoyances (clipboard sharing) first.
8. On your host Windows system, in your Web browser, use the mouse to
highlight and copy this command:
echo "Your name here!"
9. On your Kali Linux system, paste this in a Terminal window and execute
root@kali:~# echo "Your name here!"
10. If the echo command does not produce the expected output, note the steps you
took to fix it.
Saving a screen image
11. Take a screenshot and save the image with the filename Lab-Proj10a-YOURNAME.png.
Use your real name, not the literal text YOURNAME.
Network Test
12. The file /tmp/pinger contains two lines:
26. Download and unzip the evidence hard drive from here.
27. In VMware Workstation 16 Player, right-click on the kali-linux-2021.3-vmware-amd64
virtual machine. Select Settings.
31. In Select a disk, choose Use an existing virtual disk. Click Next.
32. In Select an Existing Disk, click Browse. Navigate to the location where you
extracted the evidence drive. Select the evidence drive. Click Open. Click
Finish. If a prompt appears asking to convert the disk to a newer format, select Keep
Existing Format.
36. In Specify Disk File, keep the default name and click Finish.
Disabling Networking
37. A fundamental rule of forensics is WORK IN ISOLATION: the system holding the
evidence should neither reach nor be reachable from a network while you examine it.
38. In Virtual Machine Settings, navigate to Network Adapter. In the Network
connection section, select Host-only to take the VM off the outside network. Note
that Host-only still lets the VM talk to the host over the host-only adapter; to cut
the link completely, also clear the Connected box under Device status.
39. For this project, we will need network access. Select NAT to enable it and click OK.
45. This lists the attached drives. In my case, the evidence drive is /dev/sdb. The
empty drive to collect evidence is /dev/sdc.
54. To define a file system on the partition, enter the following command and then
press Enter:
sudo mkfs -t vfat /dev/sdc1
You will see a 500 MB Volume show up on the Desktop.
55. Now try to mount the partition again with:
sudo mount /dev/sdc1 /media/data
The 500 MB Volume will light up. The mounting was successful.
56. Enter the following command to see the mounted partition:
df
57. The last line shows the new volume mounted at /media/data.
59. The directory shows a foo file. The partition is ready to be used.
63. Your hash value should match the screenshot shown above. The hash value is
different than the one from the dd of the whole disk, because this is an image of
one partition, not the whole drive.
69. Take screenshots of the three results above. Be sure that the dcfldd command and
its verification result, Total: Match, are visible.
70. Save the three images with the filenames Lab-Proj10e-YOURNAME.png,
Lab-Proj10f-YOURNAME.png and Lab-Proj10g-YOURNAME.png. Use your real name, not the
literal text YOURNAME.
56. As you see, the image no longer matches the drive because we altered the
evidence drive.
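The two verification results above (a partition image hashing differently from the whole-disk image, and an image that no longer matches a drive that has been written to) can be rehearsed without a second disk and without root. The script below is an added example written for this edit, not one of the lab's own commands: a constructed 4 MiB file stands in for /dev/sdb, it is acquired with dd the way the lab does, a partition image is carved with skip/count, and the "drive" is then written to so the mismatch appears. The partition offset, sizes and marker strings are assumptions made for the demonstration, and sha256sum stands in for the hashing that dcfldd does while it copies.

```shell
#!/bin/sh
# Added example (not the lab's own commands): rehearse acquire-and-verify on plain files.
# Constructed layout: a 4 MiB "drive" whose one partition starts at sector 2048 (1 MiB)
# and spans 4096 sectors (2 MiB). All sizes here are assumptions for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DRIVE="$WORK/evidence.bin"      # stands in for the evidence drive, /dev/sdb in the lab
IMAGE="$WORK/evidence.dd"       # whole-disk image
PART_IMAGE="$WORK/part1.dd"     # partition-only image (the lab's dd of /dev/sdb1)
PART_OFFSET=2048                # first sector of the partition (512-byte sectors)
PART_SECTORS=4096               # length of the partition in sectors

# sha256 of a file; dcfldd computes the same kind of digest while it copies.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Build the fake drive: random filler with a recognisable marker at the start of the partition.
make_drive() {
    dd if=/dev/urandom of="$DRIVE" bs=512 count=8192 2>/dev/null
    printf 'EVIDENCE-MARKER' | dd of="$DRIVE" bs=512 seek="$PART_OFFSET" conv=notrunc 2>/dev/null
}

# Whole-disk acquisition, sector by sector, as with dd/dcfldd in the lab.
acquire() {
    dd if="$DRIVE" of="$IMAGE" bs=512 conv=noerror,sync 2>/dev/null
}

# Returns 0 when image and source hash the same (dcfldd's vf= reports this as Total: Match).
verify_image() {
    [ "$(hash_of "$DRIVE")" = "$(hash_of "$IMAGE")" ]
}

# Partition-only acquisition: skip to the partition's first sector and copy its length.
acquire_partition() {
    dd if="$DRIVE" of="$PART_IMAGE" bs=512 skip="$PART_OFFSET" count="$PART_SECTORS" conv=noerror,sync 2>/dev/null
}

# Overwrite 16 bytes in sector 8 of the "drive", outside the partition: the whole-disk
# hash changes while the partition image is unaffected.
alter_drive() {
    printf 'TAMPERED-SECTOR8' | dd of="$DRIVE" bs=512 seek=8 conv=notrunc 2>/dev/null
}

make_drive
acquire
if verify_image; then echo "whole-disk image: Total: Match"; fi
acquire_partition
echo "whole-disk image sha256: $(hash_of "$IMAGE")"
echo "partition image sha256:  $(hash_of "$PART_IMAGE")   (differs: it covers one partition only)"
alter_drive
if verify_image; then echo "unexpected: still matches"; else echo "after writing to the drive: Total: Mismatch"; fi
```

Against a real device the only changes are the if= path and running dd as root; the hash comparison is the same, which is why the lab insists that the evidence drive is never mounted read-write or written to between acquisition and verification.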
Snowden's Password
57. A memory image was collected when the subject of inquiry was logged in to
Twitter, as shown below:
58. Download the memory image here. Verify the download: the file is 78,997,006 bytes
and its MD5 is 80672496cd56f10b6697965e5a0103dd.
59. Unzip the file and rename it to snowden_YourName.mem.
60. Find the subject's Twitter password from the memory image.
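Step 60 asks you to recover a credential from a raw memory image. Browsers submit login forms as application/x-www-form-urlencoded bodies, so the usual approach is to search the image for parameter names containing "pass", take whatever follows the equals sign up to the next field delimiter, and percent-decode it, remembering that strings in Windows process memory are often stored as UTF-16LE rather than ASCII. The script below is an added example written for this edit, not part of the lab or of any tool on the page: it builds a small constructed image (random filler plus one ASCII and one UTF-16LE form fragment whose field names and values are made up, so it runs offline), then carves and decodes the candidates. The same functions run unchanged against snowden_YourName.mem; the real field names and values are whatever the site sent.

```shell
#!/bin/sh
# Added example (not part of the lab): carve percent-encoded "pass*=" form parameters
# out of a raw memory image, in both ASCII and UTF-16LE encodings, and decode them.
# The sample image, field names and values below are constructed for this demonstration.
set -eu

# A parameter name containing "pass", then "=", then a value that stops at the next
# "&", whitespace, quote or angle bracket (the delimiters a form body or HTML uses).
PATTERN='[][A-Za-z0-9_.-]*[Pp]ass[][A-Za-z0-9_.-]*=[^&[:space:]"<>]{1,128}'

# Percent-decode one value: %XX -> byte, "+" -> space. Plain awk, so no xxd or bash-only printf.
urldecode() {
    printf '%s' "$1" | LC_ALL=C awk '
        BEGIN { for (i = 0; i < 256; i++) code[sprintf("%02X", i)] = i }
        {
            s = $0; gsub(/\+/, " ", s); out = ""
            while ((p = index(s, "%")) > 0) {
                h = toupper(substr(s, p + 1, 2))
                if (h in code) { out = out substr(s, 1, p - 1) sprintf("%c", code[h]); s = substr(s, p + 3) }
                else           { out = out substr(s, 1, p);                            s = substr(s, p + 1) }
            }
            print out s
        }'
}

# Every distinct candidate. First pass: ASCII as stored. Second pass: drop NUL bytes so
# UTF-16LE text (p\0a\0s\0s\0...) collapses to ASCII and matches the same pattern.
find_credentials() {
    {
        LC_ALL=C grep -a -o -E "$PATTERN" "$1" || true
        LC_ALL=C tr -d '\000' < "$1" | LC_ALL=C grep -a -o -E "$PATTERN" || true
    } | sort -u
}

# Candidates with their decoded values, one per line.
report() {
    find_credentials "$1" | while IFS= read -r hit; do
        printf '%s  ->  %s\n' "$hit" "$(urldecode "${hit#*=}")"
    done
}

# Re-encode an ASCII string as UTF-16LE (each byte followed by a NUL) using only od and printf.
to_utf16le() {
    printf '%s' "$1" | od -An -v -t o1 | while read -r line; do
        for oct in $line; do printf "\\$oct\\000"; done
    done
}

# Constructed stand-in for a memory image: 64 KiB of random filler, an ASCII login
# request fragment, more filler, then a second fragment stored as UTF-16LE.
make_image() {
    dd if=/dev/urandom bs=1024 count=64 2>/dev/null > "$1"
    printf 'POST /login HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n%s' \
        'username=ed%40example.org&password=Ch3ck%26Verify%21&remember=1' >> "$1"
    dd if=/dev/urandom bs=1024 count=16 2>/dev/null >> "$1"
    to_utf16le 'user=edward&password=Tr%40ve1er%21' >> "$1"
}

IMG=$(mktemp)
trap 'rm -f "$IMG"' EXIT
make_image "$IMG"
report "$IMG"
```

Treat the output as candidates, not an answer: a name containing "pass" also matches unrelated fields, and a value that is itself JSON or base64 needs a further decode. If the second pass finds hits the first did not, the fragment was UTF-16LE, which tells you it came from a Windows process rather than a network buffer.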
63. Submit the screenshots you saved in the Saving a Screen Image steps to cms with a
subject line of Lab-Proj10-YOURNAME, replacing YOURNAME with your real name.