
Lab-Project 10: Static acquisition with Kali Linux

What You Need for This Project

A virtual machine running Kali Linux. Other operating systems might work, but
the procedure will be different.

Downloading Kali Linux

1. If you don't have Kali Linux 2021, download the Kali Linux VMware image
from here.
2. Unzip the file to C:\Users\username\Documents\Virtual Machines. Replace
username with your Windows username.

Opening the Kali Linux Virtual machine

3. Open VMware Workstation 16 Player.


4. Select Open a Virtual Machine.

5. Navigate to the location where you extracted the Kali Linux VMware image. For me it
is C:\Users\username\Documents\Virtual Machines\kali-linux-2021.3-vmware-amd64.vmwarevm.

6. Select the vmx file. Click Open.

7. If you can't copy and paste in the two steps below, try to fix the Kali
annoyances first.
8. On your host Windows system, in your Web browser, use the mouse to
highlight and copy this command:
echo "Your name here!"
9. On your Kali Linux system, paste this in a Terminal window and execute
root@kali:~# echo "Your name here!"

10. The echo command does not give the expected result. Indicate the way you
should follow instead.
Saving a screen image
11. Make a screenshot and save the image with the filename Lab-Proj10a-
YOURNAME.png. Use your real name, not the literal text YOURNAME.
Network Test
12. The file /tmp/pinger contains two lines:

13. However, the script does not run:

14. What command will fix this problem?


Saving a screen image
15. Make sure the command is visible.
16. Save the image with the filename Lab-Proj10b-YOURNAME.png. Use your
real name, not the literal text YOURNAME.
Missing Line
17. Here's a script named d, with one line redacted (covered in a grey box):

18. The script works, as shown below:

19. What's the redacted line?

Saving a screen image


20. Make sure the redacted line is visible.
21. Save the image with the filename Lab-Proj10c-YOURNAME.png. Use your
real name, not the literal text YOURNAME.
Network Problem
22. The machine can't ping Google.
23. What command should be executed to fix the problem?

Saving a screen image


24. Make sure the command is visible.
25. Save the image with the filename Lab-Proj10d-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Downloading and adding the evidence hard drive

26. Download and unzip the evidence hard drive from here.
27. In VMware Workstation 16 Player, right-click on kali-linux-2021.3-
vmware-amd64 virtual machine. Select Settings.

28. In the Virtual Machine Settings window, select Add.


29. In Hardware Type selection, keep the default option Hard Disk and click
Next.

30. In Select a Disk Type, select SCSI and click Next.

31. In Select a disk, choose Use an existing virtual disk. Click Next.
32. In Select an Existing Disk, click Browse. Navigate to the location where you
extracted the evidence drive. Select the evidence drive. Click Open. Click
Finish. If a prompt appears asking to convert the disk to a newer format, select Keep
existing format.

Adding an empty hard drive

33. Repeat step 27 to step 29.


34. In Select a Disk, choose Create a new virtual disk. Click Next.
35. In Specify Disk Capacity, keep the default options. Click Next.

36. In Specify Disk File, keep the default name and click Finish.

Disabling Networking
37. A fundamental rule of forensics is WORK IN ISOLATION.
38. In Virtual Machine Settings, navigate to Network Adapter. In the Network
connection section, select Host-only to disable the network.
39. For this project, we will need the network. Select NAT to enable it and click OK.

Identifying the drives with parted


40. In VMware Workstation 16 Player, right-click on the Kali Linux VM and
select Power on.
41. A prompt will appear to tell you that the VM might have been copied or
moved. Select I Copied it.
42. Wait until the VM boots to the login screen. Login with the following
credentials:
Username: kali
Password: kali
43. In Kali Linux, open Terminal Emulator located on the top left of the screen.
44. In Terminal Emulator, enter the following commands, pressing Enter after
each one:
sudo parted
You will be asked for the password for kali. Type kali and press Enter.
print devices

45. This lists the attached drives. In my case, the evidence drive is /dev/sdb. The
empty drive to collect evidence is /dev/sdc.

Formatting the empty drive with parted


46. We will use the empty drive to gather evidence. First, we will have to format
the empty drive.
47. In Terminal Emulator, enter the following commands, pressing Enter after
each command:
select /dev/sdc
mklabel msdos
mkpart primary fat32 0.0 500.0
A warning will appear to say that the partition is not properly aligned for best
performance. Enter i and press Enter to ignore the warning.
48. In Terminal Emulator, enter this command and then press Enter:
print all
49. A list of partitions appears, as shown below. You should see a 32.9 MB
partition on the evidence drive and a 500 MB partition on the empty drive.
50. In Terminal Emulator, enter this command and then press Enter:
quit

Mounting the partition


51. Now you must mount the new partition. As you can see from the screenshot
above, our new partition has no file system yet. This will cause an error
while mounting the partition, as demonstrated below.
52. In Terminal Emulator, enter the following commands, pressing Enter after
each command:
sudo mkdir /media/data
sudo mount /dev/sdc1 /media/data
53. An error appears, saying wrong fs type, bad option, bad superblock etc. This
error happened because our partition does not have a defined file system.

54. To define a file system on the partition, enter the following command and then
press Enter:
sudo mkfs -t vfat /dev/sdc1
You will see a 500 MB Volume show up on the Desktop.
55. Now try to mount the partition again with:
sudo mount /dev/sdc1 /media/data
The 500 MB Volume will light up. The mounting was successful.
56. Enter the following command to see the mounted partition:
df

57. The last line shows the new volume mounted at /media/data.

Testing the new partition


58. In Terminal Emulator, enter the following commands, pressing Enter after
each command:
cd /media/data
echo test | sudo tee foo
ls -l

59. The directory shows a foo file. The partition is ready to be used.

Acquiring an image of the whole evidence drive with dd


60. In Terminal Emulator, enter the following commands, pressing Enter after
each one. Replace YOURNAME with your own name:
sudo dd if=/dev/sdb of=YOURNAME-dd
md5sum YOURNAME-dd | sudo tee YOURNAME-dd-hash
cat YOURNAME-dd-hash
61. Your hash value should match the screenshot shown above. You can use
HashCalc to calculate the hash of the evidence drive file. It should be different from
the hash of your dd image: the VMware hard disk format is not a simple dd of
a hard drive. It adds headers, rollback data and such, as explained here.

Acquiring an image of one partition of the evidence drive with dd


62. In Terminal Emulator, enter the following commands, pressing Enter after
each one. Replace YOURNAME with your own name:
sudo dd if=/dev/sdb1 of=YOURNAME-1-dd
md5sum YOURNAME-1-dd | sudo tee YOURNAME-1-dd-hash
cat YOURNAME-1-dd-hash

63. Your hash value should match the screenshot shown above. The hash value is
different from the one from the dd of the whole disk, because this is an image of
one partition, not the whole drive.

Acquiring an image of the whole evidence drive with dcfldd


64. In Terminal Emulator, enter the following command, pressing Enter:
sudo apt-get install dcfldd
This will install dcfldd on your VM. dcfldd is an enhanced version of dd
developed by the U.S. Department of Defense Computer Forensics Lab. It is
not installed by default in Kali Linux.
65. In Terminal Emulator, enter the following command, replacing
YOURNAME with your real name and pressing Enter:
sudo dcfldd if=/dev/sdb of=YOURNAME-dc hashlog=YOURNAME-dc-hash
66. To read the hash file of the newly acquired disk, enter the following command
and press Enter:
cat YOURNAME-dc-hash

Using dcfldd to verify the image


67. In Terminal Emulator, enter the following command, pressing Enter:
sudo dcfldd if=/dev/sdb vf=YOURNAME-dd

68. The result is Total: Match, as shown above.

Saving a Screen Image

69. Make screenshots of the three steps above. Be sure that the dcfldd command and
the result Total: Match are visible.
70. Save the three images with the filenames Lab-Proj10e-YOURNAME.png,
Lab-Proj10f-YOURNAME.png and Lab-Proj10g-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Testing the effect of a change


55. In Terminal Emulator, enter the following commands, pressing Enter after
each one:
echo test | sudo tee /dev/sdb
sudo dcfldd if=/dev/sdb vf=YOURNAME-dd

56. As you see, the image no longer matches the drive because we altered the
evidence drive.
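The acquisition, hashing, verification and alter-and-reverify sequence from the dd and dcfldd steps above, as an added shell example that is not part of the lab handout: it runs against a constructed file in a temporary directory instead of /dev/sdb, and reproduces the dcfldd vf= check with md5sum because dcfldd is not installed by default. The file and function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the lab: dd image -> md5sum hash log -> verify
# -> alter the source -> verify again, against a constructed file rather
# than the real evidence drive /dev/sdb.
set -u

WORK=$(mktemp -d)
EVIDENCE="$WORK/evidence.img"
seq 1 4096 > "$EVIDENCE"   # constructed stand-in for the evidence drive

# acquire_image SRC IMG HASHLOG: bit-for-bit copy of SRC into IMG, then
# record the image's MD5 in HASHLOG (the lab's "md5sum ... | sudo tee").
acquire_image() {
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    md5sum "$2" | tee "$3" >/dev/null
}

# hash_of FILE: print only the MD5 digest of FILE.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image SRC IMG: re-hash the source and compare it with the image,
# the same check "dcfldd if=SRC vf=IMG" performs. Exit status 0 only on a match.
verify_image() {
    if [ "$(hash_of "$1")" = "$(hash_of "$2")" ]; then
        echo "Total: Match"
        return 0
    fi
    echo "Total: Mismatch"
    return 1
}

IMAGE="$WORK/YOURNAME-dd"
acquire_image "$EVIDENCE" "$IMAGE" "$WORK/YOURNAME-dd-hash"
cat "$WORK/YOURNAME-dd-hash"
verify_image "$EVIDENCE" "$IMAGE"        # Total: Match

# "Testing the effect of a change": the lab writes "test" to the start of
# /dev/sdb with tee. conv=notrunc does the same to a file (tee on a block
# device overwrites in place rather than truncating).
printf 'test\n' | dd of="$EVIDENCE" conv=notrunc 2>/dev/null
verify_image "$EVIDENCE" "$IMAGE" || :   # Total: Mismatch

rm -rf "$WORK"
```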

Snowden's Password
57. A memory image was collected when the subject of inquiry was logged in to
Twitter, as shown below:

58. Download the memory image here. (the file with size 78,997,006 bytes and
MD5 = 80672496cd56f10b6697965e5a0103dd)
59. Unzip the file and rename it to snowden_YourName.mem.
60. Find the subject's Twitter password from the memory image.

Saving a screen image


61. Make sure the image indicates a clear password.
62. Save the image with the filename Lab-Proj10h-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Turning in your Project

63. Submit the images you collected in the Saving a Screen Image steps to cms, with a
subject line of Lab-Proj10-YOURNAME, replacing YOURNAME with your
real name.
