Final Practical Exam


DATE: 12/03/2020

CASE: FGF-20201203-01
AGENCY: University of Advancing Technology
EVIDENCE: able2.dd
EXAMINER: Lorenze Salas

Lorenze Salas
CFR101 Final

Practical Exam

12/3/20


BACKGROUND

In accordance with the CFR101: Final Practical Exam, I downloaded the image from Project: Able to provide a detailed report using FTK Imager and the Autopsy application. Jonathan Zdziarski stated that “In forensics, we often misplace our trust in tools that, unlike tried and true scientific methods, are usually closed source. While true scientific process relies on making our findings repeatable and verifiable” (Zdziarski, 2014).

CASE SUMMARY

● Applicable Facts:

1. FTK Imager, a forensic imaging tool, can “Generate hash reports for regular files and disk images to use as a benchmark to prove the integrity of your case evidence” (“FTK Imager”).

2. Autopsy, similar to FTK Imager and other digital forensic tools, is an “efficient tool for hard drive investigation with features like multi-user cases, timeline analysis, registry analysis, keyword search, email analysis, media playback, EXIF analysis, malicious file detection” (One, 2020).


EVIDENCE

I included one file from my personal computer:

➢ Able2.tar (unzipped file folder)

Description of the SD card, including make, model, and serial number (the assignment allows these to be made up if they are not provided):

➢ Make: onn. 64GB Class 10 U3 microSDXC Flash Memory Card
➢ Model: 100006053
➢ Serial Number: R064GS0SUG1953X

HASH VERIFICATION

        FTK Imager                                  Autopsy
MD5     02b2d6fc742895fa4af9fa566240b880            02b2d6fc742895fa4af9fa566240b880
SHA1    2d0af55e931f4ab2135606e941ccc74785e4926d    2d0af55e931f4ab2135606e941ccc74785e4926d

NARRATIVE


On December 3, 2020, I unzipped able2.tar.gz on my PC and placed the file in the CFR101 folder. Then I opened AccessData FTK Imager 4.3.1.1 to begin the analysis. In FTK Imager, I clicked “Add Evidence Item”, then “Image File”, selected able2.dd as the evidence, and clicked Finish. It then showed me the able2.dd file along with its 4 partitions and the unpartitioned space.


To describe the media architecture, such as the total number of sectors, both allocated and unallocated, I looked at the “Properties” section under the “Evidence Tree” in FTK Imager, which shows the sector count. To locate both allocated and unallocated files, I opened each of the partitions and looked at the file list, which indicated the unallocated space in the able2.dd file. Unallocated space is defined as “where deleted documents, file system information, and other electronic artifacts reside on the hard drive, which is often able to be recovered and analyzed through a forensic investigation. Unlike allocated space on the hard drive, the electronic evidence in unallocated space may be overwritten (and thus lost completely) with new data as the computer continues to be used” (2018).

To identify the file system on the media, FTK Imager shows [Ext2] or [Linux swap] on each of the partitions. This indicates a Linux kernel, since Ext2 is a Linux file system.
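As an added illustration that is not part of the report, the script below does in code what FTK Imager showed in its Evidence Tree: it reads the MBR of a dd image, lists the four primary partitions with their sector ranges, and confirms each one's file system from on-disk signatures (the Ext2 superblock magic and the Linux swap page signature) instead of trusting the partition type byte alone. The image it parses is a constructed stand-in, not able2.dd, and its sector layout is assumed.

```python
import struct

SECTOR = 512
EXT2_MAGIC = 0xEF53                 # s_magic, 56 bytes into the superblock at +1024
SWAP_SIGS = (b"SWAPSPACE2", b"SWAP-SPACE")  # last 10 bytes of the first 4 KiB page

def parse_mbr(img: bytes):
    """Return the non-empty primary MBR entries as (slot, type_byte, start_lba, sectors)."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR image")
    entries = []
    for i in range(4):
        e = img[446 + 16 * i: 462 + 16 * i]          # 16-byte partition entry
        ptype, (start, count) = e[4], struct.unpack("<II", e[8:16])
        if ptype:                                    # type 0x00 means unused slot
            entries.append((i + 1, ptype, start, count))
    return entries

def identify_fs(img: bytes, start_lba: int) -> str:
    """Confirm the type byte against the signatures actually present in the partition."""
    base = start_lba * SECTOR
    sb = img[base + 1024: base + 2048]               # ext2 superblock lives 1 KiB in
    if len(sb) >= 58 and struct.unpack_from("<H", sb, 56)[0] == EXT2_MAGIC:
        return "Ext2 (superblock magic 0xEF53)"
    if img[base + 4086: base + 4096] in SWAP_SIGS:
        return "Linux swap (page signature)"
    return "unrecognized"

def describe_layout(img: bytes):
    """One row per partition: slot, type byte, first/last sector, identified file system."""
    return [(n, ptype, start, start + count - 1, identify_fs(img, start))
            for n, ptype, start, count in parse_mbr(img)]

def build_sample_image() -> bytes:
    """Constructed stand-in for able2.dd: MBR plus four 8-sector partitions."""
    parts = [(0x83, "ext2"), (0x83, "ext2"), (0x82, "swap"), (0x83, "blank")]
    mbr, body = bytearray(512), bytearray()
    for i, (ptype, kind) in enumerate(parts):
        start = 1 + 8 * i
        mbr[446 + 16 * i + 4] = ptype
        struct.pack_into("<II", mbr, 446 + 16 * i + 8, start, 8)
        part = bytearray(8 * SECTOR)
        if kind == "ext2":
            struct.pack_into("<H", part, 1024 + 56, EXT2_MAGIC)
        elif kind == "swap":
            part[4086:4096] = b"SWAPSPACE2"
        body += part
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr + body)
```

Against a real image, replace build_sample_image() with the bytes of the dd file; a partition whose type byte says Linux but carries no superblock magic shows up as "unrecognized", which is the kind of discrepancy worth noting in a report.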


When describing the various directories on the media, each partition (hard drive) has its own size in megabytes depending on how small or large it is. Partition 3 doesn't give enough information since it is an unrecognizable file, except that it has 32 megabytes. Additionally, Partition 1 has a small amount of storage and a couple of files stored. Partitions 2 and 4 have detailed information about the storage.

To identify significant files, I found an image in the lolit_pics.tar file under the partition 2 directories. The information gives me enough detail about the image and when it was created. The file properties are shown as:

Date Modified      8/3/2003 11:15:07 PM
File Class         Regular File
File Size          673,986
GID                1,000
Group Name         users
Name               lolitaz2
Owner Name         barry
UID                1,000
Unix Permission    -rw-r--r--


When using the Properties and Hex Value Interpreter, I went to the lolit_pics.tar.gz properties, which show that it was created in a specific folder at 11:37 PM on August 3, 2003. For the Hex Value Interpreter, highlighting the hexadecimal bytes gives me specific value types and spotlights the word “lolitazl”. Jamie McQuaid points out, “If all your tools and scripts fail or don't support a given artifact, you can always fall back to a hex viewer to dig into an artifact to uncover any evidence within” (McQuaid, 2019).
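As an added example that is not from the report, the code below does what the Hex Value Interpreter does for a chosen offset (reads the bytes as integers and as a Unix timestamp) and then decodes a whole ext2 inode into the same fields listed in the file properties above. The inode bytes are constructed to carry the report's values; owner and group names are not stored in an ext2 inode, so they are passed in as an assumed uid/gid mapping (barry/users).

```python
import struct
from datetime import datetime, timezone

# ext2 on-disk inode field offsets (little-endian): i_mode@0, i_uid@2, i_size@4,
# i_atime@8, i_ctime@12, i_mtime@16, i_dtime@20, i_gid@24.
S_IFMT, S_IFREG = 0o170000, 0o100000

def interpret_at(raw: bytes, off: int) -> dict:
    """The readings a hex value interpreter offers for the bytes at one offset."""
    u32le = struct.unpack_from("<I", raw, off)[0]
    return {
        "uint8": raw[off],
        "uint16_le": struct.unpack_from("<H", raw, off)[0],
        "uint32_le": u32le,
        "uint32_be": struct.unpack_from(">I", raw, off)[0],
        "unix_time": datetime.fromtimestamp(u32le, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }

def perm_string(mode: int) -> str:
    """Render the low 9 mode bits as rwxr-xr-x, like the report's Unix Permission row."""
    bits = "rwx" * 3
    return "".join(b if mode & (1 << (8 - i)) else "-" for i, b in enumerate(bits))

def inode_properties(raw: bytes, owner: str, group: str) -> dict:
    """Decode the fields FTK Imager lists as file properties from a raw ext2 inode."""
    mode, uid, size = struct.unpack_from("<HHI", raw, 0)
    mtime = struct.unpack_from("<I", raw, 16)[0]
    gid = struct.unpack_from("<H", raw, 24)[0]
    return {
        "File Class": "Regular File" if (mode & S_IFMT) == S_IFREG else "Other",
        "File Size": size, "UID": uid, "GID": gid,
        "Owner Name": owner, "Group Name": group,      # names come from /etc/passwd, not the inode
        "Unix Permission": perm_string(mode),
        "Date Modified (UTC)": datetime.fromtimestamp(mtime, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }

def sample_inode() -> bytes:
    """Constructed 128-byte inode carrying the report's values (not the real inode from able2.dd)."""
    raw = bytearray(128)
    mtime = int(datetime(2003, 8, 3, 23, 15, 7, tzinfo=timezone.utc).timestamp())
    struct.pack_into("<HHIIII", raw, 0, S_IFREG | 0o644, 1000, 673986, mtime, mtime, mtime)
    struct.pack_into("<H", raw, 24, 1000)
    return bytes(raw)
```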

To get the SHA-1 and MD5 hash values, I right-clicked able2.dd and chose “Verify Drive/Image”. Then I got the complete results.


Next, I opened Autopsy 4.15.0 as my secondary application to perform other analyses. In Autopsy, I filled out the case information under the “New Case” option and saved it in the CFR101 folder.

In the data source section, I clicked the “Disk Image or VM File” option and added “able2.dd” as my data source. I checked all the boxes except the last 4 in the ingest modules. Then I clicked Finish and waited for the analysis to complete.


Once the data source and ingest modules finished, I got the complete results.


In the Results feature, it gives me the extracted content, e-mail messages, and accounts data. The operating system confirms it is Linux, as mentioned earlier. In the e-mail messages section, I found 7 messages in the source file, which is suspicious. Additionally, it gave me the email address in the account emails section.

In the View feature, there are two different groups: file types and deleted files. When expanding the file types, it gave me a number of file types, including images, audio, archives, and databases. Under deleted files, it gives me files that were deleted, dating from 1996 to 2003.


In the ingest modules, under data source integrity, it calculated MD5 and SHA-1 hash values, which match the FTK Imager hash verification. In the browser results, it found Microsoft Edge as the only web browser. Lastly, there were a couple of errors encountered, since there are a couple of deleted files.
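As an added example (not code from the report or from either tool), the script below reproduces the hash verification step behind the HASH VERIFICATION table and the Autopsy data source integrity check: it streams a dd image once, computes MD5 and SHA-1 in a single pass, and compares the result against the digests each tool reported. The image path able2.dd in the working directory is an assumption.

```python
import hashlib
from pathlib import Path

# Digests the report records for able2.dd from each tool (copied from the hash table).
TOOL_REPORTS = {
    "FTK Imager": {"md5": "02b2d6fc742895fa4af9fa566240b880",
                   "sha1": "2d0af55e931f4ab2135606e941ccc74785e4926d"},
    "Autopsy":    {"md5": "02b2d6fc742895fa4af9fa566240b880",
                   "sha1": "2d0af55e931f4ab2135606e941ccc74785e4926d"},
}

def hash_chunks(chunks, algorithms=("md5", "sha1")) -> dict:
    """Feed every chunk to all hashers in one pass, so the image is read only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def read_chunks(path, size=4 << 20):
    """Stream a dd image in 4 MiB pieces; never load a multi-GB image into memory."""
    with open(path, "rb") as fh:
        while chunk := fh.read(size):
            yield chunk

def cross_check(computed: dict, tool_reports: dict) -> dict:
    """Per tool and algorithm: does the tool's reported digest equal our own?"""
    return {tool: {alg: computed.get(alg) == val.lower() for alg, val in report.items()}
            for tool, report in tool_reports.items()}

def all_agree(results: dict) -> bool:
    """True only when every tool's every digest matches the independently computed one."""
    return all(ok for report in results.values() for ok in report.values())

if __name__ == "__main__":
    image = Path("able2.dd")          # assumed location of the evidence image
    digests = hash_chunks(read_chunks(image))
    for tool, report in cross_check(digests, TOOL_REPORTS).items():
        print(tool, report)
```

A single flipped byte anywhere in the image changes both digests, so a mismatch from either tool means the copy being examined is not the one that was hashed, not merely that the tools disagree.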


CONCLUSION

In conclusion, FTK Imager and Autopsy are both reliable forensic tools when it comes to finding suspicious and behavioral activities in a file. After investigating, the outcome from the “able2.dd” file shows that evidence can be gathered and recovered from a device, based on the operating system, partitions, email recoveries, images, file types, and additional information recovered using FTK Imager and Autopsy.

RESOURCES

FTK® Imager. (n.d.). Retrieved December 06, 2020, from https://accessdata.com/products-services/forensic-toolkit-ftk/ftkimager

Hex & Text Viewer. (2019, March 19). Retrieved December 06, 2020, from https://www.magnetforensics.com/blog/hex-text-viewer/

One, T. (2020, February 29). Autopsy Tutorial for Digital Forensics. Retrieved December 06, 2020, from https://medium.com/@tusharcool118/autopsy-tutorial-for-digital-forensics-707ea5d5994d

What Is Unallocated Space and Why Does It Matter? (2018, April 25). Retrieved December 06, 2020, from https://insights.bit-x-bit.com/computerforensics/what-is-unallocated-space-and-why-does-it-matter/

Zdziarski, J. (2014, March 28). The Importance of Forensic Tools Validation. Retrieved December 06, 2020, from https://www.zdziarski.com/blog/?p=3112
