
Lab 6: Windows OS Forensic Analysis 2021-2022
© Daan Pareit, Hendrik Derre and Koen Koreman
Introduction

Lab concept
This lab simulates a real-world forensic case in which the student acts as the forensic investigator. A fictitious
company has suffered a data breach on one of its employees' computers and has ordered a full investigation
to determine the root cause (and to verify that the employee is a victim and not involved in the incident).

Scenario:

You have been contacted by the company OfficeHustler to assist them with a suspected hacking
case. Their employee Danny Blue reported that some sensitive company data was stolen from his PC and
that the hacker left a short ransom note on his desktop. Danny claims he didn't download any
executables or visit any dangerous (artistic) sites, but the company doesn't completely trust him
since he has a history of slacking off on the job.

The OH company wants you to perform an in-depth forensic investigation and to present them with
a detailed report of the events that took place. If you are able to recover their stolen data, there
might be a nice bonus in it for you!

Your colleagues have already been on-site to perform the initial incident response and have
created a forensic working copy of the disk from the victim’s computer for you to analyze.

Forensic artifacts:

[1] Full Disk image – forensic working copy [vmdk file]


✓ Filename: ForLab06_victim.vmdk
✓ MD5: 8AEA104393018866CB4EEA629A2ADFCE (of the vmdk file)
✓ MD5: a172503cd9511f8226673374d7acc2bf (of the disk in Kali/Linux*)
*After attaching the disk in Linux, md5sum hashes the full 60GB disk. The
vmdk is not preallocated and contains metadata of its own, so the disk hash computed in Linux differs from
the hash of the downloaded file.

Practicalities
You can use any forensic tools at your disposal to perform this investigation. The tools covered during the
'Windows OS forensics' lesson are recommended, but you can add your own tools as needed.

The disk of the victim is supplied as a VMware virtual disk (vmdk) which contains all the artifacts
pertaining to this case. You can find the vmdk at:
• the samba share: \\nas.ti.howest.be\TI-StudentShare\TI-S4-Forensics,
• or via HTTP at https://nas.ti.howest.be:5001 in the TI-S4-Forensics folder.

Steps to follow:

- Mount the vmdk in Kali Linux
- Extract useful files
- Use the tools to find the information on your host or Windows VM (suggested)
- The registry can be viewed with Registry Explorer

! Warning: this vmdk has a disk size of 60GB (not preallocated). If you make a full disk image, the
resulting image will be 60GB in size!
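The hash notes above and the "mount the vmdk in Kali Linux" step, carried out as an added example (not part of the lab handout): verify the downloaded vmdk against the handout's file hash, expose it as a read-only block device, verify the disk-level hash, and mount the NTFS volume read-only so the working copy cannot be altered. It assumes qemu-nbd and ntfs-3g are installed, that it runs as root, and that the Windows volume is the second partition (adjust after inspecting the layout).

```shell
#!/bin/sh
# Added example, not part of the lab handout. Expected hashes are the ones from the handout.
VMDK_MD5="8aea104393018866cb4eea629a2adfce"   # MD5 of the vmdk file
DISK_MD5="a172503cd9511f8226673374d7acc2bf"   # MD5 of the attached 60GB disk

# md5_of FILE : print the lowercase MD5 hex digest of a file or block device
md5_of() {
    md5sum "$1" | awk '{print tolower($1)}'
}

# verify_md5 FILE EXPECTED : return 0 when the digest matches (case-insensitive), 1 otherwise
verify_md5() {
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    actual=$(md5_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $1 $actual"
        return 0
    fi
    echo "FAIL $1 expected=$expected actual=$actual" >&2
    return 1
}

# attach_ro VMDK MOUNTPOINT : verify the file, attach the vmdk read-only via the nbd
# driver, verify the full-disk hash (slow: reads all 60GB), then mount the NTFS
# partition read-only. Needs root. Assumes the Windows volume is /dev/nbd0p2;
# run 'lsblk /dev/nbd0' first and adjust if the layout differs.
attach_ro() {
    vmdk=$1; mnt=$2
    verify_md5 "$vmdk" "$VMDK_MD5" || return 1
    modprobe nbd max_part=16
    qemu-nbd --read-only --connect=/dev/nbd0 "$vmdk"
    verify_md5 /dev/nbd0 "$DISK_MD5" || return 1
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro,noexec,nodev /dev/nbd0p2 "$mnt"
}

# detach_ro MOUNTPOINT : undo attach_ro
detach_ro() {
    umount "$1"
    qemu-nbd --disconnect /dev/nbd0
}

# Usage (only runs when FORLAB_VMDK points at the downloaded working copy):
#   FORLAB_VMDK=ForLab06_victim.vmdk sh verify_and_mount.sh
if [ -n "${FORLAB_VMDK:-}" ]; then
    attach_ro "$FORLAB_VMDK" /mnt/victim
fi
```

Extract files from /mnt/victim, then call detach_ro /mnt/victim when done; never remount read-write, since a changed disk hash invalidates the working copy as evidence.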

Forensic Analysis / 2
Learning goals
Knowledge
• Forensic artifacts contained in Windows OS
• NTFS filesystem forensics

Skills
• Forensic tools usage
• Report writing

Lab assignments

Perform a forensic investigation

Use all the tools and techniques seen so far to perform an in-depth forensic investigation on the victim's disk.

Try to answer (at least) the following questions:

• What was the initial attack vector used to compromise the victim system?
• What was the payload executed to gain control of the system?
• What actions did the attacker perform on the system?
• How was the data exfiltrated?
• Can you recover the stolen data?
• What information can you recover that could help in discovering the identity of the attacker?

Remark: During the investigation you will come across some sensitive information in the form of FLAGs.
Be sure to keep a record of these.

Write a forensic report

The client expects a detailed report describing the forensic investigation that was performed.
This report must contain the following sections:
1. Executive summary: Write down what happened in your expert opinion. This summary must be readable for people with no forensic experience.
2. Timeline of events: Make a visual representation of the key events with some basic information about each event. Refer to the analysis details where needed.
3. Analysis details: A detailed and technical documentation of all the relevant artifacts you have discovered during your investigation.
