CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE
Week 3 – LAB #1
Copyright © 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Lab #1: Part 1 – Physical Imaging W/Helix
Edit the SIFT Windows VM and add another 60GB HD to it. This will simulate a blank disk onto which we will shortly write the image.
Change the CDROM drive for the SIFT Windows VM to point to the Helix3 iso file. This will simulate booting it from a CDROM.
In the VM options, enable Shared Folders, and share out the drives from the host so you can access files stored there.
Edit the SIFT Windows VM
Click the Add Button
Select Hard Disk
Create a New Virtual Disk
SCSI (Recommended)
Set Size to 60GB. Other Settings Default
Default .vmdk Filename
60GB Drive Now Added
Now Select the CDROM Drive
Select ‘Use ISO image file’ and browse to your Helix file
Go to the Options Tab & Select Shared Folders
Select ‘Always Enabled’, ‘Map as Network Drive’, and Click Add
Adding a Shared Folder
Add Each Drive Separately (Same Procedure for Each)
Enable
Shares All Added
Inside the VM, Your Newly Mapped Folders Will Now Show Up Under Z:\
VMware Mouse Problem
When Booted from CDROM, VMware detects the USB mouse, by default, as a USB device rather than as a mouse. Result: You can’t click.
Fix: With the VM shut down, edit the .vmx file & add (or modify) these lines:
usb:0.deviceType="mouse"
usb:0.present="FALSE"
mouse.vusb.enable="FALSE"
Open .vmx File in Notepad
Find These Values
Replace with these & Save
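The .vmx edit above, automated as an added example that is not part of the original lab slides: the script rewrites the three keys in place where they already exist and appends them where they are missing, leaving every other line untouched. The sample .vmx contents and the .bak naming are constructed assumptions, not the lab VM's real file.

```python
"""Apply the Helix-boot mouse fix to a VMware .vmx file (added example)."""
import re
from pathlib import Path

# The three settings the lab says to add or modify; the VM must be shut down first
MOUSE_FIX = {
    "usb:0.deviceType": "mouse",
    "usb:0.present": "FALSE",
    "mouse.vusb.enable": "FALSE",
}
# A .vmx line has the form  key = "value"  (spaces around '=' are optional)
KEY_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def apply_mouse_fix(vmx_text):
    """Rewrite existing MOUSE_FIX keys in place, append missing ones, keep the rest."""
    seen, out = set(), []
    for line in vmx_text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(1) in MOUSE_FIX:
            key = m.group(1)
            out.append(f'{key} = "{MOUSE_FIX[key]}"')
            seen.add(key)
        else:
            out.append(line)
    for key, value in MOUSE_FIX.items():
        if key not in seen:
            out.append(f'{key} = "{value}"')
    return "\n".join(out) + "\n"

def fix_vmx_file(path):
    """Patch the .vmx at path in place, keeping an untouched .bak copy (assumed naming)."""
    p = Path(path)
    original = p.read_text()
    Path(str(p) + ".bak").write_text(original)
    p.write_text(apply_mouse_fix(original))

# Constructed sample resembling a VMware .vmx (not the lab VM's real file)
SAMPLE_VMX = """.encoding = "UTF-8"
config.version = "8"
displayName = "SIFT Windows"
usb.present = "TRUE"
usb:0.present = "TRUE"
usb:0.deviceType = "hid"
ide1:0.fileName = "Helix3.iso"
"""

if __name__ == "__main__":
    print(apply_mouse_fix(SAMPLE_VMX))
```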
To Make Booting into BIOS Easier
Lab #1: Part 1 – Physical Imaging W/Helix (1)
Boot the Windows SIFT Kit. In VMware Player, hit F2 quickly (this is difficult with the default settings, see previous slide).
In VMware Workstation, which is on the DePaul Lab systems, you can just click VM -> Power -> Power On to BIOS.
Change the boot order to put the CDROM first.
In VMware Player, Hit F2
BIOS Settings
Right-Arrow Three Times to Tab Over Down-Arrow Twice to Select CDROM
‘+’ Twice to Move CDROM to Top, F10 to Save & Exit
Once Helix3 boots, go to Applications->System Tools->Partition Editor.
In the upper right, select your new 60GB disk.
Device->Set Disklabel, then click Create.
Right-click on the unallocated space, click New, and format the result as fat32. Hit Apply.
Right-click on the new filesystem->Mount on /media/sdc. Your newly added disk is now mounted read/write.
Lab #1: Part 1 – Physical Imaging W/Helix (2)
Helix Boot Screen. Hit Enter to Boot into Helix Environment
Run the Partition Editor
Select /dev/sdc(Your newly added 60GB Virtual Disk)
Set Disklabel
Hit Create to write an MBR Partition Table to the New Disk
Be Sure You Haven’t Selected /dev/sda or /dev/sdb (That would be bad…)
Right-click on the Unpartitioned Space, and Hit New
Change Type for New Partition from Default ext2 to fat32, and Hit Add
Right-click on New Partition, Select Format to fat32, and Hit Apply
Right-click on New Filesystem, Select Mount on /media/sdc1
Run Applications->Forensics & IR->Linen. Hit spacebar to begin imaging, then select sda using the left & right arrows.
Type /media/sdc1/image_drive_1 as the path for the image files. No alternate path is necessary.
Case number can be anything. Use 1. Use your name for examiner name. Evidence number: ‘1’, ‘C:’ for description.
Current date, no notes, compress, hash, no password.
Total sectors is the default, max file size 2000. The rest are defaults.
Lab #1: Part 1 – Physical Imaging W/Helix (3)
Start the Linen Imaging Application
Once Linen Starts, All Physical & Logical Disks Are Listed
Hit Spacebar to Begin Acquisition
Use Right-arrow to select sda
Hit Enter, and Type Your Image File Path: /media/sdc1/test_image
Hit Enter (No Alternate Path is Necessary)
Enter Case Number (if desired) and Hit Enter
Enter Examiner Name (Mandatory) and Hit Enter
Enter Evidence Number (if desired) and Hit Enter
Enter Description (Mandatory) and Hit Enter
Current Date Should Populate by Default. Hit Enter
Notes Not Required. Hit Enter
Enable Compression. Hit Enter
Enable Hashing. Hit Enter
No Password. Hit Enter
Total Sectors Automatically Calculated Hit Enter
Set Max Image Segment Size to 2000 Hit Enter
Leave Block Size Default. Hit Enter
Leave Error Granularity Default. Hit Enter to Begin Imaging
This will work, but it would take a while
Here’s what it looks like completed
Close the Linen window (cancelling), then quit out of Helix
And Restart
Hit Enter. VM will reboot into Windows
Login to SANSForensics408 with password: forensics
Windows wants to be activated. Hit Cancel
Close the Software Counterfeiting nag box
Close the Security essentials nag box too
Select your virtual CDROM drive in VMware, and ‘connect’ it
Browse to IR\RAM\Winen and execute winen.exe
Lab #1: Part 2 – Memory Imaging: Helix/Winen
Enter Parameters as Before
Lab #1: Part 3 – Memory Imaging: FTK Imager
Run FTK Imager (desktop icon). Select ‘Capture Memory’. Enter Parameters:
Image Path
Image Filename
Click ‘Capture Memory’
Run FTK Imager (desktop icon). Select ‘Capture Memory’
Enter Parameters
Click ‘Capture Memory’
Lab #1: Part 4 – Logical Disk Imaging: FTK Imager
Run FTK Imager (desktop icon). Select ‘Create Disk Image’
‘Logical Drive’ <Next>. Source Drive: C:\ <Finish>
Add Destination. Image Type: E01 <Next>. Enter Parameters (all values optional).
Image Destination Folder:
Image Filename: Windows_SIFT_Kit_First_Logical_Volume
Image Fragment Size: 2000
Compression: 9
Click Start
Run FTK Imager (desktop icon). Select ‘Create Disk Image’
Select Source: Logical Drive. Hit Next
Select Source Drive: C:\. Hit Finish
Add Image Destination, Select E01. Hit Next
Enter Parameters. Hit Next
Enter Folder, Filename, Fragment Size, & Compression, Hit Finish
Hit Start
Questions?