After completing these activities you should be able to:
This lab emphasizes the aspects of digital forensics that are most commonly encountered. The work is broken into small activities, each with a specific focus.
Your Digital Forensics worksheet is due to your instructor at the beginning of class on the day listed on the course calendar, typically a week from the date assigned.
forensics on your desktop. All of the files created in this lab will be stored there.
Email is one of the most common forms of communication today. Older forms of communication required both parties to be present and participating at the same time; email is asynchronous, so sender and receiver need not be online together. Email is delivered with the SMTP protocol, which follows a prescribed set of rules, making it predictable and simple to understand. Today we're going to look at a few emails and determine whether each is legitimate, spam, or something else. The basis for this analysis will mainly be the header of the email. Every Mail Transfer Agent (MTA) the message passes through on its way to the destination adds information to the header, which is very helpful when reconstructing the chain of information systems the message passed through.
First examine this email by simply clicking on this link (don't download): Email 1. If you start from the bottom of the email, you'll see several large chunks of data that look like some sort of encoding. These are images being sent with the email. Binary attachments are encoded, almost always as base64, so they can travel through mail systems that only handle text. Just before each chunk you can see the file name that will be used when the attachment is reconstituted on the receiving end. If you scroll up past the images, you'll eventually arrive at the actual text of the message. Interesting, but the body rarely helps with attribution (non-repudiation): anyone can write anything there.
As you move up the email, you can see the following fields and their meaning:
| Field | Meaning |
|---|---|
| Message-ID | A unique identifier assigned to the message when it is created (by the client or the first mail server). Servers use it to detect duplicates and to thread replies; it does not change from hop to hop. |
| From | The address the sender filled in. This could be made up! |
| To | The destination address. |
| X-Mailer | The mail client (program) from which the email was sent. Also under the sender's control. |
| Subject | The subject of the email. |
| Reply-To | The address the "reply" button usually uses, so replies go there instead of to the From address. The sender can fill this in with whatever they want, and the receiver may not even realize it differs from From. |
| Received | There are usually several of these. Each mail server that handles the message adds one at the top, recording where it got the message from, its own name, and the time of receipt. The top Received line is therefore closest to the receiver and the bottom one closest to the sender. Lines added by servers you trust are reliable; lines below them could have been fabricated by the sender before the message was handed off. |
| Return-Path | The address to which delivery error (bounce) messages are sent. The receiving server writes it from the SMTP envelope sender, which is separate from the From header and can also be set freely by the sender. |
Every email carries some or all of these lines (collectively called the email header), and possibly other lines as well. If a mail system thought the message might be spam, there is usually a line or two in the header (often named X-Spam-something) that flag it. In Gmail, you can view the header and the email contents safely for any of your emails by clicking the ▾ button next to the reply button in the header area of the message, then clicking Show original in the drop-down menu.
Typically, we want to determine which mail servers the message passed through, and in what order. Each Received line was added by a server as it accepted the message, so the chain of Received lines records the real path the email took. A sender can insert fake Received lines of their own before handing the message off, but cannot alter the lines that servers add afterwards, so read the chain from the top (your own server) downward and treat the lines below the first server you trust as unverified claims. Examine the fields described above for Email 1.
Now, investigate Email 2, which is a spoofed email, and see if you can determine where it originated from.
Finally, investigate Email 3. This time, examine not only the header but also the actual email message. Email servers can be compromised and used to send legitimate-looking email. In a legitimate email the domain names will be consistent throughout: the From address, any link the message offers, and the location of any file it asks you to download should all point at the same organization. Other indications of spam and phishing emails are misspellings and poor grammar.
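As an added example (not part of the lab, and not code from any mail program), here is a short Python script using the standard library's email package that does by hand what the three email activities ask you to do: it walks the Received lines from the bottom (closest to the sender) to the top, flags Reply-To and Return-Path addresses whose domain differs from From, and lists attachments with their decoded sizes. The message embedded in it is constructed for the example; every host name and address in it is made up.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real email): a phishing-style message with a
# Reply-To and Return-Path on a different domain than From, a bottom Received
# line the sender wrote themselves, and a small base64-encoded attachment.
RAW_EMAIL = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.edu (mx1.example.edu [192.0.2.10])
\tby inbox.example.edu with ESMTP id abc123;
\tMon, 02 Sep 2013 09:15:02 -0400
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.example.edu with ESMTP id def456;
\tMon, 02 Sep 2013 09:14:58 -0400
Received: from mail.bank.example (claimed) by relay.example.net;
\tMon, 02 Sep 2013 09:14:50 -0400
Message-ID: <20130902131450.12345@relay.example.net>
From: "Account Services" <security@bank.example>
Reply-To: recovery@mailer.example.net
To: mid@example.edu
Subject: Verify your account
X-Mailer: BulkSender 2.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form.
--b1
Content-Type: image/png; name="form.png"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="form.png"

iVBORw0KGgo=
--b1--
"""

HOP_RE = re.compile(r"from ([\w.\-]+).*?by ([\w.\-]+)")


def hops(msg):
    """Return (from_host, by_host) per Received line, oldest first.
    The bottom Received line is closest to the sender, so we reverse the
    top-down header order. Only the lines added by servers you trust (the
    top of the chain) are reliable; the rest are the sender's claims."""
    out = []
    for line in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(str(line).split()))  # unfold continuation lines
        out.append((m.group(1), m.group(2)) if m else (None, None))
    return out


def address_mismatches(msg):
    """Names of Reply-To / Return-Path headers whose domain differs from From's."""
    def domain(header):
        addr = parseaddr(str(msg.get(header, "") or ""))[1]
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    from_domain = domain("From")
    return [h for h in ("Reply-To", "Return-Path") if domain(h) and domain(h) != from_domain]


def attachments(msg):
    """(filename, decoded_size) for each attachment; decode=True undoes the base64."""
    return [(part.get_filename(), len(part.get_payload(decode=True) or b""))
            for part in msg.iter_attachments()]


def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"hops": hops(msg),
            "mismatches": address_mismatches(msg),
            "attachments": attachments(msg)}


if __name__ == "__main__":
    report = analyze(RAW_EMAIL)
    for i, (src, dst) in enumerate(report["hops"]):
        print(f"hop {i}: {src} -> {dst}")
    print("address mismatches:", report["mismatches"])
    print("attachments:", report["attachments"])
```

Run against the sample, the hop list ends with the two lines added by example.edu's own servers and starts with the "mail.bank.example" claim that only relay.example.net vouches for; both Reply-To and Return-Path are flagged because they sit on mailer.example.net while From claims bank.example. To use it on one of the lab emails, save the "Show original" text to a file and pass its bytes to analyze().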
This section of the Forensics Lab introduces you to file carving. File carving is an incredibly useful skill to have in the world of digital forensics. It basically means recovering files (data) from a physical storage device after the files have been deleted, the device has been erased, or the device has been damaged. At this point, the data on the device just looks like a sequence of "raw bytes" — meaning a sequence of bytes without any information as to where any file(s) begins or ends in the sequence of bytes.
With computers, "deleting" a file doesn't necessarily mean the data stored in the file (the bytes that comprise the file) is gone. It means that the file system's record of the file's name, and its pointers to the areas of the drive holding the contents, are gone. Those areas become "unallocated space", but they still hold the old bytes until something else overwrites them, and those bytes can still be interpreted.
To carve a file from a block of bytes, you'll need to look for the header of the file, and depending on the file type the footer of the file.
For example, the header (in hex) for a PNG file is 89 50 4e 47 (the full 8-byte signature is 89 50 4e 47 0d 0a 1a 0a) and the footer is 49 45 4e 44 ae 42 60 82 (the IEND chunk followed by its CRC).
Below we have an example of a chunk of unallocated space from a drive. Looking carefully, we spot a PNG header (starting at offset 10) and, following it, a PNG footer (ending at offset 42); therefore we deduce that a PNG file occupies offsets 10 through 42:

[PNG header][body][PNG footer]
File Carving Activity Starts ...
Suppose you recover a hard drive from a bad guy's computer. Your job is to find incriminating data, or data that will help in an investigation. Your goal is to recover files from the raw bytes of the recovered disk image. The header of a JPG file, in hex, is ff d8 ff e0 (every JPEG begins with ff d8 ff; e0 marks the common JFIF variant).
frhed, open the saved file. Can you see the JPG header in the file anywhere? Not easily!
Ctrl-f and enter a search for the header in hex by typing <bh:ff><bh:d8><bh:ff><bh:e0> into the search prompt. The bh specifies that you want to search for the byte given in hex. When the bytes are located, they will all be highlighted in frhed. Do not use uppercase hex characters.
frhed window) of the first byte of the header and the last byte of the header on your worksheet.
frhed the entered offset is hex.
forensics directory, and open it with frhed like you did with oneFile. You will use the same file-carving technique with your hex editor. In this case, one file is a PDF and the other is an audio file in WAV format. The information below should help you with your task.
Remember, if you need to search for the hex values, use this format: <bh:89><bh:50><bh:4e><bh:47> (which searches for a PNG file - you need to change the hex values for the header or footer you are specifically searching for)
| File Format | Header in hex | To search in frhed | Footer in hex | To search in frhed |
Some file formats do not have footers. This can be problematic, but humans are often better than computers at solving this problem. In the case of the audio file, you will see a change in the character of the data where the file ends. You can also try cutting differing amounts of data into the file and seeing whether it plays. Experiment and answer the questions on the lab worksheet. One approach is to start from the last byte in the file and work backwards (there is more than one way to solve a problem). Another is to use the format's own bookkeeping: a WAV file starts with the bytes RIFF, and the four bytes immediately after hold the length of the rest of the file as a little-endian integer, so the end of the file can be computed from its header.
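As an added example (not part of the lab, and not how frhed or scalpel are implemented), here is a small Python carver that does what the hex-editor and scalpel steps do by hand: it scans a blob of raw bytes for the header/footer pairs of PNG, JPEG and PDF, and for WAV, which has no footer, reads the file length from the RIFF size field instead. The blob it runs on is constructed inside the script (filler bytes around a tiny PNG, WAV and JPEG), so it runs offline; the signature table and the output file naming are the example's own.

```python
import struct

# Signatures: kind -> (header bytes, footer bytes or None when the format has no footer)
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF", b"%%EOF"),
    "wav": (b"RIFF", None),
}


def wav_length(blob, start):
    """Length of the WAV file at start, or None if the RIFF chunk is not a WAVE.
    RIFF files carry their own size: bytes 4..8 hold the little-endian length of
    everything after the 8-byte RIFF header, and bytes 8..12 read b"WAVE"."""
    if blob[start + 8:start + 12] != b"WAVE":
        return None
    riff_size = struct.unpack_from("<I", blob, start + 4)[0]
    return min(8 + riff_size, len(blob) - start)  # clamp if the image is truncated


def carve(blob):
    """Return [(kind, start, end)] for every file found in blob (end exclusive),
    sorted by offset. Footer formats are cut at the first footer after the header;
    WAV uses the RIFF size field. Headers with no usable end are skipped."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := blob.find(header, pos)) >= 0:
            end = None
            if footer is None:
                length = wav_length(blob, start)
                end = start + length if length else None
            else:
                f = blob.find(footer, start + len(header))
                if f >= 0:
                    end = f + len(footer)
            if end is None:
                pos = start + 1  # stray header; keep scanning past it
                continue
            found.append((kind, start, end))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def carve_to_files(blob, outdir):
    """Write each carved file as <outdir>/<offset>.<kind>, scalpel-output style."""
    from pathlib import Path
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    names = []
    for kind, start, end in carve(blob):
        path = out / f"{start:08d}.{kind}"
        path.write_bytes(blob[start:end])
        names.append(path.name)
    return names


def build_sample():
    """Constructed unallocated-space blob: filler bytes around a PNG, a WAV and a JPEG."""
    filler = lambda n: bytes((i * 37 + 11) % 251 for i in range(n))  # never contains 0xff
    png = SIGNATURES["png"][0] + b"\x00" * 20 + SIGNATURES["png"][1]
    pcm = b"\x01\x02" * 16
    fmt = b"fmt " + struct.pack("<I", 16) + struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    data = b"data" + struct.pack("<I", len(pcm)) + pcm
    body = b"WAVE" + fmt + data
    wav = b"RIFF" + struct.pack("<I", len(body)) + body
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
    blob = filler(10) + png + filler(7) + wav + filler(5) + jpg + filler(9)
    return blob, {"png": png, "wav": wav, "jpg": jpg}


if __name__ == "__main__":
    blob, parts = build_sample()
    for kind, start, end in carve(blob):
        intact = blob[start:end] == parts[kind]
        print(f"{kind}: offset {start:#x}..{end:#x} ({end - start} bytes, intact={intact})")
```

Running it prints the three hits with their hex offsets, the same numbers you would read off frhed's status bar; carve_to_files writes each hit to a directory, much as scalpel-output does. The limitation the lab mentions applies here too: a footer search stops at the first footer after the header, so a JPEG with an embedded thumbnail (which carries its own ff d9) would be cut short, and a header with no footer after it is skipped rather than guessed at.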
scalpel, which is free software; if you did it correctly, scalpel was installed to your C:\SI110Programs directory during the first homework assignment. scalpel automates file carving. A user sets up a configuration file that lists the different types of files it should search for, based on headers and footers. We've prepared a scalpel configuration file for you to use.
C:>md5 -h ← print help/usage statement
Follow these steps:
scalpel.conf and save them in the
unknownChunk.raw - Raw bytes recovered off the hard drive of a confiscated information system.
scalpel.conf - Describes file headers and footers in a form
md5 unknownChunk.raw and record the hash value on your worksheet.
scalpel.exe -c scalpel.conf unknownChunk.raw
scalpel-output will be created in the
unknownChunk.raw file again and record the result on your worksheet. If the hash differs from the one you recorded at the start of the activity, the file has changed: download unknownChunk.raw again, compute its hash, and repeat the scalpel activity.
scalpel-output directory and confirm what was reported in the shell about what the file carver (scalpel) was able to retrieve. Then answer the questions on your worksheet. If you got an error instead of scalpel results in the shell (scalpel never ends and you are stuck in the shell), then you will need to start over. There will still be a scalpel-output directory, and scalpel will not run if it detects that a directory named scalpel-output already exists. If you need to run scalpel again, first delete the scalpel-output directory.
C:>aes ← print help/usage statement
C:>aes -d symEncKey -i inFile -o outFile
unknownChunk.raw from Part C is a section of the HDD that was additionally recovered from the user's computer. Looking at the files you carved, are there any clues that can help you decrypt and view the email attachment?
Just as you understand that your actions from your laptop leave evidence on your laptop, your and others' past actions have also left evidence (Locard's Exchange Principle), evidence that still exists on the Internet.
Personal evidence in the cyber domain can negatively impact Fleet operations. Adversaries are continually searching for information about targets, looking for anything that can be used to gain access to systems in technical and non-technical ways. The phrase "Loose Lips Sink Ships" is even more relevant in today's Information Age.
If you are not listed in Spokeo or Peoplefinder, that is good (but you must remain vigilant). Print out a copy of the no results found page with your name as the search criteria to receive credit for this part of the assignment.
Spokeo is an online data aggregator that provides a publicly accessible web interface to search and retrieve aggregated data.
Spokeo gathers publicly available (publicly shared) data about an individual, correlates the data, and allows the data to be publicly searched.
Spokeo is intended to be used "to help reunite friends and family, browse celebrities, and discover information about your online footprint, by simply searching a name, address, email, phone or username" (Spokeo).
Spokeo data includes information that can be used to develop a profile of a person, and includes data that is often used in authentication mechanisms.
This should be a concern to anyone who has an online persona, and is certainly concerning for organizations that conduct operations across the Internet.
In this portion of the lab you are going to see what data Spokeo has about you and how you can take steps to remove that data. There may not be results for some students.
At this point Spokeo has given you as much information as they are willing to for free. But given the information presented you should have confidence that you found yourself. Now that you have found yourself, it is time to do something about it. It is time to remove some forensics evidence.
http://www.spokeo.com/Name-Searched-For/State/City/spokeoGeneratedIdentifier
Refresh the page and you should see that No profile information is available.
There are many more data aggregator sites and services online, Spokeo is just one. Many of the data aggregator sites charge for the full reports and require registration to remove data from their databases. Just because you took steps to remove data from Spokeo does not mean you are completely secure; recall we cannot nullify (zero) risk, but we can and should take steps to appropriately mitigate risks.
We may not be able to remove all personal data from the Internet, but we can take steps to minimize the data collected in the future. Most modern browsers have a Do Not Track setting. In this portion of the lab you will turn on the Do Not Track setting in commonly used browsers. One thing to note about Do Not Track: it only adds a header (DNT: 1) to each web request, and honoring it is voluntary. There is no mandate, legal or technical, that forces a web site, or even the browser vendor, to adhere to or offer Do Not Track, so it should be treated as a polite request rather than a control.