This lab emphasizes the aspects of computer forensics that are encountered most frequently. It is broken into small activities, each with a specific focus. Alert your instructor when you successfully complete each section.

A. Lab Setup

  1. Create a directory named class31 on your desktop. All of the files created in this lab will be stored there.
  2. Download and Install FoxAnalysis:
    Download, double click to extract, double click on Setup.msi to begin install.
    FoxAnalysis Setup Wizard: Select "Next".
    License Agreement: Select "I Agree", Select "Next". Select Installation Folder: Select "Everyone", Select "Next".
    Confirm Installation: Select "Next".
  3. Download and Install ChromeAnalysis
    Download, double click to extract, double click on Setup.msi to begin install.
    ChromeAnalysis Setup Wizard: Select "Next".
    License Agreement: Select "I Agree", Select "Next". Select Installation Folder: Select "Everyone", Select "Next".
    Confirm Installation: Select "Next".

B. File carving

This section of the Forensics Lab introduces you to file carving. File carving is an incredibly useful skill to have in the world of computer forensics. It basically means recovering files from a physical storage device after the files have been deleted, the device has been erased, or the device has been partially destroyed. At this point, the data on the device just looks like a sequence of "raw bytes" — meaning a sequence of bytes without any information as to where any file(s) begins or ends in this sequence.

With computers, "deleting" a file doesn't necessarily mean the data stored in the file (the bytes that comprise the file) is gone. It means that the filesystem's record of the file's name, and of its connection to that area of the hard drive, is gone. Those bytes become "unallocated space".

To carve a file from a block of bytes, you'll need to look for the header (and, depending on the file type, the footer) of the file. For example, the header (in hex) for a PNG file is 89 50 4e 47 and the footer is 49 45 4e 44 ae 42 60 82. Below we have an example of a chunk of unallocated space from a drive. Looking carefully, we spot a PNG header (starting at offset 10) and, following it, a PNG footer (ending at offset 42), and thus we can deduce that the bytes from offset 10 to 42 are a PNG file.

Figure: Block of unallocated space from a drive, showing the PNG header, the body, and the PNG footer.

File Carving Activity Starts ...
Suppose you recover a hard drive from a bad guy's computer. Your job is to find incriminating data, or data that will help in an investigation. Now you have before you a sequence of tasks:

  1. To start with, let's review a basic file format. The Portable Network Graphics format gives us files with a .png extension. This file type has a very distinctive header and footer.

    Save the following file into your class31 directory: oneFile. Using frhed, open the saved file. Can you see the PNG header in the file anywhere? You can always press Ctrl+F and enter a search for 'PNG' or, alternatively, type <bh:89><bh:50><bh:4e><bh:47> into the search prompt. You can follow the same style for the footer. (Note: Search only looks forward in the file from the current location.) Write down the offset (the location relative to the start of the file, shown at the bottom left of the frhed window) of the first byte of the header and of the last byte of the footer. You can use the decimal or the hex offset; just be consistent and stick with one of them. Once you have the header and footer located, i.e. you know their offsets, then:

    1. Select Edit ⇒ Copy, and enter the start and ending offsets.
    2. Select File ⇒ New to create a new document.
    3. Select Edit ⇒ Paste, choosing the option to Insert (NOT OVERWRITE). Press ok.
    4. Choose File ⇒ Save and save as a .png file.
    5. Open the file from the file browser to see the image.

  2. Your next task is to carve two files from a chunk of data called twoFiles, which you first need to save into your class31 directory, and open with frhed like you did with oneFile. You will use the same file carving technique with your hex editor. In this case, one file is a jpg image and the other file is an audio file of the wav format. The information below should help you on your task.

    Remember, if you need to search for the hex values, use this format: <bh:89><bh:50><bh:4e><bh:47>

    File Format   Header in hex            Footer in hex
    jpg           ff d8 ff e0              ff d9
    wav           52 49 46 46 (RIFF)       NO FOOTER!

    Some file formats do not have footers. This can be problematic, but humans are often better than computers at solving this problem. In the case of the audio file, you will see a change in the information in the file. You can also try cutting differing amounts of data into the file, and see if it works. Experiment and answer the questions on the lab worksheet.

  3. You are now skilled at file carving by hand! But what if the data in question is megabytes large and the number of files is either very large or unknown? Because we know how to do this task on a small scale, it can be automated for larger sets of data, which is great. We'll be using a file carving program called scalpel, which is free software. If you did it correctly, scalpel was installed to your C:\SI110Programs directory during the first homework assignment. Scalpel automates file carving: a user sets up a configuration file that lists the different types of files it should search for, based on their headers and footers. We've prepared one for you to use.

    Next, follow these steps:

    1. First download unknownChunk.raw and scalpel.conf and save them in the class31 directory.
      unknownChunk.raw - This is raw bytes recovered off the hard drive of a confiscated computer.
      scalpel.conf - This describes file headers and footers in a form scalpel.exe can use.
    2. Open a Command Prompt and navigate to your class31 directory.
    3. Execute this command: scalpel.exe -c scalpel.conf unknownChunk.raw
    4. A summary of how many files of each type scalpel found is printed in the shell (if everything was done correctly). Read through the output and determine how many files, and of what types, scalpel found; in other words, what data was hidden on this hard drive. A directory called scalpel-output will be created in the class31 directory. Using the file browser, explore the scalpel-output directory and confirm what was reported in the shell about what the file carver "scalpel" was able to retrieve. Then answer the questions on your worksheet. If you got an error instead of scalpel results in the shell (the scalpel command never ends and you get stuck in the shell), you will need to start over. A scalpel-output directory will still have been created. NOTE: Scalpel will not run if it detects a folder called scalpel-output that already exists. If you need to run scalpel again, first delete that folder.
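Added example (not the lab's own code, and not scalpel's): a small Python carver that reads scalpel.conf-style rules matching the header/footer table above and cuts the files out of a constructed chunk of "unallocated space", automating what steps 1 and 2 had you do by hand in frhed. It goes one step beyond the lab text for the footerless wav case by using the length field stored in the RIFF header; the rule lines, filler bytes and fake files are all made up here.

```python
import struct

# Constructed scalpel.conf-style rules (extension, case flag, max size, header,
# footer); NONE marks a footerless type, as the lab table notes for wav.
CONF = """\
png  y  100000  \\x89\\x50\\x4e\\x47  \\x49\\x45\\x4e\\x44\\xae\\x42\\x60\\x82
jpg  y  100000  \\xff\\xd8\\xff\\xe0  \\xff\\xd9
wav  y  100000  RIFF                  NONE
"""

def decode(pat):  # pattern of literal text and \xNN escapes -> bytes
    out, i = bytearray(), 0
    while i < len(pat):
        if pat.startswith("\\x", i):
            out.append(int(pat[i + 2:i + 4], 16)); i += 4
        else:
            out.append(ord(pat[i])); i += 1
    return bytes(out)

def parse_conf(text):
    rules = []
    for line in text.splitlines():
        ext, _case, size, head, foot = line.split()
        rules.append((ext, int(size), decode(head), None if foot == "NONE" else decode(foot)))
    return rules

def carve(blob, rules):
    """Return (ext, start, end) per carved file, end exclusive, sorted by offset."""
    hits = []
    for ext, max_size, head, foot in rules:
        pos = blob.find(head)
        while pos != -1:
            if foot is not None:  # header ... footer, no further than max_size away
                f = blob.find(foot, pos + len(head), pos + max_size)
                end = f + len(foot) if f != -1 else None
            else:  # footerless wav: 8-byte RIFF header plus the length it carries
                end = pos + 8 + struct.unpack_from("<I", blob, pos + 4)[0] if pos + 8 <= len(blob) else None
            if end is not None and end <= len(blob):
                hits.append((ext, pos, end))
            pos = blob.find(head, pos + 1)
    return sorted(hits, key=lambda h: h[1])

# Constructed "unallocated space": filler bytes around three fake files.
PNG = b"\x89PNG" + b"P" * 20 + b"IEND\xae\x42\x60\x82"
JPG = b"\xff\xd8\xff\xe0" + b"J" * 30 + b"\xff\xd9"
WAV = b"RIFF" + struct.pack("<I", 16) + b"WAVEfmt " + b"W" * 8
BLOB = b"\x00" * 10 + PNG + b"\x11" * 5 + JPG + b"\x22" * 7 + WAV + b"\x33" * 9

def carve_blob():
    return carve(BLOB, parse_conf(CONF))
```

Like scalpel, this only finds files whose header and footer are both present; a wav whose RIFF length field is damaged would be missed or mis-sized, which is where looking at the data by eye still helps.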

C. Web Browser Forensics

Now we turn our attention to the world of internet browsers. Among the more popular browsers are Firefox, Chrome, Safari, Opera, and Internet Explorer. Did you know that these all retain information about what you do online? Now, with our newfound computer forensics expertise, we can see what they save. In general, they each maintain a lengthy history of web sites you visit, cookies web sites give you, stored passwords and form data, and often search terms. Today we'll explore Firefox and Chrome.

Both Firefox and Chrome build a profile for a user. This allows the browser to store all of this information for multiple users on a computer. It's very convenient, but do you want all of this information stored on the computer? We have taken some time to put together a couple of profiles for you to use. Just download and then unzip the files to a location you will remember (see below). The actual profile folder for Chrome is called Default and the Firefox profile is called ebkkqy8u.default.
Save the below files to the directory you created.

For each of the two downloaded browser profile files, right-click on the file and extract all files.

The tools we'll use for this activity come from the same author. FoxAnalysis and ChromeAnalysis are sister tools that accomplish the same thing for different browsers. They each attempt to load the profile of the user, and then parse the information.

We need a tool to help us, because the data is stored in sqlite3 database format, which is not readable to the average human. Because the task is well understood on a small scale, we can build a tool that helps automate the task for larger data sets. First we will analyze the Firefox profile.

  1. Run the FoxAnalysis program. Select File ⇒ New Case.
  2. In the window that opens, click on the ellipsis to navigate to the Firefox profile you downloaded from above. Select the ebkkqy8u.default folder within the Firefox Profile folder.
  3. Click on the Check Files button just below. This will verify that you have the required sqlite files in the profile directory. Close the window when all files have been found.
  4. Click Next three times.
  5. Click Extract.
  6. Click Finish.
  7. Analyze the history, bookmarks, cookies, downloads, form history, and logins for any suspicious activity.
  8. Example FoxAnalysis Results:
  9. Repeat the above process for ChromeAnalysis, except that when you navigate to the Chrome profile, select the Default folder within the Chrome Profile folder.
  10. Example ChromeAnalysis Results:
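Added example (not the lab's code, and not how FoxAnalysis or ChromeAnalysis are implemented): reading browser history straight out of the sqlite3 databases the tools parse for you. The table and column names are those of Firefox's places.sqlite and Chrome's History database, but the two in-memory databases below are constructed stand-ins with only the columns used, and the URLs and timestamps are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# The two browsers count time from different epochs, both in microseconds.
def firefox_time(us):   # places.sqlite: microseconds since 1970-01-01 UTC
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)

def chrome_time(us):    # Chrome History: microseconds since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)

def firefox_history(db):
    """(url, title, visit time) per visit, newest first, from places.sqlite tables."""
    rows = db.execute("""SELECT p.url, p.title, v.visit_date
                         FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
                         ORDER BY v.visit_date DESC""")
    return [(url, title, firefox_time(t)) for url, title, t in rows]

def chrome_history(db):
    """(url, title, last visit) per URL, newest first, from the Chrome History db."""
    rows = db.execute("SELECT url, title, last_visit_time FROM urls ORDER BY last_visit_time DESC")
    return [(url, title, chrome_time(t)) for url, title, t in rows]

def sample_firefox_db():
    """Constructed in-memory stand-in for places.sqlite (reduced to the columns used)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.org/', 'Example Domain');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1299000000000000);
        INSERT INTO moz_historyvisits VALUES (2, 1, 1298990000000000);
    """)
    return db

def sample_chrome_db():
    """Constructed in-memory stand-in for Chrome's History database (reduced)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/', 'Example', 12943473600000000);
    """)
    return db
```

On a real profile, copy places.sqlite or History out of the profile folder first (a running browser keeps them locked) and open the copy read-only with sqlite3.connect("file:places.sqlite?mode=ro", uri=True) so the evidence is not modified.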

D. Trace an Email

Email is one of the most common forms of communication today. While older forms of communication required the presence and participation of two parties, email is more asymmetric in nature. Email makes use of the SMTP protocol, meaning that it follows a prescribed set of rules, which makes it predictable and simple to understand. Today we're going to look at a couple of emails and determine whether each is legitimate or spam. The basis for this analysis will come from the header of the email. An email header contains information from every Mail Transfer Agent it comes in contact with on its route to the destination. This can be very helpful when putting together the path it traveled.

First examine this email: Email 1. If we start from the bottom of the email, you'll see several large chunks of data that look like some sort of encoding. These are images being sent through email. All attachments are encoded in the base64 format for transfer. Before each chunk you can actually see the file name, used when the attachment gets reconstituted on the receiving end. If you scroll up past the images, you'll eventually arrive at the actual text of the message. Interesting, but this rarely helps with attribution.

As you move up the email, you can see the following fields and their meaning:

Field         Meaning
Message-ID    A unique message ID as it transits SMTP servers. This is used to avoid duplication of messages.
From          The address the sender filled in here. This could be made up!
To            This is the destination address.
X-Mailer      The mail client (program) from which the email was sent.
Subject       The subject of the email.
Reply-To      This is the address the "reply" button usually uses. The sender can fill this in with whatever he wants!
Received      These fields indicate the location and time of receipt of this email by a mail server. The top Received is closest to you, while the lowest Received is closest to the sender.
Return-Path   This is the address delivery error (bounce) messages should be sent to.

Typically, we want to follow the path of Received headers. This represents a very real path that the email took, and it is nearly impossible to forge. Examine the fields described above in email #1.
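Added example (not part of the lab, and not the lab's Email 1 or Email 2): a Python script that pulls the Received lines out of a raw message in the top-down order the table describes, reverses them into the path the mail actually travelled with the seconds spent at each hop, and compares the From, Reply-To and Return-Path addresses the sender controls. The message, hostnames, addresses, ids and dates are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message (hostnames, addresses, ids and dates are all made up).
RAW = """\
Return-Path: <bounce@example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123;
\tTue, 1 Mar 2011 10:05:00 -0500
Received: from [192.0.2.200] (unknown [192.0.2.200])
\tby mx.example.net with SMTP id xyz789;
\tTue, 1 Mar 2011 10:04:30 -0500
Message-ID: <1234@example.net>
From: Bob <bob@example.com>
Reply-To: <someone-else@example.net>
To: alice@example.org
Subject: hello

body text
"""

HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")

def received_hops(raw):
    """Received lines top-down: the first was added by the server nearest you,
    the last by the server nearest the sender, so trust decreases going down."""
    hops = []
    for line in message_from_string(raw).get_all("Received", []):
        m = HOP.search(line)
        if m and ";" in line:  # the date follows the last semicolon
            when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
            hops.append({"from": m.group(1), "by": m.group(3), "time": when})
    return hops

def path_summary(raw):
    """Origin host and (receiving server, seconds since previous hop) in travel order."""
    hops = received_hops(raw)[::-1]
    steps = [(cur["by"], int((cur["time"] - prev["time"]).total_seconds()))
             for prev, cur in zip(hops, hops[1:])]
    return (hops[0]["from"] if hops else None), steps

def sender_fields(raw):
    """From, Reply-To and Return-Path addresses, plus whether their domains agree
    (the lab notes the sender can fill in From and Reply-To freely)."""
    msg = message_from_string(raw)
    fields = {k: parseaddr(msg.get(k, ""))[1] for k in ("From", "Reply-To", "Return-Path")}
    fields["consistent"] = len({a.split("@")[-1] for a in fields.values() if a}) == 1
    return fields
```

A large jump in time between two hops, or a hop whose "from" host does not match the "by" host of the line below it, is the kind of seam to look for when judging where a message really originated.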

Now, investigate Email 2 and see if you can determine where it originated from.