Data Acquisition and Verification


This lab deals with the acquisition and verification of data from a target hard disk and from an image file (dd file). There are many ways in which data can be acquired from a target machine, but in this instance we are using a disk that is directly connected to the analysis machine. We are not using a write blocker in this tutorial due to the physical limitations of the lab environment. Please note that this is NOT standard practice, and normally a hardware write blocker is necessary.

CAINE has a policy of not mounting non-CAINE-related disks, and when a disk is found, mounting should be performed in a strict read-only manner. In this lab, we will work with the disk that is attached to the machine; the device is listed in the /dev/ directory, and we also use a raw image (dd file) located in the /images directory.

Note that in CAINE, which is Ubuntu based, there is no password for root. You log in as user "caine" with password "caine". To do things as root you use "sudo command", where command is what you want to run as root. For example:

   sudo su -                   become root
   sudo mkdir /root/test       create a directory as root in /root/test

Question 1: Connect USB pen drive

Click the button to connect the USB thumb drive you will be analysing to your virtual machine. It will be connected as device "/dev/sdd".

Tests - not attempted
Successfully connected USB drive UNTESTED

Question 2: Initial Verification of Media

Create directory /home/caine/evidence where you will save all the evidence from your investigation. Make sure the user "caine" owns the directory, and it is in the appropriate group.

Before we perform any activities in relation to the suspect disk, we need to make an initial set of integrity hashes of the device /dev/sdd and of the dd image file called CBarrow.dd. Calculate a hash signature for /dev/sdd and for CBarrow.dd using the md5sum command, and save the output into two separate files called sdd.hash and CBarrow.hash (put both files into the /home/caine/evidence directory).

Tests - not attempted
/home/caine/evidence exists UNTESTED
Hash Present for /dev/sdd UNTESTED
Hash Present for CBarrow UNTESTED

Question 3: Activity 2: mmls and fsstat

This activity will introduce you to the tools required in order to analyse the partitions that are present on the disk. These tools are mmls and fsstat.

They are part of The Sleuth Kit http://www.sleuthkit.org, which is a set of command line tools designed for digital investigations. Before using these tools, please read about them by following these links:

    mmls command
    fsstat command

Perform an initial analysis of the disk and CBarrow.dd image with mmls.

What is the total size (in Bytes) of the disk and dd image?
sdd size (bytes):
dd size (bytes):

Tests - not attempted
sdd Size UNTESTED
dd Size UNTESTED

What is the size (in Bytes) of each partition on the disk and the dd image?
sdd partition 1 size (bytes):
dd partition 1 size (bytes):

Tests - not attempted
sdd Partition Size UNTESTED
dd Partition Size UNTESTED

What are the start and end sectors of the last region of unallocated space on the CBarrow.dd image? Do not include leading "0" characters in your answer.
Start Sector:
End Sector:

Tests - not attempted
Start Sector UNTESTED
End Sector UNTESTED

Question 4: Perform a partition analysis with fsstat

Use fsstat command to analyse disk and CBarrow.dd image.

Hint: Use fsstat command with and without the '-o 63' switch.

What was the importance of supplying 63 after the -o switch?

Tests - not attempted
Sector info UNTESTED

What is the type of a file system installed on each partition?

sdd partition 1 :
dd partition 1 :

Tests - not attempted
sdd partition 1 type UNTESTED
dd partition 1 type UNTESTED

From the fsstat output for the CBarrow.dd image: in which cluster is the MFT located?
First MFT:

Tests - not attempted
MFT cluster UNTESTED

What operating system is installed on the CBarrow.dd image?

Tests - not attempted
OS Installed UNTESTED

Question 5: Creating an image of the entire drive with dcfldd

This activity will show you how to make an image of an entire drive using the tool dcfldd. You will make an image of the device /dev/sdd.

Before you begin, read the documentation for dcfldd, and familiarise yourself with the following options by going to the following URL (make notes on the next page if necessary):

   dcfldd command

Execute the following command:

    dcfldd if=/dev/sdd of=/home/caine/evidence/sdd.dd bs=512 hashlog=/home/caine/evidence/sdd_Hash.hash

Verify that the hash value in the sdd_Hash.hash file is the same as the hash value you recorded in Activity 1.
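The following script is an added example, not part of the lab: it walks through the acquire-and-verify cycle of Question 2 and Question 5 against a constructed sample "device" file, so it runs without a USB drive or dcfldd. It assumes a scratch directory (created with mktemp) standing in for /home/caine/evidence and a small constructed file standing in for /dev/sdd; the copy is made with dd rather than dcfldd, so the image hash is computed with a second md5sum instead of dcfldd's hashlog= option. The verification step compares only the hash field of the two md5sum output lines, because the recorded paths (device versus image) differ.

```shell
#!/bin/sh
# Added example (not part of the lab): acquire a constructed sample "device"
# with dd, hash source and image with md5sum, and verify the hashes match.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch dir standing in for /home/caine/evidence
DEVICE="$WORK/fake_sdd.img"      # constructed stand-in for /dev/sdd
IMAGE="$WORK/sdd.dd"             # acquired image, as in the lab's dcfldd command

# Build a small constructed "disk": 64 sectors of zeros with a recognisable
# marker in sector 0, so the acquisition copies something non-trivial.
make_sample_device() {
    dd if=/dev/zero of="$DEVICE" bs=512 count=64 2>/dev/null
    printf 'CONSTRUCTED SAMPLE DISK' | dd of="$DEVICE" bs=1 conv=notrunc 2>/dev/null
}

# Hash a file or device the way the lab hashes /dev/sdd and CBarrow.dd,
# saving the md5sum output line ("<hash>  <path>") to a .hash file.
record_hash() {  # $1 = input path, $2 = output hash file
    md5sum "$1" > "$2"
}

# Acquire sector by sector. conv=noerror,sync keeps going past read errors
# and pads the bad sector, so the image stays sector-aligned with the source.
acquire() {
    dd if="$DEVICE" of="$IMAGE" bs=512 conv=noerror,sync 2>/dev/null
}

# Compare two hash files by the hash field only (the paths differ).
# Prints MATCH or MISMATCH and returns 0 or 1 accordingly.
hashes_match() {  # $1, $2 = hash files
    h1=$(cut -d' ' -f1 "$1")
    h2=$(cut -d' ' -f1 "$2")
    if [ "$h1" = "$h2" ]; then
        echo "MATCH $h1"
        return 0
    fi
    echo "MISMATCH $h1 != $h2"
    return 1
}

# Full cycle: baseline hash of the source before anything else touches it,
# acquisition, hash of the image, comparison.
run_acquisition() {
    mkdir -p "$WORK"
    make_sample_device
    record_hash "$DEVICE" "$WORK/sdd.hash"       # baseline (Question 2)
    acquire                                      # imaging (Question 5)
    record_hash "$IMAGE" "$WORK/sdd_Hash.hash"   # hash of the acquired image
    hashes_match "$WORK/sdd.hash" "$WORK/sdd_Hash.hash"
}

run_acquisition
```

On the real lab machine the same sequence is `md5sum /dev/sdd > /home/caine/evidence/sdd.hash` before any other activity, then the dcfldd command above, then a comparison of sdd.hash with sdd_Hash.hash; the directory should also be owned by the caine user (chown caine:caine), which the sandbox version skips because that user does not exist there. If even one byte of the image differs from the source, the MD5 values diverge completely, which is what the comparison is there to catch.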

Are the hash values the same?

Tests - not attempted
sdd.dd created UNTESTED
sdd.hash created UNTESTED
hash check UNTESTED

Why is this important?

Tests - not attempted
Importance? UNTESTED

Question 6: Image verification in Autopsy (refer to Lab 1)

Open the CBarrow.dd image in Autopsy (refer to Lab 1). Identify the case using the name "cbarrow1" (plus a suitable description), and with host "cbarrow". Add the image as a Disk, and import it as a symlink. Use the hash in question 1 to validate the image when adding it to Autopsy, by having the add-image step calculate the hash.

Tests - not attempted
Autopsy running on port 9999 UNTESTED
Case file exists for 'cbarrow1' UNTESTED
Case file has a description UNTESTED
Host file exists for 'cbarrow' UNTESTED
Image has been symlinked UNTESTED
Image parameters are correct UNTESTED

Click on Analyse, and Analyse the whole Disk. Then select Image Details. How big is the Meta entry for slot 00 in bytes?
Meta Size:

Tests - not attempted
Meta Size UNTESTED

The output from the Image Details is similar to which tool?

Tests - not attempted
Which Tool UNTESTED

Why are certain buttons greyed out and not available?

Tests - not attempted
Why grey UNTESTED

Click the close button.

Then select the partition labelled C: and click on the Analyze button.

Click on the Image Details button.

The output from the Image Details is similar to which tool?

Tests - not attempted
Which tool UNTESTED

Question 7: Manual verification of MBR

A disk that is organized using DOS partitions has an MBR in the first 512-byte sector. The MBR contains boot code, a partition table, and a signature value. The boot code contains the instructions that tell the computer how to process the partition table and locate the operating system. The partition table has four entries, each of which can describe a DOS partition.

The first 446 (0x1be) bytes contain boot code. The next 64 (0x40) bytes contain the four partition table entries (16 bytes each). The last 2 bytes contain the signature value 0xAA55. On disk the bytes appear reversed (55 aa) because the value is stored in little-endian order.

To analyse MBR execute the following command:

    sudo dd if=/images/CBarrow.dd bs=512 skip=0 count=1 | xxd

MBR Analysis:

At offset 440 (0x1b8), for a length of 4 bytes is the Windows Disk signature. This is unique for a drive and can be considered to be a forensic artifact. This value is stored in the registry, under "Mounted Devices", and can be used to match a hard drive to a computer, even if the data has been deleted/wiped.

What is the Windows Disk signature for CBarrow.dd? Use the format "**** ****", e.g. "ffff ffff". Keep it in its native endian.

Tests - not attempted
Windows Disk Signature UNTESTED

At offset 446, for a length of 1 byte, is a value which states whether the partition is active or not. In this example the value is set to "80", which means the partition is active.

At offset 450, for a length of 1 byte, is the partition type indicator. This tells the computer what type of partition to expect, NTFS, FAT32, EXT2, etc. Each partition type has its own unique number. In this case it is 0x7, which indicates NTFS.

At offset 454 the location of the partition is given. A single byte at offset 454 states the number of sectors before the start of the partition, counting from the MBR. In this example, and in most "standard" systems, the value is 0x3F. 0x3F in hex is 63 in decimal. This means that the partition starts at sector 63.

At offset 458, for a length of 4 bytes, is the size of the first partition, in sectors.

What is the hex value of the partition size? Format your answer using lower case hex and include the leading 0x, e.g. 0x123456.

Tests - not attempted
Partition Size UNTESTED

Conversion of this value will provide the size of the volume in sectors (not bytes or clusters).

This value first needs to be converted from little endian to big endian and then it needs to be converted in to decimal.
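As an added example (not part of the lab), the script below builds a constructed 512-byte MBR with the layout described above and then extracts each field the exercise reads by hand: the disk signature at 440, the active flag at 446, the type byte at 450, the start and size at 454 and 458, and the 55 aa signature at 510. It assumes a temporary file standing in for "dd if=/images/CBarrow.dd bs=512 count=1", and the sample values in it (disk signature de ad be ef, size 0x001ffdc1 sectors) are constructed, not taken from CBarrow.dd. Note that the start field, like the size field, is a 4-byte little-endian value; for a start of sector 63 it reads 3f 00 00 00, which is why looking at the single byte at offset 454 gives the answer in the lab. The little-endian to big-endian step is done by reversing the byte order, and the decimal conversion by shell arithmetic; the resulting start sector is exactly the number you give fsstat with -o.

```shell
#!/bin/sh
# Added example (not part of the lab): build a constructed MBR and parse the
# fields the exercise reads by hand, converting little-endian values.
set -eu

MBR="${MBR:-$(mktemp)}"   # stand-in for the first sector of /images/CBarrow.dd

# Write a 512-byte MBR. Constructed values: disk signature de ad be ef,
# one active (0x80) NTFS (0x07) partition starting at LBA 63 with a size of
# 0x001ffdc1 sectors, stored on disk as c1 fd 1f 00 (little-endian).
build_sample_mbr() {
    {
        dd if=/dev/zero bs=1 count=440 2>/dev/null   # 0-439: boot code area (zeros here)
        printf '\336\255\276\357'                     # 440-443: Windows disk signature
        printf '\000\000'                             # 444-445: reserved
        # 446-461: entry 1 = 80 | CHS start | 07 | CHS end | LBA start | size
        printf '\200\001\001\000\007\376\377\377\077\000\000\000\301\375\037\000'
        dd if=/dev/zero bs=1 count=48 2>/dev/null    # 462-509: entries 2-4, empty
        printf '\125\252'                             # 510-511: boot signature 55 aa
    } > "$MBR"
}

# Raw bytes at an offset, as space-separated hex in on-disk (native) order.
field_hex() {  # $1 = byte offset, $2 = length
    od -An -tx1 -j "$1" -N "$2" "$MBR" | tr -s ' \n' ' ' | sed 's/^ *//; s/ *$//'
}

# Reverse the byte order of a little-endian field: "c1 fd 1f 00" -> 0x001ffdc1
le_to_be_hex() {  # $1 = little-endian bytes
    out=""
    for b in $1; do out="$b$out"; done
    echo "0x$out"
}

disk_signature() {                 # native order, in the lab's "**** ****" format
    field_hex 440 4 | sed 's/ //g; s/\(....\)\(....\)/\1 \2/'
}
boot_flag()       { field_hex 446 1; }            # "80" means active
partition_type()  { echo "0x$(field_hex 450 1)"; } # 0x07 = NTFS
boot_signature()  { field_hex 510 2; }            # should read "55 aa"
partition_size_hex_le() { field_hex 458 4; }      # as seen in the xxd dump
partition_size_hex_be() { le_to_be_hex "$(field_hex 458 4)"; }
partition_start()       { echo $(( $(le_to_be_hex "$(field_hex 454 4)") )); }
partition_size_sectors() { echo $(( $(partition_size_hex_be) )); }
partition_size_bytes()   { echo $(( $(partition_size_sectors) * 512 )); }

# Print the same answers the exercise asks for, in order.
report() {
    echo "Disk signature (native):  $(disk_signature)"
    echo "Active flag:              $(boot_flag)"
    echo "Partition type:           $(partition_type)"
    echo "Start sector:             $(partition_start)"
    echo "Size, native hex bytes:   $(partition_size_hex_le)"
    echo "Size, big-endian hex:     $(partition_size_hex_be)"
    echo "Size, sectors:            $(partition_size_sectors)"
    echo "Size, bytes:              $(partition_size_bytes)"
    echo "Boot signature:           $(boot_signature)"
}

build_sample_mbr
report
```

To apply the same functions to the real image, point MBR at a file produced by `sudo dd if=/images/CBarrow.dd bs=512 count=1 of=/home/caine/evidence/mbr.bin` (or at the raw device) before calling them; the size in sectors should then agree with the length column that mmls prints for the partition, which is the check the last question in each set asks for.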

What is the big endian order of the partition size hex value? Again use a format like 0x00345678.

Tests - not attempted
Hex big endian UNTESTED

What is the decimal value of the hex?

Tests - not attempted
Decimal big endian UNTESTED

Is the decimal value the same as shown in mmls command output?

Tests - not attempted
Same as mmls? UNTESTED

Based on the above exercise, inspect the MBR of the sdd disk...

What is the Windows Disk signature? Use the format "**** ****", e.g. "ffff ffff". Keep it in its native endian.

Tests - not attempted
Disk Signature UNTESTED

Is this partition active?

Tests - not attempted
is active? UNTESTED

What is the partition type indicator? Format your answer like 0x00.

Tests - not attempted
Partition Type UNTESTED

What is the partition type? Hint - use Google.

Tests - not attempted
Partition Type UNTESTED

In which sector does the partition start?

Tests - not attempted
Partition start UNTESTED

What is the hex value of the partition size?

Tests - not attempted
Native partition size UNTESTED

What is the big endian order of the partition hex value?

Tests - not attempted
Big endian size UNTESTED

What is the decimal value of the hex?

Tests - not attempted
Decimal Size UNTESTED

Is the decimal value the same as shown in the mmls command output?

Tests - not attempted
Same as mmls UNTESTED

Question 8: Unplug USB pen drive

Click the button to unplug the USB drive you were analysing.

Tests - not attempted
Successfully unplugged USB drive UNTESTED



Copyright @ 2004-2012 Gordon Russell. All rights reserved.