11: Windows Forensic Exam
Estimated time to complete: Who knows? Clearly I’m unable to estimate these things reliably
Collaboration: Permitted (groups of up to three students may make a single submission together)
As we noted way back in the first lecture, the goal of forensics is to gather artifacts for refinement into evidence that supports or refutes a hypothesis about an alleged crime or policy violation. In this assignment, you will work either alone or in a small group to analyze a provided disk image. You’ll refine the raw disk image into evidence, document your process, and reason about how this evidence supports or refutes your hypotheses about a user’s actions.
Scenario
You are a digital forensic expert retained by the FBI’s elite CRimes Against Zebras ElitE Special Task Force — the CRAZEES. This special group has been formed to combat the growing trend of trafficking in Equus quagga imagery and related paraphernalia for unsavory purposes by the members of NAMZLA and less organized groups. By act of Congress (the Equus Protection Act), possession of realistic imagery of Equus quagga is now a crime, and the act conspiring to possess, or actually possessing an Equus quagga is…well, let’s not go there.
Recently, CRAZEE received a tip that one Mr. Brian Grevy was involved in the electronic trafficking of Equus quagga imagery. After obtaining a search and arrest warrant, they interrogated Mr. Grevy and acquired (among other things) an electronic copy of his computer’s hard drive.
On the basis of the interview and background facts, CRAZEE has tasked you with the following:
- Find evidence that Grevy intentionally stored and/or looked at and/or downloaded images of zebras. Grevy strongly asserted during interrogation that he’s “not into zebras at all.” Seeing lots and lots of evidence supporting this allegation is the only way to persuade a jury (made up of, as you know, computer science professors, TA, and graders). For full credit, find (or rule out) multiple forms of evidence support intentional receipt, possession, viewing, and/or distribution of the contraband imagery.
- The tip that led to Grevy’s arrest came from a man named Shima Uma who was charged with violating the EPA previously. Shima Uma claims that he visited Grevy several times on April 8, 2015, about a week prior to Grevy’s arrest. On each visit, he allegedly brought with him a zebra file on storage device of some kind, connecting the device to Grevy’s computer and transferring the file. Grevy denies these allegations. For full credit, find (or rule out):
- evidence of these visits that day (how many, when, etc?)
- an identifier or identifiers for the device(s)
- the file(s) that were transferred
- the location of the files on the hard drive, or if you believe they were moved to another storage device, possible such locations (and supporting evidence)
- Uma claims that Grevy planned to travel from Santa Cruz, CA to Monterey, CA the week following his arrest for a meeting of other contraband traders, but Grevy denies making any such plans. Find evidence that supports or refutes this claim.
- (Extra credit) Find any other relevant information not covered by the above.
What to do
First, acquire a copy of the image. It’s stored on the Edlab in /nfs/elsrv2/projects5/cs365/s2015/
. You have two choices: an uncompressed version that’s suitable for direct examination on the Edlab machines (case.dd
, 20GB), and a compressed version that you can download and decompress (case.dd.bz2
, 6.1GB).
Then, examine the image using The Sleuth Kit and other tools and techniques that either we’ve learned about or that you’ve found yourself. You are welcome to use any free tool that you find (and believe to be forensically valid), but tools that require a license fee or other payment are out of bounds for this assignment. Most of the tools I demonstrated in lecture are now installed on the EdLab. But I suggest installing them yourself on a local Linux or Mac system or VM, or partnering with someone who can show you how to do so.
Keep careful track of the commands you run and their output. If you use command line tools, I recommend copy/pasting the terminal input and output into a file, and/or redirecting command output to a file. If you are using a graphical tool such as Autopsy, then take frequent screenshots documenting your actions and their results.
What to submit
Your final product should be a single PDF describing your investigative tools, process, and results. Credit will be apportioned roughly as follows:
- 10% tool description: The report should clearly identify the tools (by version or other relevant information) you used, and why you believe the to be forensically valid.
- 30% process description: The report should document the steps you took and their results (positive or negative) while searching for evidence. Include the exact commands you ran and/or textual descriptions of the GUI commands you executed. You may wish to include this information in an appendix to make the main body of the report more readable.
- 40% artifacts/evidence, results, reasoning: The report should explain the issues you considered when doing your forensic analysis, both positive and negative. It should present the artifacts and evidence you acquired (and that you looked for but did not find). The report should also explain your reasoning: why you performed the steps you did, what you expected to find (or not), and how the evidence you found supports or refutes your hypotheses (or how it helped you refine existing hypotheses or generate new ones). Include relevant context and any assumptions you may have made. In sum, the report should state your conclusions and support them with recovered evidence.
- 20% organization and readability: There is no autograder for this assignment: A human being is going to be reading each of these reports! Do not just make a big pot of copypasta from TSK output and dump it into a single, run-on Word document. Your report needn’t be a masterpiece of the English language, but it should be organized, concise, and well written.
If you are working in a group (as noted above: up to three students per group), only one group member should submit the report to Gradescope. Be sure to mark it in Gradescope as a group submission, and be sure that all of your names (and which course, 365 or 590F you are enrolled in) are on the report.
Other information
The NTFS volume may contain copyrighted material. Do not distribute it.
The NTFS volume starts 206,848 sectors into the case.dd
file. If you wanted to extract the list of files in the MFT to a text file, you might use the following command:
fls -rp -o 206848 case.dd > file-list.txt
The file’s SHA1 sum can be computed as follows: sha1sum case.dd
and should be b8e1e6fd771f87d3c075ff8d7971be2eeba3abfa
.
When entered at the terminal, the following is the expected output:
> sha1sum case.dd
b8e1e6fd771f87d3c075ff8d7971be2eeba3abfa case.dd