Anti-Forensic Analysis of A Removable Disk

The document describes a digital forensics lab investigating anti-forensic attacks on a removable disk. Key findings include: 1) The disk contains two corrupted files that cannot be viewed with standard tools, indicating potential data hiding. 2) Further analysis with forensic tools Autopsy and Sleuthkit reveals three hidden files - a document mentioning a drug supplier, an image containing a password, and an encrypted executable. 3) The files were accessed by changing directory entries, file extensions and sizes, and deleting the document to hide contents from standard analysis.

Uploaded by Slaimi Rania
Copyright © All Rights Reserved

Incident Response and Digital Forensics

Lab 4: Anti-Forensic Analysis of a Removable Disk

Lab Objective

This lab deals with the investigation of a set of anti-forensic attacks carried out to hide data on a
removable device. You are asked to analyze forensic evidence (provided as a raw image of a recovered
removable device) seized from a fictional drug-related suspect, to recover the data, and to answer the
questions below.

Step 1: Checking the integrity and the type of the provided evidence

Before conducting an investigation, an investigator should first check the integrity of the provided
evidence and identify its type. To this end, you are asked to:

1. Verify the integrity of the provided evidence file (image.zip).

=> The Linux command md5sum computes and checks MD5 message digests. It is run as follows:
# md5sum [OPTION]... [FILE]

=> The MD5 digest of image.zip is: b676147f63923e1f428131d59b1d6a72.


2. Decompress the archive and identify the type of the obtained file using the Linux command
“file”. What does the digital evidence represent?

=> We have a boot sector (DOS/MBR boot sector) and a floppy disk image (FAT 12-bit).

Step 2: Examining data using the standard Linux tools

In this step, you will try to access the data contained in the provided evidence using only the standard
Linux tools.

3. Mount the provided evidence under the folder /mnt/lab (create that folder first if it does not
exist). Use the Linux command mount, which mounts a file system. It is run as follows:
# mount [-t fstype] [-o options] device mount-point

Take care to choose adequate options that preserve the security of your system and the integrity of
the evidence you are analyzing.

4. Describe the content (files or folders) of the evidence using the Linux command “ls”. How many
files does the evidence seem to contain? Are you able to directly access or view these files?

Hint: pictures can be viewed with the shotwell or eog commands.

5. Can you identify at this stage the potential existence of data hiding attacks? Explain.

=> At this stage, we have noticed two files in the evidence, but their format is corrupted and we
cannot see their contents, which suggests that their contents have been hidden using data hiding
attacks.

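Questions 1 to 3 above (digest check, type identification, read-only mount) carried out in Python, as an added example that is not part of the lab's own material. The function names (md5_of_file, verify_integrity, identify_image, mount_argv, write_sample, sample_floppy) are chosen here; the sample image is constructed, and the expected digest used with it belongs to that sample, not to image.zip. Mounting needs root, so mount_argv only builds the command line.

```python
"""Steps 1-2 of the lab: verify the evidence digest the way md5sum does,
identify the image type from its first sector the way `file` does, and build
a mount command that cannot alter the evidence. Added example; the sample
image below is constructed for the demonstration."""
import hashlib
import os
import struct
import tempfile

def md5_of_file(path, chunk=1 << 20):
    # Stream the file in 1 MiB blocks so a large image is never loaded whole.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_integrity(path, expected_hex):
    # Case-insensitive compare against the digest supplied with the evidence
    # (the lab quotes b676147f63923e1f428131d59b1d6a72 for image.zip).
    return md5_of_file(path).lower() == expected_hex.lower()

def identify_image(path):
    """A DOS/MBR boot sector ends in 0x55AA at offset 510; a FAT12 BIOS
    Parameter Block carries bytes/sector at offset 11 and the file-system
    label at offset 54. Anything else is reported as unknown."""
    with open(path, "rb") as f:
        sector = f.read(512)
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        return "unknown"
    bytes_per_sector, = struct.unpack_from("<H", sector, 11)
    fs = sector[54:62].rstrip(b" ").decode("ascii", "replace")
    return f"DOS/MBR boot sector, {fs or 'FAT'}, {bytes_per_sector} bytes/sector"

def mount_argv(image, mountpoint="/mnt/lab"):
    """Command line for question 3: loop-mount the raw image read-only so the
    evidence (and its digest) stays unchanged, with noexec/nosuid/nodev so
    nothing on the suspect's disk can execute or act as a device node."""
    return ["mount", "-t", "vfat", "-o", "ro,loop,noexec,nosuid,nodev", image, mountpoint]

def write_sample(data):
    # Constructed stand-in for the evidence file, written to a fresh temp dir.
    path = os.path.join(tempfile.mkdtemp(), "image.raw")
    with open(path, "wb") as f:
        f.write(data)
    return path

def sample_floppy():
    # Minimal constructed boot sector: jump, BPB with 512 bytes/sector,
    # "FAT12" label and the 0x55AA signature.
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<H", sector, 11, 512)
    sector[54:62] = b"FAT12   "
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

if __name__ == "__main__":
    path = write_sample(sample_floppy())
    print(md5_of_file(path), identify_image(path))
    print(" ".join(mount_argv(path)))
```

The mount options are the answer to the "adequate options" remark in question 3: ro keeps the image byte-for-byte identical (so md5sum still matches after the analysis), loop exposes the file as a block device, and noexec, nosuid and nodev ensure that an executable or device node planted on the suspect's disk has no effect on the analysis machine.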
Step 3: Installing forensic tools

In this step, you are in charge of installing Sleuthkit and Autopsy, which are forensic tools useful for
conducting investigations.

6. Install the Sleuthkit tool, a library and collection of command line tools that let you
investigate the file systems and volumes of a computer.

# apt-get install sleuthkit

7. After installation, run the following command to verify that the tool was installed correctly and to
display its version:

# mmls -V

8. Install the Autopsy tool, a graphical interface to the digital investigation tools in the Sleuth
Kit.

# apt-get install autopsy

9. Start Autopsy using the following command: “./autopsy”


Step 4: Analyzing the evidence files using Autopsy

During this step, you will use the previously installed tool Autopsy to analyze the provided evidence. To
this end, conduct the following steps.

10. Once Autopsy is started, open the given link “http://localhost:9999/autopsy” in a web browser.
Proceed with the configuration using the wizard: create a case, add a host, and add the image file
by specifying its location (its path on the disk), its type (select: partition), and the import
method (select: copy).

11. Determine the information returned by the “image details” and “sector allocation list” features of
Autopsy.

12. Identify the contents of the File Allocation Table (FAT). Which sectors are allocated?

13. Examine the evidence content by selecting ‘File analysis’. How many files does it seem to
contain?

14. Analyze the document file by selecting the corresponding directory entry number (#5).
● Does the file type match the extension?
=> The file type does not match the extension.
● How many sectors are occupied by the file? Is the information consistent with its size?
=> The file occupies 40 sectors. Each sector is 512 bytes, so the 40 sectors total 20480 bytes,
which corresponds to the size of the file.
● What actions could have been done to this file to make it unreadable using system commands when
you mounted the evidence previously?
=> This file has been deleted: we see that directory entry 5 is not allocated.

15. Examine the executable file by selecting the corresponding directory entry number.
● Does the file type match the extension?
=> The file type does not match the extension.
● How many sectors are occupied by the file? Is the information consistent with its size?
=> 2 sectors are taken up by this file, which means that its size should be 1024 bytes, but it is
reported as 1000.
● According to the FAT contents, which sectors are allocated to this file?
=> According to the FAT contents, sectors 104 to 108 are assigned to this file.

16. Analyze the picture file by selecting the directory entry number (#8).
● What about the file name?
● Which sectors are occupied by the file? Do you notice something suspicious?
=> The file occupies a single sector, sector 451, but the file size is 15585 bytes. This means that a
data hiding attack has been carried out on this file.
● Check that sector 451 was not allocated in the File Allocation Table (FAT).
● Is the information related to the number of sectors physically occupied by the file consistent
with its size?
=> No; according to the file size information, this file should occupy 31 sectors.
● Which actions could have been done to this file to make it inaccessible?
=> The directory entry was changed to point at sector 451, which is marked EOF.
● According to the FAT contents, which sectors are allocated to this file?
=> According to the FAT contents, sectors 73 to 103 are assigned to this file.

Step 5: Conducting file recovery using autopsy

In this step, you will be asked to extract and recover the three files identified previously.

17. Based on the conclusions identified previously, try to extract the three identified files by
executing the following steps:
● Select “Data unit”.
● Identify the sector number at which the file starts.
● Identify the number of sectors occupied by this file.
● Select “view”, then display “ASCII strings”. What can you see? (For the image, display the ASCII
strings of the last sector (103).)
● Export the document by selecting “Export contents”.
● Try to open the exported document.

=> The doc file occupies sectors 33 - 72.
=> The image file occupies sectors 73 - 103.
=> The executable file occupies sectors 104 - 108.

● The doc file:
● The image file:
● The executable file:

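The checks you perform by hand in Autopsy for questions 11 to 17 (directory entry versus FAT chain, sectors versus size, content versus extension, and the raw "Data unit" export), as an added Python example that is not the lab's or Autopsy's code. It parses a FAT12 root directory and FAT directly. The image is constructed to mimic the lab's three files, so the sector numbers match the answers above; the function names (analyse, carve, build_image and the helpers) and the magic-byte table are this example's own.

```python
"""FAT12 consistency checks for questions 11-17. Added example, not the lab's or
Autopsy's code; the image is constructed to mimic the lab's three files (deleted
.doc, .jpg whose entry points at an EOF-marked sector, .exe that is really a zip)."""
import math, struct

SECTOR = 512
FAT0, ROOT0, DATA0 = 1, 19, 33   # 1.44 MB floppy: FAT at sector 1, root dir at 19, data from 33
MAGIC = {b"\xFF\xD8\xFF": "jpg", b"PK\x03\x04": "zip", b"\xD0\xCF\x11\xE0": "doc"}

def sector_of(cluster):          # cluster 2 is the first data sector
    return DATA0 + cluster - 2

def fat_get(img, n):             # FAT12: 12-bit entries packed 1.5 bytes apart
    off = FAT0 * SECTOR + n + n // 2
    v = img[off] | (img[off + 1] << 8)
    return v >> 4 if n & 1 else v & 0x0FFF

def fat_set(img, n, val):
    off = FAT0 * SECTOR + n + n // 2
    if n & 1:
        img[off] = (img[off] & 0x0F) | ((val & 0x0F) << 4)
        img[off + 1] = val >> 4
    else:
        img[off] = val & 0xFF
        img[off + 1] = (img[off + 1] & 0xF0) | (val >> 8)

def chain(img, start):           # follow the FAT until an EOF, free or bad marker
    seen, n = [], start
    while 2 <= n < 0xFF0 and n not in seen:
        seen.append(n)
        n = fat_get(img, n)
    return seen

def sniff(img, cluster):         # what "file" would say about the first bytes
    head = bytes(img[sector_of(cluster) * SECTOR:sector_of(cluster) * SECTOR + 4])
    return next((t for m, t in MAGIC.items() if head.startswith(m)), "unknown")

def carve(img, first_sector, count):   # Step 5 "Data unit" export: raw sectors by number
    return bytes(img[first_sector * SECTOR:(first_sector + count) * SECTOR])

def analyse(img):
    findings, referenced = {}, set()
    for idx in range(224):
        off = ROOT0 * SECTOR + 32 * idx
        raw = bytes(img[off:off + 11])
        if raw[0] == 0:                   # no more entries
            break
        deleted = raw[0] == 0xE5          # first byte overwritten on delete; shown as "_" like TSK
        name = (b"_" + raw[1:8] if deleted else raw[:8]).rstrip().decode()
        ext = raw[8:].rstrip().decode().lower()
        start, size = struct.unpack_from("<HI", img, off + 26)
        expected = math.ceil(size / SECTOR)
        issues = []
        kind = sniff(img, start)
        if kind not in ("unknown", ext):
            issues.append(f"content looks like {kind} but extension is .{ext}")
        if deleted:
            issues.append(f"entry #{idx} deleted; {expected} sector(s) from {sector_of(start)} may still hold data")
        else:
            ch = chain(img, start)
            referenced.update(ch)
            if len(ch) != expected:
                issues.append(f"FAT chain from sector {sector_of(start)} covers {len(ch)} sector(s), size {size} needs {expected}")
        findings[f"{name}.{ext.upper()}"] = issues
    orphans = []                          # allocated chains that no live entry reaches
    for n in range(2, 2 + 2880 - DATA0):
        if n not in referenced and fat_get(img, n) != 0:
            ch = chain(img, n)
            referenced.update(ch)
            orphans.append((sector_of(n), len(ch), sniff(img, n)))
    return findings, orphans

def build_image():
    img = bytearray(2880 * SECTOR)
    struct.pack_into("<HBHBHHBH", img, 11, SECTOR, 1, 1, 2, 224, 2880, 0xF0, 9)  # BPB
    img[510:512] = b"\x55\xAA"
    fat_set(img, 0, 0xFF0); fat_set(img, 1, 0xFFF)   # media descriptor entries
    def lay(start, data, n, link=True):   # n sectors of data from cluster start
        for i in range(n):
            s = sector_of(start + i) * SECTOR
            img[s:s + SECTOR] = data[i * SECTOR:(i + 1) * SECTOR].ljust(SECTOR, b"\0")
            if link:
                fat_set(img, start + i, start + i + 1 if i < n - 1 else 0xFFF)
    def entry(idx, name, start, size):
        e = ROOT0 * SECTOR + 32 * idx
        img[e:e + 11] = name
        img[e + 11] = 0x20                # archive attribute: an ordinary file
        struct.pack_into("<HI", img, e + 26, start, size)
    lay(2, b"\xD0\xCF\x11\xE0supplier notes", 40, link=False)  # deleted doc: FAT released
    entry(0, b"\xE5IMMY   DOC", 2, 20480)
    lay(42, b"\xFF\xD8\xFF\xE0cover page", 31)                # real picture at sectors 73-103
    fat_set(img, 420, 0xFFF)                                 # decoy: sector 451 marked EOF
    entry(1, b"COVER   JPG", 420, 15585)
    lay(73, b"PK\x03\x04encrypted archive", 5)               # zip at sectors 104-108
    entry(2, b"SCHEDULEEXE", 73, 1000)                       # renamed, size understated
    return img
```

analyse returns the issues found per directory entry plus any allocated FAT chains that no live entry references; an orphaned chain whose length matches a suspicious entry's size (31 sectors at 73-103 here, against the 15585-byte picture whose entry points at sector 451) is exactly what question 16 asks you to locate in the FAT. carve reproduces the "Data unit" export of question 17: reading sectors by number bypasses the directory entry entirely, which is why the deleted document and the re-pointed picture both come back intact.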
18. Based on the content of the recovered files, answer the following questions:
● Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?
=> Jimmy Jungle. His address is 626 Jungle Ave Apt 2, Jungle, NY 11111.
● What crucial data is available within the coverpage.jpg file and why is this data crucial?
=> The crucial data available in the coverpage.jpg file is the password needed to extract the contents
of the zip.
● What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
=> Key, Leetch, Birard, Richter, Hull
● For each file, what processes were taken by the suspect to mask them from others?
=> The doc file was deleted. For the image file, its extension was changed and the starting block in
the root directory entry was changed. For the zip file, it was protected by a password, its extension
was changed, and the size and number of sectors were changed.

19. Which Microsoft program was used to create the picture file? What is your proof? (Proof is the
key to getting this question right, not just making a guess.)

=> The Microsoft program used to create the image file is MS Paint, because the image contains its
signature.
