Lab Report 2-Joseph Sobanjo


Lab Report 2

The Investigator’s Office and Laboratory

Course ID: CPS 4498

Student: Joseph So

Instructor: Dr. Jing-Chiou Liou

Due Date: October 13th 2021

CPS5498 Computers Forensics

Lab 2: Investigating Digital Evidence with OSForensics


Description:

In Lab 1 we learned how to use a different digital evidence tool, ProDiscover, a digital forensic program, to preserve evidence and perform a forensic examination on a duplicate of the data, that is, an image of the original source. There are numerous other digital forensic programs besides ProDiscover that can be used to acquire and analyze digital evidence. One of them is OSForensics, which I will be using for Lab 2.

OSForensics is a computer forensics software application. It can be used to gather and analyze information from a multitude of file systems. We can also use it to find information relevant to the inquiry. It can be time consuming because of the load time and the waiting while the evidence it finds is processed.

This lab uses the OSForensics software to acquire an image from the fictitious M57 Patents scenario and afterwards analyzes the evidence obtained from the images. It is important to note that if you are not doing the lab procedures on campus, you may have trouble viewing some results.

System Specifications:

The system used for this lab is a custom PC with an AMD 6700 XT GPU and a Ryzen 7 3700X CPU. I am connected to Wi-Fi using an Ethernet cable.

My OS version is Windows 10 Home 10.0.19042 build 19042, running on an AMD Ryzen 3700X with 32 GB of RAM installed.

Verizon Network Adapter

Geolocation: Off campus, Newark, New Jersey

ISP: Verizon

Procedure:

Lab 2.1 Installing OSForensics and Creating a Work Folder

1. Install OSForensics from the DVD included with the textbook. To run OSForensics, you need to have root privileges. (See page 140 for details.)
Screenshot of the OSForensics tool

2. Create a work folder for all forensics labs on your computer.

a. Create a sub-directory, e.g., Lab2, for this laboratory

Screenshot of the Lab2 sub-directory


3. Download the M57 case files from
http://digitalcorpora.org/corpora/scenarios/m57-patents-scenario. Scroll down to
click the “USB Driver Images” link, and download all four images to your work
folder.

Screenshot of Original files downloaded from scenario


Screenshot of copies of the original files downloaded from scenario

Lab 2.2 Acquiring Evidence with OSForensics


1. In Windows 7 or earlier, click “Start,” “All Programs,” “OSForensics.” In Windows 8, click the “OSForensics” icon on the Start screen.

a. If prompted to allow the program to make changes to your computer, click “OK” or “Yes.”
1. No prompt was shown.

b. In the OSForensics message box, click “Continue Using Free Version,” if necessary.
1. Using the trial version of OSForensics.
2. “Continue Using Free Version” was clicked.

2. In the main window, click “Start” in the left pane, and then click “Create Case” in the right pane.
Screenshot of creating a new case

3. In the New Case box, enter your name. Type M57-USBdrives in the case
name. Fill in the contact information and the organization, and then click
“Investigate Disk(s) from Another Machine.”
Screenshot of New Case Created

4. Click “Customer Location” for the case folder.

Assuming “Custom location”
a. Click the “Browse” button on the lower right.

b. Find and click your “work\Lab2” folder (replace it with your actual path), and click “OK” twice. You should see the Manage Case window (see Figure L2-1).

According to OSForensics, a case cannot be created because the work folder contains the four USB images that were previously retrieved. To get around this issue, I deleted the four image files from the folder and retried the process.
Screenshot of the folder after creating the new case

Screenshot of New case created


I was able to work out Figure L2-1; however, the documents are no longer in the subfolder. I re-filed them in the work folder and proceeded with the next step. When I look at the Manage Case page, I notice the title "M57-USBDrives," the create date, the location, which is my work folder, and the default local drive.

Moving the images back into the work folder reveals that OSForensics generated two new files in the OSFCASE format (.OSFCase). Moving the image files back into the work directory caused no problems or errors, so I believe I am okay to proceed, because I have the essential files in the work folder and my case is created and matches Figure L2-1.
Figure L2-1.
5. Click “Add Device” to open the “Select device to add” window, and then click the “Image File” option button.

Screenshot of “Add Device” Function

a. Click the “Browse” button, and find the work folder where you copied the USB drive image.
So in my case, I will navigate to the work folder.
Screenshot of adding “Charlie-work-usb-2009-12-11.E01”

b. Click “Charlie-work-usb-2009-12-11.E01,” and click “OK.”

6. In the message box asking which partition to use, leave the default setting “use entire image file,” and click “OK.” Click “OK” on the “Select device to add” window.
a. Seeing the message box in step 6, I went ahead and clicked “Use entire image file.”
I noticed that we would be uploading an image file (device), and the destination is on my computer inside the Lab 2 work folder, specifically the file Charlie-work-usb-2009-12-11.

Integrity:

Before proceeding, I feel it would be best to take the hash values of all of the USB files found in the scenario. I'll begin by calculating the hash values of Charlie-Work-USB-2009-12-11.E01.
On Verify / Create Hash, since I am hashing the FULL image, I chose the “Volume” option.

I can grab the hash values of Charlie-work-usb-2009-12-11.

MD5 hash of charlie-work-usb-2009-12-11.E01: 9c0de6c8532d7a66ddcf01861dfb6535
SHA1 hash of charlie-work-usb-2009-12-11.E01: 9c447061522365407af77a0b42b57e8d8b4d78c1
SHA256 hash of charlie-work-usb-2009-12-11.E01: 51bc7df6398b28b698dd4df0e18504f96e2e4c3a57e8aa75dce4e2b21673e659

Moving back to
Screenshot of the copies made of each USB file

7. Click the “Charlie-work-usb-2009-12-11.E01” filename in the bottom pane on the right, and then click the “Open” button on the left to open the File System Browser window.
Here I am using a copy of the image to view the contents, not the original.

a. View the file structure. Do you see anything special? If yes, what is it?
I see that I am able to view emails and other files from this image file, and I can also see dates.
Viewing the contents of charlie-work-usb-2009-12-11.E01.
Email viewed in the opened image file.

b. Close this window now.

8. Click the “File Name Search” button in the left pane of the main window. Type Charlie* in the Search String text box.

a. Does the Start Folder specify Charlie’s USB image file?

Yes, it does.
b. On the far right, click the “Search” button.

Results of the search after using the filter “Charlie”

c. How many files do you see? Which one has the earliest time stamp?

93 items were found in total; the earliest time stamp is 17:19:12, which is the first file listed.

File with the earliest time stamp
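Step 8 asks for the number of files matching the pattern and the one with the earliest time stamp. The following Python script is an added example, not part of the original lab or of OSForensics, that answers the same two questions against a constructed directory tree (the file names and timestamps are made up for the example; they are not from the M57 image). It orders by modification time, which a Windows Explorer copy preserves, whereas the creation time of a copied file reflects the copy itself; a search over copied files can therefore name a different "earliest" file than the same search over the mounted image.

```python
import fnmatch
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample tree: names loosely modelled on the lab's "Charlie*"
# search. These are NOT files from the M57 image; timestamps are made up.
SAMPLE_FILES = {
    "Charlie-notes.txt": "2009-12-11T17:19:12",
    "Charlie-2009-12-11.doc": "2009-12-11T18:02:40",
    "mail/Charlie-inbox.eml": "2009-12-11T17:45:09",
    "jo-report.txt": "2009-12-11T16:00:00",  # earlier, but does not match
}


def build_sample_tree():
    """Create the constructed tree in a temp dir and set each file's mtime
    (the timestamp the search orders by). Returns the root path."""
    root = tempfile.mkdtemp(prefix="lab2-")
    for rel, stamp in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        epoch = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (epoch, epoch))  # atime and mtime
    return root


def search_by_name(root, pattern):
    """Walk root, match file names against a wildcard pattern
    (case-insensitive, like the OSForensics search box), and return
    (relative_path, mtime_utc) pairs sorted earliest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name.lower(), pattern.lower()):
                full = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.stat(full).st_mtime, tz=timezone.utc)
                hits.append((os.path.relpath(full, root), mtime))
    hits.sort(key=lambda hit: hit[1])
    return hits


def summarize(hits):
    """Answer the lab's two questions: how many files, and which is earliest."""
    if not hits:
        return {"count": 0, "earliest": None, "earliest_time": None}
    path, mtime = hits[0]
    return {"count": len(hits), "earliest": path,
            "earliest_time": mtime.strftime("%H:%M:%S")}


if __name__ == "__main__":
    tree = build_sample_tree()
    print(summarize(search_by_name(tree, "Charlie*")))
```

The report for the constructed tree counts three matches and names Charlie-notes.txt (17:19:12) as the earliest; jo-report.txt is older but is correctly excluded by the pattern.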


9. Click the “Create Index” button in the left pane to start the Create Index Wizard.

Creating an index with the “Create Index” function

a. In the step 1 window (there are 5 steps in total), click the “Pre-determined File Types” option button, if necessary. Check all the file types listed, and click “Next.”

b. In the step 2 window, click the “Add” button, click “Charlie-work-usb-2009-12-11.E01,” click “OK,” then click “Next.”
Added “Charlie-work-usb-2009-12-11.E01” for indexing

c. In the step 3 window, check “Index all file types” in the Index Title text box, and click “Start Indexing.” The step 4 window flashes by quickly.
The index process will begin after this step is complete

d. The step 5 window shows the file processing. When the indexing is finished, click “OK” in the message box, even if it shows that some errors occurred.

10. Click the “Open Log” button at the lower right of the step 5 window. A new window shows the files that were indexed, any errors that occurred, and a summary of what was done.

The index process is now complete; we will move on to the logs.

This is the window of the “Open Log” (or “Show Logs”) function.

a. Examining the summary, can you draw any conclusions of your own?

From what I was able to see, I was able to open some files, but not all. I think some files may be encrypted, so further access is needed to view these files.

b. Close the window.

11. Click the “Manage Case” button in the left pane. Notice that the index is now listed in the bottom pane on the right. Scroll to the bottom of the left pane, and click “Exit” to close OSForensics.
We can see the created index when we view the “Manage Case” section.

Hash Verification:
These are the hash values collected at the start of the lab:

MD5 hash of charlie-work-usb-2009-12-11.E01: 9c0de6c8532d7a66ddcf01861dfb6535
SHA1 hash of charlie-work-usb-2009-12-11.E01: 9c447061522365407af77a0b42b57e8d8b4d78c1
SHA256 hash of charlie-work-usb-2009-12-11.E01: 51bc7df6398b28b698dd4df0e18504f96e2e4c3a57e8aa75dce4e2b21673e659

This is the verification of the hash values for charlie-work-usb-2009-12-11.E01:

MD5 hash check of charlie-work-usb-2009-12-11.E01
SHA1 hash check of charlie-work-usb-2009-12-11.E01
SHA256 hash check of charlie-work-usb-2009-12-11.E01
Hash verification process for charlie-work-usb-2009-12-11.E01
Replication of the procedure for the 3 other files

These are the hash values taken before the index process for jo-favorites-usb-2009-12-11 - Copy.E01:

MD5: ad1d03cbdb8d81e918899479360f50dc
SHA-1: 7da02a13f0effab5fdb02fe82d3596cc3a10aa2f
SHA-256: 693bbb82163bbd017984e09a2f2e225cf8ad0d5a81bf8cec9ef888465b6558b5

I created an index for jo-favorites-usb-2009-12-11 - Copy.E01; some of the files could be opened, but others need further access to view.
Hash verification for jo-favorites-usb-2009-12-11 - Copy.E01

These are the hash values taken before the index process for jo-work-usb-2009-12-11 - Copy.E01:

MD5: 8f23279deb398c3245829a98bc8fc1bd
SHA-1: 9a2933b2391e5994745710ab317c702b82a9b141
SHA-256: fa2af1590f3e0ad12969660dc68b3499f49a070773d9d824ee02db24a14c3be8

I created an index for jo-work-usb-2009-12-11 - Copy.E01; some of the files could be opened, but others need further access to view.
Hash check for jo-work-usb-2009-12-11 - Copy.E01
Hash verification for jo-work-usb-2009-12-11 - Copy.E01

These are the hash values taken before the index process for terry-work-usb-2009-12-11 - Copy.E01:

MD5: e07f26954b23db1a44dfd28ecd717da9
SHA-1: 5ac072fe65d67a9cc03e8003bdd4d60945680dec
SHA-256: 60e3a30c234c4a7ea001c581bfa35d23447ada9d27ecc8e1ffbae677e9a9c279

I created an index for terry-work-usb-2009-12-11 - Copy.E01; I was able to view some files but not all. This one took longer than the others to index.
Hash check for terry-work-usb-2009-12-11 - Copy.E01
Hash verification for terry-work-usb-2009-12-11 - Copy.E01
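The Integrity and Hash Verification sections above record MD5, SHA-1 and SHA-256 values for each image before indexing and check them again afterwards. The Python script below is an added example, not part of the original lab or of OSForensics, that automates the same baseline-and-verify routine: it streams each image once to compute all three digests, writes them to a JSON baseline, and later re-hashes and reports any digest that no longer matches. The file names, the stand-in "image" contents and the baseline.json path are constructed for the example. One caveat worth carrying into the report: hashing the .E01 container file on disk (what any file hasher does) and hashing the volume it contains give different values, so note which of the two a baseline holds.

```python
import hashlib
import json
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # the three digests recorded in the lab
CHUNK = 1024 * 1024                      # stream the image; never read it whole


def digest_chunks(chunks, algorithms=ALGORITHMS):
    """Feed every chunk to all hashers in one pass; return {algo: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Digests of an in-memory byte string (handy for known-answer checks)."""
    return digest_chunks([data])


def hash_file(path):
    """Digests of a file on disk, read in CHUNK-sized blocks."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(CHUNK), b""))


def record_baseline(paths, baseline_path):
    """Hash every image once, before any analysis, and write the values out
    as JSON: the equivalent of the lab's 'values taken before index process'."""
    baseline = {os.path.basename(p): hash_file(p) for p in paths}
    with open(baseline_path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)
    return baseline


def verify_against_baseline(paths, baseline_path):
    """Re-hash each image and compare digest by digest against the baseline
    (hex is case-insensitive, so both sides are lower-cased). Per image the
    report reads 'ok', 'MISMATCH(<algos>)', or 'MISSING' if never baselined."""
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    report = {}
    for p in paths:
        name = os.path.basename(p)
        if name not in baseline:
            report[name] = "MISSING"
            continue
        current = hash_file(p)
        bad = [a for a in ALGORITHMS
               if current[a].lower() != baseline[name][a].lower()]
        report[name] = "ok" if not bad else "MISMATCH(" + ",".join(bad) + ")"
    return report


def demo():
    """Constructed walk-through: two tiny stand-in 'images' (not real E01
    data), one of which is written to after the baseline is taken.
    Returns the (before, after) verification reports."""
    work = tempfile.mkdtemp(prefix="lab2-hash-")
    images = []
    for name, content in (("charlie-stand-in.E01", b"abc"),
                          ("jo-stand-in.E01", b"")):
        path = os.path.join(work, name)
        with open(path, "wb") as fh:
            fh.write(content)
        images.append(path)
    baseline = os.path.join(work, "baseline.json")
    record_baseline(images, baseline)
    before = verify_against_baseline(images, baseline)
    with open(images[0], "ab") as fh:  # simulate an accidental write to the image
        fh.write(b"x")
    after = verify_against_baseline(images, baseline)
    return before, after


if __name__ == "__main__":
    print(demo())
```

In the walk-through both stand-ins verify as "ok" immediately after the baseline, and after the single appended byte the first one reports a mismatch on all three digests while the untouched one still verifies; that is the signal that would tell an examiner the working copy no longer matches what was acquired.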

Notes and Suggestions:


• Different computers may have different operating systems and hardware configurations. If you use your own computer for this lab, the above procedure may not be completely applicable. For example, you cannot follow the same procedure on a Mac.
• Make sure that the computer is returned to its original condition. Do not leave a computer in a non-functioning condition.

Lab report:
• Your report should include all information required to be noted in the procedure, any problems/issues you encountered during the lab, and how you resolved them.

This lab was very informative and engaging. I learned how to use the OSForensics tools for analyzing and extracting data from a digital investigation scenario. The lab took me a total of 2 hours to complete. This lab report includes text and images, so it can be replicated if needed. The only problem I ran into was creating a case; I got past the obstacle by removing the files from the Lab 2 folder and re-running the process, which fixed the problem. I then added those files back in and everything worked at an optimal level.
