Image Acquisition Tutorial

This document provides a comprehensive tutorial on forensically acquiring and imaging a USB pen drive, including steps to secure the computer and prevent data corruption using software write blockers. It details the use of USBDeview to identify the USB drive and USB Image Tool to create an image file, along with the importance of documenting the process and verifying the integrity of the image using MD5 checksums. The tutorial also briefly covers the acquisition of a hard drive using a hardware write blocker and Disk2VHD.


ACQUISITION OF A PEN DRIVE

During this tutorial you will be looking at forensically securing your computer so that
you are able to acquire an image of a USB pen drive (the same procedure works for any
USB storage device).
The first thing we need to look at is whether or not the USB drive you have with you
has been used in this PC before. This will hopefully show that the USB drive either
belongs to the person that uses this computer or that it has been used on the
computer at some point.
Every USB storage device reports a vendor ID, a product ID and (normally) a serial
number. Using a combination of these three values we can identify the USB drive you
have in "Evidence" and see if it matches any that has been plugged into the
computer you are investigating. Two caveats: the serial number is only as unique as
the manufacturer made it (some cheap drives share a serial or have none at all, in
which case Windows makes up an instance ID, recognisable by the "&" in its second
character, that differs on every host and so proves nothing), and the USB history on
the computer is only evidence that a device with that identity was connected, not of
who connected it.
The program we are going to use gives us the following information when opened:
- Device name
- Description
- Device type
- If it is currently connected
- A drive letter if it has been assigned one
- Serial Number
- Device (instance) ID
- Vendor ID and Product ID
- Which firmware revision the device reports
- When the device was last plugged in / unplugged
There is other information which you can see for yourself once you open the
program.
On the VLE under USB tools, you will find a program called USBDeview, this is
freeware from NirSoft. Download this piece of software and run it on your computer;
it will take a few moments to load up as it collects the data from the registry's USB
device history, but you should be presented with the application showing a list of
connected / disconnected devices. Bear in mind that running any tool on the machine
under investigation changes its state, so note in your log what you ran and when.
Leave this up for the next part.
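The matching USBDeview lets you do by eye can also be done on the raw registry key paths. The example below is added here and is not part of the tutorial or of USBDeview; it parses key paths laid out like the USB and USBSTOR enumeration branches USBDeview reads, extracts VID, PID and serial, flags Windows-generated instance IDs (the "&" in the second character), and matches an evidence device against the host's history. All key paths and the evidence identity are constructed, not taken from a real machine.

```python
"""Match an evidence USB device against the USB history recorded by a Windows host.

Added example; not part of the original tutorial or of USBDeview. USBDeview builds
its list from the registry branches HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB and
\\Enum\\USBSTOR; the key paths below follow that layout but are constructed, not
taken from a real machine.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# USB\VID_xxxx&PID_xxxx\<instance id>      (instance id = serial, or Windows-generated)
USB_KEY = re.compile(r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\([^\\]+)$")
# USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<lun>
USBSTOR_KEY = re.compile(r"USBSTOR\\Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_([^\\]*)\\([^\\]+)$")


@dataclass(frozen=True)
class UsbIdentity:
    vid: Optional[str]        # hex vendor id, e.g. "0781" (None for the USBSTOR branch)
    pid: Optional[str]        # hex product id
    serial: str               # serial as the host recorded it, upper-cased
    windows_generated: bool   # True when Windows invented the id because the device had none
    source: str               # where the identity came from (registry key or evidence label)


def instance_is_generated(instance_id: str) -> bool:
    """A device with no serial gets an id like '7&2A1B3C4D&0&_&0': '&' in position 2."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def parse_usb_key(key: str) -> Optional[UsbIdentity]:
    m = USB_KEY.search(key)
    if not m:
        return None
    inst = m.group(3)
    return UsbIdentity(m.group(1).upper(), m.group(2).upper(), inst.upper(),
                       instance_is_generated(inst), key)


def parse_usbstor_key(key: str) -> Optional[UsbIdentity]:
    m = USBSTOR_KEY.search(key)
    if not m:
        return None
    inst = m.group(4)
    generated = instance_is_generated(inst)
    # USBSTOR appends "&<lun>" to a real serial; strip it so it compares with the USB branch
    serial = inst if generated else re.sub(r"&\d+$", "", inst)
    return UsbIdentity(None, None, serial.upper(), generated, key)


def parse_history(keys: Iterable[str]) -> List[UsbIdentity]:
    """Turn a list of registry key paths into identities, ignoring keys we don't understand."""
    found = []
    for key in keys:
        ident = parse_usb_key(key) or parse_usbstor_key(key)
        if ident is not None:
            found.append(ident)
    return found


def find_matches(evidence: UsbIdentity, history: List[UsbIdentity]) -> List[UsbIdentity]:
    """History entries that carry the evidence device's serial (and VID/PID where present).

    A Windows-generated id is never a match: the same stick gets a different id on
    every host, so it cannot show that this particular device was connected here.
    """
    if evidence.windows_generated:
        return []
    hits = []
    for h in history:
        if h.windows_generated or h.serial != evidence.serial:
            continue
        if h.vid is not None and (h.vid, h.pid) != (evidence.vid, evidence.pid):
            continue
        hits.append(h)
    return hits


# Constructed sample: two entries for one SanDisk stick, and one device with no serial
SAMPLE_HISTORY_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_5567\4C530001234567891234",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567891234&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_0951&PID_1666\7&2A1B3C4D&0&_&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1E2F3A4B&0&_&0",
]
# Constructed: what USBDeview reports for the stick taken from the evidence bag
EVIDENCE_DEVICE = UsbIdentity("0781", "5567", "4C530001234567891234", False, "evidence item 3")

if __name__ == "__main__":
    for hit in find_matches(EVIDENCE_DEVICE, parse_history(SAMPLE_HISTORY_KEYS)):
        print("seen on host:", hit.source)
```

The SanDisk stick is found twice (once per branch), which is what you would expect and should record both of; the no-serial "Generic Flash Disk" entry is never matched because its ID is host-specific, which is exactly why a USB history match on such a device is worth nothing in court.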

FORENSICALLY PREPARING YOUR PC


To ensure we do not modify the device that we are going to image, we must disable
the ability to write to it. We can do this in two ways: we can either use a
physical (hardware) write blocker, or we can use a software write blocker. A hardware
blocker sits between the device and the computer and is the stronger option, because a
software blocker can only ask the operating system not to write; we use the software
one here because it is free and enough for a tutorial.
Today you are going to use a software write blocker called USB Write Protect; again
this is a piece of freeware software designed for Windows. Software blockers of this
kind work by setting the Windows registry value
HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect to 1, which
makes Windows refuse writes to removable drives connected from then on. On the VLE
under USB Tools click the link that says USB write blocker, run the program, extract
the files to your desktop, and run the application inside called UsbWriteProtect.exe.
Once you have the program running ensure that the radio button "USB write
protection ON" is selected. This will ensure that any device connected to the
computer from now on (the USB from evidence) will not get modified in any way.
Before you plug in the evidence, test the blocker: insert a scratch USB stick, try to
create a file on it, and confirm that Windows refuses with a write-protected error. If
the write succeeds, the blocker is not working and you must not continue.
Leave the program running so you can disable it when you are finished imaging the
drive.
You need to ensure this procedure is followed and recorded (tool, version, the test
you did, and the time); this is what shows a court that the evidence has been collected
in a forensically sound manner.

CREATING AN IMAGE OF THE USB

Now we have secured the computer to ensure the drive does not get modified, we
now have to take an image of the drive. To do this we are going to use a program
called USB Image Tool. This tool reads the whole drive and packages it into a raw
IMG file that we can later use with our Autopsy software. Make sure the tool is in
Device Mode rather than Volume Mode: Volume Mode only copies the first volume and
would miss unallocated space and any other partitions on the drive.
On the VLE there is a link that says USB Cloner, click on this and download the
archive, extract this to a folder on your desktop and run the USB Image Tool.exe
program.
Now insert the USB drive from evidence, ensuring that the chain of custody form is
filled out showing you have removed it from the evidence custodian.
Your USB should show in a list of drives connected to the computer.
On the options tab of the program ensure "Create MD5 checksums during backup"
is selected; that way we will get an MD5 of the image so when we are working on it
we can prove it is the same image that we have always used.
Select the USB drive that you have plugged in, ensuring that the MD5 option is
selected, and click the "Backup" button. Give the file a name that is associated with
your investigation, and click save.
It will take a while but you should be left with two files called
"WhateverYouNamedIt".img and "WhateverYouNamedIt".img.md5
The IMG file we will use later, but the MD5 file we can open in Notepad and take a
note of the MD5 checksum for your evidence log.
In your evidence log you should take a note of the image name and the MD5 so we
can reference it later, along with the date and time of the acquisition, the tool and
version used, and the device's serial number from USBDeview. MD5 is good enough to
detect accidental corruption, which is what we need here, but because MD5 collisions
can be manufactured it is common practice to record a SHA-256 of the image alongside
it; a second hash costs nothing extra once the image is on disk.

DOCUMENTING THE USB'S CONTENTS

We have successfully taken a "best evidence" copy of the USB drive; we now
create a copy of that IMG file and that will be our working copy. This ensures we
have a copy to go back to if we corrupt the working copy, so the physical hardware
only has to be read the once.
When the file has been copied, use the MD5 tool (WinMD5 on the VLE) to hash the
working copy and check that it matches the MD5 recorded for the "best evidence"
image; log the result in your evidence log, along with the date and time. The
best-evidence image itself should now be kept read-only and not opened again except
to make another working copy.
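What USB Image Tool's MD5 option and WinMD5 do for the two steps above (hash the image at acquisition, then prove the working copy is identical) can be done in a few lines, which is useful when you want a SHA-256 alongside the MD5 or need to re-verify an image months later. The example below is added here and is not the tutorial's or either tool's own code; it streams the image in chunks so a multi-gigabyte image does not have to fit in memory, writes a sidecar file per algorithm in the md5sum-style `<hex> *<filename>` format (an assumed layout, not necessarily the one USB Image Tool uses), and checks a working copy against it. The "image" it hashes is a constructed 3-byte file in a temporary directory.

```python
"""Image hashing and working-copy verification.

Added example, not part of the original tutorial or of USB Image Tool / WinMD5.
The sidecar layout "<hex> *<filename>" is an assumption; the sample image is
constructed in a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads keep memory flat regardless of image size


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, computing every requested digest in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_sidecars(image_path, digests):
    """Write <image>.<algo> next to the image, e.g. case.img.md5 (assumed format)."""
    paths = {}
    for algo, hexdigest in digests.items():
        sidecar = f"{image_path}.{algo}"
        with open(sidecar, "w", encoding="ascii") as f:
            f.write(f"{hexdigest} *{os.path.basename(image_path)}\n")
        paths[algo] = sidecar
    return paths


def read_sidecar(sidecar_path):
    """Return the recorded hex digest; accepts a bare hex line or 'hex *filename'."""
    with open(sidecar_path, "r", encoding="ascii") as f:
        return f.readline().split()[0].lower()


def verify_file(path, sidecar_path, algorithm):
    """True if the file's digest right now equals the one recorded at acquisition."""
    return hash_file(path, (algorithm,))[algorithm] == read_sidecar(sidecar_path)


def make_working_copy(best_evidence, working_copy, algorithm="sha256"):
    """Copy the best-evidence image and prove the copy is bit-identical before using it."""
    shutil.copyfile(best_evidence, working_copy)
    return hash_file(best_evidence, (algorithm,)) == hash_file(working_copy, (algorithm,))


def log_entry(image_path, digests, examiner, when=None):
    """One evidence-log line: when (UTC), who, which file, and every digest recorded."""
    when = when or datetime.now(timezone.utc)
    hashes = " ".join(f"{a}={d}" for a, d in sorted(digests.items()))
    return f"{when.isoformat(timespec='seconds')} {examiner} {os.path.basename(image_path)} {hashes}"


def demo():
    """End-to-end run on a constructed 3-byte 'image': acquire, copy, verify, detect corruption."""
    workdir = tempfile.mkdtemp(prefix="acq_")
    try:
        image = os.path.join(workdir, "FRE123_pendrive.img")
        with open(image, "wb") as f:
            f.write(b"abc")  # constructed stand-in for the raw image
        digests = hash_file(image)
        sidecars = write_sidecars(image, digests)
        entry = log_entry(image, digests, "examiner", datetime(2024, 1, 1, tzinfo=timezone.utc))

        working = os.path.join(workdir, "FRE123_pendrive_working.img")
        copy_ok = make_working_copy(image, working)
        with open(working, "r+b") as f:  # simulate the working copy being damaged in analysis
            f.write(b"x")
        corrupt_detected = not verify_file(working, sidecars["md5"], "md5")
        original_intact = verify_file(image, sidecars["sha256"], "sha256")
        return {"md5": digests["md5"], "sha256": digests["sha256"], "copy_ok": copy_ok,
                "corrupt_detected": corrupt_detected, "original_intact": original_intact,
                "log_entry": entry}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The design point is that the digest recorded at acquisition is the reference for everything that follows: the working copy is only trusted once it hashes the same as the best-evidence image, and a damaged working copy is detected by the same comparison rather than by noticing odd results in Autopsy.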
To have a look at what is inside the IMG file we are going to use a free utility called
Autopsy, which you will find on the computer you are sitting at.
To use this follow the steps listed below:
1. Open the program and wait for it to load
2. You will be presented with a "New Case Information" screen
a. Case Name: Something relevant to the case you are doing
b. Base Directory: I would probably use the C:\ drive, create a folder on
there and store your stuff there
c. Case Type: Single User
3. Click Next
4. You will be presented with the "Additional Information" page
a. Case Number: A combination of numbers and letters that are relevant
to the case: e.g. FRE123
b. Examiner: Your name
5. Click Finish
6. You will be presented with a "Select Data Source" page
a. Select Data Type: Leave as default (Disk Image or VM File)
b. Browse for an image file: The location of your working-copy IMG file (never
the best-evidence image)
c. Leave all other options default
7. Click Next
8. On the Configure Ingest Modules page, leave as default and click Next
9. When the wizard has finished scanning the IMG file click Finish.
Once that is completed you can now investigate your captured image, the working
copy!
This is the layout you should receive:

Add Data Source: - Adds a new data source to the existing case, so if you have
multiple drives you can store them all in one case file. This is good if you have, say, 2
pen drives, a HDD and a back-up of a phone.
View Images/Videos: - Exactly what you would think it does: opens up a gallery to
view all the images / videos found on the image of the drive.

Timeline: - Also good if you are using multiple drives; it shows a timeline of file
system events (created, modified, accessed times) and other timestamped artefacts,
which helps to establish the sequence of events and, together with other evidence,
intent. Bear in mind that timestamps on the drive can be wrong or altered, so
corroborate them.
Generate Report: - Generates a report in multiple formats; you can select which
format is produced and what type of evidence it shows (just tagged or all
evidence). Below is an example of an HTML report of all evidence.

Close Case: - Closes the case correctly

Keyword Searching:

Keyword Lists: - Searches for specific string patterns, like a phone number or
web address
Keyword Search: - Search for a string that you input
Down the side you will find the following:

Data Sources: - Will show you the different drives in the case, and their volumes.

Views: - Gives you list views of different file types found on the drive; also looks at
deleted files, and files by size.
Results: - Shows the results from the keyword searches, hash set hits (we will look
at this later!), email messages, interesting items, and accounts found on the image.

Tags: - Anything you have tagged during your searching; this can be a specific file or
a set of results. There is also an option to group the tagging.

Reports: - Every report you generate for this case is stored as a quick link here.
Using your knowledge of your pen drive do some keyword searches on the contents
of it. Tag some files and have a general play around with the software.

USING MD5 TO VERIFY FILES ON THE IMAGE

This next topic will ensure that the files you are looking at can be compared to
originals that you may be in possession of, or that you are given from a corporation.
A hash set matches on content, not on file name, so a copied file that has been renamed
or moved on the pen drive is still found, while a file that has been edited by even one
byte is not.

To do this we need access to your original pen drive again; usually we wouldn't do
this (every extra handling of the original needs a chain-of-custody entry and the write
blocker back on), but as it is a tutorial it is fine to do so.
Find a file on the pen drive, any file, and put it into the WinMD5 program we used
earlier to generate an MD5 for a known file on the pen drive – it must be one that will
be in the image that we took of your drive.
With this MD5 copied to the clipboard, open up Autopsy again and from the menu at
the top click:
Tools > Run Ingest Modules > "yourImageName".IMG

You should be given a screen that shows you all the modules that Autopsy runs
when you put a new image into it.
Make sure only Hash Lookup is selected.
Click on Global Settings.

As you can see here there are no hash sets in the module, so we are going to create
our own one. Click on New Database:
- Hash Set Name: Something relevant to the case
- Database Path: Anywhere you want to store it, probably best in the C:\ drive
folder you created earlier for the img file.
- Type: Keep as Known-Bad (called Notable in newer Autopsy versions). Files that
match a set of this type are reported as hits; a set of type "Known" is for files
Autopsy should treat as uninteresting, and matches against it are filtered out of
the results rather than shown.
Click OK.

Once that screen disappears you should be back to the Global Hash Lookup
Settings tool; click on the "Add Hashes to Database" button to add our MD5 from
earlier.

On the screen below click "Paste From Clipboard" then "Add Hashes to
Database", then click OK.
You should now have a hash set to work with.
Click OK again on the screen.
This should take you back to the ingest module page from earlier; still ensuring
Hash Lookup is the only one checked, click Start at the bottom of this window.
Once the scan has completed you should have, under Results > Hashset Hits,
something that will look similar to this:

You should hopefully find the files on the image that match your files on your original
pen drive. What this proves is that the copy inside the image is bit-for-bit identical to
the original you hashed, which is the evidence you need when a company says "this is
our document and it was on the suspect's drive". It does not by itself prove that the
image has not been tampered with; that is what the image-level MD5 you recorded at
acquisition is for.
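The lookup Autopsy's Hash Lookup module performs is simple to reproduce, and doing so makes the content-versus-name point concrete. The example below is added here and is not the tutorial's or Autopsy's own code: it builds a hash set from the originals you were given, then walks the files of an "image" (both constructed in memory as path-to-bytes dictionaries) and reports every file whose content matches, regardless of where it sits or what it is called. It uses MD5 to match the tutorial; for real hash sets you would store SHA-256 as well.

```python
"""Known-file (hash set) lookup over the files in an image.

Added example, not part of the original tutorial or of Autopsy's Hash Lookup
module. The 'known' originals and the image contents are constructed in memory;
with a real image you would hash each file's bytes the same way.
"""
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_hash_set(known_files: dict) -> dict:
    """{md5: original name} from the files you were given, e.g. by the corporation."""
    return {md5_hex(content): name for name, content in known_files.items()}


def find_hits(hash_set: dict, image_files: dict) -> dict:
    """{path in image: matching original name} for every file whose content is in the set.

    Matching is on content only: a renamed or moved copy is still a hit, and a copy
    that has been changed by a single byte is not.
    """
    hits = {}
    for path, content in image_files.items():
        digest = md5_hex(content)
        if digest in hash_set:
            hits[path] = hash_set[digest]
    return hits


# Constructed: originals handed to the examiner
KNOWN_FILES = {
    "contract_v3.docx": b"CONTRACT-V3-CONTENT",
    "payroll.xlsx": b"PAYROLL-CONTENT",
}
# Constructed: what the pen-drive image contains
IMAGE_FILES = {
    "/Documents/contract_v3.docx": b"CONTRACT-V3-CONTENT",                 # identical, same name
    "/Music/holiday.mp3": b"PAYROLL-CONTENT",                              # identical, renamed to hide it
    "/Documents/contract_v3 (edited).docx": b"CONTRACT-V3-CONTENT-EDITED", # changed, so no hit
    "/Pictures/cat.jpg": b"JPEGDATA",                                      # unrelated
}


def demo() -> dict:
    return find_hits(build_hash_set(KNOWN_FILES), IMAGE_FILES)


if __name__ == "__main__":
    for path, original in demo().items():
        print(f"{path} matches {original}")
```

The renamed payroll file shows why keyword and filename searches alone are not enough, and the edited contract shows the limit of the technique: a hash set finds exact copies, not derived or partially modified versions.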

ACQUISITION OF A HDD

Funnily enough exactly the same as above, except we are going to use a hardware
based write blocker (which you will be shown in class) and Disk2vhd instead of
USB Cloner (USB Image Tool).
Once you have hooked up a HDD to the write blocker it should show in your file
explorer as a drive.
Open the Disk2vhd program, which is a free program from Microsoft (part of the
Sysinternals suite).
Load the program up and you should see the HDD in your list:

Select the disk you want to copy, ensure "Use VHDx" is unticked and "Use Volume
Shadow Copy" is also unticked. Volume Shadow Copy is for snapshotting a running
system's own disk and has to write to the source volume, which the write blocker
will (correctly) refuse.
Give it a relevant file name, store it somewhere accessible, and click Create.
Disk2vhd is a conversion tool rather than a forensic imager: it produces a VHD
container, not a raw image, and does not hash anything for you, so once it finishes hash
the VHD with WinMD5 exactly as you did for the IMG file and record the value in your
evidence log before you touch it again.
Once this is done, load it into Autopsy the same way we did with the USB pen drive.
