HW Lab 1: Evidence Acquisition and Analysis Lab

For this lab, you will practice acquiring a digital image of your own laptop or computer and setting up a forensic analysis workstation. You will NOT have to turn in the image of your own laptop (for privacy reasons), but you will have to turn in evidence that you have completed this task. For all the required information that needs to be turned in, a Word document is sufficient.

For this exercise, you will need to do the following:

  • Download a Linux-based forensics live CD (for instance, DEFT at http://www.deftlinux.net/).

  • Use this to acquire the hard drive on your own computer by booting into the live CD and then storing an image file on a portable hard drive. You can use any acquisition tool you like, whether command-line (for instance dc3dd) or graphical (for instance Guymager).

  • Take an MD5 and SHA256 hash of the drive before AND after you do the acquisition; turn these in. If you use a program that hashes on the fly while imaging, turn that output in as well. Compare your results to the hash of the image file; all of them must match.

  • Describe how you ensured that the drive you were acquiring was not modified during the acquisition (for instance, a hardware write blocker, or leaving the drive unmounted and setting it read-only from the live CD before you start).

  • On your laptop, install the virtualization software of your choice to create a forensics workstation. Ideally this would be dedicated hardware, but use your own device. It is recommended you install the SIFT Workstation (https://digital-forensics.sans.org/community/downloads), but any other forensic distro will do.

  • Using Autopsy, load the image into a new case and verify that the hashes still match.

  • Create a file-system-based timeline and turn in the first 10 and last 10 entries as well as the hash value of the file.

  • In Autopsy, perform a keyword search for the name of your university; how many files were returned that matched? (Just provide the count, not the filenames or their contents.)
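As an added example (not part of the original assignment), the following shell script shows the acquisition and hash-verification steps above done from a Linux live CD with standard GNU tools: set the source device read-only, hash it before imaging, image it with dd, hash it again, hash the image, and only report success when all three hash pairs agree. It assumes GNU coreutils (dd, md5sum, sha256sum) and util-linux's blockdev; the device path and image name are whatever you pass in. It also demonstrates one caveat worth knowing for the "hashes must match" check: with conv=noerror,sync, dd pads the final block, so if the block size you choose does not divide the drive size the image hash will differ from the drive hash even though nothing was modified.

```shell
#!/bin/sh
# Added example for the acquisition steps of this lab (not the course's own script).
# Assumptions: GNU coreutils (dd, md5sum, sha256sum) and util-linux blockdev,
# as found on DEFT/SIFT. Run as root when the source is a real block device.
set -eu

# Print "md5 sha256" for a file or block device.
hash_file() {
  printf '%s %s\n' \
    "$(md5sum "$1" | cut -d' ' -f1)" \
    "$(sha256sum "$1" | cut -d' ' -f1)"
}

# acquire_and_verify SOURCE IMAGE [BLOCKSIZE]
# Hashes SOURCE before and after imaging, hashes IMAGE, writes all three
# to IMAGE.hashes.txt and dd's log to IMAGE.dd.log. Returns 0 only when
# before == after == image.
acquire_and_verify() {
  src=$1
  img=$2
  bs=${3:-4M}

  # Software write block: mark a real device read-only before touching it.
  # A hardware write blocker is still preferable; this is the live-CD fallback.
  if [ -b "$src" ]; then
    blockdev --setro "$src"
  fi

  before=$(hash_file "$src")

  # conv=noerror,sync keeps going past read errors and pads bad blocks with
  # zeros so offsets stay aligned. It also pads a short final block, so choose
  # a block size that divides the device size (see blockdev --getsize64).
  dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>"$img.dd.log"

  after=$(hash_file "$src")
  image=$(hash_file "$img")

  printf 'before: %s\nafter:  %s\nimage:  %s\n' \
    "$before" "$after" "$image" > "$img.hashes.txt"

  [ "$before" = "$after" ] && [ "$after" = "$image" ]
}
```

Typical use from the live CD is `acquire_and_verify /dev/sda /mnt/evidence/laptop.dd 4M` after confirming `blockdev --getsize64 /dev/sda` is a multiple of the block size; the resulting `laptop.dd.hashes.txt` is the before/after/image hash record the assignment asks you to turn in, and the same SHA256 should be what Autopsy reports when you load the image.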
