Anti-Forensics Detection & Analysis Lab

Anti-Forensics Detection & Analysis Lab

Purpose: Apply knowledge and skills learned about anti-forensics techniques. Practice detecting and overcoming a wide variety of anti-forensic techniques.

Instructions: • Obtain the following 512MB USB image files from BlackBoard: o AntiForensics_A.001 ▪ MD5: 14EA9F129B75747D8319118B123847AE ▪ SHA-1: 1B50931A0695D8E525D61C7DEBB4690B71B540EB o AntiForensics_B.001 ▪ MD5: C55F980DC4A7972A7113D86E55EFBC46 ▪ SHA-1: 70ADC62977210D70DFF399376DDF63643D92D969 o AntiForensics_C.001 ▪ MD5: 0C11D069D370851B3D92C884DA413746 ▪ SHA-1: 4892B9960547BAA5C37D36AC3E7E04A659C3489A o AntiForensics_D.001 ▪ MD5: 16AB542DF4D76EB2DB0242C1E9D46900 ▪ SHA-1: 2E7CEF5B9D4B2B2698964BD66CEDD76EF900C817 •

Find all the evidence you can. o Evidence is anything containing the word ‘EVIDENCE’ or anything containing a picture of your suspect’s dog. Information about your suspect is listed below. o There are approximately 13 instances of anti-forensics / data obfuscation techniques (depending on how you count an instance). o You may need to apply skills and knowledge learned in Digital Forensic Analysis I.

  • Report on all evidentiary or suspicious findings.o Standard forensic reporting – metadata, discussion of findings, etc.o Include screenshots of your findings, including tool reports, if available (e.g. for John the Ripper password cracking report, and any other tools you use that has a report or log function).o Include a brief overview of your analytical strategy, steps taken, tools used, etc. Organize this section of your report by anti-forensics technique.Rules, Caveats, Hints, etc.:• What you initially know about your suspect: Her name is Lily Quinones. She is a Cyber Security major at the University of Texas at San Antonio (UTSA). She is currently a Senior in the College of Business. This is all you know at this point. Perhaps the files on the USBimage contain more information…• Analyze the UserAssist Registry Key provided to discover traces of programs used by the suspect.• Do not use FTK (or any other similarly designed / featured “all-in-one” digital forensics tool) to complete the lab. Such tools tend to do a good job at automatically extracting and alerting you to some of the anti-forensics techniques applied here. The point of this assignment is for you to think through anti-forensic techniques and then intelligently look for traces of them; the point is not to have your tool do all the work for you. You may, however, use such a tool to check your work after you’re done, or find remaining things after you’ve put forth all the effort you can/want to put into this lab. Write your findings up before doing so, however. • You can (and are recommended to) use WinHex. However, do not use its “File Recovery by Type” feature.• You will be graded primarily on your investigative approach and application of knowledge pertaining to anti-forensics techniques, more so than the degree of actual evidentiary discovery.• Be careful downloading open source tools to aid you in your search. Follow lab procedures regarding software installation. Be sure not to infect your systems or the lab systems with malware when searching for tools.• Anything that requires a password is either guessable (as it’s a commonly used password), or quickly (<5 minutes) crackable with a properly selected and configured forensic dictionary. (So no lab machines should be set to run overnight trying to crack passwords/encryption in this lab assignment.)• Every entry in your biographical dictionary should be a single lower-case word. For example, Cyber Security would be entered as “cyber” and “security”.Hint: Anti-forensic technologies applied to the disk imagesRotational Cipher, XOR Cipher, Password Cracking, Steganography (advanced), Data caving, Data recovery

Powered by WordPress