Property Record Number:
________________________
Anywhere Police Department
EVIDENCE CHAIN OF CUSTODY TRACKING FORM
Case Number: ________________________ Offense: ______________________________
Submitting Officer: (Name/ID#) _______________________________________________
Victim: ______________________________________________________________________
Suspect: _____________________________________________________________________
Date/Time Seized: __________________Location of Seizure: ______________________
Description of Evidence (table columns):
Item # | Quantity | Description of Item (Model, Serial #, Condition, Marks, Scratches)
Chain of Custody (table columns):
Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#) | Comments/Location
APD_Form_#PE003_v.1 (12/2012) Page 1 of 2 pages (See back)
EVIDENCE CHAIN-OF-CUSTODY TRACKING FORM
(Continued)
Chain of Custody (table columns):
Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#) | Comments/Location
Final Disposal Authority
Authorization for Disposal
Item(s) #: __________ on this document pertaining to (suspect): ____________________________________________
is(are) no longer needed as evidence and is/are authorized for disposal by (check appropriate disposal method)
☐ Return to Owner ☐ Auction/Destroy/Divert
Name & ID# of Authorizing Officer: ____________________________ Signature: ______________________Date: _______________
Witness to Destruction of Evidence
Item(s) #: __________ on this document were destroyed by Evidence Custodian ___________________________ID#:______
in my presence on (date) __________________________.
Name & ID# of Witness to destruction: ________________________ Signature: ______________________Date: _______________
Release to Lawful Owner
Item(s) #: __________ on this document was/were released by Evidence Custodian ________________________ID#:_________ to
Name _____________________________________________________________________________
Address: ________________________________________________ City: ____________________State: _______ Zip Code: __________
Telephone Number: (_____) ___________________________________
Under penalty of law, I certify that I am the lawful owner of the above item(s).
Signature: _______________________________________________________ Date: __________________________
Copy of Government-issued photo identification is attached. ☐ Yes ☐ No
This Evidence Chain-of-Custody form is to be retained as a permanent record by the Anywhere Police Department.
APD_Form_#PE003_v.1 (12/2012) Page 2 of 2 pages (See front)
Technical Working Group on Biological Evidence Preservation. The Biological Evidence Preservation Handbook: Best Practices for Evidence Handlers. U.S. Department of Commerce, National Institute of Standards and Technology. 2013.
Forensic Analysis with Linux
Digital Forensic Examination Assignment
Instructions
Part I.
Examination Request:
You have been hired as a computer forensic examiner by the FSB (Federal Security Bureau). Mel Torme, your supervisor, brings you a hard drive containing an acquired forensic image. Mr. Torme tells you that the image was created from a suspect hard drive that was found on the side of the road by a Deputy Sheriff.
Factual Case Background:
The Sheriff’s Office examination request report says that an anonymous caller telephoned the Sheriff’s Office and told a Sheriff’s Investigator where the suspect hard drive could be found, and that it contained evidence of possible illegal hacking activity. The Sheriff’s Office investigators obtained a search warrant from a judge that authorized the Sheriff’s Office Investigators to search the suspect hard drive for possible evidence of illegal hacking activity.
Examination Tools:
You will use Linux to conduct a logical digital forensic examination and analysis of the suspect drive.
Your Examination Responsibilities:
Your job is to conduct a digital forensic examination and analysis of the suspect image in order to identify any possible illegal hacking activity PER the search warrant (password hacking).
Practice Note: It is not uncommon for a digital forensics examiner, while conducting a digital forensic examination, to inadvertently come across or discover evidence of other illegal activity that is NOT PART OF THE AUTHORIZED SCOPE OF THE ORIGINAL SEARCH WARRANT. When this inadvertent discovery occurs, the examiner MUST stop the examination, report the suspected new evidence to his/her supervisor(s) or case agent, and a NEW search warrant authorizing a broader digital forensics examination scope must be obtained, based on the newly discovered evidence.
For example, if you have a search warrant for suspected illegal hacking activity (as in this digital forensics examination assignment you are working on) and you inadvertently come across ANY OTHER possible evidence of a different type of criminal activity than you are originally authorized to search for, you MUST obtain a new search warrant to continue your digital forensic examination.
Possible Illegal Activity Clues You May Find
If I were a betting Professor, I would assume that there might be some evidence of other illegal activities on the hard drive, besides hacking (hint hint, nod nod, wink wink). The following is a list of possible illegal activities that come to mind. If any evidence of these possible illegal activities exists on the suspect hard drive, it will be very apparent to you during a thorough digital forensics investigation.
Your examination might reveal any of the following illegal activities:
• Gun running
• Underage drinking
• Insider trading
• Kitty porn (any photos of underage kittens)
• Credit card fraud/theft (stolen credit card numbers)
• Impersonating an officer
• Jaywalking
Based upon our limited knowledge of the background case facts, I am certain the owner of the hard drive was NOT involved in ALL of the above listed illegal activities, but I am confident he/she was involved in a FEW of them. Let’s see what your examination reveals.
Part II.
Getting Started - Known Tool Hash Values:
We’ll start our examination by searching for password cracking tools. Listed below are some known SHA-1 hash values of popular password cracking tools:
• 620aca6bff27950df3ec81e9909be3e05b6bed81 john.exe
• 13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb Cain.exe
• c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb password.exe
• 6c2ff2727411e627cb65782203d8858028dbab15 Abel64.exe
• 6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24 badcracker.exe
Case Examination Assumptions:
1. IF YOU FIND EVIDENCE OF ANY OF THE ABOVE-LISTED ADDITIONAL CRIMINAL ACTIVITIES, YOU MUST ACKNOWLEDGE IT IN YOUR NOTES AND IN YOUR LAB REPORT AS A BASIS FOR REQUESTING A SEARCH WARRANT.
a. You must tell me WHAT you found and request a new search warrant.
2. You will download the “UpdatedLab.dd” file from the project resources download page to your lab virtual machine’s “Downloads” folder as instructed in Step II below. Then, you will work from the “Downloads” folder of your lab Virtual Machine “NIXATK01” as your evidence folder.
3. All commands will be run from the “~/Downloads/lab2” command line prompt unless otherwise noted.
4. Important: You should run the date command before running each command identified in this examination assignment. Although I don’t indicate running the date command in each of the following command instructions, running the date command should be your continuous practice to get valid results as you perform your lab examination.
5. Complete your Lab Notes WHILE you are working through this exercise!
Steps Taken (A Simple Version)
1. Received evidence
2. Mount the drive read only
3. Hash files
4. Use hashes to search for password cracking tools
5. Identify last usage of password cracking tools
6. Find other evidence of password cracking, such as password hashes
7. Search for graphics files
8. Search for compressed files
Important: Your “Steps Taken” notes should be a bit more detailed than the list above.
Access to Virtual Lab Environment
Virtual Machine Credentials
Username: StudentFirst
Password: [email protected]
Steps to access the Linux Virtual Machine
Part II.
Step 1. Login to “NIXFOR01”
Enter the VM Credentials to connect to it.
Press the space bar on your keyboard to get the login prompt.
Enter StudentFirst for the “Username” and [email protected] for the password.
Step II.
Double Click Lab Resources
Click on > Applications
Click on > Download Project Resources
Click on > “UpdatedLab.dd” under Project 2 > Save File
Note: Depending on the browser being used, the above step might be different.
Go to the Applications menu > Click on “Terminal” to open a Terminal window
Step 3
Forensic Procedures
1. Receive the evidence (see examination tasking) [Can’t follow this-Review]
In the NIXFOR01 VM:
Type:
cd Downloads
Then Type and Enter:
ls
Note the listed file name: ____________________
2. To verify the hash value of the image file, Type and Enter:
sha1sum UpdatedLab.dd
_____________________________________________
Note the SHA-1 hash value displayed.
3. Compare your hash value above to the original file hash value below for the “UpdatedLab.dd” file image:
Original: 42ba069b68620a8c0ea6c4804c9e371d1bb358ba “UpdatedLab.dd”
4. Now, create a new directory “lab2” in the “~/Downloads” directory of “NIXFOR01”.
a. Type and Enter:
mkdir lab2
b. To verify the lab2 directory exists, Type and Enter:
ls
5. Mount the image on the new directory:
a. Type and Enter:
sudo mount -t auto -o ro,loop ./UpdatedLab.dd ./lab2
b. To verify that the image is mounted properly, Type and Enter:
mount
6. Change directory to lab2, Type and Enter:
cd lab2
7. Create a hash set for all the files on the hard drive (mounted image).
a. Type and enter the following command:
sudo find . -type f -exec sha1sum {} \; > ../updatedlab.sha1 2>/dev/null
Note: This command finds all regular files under the mounted image and runs sha1sum on each of them. The “>” redirection saves the output to the file “updatedlab.sha1” in the directory above lab2 (~/Downloads), and “2>/dev/null” discards any error messages (for example, for files that cannot be read). The semicolon that ends the -exec clause must be escaped as “\;” so the shell passes it to find.
b. To view the file “updatedlab.sha1”, Type and Enter:
less ../updatedlab.sha1
Note that the list is not sorted.
c. Run the command below to sort the list by hash value and then save the results to a new file. Type and Enter:
sort ../updatedlab.sha1 > ../sortedupdatedlab.sha1
d. To view the file, Type and Enter:
less ../sortedupdatedlab.sha1
e. You should see a display that looks like the display below:
Note: The lines are now sorted by hash value. Now, we can search the sorted list for the hashes of the password crackers listed in the Part I. “Getting Started - Known Tool Hash Values” Hint section above.
f. Press “Q” on your keyboard to exit
8. Search for “John the Ripper” first. The first few characters of the sha1 hash are 620aca.
a. Type the forward slash ‘/’ and then type the first few sha1 hash characters “620aca”, then press “Enter”.
________________________________________________
Note whether you found the John the Ripper hash value.
b. Continue looking for the remaining password cracker hash values listed in the Part I. “Getting Started - Known Tool Hash Values” Hint section above. Repeat Steps 8 and 8a above to locate the following hash value strings:
• 13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb Cain.exe
• c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb password.exe
• 6c2ff2727411e627cb65782203d8858028dbab15 Abel64.exe
• 6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24 badcracker.exe
__________________________________
How many did you find? ________________________________________
Identify where each hash value you found is located.
Report your hash value findings in your notes!
c. Press “Q” on your keyboard to exit
9. View the date and time stamps for John.exe
a. Navigate to the directory where John.exe is located (the location is listed in the sortedupdatedlab.sha1 file).
- Please see the illustration in the screenshots that follow.
(Make sure that you are in the run directory where the “John.exe” file is located.)
b. Type and Enter: cd "Documents and Settings"
(The directory name contains spaces, so it must be quoted.)
Type and Enter: cd hax0r
Type and Enter: cd Desktop
Type and Enter: cd john179
Once in the “john179” directory, navigate to the “run” directory:
Type and Enter: ls
Type and Enter: cd run
c. Run the following command:
stat john.exe > ~/Downloads/john.stat
d. To display the content of “john.stat”, type the following command while still in the “run” directory shown above:
Type and Enter: less ~/Downloads/john.stat
Note the different file date and time stamps (Access, Modify, Change).
List the file changes below:
John.exe was changed on _______________ at ______________.
John.exe was last accessed on ___________ at ______.
Explain what this date and time stamp data means:
_____________________________________________________
_____________________________________________________
e. The John.exe password cracking program saves passwords it has cracked to a file called ‘john.pot’. See if the “john.pot” file exists using the following command to list all files in a long listing format.
Type and Enter: ls -al
f. If you find that “john.pot” does exist in the file list, you can view the text file contents of the “john.pot” file using the following command in the terminal while still in the “run” directory:
Type and Enter: less john.pot
__________________________________________
Explain what you found.
10. View the date and time stamps for all other password crackers you found by repeating Steps 9a through 9d above for the following password cracker program strings:
• 13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb Cain.exe
• c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb password.exe
• 6c2ff2727411e627cb65782203d8858028dbab15 Abel64.exe
• 6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24 badcracker.exe
Look at the date and time stamps and make a note of your observations.
_____________________________________________________
_____________________________________________________
a. Is there any indication that the programs were used? Explain.
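Steps 7 through 10 build a SHA-1 hash set of the mounted image, look the known tool hashes up in it, and then read the timestamps of every hit with stat. The script below is an added example that does the same work in one pass; it is not part of the lab handout or of any tool the handout names. The five handout hashes are included as given, but since the real binaries are not available here, the demo builds a constructed directory tree (using the handout's "Documents and Settings/hax0r/Desktop/john179/run" path) with a stand-in file whose hash is computed and added to the known-hash table; that stand-in entry is an assumption for the demonstration only.

```python
"""Known-hash search over a mounted image tree, with file timestamps.

Added example for this lab, not part of the handout: it reproduces in one
script what steps 7 through 10 do by hand (find/sha1sum, sort, searching
the list with less, then stat on each hit). The directory tree, the file
contents and the extra "stand-in" hash are constructed here; the five
handout hashes are included as given but would only match the real binaries.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Known tool hashes copied from the lab handout (SHA-1 hex digests).
KNOWN_TOOL_HASHES: Dict[str, str] = {
    "620aca6bff27950df3ec81e9909be3e05b6bed81": "john.exe",
    "13f26a0a1ad0bcd0ed92f876bc4d44fdd4ca86fb": "Cain.exe",
    "c81e9909be3e05b6ed92f876bc4d44fdd4ca86fb": "password.exe",
    "6c2ff2727411e627cb65782203d8858028dbab15": "Abel64.exe",
    "6d1eb2c876e3d8e648d27c7cd8ecaee0515efb24": "badcracker.exe",
}


def sha1_hex(data: bytes) -> str:
    """SHA-1 of an in-memory byte string, as a lowercase hex digest."""
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: str) -> str:
    """SHA-1 of a file, read in 1 MiB chunks so large files do not fill memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_set(root: str) -> List[Tuple[str, str]]:
    """Equivalent of `find . -type f -exec sha1sum {} \\;` followed by `sort`:
    (sha1, path-relative-to-root) pairs ordered by hash value."""
    pairs: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                pairs.append((sha1_file(full), os.path.relpath(full, root)))
            except OSError:
                continue  # unreadable file: the handout's 2>/dev/null
    pairs.sort()
    return pairs


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


def match_known(root: str, hash_set: List[Tuple[str, str]],
                known: Dict[str, str]) -> List[Dict[str, str]]:
    """Look every hash up in the known-tool table; for each hit, record the
    path and the three timestamps `stat` prints (on Linux, ctime is the
    inode change time, not a creation time)."""
    hits = []
    for digest, rel in hash_set:
        tool = known.get(digest)
        if tool is None:
            continue
        st = os.stat(os.path.join(root, rel))
        hits.append({"tool": tool, "sha1": digest, "path": rel,
                     "atime": _iso(st.st_atime), "mtime": _iso(st.st_mtime),
                     "ctime": _iso(st.st_ctime)})
    return hits


def demo() -> List[Dict[str, str]]:
    """Build a constructed mini image tree and run the search against it."""
    with tempfile.TemporaryDirectory(prefix="lab2_") as root:
        run_dir = os.path.join(root, "Documents and Settings", "hax0r",
                               "Desktop", "john179", "run")
        os.makedirs(run_dir)
        stand_in = b"constructed stand-in for john.exe"  # not the real binary
        with open(os.path.join(run_dir, "john.exe"), "wb") as f:
            f.write(stand_in)
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("nothing of interest\n")
        known = dict(KNOWN_TOOL_HASHES)
        # Constructed entry so the demo produces a hit without the real tool.
        known[sha1_hex(stand_in)] = "john.exe (constructed stand-in)"
        return match_known(root, build_hash_set(root), known)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['tool']}: {hit['path']}")
        print(f"  atime {hit['atime']}  mtime {hit['mtime']}  ctime {hit['ctime']}")
```

Because the hash set is sorted by digest, a real run can also be written out and searched with less exactly as the handout does; the script only adds the lookup and the stat call so that the "last usage" question is answered from the same pass that found the tool.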
Password Hash Search
11. Now, search for password hash strings. Password hash strings for an md5 hash are formatted as follows:
a. $1$<8 character salt>$<22 characters>
b. Return to your lab2 directory. Type and Enter: cd ~/Downloads/lab2
c. Use the following grep expression command in Step “d” below to perform your md5 hash string search:
d. Type and Enter: grep -R -E '\$1\$[[:graph:]]{8}\$[[:graph:]]{22}'
(The -E flag enables the {8} and {22} repetition counts, and each backslash makes the following $ a literal dollar sign rather than an end-of-line anchor.)
e. Review the output list above and make a note of your observations.
_____________________________________________________
List the md5-related files you found here: ____________________________________________________
Where were the file(s) located?
f. What is the password for the following Users?
i. Vilkp? ___________________________________
ii. Showe? __________________________________
iii. Damad? __________________________________
12. Continue to search for evidence of password hacking (authorized in your original warrant).
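The grep pattern in step 11 accepts any printable characters in the salt and hash positions, so it also matches strings that only look like hashes. The script below is an added example, not part of the handout, that performs the same recursive search but checks each candidate against the actual md5crypt layout: "$1$", a salt of 1 to 8 characters, "$", then exactly 22 characters, with both fields drawn from the crypt(3) base-64 alphabet [./0-9A-Za-z]. It also records the user name when the hash sits in a shadow-style "user:$1$..." line. All files and hash strings it scans are constructed for the demonstration (the user names follow the handout; the hash values are made up and correspond to no password).

```python
"""Locate md5crypt ($1$...) password hashes in a directory tree.

Added example, not part of the lab handout. It performs the search the
handout does with grep -R but validates each candidate against the real
md5crypt layout: "$1$", a salt of 1 to 8 characters, "$", then exactly
22 characters, salt and hash both from the crypt(3) alphabet [./0-9A-Za-z].
Every file and hash string below is constructed for the demonstration.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

B64 = r"[./0-9A-Za-z]"
# Negative lookahead: a 23rd hash character means this is not a hash.
MD5CRYPT_RE = re.compile(rf"\$1\$({B64}{{1,8}})\$({B64}{{22}})(?!{B64})")


def find_md5crypt_hashes(text: str) -> List[Tuple[str, str]]:
    """Return (salt, hash) pairs for every well-formed md5crypt string in text."""
    return [(m.group(1), m.group(2)) for m in MD5CRYPT_RE.finditer(text)]


def shadow_user(line: str) -> Optional[str]:
    """If the line looks like a shadow(5) entry (user:$1$...), return the user."""
    user, sep, rest = line.partition(":")
    if sep and rest.startswith("$1$"):
        return user
    return None


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root, read every file as text and report each hash with its location."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as f:
                    lines = f.read().splitlines()
            except OSError:
                continue  # unreadable file, same as grep's suppressed errors
            for lineno, line in enumerate(lines, 1):
                for salt, digest in find_md5crypt_hashes(line):
                    findings.append({"path": os.path.relpath(path, root),
                                     "line": lineno, "user": shadow_user(line),
                                     "salt": salt, "hash": digest})
    return findings


# Constructed sample files: a shadow-style file, a notes file with one
# hash pasted in, and a decoy with "$1$"-like text that is not a hash.
SAMPLE_FILES = {
    "etc/shadow": (
        "vilkp:$1$AbCdEfGh$0123456789abcdefghijkl:18000:0:99999:7:::\n"
        "showe:$1$xy.z/123$ABCDEFGHIJKLMNOPQRSTUV:18000:0:99999:7:::\n"
    ),
    "Documents and Settings/hax0r/notes.txt": (
        "grabbed this from the server: $1$s4lt$mnopqrstuvwxyz01234567 try later\n"
    ),
    "prices.txt": "item $1$5 each, total $1$too_short$abc\n",
}


def demo() -> List[Dict[str, object]]:
    """Write the constructed files to a temp directory and scan it."""
    with tempfile.TemporaryDirectory(prefix="lab2_") as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(content)
        return sorted(scan_tree(root), key=lambda d: (str(d["path"]), int(d["line"])))


if __name__ == "__main__":
    for hit in demo():
        who = hit["user"] or "(not a shadow entry)"
        print(f"{hit['path']}:{hit['line']}  user={who}  salt={hit['salt']}")
```

The decoy file shows why the stricter pattern matters: "$1$5 each" and "$1$too_short$abc" both contain "$1$" but neither has the salt/hash structure, so they are not reported, whereas a hash pasted into free text (the notes file) still is.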
Search for Graphic Files
Now, let’s search for graphics files.
a. Make a “graphics” file directory under “~/Downloads”. Call it ‘graphics’.
Type and Enter: cd ~/Downloads
Type and Enter: mkdir graphics
b. To find the graphics files by their common file extensions in Lab 2, Type and Enter the following (from ~/Downloads):
find ~/Downloads/lab2 \( -name '*.jpg' -o -name '*.png' -o -name '*.tiff' -o -name '*.gif' -o -name '*.bmp' \) -exec cp {} ~/Downloads/graphics \;
(The escaped parentheses group the -name tests so that a file matching any one extension is copied; the quotes keep the shell from expanding the wildcards before find sees them; the semicolon that ends -exec must be escaped.)
13. Change directory to the “graphics” directory and run the file command on each file:
Type and Enter: cd graphics
a. Type and Enter: file *.* > graphics.file
b. Type and Enter: less graphics.file
c. Review and describe whether all file types match the file extensions displayed.
_______________________________________________
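The file command in step 13 identifies each file by its leading bytes rather than by its name, which is why an extension can disagree with the reported type. The script below is an added example, not from the handout, that writes out the same check: read the first bytes of each file, look them up in a small signature table (the graphics formats the lab searches for, plus PDF and ZIP), and flag any file whose extension claims one format while its header shows another, or shows no recognisable header at all for an extension in the table. The sample files are constructed in a temporary directory; their names and contents are assumptions for the demonstration.

```python
"""Check whether a file's content signature matches its extension.

Added example, not part of the lab handout. The handout relies on the
`file` command for this; here the check is spelled out so the rule is
visible: read the first bytes, look them up in a signature table and flag
files whose extension claims one format while the header shows another
(or shows none at all for an extension we know). The table covers the
graphics formats the lab searches for plus PDF and ZIP; the sample files
are constructed in a temporary directory.
"""
import os
import tempfile
from typing import Dict, List, Optional

# (leading bytes, canonical type) for the formats of interest.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
    (b"II*\x00", "tiff"),  # little-endian TIFF
    (b"MM\x00*", "tiff"),  # big-endian TIFF
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]
KNOWN_TYPES = {kind for _magic, kind in SIGNATURES}
EXT_ALIASES = {"jpeg": "jpg", "tif": "tiff"}


def detect_type(head: bytes) -> Optional[str]:
    """Return the canonical type whose magic bytes start `head`, or None."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def normalise_extension(path: str) -> str:
    """Lower-case extension without the dot, with common aliases folded."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return EXT_ALIASES.get(ext, ext)


def classify(path: str) -> Dict[str, object]:
    """Compare the extension with the detected type. A mismatch is reported
    when the two disagree and at least one side is a type we recognise."""
    with open(path, "rb") as f:
        head = f.read(16)
    ext = normalise_extension(path)
    detected = detect_type(head)
    mismatch = detected != ext and (detected is not None or ext in KNOWN_TYPES)
    return {"name": os.path.basename(path), "extension": ext,
            "detected": detected, "mismatch": mismatch}


def classify_dir(directory: str) -> List[Dict[str, object]]:
    """Classify every file in one directory, in name order."""
    return [classify(os.path.join(directory, n)) for n in sorted(os.listdir(directory))]


# Constructed samples: name -> first bytes written to the file.
SAMPLES = {
    "cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,        # honest JPEG
    "holiday.png": b"\xff\xd8\xff\xe1" + b"\x00" * 12,    # JPEG data, .png name
    "scan.gif": b"PK\x03\x04" + b"\x00" * 12,             # ZIP archive, .gif name
    "blank.bmp": b"this is plain text, not a bitmap\n",   # no known signature
    "readme.txt": b"just notes\n",                        # unknown ext, unknown sig
}


def demo() -> List[Dict[str, object]]:
    """Write the constructed samples to a temp directory and classify them."""
    with tempfile.TemporaryDirectory(prefix="graphics_") as d:
        for name, content in SAMPLES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return classify_dir(d)


if __name__ == "__main__":
    for r in demo():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']:<12} ext={r['extension']:<5} detected={r['detected']}  {flag}")
```

readme.txt is deliberately not flagged: neither its extension nor its header is in the table, so there is nothing to disagree about, which keeps the report to files where the name really contradicts the content.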
Examining Graphic Files
14. Go to the Applications menu > Click Graphics > Click and open “gThumb”
15. In “gThumb”, view the files contained in the “graphics” directory.
a. Do you see anything that might make it necessary for you to request another search warrant to expand your authority to conduct a broader examination of the suspect hard drive? (Hint: You can refer to the list in Part I, Possible Illegal Activity Clues You May Find, above.) ________________________ If no, proceed to the next step.
Searching for Compressed Files
16. Let’s search further for the possibility of finding other hidden information.
To search for compressed files:
Type and Enter: cd .. to go back to the Downloads directory prompt
Type and Enter: cd lab2 to go to the “lab2” folder
Type and Enter the following command:
find . \( -name '*.zip' -o -name '*.tgz' -o -name '*.tar.gz' \) > ../updatedlab.compressed
a. The above command should find all the compressed files with the file extensions given in the command (the escaped parentheses group the -name tests, and the quotes keep the shell from expanding the wildcards).
b. Type and Enter: less ../updatedlab.compressed to view the content of the file “updatedlab.compressed”.
_____________________________________________________
c. What did you find? Do you see any file that is “interesting” to you?
d. Make a new directory called “compressed” in the Downloads directory. Type and Enter:
mkdir ~/Downloads/compressed
e. Copy the “interesting” compressed file above into that newly created “compressed” directory.
(Note: You may use the Graphical User Interface to copy and paste the file into the evidence folder as seen below.)
_____________________________________________________
f. Do you feel you need to obtain a new search warrant at this point? Explain.
Unzipping a File
g. Let’s try to unzip the file using this command format “unzip <name of file>”:
h. Type and Enter: cd ../compressed
i. Type and Enter: ls
j. Type and Enter: unzip kitty.zip
k. What happened?
You can do one of two things:
Option 1: Ask the suspect for the password, or
Option 2: You can guess. Try to guess first.
Note: first, Google “most common passwords” and use some of those to see if any work. The password should be within the top ten of most lists and starts with “P”.
Note: What password worked for you? ___________________________________________
17. Assume now that you have an additional search warrant authorizing a search for stolen credit card numbers.
Type and Enter: cd ..
Type and Enter: cd lab2
Then, search lab2 using the following grep expression:
a. Type and Enter:
grep -R -n -E '[45][[:digit:]]{15}' > ~/Downloads/creditcards.txt
b. This regular expression search looks for 16-digit strings beginning with 4 or 5, the Visa and MasterCard number formats. (-E is needed for the {15} repetition count; -n prints the line number of each match.)
c. Use the “less” command to display the contents of the file. Type and Enter: less ~/Downloads/creditcards.txt
Are there any notable credit card numbers?
End of Lab
Revised CSEC 650 Lab 2 Grading Rubric 7/07/17
CSEC 650 2175 3131
Criteria (100 points) | Comments and Feedback
• Part II, Step 3 -1.a. (5 points): You included screen shots of file results after using the "ls" command. [Part II, Step 3 -1.a. - Notes]
• Part II, Step 3 -2. (5 points): You included screen shots of results after using the "sha1sum UpdatedLab.dd" command. [Part II, Step 3 -2. - Notes]
• Part II, Step 3 -5.b. (5 points): You included screen shots of results after using the "mount" command. [Part II, Step 3 -5.b. - Notes]
• Part II, Step 3 -8.a. (5 points): You included screen shots of results after using the “/620aca” command. [Part II, Step 3 -8.a. - Notes]
• Part II, Step 3 -8.b. (5 points): You included screen shots of results after locating hash value strings for the "Cain.exe, password.exe, Abel64.exe and badcracker.exe" files. [Part II, Step 3 -8.b. - Notes]
• Part I Step 13 (5 points): You included screen shots of results noting file change differences for "John.exe", with last access date and date stamp data. [Part II, Step 3 -9.d. - Notes]
• Part II, Step 3 -9.f. (5 points): You included screen shots of results using the “less john.pot” file. [Part II, Step 3 -9.f. - Notes]
• Part II Step 3 (5 points): You included screen shots of results listing “md5-related files” and where they were located. [Part II, Step 3 -11.e. - Notes]
• Part II, Step 3 -11.f. (5 points): You included screen shots of results of passwords for "Vilkp, Showe and Damad". [Part II, Step 3 -11.f. - Notes]
• Part II, Step 3 -13.b. (5 points): You included screen shots of results after using the “less graphics” command. [Part II, Step 3 -13.b. - Notes]
• Part II, Step 3 -13.b. (5 points): You included screen shots of results after using the “gThumb” command. [Part II, Step 3 -13.b. - Notes]
• Part II, Step 3 -15.a. (5 points): You included screen shots of graphic results to determine the necessity of requesting a search warrant. [Part II, Step 3 -15.a. - Notes]
• Part II, Step 3 -16.c. (5 points): You included screen shots of results after using the “less ../updatedlab.compressed” command. [Part II, Step 3 -16.c. - Notes]
• Part II, Step 3 -16.g. (5 points): You included screen shots of results after using passwords to unzip files. [Part II, Step 3 -16.g. - Notes]
• Lab Notes Sheet (10 points): You completed the Lab Notes Sheet, including screenshots and relevant information.
• Chain of Custody Form (5 points): You completed a Chain of Custody Form to include in your final Forensics Examiner Report for Lab 2.
• Report Writing Format Step 10 (20 points) (6 Parts I, II, III, IV, V & VI): You completed the Final Report using the format, answering all questions, incorporating relevant Lab Notes, and including the chain of custody form.
DFCI Revised 7/07/2017