Lab 1: Preparing a Virtual Windows Machine

What You Need for This Project

 A computer with VMware Player. You can use any host OS you like, and if you
prefer to use some other virtual machine software like VirtualBox or Xen, that is fine
too. You can download VMware Player here:
https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/5_0
 The instructions below assume you are using Windows 7. You can use VMware on
the Mac and other operating systems, but the steps may be somewhat different.
 You need the DVD that was handed out in class, which contains a Windows XP SP 3
virtual machine. It also contains a machine named "Win XP Target" -- don't use that
one.
Starting VMware Player
You can get VMware player here:
https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/5_0
VMware Player is installed. Double-click the "VMware Player" icon on the desktop to start
it.
Opening your Virtual Machine
In the VMware Player window, click "Open a Virtual Machine". Browse to the VMs drive
and open the folder with your name on it. Open the "WinXPSP3" folder and double-click the
"Windows XP Professional.vmx" file.
In the VMware Player window, click the green "Play virtual machine" button.
VMware Player will pop up several dialog boxes, asking whether this machine was moved or
copied, telling you details about the processor, etc. Just accept the default choice for all those
boxes.
You should see a Windows XP desktop in the VMware Player window, as shown below:
Changing Your Virtual Machine's Name
All the virtual machines now have the same name. This will cause warning messages to
appear on the desktops, and it is confusing. So you should change your machine’s name to
contain your name, with the following steps.
Click the Start button on your virtual machine’s desktop, right-click "My Computer", and
click Properties.
Click the Computer Name tab.
Click the Change button.
Change the computer name to "XP-YOURNAME", replacing "YOURNAME" with your
own name.
Click OK.
When a Computer Name Changes box appears saying: You must restart..., click OK.
In the System Properties box, click OK.
In the System Settings Change box, click Yes.
Wait while your virtual computer restarts. Log in as you did before.
Click the Start button on your virtual machine’s desktop, right-click "My Computer", and
click Properties.
Click the "Computer Name" tab. The "Full computer name:" should contain your name, as
shown below.

Saving a Screen Image

You have now completed Lab 1. The only thing that remains is to turn it in. To do that, you
need to capture an image of the screen and email it to the instructor.
Note the hand symbol on the image above: that indicates screen images that you must capture
and turn in.
Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine
listen to the keyboard, instead of the virtual machine.
Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole
desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
On the host machine, not the virtual machine, click Start.
Type mspaint into the Search box and press the Enter key.
Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears
in the Paint window.
In the upper left corner of the "untitled - Paint" window, click the little blue square icon (it
looks like a floppy disk, something people used to use long ago--you might never have seen
one).
Save the document with the filename "YOUR NAME Lab 1", replacing "YOUR NAME"
with your real name.
Email the image to the instructor as an attachment to an e-mail message. Send it
to: [email protected] with a subject line of "Lab 1 From YOUR NAME", replacing "YOUR
NAME" with your real name.
Send a Cc to yourself.
Shutting Down your Virtual Machine
In the VMware Player window, in the upper right corner, click the X. A box pops up, offering
three choices, as shown below.

Suspend freezes your VM in its current state. This is usually the best choice.
Power Off is only for emergencies, when the guest operating system has crashed. It's the
equivalent of pulling out the power plug on a real computer.
Click Suspend.
Part 2: Carving file
Download Hxd tool from https://mh-nexus.de/en/hxd/
Recovery the image (jpg) from the raw file - Carve2.bin, carve1.bin
Carve 2
Download the bin file from the GitHub
https://github.com/thehexninja/BlogDownloads/blob/master/Carve2.bin
Again we search for FFD8FFE0.

We find it at offset 13B6. In this second example we see that it is embedded in other data
(other deleted or allocated files), this is more typical of what we might see.
Again we search for FFD9 for the end of file marker. It is at 0x2360. We select the block and
copy it out into a new file. Carve2_13B6_2360.jpg.
 Carve2_13B6_2360.jpg

This seems simple enough, just a search from the start and end and we a have carved two
deleted files of the Hex Ninja.