Digital Forensic Analysis Lab Exercise
Objective: This lab is designed to provide hands-on experience with digital forensic analysis
tools, focusing on investigating digital crimes through a real-world scenario. Participants
will learn to utilize standard tools and understand the basics of the digital forensic
investigative process.
Tools Required:
1. VMware or equivalent virtualization platform
2. Autopsy Forensic Browser
3. A digital corpora scenario (2012 National Gallery DC Attack)
4. Notepad++ or another advanced text editor
Instructions:
Step 1: Setting Up the Environment
Start by setting up a Virtual Machine (VM) using VMware or a similar virtualization
tool. This VM will act as your isolated environment for the forensic investigation.
Install a Windows Operating System on the VM, as it is a prerequisite for the Autopsy
software.
Step 2: Autopsy Installation
Download Autopsy from the official website here.
Follow the installation guide to install Autopsy on your VM. Ensure all the required
plugins and modules are correctly set up.
Step 3: Scenario Setup
Access the DigitalCorpora.org website and navigate to the “Scenarios” section.
Download the “2012 National Gallery DC Attack” data. The scenario listing includes the item
“Tracy’s phone on 2012-07-15 (other extraction tools)”, offered as [E01] and [tar] downloads.
Review the scenario’s background information to understand the context of the
digital crime you will investigate.
Step 4: Starting the Investigation
Open Autopsy and start a new case. Name it appropriately, then add a new data
source: select the system image you downloaded from DigitalCorpora.
(Figure 1: Open new case)
Configure the ingestion modules based on what aspects of the data you intend to
analyze (e.g., file type identification, keyword search, etc.).
Step 5: Analyzing the Evidence
Use Autopsy’s tools to analyze the file system, recover deleted files, inspect the
registry settings (for a PC scenario), and examine any web artifacts. Look for anything out of
the ordinary or indicative of malicious activity.
Document findings of interest. This can include text files, images, logs, or other
artifacts that might shed light on the incident.
Step 6: Log Analysis
Use Notepad++ or your chosen text editor for an in-depth analysis of log files that
you’ve identified as relevant. Look for IP addresses, URLs, timestamp inconsistencies,
or suspicious entries.
Caution: Remember, don’t alter the original evidence. Always work on copies or images of
the data, as preserving the integrity of the evidence is paramount in digital forensics.
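As an added example that is not part of this lab sheet, the script below covers two of the steps above in code: it hashes a working copy of an evidence file so it can be compared against the original (the integrity point in the caution), and it triages log lines for IP addresses, URLs and timestamps that run backwards (Step 6). The log lines are constructed for illustration and are not taken from the National Gallery DC image.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample log lines (assumed format: "YYYY-MM-DD HH:MM:SS LEVEL message").
# Line 3 carries a timestamp earlier than line 2, the kind of inconsistency Step 6 asks for.
SAMPLE_LOG = """\
2012-07-15 09:12:01 INFO user=tracy action=login src=10.0.0.7
2012-07-15 09:15:44 INFO fetched http://example.test/floorplan.pdf src=10.0.0.7
2012-07-15 09:14:03 WARN clock adjusted src=10.0.0.7
2012-07-15 09:20:10 INFO upload to https://drop.example.test/u/1 src=203.0.113.9
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks; run on the original and the copy and compare the digests."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_log(text):
    """Collect IPs and URLs, and flag lines whose timestamp precedes the line before it."""
    ips, urls, backwards = set(), [], []
    last_ts = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        ips.update(IP_RE.findall(line))
        urls.extend(URL_RE.findall(line))
        match = TS_RE.match(line)
        if match:
            ts = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
            if last_ts is not None and ts < last_ts:
                backwards.append((lineno, line))  # candidate for clock tampering or log edits
            last_ts = ts
    return {"ips": sorted(ips), "urls": urls, "backwards": backwards}


if __name__ == "__main__":
    for key, value in triage_log(SAMPLE_LOG).items():
        print(key, value)
```

Run the triage over the log files exported from Autopsy rather than over the mounted image, and record both digests in the case notes before and after analysis.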
Lab Completion: Upon finishing the investigation and compiling the report, participants
should submit their findings to the instructor for review and feedback.