Digital Forensic Analysis Lab Exercise

Objective: This lab is designed to provide hands-on experience with digital forensic analysis
tools, focusing on investigating digital crimes through a real-world scenario. Participants
will learn to utilize standard tools and understand the basics of the digital forensic
investigative process.
Tools Required:
1. VMware or equivalent virtualization platform
2. Autopsy Forensic Browser
3. A digital corpora scenario (2012 National Gallery DC Attack)
4. Notepad++ or another advanced text editor
Instructions:
Step 1: Setting Up the Environment
 Start by setting up a Virtual Machine (VM) using VMware or a similar virtualization
tool. This VM will act as your isolated environment for the forensic investigation.
 Install a Windows Operating System on the VM, as it is a prerequisite for the Autopsy
software.
Step 2: Autopsy Installation
 Download Autopsy from the official website here.
 Follow the installation guide to install Autopsy on your VM. Ensure all the required
plugins and modules are correctly set up.
Step 3: Scenario Setup
 Access the DigitalCorpora.org website and navigate to the “Scenarios” section.
Download the “2012 National Gallery DC Attack” data.
 Tracy’s phone on 2012-07-15 (other extraction tools) [EO1] [tar]
 Review the scenario’s background information to understand the context of the
digital crime you will investigate.
Step 4: Starting the Investigation
 Open Autopsy and start a new case. Name it appropriately, then add a new data
source: select the system image you downloaded from DigitalCorpora.
 1- Opean new case :

2- select the path to save your case :

3- New case information:

4- Select data source type:

 Configure the ingestion modules based on what aspects of the data you intend to
analyze (e.g., file type identification, keyword search, etc.).
Step 5: Analyzing the Evidence
 Utilize Autopsy’s tools to analyze the file system, recover deleted files, inspect the
registry settings (for a PC scenario), and any web artifacts. Look for anything out of
the ordinary or indicative of malicious activity.
 Document findings of interest. This can include text files, images, logs, or other
artifacts that might shed light on the incident.
Step 6: Log Analysis
 Use Notepad++ or your chosen text editor for an in-depth analysis of log files that
you’ve identified as relevant. Look for IP addresses, URLs, timestamp inconsistencies,
or suspicious entries.
Caution: Remember, don’t alter the original evidence. Always work on copies or images of
the data, as preserving the integrity of the evidence is paramount in digital forensics.
Lab Completion: Upon finishing the investigation and compiling the report, participants
should submit their findings to the instructor for review and feedback.

I wish you success

Eng.hassan alsufyani