Unit 05 Lab


IAA ISM09204 Dr. N.M.M[A1202]

Lab 03: Data Recovery

Working Scenario
Suppose you are investigating a case of an employee who is suspected of misconduct. The
evidence collected is a flash drive, but the suspect was smart enough to delete the two Word
documents that might incriminate him before the flash drive was confiscated. Form a group of
at most four students; your task is to recover those two documents and write a short
report. NOTE: This tool can do more than what this lab asks you to achieve; it is now
your task to work with it and discover other interesting features.

The investigation team has provided you with the image file acquired from the flash drive, which is
downloadable at https://drive.google.com/file/d/1rhjTGnp2W-_Olsjb5WKe34NivE58dnKm/view?usp=sharing

Objectives
The objectives of this lab are for the students to:
1. Get introduced to Autopsy Lab and understand its basic functions in an investigation
2. Learn how to recover deleted files
3. Use Autopsy Lab to create an investigation report

Autopsy lab
Download and install Autopsy Lab from: https://www.autopsy.com/download/

Lab-03-1: Instructions.
1. Create a new case with the name DFLab03 and choose your base directory. We will do more
on organization of your folders and documentation in other labs. The case type in this lab
will be Single-User, which means only you will have access to this case. There is also a
Multi-User case type, which involves setting up a network with servers so that multiple
people can work on the case at the same time. In a Multi-User case, all involved
investigators can process and analyze different data sources in that case at the same time.

2. Provide the case number, which in an actual investigation would already have been assigned. The
case number should be as informative as possible; it may include the initials of the investigators or of the
members requesting the case. In our case, use the case number on the screenshot below.
A name (for this lab, you must provide your name), phone (not necessarily your number) and
email (for this lab, it must be your email) should be provided so that if any question arises, it
is known whom to contact. Use IAA as the Organization. To add the organization, go
to Manage Organizations and create IAA as one of the organizations.

3. A computer can have multiple hard drives in it, so we can specify a host name and attach
multiple data sources to that host. Specify a new host name, let us use Lab_03, and click
Next, where you can select the data source type as shown below. In our case, our source is
a raw disk image.

4. Select the path to your data source on your computer. The time zone for our case should
be (GMT+3:00) Africa/Nairobi. Keep the sector size on auto detect unless you know the
sector size. Hash values are used for verification and end up in your final report, so you do
need them. There are many tools used to create hash values, as discussed in our lectures,
but you can just use AccessData FTK Imager to create the hash value for Lab_03.dd.
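The verification that step 4 relies on is simple to reproduce outside FTK Imager. The following script is an added example, not part of the lab handout or of Autopsy: it hashes an image file in fixed-size chunks (so a multi-gigabyte .dd does not have to fit in memory), records the MD5 and SHA-256 digests the way an acquisition tool would, and then checks an intact copy and a copy with a single flipped bit against those recorded values. The image contents, file names and temporary directory are constructed for the demonstration; in the lab you would point `hash_file` at Lab_03.dd and compare against the digests printed by FTK Imager.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash 1 MiB at a time so large .dd images are never fully loaded


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at path, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare the image at path against the digests recorded at acquisition time.

    expected maps algorithm name -> hex digest; the result maps each algorithm -> True/False.
    """
    actual = hash_file(path, tuple(expected))
    return {name: actual[name] == digest.lower() for name, digest in expected.items()}


def demo(payload=b"abc"):
    """Write a constructed image, record its hashes, then verify an intact and a tampered copy."""
    workdir = tempfile.mkdtemp(prefix="dflab03_")
    original = os.path.join(workdir, "Lab_03.dd")  # constructed stand-in for the lab image
    with open(original, "wb") as fh:
        fh.write(payload)
    recorded = hash_file(original)  # the values an acquisition tool would put in the report

    intact = os.path.join(workdir, "Lab_03_copy.dd")
    with open(intact, "wb") as fh:
        fh.write(payload)

    tampered = os.path.join(workdir, "Lab_03_tampered.dd")
    with open(tampered, "wb") as fh:
        fh.write(payload[:-1] + bytes([payload[-1] ^ 0x01]))  # flip one bit in the last byte

    return {
        "recorded": recorded,
        "intact": verify_image(intact, recorded),
        "tampered": verify_image(tampered, recorded),
    }


if __name__ == "__main__":
    result = demo()
    for name, digest in result["recorded"].items():
        print(f"{name}: {digest}")
    print("intact copy verifies:", all(result["intact"].values()))
    print("tampered copy verifies:", all(result["tampered"].values()))
```

Recording both MD5 and SHA-256 is deliberate: many older reports and tools still quote MD5, while SHA-256 is what a reviewer will expect today, and a mismatch in either one is enough to question the integrity of the image.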

5. The next step is the configuration of ingest modules, where we specify how we are going to
process the data we just loaded (i.e., Lab_03.dd). What you see are the default modules;
you can add more modules and even configure your own. Here is a summary of a
few modules; you can study more modules in the Autopsy documentation.
- Recent Activity: Goes through and looks at things like web activity, user activity,
recent documents and recently installed programs. Any recent activity on the system is
extracted and placed in a category that is easily available to the investigator.
- Hash Lookup: We can set up hash databases of known good files and known bad files,
and use the known-good hash database to filter out files that we know are good, as we don't
necessarily want to see them in Autopsy. Files that match the known-bad hash
database are automatically flagged for us to review. To add a hash set, go to
global settings; however, we won't do that in this lab.
- Extension Mismatch Detector: Once set, it checks each file against its extension; if there
is a mismatch, the file is flagged as suspicious.
- Embedded File Extractor: For files that are compressed, like zip files, this module
goes in, decompresses them and indexes all the contained files.
- Picture Analyzer: This module looks at images and extracts things like EXIF
(Exchangeable Image File Format) data from JPEGs. It might contain locations, timestamps, the
applications that were used to modify the photo and the camera settings.
- Keyword Search: You can search by email address, phone number, IP addresses,
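The Extension Mismatch Detector above works by comparing a file's extension with what its leading bytes say it is. The script below is an added example written for this lab, not Autopsy's own module or signature table: it keeps a small, constructed table of magic bytes (JPEG, PNG, GIF, PDF, ZIP-based Office documents and legacy OLE2 Office files), identifies each file from its first bytes and flags it only when the content type is recognised and the extension is not one that type legitimately uses. The sample files are constructed in memory to stand in for entries on the lab image; `flagged` returns the names an investigator would want to review.

```python
import os

# Magic-byte table constructed for this example; Autopsy ships its own, much larger, signature set.
# Each entry: (leading bytes, detected type, extensions that legitimately carry that type).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar"}),  # OOXML documents are ZIP containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {"doc", "xls", "ppt", "msg"}),  # legacy Office
]


def identify(header):
    """Return (type, allowed extensions) for the first matching signature, or (None, set())."""
    for magic, ftype, exts in SIGNATURES:
        if header.startswith(magic):
            return ftype, exts
    return None, set()


def check_file(name, data):
    """Compare a file's extension with the type implied by its leading bytes."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ftype, allowed = identify(data[:16])
    return {
        "name": name,
        "extension": ext,
        "detected": ftype or "unknown",
        # Unknown content is not flagged: no signature means no evidence of a mismatch.
        "mismatch": ftype is not None and ext not in allowed,
    }


def flagged(files):
    """Names of files whose extension disagrees with their content, sorted for stable output."""
    return sorted(name for name, data in files.items() if check_file(name, data)["mismatch"])


# Constructed sample files standing in for entries on the lab image.
SAMPLE_FILES = {
    "report.docx": b"PK\x03\x04\x14\x00" + b"[Content_Types].xml...",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "notes.txt": b"%PDF-1.4\n1 0 obj\n",                  # a PDF renamed to look like plain text
    "holiday.jpg": b"PK\x03\x04\x14\x00" + b"\x00" * 32,  # an archive renamed to look like a picture
    "readme.txt": b"Just some plain text, no magic bytes.",
}


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        r = check_file(name, data)
        print(f"{name:12s} detected={r['detected']:8s} mismatch={r['mismatch']}")
```

Note the deliberate choice not to flag unrecognised content: a detector that treated every unknown header as suspicious would bury the two interesting files under every plain-text and proprietary file on the drive.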

6. Find deleted files by going to File Views, File Types, By Extension, where we can see that
Documents has 5 files. Clicking on these Office files, more information is then displayed in
the DataResult Window Listing. Take your time to explore all columns and click each file
to view its information in the different views. The red X on the files indicates that these files
were deleted.

7. Before you recover these files, you can create labels for the deleted files. This step is
important for report generation. To create a label, right-click the file and create a tag.

8. Once all tags are created, you can extract the selected files, which will be exported to the
Export folder in the file structure created for the case.
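In steps 6 to 8 Autopsy lists the deleted documents from the file-system metadata that deletion left behind (the directory entry is marked free, but the name and data blocks remain). When that metadata is gone, the complementary technique is file carving: scanning the raw image for known header and footer byte sequences and copying out everything in between. The script below is an added example, not code from the lab or from Autopsy: it carves JPEG and PDF files from a constructed 16-sector image that contains one live text file and two documents with no directory entry at all, and can write the recovered files to an export folder in the same spirit as step 8. The signature table is a constructed subset; a real carver handles many more formats and fragmented files.

```python
import os

SECTOR = 512

# Header/footer pairs for the formats carved here (constructed subset; real carvers know many more).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, max_size=10 * 1024 * 1024):
    """Scan a raw image for header/footer pairs; return [(type, offset, data)] sorted by offset.

    No file-system metadata is consulted, so files whose directory entry is gone are still found.
    """
    found = []
    for ftype, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + max_size)
            if end < 0:  # header with no footer within max_size: skip it and keep scanning
                pos = start + 1
                continue
            end += len(tail)
            found.append((ftype, start, bytes(image[start:end])))
            pos = end
    found.sort(key=lambda item: item[1])
    return found


def write_carved(found, export_dir):
    """Write each carved file as carved_<offset>.<type> inside export_dir; return the paths."""
    os.makedirs(export_dir, exist_ok=True)
    paths = []
    for ftype, offset, data in found:
        path = os.path.join(export_dir, f"carved_{offset}.{ftype}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image():
    """Construct a 16-sector image: one live text file plus two documents with no directory entry."""
    fake_jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
    fake_pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF"
    image = bytearray(16 * SECTOR)
    image[2 * SECTOR:2 * SECTOR + 24] = b"live file, still indexed"
    image[4 * SECTOR:4 * SECTOR + len(fake_jpg)] = fake_jpg    # "deleted" picture at sector 4
    image[10 * SECTOR:10 * SECTOR + len(fake_pdf)] = fake_pdf  # "deleted" document at sector 10
    return bytes(image), {"jpg": fake_jpg, "pdf": fake_pdf}


if __name__ == "__main__":
    image, _ = build_sample_image()
    for ftype, offset, data in carve(image):
        print(f"{ftype} at byte {offset} (sector {offset // SECTOR}), {len(data)} bytes")
```

Carved output has no file name, timestamps or owner, which is exactly why the lab prefers Autopsy's metadata-based listing when it is available: the tag and export steps above keep the original names and the deletion context that a report needs, while carving is the fallback when the file system no longer records the file.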

9. At this point we have recovered the deleted files and can present our findings on the
investigation. We can create a report on the case by going to Generate Report. An HTML
report will look like this.


Lab Report
For this lab, your report is just one page, including a screenshot of your stage 8.
Print your report and submit it in class by 16th June by midnight.

A sample report for this lab is shown below:

Institute of Accountancy Arusha (IAA)


Masters in Information Security (MIS)

Course: Computer Forensics


Code: ISM09204

Group Members
1. Nicodemus Msafiri Mbwambo | Adm No. A1202

Lab 03 Report
The following is a screenshot of my work at steps 8 and 9. The screenshots show …..
(write your discovery and your understanding of the lab. Your explanations should still keep the report to
only two pages)