
Nhom 1-Lab 2

Lab 2 focuses on data carving techniques using Virtualbox and Kali 2021.4, requiring specific installations and configurations. It includes scenarios for recovering hidden or deleted files and provides step-by-step instructions for extracting images from corrupted documents and carving USB images. Students must submit a full-screen image of their work as a PDF with specific naming and emailing instructions.

Uploaded by

locpdtse171275

Lab 2: Data Carving

What You Need for this lab


− Install VirtualBox: https://www.virtualbox.org/wiki/Downloads
− Install Kali 2021.4: https://old.kali.org/kali-images/kali-2021.4/
  ▪ Note: we suggest you configure the disk size of the Kali VM as 80G, because the size of each leakage-case image is 30G+.
− Run the tool installation script by following its instructions, or simply run the commands below (the script is tested ONLY on Kali 2021.4):
  − wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
  − chmod +x tool-install-zsh.sh
  − ./tool-install-zsh.sh
Example scenarios
− Scenario 1: A file (A) is hidden inside another file (B). You can't open file B because B's header is corrupted.
− Scenario 2: A suspect deleted files. The files contain important information. A file occupies a few clusters. Unfortunately, some clusters have been reused (overwritten) by new files.
A forensic expert really wants to recover the files, even partial files.
1. Extracting images from a corrupted Word document
Step 1.
− Prepare required files
Step 2.
− View the file in the HxD editor

Step 3.
− Search for the file header start offset: 0F5E

− Search for the file trailer end offset: 15B93

− Select the hex from header to trailer
  • (0F5E)₁₆ = (3934)₁₀
  • (15B93)₁₆ = (88979)₁₀

− Copy the selection

− Paste the selection

− Save the image


Step 4.
−​ Show the carved image
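
The manual HxD selection above, automated as an added example (not part of the original lab or its tool script). It assumes the embedded image is a JPEG; `carve_jpegs` and `build_sample` are hypothetical names, and the sample buffer is constructed so that its markers sit at the offsets quoted in Step 3.

```python
# Added example: header/trailer carving, the scripted form of the HxD steps.
# Assumption: the hidden image is a JPEG (header FF D8 FF, trailer FF D9).

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image signature (header)
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker (trailer)


def carve_jpegs(data, max_size=20 * 1024 * 1024):
    """Return [(start, end, blob)]; end is the offset of the last trailer byte.

    The first trailer after a header is used, so a JPEG that embeds a
    thumbnail would be cut at the thumbnail's end and needs manual review.
    """
    carved, pos = [], 0
    while (start := data.find(JPEG_SOI, pos)) != -1:
        eoi = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if eoi == -1:
            break  # no trailer after this header (e.g. overwritten clusters)
        end = eoi + len(JPEG_EOI) - 1  # inclusive, like a hex editor selection
        if end - start + 1 > max_size:
            pos = start + 1  # implausible span, probably a stray header
            continue
        carved.append((start, end, data[start:end + 1]))
        pos = end + 1
    return carved


def build_sample():
    """Constructed stand-in for the corrupted document (not the lab's file)."""
    start, end = 0x0F5E, 0x15B93  # header and trailer offsets from Step 3
    body = b"\x11" * (end - start + 1 - len(JPEG_SOI) - len(JPEG_EOI))
    return b"\x00" * start + JPEG_SOI + body + JPEG_EOI + b"\x00" * 64


if __name__ == "__main__":
    for start, end, blob in carve_jpegs(build_sample()):
        print(f"header 0x{start:04X} ({start})  "
              f"trailer end 0x{end:X} ({end})  {len(blob)} bytes")
```

To carve a real file, pass the bytes read from it to `carve_jpegs` and write each returned blob to a new file, leaving the evidence file unmodified.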

2. Carving/Recovering a USB image

− Prepare a USB image for file carving
Step 1.
− Download the zipped USB image

− Compute hashes
− List the content of the zipped file

− Verify the hashes

Step 2.
− Examine the content of the USB
− Display partitions

− Find deleted files

− Decide which file types need to be carved

− Save it and quit!

− Show help
Step 3.
− Carve the USB image

− Show carved files

− Show audit log
Step 4.
− Display two carved JPG images
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Save the document with the filename "YOUR NAME Lab 2.pdf", replacing "YOUR
NAME" with your real name.
Email the image to the instructor as an attachment to an e-mail message. Send it
to: [email protected] with a subject line of "Lab 2 From YOUR NAME", replacing "YOUR
NAME" with your real name.
