Forensic Tool Usage

This document provides a tutorial on forensic acquisition of evidence using VirtualBox and Autopsy. It outlines the steps to create and run a virtual machine from a VHD image, as well as the tools used for the investigation, such as ADSSpy and CPorts. The tutorial emphasizes the importance of prior knowledge and proper setup for effective forensic analysis.

Uploaded by tomasjohn010

Forensic Acquisition of Evidence

LO3 Tutorials
BACKGROUND
PRIOR KNOWLEDGE

To continue with these tutorials you should have completed the Image Acquisition
Tutorial on the forensics VLE. That tutorial leaves you with a cloned image of a USB
pen drive and a VHD image of a physical HDD.

Both of these images should now be loaded into Autopsy for further investigation,
and the MD5 hash of any "original" file you are searching for should be loaded
into the "Hash Lookup" ingest module. Keep the MD5 recorded for the VHD itself at
acquisition time to hand as well: you will use it to confirm the image is unchanged
before and after it is booted.

We will be using the files that are loaded into Autopsy, as well as running the VHD
inside virtualization software, Oracle VM VirtualBox.

LOADING THE VHD INTO VIRTUALBOX

Loading the VHD into VirtualBox can be done in one of two ways:

The first is to create a blank virtual machine and attach the VHD to it as its hard
disk, just as you would fit a physical disk into a physical machine. This creates an
environment in which the operating system on the VHD runs as if it were on real
hardware.

The second is to open an existing virtual machine from its configuration file.

Whichever way you choose, remember that booting the disk writes to it (registry
hives, event logs, the pagefile), so never boot the only copy of your image. Work
from a copy whose MD5 matches the acquisition hash, or set the disk to immutable in
VirtualBox so that writes go to a differencing image, and leave the network adapter
disabled unless a task needs it.

CREATING A MACHINE FROM SCRATCH

To create a virtual machine from scratch, follow the wizard and choose the right
options. The key is to read each page of the wizard as you go so that you
understand what it is you are creating.

STEPS TO CREATING A VIRTUAL MACHINE:

1. Open Oracle VM VirtualBox Manager

2. Click on the NEW button

3. Give your virtual machine a name, and select the type of operating system
you are going to be running on it. (This does not matter much, as all of the
settings can be changed afterwards.)

4. On the next page, change the amount of RAM to what your computer can spare
for a virtual machine (and what the guest OS will need).

5. On the next page you are asked about a hard disk. This is where we attach
the VHD created in the last tutorial: choose the option to use an existing
virtual hard disk file and select the VHD (a verified copy, not the original).

6. Click Create

7. Back on the main screen you should now see that your virtual machine has
been created and is powered off. To start it, click the big green arrow
labelled Start.

8. Once the machine is up and running you can deploy tools to examine its
contents, check running services, and investigate the HDD in a live
environment.

RUNNING A VIRTUAL MACHINE FROM A SET OF CONFIGURATION FILES

If you have previously set up the virtual machine, or have moved the folder it is
kept in to a different computer, you can easily recreate the same environment
(provided you still have the files) by opening its configuration file in VirtualBox
Manager.

1. Open the folder of the virtual machine you created earlier.

2. You should see two or three files named after the machine.

3. The smaller of the two VirtualBox files (the ones with the small cube icon) is
the configuration file; it has the .vbox extension. The large file is the
virtual disk itself.

4. Double-click the .vbox file and the virtual machine should load into the
VirtualBox Manager. There may be errors about network adapters; we will
tackle these in the next few steps.

5. To make sure everything runs smoothly (we may have moved the VM to a
computer with different physical hardware), open the settings cog.

6. The main setting to check is the network adapter, as this causes most of the
problems in our rooms: a bridged adapter is tied to the name of the old
computer's network card, which does not exist on the new one.

7. Give the machine a network connection only if it is required; otherwise set
the adapter to "Not attached". Isolating the guest also stops anything running
inside the evidence image from reaching the lab network.
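The two procedures above (CREATING A MACHINE FROM SCRATCH and RUNNING A VIRTUAL MACHINE FROM A SET OF CONFIGURATION FILES) can also be done from the command line with VBoxManage, which makes the integrity and isolation checks repeatable. The script below is an added example and is not part of the tutorial or of VirtualBox's own documentation. It assumes VirtualBox is installed in its default Windows location, that the VHD is C:\Evidence\hdd.vhd, that the MD5 recorded at acquisition is the single line in C:\Evidence\hdd.vhd.md5, and that the host runs Windows PowerShell 4.0 or later (for Get-FileHash); the VM name, OS type and paths are placeholders to change for your lab.

```powershell
# Added example, not part of the tutorial: the two VM set-up procedures done with
# VBoxManage instead of the wizard, with the image-integrity and isolation checks.
# Assumptions (mine, not the tutorial's): default VirtualBox install path, VHD at
# C:\Evidence\hdd.vhd, acquisition MD5 in C:\Evidence\hdd.vhd.md5, PowerShell 4.0+.
$VBoxManage = "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
$Vhd        = "C:\Evidence\hdd.vhd"
$KnownMd5   = (Get-Content -Path "C:\Evidence\hdd.vhd.md5" -TotalCount 1).Trim().ToLower()
$VmName     = "LO3-Evidence"

function Test-ImageHash([string]$Path, [string]$ExpectedMd5) {
    # True only if the file on disk still matches the acquisition hash.
    $actual = (Get-FileHash -Path $Path -Algorithm MD5).Hash.ToLower()
    return ($actual -eq $ExpectedMd5.ToLower())
}

# 1. Prove the image is the one you acquired before VirtualBox touches it.
if (-not (Test-ImageHash $Vhd $KnownMd5)) {
    throw "MD5 mismatch for $Vhd; do not boot this image."
}

# 2. Booting a disk writes to it (registry hives, event logs, pagefile). Marking
#    the VHD immutable makes VirtualBox send all writes to a differencing image,
#    so the file you just hashed stays byte-identical. VirtualBox discards that
#    differencing image on every power-on, so each boot starts from the clean
#    image (set --autoreset off on the differencing image if you need to keep it).
& $VBoxManage modifymedium disk $Vhd --type immutable

# 3a. From scratch: register the VM, set RAM, add a SATA controller and attach the
#     VHD as its only disk. This is what the wizard does behind the scenes.
& $VBoxManage createvm --name $VmName --ostype "Windows7" --register
& $VBoxManage modifyvm $VmName --memory 2048 --vram 32
& $VBoxManage storagectl $VmName --name "SATA" --add sata --controller IntelAhci
& $VBoxManage storageattach $VmName --storagectl "SATA" --port 0 --device 0 `
    --type hdd --medium $Vhd

# 3b. Or, for a VM moved from another PC, skip 3a and register its .vbox file,
#     which is the configuration file the tutorial refers to:
# & $VBoxManage registervm "C:\VMs\LO3-Evidence\LO3-Evidence.vbox"

# 4. Network isolation. Anything running inside an evidence image may try to
#    phone home, and a bridged adapter tied to the old PC's NIC is the usual cause
#    of the adapter errors after a move. Detach it; if a task really needs a
#    network, host-only keeps the guest off the lab LAN.
& $VBoxManage modifyvm $VmName --nic1 none
# & $VBoxManage modifyvm $VmName --nic1 hostonly --hostonlyadapter1 "VirtualBox Host-Only Ethernet Adapter"

# 5. Review the result, then start the live session.
& $VBoxManage showvminfo $VmName | Select-String -Pattern "Memory size|NIC 1:|SATA \(0, 0\)"
& $VBoxManage startvm $VmName --type gui

# 6. When the session is over, run Test-ImageHash $Vhd $KnownMd5 again; it must
#    still return True for the image to remain usable as evidence.
```

If you would rather keep a single persistent live session than start clean on every boot, leave the disk type alone and take a snapshot before the first start instead (VBoxManage snapshot "LO3-Evidence" take "pre-boot"); the hash check before and after still applies, because a snapshot protects the VM state, not the integrity of your evidence copy.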

USING THE TOOLS INSIDE THE VHD

The tools we are going to use inside the VHD are the following:

1. ADSSpy
a. Searches for Alternate Data Streams, such as the one you created from
the command line in a previous tutorial (Secret Text).
2. CPorts
a. Lists all open ports on the computer, which will help us see whether
anything is connecting to, or out of, the VHD remotely once it is loaded.
3. Index.dat Viewer
a. Shows browser history from Internet Explorer's index.dat files, including
entries that were deleted from the browser's own history view.
4. PSTools
a. A set of Microsoft Sysinternals command-line tools for verifying system,
process and user information.
5. MSInfo32
a. The built-in System Information tool in Windows.

MSINFO32

Once your virtual machine has loaded, you can use this built-in tool to gather
important system information. To do this, follow these steps:

1. Click the Start button

2. Click Run
3. Type the following:
a. Msinfo32.exe
4. Click OK
Using this tool, you would be able to gather information like the following:

 System Summary
o OS Version
o Service Pack
o System Name
 Hardware Resources
o IRQs
o Any hardware conflicts
 Components
o Devices installed onto the machine
 Software Environment
o Drivers
o Environment Variables
 Internet Settings
o IE Settings
o Versions
o Security Settings

PSTOOLS

These tools are command-line based; you would normally put them into a folder and
share it with the VHD, but the VHD you are given should have them pre-loaded for
your convenience. Follow these steps to gather information using these tools:

1. Click Start
2. Click Run
3. Type the following:
a. CMD
4. Once in the command prompt, use the change directory command (cd) to make
your working directory the same as the tools directory.

5. This ensures we are in the right directory (yours may be different).

6. From here we can use a range of tools to gather information; if you just type
the tool name there should be some output that will be of use.

7. Each of the .exe files in the folder is a tool you can use to gather
information.
8. Try them all and see what information you can gather.
9. If you are unsure what you are seeing, choose one of the tools and use the
help switch "/?" to get information on that particular tool:
a. PsExec.exe /?

CPORTS UTILITY

CPorts (CurrPorts) is a simple utility with a graphical user interface that
displays the currently open TCP and UDP ports on a system, together with the
process that owns each one. You should be checking here to see whether any
unusual ports are open on the virtual machine. As the tool runs on the machine
being examined, cross-check its list against the operating system's own view
(netstat -ano) and against the running processes shown by PSTools.
INDEX.DAT VIEWER

This utility lets us see deleted browser history. Internet Explorer keeps its
history and cache index in index.dat files, and entries remain there after the
user clears the history in the browser, which is why the viewer can still show
them. To gather information, run the application and click "Scan".

You will be given a list of entries that you can then view. Just double-click an
entry to open it.
ADSSPY

When running ADSSpy to find alternate data streams we need to set a couple of
options so that we scan everything we need to and generate MD5s, which let us
verify what we find against the hashes of the original files loaded into Autopsy.

When and if you find one, it should appear in the bottom of the application,
showing a size in bytes, the location of the stream, and an MD5.

If you right-click on this and select "View Stream Contents" you should be able to
see what is inside the data stream.
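The MSINFO32, PSTOOLS, CPORTS UTILITY and ADSSPY sections above each run a tool by hand and read the result off the screen. The script below is an added example, not part of the tutorial and not the vendors' code, that runs the same checks unattended inside the booted VHD and writes every result to a dated folder with an MD5 manifest, so the findings can later be shown to be unaltered. It assumes PSTools is in C:\Tools\PSTools inside the guest, that results go to E:\ (a second attached disk or shared folder, never the evidence drive), and that the guest runs Windows PowerShell 3.0 to 5.1; the choice of PsTools utilities (psinfo, pslist, psservice, psloggedon) is mine, and netstat and the stream listing stand in as operating-system cross-checks for CPorts and ADSSpy.

```powershell
# Added example, not part of the tutorial: scripted pass over the tools the
# MSINFO32, PSTOOLS, CPORTS and ADSSPY sections run by hand, with an MD5 manifest.
# Assumptions (mine, not the tutorial's): PSTools in C:\Tools\PSTools, output to
# E:\ (not the evidence drive), Windows PowerShell 3.0 to 5.1 in the guest.
$ToolsDir = "C:\Tools\PSTools"
$ScanRoot = "C:\"    # where to look for alternate data streams
$OutDir   = Join-Path "E:\" ("triage-" + (Get-Date -Format "yyyyMMdd-HHmmss"))
New-Item -ItemType Directory -Path $OutDir | Out-Null
$Manifest = Join-Path $OutDir "hashes.md5"

function Get-BytesMd5([byte[]]$Bytes) {
    # Lower-case hex MD5, the format ADSSpy shows and Autopsy's Hash Lookup expects.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    ($md5.ComputeHash($Bytes) | ForEach-Object { $_.ToString("x2") }) -join ""
}

function Add-ToManifest([string]$File) {
    # Record "<md5>  <path>" for a result file (md5sum format).
    "{0}  {1}" -f (Get-BytesMd5 ([System.IO.File]::ReadAllBytes($File))), $File |
        Add-Content -Path $Manifest
}

function Save-Output([string]$Name, [scriptblock]$Command) {
    # Run one collection step, keep its text output and hash the result file.
    $file = Join-Path $OutDir "$Name.txt"
    & $Command 2>&1 | Out-File -FilePath $file -Encoding ASCII
    Add-ToManifest $file
}

# MSINFO32: the same tree the GUI shows, exported to text with the /report switch.
# -Wait blocks until msinfo32 exits, i.e. until the report is fully written.
$report = Join-Path $OutDir "msinfo32.txt"
Start-Process -FilePath "msinfo32.exe" -ArgumentList "/report", ('"' + $report + '"') -Wait
Add-ToManifest $report

# PSTOOLS: -accepteula stops the licence dialog from stalling an unattended run.
Save-Output "psinfo"     { & (Join-Path $ToolsDir "psinfo.exe")     -accepteula }
Save-Output "pslist"     { & (Join-Path $ToolsDir "pslist.exe")     -accepteula -t }
Save-Output "psservice"  { & (Join-Path $ToolsDir "psservice.exe")  -accepteula }
Save-Output "psloggedon" { & (Join-Path $ToolsDir "psloggedon.exe") -accepteula }

# CPORTS cross-check: the OS's own socket table with owning PIDs, so every
# listener or remote connection can be matched to a process in pslist.
Save-Output "netstat" { & netstat.exe -ano }

# ADSSPY cross-check: every named NTFS stream under $ScanRoot with its size and
# the MD5 of the stream data, which is what ADSSpy reports for a hit.
# Zone.Identifier is the browser's "downloaded from the internet" marker and is
# flagged as expected noise rather than hidden, so nothing is silently dropped.
function Get-AlternateStreams([string]$Root) {
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [byte[]]$bytes = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                -Encoding Byte -ReadCount 0 -ErrorAction SilentlyContinue
            if ($null -eq $bytes) { $bytes = [byte[]]@() }    # empty or unreadable stream
            New-Object PSObject -Property @{
                File   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
                MD5    = Get-BytesMd5 $bytes
                Noise  = ($_.Stream -eq 'Zone.Identifier')
            }
        }
}

$streams = Get-AlternateStreams $ScanRoot
$adsFile = Join-Path $OutDir "ads.txt"
$streams | Sort-Object Noise, File |
    Format-Table -AutoSize Noise, Bytes, MD5, Stream, File | Out-File -FilePath $adsFile -Width 400
Add-ToManifest $adsFile

# What to look at first: streams that are not download markers. These are the
# ones to open in ADSSpy ("View Stream Contents") and to compare, by MD5, with
# the originals loaded into Autopsy's Hash Lookup.
$streams | Where-Object { -not $_.Noise } | Format-Table -AutoSize Bytes, MD5, Stream, File
```

Run it from an elevated PowerShell prompt inside the guest (Start, Run, powershell, then the script path); copy the output folder off the VM before the session ends, since an immutable disk or a reverted snapshot discards anything written inside the guest, and the manifest's MD5s let you show later that the saved reports match what was collected.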
