Week 2 Lab Investigation Manual-1

The document is a Week 2 Investigation Manual for MSIA 680 at Regis University, detailing a forensic investigation scenario involving a junior developer named Jane at BlacksuitComputing. It outlines the steps for acquiring and analyzing evidence using Autopsy, including adding data sources, configuring ingest modules, and producing reports. The manual also includes revision history and contact information for the author.


MSIA 680 - Week 2 Investigation Manual

Regis University
Revision History

Version   Date        Change Notes                Author Contact
1.4       4/24/2017   Updated for EnCase v.705
1.5       7/14/2020   Updated for Autopsy         [email protected]

Week 2 Lab – Acquisition


Now that you have a little experience navigating the Autopsy interface, you are ready for
your first case. Below is a brief description of the scenario:

Accusation (Investigation Trigger): Jane has just started working for a small software
company, BlacksuitComputing, as a junior developer in the Hong Kong satellite office. She
is replacing another junior developer who left on “ok” terms. She was given a laptop
configured with her corporate email account just after the Christmas holiday and told she
could install whatever software she needed to do her development. The Network Security
Monitoring team contracted by BlacksuitComputing has reported suspicious traffic to and
from Jane’s workstation.

Authorization and Scope: BlacksuitComputing's CEO has authorized a forensic
investigator to examine Jane's systems to identify the source of the suspicious traffic and to
determine whether any sensitive corporate data has been compromised.

The first responder has handed over a raw image of the workstation's memory (janes_ram.001)
and a forensic copy of the workstation's hard drive in EnCase (E01) format (janes_hd.e01).
Your task for this lab is to load both into Autopsy, the hard disk image as a standard data
source and the memory image through the Volatility plugin, and process them for various
artifacts.

Task 1: Add the evidence files to the case you have created in Autopsy.

1. Start Autopsy and select Open Existing Case. Select the case you created in Week 1 and click
Open. Further instructions for opening a case can be found here:
https://sleuthkit.org/autopsy/docs/user-docs/4.19.3/cases_page.html

2. Add a Data Source: To add a data source, follow the instructions in the Autopsy User
Documentation. Make sure to navigate to the Evidence folder on the VM workstation's E:\ drive
and select the janes_hd.e01 file. This is the forensic copy of Jane's hard drive. The Autopsy user
documentation for adding a data source can be found here:
https://sleuthkit.org/autopsy/docs/user-docs/4.19.3/ds_page.html

3. Use ingest modules to analyze the case. Many of the ingest modules require configuration. This
is especially true for the Hash Database Lookup ingest module. Before starting the ingest
process, make sure to properly configure the hash database(s) by reviewing the instructions
here: https://sleuthkit.org/autopsy/docs/user-docs/4.19.3/hash_db_page.html . Take the
time to review the documentation on each of the ingest modules to ensure they are configured
correctly. The following table shows which ingest modules have configuration settings:

Ingest Module                          Configurable   Recommended Settings

Recent Activity Module                 No
Hash Database Lookup Module            Yes            Set up the NIST NSRL hash DB
File Type Identification Module        No
Embedded File Extraction Module        No
EXIF Parser Module                     No
Keyword Search Module                  Yes            Leave Email enabled; add others as you like
Email Parser Module                    No
Extension Mismatch Detector Module     Yes            Default settings are fine
E01 Verifier Module                    No
Android Analyzer Module                No
Interesting Files Identifier Module    Yes            Students can experiment with this module as
                                                      more information becomes available in the case
PhotoRec Carver Module                 No

4. Depending on the resources you were able to dedicate to your VM, running the ingest modules
could take a long time (hours). A suggestion is to start this process at the end of your
evening and let the analysis run overnight. Once the ingest modules complete, you are
ready to begin analyzing the case.

5. Add the evidence file from Jane's RAM: janes_ram.001. Before adding the RAM image, disable
anti-virus on the VM (follow these steps: https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10),
otherwise the scanner may quarantine malicious code that Volatility extracts from memory and
leave you with an incomplete data source. Adding a RAM image requires turning on the Volatility
plugin. Follow these steps:

a. From the main Autopsy screen click on Tools→Plugins→Installed

b. Select Experimental and click on Activate, then click on Close

c. The Volatility plugin should now be active

d. Click on Add Data Source→Memory Image File (Volatility)→Next

e. Browse and select the janes_ram.001 file in your evidence folder. Click on
Open→Next→Next. This should start the processing of the memory file

6. Using the Autopsy User Documentation, familiarize yourself with the UI layout:
https://sleuthkit.org/autopsy/docs/user-docs/4.19.3/uilayout_page.html

7. Using the Autopsy User Documentation, familiarize yourself with the process of tagging
files and results of interest: https://sleuthkit.org/autopsy/docs/user-docs/4.19.3/tagging_page.html

8. Navigate to the reporting module and produce an HTML report. Include an export or
screenshot of your report in your Week 2 Lab report.
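As an added illustration, not part of this manual and not Autopsy's own code, the script below does by hand the two checks that the ingest modules in step 3 automate. The E01 Verifier module compares a disk image against the hash stored inside the E01 container; a raw memory image such as janes_ram.001 carries no stored hash, so the only reference is the value the first responder recorded at acquisition, which is what verify_acquisition() compares against. triage() then applies the Hash Database Lookup precedence rule: a hash in a notable set is always reported, even when the same hash also appears in a known-good set, a known-good hit can be filtered out of review, and everything else is unknown and needs the analyst. The evidence files, the hash-set contents and the md5sum-style one-digest-per-line set format are constructed for the demo; nothing here is derived from the lab's janes_hd.e01 or janes_ram.001 images.

```python
"""Evidence-integrity check and hash-set triage, reduced to a stand-alone script.

Added illustration of what Autopsy's E01 Verifier and Hash Database Lookup
ingest modules do; not Autopsy code. Every file and hash set below is
constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # 1 MiB blocks: a multi-GB image is never held in memory at once


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in a single read pass for every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_acquisition(image_path, recorded_md5):
    """True only if the image we were handed still matches the hash the first
    responder recorded; a raw .001 has no embedded hash, so the custody record
    is the only reference we can verify against."""
    return hash_file(image_path, ("md5",))["md5"] == recorded_md5.strip().lower()


def parse_md5sum_set(text):
    """Parse md5sum-style lines ('<md5>  <name>') into a set of lowercase digests.
    Blank lines, '#' comments and malformed lines are skipped, not trusted."""
    digests = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        candidate = line.split()[0].lower()
        if len(candidate) == 32 and all(c in "0123456789abcdef" for c in candidate):
            digests.add(candidate)
    return digests


def triage(root, known_good, notable):
    """Classify every file under root the way the Hash Database Lookup module does:
    notable wins over known-good, known-good can be filtered from review, and
    anything on neither list is unknown and needs the analyst's attention."""
    verdicts = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        md5 = hash_file(path, ("md5",))["md5"]
        if md5 in notable:
            verdicts[path.name] = "notable"
        elif md5 in known_good:
            verdicts[path.name] = "known"
        else:
            verdicts[path.name] = "unknown"
    return verdicts


def demo():
    """Run both checks against a constructed evidence folder in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = root / "files"
        files.mkdir()
        os_binary = b"MZ" + b"\x00" * 100       # stands in for an OS file listed in the NSRL
        dropper = b"MZ" + b"evil payload"       # stands in for a file on a notable list
        ambiguous = b"present on both lists"    # on both lists: notable must win
        (files / "notepad.exe").write_bytes(os_binary)
        (files / "dropper.exe").write_bytes(dropper)
        (files / "both.bin").write_bytes(ambiguous)
        (files / "notes.txt").write_bytes(b"sprint ideas\n")  # on neither list

        known_good = parse_md5sum_set(
            "# constructed subset of an NSRL-style known-good set\n"
            + hashlib.md5(os_binary).hexdigest() + "  notepad.exe\n"
            + hashlib.md5(ambiguous).hexdigest() + "  both.bin\n")
        notable = parse_md5sum_set(
            hashlib.md5(dropper).hexdigest() + "  dropper.exe\n"
            + hashlib.md5(ambiguous).hexdigest() + "  both.bin\n")

        image = root / "janes_ram.001"  # constructed stand-in, not the lab's image
        image.write_bytes(b"\x00" * (3 * CHUNK_SIZE + 17))
        recorded = hash_file(image, ("md5",))["md5"]  # what the first responder wrote down
        intact = verify_acquisition(image, recorded)
        # flip one byte, as a bad copy or a tampering attempt would
        image.write_bytes(b"\x01" + b"\x00" * (3 * CHUNK_SIZE + 16))
        tampered_detected = not verify_acquisition(image, recorded)

        return {
            "intact": intact,
            "tampered_detected": tampered_detected,
            "verdicts": triage(files, known_good, notable),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as-is to see the verdicts; to use it on real evidence, replace the constructed folder with the E:\ Evidence path and the recorded digest with the value on the chain-of-custody form, and point parse_md5sum_set() at a real md5sum-format hash set.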

