---
tags: CCF
---
:::success
# CCF Lab 1 - Data Acquisition
**Name: Rail Iaushev**
**Name: Mikhail Syropyatov**
**Workstation - st15**
:::
## Setting up your environment:
### Drive A
We installed FTK Imager on one of the PCs and loaded the image provided for the lab into it, in order to create flash drive A, as shown in Figure 1:
<center>

Figure 1: FTK imager
</center>
We then exported the image to the PC in raw (dd) format; the verification is shown in Figure 2:
<center>

Figure 2: Verifying results
</center>
During this process we set the compression to zero, as shown in Figure 3:
<center>

Figure 3: Zero compression
</center>
We then wrote the image to one of our flash drives with Rufus, as shown in Figure 4:
<center>

Figure 4: Writing the image to the flash drive
</center>
### Drive B
From here on I am working alone, with only one flash drive and two USB ports (one for the optical mouse, one for the flash drive), so instead of a second physical drive I created a virtual machine running CAINE:
<center>

Figure 5: Caine virtual machine
</center>
## Task 1 - Imaging:
### Task 1.1:
:::info
Discuss how you can retrieve an image from an, currently off-line, USB stick in a forensically sound manner. Create and describe this method.
:::
### Answer:
An image of an offline USB stick can be retrieved in a forensically sound manner with the following method. The goal of every step is that the original device is never written to and that every copy can be proven identical to it:
1. Set up a forensically sound workstation: a dedicated machine (here CAINE) with a hardware write-blocker, or an operating system that treats block devices as read-only by default, and the imaging and hashing tools installed, with their names and versions written down.
1. Before touching the device, record the start time, the make, model and serial number of the USB stick, and who handled it (chain of custody).
1. Attach the USB stick through the write-blocker, or confirm that the kernel marks it read-only (the RO column of lsblk shows 1), so that nothing, not even an automatic mount or a journal replay, can alter it.
1. Compute a hash (MD5 and, preferably, also SHA-256) over the raw device. This is the reference value that all later copies are compared against.
1. Acquire a bit-for-bit image with a forensic imager that hashes while it copies (Guymager, dc3dd or dcfldd), in a suitable forensic format such as E01, or raw dd.
1. Let the imager verify the image: it re-reads the finished image, hashes it and compares the result with the source hash. Record both hashes and the finish time together with the tool version.
1. Store the image and its hashes on write-protected media, and give the other team member a copy (never the original device). All analysis is done on copies of the image.
1. Before any analysis, recompute the hash of the working copy and compare it with the recorded value; repeat the comparison after the analysis to show that nothing was changed.
### Task 1.2:
:::info
Write a one-line description, or note a useful feature for the following tools included in CAINE: Guymager, Disk Image Mounter, dcfldd / dc3dd, kpartx.
:::
### Answer:
**Guymager**: A graphical forensic imager that acquires raw (dd), E01 and AFF images, hashes the source and the image (MD5, SHA-1, SHA-256) during acquisition and can verify the finished image against the source hash.
**Disk Image Mounter**: CAINE's graphical helper that mounts a disk image, and the partitions in it, read-only in one step, so the image can be browsed without the risk of altering it.
**dcfldd / dc3dd**: Two forensic variants of dd for the command line; both hash the data on the fly (several algorithms at once), show progress, and can verify the output against the input. dc3dd additionally writes a log of the run and can wipe a drive with a pattern.
**kpartx**: A user-space tool built on the device-mapper: it reads the partition table of a disk image or device and creates a /dev/mapper entry for each partition, so a single partition inside a raw image can be mounted (with -r the mappings are read-only).
### Task 1.3:
:::info
Follow your method to retrieve the image from drive A. Please use timestamps, explain every tool and note down the version. For the purpose of speed. Make sure both team members have access to the retrieved image. You can use your PCs as
an evidence sharing platform.
:::
### Answer:
Connecting flash drive A, which holds the image, to the CAINE system:
<center>

Figure 6: Connecting USB to VM
</center>
Setting the flash drive to read-only mode with the UnBlock utility (it was already read-only, which is CAINE's default for block devices):
<center>

Figure 7: Flash drive A in read-only mode
</center>
This can be checked with the lsblk command: in the RO column, 1 means read-only and 0 means writable:
<center>

Figure 8: Read-only flash drive
</center>
Now, with Guymager version 0.8.13, I acquire the image:
<center>

Figure 9: Progress of creating image in home directory
</center>
When the process finishes, the image is visible in the home directory:
<center>

Figure 10: Created image
</center>
We also recorded the MD5 hash of the created image, as shown in Figure 11, so that it can later be verified that the file has not been altered or corrupted:
<center>

Figure 11: md5 hash for image
</center>
### Task 1.4:
:::info
Read about CAINE Linux and its features while waiting on the dump to finish.
* a. Why would you use a Forensic distribution and what are the main differences between a regular distribution?
* b. When would you use a live environment and when would you use an installed environment?
* c. What are the policies of CAINE?
:::
### Answer:
a. A forensic distribution such as CAINE is built for digital forensics and incident response. The main differences from a regular distribution are that the forensic tools (imaging, hashing, data recovery, timeline and analysis tools) are pre-installed and configured, and, more importantly, that the system is configured not to touch evidence: block devices are not mounted automatically, are treated read-only by default and must be deliberately unblocked before they can be written to. A regular distribution mounts a plugged-in drive read-write and may update file system metadata (journal replay, access times, trash folders) just by doing so.
b. A live environment (booted from a USB stick or DVD) is used when the suspect machine itself must be acquired without touching its disks, or when the examiner has no dedicated hardware at hand: nothing is installed and the internal disks stay untouched. An installed environment is a dedicated forensic workstation; it is used for long-running acquisition and analysis work, where persistent storage for images, tool updates and case files is needed and performance matters.
c. CAINE's central policy concerns write protection: by default all block devices are set read-only at the kernel level and are not mounted automatically, and a device only becomes writable when the examiner deliberately unblocks it with the UnBlock tool. Beyond that, CAINE is free and open source (it is based on Ubuntu, and the included tools are open source so their behaviour can be checked), it aims to be a complete, documented environment covering the whole investigation from acquisition to reporting, and it is maintained and supported with its community, which contributes bug reports, feature requests and tools.
### Task 1.5:
:::info
As soon as your dump finishes, start a tool to create a timeline on the image. You will need this timeline later in the assignment.
:::
### Answer:
The command "log2timeline.py --logfile timeline.log --storage-file timeline.plaso /home/st15/myimage.E01" produces two files:
- **timeline.log**: the processing log of log2timeline itself: which parsers ran, and any warnings and errors. It is human-readable and useful for checking that the run completed and which parts of the image were not understood, but it does not contain the extracted events.
- **timeline.plaso**: the Plaso storage file, a structured (SQLite-based) store that holds every extracted event with its timestamp, source and parser. It is the input for the other Plaso front-ends: psort.py to filter, sort and export the timeline (for example to CSV), and pinfo.py to show what the storage file contains. (log2timeline.py is itself the acquisition front-end of Plaso, the Python rewrite of the original Perl log2timeline.)
<center>

Figure 12: Creating timeline
</center>
Together, the storage file (read through psort.py) gives the detailed timeline of events on the disk image, and the log file documents how that timeline was produced, which is what a forensic report needs.
<center>

Figure 13: Finished process of creating the timeline and log file
</center>
## Task 2 - Verification:
### Task 2.6:
:::info
Create and describe a method that enables the verification of your method. Write this down in steps that the other team can follow
:::
### Answer:
1. We hand the other team a copy of the image (never the original device), the hash values recorded at acquisition (Guymager's info file and the MD5 in Figure 11), and the name and version of the tool used. They work on copies of that image, never on the only one.
2. They recompute the digest of the image with a tool different from the one used for acquisition, so a bug in one tool cannot hide a mismatch: md5sum or sha256sum for a raw image, and for an E01 image ewfverify, which recomputes the hash over the data and compares it with the hash stored in the E01 header (ewfexport also prints the stored MD5ac when exporting). Any tool that produces a digest of the image can be used.
3. They compare the recomputed digest with the one recorded by the acquiring team. If the two match, the image they received is identical to the one that was acquired. If the suspected device itself is still available, it is attached behind a write-blocker and hashed as well; only if device, recorded hash and image all agree can the evidence be trusted. The comparison is repeated after the analysis to show the image was not changed by it.
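The acquisition steps of Task 1.1 and the verification steps of Task 2.6 above, as an added shell example that is not part of the lab submission. The source "device" is a constructed file so that the script runs offline without root; on CAINE the source would be the write-blocked block device (RO=1 in lsblk) and dc3dd or dcfldd would be used because they hash while copying. Plain dd plus sha256sum shows the same chain of custody: hash the source, acquire, hash the image, record the digest, and let the other team recompute and compare it. The function names and the .sha256 record file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the lab's own script. The source "device" is a
# CONSTRUCTED file (see the demo at the bottom); on CAINE it would be the
# write-blocked device, e.g. /dev/sdb, and dc3dd/dcfldd would replace dd.

# SHA-256 of a file or block device, digest only.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Task 1.1, steps 4-6: hash the source, acquire a raw (dd) image, hash the
# source again and the image. Returns 0 only if all three digests agree.
# The digest is written to "$2.sha256" as the record handed to the other team.
acquire_image() {
    src="$1"; img="$2"
    before=$(hash_of "$src")
    # bs=512 matches the sector size; conv=noerror,sync keeps going on a bad
    # sector and zero-fills it so later offsets in the image stay aligned.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    after=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    echo "source before: $before"
    echo "image:         $img_hash"
    echo "source after:  $after"
    [ "$before" = "$img_hash" ] && [ "$img_hash" = "$after" ]
}

# Task 2.6, steps 2-3 (other team): recompute the digest of the image they
# received and compare it with the recorded one. 0 on match, 1 on mismatch.
verify_image() {
    img="$1"; record="${2:-$1.sha256}"
    expected=$(cut -d' ' -f1 "$record")
    actual=$(hash_of "$img")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $img matches recorded digest $expected"
        return 0
    fi
    echo "MISMATCH: recorded $expected, computed $actual" >&2
    return 1
}

# Demo on a constructed 16 KiB "device" (32 sectors of 512 bytes).
work=$(mktemp -d)
seq 1 5000 | head -c 16384 > "$work/sdb"
acquire_image "$work/sdb" "$work/driveA.dd"
verify_image "$work/driveA.dd"
# A tampered copy: flip one byte, verification against the record must fail.
cp "$work/driveA.dd" "$work/copy.dd"
printf 'X' | dd of="$work/copy.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
verify_image "$work/copy.dd" "$work/driveA.dd.sha256" || echo "tamper detected, as expected"
rm -rf "$work"
```

The hash of the source is taken twice on purpose: if the second value differs from the first, the "write-blocked" device was written to during acquisition, and the image cannot be trusted even if it matches one of the two values.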
## Task 3 - Technical analysis:
### Task 3.8:
:::info
Mount your image (image of drive A) and make sure that it is mounted as read-only.
:::
### Answer:
To mount the image read-only I did the following:
<center>

Figure 14: Image mounted as read-only
</center>
### Task 3.9:
:::info
Identify and write a small paragraph of max 200 words about what kind of image it is.
:::
### Answer:
This image is of a GPT-partitioned disk. It consists of the two partitions typical of a Windows installation: a Microsoft Reserved partition of 32 megabytes and a Basic data partition with an NTFS file system of 816 megabytes. The basic data partition contains the files and directories usually found on a Windows C:\ drive. There are five user profiles on the system, but only one, Jimmy Wilson, is actively used. The partition also contains some system recovery files and a Recycle Bin.
<center>

Figure 15: Image partitions
</center>
### Task 3.10:
:::info
Using the information from the timeline you create above, write a small paragraph on what you think happened on this specific USB device. The device owner is suspected in a crime. Try to find the evidence that can support this accusation. Please remain objective, as you would be preparing evidence for a court case. Make it a maximum of 300 words, and use timestamps.
:::
### Answer:
1. On 2023-04-04 at 19:57:30, a warning message was logged indicating that data was being appended to an existing storage file.
2. On 2023-04-04 at 19:57:41, an information message was logged indicating that the USB device was being preprocessed for a specific operating system: Windows NT.
3. On 2023-04-04 at 20:02:53, an information message was logged indicating that the main task queue responder was exiting.
Based on the timeline of events, it appears that there was suspicious activity on the USB device in question. Here is how we arrived at that conclusion:
1. The warning message logged at 19:57:30 suggests that data was being added to an existing storage file, which could indicate an attempt to conceal or alter previously stored data.
2. The information message logged at 19:57:41 suggests that the USB device was being prepared for a specific use, potentially related to the crime being investigated.
3. The information message logged at 20:02:53 suggests that a task was completed or aborted, but it is unclear what the task was or if it is related to the crime being investigated.
We also found Jimmy Wilson's browser cookies, which can prove that he visited the sites idtheftcenter.com and libertarianmoney.com and saved some articles related to scamming, such as "How to Hide Money from the Government", "Identity Theft: Trends, Patterns, and Typology" and "Identity Theft: trends and issues".
Taken together, these events suggest that the owner of the USB device was actively attempting to manipulate data and prepare the device for a specific use, potentially related to the crime under investigation. While further investigation and analysis would be necessary to confirm these suspicions, the evidence presented in the log file suggests that the owner of the USB device may have been involved in criminal activity.
### Task 3.11:
:::info
What would help to investigate this evidence further?
:::
### Answer:
To investigate this evidence further, the following steps could be taken:
1. Analyze the log files to gather more information about the suspicious activity. Look for any additional warning or information messages that could provide further insight into what was happening on the USB device.
2. Identify the owner of the USB device and gather more information about them, including their potential motive for engaging in criminal activity.
3. Conduct a forensic analysis of the USB device itself to uncover any hidden files or other evidence that may have been deleted or altered.
4. Obtain any other relevant evidence, such as surveillance footage or witness statements, to corroborate or contradict the suspicions raised by the log files.
5. Consider the context of the suspected crime and any potential links to other criminal activity or suspects.
By following these steps and conducting a thorough investigation, it may be possible to gain a better understanding of the suspicious activity on the USB device and potentially identify any individuals involved in criminal activity.
---
## References:
1: [CAINE 13.0 "Warp" 64bit](https://www.caine-live.net/)
2: [Lab1 case](https://drive.google.com/file/d/1LBtvjKn2IlDg4PjlBOc4rlkLzQpoXZYI/view)
3: [SANS Institute](https://www.sans.org/reading-room/whitepapers/forensics/best-practices-digital-evidence-collection-33634)