Overview

Introduction

Welcome to the Perform digital forensics Practice Lab. In this module you will be provided with the instructions and devices needed to develop your hands-on skills.

Learning Outcomes

In this module, you will complete the following exercises:

  • Preparing a Target Drive for Acquisition in Linux
  • Deleting NTFS Files
  • Using Sleuth Kit and Autopsy

After completing this lab, you will be able to:

  • Connect to PLABWIN10 and Kali
  • Mount a disk volume
  • Collect User SID
  • View Deleted Files
  • Prepare Disk Image
  • Restart Apache Service
  • Examine a Case with Sleuth Kit and Autopsy
  • Download USB Drive Images
  • Use Autopsy for Windows 10

Exam Objectives

The following exam objectives are covered in this lab:

  • CAS-003 1.2 Compare and contrast security, privacy policies and procedures based on organizational requirements.

Lab Duration

It will take approximately 1 hour to complete this lab.

Exercise 1 - Preparing a Target Drive for Acquisition in Linux

The Linux OS has many tools you can use to modify non-Linux file systems. Current Linux distributions can create Microsoft File Allocation Table (FAT) and New Technology File System (NTFS) partition tables. Linux kernel version 2.6.17.7 and earlier can format and read only the FAT file system, although an NTFS driver, NTFS-3G, is available that allows Linux to mount NTFS partitions and write data to them. You can download this driver from http://sourceforge.net/projects/ntfs-3g, where you can also find information about NTFS and instructions for installing the driver.

Learning Outcomes

After completing this exercise, you will be able to:

  • Connect to PLABWIN10 and Kali
  • Mount a disk volume

Exercise 2 - Deleting NTFS Files

Typically, you use Windows Explorer or File Explorer to delete files from a disk. When a file is deleted in Windows NT and later, the OS renames it and moves it to the Recycle Bin. Another method is using the del (delete) MS-DOS command. This method doesn’t rename the file and move it to the Recycle Bin, but it eliminates the file from the Master File Table (MFT) listing in the same way FAT does.

When you delete a file in Windows or File Explorer, you can restore it from the Recycle Bin.
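As an added illustration of why the "View Deleted Files" step later in this lab works (example code written for this page, not part of the lab, of Windows or of Sleuth Kit): when a file is removed from the MFT listing, its 1024-byte FILE record is not wiped, the in-use flag in the record header is cleared, so a parser that first restores the update-sequence fixups and then reads the header flags can still recover the file name. The record and attribute layout used here is the assumed standard NTFS on-disk format, and the sample record is constructed inline rather than taken from a real disk.

```python
import struct

# Assumed NTFS on-disk layout (not from the lab text): 1024-byte FILE records, header flags at 0x16, resident $FILE_NAME (0x30).
IN_USE, IS_DIR = 0x01, 0x02

def apply_fixups(rec: bytes) -> bytes:
    """Put back the sector-end bytes NTFS replaced with the update sequence number."""
    usa_ofs, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_ofs:usa_ofs + 2]
    out = bytearray(rec)
    for i in range(1, usa_count):
        end = 512 * i
        if out[end - 2:end] != usn:   # torn write or bogus record: do not trust it
            raise ValueError("fixup mismatch in sector %d" % i)
        out[end - 2:end] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(out)

def parse_mft_record(rec: bytes) -> dict:
    """Report allocation state and the $FILE_NAME name of one MFT record."""
    if len(rec) != 1024 or rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    attr_ofs, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & IN_USE), "is_dir": bool(flags & IS_DIR), "name": None}
    while attr_ofs + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, attr_ofs)
        if atype == 0xFFFFFFFF or alen == 0:          # end-of-attributes marker
            break
        if atype == 0x30 and rec[attr_ofs + 8] == 0:  # resident $FILE_NAME
            body = attr_ofs + struct.unpack_from("<H", rec, attr_ofs + 0x14)[0]
            nlen = rec[body + 0x40]                    # name length in UTF-16 chars
            info["name"] = rec[body + 0x42:body + 0x42 + 2 * nlen].decode("utf-16-le")
        attr_ofs += alen
    return info

def build_sample_record(name: str, in_use: bool) -> bytes:
    """Constructed record (not from any real disk) with one $FILE_NAME attribute."""
    usn, fname = b"\x07\x00", name.encode("utf-16-le")
    body = bytes(0x40) + bytes([len(name), 1]) + fname   # parent/time/size fields zeroed
    alen = (0x18 + len(body) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHBB", 0x30, alen, 0, 0, 0, 0, 0, len(body), 0x18, 0, 0)
    attr = (attr + body).ljust(alen, b"\0") + b"\xff\xff\xff\xff" + bytes(4)
    rec = bytearray(b"FILE") + bytearray(1020)
    struct.pack_into("<HH", rec, 4, 0x30, 3)             # USA at 0x30: USN + 2 sector entries
    rec[0x30:0x36] = usn + bytes(4)                        # saved sector-end bytes (all zero here)
    struct.pack_into("<HH", rec, 0x14, 0x38, IN_USE if in_use else 0)
    rec[0x38:0x38 + len(attr)] = attr
    rec[510:512] = rec[1022:1024] = usn                    # what NTFS actually writes on disk
    return bytes(rec)
```

Calling parse_mft_record(build_sample_record("secret.txt", in_use=False)) reports in_use False with the name still present, which is exactly what a tool such as Sleuth Kit relies on when listing deleted entries.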

Learning Outcomes

After completing this exercise, you will be able to:

  • Collect User SID
  • View Deleted Files

Exercise 3 - Using Sleuth Kit and Autopsy

Sleuth Kit and Autopsy can be installed on 32-bit or 64-bit Windows versions, and version 2 can be installed on Linux or Mac OS X. You can find current and past versions of Sleuth Kit and Autopsy Forensic Browser at www.sleuthkit.org.

Older versions of Sleuth Kit and Autopsy are available at websites listed on Sleuth Kit’s main page. The RPM Package Manager utility makes installing these tools on Red Hat and Fedora Linux much easier. Several other Linux distributions have tools for installing RPM packages; check their documentation to see how they handle RPM packages.

On Linux, Sleuth Kit must be installed before Autopsy Forensic Browser; otherwise Autopsy won’t install correctly. On Windows, however, the order of installation isn’t critical. In addition, when you’re running Autopsy Forensic Browser on Mac or Linux, you must preface all commands with sudo.

In this exercise, Sleuth Kit and Autopsy have been pre-installed on the PLABKSRV01 device.

Learning Outcomes

After completing this exercise, you will be able to:

  • Prepare Disk Image
  • Connect to PLABWIN10 and Kali
  • Restart Apache Service
  • Examine a Case with Sleuth Kit and Autopsy
  • Download USB Drive Images
  • Use Autopsy for Windows 10
