UMGCINFA650 Computer Forensics Lab 1
Forensic Imaging and Hashing
In your virtual lab desktop environment, you will create a forensic image and use hashing to
verify it’s authenticity. The use of hashes is a methodology that is highly respected and used
when presenting evidence and reports in a court of law. It is important to understand the role of
a Digital Forensic analyst includes using tools to capture and analyze digital evidence as well as
report out what you found, how you found it, and verify the information. Utilize online guides
(you will need to Google for these – YouTube is also a very good resource)–to create a bitwise
forensic image of the Lab1 file in the appropriate folders (in the Lab Resources folder on the
Virtual Machine (VM)) using the forensic tool FTK_Imager.
Don't use plagiarized sources. Get Your Custom Essay on
lab work
Just from $13/Page
You will document and discuss the steps you took in the lab, and then answer the lab
questions found at the end of the document.
Virtual Machine Credentials
Username: StudentFirst
Password: Cyb3rl@b
Important Points to Remember
1. Discussing and illustrating the process is the most important part of this lab. Make
certain you intersperse your screenshots within the discussion and label them
appropriately.
2. You must complete this lab within your virtual machine environment. Remember
that the image may reset when you log off, so be sure you complete the steps for one of
the images and take your screenshots (saving them outside of the VM to your host
system) before logging out.
3. Use the Windows Snipping tool to take a screenshot of the appropriate Windows and
not the entire desktop.
4. Microsoft Office is installed within your VM within the VCL. You can
to create your PDF file.
5. All labs have a set due date and time. Labs can be turned in up to a week after the due
date and time, but with a penalty for each day it is late.
6. As we progress through the labs for this course, the virtual environment will keep your
work from prior labs, so you may need to destroy nodes or clear you cache to enable
smoother connections.
Deliverable
Filename: lastname-lab1 (this is how you should title your lab report submission)
In the dropbox folder under Lab1, submit your documentation via a PDF document with your last
name and page number at the bottom right of each page. Use an appropriate filename:
yourLastName-Lab1 . Using pdf format ensures that screenshots will be visible, as it is
common for other formats to lose graphics.
Preliminary Steps
Launch the UMGC virtual environment by following the “Accessing the Virtual Lab Environment”
instructions. Instructions can be found under Content > Session 3: Computer Investigations
> Accessing Lab 1.
1. Start the Windows virtual machine and open resources. If this is the first time in the
environment, or you have cleared your browser cache, you will need to first click on Nodes:
Once the Nodes are launched, click on Allocate Lab > Connect:
If you see the pop-up asking about PowerShell, click on Open Windows PowerShell:
If you see a security pop-up, check “Don’t ask me again for connections to this computer” and
click Connect:
Enter credentials, check the box next to “Remember me”, and click OK:
Virtual Machine Credentials
Username: StudentFirst
Password: Cyb3rl@b
Lab 1 Description
In this lab, you will be conducting Forensic Imaging. We will use a common tool, FTK Imager, to
image a directory folder on your machine. Typically, Computer Forensic Investigators will image
(i.e. make a bit-by-bit copy) a whole drive to make a duplicate of it. Once they have a copy of a
drive, they can use tools and techniques to analyze folders, files, and fragments of data for
digital evidence.
For this lab, we only want to image a single directory folder and its contents due to time and
space constraints. Over the next few steps, you will select to image a disk directory, choose the
directory in the tool interface options, and then select the output of that image. You will then
mount the resulting image and explore its contents to verify that it was in fact a captured image
of the directory you had specified. This final step in verification is extremely important to the
integrity of any investigation.
Part I Steps
1. Now that you are in the virtual environment, start by accessing and downloading the file to be
imaged. From the desktop go to Lab Resources > Project Resources and click to open and
download the file Lab1.exe.
2. Click once on “Lab1.exe” and then go to the right of the address bar of the browser window,
and right-click on the three cascading dots to get a dropdown menu. Locate and click on
Downloads:
3. If you get this message, click Keep:
And then Keep anyway (remember, this is a virtual machine, so your machine is safe):
To view where your downloaded file is saved, click on Show in folder. Note the full address of
the location of this file – you will need it in later steps.
You can close and return to the Desktop > Lab Resources.
Part II – Image a Directory File
1. On the virtual desktop, open Lab Resources > Applications > FTK Imager. This is the
Digital Forensic tool we will use for this Lab:
2. Select the View tab > Evidence Tree:
3. To make all drives and folders visible, go to File and select Add All Attached Devices:
4. Once ‘All Attached Devices’ are loaded, the system will scan the MFT for all files and folders.
At this point in the investigation, you can choose any folder or files under the Evidence Tree to
image. For this lab, we will select a picture that is in a system directory and alter the original. In
a DF investigation, this process would illustrate the originality of the picture through both file
contents and hashing (which we do in Lab #2). Now, select a picture from the ‘Sample Pictures’
folder using the path C > NTFS > root > Users > Public > Pictures > Sample Pictures:
You can see file information in the File List window, including size of file, type, and last date
modified.
At this point you could use the FTK Imager to image a drive, however as we are limited in
available storage space, we will complete the imaging process and verification with a file.
5. For this lab, you need to capture an original picture file and its corresponding hash report. To
do this, choose a picture and right click to both save the image and hash file to your machine.
6. Next, open the image file you saved, alter the image and save this new file to your machine.
7. Finally, you should have 4 files saved to your virtual desktop; the original picture, the altered
pictured, and the two hash files corresponding to the two pictures.
Lab Report
In the Lab Report that you will submit for this lab, you need to document the steps you took, the
original picture file you selected and altered, and compare the File Hash Lists for the two picture
images. Be sure that you have met the following expectations:
• Capture screen shots of each step.
• Include the File Hash List for both picture images.
Part III – Image an Imported File
In this part, you will image the file you downloaded and saved, in Part I. Finally, in the lab
analysis, you will compare the two methods you used (Parts II and III) for imaging and hashing
files using the FTK Imager tool.
1. On the virtual desktop, open FTK Imager and go to File > Create Disk Image:
2. Choose Image File and click Next:
3. Browse and locate the “Lab1.exe” you downloaded and click Finish. I had saved the file to
Computer > Local Disk (C:) > Users > StudentFirst > Downloads:
Select the file (Lab1.exe) and click Open.
In the Select File box, the Lab1.exe file should populate the Evidence Source Selection.
Click Finish.
4. In the Create Image box click on Add…:
5. You will be asked to type in evidence Information and click Next. Put in values, as with
example (the Examiner must be you):
Select Next >
6. In the ‘Select Image Destination’ dialogue, use Browse to save the image (I chose
StudentFirst > My documents), name the image file, and select Finish:
7. Back in the ‘Create Image’ dialogue, select Start:
Once the imaging is complete, you will see the Drive/Image Verify Results report – make sure
and take a screenshot of this information!
Lab Report
For this lab, you need to complete a Lab Report, which includes the following requirements:
1. Screen shots of each step in Part II and Part III,
2. The two File Hash Lists from Part II, and
3. Answers the following questions:
o How did you alter the original picture in Part II?
o What information can you retrieve from the File Hash List?
o What information can you capture from the FTK Imager tool to identify a file?
o What information can you capture to validate the authenticity of a file/image?
The following rubric will be applied for grading this lab:
