Digital Forensics Labs
To download the contents of each lab, please send an e-mail to ia@mgt.unm.edu giving the name of the school where you teach or do research.
The following Information Assurance labs are available for download:
Digital Forensics
- Digital Forensics, Part 1 - Disk Imaging and Cloning
- Digital Forensics, Part 2 - Unallocated, Slack and Swap Space Analysis
- Digital Forensics, Part 3 - Data Unit Level
- Digital Forensics, Part 4 - File Recovery with the Meta Data Layer
- Digital Forensics, Part 5 - Data Layer Revisited in File Recovery
- Digital Forensics, Part 6 - Timeline Analysis
- Digital Forensics, Part 7 - Ethereal Network Analysis
Digital Forensics, Part 1 - Disk Imaging and Cloning
Author: Regis Cassidy, Sandia National Laboratories College Cyber Defenders
Revised: Jessica Dillinger, Patricia Watson and Joel Nunes, Summer 2005
Alessandro Seazzu, Fall 2006
CNSS/NSTISSI Mapping: n/a
Abstract:
The purpose of this tutorial is to familiarize students with performing digital
analysis of a computer hard drive under investigation. It is designed so that
students will feel comfortable adding virtual disks in VMware, imaging the disks,
verifying the disk image with cryptographic hashes, locating the individual
partitions of a multiple-partition disk, mounting partition images, creating a
clone drive, and completing the digital forensic lab successfully.
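As an added illustration of the imaging, hashing and partition steps listed above (example code written for this page, not part of the lab materials): the script below builds a small two-partition MBR disk in memory, hashes it the way sha1sum would, reads the partition table to find each partition's sector offset, carves one partition out (what dd with skip/count does on a real image) and prints the read-only loop-mount command for it. The disk contents, partition layout, image file name and mount points are all constructed assumptions.

```python
"""Added example: image a (synthetic) MBR disk, hash it, read the partition
table and carve out one partition so it can be hashed and mounted on its own.
The disk content below is constructed test data, not an evidence drive."""
import hashlib
import struct

SECTOR = 512
MBR_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_disk():
    """16-sector disk: partition 1 (Linux, bootable) = sectors 4-7,
    partition 2 (FAT32) = sectors 8-15. Constructed for this example."""
    disk = bytearray(SECTOR * 16)
    entries = [(0x80, 0x83, 4, 4), (0x00, 0x0B, 8, 8)]
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = 446 + 16 * i
        disk[off:off + 16] = struct.pack(MBR_ENTRY, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    disk[510:512] = b"\x55\xaa"                         # MBR boot signature
    disk[4 * SECTOR:4 * SECTOR + 12] = b"LINUX-DATA-1"  # marker bytes inside partition 1
    disk[8 * SECTOR:8 * SECTOR + 11] = b"FAT32-DATA2"   # marker bytes inside partition 2
    return bytes(disk)


def sha1_hex(data):
    """Same digest sha1sum(1) prints for the file."""
    return hashlib.sha1(data).hexdigest()


def parse_mbr(image):
    """Return the populated partition-table entries with byte offsets: the
    numbers mmls / fdisk -l report and that mount -o offset= needs."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature at bytes 510-511")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(MBR_ENTRY, image[off:off + 16])
        if ptype == 0 or count == 0:
            continue                                    # empty slot
        parts.append({
            "index": i + 1,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "start_sector": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,
            "byte_length": count * SECTOR,
        })
    return parts


def extract_partition(image, part):
    """Equivalent of dd if=disk.dd bs=512 skip=<start_sector> count=<sectors>."""
    start = part["byte_offset"]
    return image[start:start + part["byte_length"]]


def mount_command(part, image_path, mountpoint):
    """Read-only loop mount of one partition straight from the full image."""
    return (f"mount -o ro,loop,noexec,offset={part['byte_offset']} "
            f"{image_path} {mountpoint}")


def verify_copy(original, copy):
    """Acquisition check: source device and image file must hash identically."""
    return sha1_hex(original) == sha1_hex(copy)


if __name__ == "__main__":
    disk = build_sample_disk()
    image = bytes(disk)                    # stands in for the dd output file
    print("disk image SHA1:", sha1_hex(image), "verified:", verify_copy(disk, image))
    for p in parse_mbr(image):
        data = extract_partition(image, p)
        print(f"p{p['index']} type=0x{p['type']:02x} start={p['start_sector']} "
              f"sectors={p['sectors']} sha1={sha1_hex(data)}")
        print("  ", mount_command(p, "disk.dd", f"/mnt/p{p['index']}"))
```

On a real acquisition the source drive sits behind a hardware write blocker, is imaged with dd (or dcfldd/dc3dd), and sha1sum is run on both the device and the image file before any analysis starts; the hash recorded then is what the lab's verification step compares against later. Mount with ro and an offset into the full image rather than splitting it. One caveat: a ro mount of an ext3 partition can still replay the journal and change the image, so pass noload as well, or work on a copy of the image.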
Requirements:
This lab uses VMware with the Linux - Forensics virtual machine. Take a few minutes to read the entire tutorial before starting any work on the computer.
Download Digital Forensics, Part 1 - Disk Imaging and Cloning (1,923,413.192 KB)
SHA1: a0affea6a810ff39ba1b7bddc082229ad9d6dd85
Digital Forensics, Part 2 - Unallocated, Slack and Swap Space Analysis
Author: Regis Cassidy, Sandia National Laboratories College Cyber Defenders
Revised: Jessica Dillinger, Patricia Watson and Joel Nunes, Summer 2005
Alessandro Seazzu, Fall 2006
CNSS/NSTISSI Mapping: n/a
Abstract:
When you are given a system to analyze for evidence, you need a method for deciding what to
look for. You will build a search list relevant to the case to guide you toward that evidence.
Conducting interviews is one of the most important steps in the forensic process for starting
that list. The individuals to be interviewed may be the suspect, the system administrator,
coworkers, or other key witnesses. During the interviews, note important names, dates, IP
addresses, e-mail contacts, documents, project titles and similar details that may lead you to
the critical data that can be used as evidence.
If a person engaged in illegal activities is careless, he or she may leave undeleted or "in the open" files on the machine that can be used as evidence. When someone is under investigation, browse the system's directories (on a mounted image or cloned drive, never on the original) for files of interest: e-mails, Internet addresses, images, personal Word documents, spreadsheets, and so on. From the files you discover, record search words relevant to the investigation.
Even if you find evidence in this allocated space, your search is not complete. You will next use your search list to find additional evidence in unallocated, slack, and swap space. Your investigation will consist of multiple passes, since the search list grows with each piece of evidence you find.
Requirements:
This lab uses VMware with the Linux - Forensics virtual machine. Take a few minutes to read the entire tutorial before starting any work on the computer.
Download Digital Forensics, Part 2 - Unallocated, Slack and Swap Space Analysis (431,038.416 KB)
SHA1: 97209369868f4df64f5094b743e68320173ca032
Digital Forensics, Part 3 - Data Unit Level
Author: Regis Cassidy, Sandia National Laboratories College Cyber Defenders
Revised: Jessica Dillinger, Patricia Watson and Joel Nunes, Summer 2005
Alessandro Seazzu, Fall 2006
CNSS/NSTISSI Mapping: n/a
Abstract:
The purpose of this tutorial is to familiarize students with performing digital analysis of a
computer hard drive under investigation. It is designed so that students will feel comfortable
extracting unallocated space, extracting plain text from unallocated space, locating a file by
its block numbers, recovering files stored in contiguous and non-contiguous blocks, using the
Autopsy forensic browser, and completing the digital forensic lab successfully.
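The search that the Part 2 and Part 3 abstracts describe, keywords from a search list applied to allocated, slack and unallocated space with every hit traced back to a data unit, as one added worked example. This is example code written for this page, not from the lab materials; the 8-block image, its block bitmap, the file sizes and the keywords are constructed so the script runs offline. A real image reports its block size through fsstat and its unallocated units through dls/blkls; both are simulated here.

```python
"""Added example: keyword search over a raw image one data unit (block) at a
time, with the allocation bitmap used to tell hits in allocated, slack and
unallocated space apart. Image and bitmap are constructed test data."""
import re

BLOCK_SIZE = 1024   # assumed for this toy image; fsstat reports the real value


def build_sample_image():
    """8-block image. Blocks 0-3 allocated: block 0 is metadata and blocks 1-2
    hold a 1500-byte file, so bytes 476-1023 of block 2 are slack that still
    carry part of an older file. Blocks 4-7 are unallocated; block 5 keeps
    the remains of a deleted note."""
    img = bytearray(BLOCK_SIZE * 8)
    old = b"/etc/passwd backup: root:$1$oldhash$:0:0:root:/root:/bin/bash"
    img[2 * BLOCK_SIZE + 600:2 * BLOCK_SIZE + 600 + len(old)] = old
    live = b"Quarterly report draft. ".ljust(1500, b"x")
    img[BLOCK_SIZE:BLOCK_SIZE + 1500] = live          # fills block 1 and 476 bytes of block 2
    note = b"Meet re project FALCON on 2005-06-12 @ 9"
    img[5 * BLOCK_SIZE:5 * BLOCK_SIZE + len(note)] = note
    allocated = {0, 1, 2, 3}                          # block bitmap: which units are in use
    files = {"report.txt": {"blocks": [1, 2], "size": 1500}}
    return bytes(img), allocated, files


def block(image, n):
    """Data unit n, the same bytes dcat/blkcat prints for that block."""
    return image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]


def unallocated_blocks(allocated, nblocks):
    return [b for b in range(nblocks) if b not in allocated]


def extract_unallocated(image, allocated):
    """Concatenate every unallocated block, as dls/blkls does, for bulk searching."""
    n = len(image) // BLOCK_SIZE
    return b"".join(block(image, b) for b in unallocated_blocks(allocated, n))


def file_slack(image, entry):
    """Bytes from the file's logical end to the end of its last block."""
    used_in_last = entry["size"] % BLOCK_SIZE
    if used_in_last == 0:
        return b""                                    # ends on a block boundary: no slack
    last = entry["blocks"][-1]
    return image[last * BLOCK_SIZE + used_in_last:(last + 1) * BLOCK_SIZE]


def strings(data, min_len=4):
    """Printable runs, like strings(1), for growing a search list from raw space."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def search_image(image, terms, allocated):
    """Every occurrence of every term, tagged with block number, in-block
    offset and allocation state, so each hit maps back to a data unit."""
    hits = []
    for b in range(len(image) // BLOCK_SIZE):
        blk = block(image, b)
        for term in terms:
            needle = term.encode()
            pos = blk.find(needle)
            while pos != -1:
                hits.append({"term": term, "block": b, "offset": pos,
                             "allocated": b in allocated})
                pos = blk.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    img, alloc, files = build_sample_image()
    print("unallocated blocks:", unallocated_blocks(alloc, len(img) // BLOCK_SIZE))
    print("slack of report.txt:", strings(file_slack(img, files["report.txt"])))
    print("strings in unallocated space:", strings(extract_unallocated(img, alloc)))
    for h in search_image(img, ["FALCON", "passwd", "report"], alloc):
        where = "allocated" if h["allocated"] else "unallocated"
        print(f"{h['term']!r} in block {h['block']} offset {h['offset']} ({where})")
```

The point of reporting the block number rather than a raw byte offset is that the next step in the lab (mapping a data unit back to the inode and file name that owns it, or confirming that nothing owns it) works in block units. Note also that the "passwd" hit sits in an allocated block but outside the live file's 1500 bytes, which is exactly why a search of allocated files alone would have missed it.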
Requirements:
This lab uses VMware with the Linux - Forensics virtual machine. Take a few minutes to read the entire tutorial before starting any work on the computer.
Download Digital Forensics, Part 3 - Data Unit Level (1,785.759 KB)
SHA1: 1db2e79f8e1cd11dd33e3325aca01c86db35b13e
Digital Forensics, Part 4 - File Recovery with the Meta Data Layer
Author: Regis Cassidy, Sandia National Laboratories College Cyber Defenders
Revised: Jessica Dillinger, Patricia Watson and Joel Nunes, Summer 2005
Alessandro Seazzu, Fall 2006
CNSS/NSTISSI Mapping: n/a
Abstract:
The purpose of this tutorial is to familiarize students with performing digital analysis of a
computer hard drive under investigation. It is designed so that students will feel comfortable
recovering a file from its metadata, observing what file deletion does at the metadata layer on
various file systems, using the Autopsy forensic browser at the metadata layer, and completing
the digital forensic lab successfully.
Requirements:
This lab uses VMware with the Linux - Forensics virtual machine. Take a few minutes to read the entire tutorial before starting any work on the computer.
Download Digital Forensics, Part 4 - File Recovery with the Meta Data Layer (2,092.195 KB)
SHA1: dcadbb9af5f64ff12b757223de57a6474d7e18f2
Digital Forensics, Part 5 - Data Layer Revisited in File Recovery
Author: Regis Cassidy, Sandia National Laboratories College Cyber Defenders
Revised: Jessica Dillinger, Patricia Watson and Joel Nunes, Summer 2005
Alessandro Seazzu, Fall 2006
CNSS/NSTISSI Mapping: n/a
Abstract:
Your search will not always be for plaintext found in the content of a file. You may, for
example, want to find every Word document without knowing anything about its contents. Or think
of an image file: its data is binary, so a keyword search list is of no use.
You are going to learn another method for recovering deleted files at the data layer, one that recovers files by their type. Programs recognize a file type from the binary header (often called the magic number) at the beginning of the file; Linux tools such as file(1) read this header rather than trusting the file extension. Some file types have a footer as well, which marks where the file ends.
Different file types have unique headers. You are going to determine what the header is for a Word document.
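A worked example of the type-based recovery described above: carving by header and footer over a dump of raw space. This is example code added for this page, not the lab's own, and the dump with its embedded files is constructed. The signatures are public facts: Word 97-2003 .doc files begin with the OLE2 compound-file header d0 cf 11 e0 a1 b1 1a e1 (Excel and PowerPoint files of the same era share it, so the header identifies a compound document rather than Word specifically), JPEG starts ff d8 ff and ends ff d9, PDF starts %PDF- and ends %%EOF. The 4096-byte cap for types without a footer is an arbitrary choice for the example.

```python
"""Added example: file carving by header/footer signature over raw space.
The dump below is constructed test data; the signatures are public facts
(the OLE2 header is shared by Word, Excel and PowerPoint 97-2003 files)."""

# name -> (header, footer or None, byte cap used only when there is no footer)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", None),
    "doc":  (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None, 4096),   # OLE2 compound file
    "pdf":  (b"%PDF-", b"%%EOF", None),
}


def hexdump_header(data, n=8):
    """What xxd -l 8 shows: the bytes an examiner compares against a known header."""
    return " ".join(f"{b:02x}" for b in data[:n])


def identify(data):
    """Type by header only; the file name or extension is ignored, as file(1) does."""
    for name, (hdr, _, _) in SIGNATURES.items():
        if data.startswith(hdr):
            return name
    return None


def next_header(image, start):
    """Offset of the nearest known header at or after start (len(image) if none)."""
    positions = [image.find(hdr, start) for hdr, _, _ in SIGNATURES.values()]
    positions = [p for p in positions if p != -1]
    return min(positions) if positions else len(image)


def carve(image):
    """For each signature, walk the image. With a footer: cut header..footer
    inclusive, and skip a header whose footer never appears (a torn file).
    Without one: take up to max_len bytes or until the next recognised header."""
    found = []
    for name, (hdr, ftr, max_len) in SIGNATURES.items():
        pos = image.find(hdr)
        while pos != -1:
            if ftr is not None:
                end = image.find(ftr, pos + len(hdr))
                if end == -1:                        # header with no footer after it
                    pos = image.find(hdr, pos + 1)
                    continue
                end += len(ftr)
            else:
                end = min(pos + max_len, len(image), next_header(image, pos + len(hdr)))
            found.append({"type": name, "offset": pos, "length": end - pos,
                          "data": image[pos:end]})
            pos = image.find(hdr, end)
    return sorted(found, key=lambda f: f["offset"])


def build_sample_dump():
    """Constructed unallocated-space dump: a JPEG, a Word .doc, a JPEG whose
    tail (and footer) was overwritten, then a PDF, separated by zero fill."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    doc = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8
           + b"Microsoft Word draft ".ljust(1000, b"W"))
    torn = b"\xff\xd8\xff\xe1" + b"T" * 50
    pdf = b"%PDF-1.4 " + b"P" * 200 + b"%%EOF"
    return b"\0" * 64 + jpeg + b"\0" * 32 + doc + b"\0" * 16 + torn + b"\0" * 16 + pdf


if __name__ == "__main__":
    dump = build_sample_dump()
    for f in carve(dump):
        print(f"{f['type']:4} at {f['offset']:6} len {f['length']:5} "
              f"header {hexdump_header(f['data'])}")
```

Two caveats that carry over to real carving tools: a carved file without a footer (the .doc here) is cut at the next header or a size cap, so it may contain trailing garbage or be truncated, and a header whose footer is gone (the torn JPEG) is reported as nothing at all even though partial image data survives. Both are reasons to carve unallocated space separately from the whole image, where allocated files would otherwise swamp the results.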
Requirements:
This lab uses VMware with the Linux - Forensics virtual machine. Take a few minutes to read the entire tutorial before starting any work on the computer.
Download Digital Forensics, Part 5 - Data Layer Revisited in File Recovery (649.843 KB)
SHA1: 861647c497c4df0d9bbd9c0376d5f9a263660552
Digital Forensics, Part 6 - Timeline Analysis
Author: Regis Cassidy, Sandia National Laboratories College Cyber Defenders
Revised: Jessica Dillinger, Patricia Watson and Joel Nunes, Summer 2005
Alessandro Seazzu, Fall 2006
CNSS/NSTISSI Mapping: n/a
Abstract:
You are going to learn another method for working with deleted files, this time at the file
name and directory layer. The purpose of this tutorial is to familiarize students with performing
digital analysis of a computer hard drive under investigation. It is designed so that students
will feel comfortable extracting MAC times (modification, access and inode-change times) for
allocated files, unallocated files and inodes, generating a timeline with mactime and Autopsy, and
completing the digital forensic lab successfully.
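The timeline step as an added example (code written for this page, not from the lab): parse a Sleuth Kit body file and collapse each file's timestamps into mactime-style rows. The body lines are constructed and use the 11-field body format of Sleuth Kit 3.x (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime); earlier releases wrote a different layout, so check the mactime man page of the version you run. The "(deleted)" suffix marks an unallocated entry, and the epoch values, names and inode numbers are invented.

```python
"""Added example: build a mactime-style timeline from a Sleuth Kit 3.x body
file (the format fls -m / ils -m write). The body lines are constructed
test data, not output from the lab image."""
from datetime import datetime, timezone

# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds)
SAMPLE_BODY = """
0|/home/alice/report.txt|12|r/rrw-r--r--|1000|1000|1500|1118566800|1118563200|1118563200|0
0|/home/alice/notes.txt (deleted)|15|r/rrw-------|1000|1000|612|1118570400|1118570400|1118574000|0
0|/home/alice/.bash_history|9|r/rrw-------|1000|1000|2048|1118577600|1118577600|1118577600|0
"""


def parse_body(text):
    records = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"expected 11 fields: {line!r}")
        records.append({
            "name": f[1], "inode": f[2], "mode": f[3], "size": int(f[6]),
            # m = content modified, a = accessed, c = inode changed, b = born/created
            "times": {"m": int(f[8]), "a": int(f[7]), "c": int(f[9]), "b": int(f[10])},
            "deleted": f[1].endswith("(deleted)"),
        })
    return records


def timeline(records):
    """One row per distinct timestamp of each record, flagged macb-style
    ("m.c." = modified and inode-changed at that second), sorted by time."""
    rows = []
    for r in records:
        for t in sorted({v for v in r["times"].values() if v > 0}):   # 0 = unset, skipped
            flags = "".join(k if r["times"][k] == t else "." for k in "macb")
            rows.append({"time": t, "flags": flags, "size": r["size"], "mode": r["mode"],
                         "inode": r["inode"], "name": r["name"], "deleted": r["deleted"]})
    rows.sort(key=lambda row: (row["time"], row["name"]))
    return rows


def window(rows, start, end):
    """Restrict the timeline to an interval of interest (epoch seconds, inclusive)."""
    return [row for row in rows if start <= row["time"] <= end]


def format_row(row):
    """mactime-like output line; UTC so the image's timezone is an explicit choice."""
    ts = datetime.fromtimestamp(row["time"], tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return f"{ts} {row['size']:>8} {row['flags']} {row['mode']} {row['inode']:>6} {row['name']}"


if __name__ == "__main__":
    rows = timeline(parse_body(SAMPLE_BODY))
    for row in rows:
        print(format_row(row))
    print("deleted-file events:", [(row["flags"], row["name"]) for row in rows if row["deleted"]])
```

Reading the sample output: the deleted note's "..c." row an hour after its "ma.." row is the inode change recorded when the file was unlinked, which is the kind of event the interviews in Part 2 give you dates to look for. The times are only as good as the clock that set them; record the system's timezone and any clock skew against a known reference before interpreting a timeline, and state the timezone in which the report is written.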
Requirements:
This lab uses VMware with the Linux - Forensics virtual machine. Take a few minutes to read the entire tutorial before starting any work on the computer.
Download Digital Forensics, Part 6 - Timeline Analysis (179,549.670 KB)
SHA1: 507d2acbbb3861cd77c5b78e096a37cb91df1f72
Digital Forensics, Part 7 - Ethereal Network Analysis
Author: Regis Cassidy, Sandia National Laboratories College Cyber Defenders
Revised: Jessica Dillinger, Patricia Watson and Joel Nunes, Summer 2005
Alessandro Seazzu, Fall 2006
CNSS/NSTISSI Mapping: n/a
Abstract:
Ethereal (since renamed Wireshark) is a packet analyzer that captures and decodes every frame
your network interface receives. A host normally receives far more from the network than the
operating system lets you examine. This traffic can be administrative (DHCP requests, resource
notifications), functional (the source, destination and size of the data), or even malicious. In
this lab, you will become familiar with Ethereal, its uses as a diagnostic tool, and its uses as
a forensics tool.
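To show what Ethereal is decoding when it displays a frame, here is an added example (code written for this page, not part of the lab) that constructs a one-packet pcap containing a DHCPDISCOVER and parses it by hand: the pcap record headers, Ethernet, IPv4 with header-checksum verification, UDP, and the DHCP option list. The MAC address, transaction id and timestamp are constructed values.

```python
"""Added example: the decode Ethereal performs, done by hand on a constructed
pcap holding one DHCPDISCOVER frame (Ethernet / IPv4 / UDP / DHCP). The
capture is built in memory; nothing here comes from the lab's traffic."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}


def ipv4_checksum(header):
    """RFC 791: one's-complement sum of 16-bit words; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_dhcp_discover(mac=bytes.fromhex("001122334455"), xid=0x3903F326):
    """Client has no address yet: 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), mac.ljust(16, b"\0"),
                        bytes(64), bytes(128))
    dhcp = bootp + b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])  # cookie, opt 53 = DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff")
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum field
    return b"\xff" * 6 + mac + b"\x08\x00" + ip + udp


def build_pcap(frames, ts0=1118563200):
    """Little-endian pcap: 24-byte global header, then (sec, usec, incl, orig) per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts0 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, frames = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return frames


def parse_dhcp(payload):
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    opts, i = {}, 240                                 # options follow the cookie at 236
    while i < len(payload) and payload[i] != 255:     # 255 = end option
        if payload[i] == 0:                           # 0 = pad, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(53, b"\0")[0]
    return {"op": op, "xid": xid, "client_mac": payload[28:28 + hlen].hex(":"),
            "message_type": DHCP_TYPES.get(mtype, f"type {mtype}")}


def parse_frame(frame):
    """Decode Ethernet, then IPv4 (verifying the header checksum), then UDP, then DHCP."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    info = {"eth_src": src.hex(":"), "eth_dst": dst.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return info
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    _, _, _tot, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    info.update({"ip_src": ".".join(map(str, s)), "ip_dst": ".".join(map(str, d)),
                 "ttl": ttl, "proto": proto, "ip_checksum_ok": ipv4_checksum(ip) == 0})
    if proto != 17:
        return info
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", frame, 14 + ihl)
    info.update({"udp_sport": sport, "udp_dport": dport})
    payload = frame[14 + ihl + 8:14 + ihl + ulen]
    if {sport, dport} & {67, 68} and payload[236:240] == b"\x63\x82\x53\x63":
        info["dhcp"] = parse_dhcp(payload)
    return info


if __name__ == "__main__":
    capture = build_pcap([build_dhcp_discover()])
    for ts, frame in parse_pcap(capture):
        info = parse_frame(frame)
        print(ts, info["eth_src"], "->", info["eth_dst"], info.get("ip_src"), "->", info.get("ip_dst"))
        print("   IPv4 checksum ok:", info["ip_checksum_ok"], "| DHCP:", info.get("dhcp"))
```

Write the bytes of capture to a file and open it in Ethereal/Wireshark: the decode pane shows the same fields this script extracts, which is a useful sanity check when learning the tool. One caveat for reading captures as evidence: a bad IPv4 or UDP checksum on frames sent by the capturing host is usually checksum offloading on its own NIC (the checksum is computed after the capture point), not tampering.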
Requirements:
This lab uses VMware with the Linux - Forensics virtual machine. Take a few minutes to read the entire tutorial before starting any work on the computer.
Download Digital Forensics, Part 7 - Ethereal Network Analysis (317.416 KB)
SHA1: 918df4df7872fceb1900581d3d8a59a226cf003c
Contact Us
Alessandro Seazzu, Director
UNM Center for Information Assurance Research and Education
MSC05 3090
1 University of New Mexico
Albuquerque, NM 87131 - 0001
(505) 277-8451
alex@mgt.unm.edu
Steve Burd, Associate Director
UNM Center for Information Assurance Research and Education
MSC05 3090
1 University of New Mexico
Albuquerque, NM 87131 - 0001
(505) 277-6418
burd@mgt.unm.edu
Rich Brody, Associate Director
UNM Center for Information Assurance Research and Education
MSC05 3090
1 University of New Mexico
Albuquerque, NM 87131 - 0001
(505) 277-7258
brody@mgt.unm.edu
Accessing the Labs
To download the contents for the information assurance labs, please send an e-mail to ia@mgt.unm.edu with the name of the school where you teach or do research.
ADA Information
The University of New Mexico is an Affirmative Action/Equal Opportunity Institution. In accordance with the Americans with Disabilities Act, the information in this site is available in alternate formats upon request.