CHFIv9 Labs Module 06 Operating System Forensics

CHFI Lab Manual

Operating System
Forensics
Module 06
Module 06 - Operating System Forensics

Performing OS Forensics
Operating System (OS) forensics involves obtaining and analysing digital information for use as evidence in civil, criminal, or administrative cases.


Lab Scenario
A computer forensics examiner, Steve, was called to investigate the laptop of a 26-year-old man who was arrested. Steve started searching the contents of the laptop. He began his investigation on Windows event logs and processes using various Windows forensic tools and checked all the registries, event logs, and processes for evidence of any crimes. During the investigation, Steve found the paths for several images and videos of child pornography. He checked all the pictures and confirmed the existence of child pornography on the laptop. Other evidence on the laptop proved that the man in custody was its primary user.

Lab Objectives
The goal of this lab is to explain the process of finding pieces of evidence from Windows and Linux OS. Evidence in Windows OS includes Windows event logs, Windows processes, search key values, and data in Windows, while in an Ubuntu system it includes volatile and non-volatile data. Accomplishing this task will include:
■ Viewing system information and memory processes
■ Viewing disk raw sectors
■ Verifying the integrity of files
■ Creating drive images
■ Recovering deleted files and viewing cookies
■ Scanning for pictures
■ Analysis of volatile and non-volatile data in Linux System
Tools demonstrated in this lab are available in C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics.

Lab Environment
This lab requires:
■ A computer running Windows Server 2012, Ubuntu OS (Linux Distro),
Kali Linux

■ A web browser with Internet connection.

■ Administrative privileges to install and run tools.

Lab Duration
Time: 120 Minutes

CHFI Lab Manual Page 143 Computer Hacking Forensic Investigator Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

TASK 1: Overview of OS Forensics

Overview
Cybercrime has grown with the use of computers. Various laws have been passed against cybercrime, but it still exists, and the guilty parties are difficult to find due to the lack of physical evidence. Computer forensics helps in solving this problem.

Lab Tasks
Recommended labs to assist you in Windows Forensics:
■ Discovering and Extracting Hidden Forensic Material on Computers Using OSForensics.
■ Extracting Information about Loaded Processes Using Process Explorer.
■ Viewing, Monitoring, and Analyzing Events Using the Event Log Explorer Tool.
■ Performing a Computer Forensic Investigation Using the Helix Tool.
■ Analyzing Volatile Data in Linux System.
■ Analyzing Non-volatile Data in Linux System.

Lab Analysis
Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Discovering and Extracting Hidden Forensic Material on Computers Using OSForensics
OSForensics is a computer forensics application for locating and analysing digital evidence in computer systems and digital storage devices.


Lab Scenario
Finding evidence on a computer is like finding a needle in a stack of hay unless you know what to look for and where. Another way around is to find a tool that would help you out. A system stores logs for events along with the identity of the programs that perform any small task. A forensic investigator should be able to differentiate the data and evidence. This lab will help you use the OSForensics tools that will assist in finding evidence from loads of data on a computer to locate evidence of a crime. In this lab, you will learn how to use the OSForensics tool.

Lab Environment
This lab requires:
■ OSForensics, located at C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\OS Forensics.
■ You can also download the latest version of OSForensics from www.osforensics.com/download.html.
■ If you decide to download the latest version, then screenshots shown in the lab might differ slightly.
■ A computer running Windows Server 2012.
■ Administrative privileges to install and run tools.
■ A web browser with an Internet connection.
Tools demonstrated in this lab are available in C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics.

Lab Duration
Time: 25 Minutes

Overview of OSForensics
The OSForensics suite effectively simplifies the task of analyzing vast amounts of data on live systems and storage media with an easy-to-use modular interface. OSForensics includes tools that can identify evidence material in seconds (such as searching for a particular file name), as well as more sophisticated tools for identifying harder-to-locate digital evidence artifacts (such as tracing incriminating data in deleted files).

TASK 1: Creating a New Case

Lab Tasks
1. Navigate to C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\OS Forensics.
2. Double-click osf.exe to launch the setup and follow the wizard-driven installation instructions.
Note: If an Open File - Security Warning pop-up appears, click Run.
3. In the final step of installation, check the Launch OSForensics option and click Finish.
4. The OSForensics GUI appears, along with a PassMark OSForensics pop-up. Click Continue Using Free Version.

Note: By default, a case is created in the OSForensics folder situated in the user's My Documents folder. Upon the creation of a case, a subfolder will be created at the target location that will contain the case. There is no need to select an empty folder.

FIGURE 1.1: OSForensics main window

5. Click the Create Case icon in the main window to create a new case.
Note: Once a case is created or opened, the contents of the case can also be managed from this window. Case items can be opened, deleted, or have additional properties viewed. The property viewer also allows for editing user-defined properties of the item.

FIGURE 1.2: OSForensics Creating a New Case

6. Complete the required fields of the New Case wizard and click OK.
Note: If you want to create a new case in a custom location, click the Browse button. Here, the Case Name is Case 1 and the default Case Folder has been selected.
Note: The start window contains a brief description of each feature as you mouse over it. Clicking once will take you to that feature. Additionally, you can click the buttons on the left. If a button has a pulsating green light next to it, this means that the feature is currently performing a task. A blue light means that the task has been completed, but you have not yet navigated back to that window to view the result.

FIGURE 1.3: OSForensics New Case Wizard



7. A new case is created as shown in the screenshot below:

FIGURE 1.4: OSForensics New Case Created

8. Click File Name Search in the left pane of the window.

TASK 2: File Name Search
Note: A basic search simply involves entering a search string and location. Any files or folders that contain the search string within their name will be displayed in the search results. For instance, searching for "File" will match "file.txt", "test.file" or "MyFile.doc". The basic search is case insensitive.
9. To search for a particular file name or extension, type it in the Search String field.
10. In this lab, Images have been selected from the Presets drop-down list.

FIGURE 1.5: OSForensics File Name Search

11. In the Start Folder field, indicate the path to search by clicking the browse button, and then click the Search button.
12. Here we are specifying the location C:\CHFI-Tools\Evidence Files to search for images in it.
Note: If a wildcard is entered anywhere in the search field, wildcard matching is enabled on all search terms. When wildcard matching is enabled, you will need to explicitly add '*' to the start and end of the search term if you are trying to match a word that may appear in the middle of a filename.

FIGURE 1.6: OSForensics File Name Search

13. This displays all the images present in the specified location. You may analyze these files to see if any suspicious or unwanted images are stored in the location.
Note: By clicking the Config button you will be taken to the File Name Search Configuration window, where more advanced options can be selected.

FIGURE 1.7: OSForensics File Name Search

14. The Timeline tab allows you to see/sort the files according to their modification time.

TASK 3: Creating an Index
15. Now click Create Index in the left pane of the window. It will create an index of the content.
16. It is a five-step process to create an index:
■ Step 1: Select the Use Pre-defined File Types option for creating the Index and check the required options listed below (here, the Images option has been selected) for selecting the file types, then click Next.
Note: The Indexer Advanced Configuration window allows users to configure various indexing parameters. This window can be accessed by clicking the Config button in the Create Index window.

FIGURE 1.8: OSForensics Create Index Step 1

■ Step 2: Now click the Add button to select the drive you want to index.
Note: The list of file types whose contents will be scanned is configured here. Typical file extensions are added to the list by default. To add a new file extension, click the Add button.

FIGURE 1.9: OSForensics Creating Index Step 2

■ Select the folders to add. For this lab, select the C:\CHFI-Tools\Evidence Files\Image Files folder and click the OK button.
Note: Pages and folders containing particular words can be excluded from the scan by adding the words to the list. Note that the folder the created index files are written to is also automatically added so that the indexing process does not index the files it is creating. This folder is a subfolder of the currently active case folder.

FIGURE 1.10: OSForensics Creating Index Step 2


■ Click the Next button in the Create Index section.
Note: Stemming refers to similar words derived from the search terms. For example, searches for "fish" would return results for "fishing," "fishes," and "fished." To enable stemming, check the Enable stemming for: checkbox and select a language.

FIGURE 1.11: OSForensics Creating Index Step 2

■ Step 3: Enter the Title (Case 1) and Index Notes (optional), then click Start Indexing.

FIGURE 1.12: OSForensics to start Indexing Step 3

■ Step 4: In Step 4, the application begins to perform a Pre-Scan on the specified folder.
Note: If a Maximum page limit in Free Version dialog box appears while scanning, click OK to close it.
Note: Binary String Extraction Level: When trying to get words out of binary data, the indexing process has to make a decision as to what is a word and what is just random data. Changing this option will determine how lenient or strict the indexer is when making this decision. Leaving this on default, the most stringent option, is recommended, as this will aggressively remove irrelevant data and keep the index to a more manageable size. The Code Words setting is useful if you are trying to find things like passwords missed by the default option.

FIGURE 1.13: OSForensics to start Indexing Step 4

■ Step 5: Step 5 displays the status of the indexing. Once the indexing is completed, an OSForensics - Created Index pop-up appears; click OK.
Note: The log file shows many errors about files being locked. If you are indexing an active system drive (the drive that Windows is running from), this is quite common, as many programs, and Windows itself, will be using the files on the drive, making them inaccessible. Usually, these files are system files without much interesting text in them, and this should not be a problem.

FIGURE 1.14: OSForensics Step 5

17. Select the Search Index section from the left pane, enter the keyword to search in the Enter Search Words field (optional), and select the Index to Search (here, Case 1) from the drop-down menu. Click the Search button.
Note: The free version of OSForensics returns a maximum of 250 results. So, if the search results exceed this number, an OSForensics - Notice pop-up appears where you need to click OK.
Note: During the pre-scan step, OSForensics tries to detect the number of files that will be included in the index and sets this as the maximum which the indexing process will scan. Because the pre-scan is a basic and fast scan, it may sometimes get this wrong. If this is the case, you should try indexing again by setting the maximum pages manually in the advanced options.

FIGURE 1.15

TASK 4: Searching Recent Activities
19. Select the Scan Drive radio button, select C: Drive and click Scan to scan for evidence such as browsed websites, USB drives, recent downloads, and wireless networks in the drive.
Note: If a Warning pop-up appears, click Yes. If an OSForensics Error appears during the scan, click OK.
20. On completion of the scan, a Recent Activity - Summary window appears; click OK.
Note: OSForensics scans known locations for web browser profiles and their related history and cache files to detect cookies, visited URL history, downloads, and saved logins and passwords.

FIGURE 1.16: OSForensics Recent Activity

TASK 5: Searching Deleted Files
21. To recover the deleted files from the filesystem, click Deleted Files Search in the left pane, select a disk on which you want to perform the deleted file search (here, Partition 1, C:), and click the Search button.

FIGURE 1.17: OSForensics Deleted Files Search to recover files

22. The application searches for the deleted files in C: Drive and displays them as shown in the following screenshot:

FIGURE 1.18: OSForensics Deleted Files display

TASK 6: Searching Mismatch Files
23. To locate files whose contents do not match their file extensions, click Mismatch File Search in the left pane.
24. Click the Browse button to give the location path to search. In this lab, the C:\CHFI-Tools\Evidence Files\Image Files folder has been selected.
25. The search lists files whose contents do not match their extension, and it also verifies the actual file format.
Note: Connected USB devices: USB devices that have been connected to the computer, and include USB memory sticks, portable hard drives and other external USB devices like CD-ROM drives. A manufacturer name, product ID, serial number and the last connection date should be displayed for each device.

FIGURE 1.19: OSForensics Mismatch File Search
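The mismatch check in Task 6 compares what a file claims to be (its extension) with what its first bytes say it is. The Python script below is an added example, not OSForensics code or part of the lab manual: it walks a start folder, identifies each file by its magic bytes for a handful of image and document types, and reports mismatches. The evidence folder and its files are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

# Known file signatures (magic bytes): (type name, prefix, extensions that fit it).
# Assumption: a small table is enough for the image/document types this lab indexes.
SIGNATURES = [
    ("JPEG image", b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    ("PNG image", b"\x89PNG\r\n\x1a\n", {".png"}),
    ("GIF image", b"GIF87a", {".gif"}),
    ("GIF image", b"GIF89a", {".gif"}),
    ("PDF document", b"%PDF-", {".pdf"}),
    ("ZIP archive", b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx"}),
]


def identify(header):
    """Return the type name whose magic bytes prefix the header, or None."""
    for name, magic, _ in SIGNATURES:
        if header.startswith(magic):
            return name
    return None


def extensions_for(type_name):
    """All extensions that legitimately carry the given detected type."""
    return {ext for name, _, exts in SIGNATURES if name == type_name for ext in exts}


def check_file(path):
    """Classify one file as match, mismatch or unknown (no signature on record)."""
    path = Path(path)
    with open(path, "rb") as fh:
        header = fh.read(16)  # longest magic in the table is 8 bytes
    detected = identify(header)
    ext = path.suffix.lower()
    if detected is None:
        status = "unknown"          # cannot verify: treat as needing manual review
    elif ext in extensions_for(detected):
        status = "match"
    else:
        status = "mismatch"         # content type contradicts the extension
    return {"name": path.name, "path": str(path), "extension": ext,
            "detected": detected, "status": status}


def mismatch_search(start_folder):
    """Walk the start folder (recursively) and classify every file found."""
    results = []
    for root, _, files in os.walk(start_folder):
        for name in sorted(files):
            results.append(check_file(Path(root) / name))
    return results


def build_sample_folder():
    """Constructed evidence folder: file headers only, no real images involved."""
    folder = Path(tempfile.mkdtemp(prefix="evidence_"))
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,      # JPEG data, .jpg name
        "holiday.png": b"\xff\xd8\xff\xe1" + b"\x00" * 12,    # JPEG data renamed .png
        "report.pdf": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,     # PNG data renamed .pdf
        "Images.txt": b"image list\n",                        # text: nothing to compare
    }
    for name, content in samples.items():
        (folder / name).write_bytes(content)
    return folder


if __name__ == "__main__":
    for item in mismatch_search(build_sample_folder()):
        print(f'{item["status"]:8} {item["name"]:12} detected={item["detected"]}')
```

Files with no signature on record come back as "unknown" rather than "match", so a renamed file of a type outside the table is not silently cleared.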

TASK 7: Viewing Memory Processes
26. To view the processes that are running on the system, click Memory Viewer in the left pane.
27. An OSForensics - Warning pop-up appears; click OK.
Note: OSForensics checks several known registry locations that store MRU data; this includes locations for Microsoft Office, Microsoft WordPad, Microsoft Paint, Microsoft Media Player, Windows Search, recent documents, connected network drives, and the Windows Run command.

FIGURE 1.20: OSForensics - Warning pop-up

28. Select a process from the list of running processes to view its memory address ranges, protection and module information.
Note: Performing a process memory dump saves the contents of a process' virtual memory space (both in physical memory or paged out to hard disk) into a file. This is useful especially if there is a particular process that the user has identified as potentially containing information of interest.

FIGURE 1.21: OSForensics Memory Viewer

TASK 8: Viewing Disk Sectors
29. To analyze the raw sectors of all physical disks and partitions, click Raw Disk Viewer in the left pane.
Note: Generating a physical memory dump in the Microsoft Crash Dump format allows the user to perform a deeper analysis of the system state at the time the snapshot was taken.

FIGURE 1.22: OSForensics Raw Disk Viewer

TASK 9: Viewing System Information
30. To retrieve detailed information about the core components of the system, click System Information in the left pane.
31. You can choose one of the following options from the List drop-down menu:
■ Basic DOS commands used
■ Basic system information
■ System Information from Registry
■ All commands used
Note: New third-party tools can be easily added to the suite. Many applications can be helpful in retrieving system information. These tools must be installed first if these commands are to run correctly.

FIGURE 1.23: OSForensics System Information

32. From the List drop-down menu, select the type of information that you want to view.
33. Here, All commands used has been selected. On selecting this, the application executes all the commands displayed under the Commands tab on the machine.
Note: Architecture specifies whether this command should be restricted to 32 or 64 bit systems. Live system specifies whether this command is safe to run during a live acquisition.

FIGURE 1.24: OSForensics System Information All Commands

34. It displays the commands executed, with complete details in the Result tab.
Note: SrvCheck is a simple ping-like program, which can check the availability of a given server. It is part of the Windows Server 2003 Resource Kit Tools package. It supports Windows Server 2003 and Windows XP but is not supported on a 64-bit platform.

FIGURE 1.25
F
W T A S K 1 0 hash values, click
Verify / Create Hash from the left pane
Verifying the
Integrity of Files 36. You can also create a hash of a complete partition, a
or a simple text string by selecting the respective opti
To calculate a hash for a file, just input the file path, choose one of the available hash functions and click Calculate. To verify the calculated hash with a known hash value, copy the known hash value into the Comparison Hash field.

FIGURE 1.26: OSForensics Verify / Create Hash


37. Click the Ellipsis button to specify a File, Volume or Text for which to calculate the hash value. (In this lab, navigate to the file C:\CHFI-Tools\Evidence Files\Image Files\Images.txt to calculate the hash value of Images.txt.)
38. Select a Hash Function (here, MD5) from the drop-down menu and then click Calculate.
39. The calculated hash value appears in the Calculated Hash field, as shown in the following screenshot:
To create a hash of a line of text, select the Text option and type or paste the text you want to hash into the text field.

FIGURE 1.27: OSForensics Verify / Create Hash result

TASK 11: Hash Sets

40. To identify known safe files or known suspected files, click Hash Sets to reduce the need for further time-consuming analysis.
Origin: The origin of the files belonging to the hash set. Depending on the scope of the database this could be as accurate as "Bob's PC" or as broad as an entire organization.

FIGURE 1.28: OSForensics Hash Sets


41. Type the new database name in the Database Name field, and click OK.

Product Type: for example, word processor, image editor, operating system.

FIGURE 1.29: OSForensics Hash Sets: new database created

42. Right-click the new database and select the Make Active option from the context menu.

FIGURE 1.30: OSForensics Hash Sets: New Set

43. To generate a new hash set, click New Set... in the Hash Sets wizard, complete the required fields in the New Hash Set wizard, and then click Create.


44. To add a folder, navigate to C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image.

The Hash Set Viewer window allows the user to view the details about an existing hash set. This window can be accessed by double-clicking on a hash set or via the right-click context menu in the main Hash Sets window.

FIGURE 1.31: OSForensics Hash Sets: New Hash Set

45. It takes some time to create the new hash set.
46. Double-click the newly created set of hashes to view the hash value of t…

Multi File Hash Lookup: When hash compares multiple files, the individual matches are not shown; rather, a summary of how many files found a match is shown.

FIGURE 1.32: OSForensics Hash Set Viewer
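The hashing and hash-set workflow of TASK 10 and TASK 11 (hash a file or a text string, compare against a known value, build a known-good set from a folder, and get a match summary across many files) can be reproduced in a script. The Python below is an added example, not OSForensics or CHFI code; the set fields (Set Name, Origin, Product Type) follow the labels of the lab's New Hash Set dialog, and all sample files are constructed in a temporary folder.

```python
"""Hash calculation, comparison and hash-set lookup in the style of the
OSForensics Verify / Create Hash and Hash Sets features (TASK 10 and 11).

Added example, not OSForensics or CHFI code.  Set metadata fields follow the
labels in the lab's New Hash Set dialog; all sample files are constructed in
a temporary folder by demo().
"""
import hashlib
import hmac
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


def hash_file(path: str, algo: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large evidence file is never read fully into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_text(text: str, algo: str = "md5") -> str:
    """Hash a line of text (the Text option); the text is taken as UTF-8 bytes."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def verify_hash(calculated: str, comparison: str) -> bool:
    """Compare a calculated hash with the known value pasted into the
    Comparison Hash field: whitespace and letter case are ignored, and the
    comparison is constant-time."""
    return hmac.compare_digest(calculated.strip().lower(),
                               comparison.strip().lower())


@dataclass
class HashSet:
    name: str            # Set Name
    origin: str          # Origin: as narrow as "Bob's PC" or as broad as an organization
    product_type: str    # Product Type: e.g. word processor, image editor, operating system
    known_good: bool     # True for known safe files, False for known suspected files
    algo: str = "md5"
    hashes: Dict[str, str] = field(default_factory=dict)  # digest -> file name

    def add_folder(self, folder: str) -> int:
        """Hash every file below a folder into the set (step 44); returns the count."""
        added = 0
        for root, _dirs, files in os.walk(folder):
            for name in sorted(files):
                self.hashes[hash_file(os.path.join(root, name), self.algo)] = name
                added += 1
        return added


def lookup_many(paths: Iterable[str], sets: List[HashSet]) -> Dict[str, int]:
    """Multi File Hash Lookup: individual matches are not listed, only a count
    of files matching each set plus the number that matched no set."""
    summary: Counter = Counter()
    for path in paths:
        matched = False
        for hs in sets:
            if hash_file(path, hs.algo) in hs.hashes:
                summary[hs.name] += 1
                matched = True
        if not matched:
            summary["unknown"] += 1
    return dict(summary)


def demo() -> Dict[str, int]:
    """Constructed run: a known-good set built from an 'OS files' folder, then
    a lookup over an evidence folder holding one known and one unknown file."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "os_files")
        evidence = os.path.join(tmp, "evidence")
        os.makedirs(good)
        os.makedirs(evidence)
        samples = {"notepad.exe": b"constructed os binary", "kernel.dll": b"constructed dll"}
        for name, data in samples.items():
            with open(os.path.join(good, name), "wb") as fh:
                fh.write(data)
        with open(os.path.join(evidence, "notepad.exe"), "wb") as fh:
            fh.write(samples["notepad.exe"])              # same content -> known good
        with open(os.path.join(evidence, "Images.txt"), "wb") as fh:
            fh.write(b"constructed list of image files")   # in no set -> unknown
        baseline = HashSet("Windows baseline", "lab VM", "operating system", known_good=True)
        baseline.add_folder(good)
        files = [os.path.join(evidence, n) for n in sorted(os.listdir(evidence))]
        return lookup_many(files, [baseline])


if __name__ == "__main__":
    print("MD5 of 'abc':", hash_text("abc"))
    print("lookup summary:", demo())
```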


TASK 12: Creating Drive Image

47. To generate exact copies of partitions or whole drives on an active s…
48. Select the source volume (E: drive) from the drop-down list of Source Disk.
49. Mention the path to store the Target Image File by clicking the Browse button. Complete the respective fields, check the Verify Image file After…

Drive imaging, where possible, uses the Volume Shadow Copy service built in to Windows. This allows OSF to make copies of drives that are in use without resulting in data corruption from reading files that are currently being written to.

FIGURE 1.33: OSForensics Creating Drive Image


TASK 13: Mounting Drive Image

50. To mount a drive image and to view the content of that drive image, click Mount Drive Image.
51. The PassMark OSFMount window appears. Click the Mount New... button and navigate to C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartition RawImage.dd in the Image File path. Leave the other settings at their defaults and click OK.
This is especially important for imaging main system drives that Windows is continuously modifying. Once a shadow copy has started, a snapshot state of the drive is frozen, so even if necessary evidence is being removed by another process in the background, it will still appear in the image OSForensics creates.

FIGURE 1.34: PassMark OSFMount

TASK 14: Creating a Forensic Copy

54. Mention the Source Directory and Destination Directory by clicking the Ellipsis button and then click Start.
55. … named Test Files on Desktop and navigate to it.


The log, in addition to general status messages, will also output error messages about any files that failed to copy. The most common reason for failure is that another process locks them or the current user does not have permission to access them.

FIGURE 1.35: OSForensics Creating Forensic Copy


56. A forensic copy has been created in the following path, with the results
in the bottom pane of the window.
OSFClone is a free, self-booting solution that enables you to create or clone exact raw disk images quickly and independently of the installed OS. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics.

FIGURE 1.36: OSForensics Creating Forensic Copy Result
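The forensic copy of TASK 14 (copy a source directory to a destination, log the files that fail because another process locks them or the user lacks permission, and report the counts shown in the result pane) as an added Python example, not OSForensics code. The constructed sample tree and the simulated locked file are assumptions made here; the per-file hash check after copying is added to mirror the Verify Image option of TASK 12.

```python
"""Forensic copy of a directory tree with a failure log and post-copy hash
verification, modelled on the counters in the OSForensics Forensic Copy result
pane (Files Copied, Files Failed to Copy, Folders Copied, Total Data Copied).

Added example, not OSForensics code.  The `copier` hook and the simulated
locked file in demo() are constructed so the failure path can be shown offline.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class CopyResult:
    files_copied: int = 0
    files_failed: int = 0
    folders_copied: int = 0
    files_overwritten: int = 0
    total_bytes: int = 0
    verify_mismatches: int = 0
    log: List[str] = field(default_factory=list)   # status and error messages


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def forensic_copy(src: str, dst: str, verify: bool = True,
                  copier: Callable[[str, str], object] = shutil.copy2) -> CopyResult:
    """Copy src into dst, preserving timestamps (shutil.copy2).  A file that
    cannot be read, most often because another process locks it or the current
    user lacks permission, is logged and skipped; the copy never aborts.
    When verify is True, source and destination hashes are compared after
    each file, the check the lab's Verify Image option performs for images."""
    result = CopyResult()
    for root, _dirs, files in os.walk(src):
        rel = os.path.relpath(root, src)
        target_dir = dst if rel == "." else os.path.join(dst, rel)
        os.makedirs(target_dir, exist_ok=True)
        if rel != ".":
            result.folders_copied += 1
        for name in sorted(files):
            s, d = os.path.join(root, name), os.path.join(target_dir, name)
            existed = os.path.exists(d)
            try:
                copier(s, d)
            except OSError as exc:              # PermissionError is an OSError
                result.files_failed += 1
                result.log.append(f"FAILED {s}: {exc}")
                continue
            result.files_copied += 1
            result.files_overwritten += int(existed)
            result.total_bytes += os.path.getsize(d)
            if verify and sha256_file(s) != sha256_file(d):
                result.verify_mismatches += 1
                result.log.append(f"HASH MISMATCH {s}")
            else:
                result.log.append(f"OK {s}")
    return result


def demo() -> CopyResult:
    """Constructed source tree with two readable files and one 'locked' file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "Evidence Files")
        dst = os.path.join(tmp, "Test Files")
        os.makedirs(os.path.join(src, "Image Files"))
        with open(os.path.join(src, "Image Files", "Images.txt"), "wb") as fh:
            fh.write(b"constructed: list of image files\n")   # 33 bytes
        with open(os.path.join(src, "readme.txt"), "wb") as fh:
            fh.write(b"constructed sample\n")                  # 19 bytes
        with open(os.path.join(src, "locked.tmp"), "wb") as fh:
            fh.write(b"constructed: held open by another process\n")

        def copier(s: str, d: str) -> None:
            # Simulate the most common failure the lab's log describes.
            if os.path.basename(s) == "locked.tmp":
                raise PermissionError("file is locked by another process (simulated)")
            shutil.copy2(s, d)

        return forensic_copy(src, dst, copier=copier)


if __name__ == "__main__":
    res = demo()
    print("\n".join(res.log))
    print(f"Files Copied: {res.files_copied}  Files Failed to Copy: {res.files_failed}  "
          f"Folders Copied: {res.folders_copied}  Total Data Copied: {res.total_bytes} bytes")
```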

Lab Analysis
Document the complete results of this lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs

Extracting Information about Loaded Processes Using Process Explorer
Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

Lab Scenario
Processes are the instances of computer programs running on a system and contain the code required for their activity. Any program or malware will have various loaded processes on the victim computer.

Lab Objectives
The purpose of this lab is to help students learn how to investigate loaded
processes. In this lab, you will learn how to use Process Explorer.

Lab Environment
This lab requires:
■ Process Explorer, which is located at C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Process Explorer.
■ You can also download the latest version of Process Explorer from https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx.
■ If you decide to download the latest version, then the screenshots sho…
■ Administrative privileges to install and run tools.

Tools demonstrated in this lab are available in C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics.

Lab Duration
Time: 15 Minutes

Overview of Extracting Information about Loaded Processes Using Process Explorer
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owner accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in. If it is in handle mode, you'll see the handles opened by the process selected in the top window. If Process Explorer is in DLL mode, you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

You can also download the latest version of Process Explorer from the link http://technet.microsoft.com/en-us/sysinternals/bb896653.

Lab Tasks

TASK 1: Viewing System Information

1. Navigate to C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Process Explorer.
2. Double-click the procexp.exe file, and accept the license agreement if you are running this tool on your system for the first time.
Note: If an Open File - Security Warning pop-up appears, click Run.
3. The Process Explorer GUI appears, displaying the details of all the processes r…
Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

FIGURE 2.1: Process Explorer Main Screen


4. Process Explorer lists all the running processes in the left pane, and details of each process (such as CPU usage, PID, etc.) in the right pane.
The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and it provides insight into the way Windows and applications work.

FIGURE 2.2: Process Explorer Processes and Thread Details
5. To view system information, go to View on the Menu bar and click System Information..., or click the System Information icon on the t…

The Process Explorer window illustrates two panes by default: the upper pane is always a process list and the bottom either shows the list of DLLs loaded into the process selected in the top pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. The view mode determines which information is shown in the bottom pane.

FIGURE 2.3: Process Explorer View menu, System Information


6. The System Information wizard displays global system performance metrics, as shown in the Task Manager, in a graphical view.

Malware, including viruses, spyware, and adware, is often stored in a packed, encrypted form on disk to attempt to hide the code it contains from antispyware and antivirus programs. Process Explorer uses a heuristic to determine if an image is packed. If it is, Process Explorer changes the text above the full path display field to include the message "(Image is probably packed)."

FIGURE 2.4: Process Explorer System Information: global system performance metrics

7. Close the System Information wizard.
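To illustrate the process list of TASK 1 and the process tree Process Explorer draws (children indented under their parent, orphans whose parent has exited left-justified, and a column click switching to a flat sort), here is an added Python example that is not Sysinternals code. The snapshot is constructed with made-up PIDs and values; the Verified flag stands in for the result of the Verify button used later in this lab.

```python
"""Build and render a Process Explorer style process tree from a process
snapshot: children indented under their parent, orphans (parent has exited)
left-justified at the root, plus the flat column sort the lab mentions.

Added example, not Sysinternals code.  The snapshot is constructed; on a live
Windows host it would come from a tool export or WMI, but the tree logic is
the same.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    company: str        # Company Name column
    verified: bool      # True when the image signature verifies (Verify button)
    private_kb: int     # Private Bytes column, in KB


# Constructed snapshot loosely resembling the lab's screenshots (values made up).
SNAPSHOT: List[Proc] = [
    Proc(4, 0, "System", "Microsoft Corporation", True, 140),
    Proc(248, 4, "smss.exe", "Microsoft Corporation", True, 276),
    Proc(512, 248, "services.exe", "Microsoft Corporation", True, 2680),
    Proc(716, 512, "svchost.exe", "Microsoft Corporation", True, 12824),
    Proc(1088, 512, "spoolsv.exe", "Microsoft Corporation", True, 9296),
    Proc(808, 700, "explorer.exe", "Microsoft Corporation", True, 36356),  # parent 700 exited
    Proc(1900, 808, "chrome.exe", "Google Inc.", True, 32172),
    Proc(2420, 808, "procexp.exe", "Sysinternals - www.sysinternals.com", True, 11808),
    Proc(3044, 808, "updater.exe", "", False, 1540),  # constructed: unsigned, no company
]


def build_tree(procs: List[Proc]) -> Tuple[Dict[int, List[Proc]], List[Proc]]:
    """Group processes by parent PID.  A process whose parent PID is not in the
    snapshot is an orphan and becomes a root, as Process Explorer left-justifies it."""
    pids = {p.pid for p in procs}
    children: Dict[int, List[Proc]] = {}
    roots: List[Proc] = []
    for p in procs:
        if p.ppid in pids and p.ppid != p.pid:
            children.setdefault(p.ppid, []).append(p)
        else:
            roots.append(p)
    return children, roots


def render_tree(procs: List[Proc]) -> List[str]:
    """Return the tree as indented lines: name [PID] company (verification)."""
    children, roots = build_tree(procs)
    lines: List[str] = []

    def walk(p: Proc, depth: int) -> None:
        tag = "(Verified)" if p.verified else "(Not verified)"
        lines.append(f"{'  ' * depth}{p.name} [{p.pid}] {p.company or '<no company>'} {tag}")
        for child in sorted(children.get(p.pid, []), key=lambda x: x.pid):
            walk(child, depth + 1)

    for root in sorted(roots, key=lambda x: x.pid):
        walk(root, 0)
    return lines


def sort_by_column(procs: List[Proc], column: str, descending: bool = True) -> List[Proc]:
    """Flat view produced by clicking a column header (e.g. 'private_kb')."""
    return sorted(procs, key=lambda p: getattr(p, column), reverse=descending)


def unverified(procs: List[Proc]) -> List[Proc]:
    """Processes whose image signature did not verify: the ones a reviewer opens
    in Properties first, as the lab does with the Verify button."""
    return [p for p in procs if not p.verified]


if __name__ == "__main__":
    print("\n".join(render_tree(SNAPSHOT)))
    print("Largest Private Bytes:", sort_by_column(SNAPSHOT, "private_kb")[0].name)
    print("Not verified:", [p.name for p in unverified(SNAPSHOT)])
```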

TASK 2: Viewing DLLs

8. To view the DLLs, select a required process and click the View DLLs icon from the toolbar, or navigate to View > Lower Pane View > DLLs on the Menu bar.

Mini Graphs: Process Explorer includes a toolbar and mini graphs for CPU, memory, and, if on Windows 2000 or higher, I/O history at the top of the main window. They can be resized with respect to one another or dragged such that each is on a separate row. The mini graphs show a history of system activity, and moving the cursor over a point on a graph displays a tooltip containing the associated time and process information for that point in time. For example, the tooltip for the mini CPU graph shows the process that was the largest consumer of CPU. Clicking on any of the mini graphs opens the System Information dialog box.

FIGURE 2.5: Process Explorer DLLs view
Module 06 - Operating System Forensics

9. Select a process. You can view the list of DLLs for the selected process i…

Highlight Relocated DLLs: When you select the Relocated DLLs entry in the Configure Highlighting dialog box, any DLLs that are not loaded at their programmed base address are shown in yellow. DLLs that cannot load at their base address because other files are already mapped there are relocated by the loader, which consumes CPU and makes the parts of the DLL that are modified as part of the relocation un-sharable.

FIGURE 2.6: Process Explorer DLLs view

10. To view DLL properties, select a DLL, choose DLL > Properties from t…, or … displayed for a particular process, and select Properties...
On systems that include Terminal Services, Process Explorer displays a Users menu that lists the currently connected sessions. Process Explorer creates a menu entry for each session with a name that includes the session ID and the user logged into the session.

FIGURE 2.7: Process Explorer DLLs Properties view

11. This displays the DLL properties in the Image and Strings tabs.
Show Unnamed Handles: By default, Process Explorer shows only handles to objects that have names. Select the Show Unnamed Handles item under the View menu to have Process Explorer list all the handles opened by a selected process, even those to objects that are nameless. Note that Process Explorer consumes significantly more CPU resources when this option is selected.

FIGURE 2.8: Process Explorer DLLs Properties wizard

12. The Image tab contains details of the DLL such as Company name, V…
13. Click the Verify button to check the signature of a process.

FIGURE 2.9: Process Explorer DLLs Image tab

14. O… if the company's name appears to be Microsoft Windows, then the i…

FIGURE 2.10: Process Explorer DLLs Image Signature Verified

15. Click the Strings tab. The Strings tab lists any Unicode strings found in t… s… i…
16. W… image and memory strings. Click either the Image or Memory radio button…

By default, Process Explorer sorts processes into the system process tree. The process tree reflects the parent-child relationship between processes, where child processes are shown directly beneath their parent and right-indented. Processes that are left-justified are orphans; their parents have exited. To change the sort order, simply click on the column by which you wish to sort. To return the sort to the process tree, choose View > Show Process Tree, click the Process Tree toolbar button or …

FIGURE 2.11: Process Explorer DLLs Strings

17. You can also save the Image and/or Memory strings in text file format. I… button, and click Save.
18. The Save Process Explorer Settings window appears; specify a location (… c…

On Windows NT based systems, Process Explorer shows two artificial processes: Interrupts and DPCs. These processes reflect the amount of time the system spends servicing hardware interrupts and deferred procedure calls (DPCs), respectively. High CPU consumption by these activities can indicate a hardware problem or device driver bug. To see the total number of interrupts and DPCs executed since the system booted, add the Context Switch column. Another sometimes useful metric is the number of interrupts and DPCs generated per refresh interval, which you see when you add the CSwitches Delta column.

FIGURE 2.12: Process Explorer DLLs saving strings

19. On saving the file, click OK in the DLL's Properties window to close it.
20. The Search Online option searches the selected DLL on the Internet by l…
21. To search online, choose a DLL, and select DLL > Search Online from t…
You can highlight the process that owns a window visible on the desktop by dragging the target-like toolbar button over the window in question. Process Explorer will select the owning process entry.

FIGURE 2.13: Process Explorer DLLs searching online
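The Strings tab (steps 15 to 17) lists the printable ASCII and Unicode (UTF-16LE) strings found in the DLL image or its in-memory copy and lets you save them to a text file. The following Python is an added example of that extraction, not Sysinternals code; the sample buffer is constructed and contains the VS_VERSION_INFO and FileVersion resource strings visible in the lab's screenshot.

```python
"""Extract printable ASCII and Unicode (UTF-16LE) strings from a byte buffer,
as the Strings tab does for a DLL image or its in-memory copy, and save them
to a text file as in step 17.

Added example, not Sysinternals code.  build_sample() constructs a stand-in
for a DLL image containing the version-resource strings seen in the lab's
Strings tab screenshot.
"""
import os
import re
import tempfile
from typing import List, Tuple

Found = Tuple[int, str, str]   # (offset, encoding, text)


def extract_strings(data: bytes, min_len: int = 4) -> List[Found]:
    """Return ASCII and UTF-16LE runs of at least min_len characters, sorted by
    offset.  UTF-16LE runs are printable ASCII code points with a zero high byte,
    which is how Windows stores resource strings such as VS_VERSION_INFO."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Found] = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort(key=lambda item: item[0])
    return found


def save_strings(found: List[Found], path: str) -> int:
    """Write one 'offset<TAB>encoding<TAB>text' line per string; returns the count."""
    with open(path, "w", encoding="utf-8") as fh:
        for offset, enc, text in found:
            fh.write(f"0x{offset:08x}\t{enc}\t{text}\n")
    return len(found)


def build_sample() -> bytes:
    """Constructed image bytes: a header stub, an ASCII section name, then a
    UTF-16LE version resource.  Two-byte NUL terminators separate the strings."""
    data = bytearray(b"MZ\x90\x00" + b"\x00" * 12)                 # offsets 0..15
    data += b".rdata\x00\x00" + b"\x07\x01\x00\x00"                 # ASCII '.rdata' at 16
    data += "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"    # at 28
    data += "FileVersion".encode("utf-16-le") + b"\x00\x00"        # at 60
    data += "Microsoft Corporation".encode("utf-16-le")            # at 84
    data += b"\x00\x00ab\x00\x01"                                   # 'ab' is below min_len
    return bytes(data)


def demo() -> int:
    """Extract from the sample and save to a temporary text file; returns the count."""
    found = extract_strings(build_sample())
    with tempfile.TemporaryDirectory() as tmp:
        return save_strings(found, os.path.join(tmp, "cabinet_strings.txt"))


if __name__ == "__main__":
    for offset, enc, text in extract_strings(build_sample()):
        print(f"0x{offset:08x} {enc:9} {text}")
```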

22. To view the handles of a particular process, select the process and c… Lower Pane View …

Highlight Services: On Windows NT and higher, this option has Process Explorer show processes that are running Win32 services in the service process highlight color. The Services tab of the Process Properties dialog box shows the list of services running within a process.

FIGURE 2.14: Process Explorer to view handles

23. To close handles running in the process, right-click the handle to be closed and click Close Handle, or select a handle and then choose Handle > Close Handle from the Menu bar.

Highlight Jobs: On Windows 2000 and higher, choose this option to have Process Explorer show processes that are part of a Win32 Job in the Job object highlight color. Jobs group processes together so that they can be managed as a single item and are used by the Run as command, for example. Use the Job tab of the Process Properties dialog box to see the list of processes running in the same job as the selected process and to see job limits that have been applied to the job.

FIGURE 2.15: Process Explorer to close handles

24. A Process Explorer Warning dialog box appears; if you are sure you w…

Highlight Packed Images: Malware, including viruses, spyware, and adware, is often stored in a packed, encrypted form on disk in order to attempt to hide the code it contains from antispyware and antivirus.

FIGURE 2.16: Process Explorer Close Handle: Warning

25. To view handle properties, right-click on the required handle and select Properties.

□ ns View Process Handle

Close Handle _________,


Process Set FID C’cscnpflion Company Marne
•j csrssexe 4 rfeOK Microsoft Ccrpcration

[-1 wimnrt.exe 728 K 236 K
2.948 K
0 02 0 02 5.140 K
5
2.S92 K 3.812 K
<0.01 9,460 K
15.304 K 21.108 K
Q Highlight .NET 2,724 K 3.448 K
Processes: This option 4,464 K 6,656 K
appears on Windows NT based 7,084 K 5 9.896 K Microsoft Corporation

svstems that have the NET in 9.340 K 6.940 K Microsoft Corporation


iolsv.exe 5.368 K
Framework installed. the
4.236 K 1 1 44 Host Process for Windows S. Microsoft Corporation
When the option is checked, .NE
40.968 K 46.940 K 1408 Host Process for Windows 9. . Microsoft Corporation
managed T <0.01 Microsoft Corporation
3.332 K 652 RDP Clipboard Moritor
applications (those that use die
.NET Framework) are highlighted
Tread spools* exei 1083) 1820
process highlight color. Close Handle
Thread Thread 1 spools* ,exe(1 088). 1724 spools* ,exe(1 088).
Thread Thread 1504 spools* ,exe(1 088). 1104
Thread Thread spools* .exe(1 088): 1
Thiead Token 1 spools v.exe(1 088): 1
Token Token s 1DC
spools* ,exe(1 088). 1092
Token NT AUTHORITYXSYSTEM ,3e7
NT AUTHORITYXSYSTEM .3e7
NT AUTHORITY YSTEM ,3e7
NT AUTHORITYXSYSTEM .3e7
NT AUTHORITYXSYSTEM ,3e7 HKUX.DEFAU
LTXSoftwareXMcnjscft'
.WndowsXCuraltVerscnX...
Processes; 36
FIGURE 2.1":
Process Explorer Handle Properties


26. The Properties window appears for the selected handle. The Details tab displays basic information about the selected handle: its Name, Description, kernel Address, References, and Quota Charges.

Kill: This item terminates a process with the TerminateProcess API. Note that a process terminated in this way is not warned of its termination, and therefore does not write any unsaved data.

FIGURE 2.18: Process Explorer Handle Details tab

27. The Security tab displays the level of security (Full Control, Read, Write) assigned to each group or user name; to see the full permission set, click Advanced.

Highlight Own Processes: In Windows NT and higher, checking this option results in Process Explorer showing the processes that are running in the same user account as Process Explorer in the own-process highlight color.

FIGURE: Process Explorer Handle Security tab

28. Click OK to close the Properties window.


Lab Analysis
Analyze the DLLs and handles in the process, and document the respective details.
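The same DLL and handle inspection can be scripted so the findings end up in a report rather than in screenshots. The following is an added example, not part of the CHFI lab manual or of Process Explorer: it lists the loaded modules of a process with their Authenticode status and dumps its handles with Sysinternals Handle. It assumes an elevated PowerShell prompt and that handle.exe is on PATH; spoolsv is the process shown in the lab's screenshots.

```powershell
# Added example, not part of the CHFI lab manual or of Process Explorer. It lists
# the DLLs and handles of a process from an elevated PowerShell prompt. spoolsv is
# the process shown in the lab's screenshots; handle.exe (Sysinternals Handle) is
# assumed to be on PATH.
param(
    [string]$ProcessName = 'spoolsv',
    [string]$HandleExe   = 'handle.exe'
)
$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
"Process: {0} (PID {1})" -f $proc.ProcessName, $proc.Id

# DLL view: every loaded module with its Authenticode status. A module in a system
# process that is unsigned, or whose hash no longer matches its signature, is the
# kind of packed or injected code the "Highlight Packed Images" sidebar describes.
$modules = foreach ($m in $proc.Modules) {
    $sig = Get-AuthenticodeSignature -FilePath $m.FileName
    [pscustomobject]@{
        Module    = $m.ModuleName
        Company   = $m.FileVersionInfo.CompanyName
        Signature = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
        Path      = $m.FileName
    }
}
$modules | Sort-Object Signature, Module | Format-Table -AutoSize
$unsigned = @($modules | Where-Object { $_.Signature -ne 'Valid' })
"Modules without a valid signature: {0}" -f $unsigned.Count

# Handle view: handle.exe -a dumps every handle type; -p limits it to one PID.
# Each line is "<hex handle>: <type> <name>", e.g. "1C0: Token NT AUTHORITY\SYSTEM:3e7",
# which matches the Token and Thread entries seen in the lab.
$raw = & $HandleExe -accepteula -nobanner -a -p $proc.Id 2>&1
$raw | Where-Object { $_ -match ':\s+(Token|Thread)\s' } | ForEach-Object { $_.Trim() }
$raw | ForEach-Object { if ($_ -match '^\s*[0-9A-Fa-f]+:\s+(\S+)') { $Matches[1] } } |
    Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Closing a handle (Process Explorer's Close Handle) is "handle.exe -c <hex> -p <pid> -y".
# As the warning dialog in step 24 says, this can crash or corrupt the process, so
# record the handle's properties first and never do it on a system under investigation.
```

Run it as a .ps1 with the process name as a parameter; the module table is what the lab's DLL view shows, with the signature column added as the check a practitioner wants before documenting a suspect module.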

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs

Viewing, Monitoring, and Analyzing Events Using the Event Log Explorer Tool
Event Log Explorer is a software solution for viewing, monitoring, and analyzing events recorded in the security, system, application, and other logs of the Microsoft Windows OS.

Lab Scenario
As an expert computer forensic investigator, to examine the security posture of a target network, you must know how to view, monitor, and analyze the events recorded in the security, system, application, and other logs of the OS.

Lab Objectives
The objective of this lab is to help forensic investigators learn how to view, monitor, and analyze various events. Here we monitor and analyze:
■ Security logs
■ System logs
■ Application logs
■ Other logs

Lab Environment
This lab requires:
■ Event Log Explorer, located at C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Event Log Explorer.
■ You can also download the latest version of Event Log Explorer from www.eventlogxp.com.
■ If you decide to download the latest version, then the screenshots shown in the lab might be slightly different.
■ A computer running Windows Server 2012.
■ Administrative privileges to install and run tools.

Tools demonstrated in this lab are available in C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics

Lab Duration
Time: 15 Minutes

Overview of Viewing, Monitoring, and Analyzing Events Using the Event Log Explorer Tool
Event Log Explorer is a software solution for viewing, monitoring, and analyzing events recorded in the security, system, application, and other logs of Microsoft Windows operating systems. It helps to quickly browse, find, and report on problems, security warnings, and all other events that are generated within Windows.

Lab Tasks
TASK 1: Launching Event Log Explorer
1. Navigate to C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Event Log Explorer.
2. Double-click elex_setup.exe to launch the setup, select the language as English, and follow the wizard-driven installation steps to install the application.
Note: If an Open File - Security Warning pop-up appears, click Run.

FIGURE 3.1: Event Log Explorer startup installer wizard

3. In the last step of the installation, check Launch Event Log Explorer and click Finish.

FIGURE 3.2: Event Log Explorer startup installer wizard

4. On completion of installation, a web page related to Event Log Explorer

5. An Event Log Explorer pop-up window appears, stating that Event Log Explorer is running in evaluation mode (a free license is available for use with no more than 3 computers in your home network); click OK to close it.

FIGURE 3.3: Event Log Explorer pop-up window

TASK 2: Opening Event Log
6. The Event Log Explorer main window appears, displaying an empty log view area and a Computer Tree pane listing the local machine's computer name.

Event Log Explorer provides a powerful event search and filtering engine.

FIGURE 3.4: Event Log Explorer Main Window

7. If the local computer name does not appear in the Computer Tree pane, t

Every filter can be saved into a file. It saves your time when you want to reapply the filter in future.

FIGURE 3.5: Event Log Explorer New Workspace

8. To open an event log of your local computer, click the + button near t

FIGURE 3.6: Event Log Explorer Computers Tree

9. It will expand the computer node to display all available event logs (Application, Internet Explorer, Key Management Service, Security, System, Setup, and the Microsoft-Windows operational logs) as shown in the following screenshot.

Event Log Explorer can print event logs or even separate events. You can also export your event logs to other formats. At the time of writing, Event Log Explorer supports exports to HTML, Microsoft Excel, and tab-separated text files.

FIGURE 3.7: Expanding the Computers Tree of Event Log Explorer

10. Double-click Application in the Computers Tree pane to view the application events. The Application event logs will be displayed in the right pane of the window (columns: Type, Date, Time, Event, Source, Category, User, Computer) as shown in the screenshot.

FIGURE 3.8: Event Log Explorer viewing the application events

11. Event Log Explorer also displays the events of Application

12. Selecting any event displays the description of the event in the Description pane.

Main features and benefits of Event Log Explorer at a glance:
• Favorite computers and their logs are grouped into a tree.
• Manual and automatic backup of event logs.
• Event descriptions and binary data are in the log window.
• Advanced filtering by any criteria, including event description text.
• Quick Filter feature allows you to filter an event log with a couple of mouse clicks.
• Log loading options pre-filter event logs.
• Color coding by Event ID.
• Print and export to different formats.
• Read damaged EVT files and generate EVT files from event views.

FIGURE 3.9: Event Log Explorer Description pane

TASK 3: Applying a Filter
13. You can also filter the events. To filter the events, click the filter icon in the toolbar, or choose View > Filter.

FIGURE 3.10: Event Log Explorer Filter option

14. A new Filter window pops up. Choose the Source, Category, User, and Computer (the dialog also accepts a list of Event IDs, an Exclude option, description-text conditions, and a From/To date range) and then click OK.

Depending on the user interface style, log views are presented either as MDI child windows or as tabs.

Event Log Explorer allows sorting the list by a specified column. To sort the list, click the column header. Click a second time to reverse the sort order.

FIGURE 3.11: Event Log Explorer applying a filter

15. Event Log Explorer displays all the events related to your filter settings (the status bar reads "Filtered: showing N of M event(s)").

FIGURE 3.12: Event Log Explorer filtered logs

16. To clear the filter settings, click the clear filter button on the toolbar, or go to View > Clear Filter.
Note: The Clear Filter option will be active only when a filter is applied.

TASK 4: Saving Event Logs
17. You can save the event logs for future reference. To save the event logs, choose File > Save Log As... and select any option according to your requirements. In this lab, the Save Event Log (Backup)... option is selected.

Event Log Explorer's friendly and powerful user interface lets you choose between two styles: multi-document or tabbed-document interface.

FIGURE 3.13: Event Log Explorer Save Log As options

18. Navigate to the location where you want to save the file (here, we are saving the file to the Desktop), type the file name (here, Application Events) in the appropriate field, and then click Save.

Event Log Explorer Supported OS: Windows NT, 2000, XP, 2003, Vista, 2008

FIGURE 3.14: Event Log Explorer Save Log As window

TASK 5: Opening Event Log Files
19. Navigate to the location where you saved the event logs and double-click it.

20. The saved logs appear in the Event Viewer window as shown in the following screenshot.

Event Log Explorer allows bookmarking. Bookmarking is a handy way to navigate between events in the log view.

FIGURE 3.15: Event Log Explorer Event Viewer

21. Alternatively, in Event Log Explorer choose File > Open Log File > Direct... and select the saved file.

22. It will open the saved file.

Event Log Explorer's backup file name has this format: LogName-year-month-day-hour-minute-seconds-millisecond.evt.

FIGURE 3.16: Event Log Explorer Direct

23. To clear the logs, select File > Clear Log.

Event Log Explorer's log view control toolbar displays the log view status message (e.g. Loading, Filtering, Showing events), event list navigator buttons (First, Previous, Next, Last), and different options.

FIGURE 3.17: Event Log Explorer Clear Logs

24. A Clear Log pop-up appears; click Yes if you want to save the logs before they are cleared. If you do not want to save the logs, click No. It will clear all the event logs of the selected category in the Computers Tree pane on the left.
Note: Clearing a log is destructive and is itself recorded by Windows as an event. On a system under investigation, do not clear logs; back them up (Task 4) and analyze the copy.
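The view, filter, back up, reopen and clear workflow of Tasks 2-5 can also be done without the GUI, which matters when the evidence host has no desktop session or when the steps must be repeatable and logged. The following is an added example, not part of the CHFI lab manual or of Event Log Explorer: PowerShell on the same Windows Server 2012 host. It assumes an elevated prompt and an evidence folder E:\Evidence on removable or network media (the path and file names are assumptions); the ESENT events 326/327 and the Security event 4625 are the IDs visible in the lab's screenshots.

```powershell
# Added example, not part of the CHFI lab manual or of Event Log Explorer.
# Run from an elevated PowerShell prompt (the Security log is not readable
# otherwise). Get-FileHash needs PowerShell 4.0 or later (WMF 4 on Server 2012).
# $EvidenceDir should be removable or network media; the path is an assumption.
$EvidenceDir = 'E:\Evidence'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Tasks 2-3: open the Application log with a filter. The hashtable is evaluated
# by the Event Log service, so it is far faster than Get-WinEvent | Where-Object.
# Keys mirror the Filter dialog: ProviderName = Source, Id = Event ID(s),
# UserID = User (as a SID), StartTime/EndTime = the date range.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'ESENT'             # the Source shown in the lab's filtered view
    Id           = 326, 327            # the ESENT events visible in the screenshots
    StartTime    = (Get-Date).Date     # since midnight today
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, TaskDisplayName, UserId, MachineName |
    Format-Table -AutoSize

# Security log: failed logons (Event ID 4625 appears in the lab's Security log).
# Fields come from the event's XML, not from the message text, which repeats
# "Account Name:" for both the subject and the account that failed to log on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            Status  = ($data | Where-Object Name -eq 'Status').'#text'
        }
    } | Group-Object Account | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Task 4: back up logs (Save Event Log (Backup) in the GUI). wevtutil epl writes
# a native .evtx; hashing it immediately documents the copy before anything else
# touches it.
foreach ($log in 'Application', 'System', 'Security') {
    $out = Join-Path $EvidenceDir ('{0}-{1}.evtx' -f $log, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    wevtutil epl $log $out
    Get-FileHash -Path $out -Algorithm SHA256 | Select-Object Path, Hash |
        Export-Csv -Path (Join-Path $EvidenceDir 'hashes.csv') -Append -NoTypeInformation
}

# Task 5: reopen a saved file and filter it exactly like a live log.
$saved = Get-ChildItem -Path $EvidenceDir -Filter 'Application-*.evtx' | Select-Object -First 1
Get-WinEvent -FilterHashtable @{ Path = $saved.FullName; ProviderName = 'ESENT' } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize

# Clearing (File > Clear Log, step 23) is destructive and is itself logged:
# clearing the Security log writes Event ID 1102 to the Security log, clearing any
# other log writes Event ID 104 to the System log. On an evidence host, back up and
# work on the copy instead. The command-line equivalent, for reference only:
#   wevtutil cl Application /bu:"$EvidenceDir\Application-before-clear.evtx"
```

The hashtable filter is the scriptable counterpart of the Filter dialog in step 14; the exported .evtx files open in Event Viewer exactly as the backup saved in step 18 does.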

Lab Analysis
Analyze the security, application, system, and other logs of the computer, and document the results related to the lab exercise. Give your opinion on the target computer's security situation and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs

Performing a Computer Forensic Investigation Using the Helix Tool
Helix focuses on incident response and forensics tools. It is meant to be used by individuals who have a sound understanding of incident response and forensic techniques.

Lab Scenario
In a company, when a security breach occurs, the network security admin should be able to aptly respond to the situation and take the necessary steps to avoid further damage. In case there is no proper person to take action, the company would hire an investigator for incident response. To be an expert computer forensic investigator, you must be able to offer incident response activities. This lab discusses how an investigator can respond to an incident of cyber-based crime using the Helix tool.

Lab Environment
To carry out the lab you need:
■ The Helix tool, located at C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Helix.
■ A computer running Windows Server 2012.
■ Administrative privileges to install and run tools.

Tools demonstrated in this lab are available in C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics

Lab Duration
Time: 30 Minutes

Overview of Performing a Computer Forensic Investigation Using the Helix Tool
Helix uses software that is licensed under various additional licenses such as the GPL. Each individual piece of software retains its original license. e-fense does not license, control, or support the individual software on the Helix CD. In no way does the title or copyright that e-fense holds on the name or packaging of Helix affect the additional third-party software included on the Helix CD. All rights and provisions for the additional third-party software included on Helix still apply.

Lab Tasks
Note: This lab is based on the free version of Helix 3 (HELIX2009R1).
1. Navigate to C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Helix.
2. To launch Helix, double-click helix.exe.
3. It will display a warning message. Read it thoroughly and select your preferred language from the Choose Your Language drop-down menu. The warning states that you are running the application in a LIVE Windows environment, that there is absolutely no way to protect this live environment from changing, and that the application WILL make changes to it; if you are not willing to accept this risk or do not understand what you are doing, exit now. For an investigation this means documenting the time, the tool, and every action taken on the host.
4. Click Accept to continue.

FIGURE 4.1: Helix Warning message

5. After clicking the Accept button, the Helix GUI appears as shown in the following screenshot.

Helix is a fast and powerful Live CD originally based on Knoppix which provides all necessary tools for live forensics, incident response, and e-discovery.

FIGURE 4.2: Helix Main Interface

TASK 1: Viewing System Information
6. Click the System Information icon on the left side of the window to see the system information of the live system.

Helix is a customized version of Ubuntu Linux, allowing you to boot into a Linux environment containing customized Linux kernels, hardware detection, and a large number of applications designed for incident response and forensics.

FIGURE 4.3: Helix System Information icon

7. It displays the OS information, owner information, network information (host name, IP address, NIC, domain), and the drives with their file types.

Helix does not touch the host computer in any way and is forensically safe. It will not auto mount swap space or attached devices. (This applies to booting the Helix Live CD; running helix.exe inside a live Windows session does change the host, as the warning in Figure 4.1 states.)

FIGURE 4.4: Helix System Information details

8. Click the button to go to the second System Information page. This page displays the processes running on your system, with the full path of each executable.

Helix mainly provides incident response and forensics tools, and is intended for users with solid knowledge of these techniques.

FIGURE 4.5: Helix System Information Running Processes

TASK 2: Acquisition
9. Click the Acquisition icon to acquire physical memory or disk drives.
10. Select the desired disk drive from the Source drop-down menu. In this lab, leave the Destination (C:\Helix Result) and the Options field at their defaults, then click Acquire.
Note: Writing the image to a folder on the same disk that is being acquired overwrites unallocated space on the evidence drive; in a real case the destination should be an external or network volume.

Security firm e-fense released a new version of their popular Linux-based forensics Live CD, Helix. This new version is Ubuntu-based, which seems to be a popular choice among this genre of tools.

FIGURE 4.6: Helix Acquisition Step 1

11. Then click the button to go to the second Acquisition page (Page 2 of 3). To create an image of a folder with the help of AccessData FTK Imager, click AccessData FTK Imager.

Helix is a customized distribution of Ubuntu Linux. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection, and many applications dedicated to incident response and forensics.

FIGURE 4.7: Helix Acquisition Step 2

Note: We can also create an image of a physical drive, a logical drive, an image file, the contents of a folder, or a Fernico device (multiple CD/DVD).

TASK 3: Creating Disk Image
12. It will launch AccessData FTK Imager. Now go to the File menu on the menu bar and click Create Disk Image....

Preview files and folders on local hard drives, network drives, floppy diskettes, Zip disks, CDs, and DVDs.

FIGURE 4.8: Helix Acquisition AccessData FTK Imager

13. Choose the source evidence type (here, Contents of a Folder), and then click Next to create an image.

Preview the contents of forensic images stored on the local machine or on a network drive.

FIGURE 4.9: Helix Acquisition AccessData FTK Imager Select Source

14. AccessData FTK Imager will prompt you with a warning (a logical image of a folder captures only the files and their metadata, not file slack or unallocated space); if you want to continue, click Yes.

Mount an image for a read-only view that leverages Windows Explorer to see the content of the image exactly as the user saw it on the original drive.

FIGURE 4.10: Helix Acquisition AccessData FTK Imager Warning

15. Navigate to the folder to be imaged (in this case, C:\CHFI-Tools\Evidence Files\Image Files), and then click Finish.

See and recover files that have been deleted from the Recycle Bin, but have not yet been overwritten on the drive.

FIGURE 4.11: Helix Acquisition AccessData FTK Imager folder path to create an image

16. Click the Add button.

17. The Evidence Item Information wizard appears; fill in the details, and click Next.

Create hashes of files using either of the two hash functions available in FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).

FIGURE 4.12: Helix Acquisition AccessData FTK Imager Evidence Item Information

18. Now select the image destination folder (in this lab, we have created a folder named Helix Result in C:\ and saved the result in C:\Helix Result), enter an Image Filename excluding the extension, and click Finish.

Generate hash reports for regular files and disk images (including files inside disk images) that you can later use as a benchmark to prove the integrity of your case evidence.

FIGURE 4.13: Helix Acquisition AccessData FTK Imager Select Image Destination


19. Now click the Start button in the Create Image wizard to create an image of the folder contents.

Helix is also unique in that it includes a Win32-based autorun toolset, giving users quick access to common forensic tools not found in Linux.

FIGURE 4.14: Helix Acquisition AccessData FTK Imager Create Image

20. A pop-up appears showing the image result (Image created successfully, together with the MD5 and SHA1 hash values). Click Close, and then click Close in the Create Image wizard.

Helix is a customized distribution of the Knoppix live Linux CD. Helix is more than just a bootable live CD.

FIGURE 4.15: Helix Acquisition AccessData FTK Imager Drive/Image Result


21. AccessData FTK Imager has created an image of the folder. To check this, navigate to C:\Helix Result.

FIGURE 4.16: Helix Acquisition AccessData FTK Imager destination folder

22. In this lab, we already have an evidence item/disk image located at C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd, and we will be analyzing this image.
23. Go to File -> Add Evidence Item... to add the evidence item for investigation.

To prevent accidental or intentional manipulation of the original evidence, FTK Imager makes a bit-for-bit duplicate image of the media. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space.

FIGURE 4.17: Helix Acquisition AccessData FTK Imager Add Evidence Item


24. Choose the Image File option for investigating the image file, and click Next.

FTK Imager can be installed to the computer where it will be used, or it can be run from a portable device such as a USB thumb drive connected to a machine in the field, so there is no need to install it on a suspect's computer to capture its image.

FIGURE 4.18: Helix Acquisition AccessData FTK Imager Select Source

25. Click Browse, navigate to C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd, and then click Finish.

/CreateDirListing= creates a directory listing file in the folder where FTK Imager.exe is run from. /VerifyImage= verifies an image when you specify the image path and filename. /EnableDebugLog= enables logging to the FTKImageDebug.log file created in the folder you run FTK Imager.exe from.

FIGURE 4.19: Helix Acquisition AccessData FTK Imager Selecting File


26. The image file is displayed in the left pane of the window. Now expand DiskPartitionRawImage.dd -> Drive [NTFS] -> [root] and click the Set of Images updated folder. The contents of the folder are displayed in the right pane. Click the desired image file to view the respective image in the lower section of the window.
Note: The application may not be able to open other file formats.

If you fail to specify an image when using the /CreateDirListing= or /VerifyImage= options, an error message appears indicating no image was found.

FIGURE 4.20: Helix Acquisition AccessData FTK Imager evidence content

27. The properties of the image file can be viewed by clicking the Properties tab. Further details of the image file can be obtained by clicking the other tabs beside the Properties tab.

The Evidence Tree pane (upper-left pane) displays added evidence items in a hierarchical tree. At the root of the tree are the selected evidence sources. Listed below each source are the folders and files it contains.

FIGURE 4.21: Helix Acquisition AccessData FTK Imager Properties tab

28. Now close AccessData FTK Imager by clicking Exit in the File menu.

FIGURE 4.22: Helix Acquisition AccessData FTK Imager Closing

TASK 4: Disk Preview

29. Now click the Incident Response icon in the left pane of Helix.

30. Click the Agile Risk Management's Nigilant32 icon on Page 1.

Nigilant32 is an incident response tool designed to capture as much information as possible from a running system with the smallest potential impact.

31. It will prompt you with a Notice. Click Yes.

Nigilant32 For First Responders: Using the Snap-Shot feature of Nigilant32, we can review and save a report of the running system that includes processes, services, user accounts, scheduled tasks, network ports, etc.

FIGURE 4.24: Helix Incident Response Nigilant32 notice

32. The Nigilant32 pop-up appears; click the pop-up.

FIGURE 4.25: Helix Incident Response Nigilant32 pop-up
33. The Nigilant32 - Windows Afterdark Forensic window appears, as shown in the screenshot:

Nigilant32 For First Responders, File System Review: Using Nigilant32 we can explore the file system and possibly locate hidden files, folders, or recently deleted content, or extract files for offline analysis with limited risk of contamination.

FIGURE 4.26: Helix Incident Response Nigilant32 main screen

34. Choose File -> Preview Disk... to view the preview of the hard drives.

Nigilant32 For First Responders, Active Memory Imaging: Using Nigilant32, we can image the active physical memory (RAM) of the suspect workstation or server to secure portable media.

FIGURE 4.27: Helix Incident Response Nigilant32 Preview Disk

35. Select the drive to preview, and then click the Apply button.
Note: Do not select the C drive (it contains system files).

FIGURE 4.28: Helix Incident Response Nigilant32 selecting drive to preview

36. It displays the files and folders pertaining to the partition. Double-click a file to view the file content in the bottom pane of the window.

37. You may double-click a folder to view the contents in it.

FIGURE 4.29: Helix Incident Response Nigilant32 Preview of the file

38. To take a snapshot of the computer, choose Tools -> Snapshot Computer.

Helix also has a special Windows autorun side for incident response and forensics.

FIGURE 4.30: Helix Incident Response Nigilant32 Snapshot Computer

39. To save the snapshot, click the Save button in the Live Machine Snapshot window.

Helix focuses on incident response and forensics tools. It is meant to be used by individuals who have a sound understanding of these techniques.

FIGURE 4.31: Helix Incident Response Nigilant32 Live Machine Snapshot

40. The Save As window appears; select the location in which the snapshot has to be saved, mention the file name in the File Name field, and click Save.

FIGURE 4.32: Helix Incident Response Nigilant32 Save As window

41. To create an image of physical memory, choose Tools -> Image Physical Memory.

Nigilant32: Free Windows incident response tool. As such, we have recently released Nigilant32, a freeware Windows GUI.

FIGURE 4.33: Helix Incident Response Nigilant32 Image Physical Memory

42. Click Start to create an image of the physical memory.

FIGURE 4.34: Helix Incident Response Nigilant32 Imaging Physical Memory

43. The Save As window appears; select the location in which the snapshot has to be saved, mention the file name in the File Name field, and click Save.

FIGURE 4.35: Helix Incident Response Nigilant32 destination path to save

44. Now go to Page 2 of the Incident Response screen by clicking the next-page button.

FIGURE 4.36: Helix Incident Response Page 2

TASK 5: MD5 Hash Calculation

45. To generate an MD5 hash value of a file, click the Browse button and select a file (in this case, C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Helix\EULA.pdf).

46. Click the Hash button to generate the hash value of the file.

The Message-Digest 5 (MD5) algorithm is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. It is specified in RFC 1321.

FIGURE 4.37: Helix Incident Response Page 2 MD5 calculation

47. A hash value is generated, as shown in the screenshot:

MD5 has been employed in a wide variety of security applications and is also commonly used to check data integrity.

FIGURE 4.38: Helix Incident Response Page 2 MD5 value

TASK 6: Recovering Deleted Files

48. Now click the File Recovery icon to recover the deleted files.

FIGURE 4.39: Helix Incident Response Page 2 File Recovery

49. It will prompt you with the Notice window. Click Yes to run Filerecovery.exe.

FIGURE 4.40: Helix Incident Response Page 2 File Recovery

50. Select a language and click the button in the Language window to continue.

Select your file (for several files use the Ctrl or Shift keys) and save it to another drive by selecting Save to from the Object menu. Also, you can search for a deleted or lost file (or for several files) by selecting Find from the Object menu.

FIGURE 4.41: Helix Incident Response Page 2 File Recovery language selection

51. The Welcome to PC Inspector File Recovery window appears, as shown in the screenshot:

Select Find lost data from the Tools menu. The appearing dialog windows allow you to delimit the search (e.g. if you know the file/directory is situated more behind, move the track bar Start sector to the right).

FIGURE 4.42: Helix Incident Response Page 2 File Recovery wizard Welcome window

52. Navigate to Object -> Drive....

Important: If a file is found with unknown name and size (e.g. cluster40.jpg), you can correct the name and size by choosing Properties from the Object menu. If the file is too small, simply change the file size to a higher value.

FIGURE 4.43: Helix Incident Response Page 2 File Recovery Object Menu

53. Now select a drive from the Logical drive or Physical drive tabs.

54. Select any drive from the Logical drive tab and click the button.

In addition to the cluster scan, you can search for a deleted/lost file (or for several files) by selecting Find from the Object menu.

FIGURE 4.44: Helix Incident Response Page 2 File Recovery select drive

55. It will take some time to retrieve the files and folders of the drive, as shown in the screenshot:

Important: To open the drive and to save your data, choose the option no FAT (consecutive), since the FAT has been deleted by quick-formatting.

FIGURE 4.45: Helix Incident Response Page 2 File Recovery Retrieving files

56. In the left pane of the window, it will display a tree structure.

57. Expand the Deleted node; select a folder from the left pane.

58. You can save those files to another hard drive or disk by right-clicking the respective file and clicking Save to, and then specifying the location to store the file.

After the search has been completed and a logical drive has been found, select the drive under logical drive if the format seems to be correct. It is not exceptional if more drives are found than have been installed. The reason is that there are several copies of the boot sector on the hard disk (that's the unit that contains the information about a logical drive). So first use the function Preview to get the right logical drive.

FIGURE 4.46: Helix Incident Response Page 2 File Recovery Save to option

TASK 7: Browsing Contents in Hard Drives

60. To know the contents of your drives, click the Browse icon in the left pane; it displays all the drives in the middle pane of the window.

61. Expand the drive of your choice and expand the folders within it.

62. Now select a file to view its properties in the lower right pane of the window, as shown in the screenshot:

Helix is a customized version of Ubuntu Linux, allowing you to boot into a Linux environment containing customized Linux kernels, hardware detection and a large number of applications designed for incident response and forensics.

FIGURE 4.48: Helix Browsing Contents

TASK 8: Scanning for Pictures

63. To scan for pictures, click the Scan for Pictures icon, and then click Load Folder to view the images.

FIGURE 4.49: Helix Scan for Pictures

64. Navigate to C:\CHFI-Tools\Evidence Files\Image Files to load the pictures for scanning, and then click OK.

Helix will not automount swap space, or automount any attached devices. Helix also has a special Windows autorun side for incident response and forensics. Helix has been modified very carefully not to touch the host computer in any way, and it is forensically sound.

FIGURE 4.50: Helix Scan for Pictures location

65. It will prompt with a Notice window asking you to be patient. Click OK.

FIGURE 4.51: Helix Scan for Pictures Notice

66. You can view the images scanned by Helix, as shown in the screenshot:

FIGURE 4.52: Helix scanned images

Lab Analysis
Analyze drive image creation and extraction, file recovery, and cookie viewing, and document the respective details.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs

Acquiring Volatile Data in a Linux System
Linux OS stores user and session related data in RAM when the system is live.

Lab Scenario
The data that changes when the system is turned off is volatile data. The investigator needs the knowledge to understand how to gather volatile data from a live Linux system and analyze it.

Lab Objectives
The objective of this lab is to help students learn to gather volatile data from a live Linux system and analyze it to find traces of attack to define the type, impact points, path as well as the perpetrator.

Lab Environment
Tools demonstrated in this lab are available in C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics.

To carry out the lab, you need:
■ A computer running Ubuntu OS (Linux Distro).
■ Administrative privileges to run tools.
■ A web browser with an Internet connection.

Lab Duration
Time: 15 Minutes

Lab Tasks

TASK 1: Launching Terminal in Linux

1. Launch a Terminal in the system.
Note: Create a copy or image of the hard disk before acquiring any volatile data, as the commands and actions used to analyze it can make changes to it.

FIGURE 5.1: Ubuntu Terminal

TASK 2: Gather Volatile Data

2. Use the uname -a command to print the system information, including kernel name, hostname, kernel release and machine hardware name.

FIGURE 5.2: Ubuntu Terminal uname -a command

3. Type sudo su and press Enter. You will be prompted to enter a password.

4. Type the password and press Enter, as shown in the screenshot:

FIGURE 5.3: Ubuntu Terminal change user jason to root

5. Type lshw -short and press Enter to view the hardware details of the system.

FIGURE 5.4: Ubuntu Terminal, system hardware details (lshw -short output)

H/W path        Device      Class      Description
                            system     Computer
/0                          bus        Motherboard
/0/0                        memory     1475MiB System memory
/0/1                        processor  Intel(R) Core(TM) i5-2400 CPU
/0/100                      bridge     440BX/ZX/DX - 82443BX/ZX/DX Host bridge
/0/100/7                    bridge     82371AB/EB/MB PIIX4 ISA
/0/100/7.1                  storage    82371AB/EB/MB PIIX4 IDE
/0/100/7.3                  bridge     82371AB/EB/MB PIIX4 ACPI
/0/100/8                    display    Hyper-V virtual VGA
/0/2            scsi1       storage
/0/2/0.0.0      /dev/cdrom  disk       DVD reader
/0/3            scsi2       storage
/0/3/0.0.0      /dev/sda    disk       102GB SCSI Disk
/0/3/0.0.0/1    /dev/sda1   volume     93GiB EXT4 volume
/0/3/0.0.0/2    /dev/sda2   volume     1521MiB Extended partition
/0/3/0.0.0/2/5  /dev/sda5   volume     1521MiB Linux swap / Solaris
/1              eth0        network    Ethernet interface
/2              eth1        network    Ethernet interface

6. To view uptime details, type w and press Enter.

FIGURE 5.5: Ubuntu Terminal, uptime details (w output: "15:43:53 up 1:03, 3 users, load average: 0.00, 0.05, 0.23", followed by one line per logged-in user with TTY, FROM, LOGIN@, IDLE, JCPU, PCPU and WHAT; here administrator on tty7 and two further users on tty8 and tty9, all running /sbin/upstart)

7. To gather the details of the last login sessions, issue the command last -a.

FIGURE 5.6: Ubuntu Terminal, last login session details (last -a output, ending with "wtmp begins Mon Jun 6 ... 2016")


8. Use the netstat command to check the network status of the system. Without options it lists the active Internet connections (Local Address, Foreign Address, State) and the active UNIX domain sockets, both without listening servers; add -anp to include listening sockets and the PID that owns each one.

FIGURE 5.7: Ubuntu Terminal, system network status (netstat output listing active UNIX domain sockets such as /run/systemd/journal/dev-log, /run/systemd/notify, /run/user/1000/pulse/native, /tmp/dbus-* and /tmp/.X11-unix/X0)
9. You can review the current network settings using the command ifconfig -a.

FIGURE 5.8: Ubuntu Terminal, reviewing the current network settings (ifconfig -a output: eth0 with inet addr 192.168.0.152, Bcast 192.168.0.255, Mask 255.255.255.0; eth1 with HWaddr 00:15:5d:00:b4:0e, inet addr 10.0.0.9, Bcast 10.255.255.255, Mask 255.0.0.0; lo with inet addr 127.0.0.1; each interface also shows its RX/TX packet and byte counters, MTU and txqueuelen)

10. To save the list of files currently open on the system into a text file in the home directory, issue the command lsof > openfiles.txt. Open the file (for example in gedit) to review it: each line shows the command, PID, user, file descriptor, type, device, size/offset, node and file name.
Note: lsof may warn that "Output information may be incomplete" for file systems it cannot stat (here /run/user/1000/gvfs); the warning is informational.

FIGURE 5.9: Ubuntu Terminal, open files (openfiles.txt opened in gedit)

11. You can view the loaded modules in a Linux system using the command lsmod.

FIGURE 5.10: Ubuntu Terminal, loaded modules (lsmod output with the columns Module, Size and Used by, listing modules such as crc32_pclmul, aesni_intel, aes_x86_64, lrw, gf128mul, glue_helper, ablk_helper, cryptd, hyperv_fb, parport, hv_balloon, hv_netvsc, hv_utils, hyperv_keyboard and hid_hyperv)

12. To install the Linux auditing tool (auditd), type apt-get install auditd and press Enter. If the installation fails, refresh the package repositories using the commands apt-get update and apt-get upgrade and then retry.

FIGURE 5.11: Ubuntu Terminal, Linux auditing tool installation (apt-get install auditd; the additional package libauparse0 is installed alongside auditd)

13. To generate a summary report of the audit logs, type aureport and press Enter. The report shows the range of time in the logs and the number of changes in configuration, changes to accounts, groups or roles, logins, failed logins, authentications, failed authentications, users, terminals, host names, executables, files, AVCs, MAC events, failed syscalls, anomaly events, responses to anomaly events, crypto events, integrity events, virt events, keys, process IDs and events.

FIGURE 5.12: Ubuntu Terminal, aureport summary report (range of time in logs: Monday 06 June 2016 17:19:05 to Monday 06 June 2016 17:24:44; number of logins: 0, number of users: 1, number of terminals: 1, number of host names: 1, number of executables: 2, number of process IDs: 3, number of events: 7)

15. Determine the user ID of interest, then track all the user events pertaining to that user ID with the ausearch command. Syntax of the command is ausearch -ui <userID> --interpret (the --interpret option converts numeric fields such as uid, time and syscall into readable text). Note that -ui matches the uid field of a record, not the login uid (auid), which is why ausearch -ui 0 also returns service events whose auid is unset.

FIGURE 5.13: Ubuntu Terminal, ausearch -ui 0 --interpret output (for example "type=SERVICE_START msg=audit(Monday 06 June 2016 17:19:05.302:25): ... auid=unset ses=unset ... addr=? terminal=?")
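Steps 13 and 15 run aureport and ausearch against the live audit log. The following POSIX shell functions are an added example, not part of the lab manual or of the audit userspace tools: they re-implement, in awk, the two queries the lab issues (counting events per login uid as the summary report does, and selecting one uid's records as ausearch -ui does) over constructed sample records in the raw line format auditd writes to /var/log/audit/audit.log. The uids, PIDs, addresses and timestamps in the sample are made up. On a real system use aureport and ausearch themselves; the point here is the record layout and the uid versus auid distinction.

```sh
#!/bin/sh
# Added example (not from the CHFI lab manual or the audit tools): awk versions
# of "aureport" counting and "ausearch -ui <uid>" selection over raw audit records.
# Assumes a POSIX shell with awk, grep and sort.

# audit_sample: constructed records (all values made up). auid=4294967295 is the
# "unset" login uid that ausearch --interpret prints as auid=unset (Figure 5.13).
audit_sample() {
cat <<'EOF'
type=SERVICE_START msg=audit(1465222745.302:25): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1465222801.118:26): pid=1510 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.11 addr=10.0.0.11 terminal=ssh res=success'
type=USER_CMD msg=audit(1465222830.554:27): pid=1602 uid=1000 auid=1000 ses=3 msg='cwd="/home/jason" cmd="lshw -short" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1465222845.907:28): pid=1611 uid=1000 auid=1000 ses=3 msg='cwd="/home/jason" cmd="su" terminal=pts/0 res=success'
type=USER_AUTH msg=audit(1465222846.012:29): pid=1611 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
type=USER_END msg=audit(1465222901.223:30): pid=1510 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.11 addr=10.0.0.11 terminal=ssh res=success'
EOF
}

# events_for_uid UID: like "ausearch -ui UID". Emits every record whose uid=
# token (the effective uid, not the login uid auid=) equals UID. Reads stdin.
events_for_uid() {
    awk -v want="$1" '
        { for (i = 1; i <= NF; i++) if ($i == ("uid=" want)) { print; break } }'
}

# summarize_by_auid: one facet of "aureport": count records per login uid and
# event type. Reads stdin, prints "auid type count" lines, sorted.
summarize_by_auid() {
    awk '
        { t = ""; a = ""
          for (i = 1; i <= NF; i++) {
              if (index($i, "type=") == 1) t = substr($i, 6)
              if (index($i, "auid=") == 1) a = substr($i, 6)
          }
          if (t != "" && a != "") n[a " " t]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# failed_auth_count: the "Number of failed authentications" line of the summary.
# Reads stdin; prints 0 (not an error) when there are none.
failed_auth_count() {
    grep -c 'type=USER_AUTH .* res=failed' || true
}

# Usage on real data (as root):  cat /var/log/audit/audit.log | events_for_uid 1000
```

Running `audit_sample | events_for_uid 0` returns the SERVICE_START, USER_LOGIN and USER_END records (uid=0) even though only the last two belong to the login session of auid 1000, which mirrors what Figure 5.13 shows for ausearch -ui 0.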
16. Scheduled tasks are stored in the cron files. To view the location of the scheduled task files, navigate to /etc in the file manager, where you find crontab and the cron.d, cron.hourly, cron.daily, cron.weekly and cron.monthly directories.

FIGURE 5.14: Scheduled tasks location
17. The cron files also store data about the tasks scheduled hourly, daily, weekly and monthly. To view the daily scheduled task files, go to /etc/cron.daily.

FIGURE 5.15: Daily scheduled task files location (/etc/cron.daily containing 0anacron, apache2, apport, apt-compat, bsdmainutils, cracklib-runtime, dpkg, logrotate, man-db, mlocate, passwd, popularity-contest, update-notifier-common and upstart)

18. The .bash_history file contains the command history of the Linux user. To view the history, navigate to the user's home directory and double-click .bash_history to view the entire bash history (it is a hidden file, so enable "Show Hidden Files" in the file manager if it is not listed).

FIGURE 5.16: Linux system command history (.bash_history opened in gedit, listing commands such as apt-get install apache2, sudo su, uname -a, ifconfig, ifup eth1, ifdown eth1, /etc/init.d/networking restart, ping 10.0.0.11, clear and sudo lshw -short)
19. Find the ARP cache of the system using the arp command.

FIGURE 5.17: Ubuntu Terminal, ARP cache (arp output with the columns Address, HWtype, HWaddress, Flags Mask and Iface; here 10.0.0.11 at 00:15:5d:00:b4:06 on eth1 and 192.168.0.219 at ac:16:2d:3a:f0:c1 on eth0)

20. Use the ps command to view the running processes. You can use the option auxww to view all details of the running processes (a: all users, u: user-oriented format, x: include processes without a controlling terminal, ww: unlimited line width so full command lines are shown).

FIGURE 5.18: Ubuntu Terminal, viewing system running processes (ps auxww output with the columns USER, PID, %CPU, %MEM, VSZ, RSS, TTY, STAT, START, TIME and COMMAND; PID 1 is /sbin/init splash, followed by kernel threads such as [kthreadd], [ksoftirqd/0], [rcu_sched], [kswapd0] and [crypto])
21. You can find the ports related to a particular process using the command ss -l -p -n | grep <PID> (-l lists listening sockets, -p shows the owning process and -n keeps addresses and ports numeric).
Note: If any error related to grep appears, you need to install grep on the machine. Issue the command apt-get install grep to install grep.

FIGURE 5.19: Ubuntu Terminal, process ports (ss -l -p -n | grep 1147; the matching line ends with the owning process and its file descriptor, for example "pid=1147,fd=4")

22. You can view the current state data of the system by viewing the state of the processes running in the /proc file system. Each numbered directory under /proc corresponds to a running process (its PID); alongside them are kernel information files such as cmdline, cpuinfo, crypto, devices, diskstats, filesystems, interrupts, iomem, ioports, kallsyms, kcore, keys, key-users and modules.

FIGURE 5.20: Current state data of the system (/proc in the file manager)

23. Copy and review the clipboard contents using the xclip command: cat .bash_history | xclip copies the file to the X selection, and xclip -o prints the current selection back to the terminal for review.

FIGURE 5.21: Ubuntu Terminal, copying and reviewing clipboard contents (cat .bash_history | xclip, followed by the copied command history)
24. You can analyze the headers and sections of ELF files using the readelf command. Syntax of the command is readelf <option> <elf file>; for example, readelf -h /usr/lib/memtest86+/memtest86+.elf prints the ELF header.

FIGURE 5.22: Ubuntu Terminal, analyzing the headers and sections of ELF files (readelf -h /usr/lib/memtest86+/memtest86+.elf)

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               (not legible in the screenshot)
  Start of program headers:          52 (bytes into file)
  Start of section headers:          164260 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         1
  Size of section headers:           40 (bytes)
  Number of section headers:         3
  Section header string table index: 2
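Steps 2 through 24 type each command by hand and read its output on screen. A practitioner would script the same collection so that every output is written to a file, the run is timestamped and every artifact is hashed at collection time. The script below is an added example, not part of the lab manual or of any tool it uses. It assumes a Linux host on which the lab's commands are installed (a missing tool is recorded rather than treated as a fatal error), that it is run as root, that sha256sum is available, and that the caller passes an output directory, ideally on external media rather than on the suspect disk.

```sh
#!/bin/sh
# Added example (not from the CHFI lab manual): script the lab's volatile-data
# collection so each command's output is stored separately and hashed.
# Assumptions: Linux host, run as root, sha256sum available, and an output
# directory (ideally on external media, never on the suspect disk) given as $1.

# collect_cmd OUTDIR LABEL COMMAND [ARGS...]
# Runs COMMAND and stores its stdout and stderr in OUTDIR/LABEL.txt. A tool that
# is not installed is recorded as such instead of aborting the whole collection.
collect_cmd() {
    outdir=$1
    label=$2
    shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$outdir/$label.txt" 2>&1 || true   # a failing command still leaves its partial output
    else
        echo "tool not available on this host: $1" >"$outdir/$label.txt"
    fi
}

# collect_volatile OUTDIR
# Runs the lab's commands, most volatile state first (logins, sockets and the
# ARP cache change faster than open files, modules and the process list),
# timestamps the run and writes a SHA-256 manifest of every artifact.
# Prints the manifest path.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    date -u +%Y-%m-%dT%H:%M:%SZ >"$outdir/collection_start.txt"

    collect_cmd "$outdir" uname     uname -a        # kernel name, hostname, release, machine
    collect_cmd "$outdir" uptime    w               # uptime, load, logged-in users
    collect_cmd "$outdir" last      last -a         # previous login sessions
    collect_cmd "$outdir" netstat   netstat -anp    # all sockets with owning PID, numeric
    collect_cmd "$outdir" ss        ss -lpn         # listening sockets with owning process
    collect_cmd "$outdir" ifconfig  ifconfig -a     # interface configuration
    collect_cmd "$outdir" arp       arp -a          # ARP cache
    collect_cmd "$outdir" lsof      lsof            # open files
    collect_cmd "$outdir" lsmod     lsmod           # loaded kernel modules
    collect_cmd "$outdir" ps        ps auxww        # running processes, full command lines

    date -u +%Y-%m-%dT%H:%M:%SZ >"$outdir/collection_end.txt"

    # Hash every artifact so the analyst can later prove nothing changed.
    # Verify with:  cd OUTDIR && sha256sum -c MANIFEST.sha256
    (cd "$outdir" && sha256sum *.txt >MANIFEST.sha256)
    echo "$outdir/MANIFEST.sha256"
}

# artifact_count MANIFEST: number of hashed artifacts listed in the manifest.
artifact_count() {
    grep -c '' "$1"
}

# Usage (as root):  collect_volatile /media/usb/case01/volatile
```

The collection writes twelve files (ten command outputs plus the start and end timestamps) and a manifest; re-running sha256sum -c against the manifest at analysis time is the check that the copies being examined are the ones collected.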

Lab Analysis
Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required
□ Yes  ☑ No

Platform Supported
☑ iLabs  ☑ Classroom
Analyzing Non-volatile Data in Linux System

Non-volatile data is the information that does not change when you switch off the system. Mostly, investigators collect non-volatile data from the image of a system hard disk.

ICON KEY
Valuable information
Web exercise
Workbook review

Lab Scenario
The non-volatile data remains the same even if the system is turned off. This data can provide a forensic examiner with numerous evidences. To be an expert forensic investigator, you must understand the changes happening to a system when turned off and the process of collecting information from it. In this lab, you will analyze the image of a Linux hard disk and gather the required evidence from it.

Lab Environment
To carry out the lab, you need:
■ Autopsy located at C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Linux Forensics Tools\Autopsy
■ A computer running Windows Server 2012
■ Administrative privileges to run tools
■ A web browser with an Internet connection
Tools demonstrated in this lab are available in C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics

Lab Duration
Time: 20 Minutes
Overview of Autopsy
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used for retrieving deleted data, performing timeline analysis, examining web artifacts, etc., during a forensic investigation.

Lab Tasks
1. Before beginning this lab, navigate to C:\CHFI-Tools\Evidence Files\Linux Image, right-click Linux_disk1.7z and select Extract Here. On extracting the file, delete Linux_disk1.7z.

TASK 1: Select the Forensics Image

2. Navigate to C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Linux Forensics Tools\Autopsy.
3. Double-click autopsy-4.0.0-64bit.msi to launch the setup, and follow the wizard-driven installation instructions to install the application.
4. Double-click the Autopsy 4.0.0 shortcut icon located on the Desktop to launch the application.
5. The main window of Autopsy will appear.
Note: You can also launch the tool from the Apps screen.
6. Click the Create New Case option.

FIGURE 6.1: Autopsy Create New Case option


7. In the New Case Information window, provide the Case Name and Base Directory, leave the Case Type as Single-user and click the Next button.

FIGURE 6.2: Autopsy New Case Information window (Case Name: Linux)

8. Provide the Case Number and Examiner details, and click the Finish button.

FIGURE 6.3: Autopsy New Case Information window (Additional Information)
9. In the Add Data Source window, click the Browse button.

FIGURE 6.4: Autopsy Enter Data Source Information wizard

10. Navigate to the location C:\CHFI-Tools\Evidence Files\Linux Image, select the Linux_disk1.img file and click the Open button.

FIGURE 6.5: Autopsy, opening the Linux image
11. Click the Next button.

FIGURE 6.6: Autopsy Enter Data Source Information wizard

12. In the Configure Ingest Modules window, check the required boxes (for example Recent Activity, Hash Lookup, Exif Parser, Keyword Search, Email Parser and E01 Verifier) and click the Next button.

FIGURE 6.7: Autopsy Configure Ingest Modules wizard
13. Click the Finish button.
Note: The tool will take some time to analyze the image.

FIGURE 6.8: Add Data Source wizard

14. The tool will display the result after analysis. Expand the Data Sources node in the left pane. The Data Sources option will include the name of the image file.

TASK 2: Examine the Forensic Image

15. Click the image name, here Linux_disk1.img, to expand it and see its contents.

FIGURE 6.9: Autopsy Case 1

16. The image contains folders, each of which stores data related to the files, processes, services, tools and commands used on the Linux system.
17. The bin folder contains the command binaries of all users. Click the bin option to see its content. Click the option you want to verify and review.
18. Select the auto partition-loop file option from the menu. Click the Strings tab to view all the strings present in the selected file. You can observe that the file contains syslog information that stores Linux log data.

FIGURE 6.10: Autopsy Case 1, auto partition-loop file option (Strings tab showing systemd boot messages such as "Started Load Kernel Modules", "Starting Apply Kernel Variables...", "Starting Flush Journal to Persistent Storage..." and "Mounted FUSE Control File System")

Note: The files that are marked with a red cross are the deleted files, which help the investigator in finding suspicious activities. They may also help in finding whether the attacker has used any anti-forensic techniques that delete files and folders after completion of the attack.
19. The update-dev file stores data about the login sessions of different users in the system. Select it to view the information in textual format.

FIGURE 6.11: Autopsy Case 1, update-dev file information in textual format

20. Click the boot menu option to view the bootloader files of the Linux operating system (the boot directory holds the grub folder and the kernel files).
21. Verifying these files helps you in finding the presence of any boot-based malware.

FIGURE 6.12: Autopsy Case 1, bootloader files
22. The dev folder stores information about the devices connected to the system. Click it to view the device files (for example the audio, console, cpu and disk nodes) present on the system. Selecting a file shows its metadata in the lower pane: name, type, file name allocation, metadata allocation, modified, accessed, created and changed times, MD5 (not calculated here) and hash lookup result (UNKNOWN).

FIGURE 6.13: Autopsy Case 1, dev files (/img_Linux_disk1.img/dev/audio1 selected)

23. The etc folder contains the system configuration files. Expand the etc node and click on it to view the internal files.

FIGURE 6.14: Autopsy Case 1, etc folder files
24. The home folder stores the user home directories. It helps you to view the files of the user accounts present on the system (for example the .cache, .config, Desktop, Documents, Downloads, Music, Pictures, Templates and Videos folders of each user).

FIGURE 6.15: Autopsy Case 1, home folder

25. The var folder contains variable data. Expand the log folder; it contains log files such as the package installation log, which stores the history of install and remove actions performed on the system, together with other logs (for example auth.log, apt, cups and syslog).

FIGURE 6.16: Autopsy Case 1, var folder (a log file under var/log selected, showing package installation entries)
26, Select the cups folder. It stores access logs, error logs, and page logs.
Select the access log option in the Table tab to view the logs.
- AuTopsyl.0.0
Windtrw

etc (30?)
here (0) lb (MO Mod tied Tire
(
2016-06-0? 38:«PI>T 0J1M6-O9(E;3&+ift'T ifflfrOMN 0fi:i3:+L JOI 301 6-W-O9 02:21 38 POT
;
[perert fader]

rant (ft opt (ft 2016-06 0? 02:36:56 PbT I01WJ6-W 03:t&3l POT
30 1604-M =Di
root (6)

■An 01D

200

znp(l£

+05351 "KSI 200

Pft

tog (3ft

200

ho
ffl)

200

200

IDC

FIGURE 6.1 : Autopsy Case 1 cups file

27. The tool also displays deleted files. Expand the Views option in the left menu list, expand the Deleted Files option, and click All to view all the deleted files.
FIGURE 6.18: Autopsy Case 1 deleted files


28. Select the Results folder from the left pane. It contains sections such as EXIF Metadata, Encrypted Content, and Extension Mismatch Detected. Analyze these files to look for obfuscated malware files as well as metadata files.

FIGURE 6.19: Autopsy Case 1 Results option

29. Similarly, analyze the lib, media, mnt, opt, root, sbin, and tmp folders, which hold libraries and kernel modules, mount points of removable media, temporary mount points, add-on application packages, the root user's home directory, system binaries, and temporary files, respectively.
30. Other system folders include srv, containing data for the services provided; usr, the secondary hierarchy holding user commands; and var, holding variable data such as log files, mail spools, caches, and lock files.
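The Extension Mismatch Detected result in step 28 flags files whose content signature disagrees with their file extension, which is a common way to hide an executable among images or documents. The following Python script is an added example, not part of the lab manual or of Autopsy's own code: it implements the same check over a constructed sample tree. The signature table and the expected-extension map are assumptions covering a handful of common types, not Autopsy's full list, and the sample files are written to a temporary directory so the script runs offline.

```python
"""Extension-mismatch check of the kind Autopsy reports under Results >
Extension Mismatch Detected. Added example; the signature table below is a
constructed subset of common file types, not Autopsy's own list."""
import os
import tempfile

# Leading "magic" bytes for a few common types (constructed subset, assumption).
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],
    "elf":  [b"\x7fELF"],
    "pe":   [b"MZ"],
}

# Extensions that legitimately carry each detected type (assumption).
EXPECTED_EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg"},
    "png":  {".png"},
    "gif":  {".gif"},
    "pdf":  {".pdf"},
    "zip":  {".zip", ".jar", ".apk", ".docx", ".xlsx", ".pptx"},
    "elf":  {"", ".so", ".ko", ".elf"},
    "pe":   {".exe", ".dll", ".sys", ".scr"},
}


def detect_type(header: bytes):
    """Return the signature name matching the file header, or None if unknown."""
    for name, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return name
    return None


def check_file(path: str) -> dict:
    """Compare a file's content signature with its extension."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    kind = detect_type(header)
    ext = os.path.splitext(path)[1].lower()
    # Unknown signatures are not reported: only files of a known type whose
    # extension disagrees with the content are flagged, as the Autopsy result does.
    mismatch = kind is not None and ext not in EXPECTED_EXTENSIONS[kind]
    return {"path": path, "detected": kind, "extension": ext, "mismatch": mismatch}


def scan_tree(root: str) -> list:
    """Check every regular file under root; results sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            findings.append(check_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f["path"])


def findings_by_name(root: str) -> dict:
    """Map each file's base name to its finding, for easy lookup."""
    return {os.path.basename(f["path"]): f for f in scan_tree(root)}


def mismatched_names(root: str) -> list:
    """Base names of files flagged as mismatched, sorted."""
    return sorted(os.path.basename(f["path"]) for f in scan_tree(root) if f["mismatch"])


def build_sample_tree() -> str:
    """Write a constructed sample tree to a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="ext_mismatch_demo_")
    samples = {
        "photo.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * 12,    # genuine JPEG header
        "report.pdf":  b"%PDF-1.7\n%constructed",            # genuine PDF header
        "notes.txt":   b"plain text with no known signature", # unknown type, never flagged
        "holiday.jpg": b"MZ\x90\x00\x03\x00" + b"\x00" * 10,  # PE executable renamed to .jpg
        "module.png":  b"\x7fELF\x02\x01\x01" + b"\x00" * 9,  # ELF object renamed to .png
        "bundle.docx": b"PK\x03\x04" + b"\x00" * 12,          # zip container, legitimate for .docx
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for finding in scan_tree(demo_root):
        flag = "MISMATCH" if finding["mismatch"] else "ok"
        print(f"{flag:9} {finding['extension'] or '(none)':6} {finding['detected']}  {finding['path']}")
```

Running the script lists the two renamed binaries as mismatches while the unknown text file is left alone; a real examiner would extend the signature table, treat container formats such as zip with a second look at their contents, and review flagged files alongside the EXIF and timeline data Autopsy shows for them.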

Lab Analysis
Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs

