Lab Exam Second Half

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 2

Download the test image. It is a 'raw' partition image (i.e. a 'dd' image) of an EXT3 file system. The file system is 5MB and is compressed to 4MB. The MD5 of the image is 30e7f792cc853e34e17335b243605d3a; verify it after decompressing and before you begin analysis.

Search Terms

Perform all of these searches case-sensitively and as literal strings, not as regular expressions.

1. Search string: first

How many hits: 

For each hit:

Sector or Fragment and Offset:

File Name: 

2. Search String: second

How many hits:

For each hit:

Sector or Fragment and Offset:

File Name: 

3. Search String: third

How many hits:

For each hit:

Sector or Fragment and Offset:

File Name: 

4. Search String: slacker

How many hits:

For each hit:

Sector or Fragment and Offset:

File Name: 
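An added example (not part of the exam or of the test image) of what a keyword-search tool does underneath when it reports a hit as "sector and offset" or "fragment and offset": a literal, case-sensitive byte search over a raw image, with each hit mapped to its 512-byte sector and to its file-system block ("fragment") plus the offset within each. The image is a constructed bytearray with the exam's four terms planted at known places; the 1024-byte block size is an assumption for illustration (the real block size is read from the EXT3 superblock, and the exam does not state it). Mapping a hit back to a file name requires walking the file system's inode block pointers, which this example does not do.

```python
SECTOR_SIZE = 512


def find_literal(image: bytes, term: bytes):
    """Return every byte offset at which `term` occurs in `image`.

    bytes.find is a literal, case-sensitive substring search with no regex
    semantics, which is what the exam asks for. Overlapping occurrences are
    reported as well: a tool that resumes its scan len(term) bytes after a hit
    would silently miss them.
    """
    hits = []
    pos = image.find(term)
    while pos != -1:
        hits.append(pos)
        pos = image.find(term, pos + 1)
    return hits


def describe_hit(offset: int, term_len: int, block_size: int):
    """Translate an absolute byte offset into sector/offset and fragment/offset.

    A hit that starts near the end of a unit may continue into the next one.
    The spans_* flags mark that case, because a tool that searches one sector
    (or one block) at a time misses such a string unless its reads overlap.
    """
    last = offset + term_len - 1
    return {
        "byte_offset": offset,
        "sector": offset // SECTOR_SIZE,
        "sector_offset": offset % SECTOR_SIZE,
        "spans_sector": last // SECTOR_SIZE != offset // SECTOR_SIZE,
        "fragment": offset // block_size,
        "fragment_offset": offset % block_size,
        "spans_fragment": last // block_size != offset // block_size,
    }


def keyword_search(image: bytes, terms, block_size: int = 1024):
    """Run the literal search for every term and describe each hit."""
    return {
        term: [describe_hit(pos, len(term), block_size) for pos in find_literal(image, term)]
        for term in terms
    }


def build_sample_image() -> bytes:
    """Constructed 8 KiB stand-in for a raw image (not the exam image), with
    the search terms planted at known places."""
    img = bytearray(8192)
    img[100:105] = b"first"        # sector 0 offset 100, fragment 0 offset 100
    img[510:515] = b"first"        # crosses the sector 0/1 boundary, still in fragment 0
    img[1020:1026] = b"second"     # crosses the fragment 0/1 boundary (1024-byte blocks)
    img[3000:3005] = b"FIRST"      # wrong case: a case-sensitive search must not report it
    img[4096:4101] = b"third"      # sector 8 offset 0, fragment 4 offset 0
    img[6000:6007] = b"slacker"    # sector 11 offset 368, fragment 5 offset 880
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    results = keyword_search(image, [b"first", b"second", b"third", b"slacker"])
    for term, hits in results.items():
        print(f"{term.decode()}: {len(hits)} hit(s)")
        for h in hits:
            note = "  (crosses a sector boundary)" if h["spans_sector"] else ""
            print(f"  sector {h['sector']} offset {h['sector_offset']}, "
                  f"fragment {h['fragment']} offset {h['fragment_offset']}{note}")
```

When comparing tools against the exam's expected hit counts, the two cases worth checking are the boundary-crossing string (some tools search sector by sector and drop it) and the differently-cased string (a tool that folds case will report one hit too many).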

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 4

This test image is a 6MB FAT file system with six deleted files and two deleted directories. The files range from single-cluster files to files stored in multiple fragments. No data structures were modified to thwart recovery. The files were created in Windows XP, deleted in XP, and the partition was imaged in Linux.

Download the test image. It is a 'raw' partition image (i.e. a 'dd' image) of a FAT file system. The MD5 of the image is 4aeb06ecd361777242ab78735d51ace6.

Answer the questions: 

1.  Can you see the frag1.dat, frag2.dat, sing.dat, mult1.dat, and dir1 file and directory names in the root directory?

2.  Can you see the dir2 and mult2.dat names in the dir1 directory?

3.  Can you see the frag3.dat name in the dir1\dir2 directory?

4.  Can you recover the sing.dat file?  Does it have the correct MD5?

5.  Can you recover the mult1.dat file?  Does it have the correct MD5?
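An added example (not part of the exam, and not code from the tool under test) of what questions 1, 4 and 5 above rely on: on FAT, deleting a file overwrites only the first byte of its directory entry with 0xE5 and clears its cluster chain in the FAT, so the name (minus one character), the first cluster and the size survive. A recovery tool reads those, maps the first cluster to a byte offset from the BIOS Parameter Block, and copies `size` bytes assuming the clusters are contiguous; the MD5 check is what tells you whether that assumption held. The image built below is a constructed 16-sector FAT12 layout with one allocated file, one deleted two-cluster file and one deleted directory; the names SING.DAT, MULT1.DAT and DIR1 are borrowed from the question but the contents are made up.

```python
import hashlib
import struct


def parse_bpb(image: bytes):
    """Read the BIOS Parameter Block fields needed to map clusters to byte offsets."""
    bps, spc, reserved = struct.unpack_from("<HBH", image, 11)
    fats, root_entries = struct.unpack_from("<BH", image, 16)
    spf, = struct.unpack_from("<H", image, 22)
    root_dir_offset = (reserved + fats * spf) * bps
    root_dir_bytes = ((root_entries * 32 + bps - 1) // bps) * bps   # whole sectors
    return {"cluster_size": bps * spc, "root_dir_offset": root_dir_offset,
            "root_dir_bytes": root_dir_bytes,
            "data_offset": root_dir_offset + root_dir_bytes}   # FAT12/16: data follows root dir


def parse_dir(raw: bytes):
    """Parse 8.3 directory entries; a deleted entry keeps everything but its first name byte."""
    entries = []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:          # 0x00 marks the end of the used entries
            break
        attr = e[11]
        if attr == 0x0F:          # long-file-name entry, not needed for 8.3 recovery
            continue
        deleted = e[0] == 0xE5
        base = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            base = "_" + base[1:]   # the original first character is gone from the entry
        hi, = struct.unpack_from("<H", e, 20)   # high word of the cluster, FAT32 only
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append({"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
                        "is_dir": bool(attr & 0x10), "first_cluster": (hi << 16) | lo,
                        "size": size})
    return entries


def cluster_offset(bpb, cluster: int) -> int:
    """Byte offset of a data cluster; data-area cluster numbering starts at 2."""
    return bpb["data_offset"] + (cluster - 2) * bpb["cluster_size"]


def recover_contiguous(image: bytes, bpb, entry) -> bytes:
    """Recover a file assuming its clusters are contiguous.

    The FAT chain is cleared on delete, so only first cluster and size remain.
    Exact for single-cluster and unfragmented files; for a fragmented file it
    returns the right number of bytes but the wrong ones, hence the MD5 check.
    """
    start = cluster_offset(bpb, entry["first_cluster"])
    return image[start:start + entry["size"]]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _entry(name: bytes, attr: int, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    e = bytearray(32)
    e[0:11] = name
    if deleted:
        e[0] = 0xE5
    e[11] = attr
    struct.pack_into("<H", e, 26, first_cluster)
    struct.pack_into("<I", e, 28, size)
    return bytes(e)


def build_sample_image():
    """Constructed 16-sector FAT12 layout (not the exam image): one reserved sector,
    two one-sector FATs, a one-sector root directory (16 entries), data from sector 4."""
    bps, spc, reserved, fats, spf, root_entries = 512, 1, 1, 2, 1, 16
    img = bytearray(16 * bps)
    img[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHBHHBH", img, 11, bps, spc, reserved, fats, root_entries, 16, 0xF8, spf)
    img[510:512] = b"\x55\xAA"
    sing = bytes(range(256)) + b"single-cluster file"     # 275 bytes, fits in cluster 2
    mult = b"two-cluster file, contiguous " * 25           # 725 bytes, clusters 3 and 4
    root = (_entry(b"SING    DAT", 0x20, 2, len(sing))
            + _entry(b"MULT1   DAT", 0x20, 3, len(mult), deleted=True)
            + _entry(b"DIR1       ", 0x10, 5, 0, deleted=True))
    root_off = (reserved + fats * spf) * bps
    img[root_off:root_off + len(root)] = root
    data_off = root_off + root_entries * 32
    img[data_off:data_off + len(sing)] = sing
    img[data_off + bps:data_off + bps + len(mult)] = mult
    return bytes(img), {"SING.DAT": sing, "_ULT1.DAT": mult}


if __name__ == "__main__":
    image, originals = build_sample_image()
    bpb = parse_bpb(image)
    root = image[bpb["root_dir_offset"]:bpb["root_dir_offset"] + bpb["root_dir_bytes"]]
    for ent in parse_dir(root):
        state = "deleted  " if ent["deleted"] else "allocated"
        line = f"{state} {ent['name']:<10} cluster {ent['first_cluster']} size {ent['size']}"
        if not ent["is_dir"]:
            data = recover_contiguous(image, bpb, ent)
            line += f"  md5 {md5_hex(data)}  ok={md5_hex(data) == md5_hex(originals[ent['name']])}"
        print(line)
```

For the exam's frag1.dat and frag2.dat this contiguous recovery is exactly what fails: the tool will return a file of the right length whose MD5 does not match, unless it uses additional heuristics (skipping clusters that are allocated to other files) to guess the original chain.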

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 6

This test image is a 6MB NTFS file system with eight deleted files, two deleted directories, and a deleted alternate data stream. The files range from resident files (content stored inside the MFT entry) through single-cluster files to files stored in multiple fragments. No data structures were modified to thwart recovery. The files were created in Windows XP, deleted in XP, and the partition was imaged in Linux.

Download the test image. It is a 'raw' partition image (i.e. a 'dd' image) of an NTFS file system. The file system is 6MB and is compressed to 186 KB (it is mostly zeros). The MD5 of the image is e7dbb96759d9cd62b729463ebfe61dab.

Answer the questions: 

1.  Can you see any of the deleted file names?  Which ones?

2.  Can you recover the res1.dat file?  Does it have the correct MD5?

3.  Can you recover the sing1.dat file?  Does it have the correct MD5?

4.  Can you recover the dir3\sing2.dat file?  Does it have the correct MD5?

5.  Can you recover the mult1.dat file?  Does it have the correct MD5?

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 8

This test image is an NTFS file system with 10 JPEG pictures in it. The pictures include files with incorrect extensions, pictures embedded in zip and Word files, and pictures stored in alternate data streams. The goal of this test image is to test the capabilities of automated tools that search for JPEG images.

Download the test image. It is a 'raw' partition image (i.e. a 'dd' image) of an NTFS file system. The file system is 10MB and is compressed to 2 MB. The MD5 of the image is 9bdb9c76b80e90d155806a1fc7846db5.

Answer the following Questions:

1.  What search procedure(s) were used to obtain the following results?

The questions below apply to the results of running an automated search tool for JPEG pictures. If more than one procedure was used to find the images (for example, matching on the file extension versus matching on the file's JPEG signature), note which procedure found each image. Note that this image was not designed to test data carving tools.

2. Did the search results include the alloc\file1.jpg picture?  

3. Did the search results include the alloc\file2.dat picture?  If not, is it documented that JPEGs are found using only the file extension?

4. Did the search results include the invalid\file3.jpg file?

5. Did the search results include the invalid\file4.jpg file?

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 10

This test image is an NTFS file system with 10 JPEG pictures in it. The pictures include files with incorrect extensions, pictures embedded in zip and Word files, and pictures stored in alternate data streams. The goal of this test image is to test the capabilities of automated tools that search for JPEG images.

Download the test image. It is a 'raw' partition image (i.e. a 'dd' image) of an NTFS file system. The file system is 10MB and is compressed to 2 MB. The MD5 of the image is 9bdb9c76b80e90d155806a1fc7846db5.

Answer the following Questions:

1.  What search procedure(s) were used to obtain the following results?

The questions below apply to the results of running an automated search tool for JPEG pictures. If more than one procedure was used to find the images (for example, matching on the file extension versus matching on the file's JPEG signature), note which procedure found each image. Note that this image was not designed to test data carving tools.

2. Did the search results include the picture inside of archive\file9.boo?  If not, is it documented that stand-alone JPEG files will be found but JPEG images embedded inside other file types will not?

3. Did the search results include the picture inside of archive\file10.tar.gz?  If not, is it documented that stand-alone JPEG files will be found but JPEG images embedded inside other file types will not?

4. Did the search results include the misc\file11.dat file?  If not, is it documented that stand-alone JPEG files will be found but JPEG images embedded inside other file types will not?

5. Did the search results include the misc\file12.doc file?  If not, is it documented that stand-alone JPEG files will be found but JPEG images embedded inside other file types will not?
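An added example, serving Question 8 and Question 10 together (it is not part of the exam and not the code of any tool under test), of the three search procedures these questions distinguish: matching on the file extension, matching on the JPEG signature (the FF D8 FF start-of-image bytes) regardless of name, and looking inside containers such as zip and tar.gz archives. The sample file set is constructed in memory with made-up names that mirror the categories the image contains (correct extension, wrong extension, JPEG name with non-JPEG content, zip, tar.gz, alternate data stream written host:stream); the "JPEG" is a bare header, enough for a signature check but not a displayable picture.

```python
import io
import tarfile
import zipfile

JPEG_SOI = b"\xFF\xD8\xFF"          # Start Of Image marker plus the first segment's marker byte
JPEG_EXTENSIONS = {".jpg", ".jpeg"}


def has_jpeg_extension(name: str) -> bool:
    """Extension-only procedure: trusts the name, so a .dat JPEG is missed and a
    renamed text file with a .jpg name is reported."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in JPEG_EXTENSIONS


def has_jpeg_signature(data: bytes) -> bool:
    """Signature procedure: checks the header bytes rather than the name."""
    return data[:3] == JPEG_SOI


def jpegs_in_container(name: str, data: bytes):
    """Names of JPEG members (by signature) inside a zip or tar.gz; [] for anything else."""
    found = []
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if has_jpeg_signature(zf.read(info)):
                    found.append(f"{name}:{info.filename}")
        return found
    buf.seek(0)
    try:
        with tarfile.open(fileobj=buf, mode="r:gz") as tf:
            for member in tf.getmembers():
                if member.isfile() and has_jpeg_signature(tf.extractfile(member).read()):
                    found.append(f"{name}:{member.name}")
    except tarfile.ReadError:   # not a gzip-compressed tar
        pass
    return found


def search(files, by_extension=True, by_signature=False, inside_containers=False):
    """Emulate an automated JPEG search with selectable procedures.

    `files` maps a path to its content; an NTFS alternate data stream appears
    as host:stream, and is only visible at all if the tool enumerates streams.
    Returns {path: [procedures that found it]}.
    """
    hits = {}
    for name, data in files.items():
        procs = []
        if by_extension and has_jpeg_extension(name):
            procs.append("extension")
        if by_signature and has_jpeg_signature(data):
            procs.append("signature")
        if procs:
            hits[name] = procs
        if inside_containers:
            for inner in jpegs_in_container(name, data):
                hits[inner] = ["container"]
    return hits


def build_sample_files():
    """Constructed sample set (not the exam image)."""
    jpeg = JPEG_SOI + b"\xE0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xFF\xD9"
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("inner.jpg", jpeg)
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w:gz") as tf:
        info = tarfile.TarInfo("photo.jpg")
        info.size = len(jpeg)
        tf.addfile(info, io.BytesIO(jpeg))
    return {
        "pics/a.jpg": jpeg,               # correct extension and content
        "pics/b.dat": jpeg,               # JPEG content behind a wrong extension
        "bad/c.jpg": b"not a picture",    # JPEG name, non-JPEG content
        "arc/d.zip": zbuf.getvalue(),     # JPEG inside a zip
        "arc/e.tar.gz": tbuf.getvalue(),  # JPEG inside a tar.gz
        "ads/f.dll:here": jpeg,           # JPEG in an alternate data stream
    }


if __name__ == "__main__":
    files = build_sample_files()
    print("extension only:", sorted(search(files)))
    print("signature only:", sorted(search(files, by_extension=False, by_signature=True)))
    print("all procedures:", search(files, by_signature=True, inside_containers=True))
```

A .docx is itself a zip, so the container procedure above would find pictures inside one; a legacy binary .doc (the OLE compound format the exam's Word file most likely uses) is not, and needs an OLE parser or a raw signature scan of the file body, which is data carving and outside what these questions test.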

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 12

Download the test image. It is a 'raw' partition image (i.e. a 'dd' image) of a FAT file system. The file system is 10MB and is compressed to 120 KB. The MD5 of the image is aa834dca822918de45792f4e115516b9.

Answer the following Questions:

1.  In the file browsing mode of the tool, is the "dir1/FILE2.DLL" entry shown?  Can you view its contents?  What is its MD5?

2.  If a keyword search is conducted for the ASCII string "over here", is it found?  At what sector/cluster address is it located? Does the tool report which file it is allocated to?

3.  Does the tool have a method of identifying all graphic files regardless of their extension? If so, does it find the "dir1/FILE2.DLL" file?

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Question 16

Open “Wireshark”, then use the “File” menu and the “Open” command to open the file “Exercise Two.pcap”. You should see 176 packets listed.

a) In the first few packets, the client machine is looking up the canonical name (CNAME) of a web site to find its IP address. What is the CNAME of this web site? Give two IP addresses for this web site.

b) How many packets/frames does it take to receive the web page (count only the response to the first HTTP GET request)?

c) Does this web site use gzip to compress the data it sends? Does it set cookies? To answer these questions, look at the payload of the reassembled packet that represents the web page; this will be the last packet from question b above. Check whether its HTTP headers include “Content-Encoding: gzip” and whether a “Set-Cookie” header is present.

d) What is happening in packets 26 and 27? Does every component of a web page have to come from the same server? See the Hint to the left.

e) In packet 37 we see another DNS query, this time for us.i1.yimg.com. Why does the client need to ask for this IP address? Didn’t we just get this address in packet 26? (This is a trick question; carefully compare the two names in packets 26 and 37.)


-----------------------------------------------------------------------------------------------------------------------------------------------------------

Question 18

In this question you will capture live traffic from your own computer. Open Wireshark and use the “Capture” menu to start a live capture. Start capturing, visit a live web site with your usual browser, and then stop the capture.

If there is a large amount of network traffic, the relevant data may be hidden among many broadcast messages. To focus on just the key frames, you can set a display filter like this.

For the IP address, enter the IP address of your client machine, typed as shown in the graphic above (ip.addr==your.ip.address). Then click “Apply”.

Describe the set of frames you captured.

a) What is the IP address of the client that initiates the conversation?

b) Use the first two packets to identify the server that is going to be contacted. List its canonical name (CNAME) and three IP addresses that can be used for the server.


-------------------------------------------------------------------------------------------------------------------------------------------------------------