Digital Forensics is an incredibly important part of criminal investigations. Crimes leave all kinds of digital footprints: web searches, GPS location, downloaded apps, and files can be crucial to the investigation whether they are found on a laptop, tablet, phone, or any other device.
Have you ever deleted a file and wished you could have it back? We will teach you how you can recover deleted files--yes, even if they are deleted from the Trash or Recycle Bin. Today, we will be using a real Digital Forensics tool called The Sleuth Kit. We'll abbreviate it as TSK to make things easier.
Follow the directions to recover and analyze deleted files. Keep track of your answers to the questions throughout the lab.
Insert the USB flash drive. The flash drive will seem empty, but you will soon discover if any files have been deleted.
Open Win32DiskImager. This is a free program for making images (exact copies) of flash drives onto your computer. Win32DiskImager is already installed on your laptop.
In Win32DiskImager, select the Device. The device is the drive letter that your laptop has assigned to the flash drive, probably the one labeled D:\. It may already be selected automatically.
In Win32DiskImager, type the name of the Image File. You can name this whatever you want. Flashdrive is a fine file name. After you type the file name, hit Enter.
In Win32DiskImager, select Read to create the new Image File from the flash drive. This will take a few seconds. By default, the Image File will be stored in your Downloads folder. Downloads is the best place to store it for this lab.
The Sleuth Kit (TSK) is a powerful digital forensics tool that runs using a command line interface with only text input and output. This means that TSK will not have a Graphical User Interface (GUI), so no pictures, buttons, or visuals of any kind. We have already installed this for you, but you can install it on your own computer at home after camp. Reach out to the instructors as installation can be a little tricky!
Before you can use TSK, you will need to open Command Prompt in Windows. This is a text-only environment and will be the program that you use to "run" the TSK commands.
To open Command Prompt:
Open the Start menu in Windows by hitting the Windows key.
Type cmd to filter results. This is the name of the application and will immediately find the Command Prompt app.
Hit Enter to select Command Prompt.
The Command Prompt is just another way to access the information on the computer without opening other apps or using a graphics interface. You will also be located within a specific folder, or directory, when using the Command Prompt. By default, you will start in C:\Users\GenCyber. This means you are in the GenCyber folder located in the Users folder that is on the hard drive labeled C:. The slash \ between each item just indicates a new folder.
To help orient yourself in Command Prompt, let's type in a command. Type the following in Command Prompt, then hit Enter:
dir
Note: dir is short for directory; this lists all the contents of your current directory, or folder.
Entering this command gives you information about what is currently located in the C:\Users\GenCyber folder. You may recognize some folders such as Desktop, Documents, Music, and Downloads.
Notice that the Command Prompt is ready for a new command. This is the pattern: you enter a command, it runs, and the prompt waits for the next one. Next, move to the Downloads folder by typing the following in Command Prompt, then hitting Enter:
cd Downloads
Note: cd is short for change directory; you specify the new directory by typing a space and then the name of the directory. This is case sensitive.
Notice that the line at the start of the prompt, called the path, has now changed to C:\Users\GenCyber\Downloads.
Now, use the dir command again and verify that the image file of the flash drive you created is shown in the Downloads folder.
Next, we will begin using commands from The Sleuth Kit (TSK) through the Command Prompt. In the commands below, replace the word FILENAME with the name of the image file you created. Type the following line in the command prompt:
certutil -hashfile FILENAME
This command returns the SHA1 hash value of the image file. When dealing with evidence in digital forensics, it is important to check and compare the file hash. This is compared with the hash of the original evidence drive to ensure no data has been modified since the evidence was taken into custody.
QUESTION 1: What are the first five digits of the SHA1 hash of the image file?
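The integrity check described above, as an added Python example that is not part of this lab's materials: it hashes an image in chunks the way a forensic tool must for large drives, pulls the digest out of a certutil-style transcript (constructed here, not captured from the lab laptop), and shows that changing a single byte of the image breaks the match.

```python
import hashlib
import hmac

# Constructed stand-in for a flash-drive image (not the lab's Flashdrive file).
IMAGE = bytes(range(256)) * 64 + b"deleted poem about the sea"

def image_sha1(data, chunk_size=1 << 20):
    """Hash the image in chunks; real images are gigabytes, never read them whole."""
    h = hashlib.sha1()
    view = memoryview(data)
    for start in range(0, len(view), chunk_size):
        h.update(view[start:start + chunk_size])
    return h.hexdigest()

def hash_from_certutil(output):
    """Pull the hex digest out of 'certutil -hashfile' output.

    Older Windows builds print the bytes separated by spaces and in upper
    case; the first line that is nothing but 40 hex digits (after removing
    spaces) is the SHA1 digest."""
    for line in output.splitlines():
        candidate = line.replace(" ", "").strip().lower()
        if len(candidate) == 40 and all(c in "0123456789abcdef" for c in candidate):
            return candidate
    raise ValueError("no SHA1 digest found in certutil output")

def verify_image(data, recorded_hash):
    """Compare the image against the hash written in the chain-of-custody record."""
    return hmac.compare_digest(image_sha1(data), recorded_hash.lower())

if __name__ == "__main__":
    # Constructed certutil transcript, in the spaced format older builds emit.
    digest = image_sha1(IMAGE)
    spaced = " ".join(digest[i:i + 2] for i in range(0, 40, 2)).upper()
    transcript = f"SHA1 hash of file Flashdrive.img:\n{spaced}\nCertUtil: -hashfile command completed successfully.\n"
    print("custody record matches:", verify_image(IMAGE, hash_from_certutil(transcript)))
    # Flip one byte: the digest no longer matches, which is exactly what the check is for.
    tampered = IMAGE[:100] + b"\x00" + IMAGE[101:]
    print("tampered image matches:", verify_image(tampered, digest))
```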
Next, you will check some basic information about the image file. Type the following line in the command prompt:
img_stat FILENAME
QUESTION 2: What is the size of the image file?
Finally, check what information is inside the file. When you read an image file directly, you are reading the raw data, which will look like gibberish. Warning: this will output a large amount of data to the command prompt and may crash the app, so you can skip this step if you want to. Type the following line in the command prompt:
img_cat FILENAME
Your command prompt may get stuck. You can try to stop the output with the key combination Ctrl + C. In the worst case, you will just need to open a new Command Prompt.
Next, you will check whether any files or folders can be found on the image. This will also find deleted files. Note that this command only displays the names of files and folders.
Type the following line into the command prompt and hit Enter:
fls FILENAME
This command lists the files and directories in the image, including deleted files.
A line beginning with 'd' is a discovered Directory, or Folder. A line beginning with 'r' is a discovered File.
QUESTION 3: What kind of file types are on the flash drive?
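An added Python example, not part of the lab, that reads fls output (a constructed sample below, not the real flash drive's listing) and counts directories, files, deleted entries and file types. It assumes the standard fls line format, where the first letters give the entry type, a '*' after them marks a deleted entry, and the number before the colon is the metadata address.

```python
import re
from collections import Counter

# Constructed sample of fls output for a FAT image (not the lab drive's real listing).
SAMPLE_FLS = """\
d/d 4:\tMusic
r/r 6:\tREADME.txt
r/r * 9:\tpoem.txt
r/r * 11:\thaiku.txt
-/r * 13:\tnotes.docx
"""

# One fls line: [+ per nesting level] dirtype/metatype [* if deleted] addr[(realloc)]: name
FLS_LINE = re.compile(
    r"^(?P<depth>\+*)\s*(?P<dir_type>[rdlcbpsvw-])/(?P<meta_type>[rdlcbpsvw-])\s+"
    r"(?P<deleted>\*\s+)?(?P<addr>[\d-]+)(\(realloc\))?:\s*(?P<name>.*)$"
)

def parse_fls(text):
    """Turn fls output into dicts; '*' marks a deleted entry, 'd' a directory."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if m:  # lines that are not fls entries are skipped
            entries.append({
                "name": m["name"].strip(),
                "addr": m["addr"],  # metadata address, the handle icat uses
                "is_dir": m["meta_type"] == "d",
                "deleted": m["deleted"] is not None,
                "depth": len(m["depth"]),  # nesting level when fls runs with -r
            })
    return entries

def summarize(entries):
    """Count directories, files and deleted entries."""
    counts = Counter()
    for e in entries:
        counts["directories" if e["is_dir"] else "files"] += 1
        if e["deleted"]:
            counts["deleted"] += 1
    return dict(counts)

def extensions(entries):
    """Count file types by extension, the data behind Question 3."""
    exts = Counter()
    for e in entries:
        if not e["is_dir"]:
            _, dot, ext = e["name"].rpartition(".")
            exts[ext.lower() if dot else "(none)"] += 1
    return dict(exts)
```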
Finally, you can recover any deleted files. Note that this command needs one more argument: after FILENAME, add a space and then the location where you want to store the recovered data. Since we are using Command Prompt and working in the Downloads folder, that location is under C:\Users\GenCyber\Downloads; the command below names the output folder files, which tsk_recover creates inside your current directory, Downloads. Type the following line into the command prompt and hit Enter:
tsk_recover FILENAME files
QUESTION 4: How many files were recovered?
Next, you will analyze the files and answer questions about them. Leave the Command Prompt and open File Explorer, then navigate to your Downloads folder. All your recovered files should be there (unless you saved them elsewhere). Use the recovered files to answer the next set of questions.
QUESTION 5: What is the poem and haiku about?
QUESTION 6: Describe the sounds that play in each of the audio files.
QUESTION 7: What kind of information is in the Word document?