Computer Forensic Methodologies: Autopsy and WinHex

Added on  2023/06/04

Running head: COMPUTER FORENSIC METHODOLOGIES
Computer forensic methodologies
Name of the Student
Name of the University
Author's note

Table of Contents
Section 1.....................................................................................................................................3
Autopsy......................................................................................................................3
WinHex.......................................................................................................................4
Section 2.....................................................................................................................................5
Question 1..................................................................................................................5
Question 2..................................................................................................................5
Question 3..................................................................................................................5
Question 4..................................................................................................................6
Question 5..................................................................................................................7
Question 6..................................................................................................................7
Question 7..................................................................................................................8
Question 8..................................................................................................................8
Question 9..................................................................................................................9
Question 10..............................................................................................................10
Question 11..............................................................................................................11
Question 12..............................................................................................................12
Question 13..............................................................................................................12
Question 14..............................................................................................................13
Question 15..............................................................................................................13
Question 16..............................................................................................................14
Question 17..............................................................................................................14
Question 18..............................................................................................................15
Question 19..............................................................................................................15
Question 20..............................................................................................................15
Bibliography.............................................................................................................................16
Section 1
Autopsy
Autopsy is a cross-platform digital forensic tool that runs on Linux, OS X and Windows. This
open-source tool supports the Ext2/3/4, NTFS, FAT, UFS and HFS/HFS+ file systems. The features
that make it an exceptional tool for examiners are listed below:
Web-based artefacts such as browser history, cookies, bookmarks and downloads from different
browsers (Chrome, Firefox, Safari and IE) can be examined.
Autopsy's text indexing engine (Apache Solr) makes keyword searching across an evidence disk
image possible. Pre-defined lists of regular expressions and keywords are run over the complete
disk image at the time it is ingested into Autopsy. The regular expressions Autopsy searches for
while an image is ingested cover phone numbers, email addresses, IP addresses and Uniform
Resource Locators (URLs).
For user support the vendor provides a wiki page with a brief overview of the product, a forum
with users' questions and answers about the product, and a blog with information about the latest
releases and their features.
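As an added illustration of the ingest-time regular-expression search described above, the following is example code written for this page, not Autopsy's own implementation; the four patterns are simplified stand-ins (an assumption) for the artefact classes Autopsy looks for, and the byte buffer is constructed, not taken from the report's disk image. Because Windows artefacts hold strings both as 8-bit text and as UTF-16LE, the scan runs in both encodings and reports byte offsets:

```python
import re

# Our own simplified stand-ins (assumption) for the artefact classes Autopsy's
# keyword-search ingest module looks for; they are not Autopsy's expressions.
PATTERNS = {
    "phone": re.compile(r"(?<!\d)\d{3}[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"),
    "ip": re.compile(r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
}


def scan_image(data: bytes) -> dict:
    """Return {kind: sorted [(byte_offset, hit), ...]} for every pattern."""
    hits = {kind: set() for kind in PATTERNS}
    # 8-bit pass: latin-1 maps every byte to exactly one character, so
    # character offsets equal byte offsets.
    text8 = data.decode("latin-1")
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text8):
            hits[kind].add((m.start(), m.group()))
    # UTF-16LE pass at both byte alignments; char offset * 2 = byte offset.
    for align in (0, 1):
        chunk = data[align:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        text16 = chunk.decode("utf-16-le", errors="replace")
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text16):
                hits[kind].add((align + 2 * m.start(), m.group()))
    return {kind: sorted(found) for kind, found in hits.items()}


# Constructed sample "image": 8-bit text, then a UTF-16LE string, with some
# binary filler. Not taken from the report's Dell disk image.
SAMPLE_IMAGE = (
    b"\x00\x00From: mr.evil@example.com\r\nCall 555-123-4567 tomorrow\r\n"
    + b"\xff\xfe\x00\x00"
    + "http://www.majorgeeks.com/download 192.168.1.111".encode("utf-16-le")
    + b"\x00\x00 bogus 999.1.1.1 and 1.2.3.4.5 end"
)

if __name__ == "__main__":
    for kind, found in scan_image(SAMPLE_IMAGE).items():
        print(kind, found)
```

The malformed "999.1.1.1" and "1.2.3.4.5" in the filler are deliberately left unmatched, which is the kind of false positive a naive dotted-quad pattern would report.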
Start screen of Autopsy.
Following is a screenshot of the emails recovered from one of the provided disk images using
the Autopsy tool.
WinHex
WinHex is another digital forensic tool, used mainly as a disk/hex editor with the goal of
recovering data from a digital evidence disk image. According to the official site the tool is
only compatible with the Windows operating system.
WinHex can recover data from Ext2/3/4, FAT12/16/32, exFAT, Next3®, CDFS, NTFS and ReiserFS file
systems. The tool can split and concatenate data files and combine odd and even bytes. It also
assists with disk cloning (using X-Ways Replica) so that the data can be analysed without
affecting the actual evidence.

The vendors of WinHex also provide information on different issues related to the application
on their user forum.
Section 2
Question 1
The checksum values of the image are:
MD5 hash: 2a6bc388f30572fa2d52f03d0905
SHA-1 hash: 455318f9dfe13add1dbc334edd7b31c87b8185b9
Question 2
From the investigation of the provided Dell disk image using ProDiscover Basic it was found that
the operating system is Windows XP. The product ID of the installed OS is 55274-640-0147306-23486.
The version of the installed operating system is 5.1 (build number 2600). Following is a
screenshot showing the registry key from which this information was collected.
Question 3
The operating system was installed on 20th August 2004.
Question 4
Through the investigation of the given image it was found that the owner of the computer is
Greg Schardt.
The last recorded shutdown time for the given system is 08/26/2004 at 9:16:28 PM. To find this
shutdown time we used the Event Log View option of ProDiscover Basic. In the event log, the last
event with Event ID 6006 was searched for, as it records the last shutdown time of a system
running Windows XP.
Question 5
The user who used the system most of the time after the operating system was installed is
Mr. Evil.
Question 6
The time zone of the given disk image is set to Central Standard Time, which represents the
central time zone of the USA and Canada. The screenshot from ProDiscover is given below:

Question 7
The computer name recovered from the disk image is N-1A9ODN6ZXK4LQ; the accompanying
screenshot is from the ProDiscover Basic tool.
Question 8
The user accounts other than the administrator and the other network accounts are listed
below:
Help Assistant,
Mr. Evil,
and support_388945a0.
Following is a screenshot of the registry key from which this information was collected.
Question 9
The software installed on the system of the given disk image is listed below:
Forte Agent;
Cain & Abel v2.5 beta;
CuteFTP;
Network Stumbler;
WinPcap 3.01alpha;
FaberToys published by FaberBox;
CuteHTML;
Anonymizer Bar 2.0;
Ethereal 0.10.6;
123 Write All Stored Passwords;
Look@Lan_1.0;
mIRC.
The screenshot of the ProDiscover Basic dashboard for this investigation is given below:
Question 10
The last user who logged in to the system is Mr. Evil.

Question 11
The last shutdown time for the given disk image is Thu, 26 August 2004. Following is the
screenshot of the dashboard for this investigation.
As can be seen in the screenshot, the time is stored in hexadecimal, so we used an online tool
to decode the value, which resulted in 26th August 2004.
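The decoding that was done with an online tool can also be done locally, and doing so keeps evidence data off third-party sites. Windows XP stores the ShutdownTime value under HKLM\SYSTEM\ControlSet00x\Control\Windows as an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC). The code below is an added example, not from the report or ProDiscover; the sample bytes are constructed to decode to 26 August 2004 and are not the report's actual registry data, and the fixed UTC-5 offset for Central time in August is an assumption.

```python
from datetime import datetime, timedelta, timezone
import struct

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC and
# is stored little-endian in the registry (REG_BINARY, 8 bytes).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_filetime(raw: bytes) -> datetime:
    """Turn the 8 little-endian bytes of a Windows FILETIME into a UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    # timedelta resolves to microseconds, so the 100 ns digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_hex_dump(dump: str) -> bytes:
    """Accept the space-separated hex a registry viewer shows, e.g. '00 de 43 f3 b1 8b c4 01'."""
    return bytes.fromhex(dump.replace(" ", ""))


def to_local(dt: datetime, utc_offset_hours: int) -> datetime:
    """Shift a UTC timestamp into the examined machine's zone (fixed offset; assumption)."""
    return dt.astimezone(timezone(timedelta(hours=utc_offset_hours)))


# Constructed sample: ShutdownTime bytes as a registry viewer would display them.
# NOT the report's real data; built so that it decodes to 2004-08-26 21:16:28 UTC.
SAMPLE_SHUTDOWN_TIME = "00 de 43 f3 b1 8b c4 01"

if __name__ == "__main__":
    utc = decode_filetime(parse_hex_dump(SAMPLE_SHUTDOWN_TIME))
    print("ShutdownTime (UTC):", utc.strftime("%a, %d %B %Y %H:%M:%S"))
    # Central Daylight Time (UTC-5) is in force in August; -6 would be CST.
    print("ShutdownTime (CDT):", to_local(utc, -5).isoformat())
```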
Question 12
The DHCP IP assigned to the system is 255.255.0.0.
In the investigation it was found that the EnableDeadGWDetect parameter is set to 1 (i.e. true).
A true value means that TCP uses dead gateway detection. With this feature the system can switch
to a backup gateway when the existing gateway is dead or not responding to requests. This is
very useful when a port or application retransmits a data request numerous times without
receiving any response.
Question 13
Internet Explorer and MSN Explorer are the two web browsers used by the suspect on the
system.
Question 14
The registry location of the web browser history data is:
HKEY_USER-> CURRENT USER->SOFTWARE->MICROSOFT->MICROSOFT->INTERNET EXPLORER->TYPED URLS.
Question 15
Following is the list of sites visited by the suspect:
www.4.12.220.25/temp
www.yahoo.com
www.drudgereport.com/
www.majorgeeks.com
www.ethereal.com
www.wardriving.com
The screenshot of the ProDiscover tool is given below:

Question 16
The last DHCP address allocated to the system is:
192.168.1.111
Question 17
Outlook was the email communication tool used by the suspect, as found in the investigation of
the Dell laptop disk image.
Question 18
After analysis of the different software installed on the seized laptop disk it was found that
the following applications can be used for hacking activities:
Anonymizer Bar 2.0: this application helps make a user untraceable on the internet, so it
becomes very difficult to identify the user who carried out any hacking activity;
Cain & Abel v2.5 beta: this is a password recovery tool that can crack encrypted passwords using
a dictionary. In addition, it uses cryptanalysis attacks, brute force, decoding of scrambled
passwords and recovery of cached passwords from the system.
Ethereal 0.10.6: this is a network traffic sniffing tool that helps attackers carry out
phishing, man-in-the-middle and keylogging attacks on a network in order to reach a specific
system or server and obtain sensitive data.
Network Stumbler is another hacking tool that can be used to detect unauthorized ("rogue")
access points inside a network in order to reach a system inside that network.
Question 19
mIRC is used as the IRC (Internet Relay Chat) service on the seized system. The application is
built on a client-server architecture. It is considered a very robust and flexible IRC service
that allows conversation between hundreds of clients at a given instant.
Question 20
While investigating the given disk image of the Dell laptop, two files with the extension .MAP
were found in the recycle bin. With some research it was found that these files are debugging
maps which were deleted by the user.