Forensics Lab Experiment: Task1 - Recovering Jpeg File
Lab experiment

Task1_Recovering jpeg file

In this experiment you are going to use a BackTrack tool called recoverjpeg to recover deleted JPEG files from a USB stick. recoverjpeg is a file carver: it reads the raw device and looks for the byte patterns that mark the start and end of a JPEG image, so it does not depend on the filesystem's directory entries and still works when those entries have been deleted or the stick has been formatted.

Under Applications choose:
o BackTrack → Forensics → Forensics Carving Tools → recoverjpeg

Now you need to create a directory to store the recovered files in. For this experiment we are going to create a directory named JPEG (or any name you prefer) on the Desktop.

Change your directory to Desktop:
o root@bt:~# cd Desktop
Make a new directory:
o root@bt:~/Desktop# mkdir JPEG
Change your directory to JPEG:
o root@bt:~/Desktop# cd JPEG
o root@bt:~/Desktop/JPEG#

Run the recoverjpeg command from inside this directory so that the extracted files are written into JPEG. Before issuing the command you need to know the device path of your USB stick. To find it, list the partition tables with fdisk:
o root@bt:~/Desktop/JPEG# fdisk -l

Identify the USB stick in the output by its size and partition type. The device name depends on what else is attached, so confirm it before carving: pointing the tool at the wrong device would carve your system disk instead. In this lab the stick is assumed to appear as /dev/sdb1. Then run recoverjpeg on that partition:
o root@bt:~/Desktop/JPEG# recoverjpeg /dev/sdb1

It might take some time to recover all the files. Because the tool works on the raw device rather than on the filesystem, you might also be able to retrieve files from a formatted USB stick. Open the JPEG directory and check the recovered files.

This tool is only capable of recovering .jpg files; it does not recover other image formats such as .png, because it searches only for JPEG markers.

Save the files and attach them to your report.
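To make clear what recoverjpeg is doing when it runs against /dev/sdb1, here is an added example (not recoverjpeg's own source) of signature-based JPEG carving in Python. It scans a raw byte image for the Start-Of-Image marker FF D8 FF, walks the JPEG marker segments to the End-Of-Image marker FF D9, and copies out what lies between; no directory entries are consulted, which is why deleted and formatted files come back and why a PNG sitting next to a JPEG is ignored. The sample image, the two minimal JPEGs inside it and the junk around them are constructed inline for the demonstration; the stray FF D8 FF bytes show how a false positive is rejected.

```python
"""Signature-based JPEG carving, the technique recoverjpeg relies on.

Added illustration, not recoverjpeg's source. A raw byte image (a partition
such as /dev/sdb1, or a dd copy of it) is scanned for the Start-Of-Image
marker FF D8 FF; the marker segments are then walked until End-Of-Image
FF D9. The sample data at the bottom is constructed, not from a real device.
"""
import struct
import sys

SOI = b"\xff\xd8\xff"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _skip_scan(image, pos):
    """Skip entropy-coded data after SOS. FF 00 is byte stuffing and
    FF D0..D7 are restart markers; any other FF xx is a real marker."""
    n = len(image)
    while pos + 1 < n:
        if image[pos] == 0xFF:
            nxt = image[pos + 1]
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos += 2
                continue
            return pos
        pos += 1
    return None


def _walk_segments(image, start):
    """Follow the marker segments of a JPEG whose SOI is at `start`.
    Returns the offset just past EOI, or None when the structure breaks
    (a false-positive FF D8 FF in unrelated data, or a truncated image)."""
    pos, n = start + 2, len(image)
    while pos + 2 <= n:
        if image[pos] != 0xFF:
            return None
        marker = image[pos + 1]
        if marker == 0xD9:                            # EOI: image complete
            return pos + 2
        if marker == 0xFF:                            # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack_from(">H", image, pos + 2)[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                            # SOS: scan data follows
            pos = _skip_scan(image, pos)
            if pos is None:
                return None
    return None


def carve_jpegs(image):
    """Return [(offset, jpeg_bytes), ...] for every complete JPEG in image."""
    found, pos = [], 0
    while (start := image.find(SOI, pos)) != -1:
        end = _walk_segments(image, start)
        if end is None:
            pos = start + 1          # not a real JPEG; keep searching
            continue
        found.append((start, image[start:end]))
        pos = end
    return found


# --- constructed sample data (not from a real device) ---------------------
def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def make_minimal_jpeg(scan_data):
    """Structurally valid JPEG marker sequence (APP0, DQT, SOF0, DHT, SOS) around scan_data."""
    return (b"\xff\xd8"
            + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(0xDB, b"\x00" + bytes(64))
            + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
            + _segment(0xC4, b"\x00" + bytes(16))
            + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + scan_data
            + b"\xff\xd9")


JPEG_A = make_minimal_jpeg(b"\x10\x20\xff\x00\x30\xff\xd0\x40")  # stuffed FF 00 and an RST marker inside
JPEG_B = make_minimal_jpeg(b"\x55" * 40)
SAMPLE_IMAGE = (bytes(512)                        # unallocated space
                + JPEG_A
                + b"slack " * 20
                + PNG_SIG + bytes(100)            # a PNG: not carved
                + b"\xff\xd8\xff\x00\x00\x00"     # stray SOI-looking bytes: rejected
                + bytes(64)
                + JPEG_B
                + bytes(256))

if __name__ == "__main__":
    # Usage: python3 carve.py /dev/sdb1 outdir   (reads the whole device into
    # memory, acceptable for a lab USB stick but not for a large disk)
    with open(sys.argv[1], "rb") as dev:
        raw = dev.read()
    for i, (off, data) in enumerate(carve_jpegs(raw)):
        name = f"{sys.argv[2]}/image{i:05d}.jpg"
        with open(name, "wb") as out:
            out.write(data)
        print(f"{name}: {len(data)} bytes at offset {off}")
```

Run on the constructed image, both JPEGs are returned with their byte offsets, the PNG and the stray marker bytes are skipped, and a JPEG cut off before its EOI is not returned at all, which is the behaviour to expect from a carver on a partially overwritten stick.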
Task2_Hashdeep

In this experiment you are going to use a BackTrack tool called hashdeep to compare the hash values of a text file before and after altering it. A cryptographic hash changes completely when even a single byte of the input changes, which is how an examiner shows that a file has, or has not, been modified.

Run hashdeep from Applications → BackTrack → Forensics → Forensic Hashing Tools → hashdeep

Create a text file on the Desktop called test.txt, type something in it and save it.

Create a hash file from test.txt and save it in a file called HASHES1.txt. To do this, issue the command below in the hashdeep terminal (by default hashdeep records the file size, MD5 and SHA-256 for each file; -e prints an estimate of the time remaining):
o root@bt:~# hashdeep -e /root/Desktop/test.txt > /root/Desktop/HASHES1.txt

If you open HASHES1.txt you can see the hash values that were created.

Now open test.txt and change some words or letters in it. Create a hash again and store it in HASHES2.txt:
o root@bt:~# hashdeep -e /root/Desktop/test.txt > /root/Desktop/HASHES2.txt

Compare the values in HASHES1.txt and HASHES2.txt. Are they the same? Note that the file size in the first column can stay identical if you only replaced letters rather than adding or removing text; only the hashes reveal the change.

Save the hash files and test.txt, before and after altering, for your report.
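As an added example (not hashdeep itself), the following Python reproduces the comparison you perform by eye between HASHES1.txt and HASHES2.txt. It writes records in hashdeep's default output layout (a "%%%% size,md5,sha256,filename" header followed by one line per file), parses two such outputs and classifies each file as unchanged, changed, new or missing. The test.txt contents before and after the edit are constructed inline; the edit changes a single letter so that the size column is identical and only the hashes differ.

```python
"""Record and compare file hashes in hashdeep's output format.

Added illustration, not hashdeep itself. The before/after contents of
test.txt below are constructed for the demonstration.
"""
import hashlib

HEADER = ["%%%% HASHDEEP-1.0", "%%%% size,md5,sha256,filename"]


def hashdeep_record(data, name):
    """One output line: size, MD5, SHA-256, filename (filename last, so commas in names are safe)."""
    return f"{len(data)},{hashlib.md5(data).hexdigest()},{hashlib.sha256(data).hexdigest()},{name}"


def hashdeep_output(records):
    """Join records under the hashdeep header, as redirected into HASHES1.txt."""
    return "\n".join(HEADER + list(records)) + "\n"


def parse_hashdeep(text):
    """Map filename -> (size, md5, sha256); header and '##' comment lines are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith(("%%%%", "##")):
            continue
        size, md5, sha256, name = line.split(",", 3)
        entries[name] = (int(size), md5, sha256)
    return entries


def compare_hash_sets(before_text, after_text):
    """Classify each file: unchanged, changed, changed (same size), new or missing."""
    before, after = parse_hashdeep(before_text), parse_hashdeep(after_text)
    verdict = {}
    for name in sorted(before.keys() | after.keys()):
        if name not in after:
            verdict[name] = "missing"
        elif name not in before:
            verdict[name] = "new"
        elif before[name] == after[name]:
            verdict[name] = "unchanged"
        elif before[name][0] == after[name][0]:
            verdict[name] = "changed (same size)"   # a size check alone would miss this
        else:
            verdict[name] = "changed"
    return verdict


# constructed contents of /root/Desktop/test.txt before and after the edit
ORIGINAL = b"The quick brown fox jumps over the lazy dog.\n"
ALTERED = b"The quick brown fox jumps over the lazy cog.\n"   # one letter changed, same length
TARGET = "/root/Desktop/test.txt"

HASHES1 = hashdeep_output([hashdeep_record(ORIGINAL, TARGET)])
HASHES2 = hashdeep_output([hashdeep_record(ALTERED, TARGET)])

if __name__ == "__main__":
    print(HASHES1, HASHES2, sep="")
    for name, state in compare_hash_sets(HASHES1, HASHES2).items():
        print(f"{state:20} {name}")
```

The same parser works on real HASHES1.txt and HASHES2.txt files written by hashdeep, since it ignores the header and any "##" comment lines and reads the filename as the last comma-separated field.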
Task3_Missidentify

In this experiment you are going to use a tool in BackTrack called missidentify. This tool searches a Windows hard drive (or, in our case, a USB stick) and lists every Windows executable file on it, even if it has been hidden or renamed, because it recognises executables by their content (the PE header) rather than by the .exe extension.

Run missidentify from: Applications → BackTrack → Forensics → Forensic Analysis Tools → missidentify

Mount the Windows hard drive or USB stick. First find the device path of your hard disk or USB stick:
o root@bt:~# fdisk -l
o e.g. /dev/sdb1

Then mount it. Mounting the USB stick:
o root@bt:~# cd /mnt/
o root@bt:/mnt# mkdir usbflash
o root@bt:/mnt# mount /dev/sdb1 /mnt/usbflash
On real evidence, mount read-only (mount -o ro /dev/sdb1 /mnt/usbflash) so that nothing on the device is altered while you examine it.

Issue the command below to search the mounted filesystem recursively (-r) and save the names of the executables found, with their paths, to a text file called list.txt:
o root@bt:~# missidentify -ralv /mnt/usbflash > /root/Desktop/list.txt

Save list.txt for your report.
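The check missidentify performs on each file is worth seeing in code. The following is an added example in Python (not missidentify's own source): a file is treated as a Windows Portable Executable when it starts with the DOS magic "MZ", the little-endian 32-bit field at offset 0x3C (e_lfanew) points inside the file, and the bytes there read "PE\0\0"; the Machine and Characteristics fields of the header that follows tell EXE from DLL and 32-bit from 64-bit. The directory tree it scans, including a renamed executable, a hidden one, a decoy with only an MZ stub and a plain text file, is constructed in a temporary directory for the demonstration; the mount point name usbflash is taken from the lab.

```python
"""Identify Windows executables by content, the way missidentify does.

Added illustration, not missidentify's source. Names and extensions are
never consulted, so hidden (dot-prefixed) and renamed executables are
listed too. The sample tree at the bottom is constructed; it contains
header-only fake PE images, not real binaries.
"""
import os
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def pe_kind(data):
    """Return e.g. 'EXE (x86)' or 'DLL (x86-64)' for a PE image, None otherwise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # IMAGE_FILE_HEADER follows the signature: Machine is its first field,
    # Characteristics sits at offset 18 within the header.
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    kind = "DLL" if characteristics & IMAGE_FILE_DLL else "EXE"
    return f"{kind} ({MACHINES.get(machine, hex(machine))})"


def is_pe_file(data):
    return pe_kind(data) is not None


def scan_tree(root, header_bytes=65536):
    """Walk root recursively (like missidentify -r) and return a sorted list of
    (path relative to root, kind) for every file whose content is a PE image."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(header_bytes)   # headers live at the front; no need to read it all
            except OSError:
                continue
            kind = pe_kind(head)
            if kind:
                hits.append((os.path.relpath(path, root), kind))
    return sorted(hits)


# --- constructed sample tree (no real binaries involved) ------------------
def make_fake_pe(machine=0x014C, dll=False):
    """Minimal header-only PE image: MZ magic, e_lfanew -> 0x40, PE signature, file header."""
    img = bytearray(0x80)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x44, machine)
    struct.pack_into("<H", img, 0x40 + 22, IMAGE_FILE_DLL if dll else 0x0002)
    return bytes(img)


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="usbflash-")
    os.mkdir(os.path.join(root, "Pictures"))
    samples = {
        "setup.exe": make_fake_pe(),                      # ordinary executable
        "lib.dll": make_fake_pe(0x8664, dll=True),        # 64-bit DLL
        "Pictures/holiday.jpg": make_fake_pe(),           # executable renamed to look like a photo
        ".cache": make_fake_pe(0x01C4),                   # hidden executable
        "decoy.exe": b"MZ" + bytes(0x7E),                 # MZ magic but no PE header
        "notes.txt": b"meeting at 10\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, kind in scan_tree(build_sample_tree()):
        print(f"{kind:16} {rel}")
```

Pointing scan_tree at /mnt/usbflash instead of the sample tree gives the content-based listing that missidentify writes to list.txt; the renamed holiday.jpg and the hidden .cache file are reported, while decoy.exe, which carries the extension but not the PE structure, is not.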
Task6_Recordmydesktop

recordmydesktop is screencasting software which helps you record your work as a video. Run recordmydesktop from:
o Applications → BackTrack → Reporting Tools → Media Capture → recordmydesktop

In the terminal type:
o root@bt:~# recordmydesktop

It starts capturing all your activity. Stop the recording with Ctrl+C; the tool then encodes the captured frames, so wait for it to finish before closing the terminal.

Check your home folder (Places → Home Folder). You will find a file with the .ogv extension (out.ogv by default). This is an Ogg Theora video file that can be played with media players like VLC.