Scribd
Upload
88 views

Forensics Lab Experiment: Task1 - Recovering Jpeg File

This document provides instructions for completing several forensics lab experiments using tools in BackTrack. The experiments include: 1. Using "recoverjpeg" to recover deleted JPEG files from a USB stick and examining the files. 2. Using "hashdeep" to create MD5 hashes of a text file before and after alteration and comparing the hashes. 3. Using "missidentify" to search a hard drive or USB stick and list hidden or renamed executable files. 4. Using "fcrackzip" to crack the password of a zip file using a brute force attack. 5. Instructions are provided for setting up, running, and analyzing the results of each experiment. The goal is to

Uploaded by

Prathamesh Mhatre
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
88 views

Forensics Lab Experiment: Task1 - Recovering Jpeg File

This document provides instructions for completing several forensics lab experiments using tools in BackTrack. The experiments include: 1. Using "recoverjpeg" to recover deleted JPEG files from a USB stick and examining the files. 2. Using "hashdeep" to create MD5 hashes of a text file before and after alteration and comparing the hashes. 3. Using "missidentify" to search a hard drive or USB stick and list hidden or renamed executable files. 4. Using "fcrackzip" to crack the password of a zip file using a brute force attack. 5. Instructions are provided for setting up, running, and analyzing the results of each experiment. The goal is to

Uploaded by

Prathamesh Mhatre
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

Forensics

Lab experiment
Task1_Recovering jpeg file
In this experiment you are going to use a BackTrack tool called recoverjpeg. To recover deleted JPEG files on a USB stick. Under Applications choose: o BackTrackForensicsForensics Carving Toolsrecoverjpeg Now you need to create a directory to store the recovered files in it. For this experiment we are going to create a directory named JPEG (or any name you prefer) on the Desktop. Change your directory to Desktop o root@bt:~#cd Desktop Make a new directory: o root@bt:~/Desktop#mkdir JPEG Change your directory to JPEG o root@bt:~/Desktop#cd JPEG o root@bt:~/Desktop/JPEG# recoverjpeg command to extract the files to JPEG directory. But before issuing this command you need to know the path to your USB stick. To find out use fdisk command: o root@bt:~/Desktop/JPEG#fdisk l From the output find out the path then use recoverjpeg command o root@bt:~/Desktop/JPEG#recoverjpeg /dev/sdb1 It might take sometimes to recover all the files. You also might be able to retrieve the files from formatted USB stick. Open JEPG and check the recovered files. This tool is only capable of recovering .jpg files and not other image formats like .png. Save the files and attach them to your report.

Task2_ create an MD5 of text file alter it and compare


In this experiment you are going to use a BackTrack tool called hashdeep, to compare the hash values before and after altering a text file. Run hasdeep from ApplicationsBackTrackForensicsForensic Hashing Toolshashdeep Create a text file on the Desktop called test.txt type something in this text file and save it Create a hash file from test.txt and save it in a file called HASHES1.txt. To do this issue the command below in hashdeep terminal: o root@bt:~#hashdeep e /root/Desktop/test.txt > /root/Desktop/HASHES1.txt If you open up HASHES.txt you can see the created hash values. Now open test.txt and change some words or letters in it. Create a hash again and store it in HASHES2.txt o root@bt:~#hashdeep e /root/Desktop/test.txt > /root/Desktop/HASHES2.txt Compare the values in HASHES1 and HASHES2. Are they same? Save hash files and test.txt before and after altering for your report.

Task3_ Missidentify
In this experiment you are going to use a tool in BackTrack called missidentify. This tool searches a Windows hard drive (or in our case USB stick) and finds the entire Windows executable files even if they are hidden or renamed and lists them. Run missidentify from: ApplicationsBackTrackForensicsForensic Analysis Toolsmissidentify Mount the Windows hard drive Find the path to your hard disk or USB stick o root@bt:~#fdisk -l o E.G /dev/sdb1 you need to mount the Hard disk or USB stick Mounting USB stick: o root@bt:~#cd /mnt/ o root@bt:~#mkdir usbflash o root@bt:~#mount /dev/sdb1 /mnt/usbflash Issue the command below to save the file name with their path to a text file called list.txt o root@bt:~#missidentify -ralv /mnt/usbflash > /root/Desktop/list.txt Save list.txt for your report.

Task5_ Crack Zip file Password


fcrackzip is a utility used to crack Zip file password protection. There are many Zip crackers out there, however, fcrackzip excels in speed and features, especially the brute force option. First you need to create a password protected zip file 1. Using Windows Explorer, locate the first file you want to zip. 2. Right click on the file and select Send To and Compressed (zipped) Folder. This will create a new compressed folder with the same name as the file, except with the extension .zip. 3. Right click any other file you want to compress and select Copy. Right click on the compressed folder you created in step 2 and select Paste. 4. The copied file was pasted into the compressed folder. 5. Repeat this until your compressed folder contains all the files you want. 6. Right click on the compressed folder and select Explore. 7. In File, select Add a Password. Enter the password and confirm the password (chose 5 character, letters, and lowercase only to make the procedure faster. Eg cisco, admin). Run fcrackzip terminal from: o ApplicationsBackTrackForensicsPassword Forensics Tools fcrackzip Issue the command below to perform a brute force and crack the password: o root@bt:~#fcrackzip -b c a l 5-5 -u your_zip_file.zip

Task6_Rrecordmydesktop
Recordmydesktop is a screen casting software witch helps you record your work in a video format. Run recordmydesktop from: o ApplicationsBackTrackReporting ToolsMedia Capturerecordmydesktop In the terminal type: o root@bt:~#recordmydesktop It starts capturing all your activity. Stop the process by ctl+c Check home folder (placesHome Folder) You can find a file with .gov extension. This is a video file that can be played using media players like VLC.

You might also like