Lab 2: Data Carving

What You Need for this lab

• Install VirtualBox: https://www.virtualbox.org/wiki/Downloads
• Install Kali 2021.4: https://old.kali.org/kali-images/kali-2021.4/
• Note: configure the disk size of the Kali VM to 80G, because each leakage case image is 30G+.
• Follow the tool installation script instructions, or simply run the commands below (the script is tested ONLY on Kali 2021.4):
    wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
    chmod +x tool-install-zsh.sh
    ./tool-install-zsh.sh

Example scenarios

• Scenario 1: A file (A) is hidden inside another file (B). You can't open file B because B's header is corrupted.
• Scenario 2: A suspect deleted files that contain important information. Each file occupies a few clusters. Unfortunately, some clusters have been reused (overwritten) by new files.

A forensic expert really wants to recover the files, even partial files.

1. Extracting images from a corrupted Word document

Step 1.
• Prepare the required files

Step 2.
• View the file in a hex editor

Step 3.
• Search for the file header; its start offset is 0F5E
• Search for the file trailer; its end offset is 15B93
• Select the hex from header to trailer
    • (0F5E)₁₆ = (3934)₁₀
    • (15B93)₁₆ = (88979)₁₀
• Copy the selection
• Paste the selection
• Save the image

Step 4.
• Show the carved image
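
The manual hex-editor steps in Section 1 can be automated by searching for the header and trailer signatures. The Python code below is an added example, not part of the original lab: it assumes the hidden image is a JPEG (header FF D8 FF, trailer FF D9), treats the lab's end offset 15B93 as inclusive, and runs on a constructed byte buffer rather than the lab's Word document. The function names are hypothetical.

```python
# Added example: signature-based carving. The sample data is constructed.
SOI = b"\xff\xd8\xff"  # JPEG header: start-of-image marker plus next marker's 0xFF
EOI = b"\xff\xd9"      # JPEG trailer: end-of-image marker


def carve_jpegs(data, max_size=10 * 1024 * 1024, keep_partial=False):
    """Return (start, end, complete) tuples; both offsets are inclusive.

    Naive on purpose: the first EOI after a header ends the file, so a JPEG
    with an embedded thumbnail would be cut short at the thumbnail's EOI.
    """
    hits, pos = [], 0
    while (start := data.find(SOI, pos)) != -1:
        limit = min(len(data), start + max_size)
        trailer = data.find(EOI, start + len(SOI), limit)
        if trailer != -1:
            end = trailer + len(EOI) - 1
            hits.append((start, end, True))
            pos = end + 1
        else:
            # Header with no trailer, e.g. later clusters were overwritten.
            if keep_partial:
                hits.append((start, limit - 1, False))
            pos = start + len(SOI)
    return hits


def extract(data, start, end):
    """Copy the inclusive range [start, end], like select/copy/paste in a hex editor."""
    return data[start:end + 1]


def build_sample():
    """Constructed container: a fake JPEG at the lab's offsets, then a truncated one."""
    first, last = 0x0F5E, 0x15B93  # offsets from the lab (end assumed inclusive)
    body = b"\x00" * (last - first + 1 - len(SOI) - 1 - len(EOI))
    fake_jpeg = SOI + b"\xe0" + body + EOI
    return b"\x00" * first + fake_jpeg + b"\x00" * 64 + SOI + b"\xe0" + b"\x11" * 32


if __name__ == "__main__":
    sample = build_sample()
    for start, end, complete in carve_jpegs(sample, keep_partial=True):
        blob = extract(sample, start, end)
        print(f"0x{start:X}-0x{end:X} ({start}-{end}) {len(blob)} bytes complete={complete}")
```

With keep_partial=True the truncated second header is also reported, which corresponds to Scenario 2, where only part of a file survives.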

2. Carving/Recovering a USB image

• Prepare a USB image for file carving

Step 1.
• Download the zipped USB image
• Compute hashes
• List the content of the zipped file
• List the content of the zipped file
• Verify the hashes

Step 2.
• Examine the content of the USB
• Display partitions
• Find deleted files
• Decide which file types need to be carved
• Save it and quit!
• Show help

Step 3.
• Carve the USB image
• Show carved files
• Show audit log

Step 4.
• Display two carved jpg images

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Save the document with the filename "YOUR NAME Lab 2.pdf", replacing "YOUR
NAME" with your real name.
Email the image to the instructor as an attachment to an e-mail message. Send it
to: [email protected] with a subject line of "Lab 2 From YOUR NAME", replacing "YOUR
NAME" with your real name.
