Digital Media Forensics Essentials Labs

Students will confirm the validity of event-data analysis to eliminate false-positive events.

Students will run Windows Forensic Toolchest against an existing system to create a baseline that will be used for future analysis.

Students will ingest and process a previously acquired forensic image using Autopsy. The focus of the lab will be on recovering data from the image, reviewing the supplied forensic report and verifying that the image is forensically sound.

In this lab, the student will simulate browsing and downloading a malicious file from a website then learn how to detect the introduction and executions of malicious activity on a Win7 machine.

Students will use utilize two virtual machines, inside a protected network, to observe configuration changes on a known good / clean system and all of the unusual network traffic generated by the suspect software they will be analyzing. On the clean system they will use Regshot, Argon Network Switcher, Process Hacker, Process Monitor and Noriben to gather details on what the suspicious program is actually doing. On another support machine they will set up a fake DNS server to receive all suspicious traffic, and pass that traffic over to Wireshark for further analysis. This lab will continue to foster tool familiarization and will provide the students an introduction to capturing network traffic by using a simple "man-in-the-middle" system.

Students will identify access to a PFSENSE firewall through the forwarding of SYSLOG (System logs) from a Firewall to the SYSLOG service we have configured and set up on the Network. Students will then identify malicious activity through system logs.

Students will detect malicious files and processes using various tools. Students will then remove the malicious files and/or processes.

Students will identify known IOCs for Stuxnet and save them for analysis. Students will then identify malicious drivers associated with the malware, and identify AES keys in memory.

The highest risk systems are the ones with Internet facing Applications. One an attacker from the Internet is able to compromise the internal network, then it is very likely they will attempt to move to other machines on the network. The machines in the Demilitarized Zone (DMZ) are at high risk because they are not usually as protected as the computers which are part of the Internal Network.

Students will create a live image using FTK Imager and verify that the image was created successfully.

Students will use FTK Imager Lite to create a forensic image of a Windows 8 workstation. After they create the image they will perform a hash check to ensure that the image that was created is the same as what is currently running on the live system.

This is one of the labs for the Advanced Digital Media Forensics class.

This lab exercise is designed to allow the trainee to become familiar with using Network Miner.

Students will use John the Ripper and Cain and Abel to crack password protected files.

Students will participate in attack analysis/incident response, including root cause determination, to identify vulnerabilities exploited, vector/source and methods used (e.g., malware, denial of service). Students will then investigate and correlate system logs to identify missing patches, level of access obtained, unauthorized processes or programs.

In this lab we will replicate the need for Analysts to be able to analyze network traffic and detect suspicious activity. Tools like Wireshark and Snort can be utilized to read, capture, and analyze traffic.