M4A1: Textbook Activity- Forensic Tools
IT406: Computer Forensics
Hands-On Project 7-3: In this project, you create a test drive by planting evidence in the file slack space on a USB drive or small disk partition. You use Hex Workshop (which you downloaded in a previous chapter from www.hexworkshop.com) to hide the data past the logical end of a file, where ordinary file access and a search inside the file cannot see it. In Hands-On Project 7-4 you will use FTK to verify that the drive contains the evidence. Follow these steps:
1. First, you format the drive in Windows Explorer. Right-click the drive icon and click Format, click to clear the Quick Format check box, if necessary, and then click Start. (A full format rather than a quick format gives you a clean starting point, so leftover data from the drive's previous use does not show up in the slack space you examine later.) If you see a warning message, click OK to continue.
2. Create a C7Prj03 folder on the USB or disk drive. Warning: This drive should contain only data you no longer need; formatting destroys it.
3. Start a new document in Word and type Testing for string Namibia. Save the file in the C7Prj03 folder as C7Prj03a.doc.
4. Close the file, start a new Word document, and type Testing for string XYZX. Save the file in the C7Prj03 folder as C7Prj03b.doc. Exit Word.
Next, you use Hex Workshop to hide information in file slack space:
1. Start Hex Workshop. On a sheet of paper, create a chart with two columns. Label the columns Item and Sector.
2. In Hex Workshop, click Disk, Open Drive from the menu. Make sure the USB or disk drive is selected, and then click OK.
3. Click File, Open from the menu. Navigate to and double-click C7Prj03a.doc. Scroll down until you see "Testing for string Namibia."
4. Click the tab corresponding to your USB or disk drive, and then click at the beginning of the right column. Click Edit, Find from the menu. In the Find dialog box, make sure Text String is selected in the Type list box. Type Namibia in the Value text box, click the Either option button, and then click OK. (If Hex Workshop doesn't find "Namibia" the first time, repeat this step.)
5. In the Item column on your chart, write C7Prj03a.doc. In the Sector column, write the sector number containing the search text, as shown on the Hex Workshop title bar.
6. Scroll to the bottom of the sector, if necessary. Type Murder She Wrote near the end of the sector in the right pane, and then click the Save toolbar button. Make sure the bytes you type fall after the last byte of file data: anything typed before the file's logical end overwrites the document's contents instead of landing in slack. (Note: If you're asked to enable Insert mode, click OK, press Insert, click to select the Disable notification message check box, and click OK, if necessary.)
7. Click the C7Prj03a.doc tab. Click Edit, Find from the menu, type Murder in the Value text box, and then click OK. Hex Workshop can't find this text in C7Prj03a.doc, because the file view stops at the logical end of file. Click Edit, Find from the menu, and then click OK to verify that Hex Workshop doesn't find "Murder" in the document. If the search does find it, the text was written inside the file's data rather than in slack; restore the bytes and repeat step 6 closer to the end of the sector. Close the file by clicking the lower Close button in the upper-right corner.
8. Click File, Open from the menu. Navigate to and double-click C7Prj03b.doc. Scroll down, if needed, until you see the "Testing for string XYZX" text you entered earlier. (Hint: You might need to use the Find command more than once to find this text.)
9. Click the tab for your USB or disk drive, if necessary, and then click at the beginning of the right column. Click Edit, Find from the menu, type XYZX as the value you want to find, and then click OK. On your chart, write C7Prj03b.doc as the filename in the Item column, and in the Sector column, note the sector number containing the search text, as shown on the Hex Workshop title bar.
10. In the tab for your USB or disk drive, type I Spy near the end of the sector in the right pane, in the slack space, and then click the Save toolbar button.
11. Verify that "I Spy" doesn't appear as part of the file by clicking the C7Prj03b.doc tab and searching for this string twice.
12. Close the C7Prj03b.doc file, and exit Hex Workshop.
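The following Python script is an added illustration of what the Hex Workshop steps above rely on; it is not part of the textbook project and does not touch a real drive. It models a small FAT-style volume as an in-memory byte array (the 512-byte sectors, 4 KiB clusters, starting cluster and 32 KiB image size are assumptions), stores a file whose contents stand in for C7Prj03a.doc, plants "Murder She Wrote" in the slack at the end of the file's last cluster, and then shows why a search of the file's logical bytes misses the marker while a sector-level search of the raw image finds it and reports the sector number you would write in the chart. It also refuses to plant a marker that would not fit in the slack, which is exactly the mistake of typing before the end of file data in step 6.

```python
# Added example (not from the textbook): an in-memory model of file slack space.
# Sector and cluster sizes are assumptions chosen to resemble a small FAT32 volume.

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8                        # assumption: 4 KiB clusters
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the logical end of file and the end of its last cluster."""
    used = file_size % cluster_size
    return 0 if used == 0 else cluster_size - used


def write_file(image: bytearray, first_cluster: int, data: bytes):
    """Store contiguous file data; returns (start, end) byte offsets of the logical file."""
    start = first_cluster * CLUSTER_SIZE
    end = start + len(data)
    if end > len(image):
        raise ValueError("file does not fit in image")
    image[start:end] = data
    return start, end


def plant_in_slack(image: bytearray, file_end: int, file_size: int, marker: bytes) -> int:
    """Write marker at the very end of the file's last cluster, i.e. in slack.

    Refuses if the marker is larger than the slack: writing any earlier would
    overwrite file content, the failure mode the manual step must avoid.
    """
    slack = slack_bytes(file_size)
    if len(marker) > slack:
        raise ValueError(f"marker ({len(marker)} bytes) exceeds slack ({slack} bytes)")
    offset = file_end + slack - len(marker)      # "near the end of the sector"
    image[offset:offset + len(marker)] = marker
    return offset


def read_logical_file(image: bytearray, start: int, end: int) -> bytes:
    """What Word or the Hex Workshop file tab sees: only bytes up to the file size."""
    return bytes(image[start:end])


def find_in_raw_image(image: bytearray, needle: bytes):
    """Sector-level search, like Disk > Open Drive followed by Edit > Find.
    Returns the sector number holding the first match, or None."""
    idx = image.find(needle)
    return None if idx == -1 else idx // SECTOR_SIZE


def demo():
    image = bytearray(8 * CLUSTER_SIZE)          # constructed 32 KiB image, all zeros
    content = b"Testing for string Namibia"      # stands in for C7Prj03a.doc (26 bytes)
    start, end = write_file(image, first_cluster=2, data=content)
    offset = plant_in_slack(image, end, len(content), b"Murder She Wrote")
    return {
        "slack_bytes": slack_bytes(len(content)),                 # 4096 - 26
        "marker_offset": offset,
        "in_file": b"Murder" in read_logical_file(image, start, end),
        "raw_sector": find_in_raw_image(image, b"Murder"),        # chart entry
        "file_sector": find_in_raw_image(image, b"Namibia"),
    }


if __name__ == "__main__":
    print(demo())
```

On a real volume the same arithmetic applies, but the file's clusters need not be contiguous and the last cluster is found through the file allocation table; the slack is still the gap between the recorded file size and the end of that last cluster, which is why a full-disk tool such as FTK can recover what a file-level search cannot.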