CompTIA Cybersecurity Analyst (CySA+)

Forensics - E-mail and Social Media Investigations

Introduction
Exercise 1 - Using OSForensics to Recover E-mail
Exercise 2 - Email Examination Example
Exercise 3 - Image Examination Example
Exercise 4 - Facebook Forensics
Summary

Introduction

The Forensics - E-mail and Social Media Investigations lab provides you with the instructions and devices to develop your hands-on skills in the following topics.

Using OSForensics to Recover E-mail
Email Examination Example
Image Examination Example
Facebook Forensics

Lab time: It will take approximately 1 hour to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

CS0-001 1.1 Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes.
CS0-001 3.2 Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation.
CS0-001 4.2 Given a scenario, use data to recommend remediation of security issues related to identity and access management.

Lab Diagram

During your session you will have access to the following lab configuration. Depending on the exercises you may or may not use all of the devices, but they are shown here in the layout to get an overall understanding of the topology of the lab.

Connecting to your Lab

In this module you will be working on the following equipment to carry out the steps defined in each exercise.

PLABWIN810 (Windows 8.1 - Standalone Workstation)

Each exercise will detail which device you are required to work on to carry out the steps.

To start, simply choose a device and click Power on. In some cases, the devices may power on automatically. For further information and technical support, please see our Help and Support page.

Copyright Notice

This document and its content is copyright of Practice-IT - © Practice-IT 2017. All rights reserved. Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following:

1. You may print or download to a local hard disk extracts for your personal and non-commercial use only.
2. You may copy the content to individual third parties for their personal use, but only if you acknowledge the website as the source of the material.

You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.

Exercise 1 - Using OSForensics to Recover E-mail

OSForensics isn't task- or file-specific, as other tools are. Instead, it indexes the data on a disk image or an entire drive for faster retrieval. It can also filter for or find files specific to e-mail clients and servers.

To get a better understanding of this technology, please refer to your course material or use your preferred search engine to research this topic in more detail.

In this exercise you will complete the following tasks.

Extract Drive Image
Recover E-mail Messages

Task 1 - Extract Drive Image

To extract the drive images that will be used by OSForensics, perform the following steps:

Step 1

Ensure that you have powered on the required devices and connect to PLABWIN810.

Click File Explorer on the taskbar. Expand Local Disk (C:) > Work > Data files > Ch09. Right-click the gcfi-ntfs-dd application and select Open.

Step 2

In the WinRAR self-extracting archive dialog, type the following in the Destination folder box:

C:\Work\Data files\Ch11\Drives

Click Extract.

Figure 1.0 Screenshot of PLABWIN810: WinRAR Self Extracting Archive

Please wait while the drive image is being processed.

Close the File Explorer window when the file has been successfully extracted.

Figure 1.1 Screenshot of PLABWIN810: WinRAR Self Extracting Archive

Keep the devices powered on in their current state and proceed to the next task.

Task 2 - Recover E-mail Messages

OSForensics lets you configure these e-mail filters when you enter search parameters. In this task, you will use OSForensics to recover e-mails.

Step 1

Access the Start screen, then type:

osforensics

Select OSForensics in the Search fly-out menu.

Figure 1.2 Screenshot of PLABWIN810: App Search

Click Continue Using Free Version on the welcome screen.

Under the Case Management section, select Create Case.

Figure 1.2 Screenshot of PLABWIN810: OSForensics

Step 2

In the New Case dialog box, for the case name, type:

InChap11

Enter your name in the Investigator field.

Fill in the Contact Details and the Organization with your own information.

Click OK.

Figure 1.3 Screenshot of PLABWIN810: OSForensics starting a new case

In the Manage Case window, click the Add Device… button.

Figure 1.4 Screenshot of PLABWIN810: OSForensics Manage Case

Step 3

In the Select device to add dialog box, select the Image File option button.

Then click the […] button.

Figure 1.5 Screenshot of PLABWIN810: OSForensics selecting a device

Navigate to the C:\Work\Data files\Ch11\Drives path.

Figure 1.6 Screenshot of PLABWIN810: OSForensics selecting an image

Step 4

Click the hard drive image file gcfi-ntfs.dd, and click Open.

Figure 1.7 Screenshot of PLABWIN810: OSForensics selecting an image

Click OK to close the Select device to add dialog box.

Figure 1.8 Screenshot of PLABWIN810: OSForensics selecting a device to add

Step 5

Back in the Manage Case window, click the Create Index button in the left pane to start the Create Index Wizard.

In the Step 1 of 5 window, click the Use Pre-defined File Types option button, if necessary. Select the Emails and Attachments check boxes, then click Next.

Figure 1.9 Screenshot of PLABWIN810: OSForensics creating an index

In the Step 2 of 5 window, click the Add button.

Figure 1.10 Screenshot of PLABWIN810: OSForensics creating an index

Step 6

In the Add Start Location dialog box, click the Whole Drive option button, if necessary. Click the list arrow, click gcfi-ntfs-0:\, and then click OK.

Figure 1.11 Screenshot of PLABWIN810: OSForensics creating an index

Back on the Step 2 of 5 page, click Next.

Figure 1.12 Screenshot of PLABWIN810: OSForensics creating an index

In the Step 3 of 5 window, click Start Indexing.

Figure 1.13 Screenshot of PLABWIN810: OSForensics creating an index

Please wait while indexing is in progress.

Figure 1.14 Screenshot of PLABWIN810: OSForensics creating an index

Step 7

When the indexing has finished, click OK in the message box informing you that errors might have occurred while reading some files during indexing, if necessary.

Figure 1.15 Screenshot of PLABWIN810: OSForensics creating an index

Click Search Index in the left pane.

Figure 1.16 Screenshot of PLABWIN810: OSForensics creating an index

In the Enter Search Words text box, type:

money

Click Search.

Figure 1.17 Screenshot of PLABWIN810: OSForensics search index

Step 8

Click the Emails tab, if necessary. The search should have returned an e-mail. Right-click the first e-mail and click Open.

Figure 1.18 Screenshot of PLABWIN810: OSForensics search index

Note: If you get a scripting error dialog box, click Yes.

To see more details, click View > Headers from the menu.

Figure 1.19 Screenshot of PLABWIN810: OSForensics Email Viewer

Step 9

Additional information about this e-mail can be viewed in the headers.

When you're finished examining the e-mail, close the Email Viewer window and exit OSForensics.

Figure 1.20 Screenshot of PLABWIN810: OSForensics Email Viewer
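The header examination of Step 8 and Step 9, as an added Python example that is not part of this lab's material or of OSForensics: it parses a constructed message, lists the main header fields, walks the Received chain in transit order (relays prepend their Received line, so the header order is reversed) and compares the sender's Date header with the first relay's timestamp. The host names, addresses and message body are all constructed.

```python
"""Header examination of a recovered e-mail, the manual View > Headers step
done in code. Added example; the message below is constructed and is not
taken from the gcfi-ntfs.dd image used in the lab."""
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed sample: two relays, so two Received lines (newest on top).
# The "\t" at the start of a line is RFC 5322 header folding.
SAMPLE_EML = b"""\
Received: from mail.example-corp.test (mail.example-corp.test [192.0.2.10])
\tby mx.recipient.test with ESMTP id 7Kq9x; Tue, 04 Mar 2008 09:12:31 -0500
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example-corp.test with SMTP; Tue, 04 Mar 2008 09:10:02 -0500
From: "Alice Example" <alice@example-corp.test>
To: bob@recipient.test
Subject: Re: funds
Date: Tue, 04 Mar 2008 09:09:55 -0500
Message-ID: <20080304140955.1234@example-corp.test>
Content-Type: text/plain; charset="us-ascii"

Bob, the money should be wired before Friday.
"""

def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes with the modern email policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)

def header_summary(msg) -> dict:
    """The fields an examiner reads first in the Email Viewer headers."""
    return {n: str(msg.get(n, "")) for n in
            ("From", "To", "Subject", "Date", "Message-ID")}

def received_hops(msg) -> list:
    """Received lines in transit order (oldest first) as (line, datetime).
    The timestamp is the part after the last ';' of each unfolded line."""
    hops = []
    for h in reversed(msg.get_all("Received", [])):
        line = " ".join(h.split())           # unfold and normalise spaces
        stamp = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        hops.append((line, stamp))
    return hops

def date_skew_seconds(msg) -> int:
    """Seconds between the sender's Date header and the first relay's stamp.
    A large or negative value suggests a forged Date or a badly skewed clock."""
    sent = parsedate_to_datetime(msg["Date"])
    first_hop = received_hops(msg)[0][1]
    return int((first_hop - sent).total_seconds())

if __name__ == "__main__":
    m = parse_message(SAMPLE_EML)
    for k, v in header_summary(m).items():
        print(f"{k}: {v}")
    for i, (line, stamp) in enumerate(received_hops(m), 1):
        print(f"hop {i} @ {stamp.isoformat()}: {line}")
    print("Date header vs first relay:", date_skew_seconds(m), "seconds")
```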

Before proceeding with the hands-on projects, open File Explorer.

Create a C:\Work\Data files\Ch11\Projects folder on your system for this chapter's projects.

Exercise 2 - Email Examination Example

For this project, you use Aid4Mail to examine an employee’s e-mail.

You will use the PLABWIN810 lab workstation to complete this project.

In this exercise you will complete the following tasks.

Email Search

Task 1 - Email Search

We will now perform an e-mail search and examine the exported data using keyword string searches.

Step 1

First, create a subfolder under the work folder C:\Work\Data files\Ch11 called HandsOn11-1. Then start your web browser and, on the Tools and resources intranet, click Tools > Data Forensics. Download and unzip Aid4Mail_Setup.zip and install Aid4Mail using the default settings.

Step 2

Open the Downloads folder, where you will see en_office_professional_2007.zip. Extract the zip file into the same folder.

Double-click en_office_professional_2007 folder.

Double-click setup.

Install Office using the default settings.

Figure 2.0 Screenshot of PLABWIN810: Office Professional 2007 setup file

On the Enter your Product Key page, click Continue.

When Setup asks again to enter a Product Key, click No.

Figure 2.1 Screenshot of PLABWIN810: Office Professional 2007 setup

Step 3

Follow the screen prompts for a successful installation of Office 2007.

Click Close and exit from the File Explorer windows.

Keep Internet Explorer open.

Figure 2.2 Screenshot of PLABWIN810: Office Professional 2007 setup

Step 4

Open a new web browser tab. Then go to https://en.wikipedia.org/wiki/Enron_scandal to read more on the Enron scandal. Eric Saibi was a trader for Enron, which gives you some clues for search keywords. Note: Traders are responsible for making prices and executing trades in equities, bonds, commodities and foreign exchange, dealing on behalf of or for the benefit of investment banks. ~www.targetjobs.co.uk

Go back to the tab where you have the Tools and resources intranet open. You will be on the [..] > Tools > Data Forensics page.

Step 5

Click the eric_saibi.zip file. Save the file in the C:\Work\Data files\Ch11 folder. Close Internet Explorer when the download has completed.

Then uncompress the eric_saibi.zip file into the C:\Work\Data files\Ch11\eric_saibi\ folder.

Start Aid4Mail.

Click the Next button when it becomes available in the Welcome window.

Figure 2.3 Screenshot of PLABWIN810: Aid4Mail setup

When asked about checking for Internet updates and announcements, click No.

Figure 2.4 Screenshot of PLABWIN810: Aid4Mail setup

In the Mail Source window, locate the Office Outlook and Microsoft Exchange (requires Extended MAPI) section.

Click Office Outlook PST file, and then click Next.

Figure 2.5 Screenshot of PLABWIN810: Aid4Mail selecting main format

Step 6

On the Source Location page, navigate to Local Disk (C:) > Work > Data files > Ch11 > eric_saibi.

Figure 2.6 Screenshot of PLABWIN810: Aid4Mail selecting main format

Click the eric_saibi_000_1_1.pst file, and then click Next.

Figure 2.7 Screenshot of PLABWIN810: Aid4Mail selecting file

On the Source MAPI Folders page, keep the default selections and click Next.

Figure 2.8 Screenshot of PLABWIN810: Aid4Mail selecting MAPI folders

Step 7

On the Filter Options page, you can select a range of dates and words to search for. For now, leave the default settings and click Next.

Figure 2.9 Screenshot of PLABWIN810: Aid4Mail selecting filter options

On the Target Format page, scroll to the bottom and examine the export options shown. You can export metadata in CSV or XML format, for example.

Click Convert emails to CSV, and then click Next.

Figure 2.10 Screenshot of PLABWIN810: Aid4Mail target format

In the Target Settings window, in the Folder text box, type:

C:\Work\Data files\Ch11\HandsOn11-1

Then, in the File name text box, enter: ericsaibi.csv

Click Next.

Figure 2.11 Screenshot of PLABWIN810: Aid4Mail selecting target location

Step 8

On the Start Processing Mail page, click Start.

Figure 2.12 Screenshot of PLABWIN810: Aid4Mail processing

Please wait while the .pst file is being saved to .csv.

Figure 2.12 Screenshot of PLABWIN810: Aid4Mail processing

Step 9

After Aid4Mail has finished converting the e-mail to CSV format, open the file in OpenOffice Calc (or any spreadsheet program), and exit Aid4Mail.

Figure 2.13 Screenshot of PLABWIN810: Open file with OpenOffice Calc

In the Text Import - [ericsaibi.csv] window, click OK.

Figure 2.14 Screenshot of PLABWIN810: Text Import

Scroll through Eric Saibi's e-mail data and look for messages that might contain personal information or be related to the Enron scandal.

Go to the Aid4Mail web site and read the user manual.

Close OpenOffice Calc and Aid4Mail when you have finished scanning the .csv file.

Similarly, close Internet Explorer.

Figure 2.15 Screenshot of PLABWIN810: OpenOffice Calc

Keep the device powered on in its current state and proceed to the next task.
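The date-range and keyword filtering that Aid4Mail's Filter Options page offers, and that Step 9 does by hand in the spreadsheet, as an added Python example that is not part of this lab or of Aid4Mail: it loads a constructed CSV export and returns the rows that fall inside an optional date range and contain any of a list of keywords. The column names and timestamp format are assumed for the constructed file, not Aid4Mail's actual export layout.

```python
"""Keyword and date-range filtering over a CSV e-mail export.
Added example; the CSV below is constructed and its column names are
assumed, not Aid4Mail's real export layout."""
import csv
import io
from datetime import date, datetime

# Constructed export: addresses are placeholders, contents are invented.
SAMPLE_CSV = """\
Date,From,To,Subject,Body
2001-10-02 14:05,trader1@example.test,trader2@example.test,gas position,"Rolling the Q4 gas position, see attached."
2001-10-16 09:30,trader2@example.test,trader1@example.test,Re: restatement,"Accounting is restating earnings; shred nothing, keep everything."
2001-11-20 17:45,trader1@example.test,friend@example.test,dinner,"Home address is 12 Elm St, call my cell 555-0100."
2002-01-08 08:00,hr@example.test,trader1@example.test,benefits,"Open enrollment ends Friday."
"""

def load_rows(csv_text: str) -> list:
    """Parse the export with the csv module, which handles quoted commas."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def row_date(row: dict) -> date:
    """Assumed timestamp format of the constructed Date column."""
    return datetime.strptime(row["Date"], "%Y-%m-%d %H:%M").date()

def search(rows, keywords, start=None, end=None, fields=("Subject", "Body")):
    """Return (row, matched_keywords) for each row whose date lies within the
    optional ISO-formatted [start, end] range and whose searched fields
    contain at least one keyword, case-insensitively."""
    lo = date.fromisoformat(start) if start else None
    hi = date.fromisoformat(end) if end else None
    wanted = [k.lower() for k in keywords]
    hits = []
    for row in rows:
        d = row_date(row)
        if (lo and d < lo) or (hi and d > hi):
            continue
        text = " ".join(row.get(f, "") for f in fields).lower()
        matched = [k for k in wanted if k in text]
        if matched:
            hits.append((row, matched))
    return hits

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    # Keywords suggested by the Enron background reading plus PII markers.
    for row, kws in search(rows, ["restat", "shred", "address", "cell"],
                           start="2001-10-01", end="2001-12-31"):
        print(row["Date"], row["From"], row["Subject"], kws)
```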

Exercise 3 - Image Examination Example

In this project, you use ProDiscover Basic to retrieve mail in the M57 case.

You will use the PLABWIN810 lab workstation to complete this project.

Jo Smith, one of the M57 patent researchers, likes to trade illicit photos, illustrated in the M57 case as cats and kittens.

In this exercise you will complete the following tasks.

USB Image Search

Task 1 - USB Image Search

To download the USB drive images that will be used by OSForensics, perform the following steps:

Step 1

Ensure that you have powered on the required devices and connect to PLABWIN810.

Click Internet Explorer on the taskbar. On the Tools and resources intranet page, click Tools.

On the [..] > Tools page, click Data Forensics.

On the [..] > Tools > Data Forensics page, click USB.zip.

When the notification toolbar appears, click Save.

Figure 3.0 Screenshot of PLABWIN810: Intranet - Tools, Data Forensics

Step 2

When download of USB.zip is successfully completed, click Open folder.

Figure 3.1 Screenshot of PLABWIN810: Intranet - Tools, Data Forensics, USB

File Explorer window opens.

Right-click the USB compressed file and select Extract All…

Figure 3.2 Screenshot of PLABWIN810: Extracting the USB zip file

On the Extract Compressed (Zipped) Folders - Select a Destination and Extract Files page, type over the folder path in the text box with the following:

C:\Work\Data files\Ch11\USB\

Click Extract.

Figure 3.3 Screenshot of PLABWIN810: Extracting the USB zip file

Step 3

When the USB drives have been successfully extracted, close the File Explorer and Internet Explorer windows.

Figure 3.4 Screenshot of PLABWIN810: Extracting the USB zip file

Launch ProDiscover Basic from the desktop, and start a new project.

On the Welcome screen, enter today's date for the Project Number and Jo's hard drive for the Project Name. Click Open.

Step 4

In the tree view, click to expand Add, and click Image File. Navigate to C:\Work\Data files\Ch11\USB where you stored the USB drive image files, click jo-favorites-usb-2009-12-11.E01, and click Open.

If the Auto Verify Image Checksum message box opens, click Yes.

Click the Search toolbar button, and then click the Content Search tab, if necessary. In the Search for the pattern(s) text box, type:

kitty

Press Enter. Then on the next line, type:

kitten

Under Select the Disk(s)/Image(s) you want to search in, click the .E01 image file, and then click OK.

Step 5

A few search results are returned. Click the files that were found.

On the details pane at the bottom, look for instances of kitty or kitten.

Close ProDiscover Basic. If asked if you want to save this project, click No.

Figure 3.5 Screenshot of PLABWIN810: ProDiscover Basic search

Step 6

Once you have found the files close the project.

Exercise 4 - Facebook Forensics

In this project, you use Facebook Forensic Toolkit by Afentis Software to discover the friends and other information of a public Facebook profile. Although you can use your own Facebook logon for this project, creating a logon connected to your professional e-mail account is highly recommended for working on actual cases.

You will be using the PLABWIN810 lab device to complete this project.

In this exercise you will complete the following tasks.

Facebook Evidence Acquisition

Task 1 - Facebook Evidence Acquisition

We will now work on acquiring information using a tool designed specifically for Facebook.

Step 1

Launch Internet Explorer. The Tools and resources intranet page is displayed.

Click Tools.

On the [..] > Tools page, click the Data Forensics folder.

Click Facebook_Forensics_v2-94.zip.

Select Save to save the file.

When download is successfully completed, select Open Folder.

Extract Facebook_Forensics_v2-94.zip in the default directory.

A new folder path This PC > Downloads > Facebook_Forensics_v2-94 opens.

Double-click FFT-setup-v294 to install the application.

Figure 4.0 Screenshot of PLABWIN810: FFT setup file

Step 2

On the Welcome to the Facebook Forensic Toolkit (FFT) Setup Wizard page, click Next.

Figure 4.1 Screenshot of PLABWIN810: FFT setup file

Click Install Now to continue with the application setup.

Figure 4.2 Screenshot of PLABWIN810: FFT setup file

Step 3

Accept the default settings to install the application on the lab computer.

Click Install.

Figure 4.2 Screenshot of PLABWIN810: FFT setup file

Click the Run Facebook Forensic Toolkit (FFT) button.

Figure 4.3 Screenshot of PLABWIN810: FFT run

In the opening window, click the Examine Profile and Clone Data option.

Figure 4.4 Screenshot of PLABWIN810: FFT home page

Step 4

In the New Case - Information window, click the browse button next to "Location of examination results."

Create a subfolder under Local Disk (C:) > Work > Data files > Ch11 called HandsOn11-3, and click OK.

Figure 4.5 Screenshot of PLABWIN810: FFT searching for directory

For the Case number, enter today's date.

For the Examiner, enter your name.

Enter Test for the other information. Click the blue right arrow in the upper-left corner.

Figure 4.6 Screenshot of PLABWIN810: FFT new case

Step 5

On the NEW CASE - TARGET ACCOUNT page, append the following name to the URL:

alberteinstein

Click the blue forward button.

Figure 4.7 Screenshot of PLABWIN810: FFT new case

On the NEW CASE - ACQUIRE EVIDENCE www.facebook.com/alberteinstein page, adjust the Profile/Content information as needed, or click the All slider button.

Click the blue forward button.

Figure 4.8 Screenshot of PLABWIN810: FFT new case

On the Profile information on Facebook page, click LOGIN AS ACCOUNT HOLDER.

Figure 4.9 Screenshot of PLABWIN810: FFT new case

Step 6

When prompted to authenticate with a valid logon, enter valid Facebook logon credentials, and click Authenticate.

Figure 4.10 Screenshot of PLABWIN810: FFT authenticated

Step 7

If you’re asked to allow fbcrawler to post to Facebook for you, click Not Now.

You have Investigate, Results, Report available.

Near the Internet Available section on the right, click Start.

Figure 4.11 Screenshot of PLABWIN810: FFT investigating URL

You are redirected to the next page.

Examine the information in each category.

Important: Please note that due to network firewall security policies you will not get information when you click on the different categories indicated in the toolkit. You may try installing the Facebook Forensics Toolkit on your home PC to see how the categories work when you click on them.

Figure 4.12 Screenshot of PLABWIN810: FFT case information

Step 8

Next, click HOME at the top, enter the Facebook page of a famous person, and repeat the authentication process as in the previous steps. When you're finished, exit the program.

Figure 4.13 Screenshot of PLABWIN810: FFT case information

Click OK when the message Case data is saved is displayed.

Figure 4.13 Screenshot of PLABWIN810: FFT saving case data

Step 9

Once completed, shut down the program and the devices.

Shut down all virtual machines used in this exercise using the Practice Labs power button function to revert these devices to their default settings. Alternatively, you may sign out to power down all devices.

Summary

You covered the following activities in this module:

Using OSForensics to Recover E-mail
Email Examination Example
Image Examination Example
Facebook Forensics