Question: M7 - Lab Assignment - Creation and Examination of VMs with FTK and Autopsy
Overview:
In addition to conducting examinations of laptop and desktop computers, you will undoubtedly be faced with conducting a forensic examination of a virtual machine. Your readings for this module introduced the concepts and procedures to you for this activity. In this lab, you will practice those techniques. Note that your text says Autopsy can't directly read .vmdk files. In the 4.1 version of Autopsy, that limitation is now removed. There may still be times you need to image a drive image, however, so in this lab you will image a virtual machine disk with FTK and then analyze it with Autopsy.
Access the virtual lab you are directed to by your instructor (using the Consolidated Lab Access instructions provided in the Course Materials folder). The first part of this assignment requires you to complete the steps outlined on pages 427-429 in your textbook. Steps 1 and 2 at the bottom of page 427 have already been completed for you. You will complete steps 3-14 on pages 428 and 429 in your text to generate an image file you will need for the Hands-On Project 10-1. Note that in step 5 your actual path will be C:\Users\Student\VirtualBox VMs\Ubuntu 20.04. Make a screen capture of the Drive/Image Verify Results dialog displayed when the image is created. This screen will show the image hashes. Submit this screen capture with your assignment.
For the second part of this lab, complete Hands-On Project 10-1, steps 1-3. In step 3 you will select the image file you created with FTK earlier in the first part described above. This should be at C:\Users\Student\Desktop\Work\C10InChp-2.001. We will not use all the ingest modules for this analysis; you should ensure only the Recent Activity ingest module is selected. Click Next and Finish and wait for the analysis to complete.
Expand the Views/File Types/By Extension/Documents tree on the left and select the PDF list of documents. Make a screen capture of the list of found PDFs and submit it with your assignment, including the screen capture of the image hashes from the first part.
When logging into your VM, use the Student account with the password 607forensics. The data files needed for the lab are in a folder on the desktop named Lab Data, in the subfolder for this module. You will not need to download them. There is a Work folder built for you on the desktop.
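
The image hashes shown in the Drive/Image Verify Results dialog can be reproduced independently before the image is loaded into Autopsy. The following is an added example, not part of the assignment or the textbook; it assumes the image is in raw (dd) format, possibly split into numbered segments (.001, .002, ...), and the function names are illustrative.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory
SEGMENT = re.compile(r"\.\d{3}")  # raw (dd) segment suffixes: .001, .002, ...


def image_segments(first_segment):
    """Return every segment of a split raw image in numeric order."""
    first = Path(first_segment)
    if not SEGMENT.fullmatch(first.suffix):
        return [first]  # single-file image, nothing to stitch together
    found = [p for p in first.parent.iterdir()
             if p.stem == first.stem and SEGMENT.fullmatch(p.suffix)]
    return sorted(found, key=lambda p: int(p.suffix[1:]))


def hash_image(first_segment):
    """MD5 and SHA-1 over all segments, treated as one continuous byte stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for segment in image_segments(first_segment):
        with open(segment, "rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify(first_segment, expected_md5, expected_sha1):
    """Compare recomputed hashes with the values recorded at acquisition."""
    md5, sha1 = hash_image(first_segment)
    return {"md5": md5 == expected_md5.strip().lower(),
            "sha1": sha1 == expected_sha1.strip().lower()}


if __name__ == "__main__":
    # Constructed sample: a tiny two-segment "image", not real evidence.
    with tempfile.TemporaryDirectory() as tmp:
        data = b"constructed sample disk data " * 1000
        Path(tmp, "sample.001").write_bytes(data[:16000])
        Path(tmp, "sample.002").write_bytes(data[16000:])
        recorded = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
        print(verify(Path(tmp, "sample.001"), *recorded))
```

For the lab image, pass the path to C10InChp-2.001 and the two hash values from the screen capture; a mismatch on either value means the file being analyzed is not the file that was acquired.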
