
File analysis, data carving, and keyword searches 

Lab Resources: 

  • Windows workstation with FTK Imager and Autopsy
  • SIFT Workstation
  • Peterson USB forensic image
  • Peterson Linux hard drive forensic image

PART 1 – Look for deleted files using FTK Imager

  1. Start FTK Imager
  2. Add the Peterson USB image file:

Remember, FTK Imager is an imaging tool. While it is very powerful for initial examinations, it is not an in-depth analysis tool. Therefore, you may OR may not be able to recover data of value. Do not be alarmed if you are unable to make a recovery. This is just step one in determining where we need to go next.

Let’s recover some deleted files

Recover all the deleted .txt, .bat, and .pdf files:

  1. To recover a file, highlight the file name (make sure it has a file size greater than 1) and right click on it. Select Export File.
  2. Make a folder named Exports to use as your destination folder. Select OK.
  3. Files will be exported to the Exports folder and can now be opened with the program that created them or another similar program. For example, .txt or .bat files can be viewed in Notepad.

PART 2 – File Carving

Not all deleted files can be recovered as easily as in the previous steps. Files that have been fragmented or partially overwritten will require more work. This is when we use File Carving, also called Data Carving, or simply Carving. File carving is the process of trying to recover files without the help of OS metadata. This is done by analyzing the raw data and identifying what it is (text, executable, JPG, MP3, etc.). This can be done in different ways, but the simplest is to look for known file headers (signatures). Some file types contain footers as well, making it just as simple to identify the end of the file; where the footer is missing or was overwritten, the carver has to cut the file at a size limit and the result may carry trailing junk.
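To make the header/footer idea concrete, here is a small carver written for this handout; it is an added example, not part of the lab or of Scalpel. It scans a raw byte buffer for the JPG, PDF and legacy .doc (OLE) signatures, takes everything up to the matching footer, and, when no footer is found (the "partially overwritten" case) or the type has no footer, cuts the carve at a per-type size limit. The sample image, the rule sizes and the output naming are constructed for the demonstration.

```python
"""Minimal header/footer file carver (constructed illustration of the technique)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CarveRule:
    """One carving rule: extension, header signature, optional footer, size cap."""
    ext: str
    header: bytes
    footer: Optional[bytes]   # None means "no footer known": cut at max_size
    max_size: int


# Signatures for the three types the lab carves. The JPG and PDF header/footer
# bytes are the standard ones; the OLE header covers legacy .doc files.
# The size caps are small, constructed values so the sample image below
# exercises the truncation path; real tools use caps in the megabytes.
RULES = [
    CarveRule("jpg", b"\xff\xd8\xff", b"\xff\xd9", 40),
    CarveRule("pdf", b"%PDF-", b"%%EOF", 200),
    CarveRule("doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None, 64),
]


def carve(image: bytes, rules=RULES) -> List[Tuple[str, int, bytes]]:
    """Return (ext, offset, data) for every header hit, ordered by offset.

    No file-system metadata is used: we scan the raw bytes for each header,
    then take everything up to and including the footer. If the footer is
    missing (file overwritten or fragmented) or the rule has no footer, the
    carve is cut at max_size, so the reader should expect trailing junk.
    """
    found = []
    for rule in rules:
        pos = 0
        while True:
            start = image.find(rule.header, pos)
            if start == -1:
                break
            limit = min(len(image), start + rule.max_size)
            end = limit
            if rule.footer is not None:
                f = image.find(rule.footer, start + len(rule.header), limit)
                if f != -1:
                    end = f + len(rule.footer)
            found.append((rule.ext, start, image[start:end]))
            pos = start + len(rule.header)   # keep scanning for further hits
    return sorted(found, key=lambda hit: hit[1])


def carved_names(found) -> List[str]:
    """Name outputs by sequence number, the way carving tools number files."""
    return ["%08d.%s" % (i, ext) for i, (ext, _off, _data) in enumerate(found)]


# --- constructed sample image: filler, a complete JPG, a PDF, then a JPG
#     whose tail (including the footer) was overwritten ---
FILLER = b"\x00" * 32
JPG_FULL = b"\xff\xd8\xff\xe0" + b"JFIF-sample-pixels" + b"\xff\xd9"
PDF_FULL = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
JPG_CUT = b"\xff\xd8\xff\xe0" + b"overwritten-"
SAMPLE_IMAGE = FILLER + JPG_FULL + FILLER + PDF_FULL + FILLER + JPG_CUT + FILLER

if __name__ == "__main__":
    hits = carve(SAMPLE_IMAGE)
    for name, (ext, off, data) in zip(carved_names(hits), hits):
        print(f"{name}: {ext} at offset {off}, {len(data)} bytes")
```

Running it prints three carves: the first JPG and the PDF come out byte-exact because their footers were found, while the third carve is the overwritten JPG cut at the 40-byte cap, which is why carved output always needs a manual look before it is trusted.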

Perform carving using Scalpel (use the Canvas presentations for a reminder on the steps):

  1. Open your SIFT Workstation.
  2. Using the GUI, locate the Scalpel configuration file, scalpel.conf (it is located under /etc).
  3. Copy the config file (scalpel.conf) to your Peterson USB folder. Be sure the Peterson USB image is also in this folder!!
  4. Edit the new config file to locate any JPG file. Do this by uncommenting the JPG line in the config file.
  5. Edit the config file to locate JPG, DOC and PDF files. Do this by uncommenting all the file headers you wish to locate. Save the config file. DO NOT change the name of the config file.
  6. Open Terminal and navigate to your Peterson USB folder.
  7. Make sure both the Peterson USB image and .config are listed: ls -l
  8. Carve the Peterson USB image for JPG, DOC, and PDF files:

sudo scalpel -c scalpel.conf -o "Norm Output" NORM-USB.001

  9. Notice the output files that were created.
  10. Change the permissions on your Norm Output folder: sudo chmod 777 "Norm Output" (777 makes the folder world-writable; that is acceptable on a disposable lab VM but not a setting to carry over to real evidence storage).
  11. Open the Norm Output folder and take a screenshot of all the sub folders that were collected.
    Paste the screenshot here:

 Find the carved files using Autopsy (use the Canvas presentations for a reminder on the steps):

  1. On your Windows workstation, open the Autopsy case that contains the Peterson USB image.
  2. Locate the container of Carved Files and click on it to show all the files in the listing pane.
    Paste a screenshot of the carved files listing here:

PART 3 – File Analysis

  1. In Autopsy, locate the picture of the bank storefront that contains metadata. Refer to videos in Canvas for a reminder on doing t
  2. Export the file into the same folder you used from Part 1.
  3. In your SIFT Workstation, from your Norm Output folder, copy the document you carved with the “move along” message. Copy it to the Export folder from Part 1.
  4. You should now have five file types in your Export folder:  .txt, .pdf, .jpg, .bat, .doc
  5. Using whatever tool or method you choose, put on your investigator hat and complete the analysis table below.

Complete this Analysis Table:

  1. Pick the five most interesting files. There must be one of each type: .txt, .pdf, .jpg, .bat, .doc
  2. In the table, list EACH of the five chosen files and write a brief statement of your findings for EACH. See example on Line 1:
  Name of file OR Carved File Number | Type of file | File description         | How is this relevant to the case?
  -----------------------------------|--------------|--------------------------|------------------------------------------------------------------
  Example.doc (carved file 000000)   | .doc         | Word document about dogs | The hidden message in-text tells us where Jimmy Hoffa is buried.
  1.                                 |              |                          |
  2.                                 |              |                          |
  3.                                 |              |                          |
  4.                                 |              |                          |
  5.                                 |              |                          |

Part 4 – Keyword Searching with grep

  1. Open the Export folder on your Windows workstation.
  2. Launch FTK Imager, and open Peterson’s Ubuntu hard drive image.
  3. Export etc/shadow, etc/passwd, etc/group files into your Exports folder.
  4. Copy your Exports folder onto your SIFT Workstation.
  5. Create a folder on your desktop named “keywords”
  6. Copy the following files from your Export folder to the keywords folder:
    1. the recovered .txt file (margaritas.txt)
    2. shadow
    3. passwd
    4. group
  7. Open the Terminal.
  8. Navigate to your keywords folder
  9. Use the ls command to verify the four files you need are listed.
  10. We will now use grep to search the files for keywords.
    1. Type grep 'OWAT' margaritas.txt* to search for any hits of OWAT in the .txt file you recovered.
    2. Type grep 'Peterson' margaritas.txt* to search for any hits of Peterson in the .txt file you recovered.
    3. Type grep -r 'Peterson' * to search recursively for any hits of Peterson that can be found in ANY file located in the keywords folder.
  11. Apply what you just learned – Use grep to search for all of these words in the keywords folder.
    1. OWAT
    2. Antigua
    3. Cavin
    4. Manhattan
    5. Ponzi
  12. Take a screenshot of the results and paste it here.
  13. Use grep to search for both of these words in the keywords folder. Remember that in Lab 8 we only saw Patterson user accounts? We want to double-check whether there are any Peterson user accounts on this system.
    1. patterson
    2. Peterson
  14. Take a screenshot of the results and paste it here.
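The keyword searches in steps 10 to 14 above are plain grep runs, and the one detail that decides whether the "Peterson account" question gets answered correctly is that grep is case-sensitive by default: a login name such as a lowercase "peterson" in shadow or group is not matched by grep 'Peterson' unless you add -i. The script below is an added example written for this handout (not part of the lab) that reproduces grep -rn over a constructed keywords folder in both modes and also parses the passwd file directly, so the account list is checked by field rather than by substring of a whole line. All file contents, account names and hash strings are constructed placeholders.

```python
"""Keyword search over recovered files, the way the lab uses grep (constructed demo)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed stand-ins for the four files the lab copies into the keywords
# folder. The names, account names and hashes are placeholders, not case data.
SAMPLE_FILES = {
    "margaritas.txt": (
        "OWAT wire to Antigua cleared.\n"
        "Cavin says the Manhattan office is asking about the Ponzi book.\n"
    ),
    "passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "jpatterson:x:1000:1000:Jim Patterson:/home/jpatterson:/bin/bash\n"
        "npeterson:x:1001:1001:Norm Peterson:/home/npeterson:/bin/bash\n"
    ),
    "shadow": (
        "root:*:19000:0:99999:7:::\n"
        "jpatterson:$6$placeholder$notarealhash:19000:0:99999:7:::\n"
        "npeterson:$6$placeholder$notarealhash:19000:0:99999:7:::\n"
    ),
    "group": (
        "sudo:x:27:jpatterson\n"
        "users:x:100:jpatterson,npeterson\n"
    ),
}

Hit = Tuple[str, int, str]   # (relative path, line number, line text)


def keyword_search(root: Path, keywords: List[str], ignore_case: bool = False) -> Dict[str, List[Hit]]:
    """Equivalent of `grep -rn KEYWORD *` for each keyword; like -i when ignore_case."""
    flags = re.IGNORECASE if ignore_case else 0
    patterns = {kw: re.compile(re.escape(kw), flags) for kw in keywords}
    hits: Dict[str, List[Hit]] = {kw: [] for kw in keywords}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        # errors="replace" keeps a stray binary file from aborting the search
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                for kw, pat in patterns.items():
                    if pat.search(line):
                        hits[kw].append((rel, lineno, line.rstrip("\n")))
    return hits


def accounts_matching(passwd_text: str, fragment: str) -> List[str]:
    """Usernames whose login name or GECOS field contains fragment (case-folded)."""
    frag = fragment.lower()
    matches = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # not a well-formed passwd record
            continue
        if frag in fields[0].lower() or frag in fields[4].lower():
            matches.append(fields[0])
    return matches


def demo() -> Dict[str, Dict[str, List[Hit]]]:
    """Write the sample files to a temp dir and run both search modes."""
    keywords = ["OWAT", "Antigua", "Cavin", "Manhattan", "Ponzi", "patterson", "Peterson"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, text in SAMPLE_FILES.items():
            (root / name).write_text(text, encoding="utf-8")
        return {
            "case_sensitive": keyword_search(root, keywords),
            "case_insensitive": keyword_search(root, keywords, ignore_case=True),
        }


if __name__ == "__main__":
    for mode, hits in demo().items():
        print(f"== {mode} ==")
        for kw, lines in hits.items():
            print(f"{kw}: {len(lines)} hit(s)", [f"{p}:{n}" for p, n, _ in lines])
    print("Peterson accounts:", accounts_matching(SAMPLE_FILES["passwd"], "peterson"))
```

In the constructed data the case-sensitive pass reports one Peterson hit (the GECOS name in passwd) while the case-insensitive pass reports three (passwd, shadow and group), which is exactly the gap grep -i closes; the passwd parser then confirms which login names actually belong to a Peterson rather than merely mentioning the word.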