Scenarios for midterm exams
1.Test the student’s knowledge of “dd” and “netcat”and the ability to apply that knowledge. Have the student dd an object and pipe it into netcat (or cryptcatfor extra credit)
2.Send the object to another computer. Have the student md5 both the source and destination to demonstrate image integrity.
dd if=(OBJECT) conv=noerror | nc 192.168.1.1 8888
The object could be a simple file (note.txt), a device such as a thumb drive (/dev/sda), a logical partition (/dev/sda1), or live memory (/dev/mem Linux or\\.\ PhysicalMemoryWindows).Remember it is pointless to md5 the source on a live memory dump.
3.Test the student’s understanding of the pc-based “MBR Data Structure.” The student will need to reference Table 5.1, Table 5.2, and Table 5.3 in Brian Carrier’s File System Forensic Analysis(FSFA). Using the partitioning tool found on the Helix CD, partition a thumb drive into multiple partitions. Have the student analyze the MBR Data Structurethen using dd create an image file bycarving out one of the logical partitions. The md5 of the image file created should match the md5 of the source partition.
md5sum carvedpartition.img = md5sum /dev/sda5
Included is a practice image called “practice.img.” The md5 for this image is
d8d451a719d4ae9fce0c42c3f0433a80
In this exercise we are going to find the last usable logical partition in the image file “practice.img”that was created by imaging a partitioned thumb drive.
The first step is to dd the MBR into a 512 byte file and open it with a hex editor.
dd if=practice.img of=mbr1.img bs=512 count=1
The md5 for mbr1 is
a10867e3cf7170f442764a1abeeb91e2
Open “mbr1.img” with a hex viewer and go to byte offset 494.This is the last partition table entry. See Table 5.1 in FSFAthen reference Table 5.2. Note: the byte 4 partition type is 05 and Table 5.3 tells us that this is an extended partition, so to find the last usable partition we must carve out and analyze this next MBR. Bytes 8 thru 11 are the LBA starting address and is B8440300.This is in “little Indian” so we must invert it byte by byte to 000344B8. Then converting it to decimal we get 214200 so to carve out MBR2
dd if=practice.img of=mbr2.img bs=512 count=1 skip=214200
The md5 for mbr2 is 199cba87ee08f895063d6997ae3b9d2e
Now open “mbr2.img” in a hex viewer and go to byte offset 446. This is the last usable partition entry. If we look at partition table entries for 2, 3, and 4 we see that they contain only zeros. Byte 4 Partition type is 06 so it is a FAT partition. Bytes 8 thru 11 are the LBA starting address and is 38000000.This is in “little Indian” so we must invert it byte by byte to 00000038, then converting it to decimal we get 56.
214200, the starting offset for mbr2, plus 56, the offset between the starting position of mbr2 and the start of the last usable partition, gives us 214256 or the offset from the start of the physical device and the start of the last partition on this device. The size of the partition is
in bytes 12 thru 15 and is B0010100. Again we invert this number byte by byte to 000101B0. Converted to decimal we get 65968, so to carve out this last partition in to an image file:
dd if=practice.img of=partition.img bs=512 count=65968skip=214256
The md5 for “partition.img” is e10604c388aab3f0849eb3a4e65fca38 This should be the same md5 you get if you examine the original thumb drive and md5 the partition directly
md5sum /dev/sda5 (or whatever Helix is identifying the partition as).