INFER Labs

Hands-on 1: Data Acquisition using dd/dcfldd.

  • Module 1.1: Zeroing-out. Students will zero-out the target drive by writing 0 to every bit of the drive. This makes sure the target disk contains no existing data so that it won’t contaminate the copied evidence. After the drive is zeroed out, students will create a new partition on the target drive and assign a new file system to it.
  • Module 1.2: Data acquisition with dd/dcfldd. Students will perform data acquisition using the dd and dcfldd tools.
  • Module 1.3: Data validation. Students will learn different data validation methods to make sure the acquired data is an exact copy of the original evidence.

Hands-on 2: Windows Acquisition Tools.

  • Module 2.1: Disk formatting vs. zeroing-out. Students will perform Windows disk formatting and zeroing-out on two non-empty USB drives respectively, then acquire data from both USB drives using Linux dd and compare the results.
  • Module 2.2: FTK. Students will perform data acquisition on a non-empty USB drive with different tools and compare the results.
  • Module 2.3: Formatted vs. non-formatted disk. Students will perform acquisitions using FTK Imager on a USB drive before and after it is formatted, and then compare the results.

Hands-on 3: Examine Windows NTFS using WinHex

  • Module 3.1: Partition table. Students will examine the partition table in the Master Boot Record to find information about all partitions on the disk, including the hidden partitions.
  • Module 3.2: Master File Table (MFT). Students will analyze the MFT on the NTFS disk, particularly the attributes of a file record to reveal information about file creation, alterations, and the physical cluster addresses that hold the file or file fragments.
  • Module 3.3: Alternate data streams. Students will append hidden data to a file using alternate data streams, and then reveal the hidden data by analyzing the file MFT.
  • Module 3.4: File headers. Students will explore the headers of different file types in order to recognize a file’s true file type. Even if the suspect hides the file using techniques such as changing file extensions, investigators can still recognize the actual file type and access the data as long as the file header remains intact.
  • Module 3.5: Windows Registry. Students will learn to analyze the Windows system Registry and its structure.

Hands-on 4: Virtual Linux Forensic Workstation Setup and Forensic Analysis with Autopsy

  • Module 4.1: Linux VM Setup. Students will create a Linux VM using VirtualBox, boot the VM from a live CD, and install it on the virtual disk. Students will also practice some basic Linux commands in Terminal to manage the disks, files, and user accounts.
  • Module 4.2: Autopsy. Students will analyze a scenario where the forensic image of a suspect’s USB drive is provided to students in advance. Students will perform a forensic analysis of the image, including locating and recovering the hidden or deleted files, recognizing the true file types, examining the file content, etc. Post-activity questions will be provided to help reveal the artifacts.

Hands-on 5: File Carving

  • Module 5.1: Extracting unallocated clusters. Students will use the Sleuth Kit tool blkls to extract all the unallocated clusters from a forensic image.
  • Module 5.2: Foremost. Students will use the file-carving tool Foremost to recover a file from the unallocated space, and learn to specify file signatures in Foremost's configuration file.
  • Module 5.3: Scalpel. Students will perform file carving with a different tool, Scalpel.
  • Module 5.4: QPhotoRec. Students will use QPhotoRec on a Windows system to perform data recovery.
  • Module 5.5: Manual file carving with WinHex. Students will use WinHex to perform manual file carving. A PNG file with a modified header will be provided to students for analysis. Without file metadata or assistance from any file-carving tool, students must locate the physical cluster addresses of all file fragments, reassemble the file from these fragments, and fix the file header to recover the file.
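The following is an added example for Modules 3.4 and 5.1 to 5.5; it is not part of the INFER lab material, nor code from Foremost or Scalpel. It shows how a file's true type is read from its header bytes regardless of extension, how signature carving over unallocated space works (header search, cut at the next footer), how a carved PNG is validated chunk by chunk, and how a damaged PNG signature is repaired. The "unallocated space" is a constructed byte buffer built inline (a zero-filled region with one PNG and one JPEG-like object at known offsets), standing in for the output of blkls.

```python
"""
Header-based file type identification and signature carving.

Added example for Modules 3.4 and 5.x; not part of the INFER lab material
or of Foremost/Scalpel. The "unallocated space" it scans is the constructed
byte buffer SAMPLE_SPACE built below, standing in for the output of blkls.
"""
import struct
import zlib
from typing import Optional

# (header, footer) byte sequences, in the spirit of entries in a Foremost
# configuration file. Only three types are listed here.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def identify(data: bytes) -> Optional[str]:
    """Return the true type from the header bytes; the file extension is ignored."""
    for name, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return None


def carve(space: bytes, max_size: int = 1 << 20) -> list:
    """Find every known header in `space` and cut each object at its next footer.

    Returns (type, offset, bytes) tuples ordered by offset. A header with no
    footer within `max_size` bytes is skipped, which is how Foremost behaves
    unless it is told to carve fixed-size blocks.
    """
    found = []
    for name, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := space.find(header, pos)) != -1:
            limit = min(len(space), start + max_size)
            end = space.find(footer, start + len(header), limit)
            if end == -1:
                pos = start + 1
                continue
            end += len(footer)
            found.append((name, start, space[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


def png_intact(data: bytes) -> bool:
    """Validate a PNG: correct 8-byte signature and a good CRC on every chunk up to IEND."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if len(body) != length or zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            return False
        if tag == b"IEND":
            return True
        pos += 12 + length
    return False


def repair_png_header(data: bytes) -> bytes:
    """Module 5.5 style fix: overwrite a damaged 8-byte signature with the real one."""
    return SIGNATURES["png"][0] + data[8:]


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid RGB PNG in memory (constructed sample, all-red pixels)."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        return (struct.pack(">I", len(body)) + tag + body
                + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


# Constructed "unallocated space": zero-filled clusters with one PNG and one
# JPEG-like object (JFIF header, filler, EOI marker) embedded at known offsets.
SAMPLE_PNG = make_png()
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
PNG_OFFSET = 512
JPG_OFFSET = PNG_OFFSET + len(SAMPLE_PNG) + 300
SAMPLE_SPACE = (b"\x00" * PNG_OFFSET + SAMPLE_PNG + b"\x00" * 300
                + SAMPLE_JPG + b"\x00" * 100)

if __name__ == "__main__":
    for kind, offset, blob in carve(SAMPLE_SPACE):
        note = f" intact={png_intact(blob)}" if kind == "png" else ""
        print(f"{kind} at offset {offset}, {len(blob)} bytes{note}")
    print("a PNG renamed to .txt is really:", identify(SAMPLE_PNG))
```

Footer-based carving cuts at the first footer it meets, so a JPEG that happens to contain the bytes ff d9 in its entropy-coded data is truncated; Foremost and Scalpel mitigate this with per-type size limits and, for some formats, by walking the structure instead of searching for a footer. Validating the carved object (here by checking every PNG chunk CRC) is the step that tells a truncated or mis-assembled carve apart from a good one.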

Hands-on 6: Steganography with S-Tools

  • Module 6.1: Steganography with S-Tools. Students will create a steganography file using S-Tools, a free steganography tool, by hiding a secret message in the image carrier. Students will then use MS-DOS commands to compare the two files and extract the hidden message from the steganography file.
  • Module 6.2: Bit-level Steganography. Students will hide and recover a message stored in a text file by performing bit shifting, bit inverting, and bit XOR operation in WinHex.

Hands-on 7: Steganography with Audio File

Students will hide a secret message in an audio file and then extract the message visually. The carrier audio file will be provided in .wav format. Students will first create a message on a canvas in the Paint tool. The image with the secret message is then converted to an audio file using Coagula. With Audacity, the audio file is appended to the carrier audio to generate the steganography audio. The secret message in the audio file sounds like a short piece of noise that human ears can hardly pick up. Finally, students will reveal the secret message visually by displaying the spectrogram of the steganography audio.

Hands-on 8: Developing Your Own Image Steganography Tool

Students will develop an image steganography tool that hides a message in the least significant bits of the pixels of an image and extracts a hidden message from the steganography file. Students will be provided with template code and specific instructions to complete it.
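The following is an added example of the technique this lab builds, not the lab's template code. It embeds a length-prefixed message in the least significant bit of each pixel sample, extracts it again, refuses a message the cover cannot hold, and shows that no sample changes by more than 1. The cover image is a constructed list of 8-bit grayscale samples generated in memory, so no imaging library is needed; with Pillow, `list(image.getdata())` from a mode "L" image gives the same kind of list and `Image.putdata()` writes it back.

```python
"""
LSB image steganography: hide a message in the least significant bit of each
pixel sample and recover it again.

Added example, not the lab's template code. COVER is a constructed list of
8-bit grayscale samples; a real image would be flattened the same way.
"""
import random

LENGTH_FIELD_BITS = 32  # a 32-bit big-endian byte count is embedded ahead of the message


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(samples: list) -> int:
    """Message bytes that fit in the cover once the length prefix is accounted for."""
    return (len(samples) - LENGTH_FIELD_BITS) // 8


def embed(samples: list, message: bytes) -> list:
    """Return a copy of `samples` whose LSBs carry len(message) followed by message."""
    if len(message) > capacity_bytes(samples):
        raise ValueError(f"cover holds {capacity_bytes(samples)} bytes, message is {len(message)}")
    payload = len(message).to_bytes(LENGTH_FIELD_BITS // 8, "big") + message
    stego = list(samples)
    for index, bit in enumerate(_bits(payload)):
        stego[index] = (stego[index] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return stego


def extract(samples: list) -> bytes:
    """Read the length prefix from the LSBs, then that many bytes."""
    def read_int(offset: int, nbits: int) -> int:
        value = 0
        for sample in samples[offset:offset + nbits]:
            value = (value << 1) | (sample & 1)
        return value

    length = read_int(0, LENGTH_FIELD_BITS)
    if LENGTH_FIELD_BITS + length * 8 > len(samples):
        raise ValueError("length prefix exceeds cover size: not an LSB stego image, or a different layout")
    return bytes(read_int(LENGTH_FIELD_BITS + i * 8, 8) for i in range(length))


def max_sample_change(cover: list, stego: list) -> int:
    """Largest per-sample difference; LSB embedding never changes a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 64x64 grayscale cover (deterministic pseudo-random samples).
_rng = random.Random(7)
COVER = [_rng.randrange(256) for _ in range(64 * 64)]

if __name__ == "__main__":
    secret = b"meeting moved to 09:30"
    stego = embed(COVER, secret)
    print("recovered:", extract(stego))
    print("max sample change:", max_sample_change(COVER, stego))
```

The length prefix is what makes extraction deterministic; without it the extractor would have to guess where the message ends. Because every sample changes by at most 1, the stego image is visually identical to the cover, which is also why LSB embedding is fragile: any lossy re-encoding of the image (JPEG compression, resizing) rewrites the low bits and destroys the message.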

Hands-on 9: Android Forensics

  • Module 9.1: Bypassing Android lock screen. Students will learn common techniques to bypass the Android lock screen in order to extract data from the device.
  • Module 9.2: Acquisition with the Android debugging tool adb. Students will perform a physical acquisition of the Android device using adb backup.
  • Module 9.3: Acquisition with AFLogical. Students will perform mobile phone acquisition with AFLogical.
  • Module 9.4: Android Emulator. Students will create an Android Emulator, a virtual device that can simulate a real mobile device. Students will replace the user data on the emulator with the data taken from the real device.
  • Module 9.5: Data analysis with adb. Students will use adb to perform operations such as analyzing data, pulling files from a device, and getting system usage statistics and Wi-Fi information.

Hands-on 10: Memory Forensics

  • Module 10.1: WinPmem. Students will perform memory acquisition on a physical machine and a VM using WinPmem and the hibernation file respectively.
  • Module 10.2: Volatility. Students will use the memory forensics tool Volatility to analyze a memory image, including getting the image information; identifying the running processes using different plugins and comparing their results; recognizing suspicious system processes; listing the DLLs, command lines, and handles for each process; and analyzing the registry information to identify the persistence mechanisms, dump password hashes and even reveal the cleartext passwords.
  • Module 10.3: Redline. Students will analyze the same memory image using Redline and compare the analysis results with results generated by Volatility.

Hands-on 11: Network Forensics with Xplico

  • Module 11.1: Remote acquisition with Xplico. To perform a remote acquisition on a suspect machine, students need to set up an investigation machine and conduct a man-in-the-middle attack on the suspect machine. Packet sniffing and live acquisition of the suspect machine's traffic can then be started using the open source tool Xplico on the investigation machine. Later, students will examine the captured data to analyze the suspect's activities.
  • Module 11.2: Xplico analysis without ground truth. Given a pcap file unrelated to Module 11.1, students will analyze the activities contained in the file, such as DNS queries and connection requests, the web pages visited, and emails sent and received.

Hands-on 12: Forensics on Discord

  • Module 12.1: Network traffic analysis. Students will analyze network traffic flow using regular network forensics tools such as Wireshark and netstat, and also use Fiddler to decrypt the traffic and analyze user activities (e.g. login).
  • Module 12.2: File cache analysis. Students will retrieve the files cached by Discord on the local disk and add the proper extensions to restore them to viewable files, either manually using a hex editor or automatically using CacheMonkey.
  • Module 12.3: Draft message retrieval. Students will analyze memory with Cheat Engine to recover information such as unsent draft messages in the Discord client.

Hands-on 13: Drone Forensics

  • Module 13.1: Drone analysis. Given the cost, students will not perform a data dump from the drone’s SD card and internal mounted storage, and will be provided with the acquired images from those storage media directly.
  • Module 13.2: Mobile controller forensics. Students will review and apply what they have learned in mobile forensics to analyze the controlling mobile phone of the drone.
  • Module 13.3: Drone forensics with a public data set. In previous modules, students are provided with ground truth to verify their analysis results. In this module, students will perform forensics on a public drone data set from the CFReDS project.

Hands-on 14: Reverse Engineering with IDA

  • Module 14.1: IDA code analysis with ground truth. Students will write a small C program with a few functionalities and obfuscations to create their own executables. They will then analyze the assembly code to understand how their programs are structured in assembly language.
  • Module 14.2: IDA code analysis without ground truth. Students will be given another executable (not the one they created in Module 14.1) to practice what they have learned and reverse engineer it.

Hands-on 15: Reverse Engineering with Ghidra

Students will perform activities similar to those in the previous lab, but in a different environment, Ghidra, an open source tool developed by the NSA and released in 2019. In addition to the above activities, students will also analyze provided binary executables to practice their reverse engineering skills and become familiar with the Ghidra environment.

Hands-on 16: Anti-Forensics Techniques

  • Module 16.1: Windows BitLocker. Students will use Windows BitLocker to encrypt the data on the entire volume of a Windows system.
  • Module 16.2: VeraCrypt. Students will encrypt a drive using VeraCrypt, a free open source tool for on-the-fly encryption. Students will also use the plausible deniability function, with which suspects can encrypt a hidden volume inside another regular volume. When they are required to provide a password for decryption, they may provide a fake one and fool investigators into accessing the decoy volume.
  • Module 16.3: Timestomping. Students will learn timestomping techniques, that is, manipulating timestamps such as a file's creation and modification times. They will also learn to detect timestomping by checking the Master File Table (MFT) in the NTFS file system.
  • Module 16.4: Code Obfuscation. Students will learn code obfuscation and practice de-obfuscation using tools such as Balbuzard, De4dot, Flare-floss, and VirtualDeobfuscator.
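The following is an added example for the detection side of Module 16.3; it is not part of the INFER lab material and does not parse a raw $MFT. The two records are constructed by hand with the values an MFT parser (Sleuth Kit's istat, for instance) would report, and the checks encode the usual heuristics: $STANDARD_INFORMATION ($SI) timestamps can be set from user mode, while $FILE_NAME ($FN) timestamps are maintained by the kernel, so an $SI time that predates its $FN counterpart, or an $SI time whose 100 ns fraction is exactly zero while $FN's is not, is an indicator worth examining.

```python
"""
Timestomping indicators from NTFS $MFT timestamps.

Added example, not lab material. The MftTimes records are constructed here
rather than parsed from a real $MFT; the FILETIME encoding (100 ns ticks
since 1601-01-01 UTC) is the one NTFS actually stores.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")


def to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """Convert a UTC datetime to a 64-bit FILETIME, optionally adding 100 ns ticks."""
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10 + extra_ticks


def from_filetime(ft: int) -> datetime:
    """Convert a FILETIME back to a datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


@dataclass
class MftTimes:
    name: str
    si: Dict[str, int]  # $STANDARD_INFORMATION timestamps, keyed by TIME_KEYS
    fn: Dict[str, int]  # $FILE_NAME timestamps, same keys


def timestomp_indicators(rec: MftTimes) -> List[str]:
    """Return human-readable indicators; an empty list means nothing suspicious."""
    findings = []
    for key in TIME_KEYS:
        # $FN copies $SI at creation/rename and is never moved backwards by
        # user-mode APIs, so $SI earlier than $FN means $SI was rewritten.
        if rec.si[key] < rec.fn[key]:
            findings.append(f"{rec.name}: $SI {key} predates $FN {key}")
        # Tools that set times via SetFileTime typically pass whole seconds,
        # leaving the 100 ns fraction zero; a genuine $FN value keeps it.
        if rec.si[key] % TICKS_PER_SECOND == 0 and rec.fn[key] % TICKS_PER_SECOND != 0:
            findings.append(f"{rec.name}: $SI {key} has a zero sub-second part while $FN does not")
    return findings


def sample_records() -> List[MftTimes]:
    """Two constructed records: an untouched file and one whose $SI was backdated."""
    created = datetime(2023, 5, 10, 14, 2, 11, tzinfo=timezone.utc)
    modified = datetime(2023, 6, 1, 9, 30, 5, tzinfo=timezone.utc)
    # Normal file: $FN frozen at creation, $SI advanced by a later edit.
    normal_si = {"created": to_filetime(created, 1234567),
                 "modified": to_filetime(modified, 7654321),
                 "mft_modified": to_filetime(modified, 7654321),
                 "accessed": to_filetime(modified, 7654321)}
    normal_fn = {key: to_filetime(created, 1234567) for key in TIME_KEYS}
    # Backdated file: every $SI value set to a whole second in 2008, $FN untouched.
    backdated = datetime(2008, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    stomped_si = {key: to_filetime(backdated) for key in TIME_KEYS}
    return [MftTimes("report.docx", normal_si, normal_fn),
            MftTimes("suspect.exe", stomped_si, dict(normal_fn))]


if __name__ == "__main__":
    for rec in sample_records():
        print(rec.name, "created ($SI):", from_filetime(rec.si["created"]).isoformat())
        for line in timestomp_indicators(rec):
            print("  !", line)
```

These are indicators, not proof. A file copied from a FAT volume carries whole-second modification times in both $SI and $FN, which is why the sub-second check compares against $FN rather than flagging every zero fraction, and $USN journal and $LogFile entries give the corroborating timeline an investigator needs before calling a timestamp manipulated.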