P2PLeakage
This lab scenario concerns the leakage of music files from a music company. The goal is to determine who and how the suspect leaked the files and posted them online. It is similar to the NIST data leakage lab, but in this case, it is suspected that P2P is involved. This lab has more detailed instructions and explanations.
ID00 Lab_Setup
This power point provides directions for setting up the lab environment for the case. It includes the software needed and the steps to download them, details of the lab scenario, and the case material.
ID01 Disk_Image_and_Partitions
This case provides a walkthrough for the process of verifying the integrity of the disk image by comparing MD5/SHA1 hash. It also lists the steps to determine the layout of a system’s files; like determining the file system and partition setup of the system.
ID02 Registry_and_File_Directory
This case introduces torrent client and files. It provides instructions on how to mount a disk image. The directions on how to extract and analyze registry file, and acquire the listing of files from a system are included.
ID03 MFT_Timeline
This case concentrates on how to handle the Master File Table, MFT. It provides a guide on how to extract the contents of the MFT, create a timeline with the contents, and filter through the timeline for specific entries.
ID04 USN_Journal_Timeline
This case concentrates on how to handle the Updates Sequence Number (USN) Journal. It provides directions on how to extract the contents of the USN Journal, create a timeline with the contents, and filter through for specific entries.
ID05 uTorrent_Log_File
This case introduces torrenting, how it works and how to identify the torrent application on a system. It also provides instructions on how to extract and analyze torrent files, locate and analyze utorrent log files, and identify peer IP addresses and port numbers.
ID06 File_Signature
This case introduces the concept of file signature. The .mp3 files are located and checked to see if they are the same as the ones from the company; this is done by checking the binary signature of the file.
ID07 Emails
In this case, the suspect’s emails are checked for any traces of an exchange of the copyrighted files. It also introduces link files and how to analyze them.
ID08 Web_History
In this case, the suspect’s web browser is investigated. It includes a guide on how to determine and analyze the web browser the suspect used. It also details the directions for determining how the suspect uploaded the torrent file to the internet and locating the origin of the torrent trackers.
ID09 Website_Analysis
In this case, a website analysis on the website the music file was uploaded is done. The uploaded torrent file is checked if it matches the one found in the system. Also, the author’s account is checked to see if it belongs to the suspect.
ID10 Timeline_of_Case
This is a spreadsheet detailing the timeline of events deduced form the forensic investigations in the previous slides. The suspect and artifacts of proof are included.
Questions
This document contains a list of questions to work through following the labs/slides included above.
p2p_lab_tool_install
This is a document with the instructions and commands for downloading the tools for this lab.
Forum Search
Hello, Has anyone here secured any forensic related internships for 2024? I'm collecting some data and wanted to know what...
By AP Malla, 1 year ago
How should I approach network forensic? Would you recommend learning tools like WireShark?
By AP Malla, 1 year ago
Understand the Basics: Know the Field: Cyber forensics involves investigating digital crimes, analyzing electronic data, and recovering hidden, deleted, or...
By AP Malla, 1 year ago