
Overview

This is a three (3) part assignment that uses several digital forensics techniques. Part 1 will show you
how to calculate a file's hash value. Part 2 will give you hands-on experience with file carving. Part 3 will
show you how much plaintext data can be recovered from network traffic.

Scenario
The city of New Orleans passed a law in 2004 making possession of nine or more unique rhinoceros
images a serious crime. The network administrator at the University of New Orleans recently alerted
police when his instance of RHINOVORE flagged illegal rhino traffic. Evidence in the case includes a
computer and USB key seized from one of the University's labs. Unfortunately, the computer had no
hard drive. The USB key was imaged and a copy of the dd image is in the project downloads (inside
course downloads) folder on the course page.

In addition to the USB key drive image, three network traces are also available; these were provided by
the network administrator and involve the machine with the missing hard drive. The suspect is the
primary user of this machine, who has been pursuing his Ph.D. at the University.

Part 1 - 5 pts
Tools
Windows: MD5 Hash (http://www.whitsoftdev.com/md5/)
FastSum (http://www.fastsum.com/download.php)

MacOS: MD5 (http://download.cnet.com/MD5/3000-2092_4-95588.html)

In the Mac Terminal type: md5 path/to/file

Task
Using a program that calculates a file's MD5 hash value, calculate the MD5 hash for the following files:
rhino.log
rhino2.log
rhino3.log
RHINOUSB.dd

Part 2 - 5 pts

Tool
Windows/MacOS: PhotoRec (http://www.cgsecurity.org/wiki/TestDisk_Download)

Task
PhotoRec is a file carving tool. Use PhotoRec to carve any files that could be present in RHINOUSB.dd.
Remember, this file is an image of the USB key seized from the lab.
Use the PhotoRec Tutorial posted along with the assignment to guide you through this section. At the
end, you should have a folder called recup_dir.1 to submit to your professor. The folder will contain
image, text and doc files.

Part 3 - 10 pts

Tool
Windows: HxD (http://mh-nexus.de/en/downloads.php?product=HxD)

MacOS: HexEdit (http://hexedit.en.softonic.com/mac)

Task
A hex editor allows you to view and edit non-plaintext files. View the following files using a hex editor:

rhino.log
rhino2.log
rhino3.log
RHINOUSB.dd

Using the hex editor to view the files above and the files that you carved out of the USB key image using
PhotoRec, answer the following questions:

1. Who gave the accused a telnet/ftp account?
2. What's the username/password for the account?
3. What happened to the hard drive in the computer? Where is it now?
4. What happened to the USB key?
5. What is recoverable from the dd image of the USB key?

You will need information from both parts 2 and 3 to answer all these questions. Hint: You can run
plaintext keyword searches in the hex editor to find information.
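
A scripted equivalent of the hex editor keyword search from the hint, combined with the Part 1 hash check so you can show the evidence file was not altered by the search. This is an added example, not part of the original assignment; the sample bytes and keywords are constructed for illustration and do not come from the case files.

```python
import hashlib
import re

# Runs of 4+ printable ASCII bytes, the default rule of the Unix `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so hashing a large dd image uses little RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def keyword_hits(data, keywords):
    """Return (offset, text) for each printable run in `data` containing a keyword.

    Matching is case-insensitive. The offset is the byte position where the run
    starts, which is the address to jump to in the hex editor.
    """
    wanted = [k.lower().encode("ascii") for k in keywords]
    hits = []
    for match in PRINTABLE_RUN.finditer(data):
        run = match.group()
        if any(k in run.lower() for k in wanted):
            hits.append((match.start(), run.decode("ascii")))
    return hits

def search_file(path, keywords):
    """Hash the evidence file, search it, then hash again to confirm it is unchanged."""
    before = md5_of_file(path)
    with open(path, "rb") as fh:
        hits = keyword_hits(fh.read(), keywords)  # the search loads the whole file
    if md5_of_file(path) != before:
        raise RuntimeError("evidence file changed during analysis")
    return before, hits

# Constructed sample: binary bytes around two plaintext fragments (not case data).
SAMPLE = (b"\x00\x01\xff" + b"login: example-user\r\n" +
          b"\x90\x00\x7f\x02" + b"Password: example-pass" + b"\x00")

if __name__ == "__main__":
    for offset, text in keyword_hits(SAMPLE, ["login", "password"]):
        print(f"0x{offset:08x}  {text}")
```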
