Forensics: Hidden Data

Hidden Data in Files.  The purpose of this lab is to demonstrate the use of a hex editor and a hash tool in computer forensics. It also shows how data can be modified within a file, or hidden on a disk without ever being saved as a file. A hash value is used to find the initial evidence of tampering with a file, and a hex editor is then used to compare the two files and locate the exact differences. The hex editor also demonstrates that hidden data can be stored on the storage device without being saved as a file in the operating system.

The idea is that there is a lot of slack space (shown as dots in the hex editor) on the storage device, running from the end of the file's data to the end of the sector the file is saved in. This is the space on a disk that goes unused when a file smaller than a sector is saved into that sector; the file system only uses it if the file grows large enough to fill the sector. A hex editor can write data straight into this slack space, as this exercise demonstrates. The MD5 hashing tool runs an algorithm over a file to derive its hash value. Each file has a unique hash value, so even a slight change to a file produces a totally different hash value.

1.  Login to a Windows machine in the lab.

a.  Username: Administrator

b.  Password: (no password)

2.  Open Windows Explorer, browse to c:\temp\forensicdata\modified and run the file spider.exe (Spider Solitaire). This is the modified file.

3.  Does the game of solitaire function as intended?

4.  Double click the link “MD5Hash” to open an MD5 hashing tool.

5.  From Windows Explorer, drag the file “spider.exe” in folder c:\temp\forensicdata\modified to the MD5Hash window.

6.  What is the hash value displayed for the modified file?

7.  Similarly, what is the hash value for the original file “spider.exe” in folder c:\temp\forensicdata\original?

8.  Close all windows.

9.  Open Hex Workshop by double clicking the link “Hex Workshop.”

10.  Click the Compare button on the toolbar (or go to the Tools menu and click Compare > Compare Files).

11.  Click the button (with an ellipsis) to the right of the Source box and browse to c:\temp\forensicdata\original\spider.exe.

12.  Click the button (with an ellipsis) to the right of the Target box and browse to c:\temp\forensicdata\modified\spider.exe.

13.  Make sure the Resynchronizing Compare radio button is selected.

14.  Click OK to begin comparing the two files.

15.  On the toolbar, click the Next Difference button (next to the Compare button on the toolbar, or go to the Tools menu and click Compare > Next Difference).

This highlights every difference between the files for you. The top window shows the original file and the bottom window shows the modified file. You should see the text that was inserted into this file using a hex editor. This could have been malicious code that was executed when you first opened the file.

16.  Close all windows.
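The same two checks the lab performs by hand, hashing both copies and then running a resynchronizing byte compare to locate exactly what changed, as an added Python example that is not part of the lab materials. The two byte strings stand in for the original and modified spider.exe and are constructed here; the sector size of 512 bytes used for the slack-space calculation is an assumption.

```python
import difflib
import hashlib

# Constructed stand-ins for the lab's two copies of spider.exe: a fake "original"
# whose bytes are all distinct, and a "modified" copy in which a hex editor has
# overwritten six bytes at offset 100 with the text HIDDEN.
ORIGINAL = bytes(range(128))
MODIFIED = ORIGINAL[:100] + b"HIDDEN" + ORIGINAL[106:]


def md5_hex(data: bytes) -> str:
    """Hash value an MD5 hashing tool would display for a file's contents."""
    return hashlib.md5(data).hexdigest()


def hashes_differ(a: bytes, b: bytes) -> bool:
    """Initial evidence of tampering: any change to the bytes flips the digest."""
    return md5_hex(a) != md5_hex(b)


def resync_compare(a: bytes, b: bytes):
    """Resynchronizing compare of two byte sequences, like Hex Workshop's option.
    Returns each differing region as (kind, offset_in_a, bytes_in_a, offset_in_b,
    bytes_in_b); kind is 'replace', 'insert' or 'delete'. Because the matcher
    resynchronizes after an insertion, bytes that merely shifted are not reported."""
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [(tag, i1, a[i1:i2], j1, b[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def slack_bytes(file_size: int, sector_size: int = 512) -> int:
    """Unused bytes between the end of a file and the end of its last sector
    (512-byte sectors assumed). This is the slack space a hex editor can write
    into without any directory entry pointing at the data."""
    return (-file_size) % sector_size


if __name__ == "__main__":
    print("original MD5:", md5_hex(ORIGINAL))
    print("modified MD5:", md5_hex(MODIFIED))
    print("tampered:", hashes_differ(ORIGINAL, MODIFIED))
    for kind, off_a, old, off_b, new in resync_compare(ORIGINAL, MODIFIED):
        print(f"{kind} at offset 0x{off_a:08x}: {old.hex()} -> {new!r}")
    print("slack bytes for a 1300-byte file:", slack_bytes(1300))
```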

NOTE: Hex-editors and other editors that can write directly to a storage device must be used with extreme caution.