Lab 2 - Rhino Hunt!

Class: CYBR-405

Notes:

Questions

Q1

Do the reported hash values match the evidence?

Options:

• True
• False

Overall explanation:

• Instruction of the professor

Q2

How many files were visible (not deleted) on the USB thumb drive image?

Options:

• 0
• 2
• 7
• 9

Overall explanation:

Q3

How many image (picture) files did you recover from the file carve process?

Options:

• 0
• 100
• 9
• 12

Overall explanation:

• To recover deleted files, we will use a program named Photorec. To launch the program, open a terminal window on the Desktop, type photorec, hit enter, and type your Kali password when prompted.

• Use the arrow down button to select the 259 MB partition and hit enter to proceed.
  

• Select the FAT16 partition and hit enter to search.
  

• Select “Other” for filesystem type and hit enter to proceed.
  

• Select “Free” and hit enter to proceed.
  

• Hit Shift and C (Capital C) to select the default storage location for the search results. The default location should be where you opened the terminal window. For example, the terminal window below was opened from the Desktop.
  

• After the search, Photorec will indicate if it was able to recover any files and where those recovered files were stored. Hit “Q” twice to Quit the program
  

  • Note that we got 132 files saved in ...

• Open the recup_dir.1 to see the recovered files. (Note: to delete the recup_dir.1, open a terminal window, type sudo chmod 777 recup_dir.1, hit enter).
  

  • There are 9 image files (jpg or gif)

• The pictures and the .doc file are the only files recovered of evidentiary significance for this lab.

• Review the evidence you have processed so far to determine if you can answer any of the questions. When done, unmount the image, you should not need it anymore.

• To unmount the image, right click on the image icon and select "Unmount Volume".