Microsoft windows systems | Computer Science homework help
· WinHex.zip (1.125 MB)
You need to finish one of the following choices for this week's project. If you are using Microsoft Windows (Windows XP/Vista/7), use Choice 1 (WinHex). If you are using MacOS, use Choice 2.
Choice 1: Microsoft Windows Based Platform
Download WinHex from http://www.x-ways.net/winhex/index-m.html (an earlier version is available in the week 3 Individual project folder). Choose at least four features of WinHex (there is a list of WinHex features at http://www.x-ways.net/winhex/allfeatures.html) and test these features on your computer. Submit a report. If possible, we prefer that you include the following features in your tests:
- Check the operating system’s swap file (e.g., pagefile.sys). Using WinHex, go through the swap file. Have you found any interesting results?
- Try to find any of your passwords on the hard drive (e.g., the passwords to one of your online email servers)
- Data recovery
Some hints on running WinHex
1. Either log in as an administrator or use ‘Run as…’ to start WinHex. If your platform is Windows Vista or Windows 7, you have to right-click on WinHex and choose “Run as administrator”.
2. Click Tools > Open Disk, and select C:
3. Click OK. The drive opens. You now have a snapshot of drive C:.
4. Scroll through the contents to pagefile.sys and select it.
5. If you right-click on pagefile.sys and then click View, WinHex says: “Available only for owners of a forensic license”. This is not what you want.
If you right-click on pagefile.sys and then click Open, WinHex displays pagefile.sys as an empty file. This is not what you want.
And if you right-click on pagefile.sys and then click Recover/Copy, WinHex exports pagefile.sys as an empty file. This is not what you want.
The last two options only save the reference to pagefile.sys held in the snapshot, not the contents of the file.
6. In fact (this is the important bit) you don’t need to do any right-clicking: as soon as you selected pagefile.sys at step 4 above, its raw contents were displayed in the lower pane of WinHex.
7. If you look at the entry in the “1st Sector” column for pagefile.sys, you will see that the sector number matches the sector number displayed in the status bar at the bottom of WinHex.
8. Click on another file for a moment and you will see that the Sector number in the status bar has changed.
9. Now, click on pagefile.sys again.
· You need to design a CASE for other students to investigate. At the end of this week you should generate the following materials:
1. A case description. For example, what kind of suspect do you have, and what kind of potential criminal activities may the suspect have committed?
2. Generate some potential evidence files (you may delete or overwrite them, etc.) on a floppy disk or a small USB memory stick (the image could be huge if you use a large USB memory stick). Use some of the tools discussed in the VirtualTools message to make a bit-by-bit image of your floppy. Though you can delete files and perform any kind of activity, it is important that you leave some traces for other students to find as evidence in your image next week. For reference, you may follow the style of the images at http://dftt.sourceforge.net/ when generating your case image. Since many laptops do not come with a floppy drive, you may work on a virtual floppy drive (that is, an entirely software-based image). Some tools are discussed in the VirtualTools message.
3. A detailed report on what kind of evidence you expect the other students to find
At the end of this week, you should submit the materials to the hand-in-assignment folder. In addition, please post your items 1 and 2 to the Discussion Forum for the week 5 seminar, and mark the subject line as “Your_Name’s case for investigation”. In week 5, other students are required to find the evidence for your case, and you are required to find evidence in the images supplied by other students.
Your item 3 is used to evaluate other students’ project findings at the end of week 5 (by me). But please also post your item 3 (the solution) in the week 5 folder at the end of week 5 (that is, around Thursday of next week).
Please post item 2 and item 3 to the following project submission link.
Virtual Floppy Tools
The easiest methods for converting between an image file and a disk are:
1. dd: Unix-like machines have the dd command built in. For Windows machines, you may use “dd for Windows” from http://www.chrysocome.net/dd
2. NTRawrite: from http://ntrawrite.sourceforge.net/
3. WinImage (part of FDFORMAT, a shareware package for DOS written by Christoph H. Hochstätter) from http://www.winimage.com/winimage.htm
4. dcf ftp://ftp.simtel.net/pub/simtelnet/msdos/diskutil/dcf5_3.zip (a copy is included)
5. Floppy Image from http://www.towodo.com/products/floppyimage/faq/
6. FTK Imager at http://www.accessdata.com/common/pagedetail.aspx?PageCode=downloads
In order to work with floppy images without a floppy drive, check http://members.at.infoseek.co.jp/chitchat/vmware/vfd.html#top (a binary file is included as well) or check the virtual floppy tool http://www.wintotal.de/yad/index.php?id=3223
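The following script is an added example for item 2 of the case assignment and for the dd entry in the tool list above; it is not part of the course materials. It builds a constructed floppy-sized image, plants a constructed text string in one sector, takes a bit-for-bit copy with dd, verifies the copy by hash, and then locates the string in the raw copy. No file system is created, so there is no directory entry for the planted data: the point is that the raw sectors carry the content regardless of what a file listing would show, which is why traces you leave on your case image remain findable for the other students. It assumes a POSIX sh with dd, grep and either sha256sum or shasum available.

```shell
#!/bin/sh
# Added example (not from the assignment): image a constructed "floppy" bit-for-bit
# with dd, verify the copy by hash, and search the raw copy for a planted string.
set -eu

# Hash helper. Assumption: sha256sum (Linux coreutils) or shasum (macOS) is present.
img_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Create a 1.44 MB zero-filled image: 2880 sectors of 512 bytes, like a floppy.
make_image() {
    dd if=/dev/zero of="$1" bs=512 count=2880 2>/dev/null
}

# Plant a constructed "evidence" string at sector 100. conv=notrunc keeps the
# image at its full size instead of truncating it after the written block.
plant_evidence() {
    printf 'CASE-NOTE: meeting at the warehouse, 2300h' |
        dd of="$1" bs=512 seek=100 conv=notrunc 2>/dev/null
}

# Bit-for-bit copy of the image with dd (the same form used to image a real
# drive on a Unix-like machine). conv=noerror keeps going past read errors and
# conv=sync pads short blocks so sector offsets stay aligned. Returns 0 only if
# the copy's hash equals the source's hash.
image_and_verify() {
    src=$1 dst=$2
    dd if="$src" of="$dst" bs=512 conv=sync,noerror 2>/dev/null
    [ "$(img_hash "$src")" = "$(img_hash "$dst")" ]
}

# Locate the planted string in the raw copy and print its byte offset.
# grep -a treats the binary image as text; -b -o reports the match offset.
find_trace() {
    grep -a -b -o 'CASE-NOTE' "$1" | cut -d: -f1
}

demo() {
    dir=$(mktemp -d)
    make_image "$dir/floppy.img"
    plant_evidence "$dir/floppy.img"
    image_and_verify "$dir/floppy.img" "$dir/floppy.dd"
    find_trace "$dir/floppy.dd"    # prints 51200, i.e. sector 100 * 512 bytes
    rm -rf "$dir"
}
```

Run `demo` to exercise the whole flow. The offset it prints divided by 512 gives back the sector the string was written to, which mirrors the “1st Sector” check described for WinHex above: the raw contents live at a sector address, independent of any file name.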