Computer Forensics

Copyright Priscilla Oppenheimer

Computer Forensics Lab 5 Cloning a Disk with WinHex

Scenario

You are a computer forensics investigator who has seized a floppy disk into evidence. Because you should never work with the original evidence, you will clone this disk. Cloning the disk will create a bit-stream image file that is an exact replica, bit-for-bit, of the original data on the disk. The WinHex software lets you clone disks. WinHex also has many other features for analyzing and recovering evidence that we will explore in future labs.

Document Your Work

  1. Using Microsoft Word or Notepad, start an activity log that documents the major steps that you take.
  2. Note: Each student should write an activity log, even if you work together on the WinHex hands-on activities.
  3. Include the case number, which is 6666.
  4. Include a date.
  5. Include a start time, end time, and a few other times as you work.
  6. Save your activity log on your F drive. You will be submitting it electronically. Save every so often in case you crash your computer.

Prepare the Floppy Disk

  1. Set the floppy disk to Read Only.
  2. Insert the floppy disk into the floppy disk drive on your computer forensics workstation (the lab computer).

Start the WinHex Software

  1. Click on the Windows Start button and navigate to WinHex.
  2. Start the WinHex software.

Open and Authenticate the Floppy Disk

  1. From the Tools menu in WinHex, select Open Disk.
  2. Select Removable medium (A:) and click OK. (Removable medium refers to your floppy disk.)
  3. From the Tools menu, select Calculate Hash. This will give you a "digital fingerprint" of the original floppy disk. Later we will get a digital fingerprint of the clone (bit-stream image file). They should match.
  4. Select the MD5 (128-bit) hash algorithm and let the computer make the calculation. It could take a while. Be patient.
  5. Copy and paste the results (the hash) into your activity log (with a note about what it is, e.g. the MD-5 hash of the original disk).

Clone the Floppy Disk

  1. From the Tools menu, select Disk Tools and then Clone Disk.
  2. For the Source Disk, click on the disk icon, and select Removable medium (A:).
  3. For the Destination, we will use a file. We will clone to a destination file (not to a disk).
  4. Make sure you see Destination File rather than Destination Disk.
  5. Click on the file icon.
  6. Tell WinHex that you will save the clone (image) to a file on your F drive. Name the file something like 666FloppyImage.
  7. If you see a scary message that says something like, "Warning: the integrity of the disk may be severely damaged," STOP. Ask for help.
  8. Otherwise, click OK to get the cloning started. The cloning may take a while. Be patient

Authenticate the Clone

  1. Once WinHex has cloned your disk, you should see a new window that shows the data in the clone (image file).
  2. From the Tools menu, select Calculate Hash. This will give you a "digital fingerprint" of the clone. It should match the fingerprint of the original floppy disk.
  3. Select the MD5 (128-bit) hash algorithm and let the computer make the calculation. It could take a while. Be patient.
  4. Copy and paste the hash into your activity log (with a note about what it is, e.g. the MD-5 hash of the clone).
  5. Is the hash the same as the hash for the original disk? Include the answer to this question in your log. (If it's not the same, then you have a damaged clone and you would not use it in your investigation.)

Make a Quick Analysis of the Data on the Floppy (and Clone) If There's Time

  1. In WinHex, scroll down in the window for your image file. Do you see any readable text? Jot down a few examples in your activity log.
  2. From the Specialist menu in WinHex, select Interpret Image as Disk. This will let you see files and directories, even files and directories that the user deleted. (WinHex shows deleted files and folders in a paler color. It's a bit subtle. Don't worry for now if you can't see it. We'll discuss this later.)
  3. Compare what WinHex says is on the disk to what the Windows Operating System says is on the disk. In Windows, click on Start and then My Computer. Double-click on the 3 1/2 inch Floppy icon. Jot down in your activity log any obvious differences for what Windows shows compared to what WinHex shows.

Submission

Submit your activity log electronically. Each student should submit an activity log even if you worked together on the WinHex hands-on activities.