Module-12 - LPouliot/Soph-Spring-FOR-100-Digital-Forensics GitHub Wiki

Bulk Extractor Lab

Log in to VMware Horizon:

viewportal.champlain.edu

Open the forensic VDI.


Open a web browser and download Bulk Extractor.

Windows 64-bit Installer (GUI): bulk_extractor-1.6.0-dev-rec03-windowsinstaller_x64.exe (SHA-256: a219eeb4184a8cf23f5645b0c79c0cf7eab457c978ad91a362c0f7624c87925a)
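Since the installer's SHA-256 is published alongside the download, check it before running the file. The Python below is an added example (not part of the lab or of Bulk Extractor): `verify_sha256()` and `demo()` are hypothetical helper names, the file is hashed in chunks so a large installer does not have to fit in memory, and the digests are compared in constant time. `demo()` exercises the check on a constructed temp file whose SHA-256 is known.

```python
"""Verify a downloaded installer against its published SHA-256 (added example)."""
import hashlib
import hmac
import tempfile

# Digest published on this page for the Windows 64-bit installer.
BULK_EXTRACTOR_INSTALLER_SHA256 = (
    "a219eeb4184a8cf23f5645b0c79c0cf7eab457c978ad91a362c0f7624c87925a"
)


def sha256_of_file(path):
    """Hash a file in 1 MiB chunks and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha256(path, expected_hex):
    """True only if the file's digest equals the published one.

    The published value is normalised to lowercase so a pasted uppercase
    digest still matches; compare_digest avoids timing side channels.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo():
    """Self-check on a constructed file: b'abc' has a well-known SHA-256."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")
        path = tmp.name
    good = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
    bad = "0" * 64
    return verify_sha256(path, good), verify_sha256(path, bad)


if __name__ == "__main__":
    print("self-check (match, mismatch):", demo())
    installer = "bulk_extractor-1.6.0-dev-rec03-windowsinstaller_x64.exe"
    try:
        ok = verify_sha256(installer, BULK_EXTRACTOR_INSTALLER_SHA256)
        print("installer digest matches" if ok else "HASH MISMATCH: do not run the installer")
    except FileNotFoundError:
        print(f"{installer} not found in the current directory")
```

Run it from the folder the installer was saved to; a mismatch means the file is not the one the page lists, whether from a corrupted download or a substituted binary.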


Also download Java if you need it (the Bulk Extractor Viewer is a Java application):

https://www.java.com/en/download/

Please download the folder from the network directory:

studentshared\Letourneau\bulk_extractor

Google Drive share

Inside are 3 files:

A system image,

Download instructions,

Lab questions for the system image.



Run the downloaded installer to install Bulk Extractor Viewer.

Then search for it in the Windows search bar to launch it.


To use it: open the Tools menu, then choose Run bulk_extractor.


The window on the left is the viewer.

The one on the right is the extractor.


Select the three dots next to Image File, then change the file type filter to All Files; otherwise the dialog will not show the image we are looking for.


Select the three dots next to Output Feature Directory, then make a new folder called Output inside the Bulk_Extractor folder.


Check Include wordlist, then click Submit Run.


It's Done!


Head back to the Bulk Extractor Viewer.



Lab Questions:

Run Bulk Extractor against the provided disk image and answer the following questions:

(1) How many phone numbers can you find?

  • There are five phone numbers in total: 202-555-0123, 202-555-0197, 202-555-0186, 202-555-0163, 202-555-0170. The histogram shows that 202-555-0186 was found twice, while the other phone numbers were found only once.


(2) How many times does Bulk Extractor say the email mailbox "@armyspy.com" is used?

  • The email domain histogram shows that @armyspy.com was used twice.


(3) How many credit card numbers does Bulk Extractor pull?

  • Looking at the ccn histogram, there were 13 credit card numbers found.


  • Here are all of the cards found. All of them appear to be legitimate card numbers, which is strange, as they were not supposed to be on the disk.


(4) How many docx files are there on this disk?

  • Look at the Windows directories feature file, windirs.txt, and use the feature filter to search for docx. The search returned the file "How to steal Credit Cards.docx".


(5) Run the following keywords against the drive and list your findings for each keyword.

  • Open wordlist.txt and use the search filter on each keyword to learn more about it.

Laurie Ward

  • Laurie Ward is one of the credit card holders documented on the disk.


Amazon

  • Amazon was listed as one of the good sites for making purchases with stolen cards.


Confession

  • There is a confession about stealing credit cards to help pay for video games in small stores. The confessor's name is Joe F.


Position

  • There is a letter addressed to Dave about Joe quitting their position as a pen manufacturer.

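The viewer's histograms (questions 1 and 3) and search filter (questions 4 and 5) are derived from the plain-text feature files bulk_extractor writes to the output directory. As an added example, not part of this lab write-up or of bulk_extractor itself, the Python below rebuilds those views from constructed sample text laid out like bulk_extractor's tab-separated feature files (offset, feature, context, with `#` header lines). The phone numbers are the lab's 555 values; the card numbers are the well-known Luhn test numbers plus one invalid string, not real accounts; all function names are my own. The Luhn check illustrates why every number in the ccn histogram looked "legit": a digit string that fails the checksum is not a plausible card number.

```python
"""Rebuild bulk_extractor histograms and keyword filters from feature files (added example)."""
from collections import Counter

# Constructed sample in the shape of telephone.txt: offset <TAB> feature <TAB> context
TELEPHONE_TXT = """\
# BULK_EXTRACTOR-Version: 1.6.0-dev
# Feature-Recorder: telephone
# Filename: image.E01
1048576\t202-555-0123\tCall me at 202-555-0123 tomorrow
2097152\t202-555-0197\tHome: 202-555-0197
3145728\t202-555-0186\tContact 202-555-0186 for orders
4194304\t202-555-0163\tcell 202-555-0163
5242880\t202-555-0170\tphone: 202-555-0170
6291456\t202-555-0186\tcall 202-555-0186 again
"""

# Constructed sample in the shape of ccn.txt (test numbers, not real accounts)
CCN_TXT = """\
# Feature-Recorder: ccn
7340032\t4111111111111111\tcard 4111111111111111 exp 12/26
7340100\t5500000000000004\tmc 5500000000000004
7340200\t1234567890123456\tnot a card 1234567890123456
"""


def parse_features(text):
    """Yield (offset, feature, context) from a feature file, skipping '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 2)
        if len(parts) < 2:          # malformed line: no feature column
            continue
        context = parts[2] if len(parts) == 3 else ""
        yield parts[0], parts[1], context


def histogram(text):
    """Count each distinct feature; this is what the *_histogram.txt files report."""
    return Counter(feature for _, feature, _ in parse_features(text))


def format_histogram(counts):
    """Render counts as 'n=COUNT<TAB>FEATURE', most common first."""
    return "\n".join(f"n={n}\t{feature}" for feature, n in counts.most_common())


def luhn_valid(digits):
    """Luhn checksum: separates a plausible card number from a run of digits."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def valid_card_numbers(text):
    """Features from a ccn file that pass the Luhn check, in file order."""
    return [f for _, f, _ in parse_features(text) if luhn_valid(f)]


def search_features(text, keyword):
    """Case-insensitive filter over feature and context, like the viewer's search box."""
    needle = keyword.lower()
    return [(off, f, ctx) for off, f, ctx in parse_features(text)
            if needle in f.lower() or needle in ctx.lower()]


if __name__ == "__main__":
    print(format_histogram(histogram(TELEPHONE_TXT)))
    print("Luhn-valid cards:", valid_card_numbers(CCN_TXT))
    print("search 'orders':", search_features(TELEPHONE_TXT, "orders"))
```

On the constructed sample the histogram reproduces the pattern from question 1 (one number counted twice, four counted once), the Luhn filter keeps the two test card numbers and drops the sequential digits, and the keyword search returns the single feature whose context mentions "orders". Point `parse_features` at the real telephone.txt, ccn.txt or wordlist.txt to get the same views the GUI shows.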