Another lab-heavy day, but full of hands-on learning. Today, we dove deeper into forensic imaging – specifically with dc3dd.

I created a forensic image of a .img file using the command:

sudo dc3dd if=/dev/loop10 of=example1.img log=imaging_loop10.txt

After that, I performed integrity checks by comparing hashes of the original and the image to ensure the copy was exact. Then came the mounting process:

  1. Created a mount point:

sudo mkdir -p /mnt/example1

  2. Mounted the image:

sudo mount -o loop example1.img /mnt/example1

Mounting basically makes a disk image file accessible as if it were a real, physical drive. Once mounted, I explored the file system and began extracting data.
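The image-hash-mount workflow above, written out as a shell script. This is an added example, not code from the original post: the paths are placeholders standing in for the /dev/loop10 source and example1.img output used in the lab, and the dc3dd hash=sha256 option plus the read-only mount flags are additions the post itself did not use. verify_image re-hashes the finished image independently so the comparison does not rely on the tool's own log alone.

```shell
#!/bin/sh
# Added example (not from the original post): verify a dc3dd image against its
# source and mount it read-only. All paths are placeholders; the lab used
# /dev/loop10 as the source and example1.img as the output.

# Hash a file or block device with SHA-256 and print only the digest.
digest() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Compare the digest of the source and of the image. Returns 0 when they
# match and 1 when they do not, so it can be used directly in an "if".
verify_image() {
    src="$1"
    img="$2"
    src_hash=$(digest "$src")
    img_hash=$(digest "$img")
    if [ "$src_hash" = "$img_hash" ]; then
        echo "MATCH $src_hash"
        return 0
    else
        echo "MISMATCH source=$src_hash image=$img_hash" >&2
        return 1
    fi
}

# Full acquisition workflow; run as root. dc3dd can hash the stream itself
# with hash=sha256 (recorded in the log), so the source is read only once;
# verify_image then re-hashes the written image as an independent check.
acquire_and_mount() {
    src="$1"   # e.g. /dev/loop10
    img="$2"   # e.g. example1.img
    mnt="$3"   # e.g. /mnt/example1

    dc3dd if="$src" of="$img" hash=sha256 log="${img%.img}_imaging.txt" || return 1
    verify_image "$src" "$img" || return 1

    mkdir -p "$mnt"
    # ro: never write to the evidence; noexec: nothing inside the image runs.
    mount -o ro,loop,noexec "$img" "$mnt"
}

# Run the workflow only when invoked directly with three arguments; sourcing
# the file just defines the functions.
if [ "$#" -eq 3 ]; then
    acquire_and_mount "$1" "$2" "$3"
fi
```

Usage: `sudo sh acquire.sh /dev/loop10 example1.img /mnt/example1`. The post mounts with `-o loop` only, which is read-write; mounting evidence `ro` is the habit to build, and for ext3/ext4 images adding `noload` as well stops the kernel from replaying the journal on mount, which would otherwise alter the image.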


After the imaging exercise, I completed two Windows forensics labs: one mandatory, one optional.

In the first lab, I used Registry Explorer to pull out system information and details about user accounts. Navigating through the Windows registry was… overwhelming at first. There are so many folders, it’s like a maze.

One of the paths I had to locate was: Microsoft\Windows\CurrentVersion\NetworkList\Signatures

It wasn’t as easy as I thought it would be, but we had some help from the professor to set us up, which made it much more doable.


The second lab was even more exciting – we explored deleted file recovery using Autopsy, which made the process surprisingly visual and intuitive.

I also used some of Eric Zimmerman’s forensic tools. For context, Zimmerman is a developer who creates open-source tools for digital forensics, especially around Windows artifacts. Here’s a quick breakdown of what I used:

MFTECmd.exe – Parses NTFS metadata files like $MFT and $Boot. It helped surface detailed file system activity.

PECmd.exe – Parses Prefetch files, which show:

  • Last time an application ran
  • Number of times it was executed
  • Files and devices it interacted with

WxTCmd.exe – Extracts Windows 10 timeline data, showing program execution history.

JLECmd.exe – Parses Jumplists, revealing first and last run times for applications and associated AppIDs.

LECmd.exe – Extracts metadata from shortcut files (located at C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\).

These tools really opened my eyes to just how much Windows keeps behind the scenes and how much can be recovered with the right methods.


Today was another packed session, but I’m really enjoying this material. It’s challenging in all the right ways. I’m getting close to finishing the Cybersecurity Path 101, and I’m proud to be ahead in the bootcamp and I want to keep it that way. Tomorrow I’ll finish the path!