Digital Forensics Manual Aayushi
College of Engineering
Opp. Gujarat University, Navrangpura, Ahmedabad 380015
LAB MANUAL
Branch: Computer Engineering
Faculty Details:
1. Prof. Dr. R. A. Jaiswal
2. Prof. H. B. Pandya
DIGITAL FORENSICS (3170725) 210280107035
CERTIFICATE
Sign of Faculty:
Preface
With the rapid growth of internet users across the globe, the rate of cybercrime is also increasing.
Nowadays, Internet applications have become an essential part of every discipline, with a variety of
domain-specific applications. The basic objective of offering this course is to make engineering
graduates aware of cybercrimes and their modus operandi so that they can analyze an attack.
By using this lab manual, students can go through the relevant theory and procedure in advance of
the actual performance, which creates interest and gives students a basic idea prior to the
performance. This in turn enhances the predetermined outcomes among students. Each experiment in
this manual begins with the competency, relevant skills, course outcomes and practical outcomes
(objectives). The students will also learn the safety and other precautions to be taken while
performing the practical.
This manual also provides guidelines to faculty members to facilitate student-centric lab activities
through each experiment by arranging and managing the necessary resources, so that the students
follow the procedures with the required safety and precautions to achieve the outcomes. It also
gives an idea of how students will be assessed by providing rubrics.
Industry Relevant Skills
The following industry relevant competency is expected to be developed in the student by
undertaking the practical work of this laboratory.
1. Investigation and analysis skills: Develop the ability to investigate and analyze various
digital devices and systems, including computers, mobile devices, and networks. Learn
how to extract and analyze data from these devices and systems to identify evidence of
cybercrime.
2. Evidence handling and preservation skills: How to handle and preserve digital evidence in
a way that is admissible in court. This includes learning about chain of custody, evidence
storage, and documentation.
3. Technical skills: Technical skills related to computer and network security, including
knowledge of operating systems, file systems, and network protocols. Students may also
learn about encryption, steganography, and other techniques used to hide information.
4. Legal and regulatory knowledge: Relevant laws and regulations related to cybercrime,
such as the IT Act 2000. Students will learn about legal procedures, courtroom
procedures, and other aspects of the legal system.
5. Communication and reporting skills: Students will learn how to communicate complex
technical information to non-technical stakeholders, such as lawyers, judges, and juries.
They will also learn how to write clear and concise reports that summarize their findings
and conclusions.
6. Critical thinking and problem-solving skills: Complex problem-solving scenarios that
require students to think critically and apply their knowledge and skills to real-world
situations.
Guidelines for Faculty members
1. Teachers should provide guidelines, with a demonstration of the practical, to the
students covering all features.
2. Teachers shall explain the basic concepts/theory related to the experiment to the students
before starting each practical.
3. Involve all the students in the performance of each experiment.
4. Teachers are expected to share the skills and competencies to be developed in the students
and ensure that those skills and competencies have been developed after the completion
of the experimentation.
5. Teachers should give students the opportunity for hands-on experience after the
demonstration.
6. Teachers may provide additional knowledge and skills to the students that, although not
covered in the manual, are expected of the students by the concerned industry.
7. Give practical assignments and assess the performance of students based on the task
assigned, to check whether it is as per the instructions or not.
Vision
Mission
To produce graduates according to the needs of industry, government, society and scientific community.
To develop partnership with industries, research and development organizations and government sectors for
continuous improvement of faculties and students.
To motivate students for participating in reputed conferences, workshops, seminars and technical events to
make them technocrats and entrepreneurs.
To enhance the ability of students to address the real life issues by applying technical expertise, human values
and professional ethics.
To inculcate habit of using free and open source software, latest technology and soft skills so that they become
competent professionals.
To encourage faculty members to upgrade their skills and qualification through training and higher studies at
reputed universities.
PEOs
PEO1: Provide computing solutions of complex problems as per business and societal needs.
PEO2: Procure requisite skills to pursue entrepreneurship, research and development, higher studies and
imbibe high degree of professionalism in the fields of computing.
PEO3: Embrace life-long learning and remain continuously employable.
PEO4: Work and excel in a highly competent, supportive, multicultural and professional environment
which abides by legal and ethical responsibilities.
PSOs
PSO1: Graduates will be able to explore and propose effective solutions to the problems in the area of
Computer Engineering as per the needs of society and industry.
PSO2: Graduates will be able to apply standard practice and strategies to develop quality software products
using modern techniques, programming skills, tools & an open ended programming environment and work
in a team.
PSO3: Graduates will manifest the skills of continuous learning in the fast changing field of Computer
Engineering.
Practical - 1
AIM: Study of packet analyzer tool (Wireshark)
Theory:
Wireshark is an open-source packet analyzer used for education, analysis, software development,
communication protocol development, and network troubleshooting.
It captures packets so that each one can be filtered to meet our specific needs. It is commonly called a
sniffer, network protocol analyzer, or network analyzer. It is also used by network security engineers to
examine security problems.
Wireshark is a free application used to capture the data travelling back and forth over a network; it is often
called a free packet sniffer. It puts the network card into promiscuous mode, i.e., it accepts all the packets it
receives, not only those addressed to it.
Uses of Wireshark:
Wireshark can be used in the following ways:
1. It is used by network security engineers to examine security problems.
2. It allows the users to watch all the traffic being passed over the network.
3. It is used by network engineers to troubleshoot network issues.
4. It also helps to troubleshoot latency issues and malicious activities on your network.
5. It can also analyze dropped packets.
6. It helps us to know how all the devices like laptop, mobile phones, desktop, switch, routers, etc.,
communicate in a local network or the rest of the world.
Features of Wireshark
● It is multi-platform software, i.e., it can run on Linux, Windows, OS X, FreeBSD, NetBSD, etc.
● It is a standard three-pane packet browser.
● It performs deep inspection of hundreds of protocols.
● It supports live analysis, i.e., we can read live data from different types of network interface, such as
Ethernet or the loopback interface.
● It has sort and filter options which make it easy for the user to view the data.
● It is also useful in VoIP analysis.
● It can also capture raw USB traffic.
● Various settings, like timers and filters, can be used to filter the output.
● It can only capture packets on networks supported by PCAP (the application programming interface
used to capture network traffic).
● Wireshark supports a variety of well-documented capture file formats such as PcapNg and Libpcap.
These formats are used for storing the captured data.
● It is the leading piece of software for its purpose. It has countless applications, ranging from tracing
down unauthorized traffic to verifying firewall settings.
4. Apply Filters:
● Use Wireshark's display filters to focus on specific layers or protocols.
Physical Layer (Layer 1): Wireshark doesn't provide detailed information about Layer 1 (physical layer)
because it operates at a higher level. However, you can see the presence and properties of physical layer
frames in the packet list.
Example: In the packet list, you might see Ethernet frames with MAC addresses, but you won't get insights into the
physical medium itself (e.g., electrical voltages on a cable).
Data Link Layer (Layer 2): In this layer, you can see the structure of data link frames, such as Ethernet frames.
Wireshark will display fields like source and destination MAC addresses, frame types, and frame check sequences.
Example: You'll see Ethernet frames with source and destination MAC addresses, frame types like IPv4, and other
relevant information.
Network Layer (Layer 3): For Layer 3, you can examine network packets, such as IP packets. Wireshark will display
information like source and destination IP addresses, Time to Live (TTL), and the protocol used (e.g., TCP or UDP).
Computer Engineering Department, L. D. College of Engineering, Ahmedabad-15
Example: You can inspect IP packets, view source and destination IP addresses, identify the TTL value, and know if the
packet uses TCP or UDP.
Transport Layer (Layer 4): In Layer 4, you can inspect transport layer packets, such as TCP or UDP segments.
Wireshark shows source and destination ports, sequence numbers, acknowledgment numbers, and flags.
Example: You'll be able to see TCP or UDP segments with source and destination ports, sequence numbers,
acknowledgment numbers, and flags like SYN, ACK, or FIN.
Session, Presentation, and Application Layers (Layers 5-7): Wireshark focuses primarily on lower OSI
layers, so it won't provide specific information about the higher layers. However, you can often identify the
application protocol used in Layer 7 (e.g., HTTP, DNS, or FTP) based on port numbers and packet payloads.
Example: While Wireshark shows the lower-layer data, it doesn't reveal the application-layer details.
However, you can identify HTTP traffic by observing packets on port 80.
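The layer-by-layer fields described above can be reproduced outside Wireshark by decoding a frame by hand. The following Python script is an added example, not part of the manual and not Wireshark code: it builds one constructed Ethernet/IPv4/TCP SYN frame (no real capture is involved) and dissects it into the Layer 2, 3 and 4 fields Wireshark's details pane shows, then makes the same port-based application guess the text describes (port 80, so HTTP). The port-to-protocol table is an assumed, hypothetical subset; the comments name the Wireshark display-filter fields that correspond to each value.

```python
import socket
import struct

# Hypothetical port-to-protocol table; Wireshark's own heuristics are far richer than this.
PORT_TO_APP = {80: "HTTP", 443: "HTTPS", 53: "DNS", 21: "FTP", 22: "SSH"}
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_sample_frame() -> bytes:
    """Constructed sample: Ethernet II / IPv4 / TCP SYN from 192.168.1.10:51234 to 93.184.216.34:80."""
    ethernet = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                       socket.inet_aton("192.168.1.10"), socket.inet_aton("93.184.216.34"))
    return ethernet + ipv4 + tcp


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def dissect(frame: bytes) -> dict:
    """Return the per-layer fields Wireshark's packet details pane shows for this frame."""
    layers = {}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])   # Layer 2: eth.src / eth.dst / eth.type
    layers["ethernet"] = {"src": _mac(src_mac), "dst": _mac(dst_mac), "type": f"0x{ethertype:04x}"}
    if ethertype != 0x0800:                                              # only IPv4 is decoded further here
        return layers
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                                           # Layer 3: ip.src / ip.dst / ip.ttl / ip.proto
    layers["ip"] = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                    "ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, str(proto))}
    segment = ip[ihl:total_len]
    if proto == 6:                                                       # Layer 4 TCP: tcp.srcport / tcp.seq / tcp.flags
        sport, dport, seq, ack, off, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
        layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
                         "flags": [name for name, bit in TCP_FLAGS if flags & bit]}
        payload = segment[(off >> 4) * 4:]
    elif proto == 17:                                                    # Layer 4 UDP: udp.srcport / udp.dstport
        sport, dport, _len, _csum = struct.unpack("!HHHH", segment[:8])
        layers["udp"] = {"src_port": sport, "dst_port": dport}
        payload = segment[8:]
    else:
        return layers
    # Layers 5-7: only a port-based guess, exactly as the text describes (port 80 -> HTTP).
    layers["application_guess"] = PORT_TO_APP.get(dport) or PORT_TO_APP.get(sport) or "unknown"
    layers["payload_bytes"] = len(payload)
    return layers


if __name__ == "__main__":
    for layer, fields in dissect(build_sample_frame()).items():
        print(layer, fields)
```

The same walk applies to a frame read from a pcap file: strip the 16-byte per-packet pcap record header and pass the remaining bytes to `dissect`.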
Practical - 2
AIM: Study of forensic commands of Linux.
1. history: Using the history command without options displays the list of commands used since the start
of the terminal session:
● Syntax: $ history
Parameter                     Description
history | less                View the history one page at a time: press the spacebar to move one page,
                              or the down arrow to move one line at a time.
history | tail                View just the last ten commands.
history n (e.g. history 15)   View the last n (here 15) commands.
Ctrl+R                        Opens a search of the history. Begin typing a command and it completes
                              it with the most recent match. If that is not the one you need, type a
                              few more letters until you find the command you wanted. Press Enter to
                              run it, or the right arrow key to edit it.
2. find: The find command in UNIX is a command line utility for walking a file hierarchy. It can be used to find files and
directories and perform subsequent operations on them. It supports searching by file, folder, name, creation date,
modification date, owner, and permissions.
Syntax: $ find [where to start searching from] [expression determining what to find] [-options] [what to find]
Starting point: . for the current directory, / for the root directory
Option          Description
-exec           Execute another UNIX command on each file or folder found.
-name demo      Search for files whose name matches 'demo'.
-newer file     Search for files that were modified/created after 'file'.
-print          Display the path name of the files found using the rest of the criteria.
-empty          Search for empty files and directories.
-user name      Search for files owned by the user name or ID 'name'.
\( expr \)      True if 'expr' is true; used for grouping criteria combined with OR or AND.
3. last: The last command in Linux displays the list of all users who have logged in and out since the file
/var/log/wtmp was created. One or more usernames can be given as arguments to display their login (and
logout) times and their hostname.
Syntax: $ last [options] [username..] [tty…]
4. lastlog: reports the most recent login of all users or of a given user. It formats and prints the contents of the last login log
/var/log/lastlog file. The login-name, port, and last login time will be printed. The default (no flags) causes lastlog entries to
be printed, sorted by their order in /etc/passwd.
Syntax: $ lastlog [options]
5. file: determines the file type. file tests each argument in an attempt to classify it. There are
three sets of tests, performed in this order: filesystem tests, magic number tests, and language tests. The first test
that succeeds causes the file type to be printed.
Syntax:
$ file [option] [filename]
$ file [ -bchikLnNprsvz ] [ -f namefile ] [ -F separator ] [ -m magicfiles ] file ...
$ file -C [ -m magicfile ]
Option                          Description
-c, --checking-printout         Cause a checking printout of the parsed form of the magic file. This is
                                usually used in conjunction with -m to debug a new magic file before
                                installing it.
-C, --compile                   Write a magic.mgc output file that contains a pre-parsed version of the
                                magic file.
-f, --files-from namefile       Read the names of the files to be examined from namefile (one per line)
                                before the argument list. Either namefile or at least one filename
                                argument must be present; to test the standard input, use '-' as a
                                filename argument.
-F, --separator separator       Use the specified string as the separator between the filename and the
                                file result returned. Defaults to ':'.
-k, --keep-going                Don't stop at the first match, keep going.
-m, --magic-file list           Specify an alternate list of files containing magic numbers. This can be
                                a single file, or a colon-separated list of files. If a compiled magic
                                file is found alongside, it will be used instead. With the -i or --mime
                                option, the program adds ".mime" to each file name.
-i, --mime                      Causes the file command to output MIME type strings rather than the more
                                traditional human readable ones. Thus it may say
                                'text/plain; charset=us-ascii' rather than 'ASCII text'.
--help                          Print a help message and exit.
6. fsck: check and repair a Linux file system. fsck is used to check and optionally repair one or more Linux file systems.
filesys can be a device name (e.g. /dev/hdc1, /dev/sdb2), a mount point (e.g. /, /usr, /home), or an ext2 label or UUID
specifier (e.g. UUID=8868abf6-88c5-4a83-98b8-bfc24057f7bd or LABEL=root). Normally, the fsck program will try
to handle filesystems on different physical disk drives in parallel to reduce the total amount of time needed to check all
of the filesystems.
Syntax:
● $ fsck <options> <filesystem>
● $ fsck [-sAVRTMNP] [-C [fd]] [-t fstype] [filesys...] [--] [fs-specific-options]
7. stat: display file or file system status. stat is a linux command line utility that displays a detailed information about a
file or a file system. It retrieves information such as file type; access rights in octal and human-readable; SELinux
security context string; time of file creation, last data modification time, and last accessed in both human-readable and
in seconds since Epoch, and much more.
Syntax: $ stat [options] filenames
Option                  Description
-f, --file-system       Display file system status instead of file status.
-L, --dereference       Follow links.
-c, --format=FORMAT     Use the specified FORMAT instead of the default; output a newline after
                        each use of FORMAT.
--printf=FORMAT         Like --format, but interpret backslash escapes, and do not output a
                        mandatory trailing newline; if you want a newline, include \n in FORMAT.
-t, --terse             Print the information in terse form.
8. lsof: It stands for List Open Files. This command lists the files that are currently open and tells
you which process has opened each of them; in one go it lists all open files on the console. It lists
not only regular files but also directories, block special files, shared libraries, character special
files, regular pipes, named pipes, internet sockets, UNIX domain sockets, and many others. Combined
with the grep command it can be used for advanced searching and listing.
Syntax: $ lsof [option] [username]
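To make concrete what the file and stat commands above actually compute, here is an added Python example (not part of the manual, and not the source of either command): `identify` applies the same three-stage order as file(1), filesystem tests first, then ordered magic-number tests where the first match wins, then a plain-text test, and `stat_report` returns the fields stat(1) prints, with the access/modify/change times both in ISO 8601 and in seconds since the Epoch. The magic table is a constructed subset of the real magic database, and `make_samples` writes constructed sample files into a scratch directory so the script runs offline.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

# Ordered magic table (constructed subset of what file(1)'s magic database holds):
# (offset, signature, description). Like file(1), the first test that succeeds wins.
MAGIC = [
    (0, b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (0, b"\xff\xd8\xff", "JPEG image data"),
    (0, b"%PDF-", "PDF document"),
    (0, b"PK\x03\x04", "Zip archive data"),
    (0, b"\x7fELF", "ELF"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Microsoft OLE2 compound document"),
    (0, b"#!", "script text executable"),
    (257, b"ustar", "POSIX tar archive"),
]


def identify(path: str) -> str:
    """file(1)-style classification: filesystem tests, then magic tests, then a text test."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "symbolic link"
    if stat.S_ISDIR(st.st_mode):
        return "directory"
    if st.st_size == 0:
        return "empty"
    with open(path, "rb") as fh:
        head = fh.read(512)                     # enough for every offset in the table above
    for offset, signature, description in MAGIC:
        if head[offset:offset + len(signature)] == signature:
            return description
    try:
        head.decode("ascii")                    # language test, reduced to "is it plain ASCII?"
        return "ASCII text"
    except UnicodeDecodeError:
        return "data"


def stat_report(path: str) -> dict:
    """The fields stat(1) prints: size, mode, owner, inode and the MAC times (ISO 8601 and Epoch seconds)."""
    st = os.stat(path)

    def both(ts: float):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat(), int(ts)

    return {"size": st.st_size, "mode_octal": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid,
            "gid": st.st_gid, "inode": st.st_ino, "links": st.st_nlink,
            "access": both(st.st_atime), "modify": both(st.st_mtime), "change": both(st.st_ctime)}


def make_samples() -> dict:
    """Constructed evidence files in a scratch directory (sample input, not real evidence)."""
    base = tempfile.mkdtemp(prefix="forensics-")
    samples = {"png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, "text": b"case notes\n",
               "empty": b"", "binary": b"\x00\x01\x02\xff\xfe"}
    paths = {}
    for name, content in samples.items():
        paths[name] = os.path.join(base, name + ".bin")
        with open(paths[name], "wb") as fh:
            fh.write(content)
    return paths


if __name__ == "__main__":
    for name, path in make_samples().items():
        print(f"{path}: {identify(path)}")
        print("   ", stat_report(path))
```

Note that the file extension plays no part in `identify`, which is the point of magic-number tests in an investigation: a renamed file still classifies by its content.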
PRACTICAL – 3
AIM: Make a disk image using an imaging tool.
● Creating a good backup of your computer system involves not only backing up all of your data, but also
backing up all Windows and system files when they are in a working and stable state. When a hard drive
crashes or the Windows operating
system becomes corrupt, it would be preferable to not only be able to load back your data quickly, but also
to load back the entire OS with all of your user settings, bookmarks, installed drivers, installed applications,
and more.
● A good way to have both things taken care of at once is to create an image of your hard drive. By
creating an image, your entire system state, including the OS and data files, is captured like a
snapshot and can be reloaded at any time. It’s the best way to protect your data and is the fastest
solution also.
Step 2: Click and open the FTK Imager, once it is installed. You should be greeted with the FTK Imager
dashboard.
Now, to create a Disk Image. Click on File > Create Disk Image.
Now you can choose the source based on the drive you have. It can be a physical or a logical Drive depending on your
evidence. A Physical Drive is the primary storage hardware or the component within a device, which is used to store,
retrieve, and organize data.
A Logical Drive is generally a drive space that is created over a physical hard disk. A logical drive has its
parameters and functions because it operates independently.
Now choose the source of your drive that you want to create an image copy of.
Add the Destination path of the image that is going to be created. From the forensic perspective, It should
be copied in a separate hard drive and multiple copies of the original evidence should be created to prevent
loss of evidence.
Select the format of the image that you want to create. The different formats for creating the image are:
1. Raw (dd): A bit-by-bit copy of the original evidence, created without any additions or
deletions. Raw images do not contain any metadata.
2. SMART: An image format that was used on Linux and is not popularly used
anymore.
3. E01: It stands for EnCase Evidence File, which is a commonly used format for imaging and is
similar to
4. AFF: It stands for Advanced Forensic Format that is an open-source format type.
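The Raw (dd) format above is simply a bit-for-bit copy, and what makes such a copy usable as evidence is the hash taken at acquisition and re-checked on every copy. The following Python script is an added example (not part of the manual and not FTK Imager code) of that procedure: `image_device` copies a source device into a raw image while computing SHA-256 over the bytes as they are read, `verify_image` re-hashes the written image, and the main block makes the two independent copies the text recommends. A physical drive such as /dev/sdb would be the real source; here `make_sample_device` writes a constructed random file as a stand-in so the script runs offline.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024   # read size; block devices are copied in whole chunks, not line by line


def image_device(source: str, destination: str) -> dict:
    """Bit-for-bit copy of `source` into a raw (dd-style) image.
    The SHA-256 is computed over the bytes as they are read, so it documents the source at acquisition time."""
    digest = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
            copied += len(block)
    return {"bytes": copied, "sha256": digest.hexdigest()}


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-hash the written image; a mismatch means this copy must not be relied on as evidence."""
    digest = hashlib.sha256()
    with open(image, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest() == expected_sha256


def make_sample_device(size: int = 3 * CHUNK + 17) -> str:
    """Constructed stand-in for a physical drive: random bytes in a temp file (not a real device)."""
    path = os.path.join(tempfile.mkdtemp(prefix="acq-"), "evidence-drive.bin")
    with open(path, "wb") as fh:
        fh.write(os.urandom(size))
    return path


if __name__ == "__main__":
    drive = make_sample_device()
    # Two independent copies, as the text recommends, each verified against the acquisition hash.
    for copy_name in ("evidence-copy1.dd", "evidence-copy2.dd"):
        out = os.path.join(os.path.dirname(drive), copy_name)
        result = image_device(drive, out)
        status = "verified" if verify_image(out, result["sha256"]) else "MISMATCH"
        print(copy_name, result["bytes"], "bytes", result["sha256"], status)
```

The acquisition hash belongs in the chain-of-custody record alongside the image; the odd size in `make_sample_device` is deliberate, so the last partial chunk is exercised.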
Practical – 4
1. Select the Drive or Disk Image: In HxD, open the drive or disk image from which you want to
attempt data recovery. This is usually done through the "File" menu, and you'll need to select the drive
or image file associated with the deleted data.
2. Search for the File Signature: Every file has a unique signature or "magic number" at the
beginning of its data. For example, a JPEG image file typically starts with "FF D8 FF E0" in
hexadecimal. You'll need to find the file signature of the type of file you're trying to recover. You
can usually find a list of common file signatures online.
3. Navigate to the Signature: Use the "Search" or "Find" feature in HxD to locate the file
signature in the hex editor. Once you've found it, you should see the file's header information.
4. Select and Extract Data: Carefully select and copy the data from the file signature to the end
of the file. Be cautious to select the correct range, as selecting too much or too little data can
affect the integrity of the file.
5. Save the Data: Paste the selected data into a new file (outside of the hex editor) and save it with
the appropriate file extension for the file type you're trying to recover. For example, if you're
recovering a JPEG image, save it with a .jpg file extension.
6. Check the Recovered File: Open the recovered file with the associated application (e.g., an
image viewer for images) to see if it's readable and intact. Keep in mind that data recovery
success depends on the extent of overwriting and file fragmentation.
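Steps 2 to 5 above, done by hand in HxD, are the core of file carving, and they generalize to a loop: search for a header signature, search for the matching footer, cut out the range, hash it, then continue from the end of the match. The following Python script is an added example (not part of the manual and not HxD): `carve` runs that loop over a raw image for one file type, and `build_sample_image` constructs a small image containing a JPEG-like blob, a PNG-like blob and a truncated JPEG header so the no-footer case is exercised. The signature table is a constructed subset; the FF D8 FF E0 header is the JFIF variant the text quotes.

```python
import hashlib

# Constructed signature table: file type -> (header, footer). Real carvers ship hundreds of these.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff\xe0", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(image: bytes, kind: str, max_size: int = 10 * 1024 * 1024) -> list:
    """Header/footer carving of every `kind` file in a raw image; returns offset, size, hash and bytes."""
    header, footer = SIGNATURES[kind]
    found, pos = [], 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        # Look for the footer within max_size bytes of the header. Caveat, as the text warns: a footer
        # can occur early (e.g. an embedded JPEG thumbnail ends with FF D9 too), so check the result.
        end = image.find(footer, start + len(header), start + max_size)
        if end == -1:
            pos = start + 1          # header without footer: overwritten or fragmented, skip it
            continue
        data = image[start:end + len(footer)]
        found.append({"offset": start, "size": len(data),
                      "sha256": hashlib.sha256(data).hexdigest(), "data": data})
        pos = end + len(footer)
    return found


def build_sample_image() -> bytes:
    """Constructed raw image: padding, a JPEG-like blob, padding, a PNG-like blob, a truncated JPEG."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-sample" + b"IEND\xae\x42\x60\x82"
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 50 + b"\xff\xd8\xff\xe0partial"


if __name__ == "__main__":
    image = build_sample_image()
    for kind in SIGNATURES:
        for hit in carve(image, kind):
            name = f"carved_{hit['offset']}.{kind}"
            with open(name, "wb") as fh:          # step 5: save with the right extension
                fh.write(hit["data"])
            print(name, hit["size"], "bytes", hit["sha256"])
```

Recording the offset and hash of each carved object is what lets the recovered file be tied back to the image later; step 6 (opening the file) is still the only real test that the carved range was complete.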
Practical - 5
AIM: Study and perform Microsoft office file metadata analysis.
Theory:
Microsoft Word is currently the word processing software of choice for most individuals and companies.
Many users are under the mistaken belief that the final version of the "visible" Word document is the only
substantive content contained in the "saved file."
● Beyond the visible document and hidden in Word files is data known as "metadata".
Metadata can include things like revision history, authors, and "track changes" which reveals the evolution of a
document and the various edits that led to the final Word file. According to Microsoft metadata found in Word files
can include:
• Your name
• Your initials
• Your company or organization name
• The name of your computer
• The name of the network server or hard disk where you saved the document
• Other file properties and summary information
• Non-visible portions of embedded OLE objects
• Document revisions
• Document versions
• Template information
• Hidden text
• Comments
View Document Properties:
1. Open a Word document and then click the “File” tab and look under “Info.”
2. Select “Check for Issues” and then click on “Inspect Document” to launch the document inspector
3. Click the check boxes to select the types of metadata the Document Inspector scans for and then click
“Inspect.” Microsoft Word will display the results of the inspection and provide an option to remove the
metadata.
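A .docx file is a zip package, and the properties the Document Inspector reports live in the part docProps/core.xml, so the inspection and the "remove" step can both be done programmatically. The following Python script is an added example (not part of the manual and not Microsoft code): `read_core_properties` lists the author, last-modified-by, revision and timestamps, and `scrub_core_properties` blanks the personal fields while leaving the rest of the package intact. `build_sample_docx` constructs a minimal package with only a realistic core-properties part, so it runs offline but will not open in Word; the set of fields scrubbed is an assumed subset of what the Inspector removes.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CORE_PART = "docProps/core.xml"
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)        # keep the cp:/dc: prefixes when the part is rewritten

# Assumed subset of the fields the Inspector's "Document Properties and Personal Information" check removes.
PERSONAL_FIELDS = ("creator", "lastModifiedBy", "revision")


def build_sample_docx() -> bytes:
    """Constructed minimal package: only the core-properties part is realistic, so Word won't open it."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}">'
        "<dc:title>Quarterly report</dc:title><dc:creator>alice</dc:creator>"
        "<cp:lastModifiedBy>bob</cp:lastModifiedBy><cp:revision>7</cp:revision>"
        "<dcterms:created>2024-01-02T10:00:00Z</dcterms:created>"
        "<dcterms:modified>2024-01-05T16:30:00Z</dcterms:modified></cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(CORE_PART, core_xml)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_core_properties(docx: bytes) -> dict:
    """What File > Info shows: author, last modified by, revision, created/modified timestamps."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read(CORE_PART))
    return {child.tag.split("}")[1]: (child.text or "") for child in root}


def scrub_core_properties(docx: bytes, fields=PERSONAL_FIELDS) -> bytes:
    """Blank the personal fields, as the Inspector's "Remove All" does, and rewrite the package."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE_PART:
                root = ET.fromstring(data)
                for child in root:
                    if child.tag.split("}")[1] in fields:
                        child.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", read_core_properties(original))
    print("after: ", read_core_properties(scrub_core_properties(original)))
```

For an investigator the "before" view is the interesting one: creator and lastModifiedBy differing, or a revision count far above one, are the kinds of detail the visible document never shows. Revision history and tracked changes live in other parts (word/document.xml and word/comments.xml), not in core.xml.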
Practical - 6
AIM: Image metadata analysis.
Theory:
Image metadata is text information pertaining to an image file that is embedded into the file or
contained in a separate file that is associated with it.
Image metadata includes details relevant to the image itself as well as information about its production. Some
metadata is generated automatically by the device capturing the image. Additional metadata may be added manually and
edited through dedicated software or general image editing software such as GIMP or Adobe Photoshop. Metadata can also
be added directly on some digital cameras.
✔ Administrative metadata is mostly added manually. It includes usage and licensing rights, restrictions on reuse,
contact information for the owner of the image.
Several standardized formats of metadata exist, including the IPTC Information Interchange Model
(IPTC IIM), Extensible Metadata Platform (XMP), Exchangeable Image File Format (Exif), Dublin Core Metadata
Initiative (DCMI) and Picture Licensing Universal System (PLUS).
Adobe Photoshop is a commercial application that includes an XMP viewer. In Photoshop CS5, it is under File
→ File Info. While not as powerful or as complete as Exiv2 and ExifTool, Adobe's viewer does provide the
ability to decode XMP, IPTC, Exif, and other types of metadata in a graphical interface.
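Exif, the camera-generated metadata mentioned above, is stored in a JPEG's APP1 segment as a small TIFF structure: a byte-order mark, an offset to the first image file directory (IFD0), and 12-byte directory entries whose values are either inline or at an offset. The following Python script is an added example (not part of the manual and not ExifTool or Exiv2 code) that walks that structure: `read_exif` finds the APP1 segment by stepping through the JPEG markers and `parse_tiff` decodes IFD0. `build_sample_jpeg` constructs a JPEG skeleton (SOI, APP1, EOI, no image data) carrying Make, Model, Orientation, Software and DateTime so the script runs offline; the tag-name table is a small subset of the Exif tag list.

```python
import struct

# Subset of the Exif 2.x tag table, enough for the IFD0 entries a camera or editor usually writes.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation", 0x0131: "Software",
             0x0132: "DateTime", 0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED


def parse_tiff(tiff: bytes) -> dict:
    """Walk IFD0 of the TIFF structure inside APP1 and return tag name -> decoded value."""
    if tiff[:2] not in (b"II", b"MM"):
        raise ValueError("bad TIFF byte-order mark")
    endian = "<" if tiff[:2] == b"II" else ">"            # II = little-endian (Intel), MM = big-endian (Motorola)
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])[0]
    tags = {}
    for i in range(count):
        entry = ifd_offset + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", tiff[entry:entry + 12])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            value = raw[:size]                              # value fits in the entry itself
        else:
            offset = struct.unpack(endian + "I", raw)[0]    # otherwise the entry holds an offset into the TIFF block
            value = tiff[offset:offset + size]
        if typ == 2:
            value = value.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            fmt = endian + ("H" if typ == 3 else "I") * n
            value = struct.unpack(fmt, value)
            value = value[0] if n == 1 else value
        else:
            value = value.hex()                             # rationals, bytes and sub-IFD pointers left raw
        tags[TAG_NAMES.get(tag, f"Tag0x{tag:04X}")] = value
    return tags


def read_exif(jpeg: bytes) -> dict:
    """Find the APP1 'Exif' segment by walking JPEG markers; return {} if the file carries none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])   # length counts itself but not the marker
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return parse_tiff(jpeg[pos + 10:pos + 2 + length])
        if marker == 0xFFDA:                                      # start of scan: only image data follows
            break
        pos += 2 + length
    return {}


def build_sample_jpeg() -> bytes:
    """Constructed JPEG skeleton (SOI + APP1/Exif + EOI, no image data) with a little-endian IFD0."""
    entries = [(0x010F, 2, "Canon"), (0x0110, 2, "EOS Sample"), (0x0112, 3, 1),
               (0x0131, 2, "GIMP 2.10"), (0x0132, 2, "2024:01:05 16:30:00")]
    ifd_offset = 8
    data_start = ifd_offset + 2 + 12 * len(entries) + 4       # entries plus the next-IFD pointer
    ifd, blob = struct.pack("<H", len(entries)), b""
    for tag, typ, val in entries:
        if typ == 3:                                          # SHORT: stored inline, padded to 4 bytes
            ifd += struct.pack("<HHI", tag, typ, 1) + struct.pack("<H", val) + b"\x00\x00"
            continue
        encoded = val.encode("ascii") + b"\x00"
        if len(encoded) <= 4:
            ifd += struct.pack("<HHI4s", tag, typ, len(encoded), encoded.ljust(4, b"\x00"))
        else:
            ifd += struct.pack("<HHII", tag, typ, len(encoded), data_start + len(blob))
            blob += encoded
    tiff = b"II" + struct.pack("<HI", 42, ifd_offset) + ifd + struct.pack("<I", 0) + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    for name, value in read_exif(build_sample_jpeg()).items():
        print(f"{name}: {value}")
```

The Software tag being set by an editor rather than the camera, or DateTime disagreeing with the filesystem timestamps from stat, is the kind of inconsistency this metadata exposes; GPS coordinates live behind the GPSInfoIFDPointer in a sub-IFD that this example leaves undecoded.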
Practical - 7
AIM: Study of browser forensics - Collect data of history, cache etc.
Theory:
Browsers Artifacts
When we talk about browser artifacts we mean navigation history, bookmarks, the list of downloaded files, cache data, etc.
These artifacts are files stored inside specific folders in the operating system.
Each browser stores its files in a different place and under different names, but they all store (most of the
time) the same type of data (artifacts).
Let us take a look at the most common artifacts stored by browsers.
Navigation History : Contains data about the navigation history of the user. Can be used to track down if the user has visited
some malicious sites for example
Autocomplete Data : This is the data that the browser suggests based on what you search the most. It can be used in tandem with
the navigation history to get more insight.
Bookmarks : Self Explanatory.
Extensions and Addons : Self Explanatory.
Cache : When navigating websites, the browser creates all sorts of cache data (images, JavaScript files, etc.) for many reasons,
for example to speed up the loading time of websites. These cache files can be a great source of data during a forensic investigation.
Logins : Self Explanatory.
Favicons : They are the little icons found in tabs, urls, bookmarks and the such. They can be used as another source to get more
information about the website or places the user visited.
Browser Sessions : Self Explanatory.
Downloads :Self Explanatory.
Form Data : Anything typed inside forms is often times stored by the browser, so the next time the user enters something
inside of a form the browser can suggest previously entered data.
Thumbnails : Self Explanatory.
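The navigation history artifact above is, for Chrome, an SQLite database (the History file in the profile folder) whose timestamps are not Unix time: Chrome stores microseconds since 1601-01-01 UTC. The following Python script is an added example (not part of the manual and not a Nirsoft tool): it converts those timestamps, joins the urls and visits tables into an ordered timeline, and checks each visit's hostname against a watchlist, the "did the user visit a known-bad site" question the text raises. `build_sample_history` constructs an in-memory database using a subset of Chrome's real urls/visits columns, with constructed URLs and a constructed watchlist, so the script runs offline.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome stores times as microseconds since this


def webkit_to_datetime(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(when: datetime) -> int:
    return (when - WEBKIT_EPOCH) // timedelta(microseconds=1)   # integer division keeps full precision


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Chrome's History database (subset of the real urls/visits schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    t0 = datetime(2024, 1, 5, 16, 30, tzinfo=timezone.utc)
    pages = [(1, "https://intranet.example/login", "Sign in", t0),
             (2, "http://updates.invalid/setup.exe", "Download", t0 + timedelta(minutes=3)),
             (3, "https://mail.example/inbox", "Inbox", t0 + timedelta(minutes=9))]
    for pid, url, title, when in pages:
        conn.execute("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", (pid, url, title, 1, datetime_to_webkit(when)))
        conn.execute("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", (pid, pid, datetime_to_webkit(when), 0, 0))
    conn.commit()
    return conn


def history_timeline(conn: sqlite3.Connection) -> list:
    """Every visit in time order as (ISO 8601 UTC time, url, title)."""
    rows = conn.execute("SELECT v.visit_time, u.url, u.title FROM visits v "
                        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    return [(webkit_to_datetime(t).isoformat(), url, title) for t, url, title in rows]


def watchlist_hits(timeline: list, watchlist: set) -> list:
    """Visits whose hostname is on a known-bad list (the list itself is constructed here)."""
    return [row for row in timeline if urlparse(row[1]).hostname in watchlist]


if __name__ == "__main__":
    timeline = history_timeline(build_sample_history())
    for row in timeline:
        print(*row)
    print("watchlist hits:", watchlist_hits(timeline, {"updates.invalid"}))
```

On a live system the History file is locked by the running browser, so copy it (and its -journal or -wal companion) out of the profile folder first and open the copy; Firefox's places.sqlite uses microseconds since the Unix epoch instead, so the conversion differs per browser.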
Browser cache:
Your web browser stores complete or partial copies of the pages you recently viewed together with the media
(images, audio, and video) in a file on your computer called the cache. The cached files are temporary files
that help the internet pages load quicker. That’s why when you clear your browser cache, you’ll often see that
the sites load slower than usual.
Inside the Cache folder you’ll find files with various extensions and random file names. The difficulty here is that you
won’t know exactly what you’re looking at. Most of the names are random and there’s no way to tell the format of the
file or where it came from.
You can either click on every file to open it or decode the cached files using special software or a browser extension. One of
the best options is to use one of the web browser tools by Nirsoft. For Google Chrome it’s the ChromeCacheView.
After you download the cache viewer, double-click to open the main window. You’ll find the complete list of files stored in
Practical - 8
AIM: Using Sysinternals tools for Network Tracking and Process Monitoring
Theory:
Check Sysinternals tools
Monitor Live Processes
Capture RAM
Capture TCP/UDP packets
Monitor Hard Disk
Monitor Virtual Memory
Monitor Cache Memory
1. Check Sysinternals tools: Windows Sysinternals tools are utilities to manage, diagnose,
troubleshoot, and monitor a Microsoft Windows environment.
The following are the categories of Sysinternals Tools:
File and Disk Utilities
Networking Utilities
Process Utilities
Security Utilities
System Information Utilities
Miscellaneous Utilities
3. Capture RAM
Practical - 9
AIM: Recovering and Inspecting deleted files using Autopsy
Step 1: - Start Autopsy and select “New Case”.
Step 3: - Enter Case Number and Examiner’s details, then click on Finish.
Step 4: - Specify the host name or else keep this setting as default
Step 5: - Choose the required data source type, in this case Local Disk for recovering the deleted files
from pen drive.
Step 6: - Select the correct drive and time zone and click on Next.
Step 7: - Select the modules you want to scan and click on Next. By default, it will select all the
supported modules.
Step 8: - Now the Data source is already added, and file analysis has been started.
Step 9: - Once it's done, you will be able to see all the files, both present and deleted, and here is the
preview you will get. It would be great if you try this yourself and explore all the options. You can even
save the files on our laptop or computer using extract functionality.
Practical - 10
AIM: Acquisition of Cell phones and Mobile devices.
Practical – 11
AIM: Study digital forensic collection and analysis tools used in analysis of digital evidence:
a. COFEE tool
b. Magnet capture tool
c. Ram capture tool
d. NFI Defraser
e. Toolsley
f. Volatility
A. COFEE tool
Computer Online Forensic Evidence Extractor (COFEE) is a toolkit,
developed by Microsoft, to help computer forensic investigators extract evidence from a
Windows computer. Installed on a USB flash drive or other external disk drive, it acts as an
automated forensic tool during a live analysis. Microsoft provides COFEE devices and online
technical support free to law enforcement agencies.
Development and distribution:
COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on
Microsoft's Internet Safety Enforcement Team. Fung conceived the device following discussions he had at a 2006 law
enforcement technology conference sponsored by Microsoft. The device is used by more than 2,000 officers in at least 15
countries.
A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the
trafficking of child pornography, producing evidence that led to an arrest.
In April 2009 Microsoft and Interpol signed an agreement under which INTERPOL would serve as principal international
distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations, in conjunction with Interpol,
develops programs for training forensic experts in using COFEE. The National White Collar Crime Center has been
licensed by Microsoft to be the sole US domestic distributor of COFEE.
Benefits of COFEE:
One of the key benefits of using COFEE is its ability to save time and resources. Traditional methods of
collecting and analyzing digital evidence can be time-consuming and require a significant amount of manual effort.
With COFEE, much of this work can be automated, allowing investigators to quickly and efficiently process large
amounts of data. Another advantage of COFEE is its ability to provide more accurate and reliable results. Because the
process is automated, there is less room for human error, and the technology is able to analyze data in a more
objective and consistent manner. This can be particularly important in legal cases, where the accuracy and reliability
of evidence can be critical.
1. It reduces the time needed to collect evidence from a live system from hours to minutes.
2. It is portable and easy to use: COFEE can be carried on a small USB device that fits in a pocket or on a
keychain, and it does not require installation or permission.
3. It is free and supported.
Limitations of COFEE:
1. It is dependent on the target system: it only works on Windows computers that are running and accessible.
It cannot extract evidence from other operating systems, offline systems or encrypted systems.
2. It is vulnerable to detection and countermeasures: COFEE leaves traces on the target system that can be detected
by anti-forensic tools or malware, and it can also be blocked or disabled by security software or hardware. In 2009,
a tool named Detect and Eliminate Computer Acquired Forensics (DECAF) was announced by an uninvolved group of
programmers that claimed to protect computers against COFEE and render it ineffective.
3. It is proprietary and restricted.
B. Magnet capture tool
MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a
suspect's computer, allowing investigators to recover and analyze valuable artifacts that are often
only found in memory.
MAGNET RAM Capture has a small memory footprint, meaning investigators can run the tool while minimizing
the data that is overwritten in memory. You can export captured memory data in Raw (.DMP/.RAW/.BIN) format
and easily upload into leading analysis tools including Magnet AXIOM and Magnet IEF.
Magnet AXIOM is paid Software and available for officials only. Magnet
Forensics will no longer sell Magnet IEF.
But here we have an old version of Magnet IEF to analyze the memory captured in raw format by Magnet
Capture Tool.
Key Features:
Rapid Data Acquisition - The tool boasts high-speed data capture, enabling investigators to acquire evidence swiftly.
Cross-Platform Compatibility - It seamlessly works with various devices and operating systems, ensuring versatility in forensic investigations.
Data Integrity Assurance - The tool employs advanced techniques to maintain data integrity throughout the acquisition process.
User-Friendly Interface - Forensic professionals will appreciate the intuitive and user-friendly interface, simplifying their tasks.
Belkasoft Live RAM Capturer is a tiny free forensic tool that allows investigators to reliably extract the entire contents of a computer's volatile memory, even if it is protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available in order to minimize the tool's footprint as much as possible. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with Live RAM Analysis in Belkasoft Evidence Center.
D. NFI Defraggler:
The tool Defraggler was developed to find partly erased or damaged multimedia files and, if necessary, repair them. What sets Defraggler apart is its ability to find not just complete multimedia files, but also partial files, such as deleted video files that have been partly overwritten.
E. Toolsley
Toolsley is a free digital forensic tool that can be used to collect and analyze volatile memory from Windows systems. It offers a variety of benefits, including:
Ease of use: Toolsley is a relatively easy-to-use tool, even for users who are not familiar with digital forensics.
Wide range of features: Toolsley offers a wide range of features, including the ability to extract a variety of evidence from memory dumps, such as process information, network connections, and malware artifacts.
Flexibility: Toolsley can be used to analyze memory dumps from both live and dead systems. It can also be used to analyze memory dumps that have been collected using other RAM capture tools.
1. File Identifier
Figure out the type of a file based on its contents. Recognizes over 2,000 file formats using libmagic, the library behind the file command on Unix systems. The library handles the loading of database files that describe the magic numbers used to identify various file types.
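The identification step described above, as an added example: this is not Toolsley's or libmagic's code, but a small magic-number table of the same kind, with a content-versus-extension check of the sort an examiner runs during triage. The signature table is a constructed subset of such a database, and the files in demo() are constructed samples written to a temporary directory.

```python
# Added example (not Toolsley's or libmagic's code): identify a file's type
# from its leading bytes, the way libmagic does for the `file` command.
# The signature table is a small constructed subset of such a database and
# the sample files in demo() are constructed in a temporary directory.
import os
import tempfile

# (description, offset, signature bytes). The offset matters: an ISO 9660
# image, for instance, carries its "CD001" marker at byte 0x8001, not 0.
SIGNATURES = [
    ("PNG image", 0, b"\x89PNG\r\n\x1a\n"),
    ("JPEG image", 0, b"\xff\xd8\xff"),
    ("PDF document", 0, b"%PDF-"),
    ("ZIP archive (also DOCX/XLSX/JAR/APK)", 0, b"PK\x03\x04"),
    ("gzip compressed data", 0, b"\x1f\x8b"),
    ("ELF executable", 0, b"\x7fELF"),
    ("Windows PE executable (MZ header)", 0, b"MZ"),
    ("SQLite 3 database", 0, b"SQLite format 3\x00"),
    ("ISO 9660 CD image", 0x8001, b"CD001"),
]

# What a file name claims; used to flag files disguised by renaming.
EXPECTED_BY_EXT = {
    ".png": "PNG image",
    ".jpg": "JPEG image",
    ".jpeg": "JPEG image",
    ".pdf": "PDF document",
    ".exe": "Windows PE executable (MZ header)",
    ".dll": "Windows PE executable (MZ header)",
    ".zip": "ZIP archive (also DOCX/XLSX/JAR/APK)",
}


def identify_bytes(data: bytes) -> str:
    """Return the description of the first matching signature, or 'unknown'."""
    for description, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return description
    return "unknown"


def identify_file(path: str) -> str:
    """Identify a file on disk by content only; its name is ignored."""
    # 0x8100 bytes is enough to reach the deepest offset in SIGNATURES.
    with open(path, "rb") as fh:
        return identify_bytes(fh.read(0x8100))


def name_content_mismatch(filename: str, data: bytes) -> bool:
    """True when a known extension disagrees with what the bytes say."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_BY_EXT.get(ext)
    return expected is not None and identify_bytes(data) != expected


def demo() -> dict:
    """Write constructed samples to a temp dir and triage each one.
    Returns {filename: (detected type, name/content mismatch)}."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,        # PE bytes under a .pdf name
        "disk.iso": b"\x00" * 0x8001 + b"CD001" + b"\x00" * 16,
        "notes.txt": b"just some text\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = (identify_file(path), name_content_mismatch(name, data))
    return results


if __name__ == "__main__":
    for name, (kind, mismatch) in demo().items():
        print(f"{name:12s} {kind:40s} mismatch={mismatch}")
```

Real libmagic databases carry thousands of entries and more complex rules (masks, string tests at computed offsets); the point here is that the decision rests on bytes, never on the name, which is why a renamed executable is caught.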
2. Password Generator
A flexible random password generator.
3. Hash & Validate
Hash any local file with MD5, SHA-1, SHA-256 or CRC-32. This tool also makes validation links that allow others to check their copy of the file.
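The hash-and-validate workflow just described, as an added example rather than Toolsley's own code: all four digests are computed in one streaming pass, packed into a link, and a holder of a copy recomputes and compares. The link layout and the base URL (a placeholder, not a real service) are this example's own design; the sample content in demo() is constructed.

```python
# Added example (not Toolsley's code): hash a local file with MD5, SHA-1,
# SHA-256 and CRC-32, emit a "validation link" carrying those digests, and
# let the holder of a copy check it against the link. The link format and
# BASE_URL (a placeholder) are this example's own design.
import hashlib
import io
import os
import tempfile
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

CHUNK = 1 << 20  # 1 MiB: stream so a multi-gigabyte image is never loaded whole
BASE_URL = "https://example.invalid/validate"  # placeholder, not a real service


def hash_stream(fh) -> dict:
    """Compute all four digests in a single pass over a binary stream."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    crc = 0
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
        crc = zlib.crc32(chunk, crc)
    return {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
    }


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return hash_stream(fh)


def validation_link(path: str) -> str:
    """Encode the digests of a file into a shareable URL query string."""
    return BASE_URL + "?" + urlencode(hash_file(path))


def verify_copy(path: str, link: str) -> dict:
    """Recompute digests of a local copy and compare each with the link.
    Returns {algorithm: matched}. CRC-32 is not a cryptographic hash and
    MD5 collisions are practical, so treat those two as cheap tripwires
    and rely on SHA-256 for the integrity claim."""
    expected = {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}
    actual = hash_file(path)
    return {alg: actual.get(alg) == digest for alg, digest in expected.items()}


def demo() -> tuple:
    """Round trip: the original verifies, a copy with one byte changed does not."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "evidence.bin")
        with open(original, "wb") as fh:
            fh.write(b"abc")  # constructed sample content
        link = validation_link(original)
        good = verify_copy(original, link)
        altered = os.path.join(tmp, "evidence_copy.bin")
        with open(altered, "wb") as fh:
            fh.write(b"abd")  # one byte changed
        bad = verify_copy(altered, link)
    return link, good, bad


if __name__ == "__main__":
    link, good, bad = demo()
    print(link)
    print("original:", good)
    print("altered: ", bad)
```

For evidence handling the SHA-256 value is the one to record in the chain-of-custody notes; the other three are kept because older tools and reports still quote them.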
4. PGPigeon
Encrypt, decrypt, sign or verify messages with PGP. Simple but powerful encryption tool.
F. Volatility
Volatility is one of the best open source software programs for analyzing RAM in 32-bit/64-bit systems. It supports analysis for Linux, Windows, Mac, and Android systems. It is based on Python and can be run on Windows, Linux, and Mac systems. It can analyze raw dumps, crash dumps, VMware dumps (.vmem), VirtualBox dumps, and many others.
● Installation
The Volatility software may be downloaded from here-
https://code.google.com/p/volatility/downloads/list
It also comes pre-installed with Backtrack 5 R3.
● Volatility Workbench is a graphical user interface (GUI) for the Volatility tool. Volatility is a command line memory
analysis and forensics tool for extracting artifacts from memory dumps. Volatility Workbench is free, open source and runs in
Windows. It provides a number of advantages over the command line version, including:
• No need to install a Python script interpreter.
• No need of remembering command line parameters.
• Storage of the platform and process list with the memory dump, in a .CFG file. When a memory image is re-loaded,
this saves a lot of time and eliminates the need to get process list each time.
• Automatic platform detection with .CFG files
• Simpler copy & paste.
• Simpler printing of paper copies (via right click).
• Simpler saving of the dumped information to a file on disk.
• A drop-down list of available commands and a short description of what each command does.
• Time stamping of the commands executed.
• Auto-loading the first dump file found in the current folder.
• Support for analysing Mac and Linux memory dumps.
• Up to 20% increase in speed compared to interpreted version.
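Before any of the structured analysis that Volatility performs, a first look at a raw capture usually starts with the strings it contains and the network indicators inside them. The following added example (not Volatility's or any vendor's code) carves printable ASCII and UTF-16LE strings with their byte offsets from a raw image and extracts IPv4 addresses and URLs from them. SAMPLE_DUMP is a constructed byte string standing in for a .raw/.dmp capture; the addresses are RFC 5737 documentation ranges and the host name is example.com.

```python
# Added example (not Volatility's code): a first pass over a raw memory
# image that carves ASCII and UTF-16LE strings with their byte offsets and
# pulls IPv4 addresses and URLs out of them. SAMPLE_DUMP is a constructed
# byte string standing in for a .raw/.dmp capture; addresses are from the
# RFC 5737 documentation ranges.
import re

SAMPLE_DUMP = (
    b"\x00" * 32
    + b"GET /login HTTP/1.1\r\nHost: example.com\r\n"
    + b"\x00" * 16
    + b"\x90\x90\xcc"
    + b"http://203.0.113.5:8080/update.exe\x00"
    + b"\xff" * 8
    + "C:\\Users\\analyst\\Documents\\report.docx".encode("utf-16-le")
    + b"\x00\x00"
    + b"peer=198.51.100.23:443\x00"
    + b"\x00" * 32
)

IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """[(offset, text)] for runs of printable ASCII at least min_len long."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 6) -> list:
    """Same for UTF-16LE, which is how Windows keeps most paths and names in
    memory; a plain ASCII scan misses these because every character is
    followed by a NUL byte."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(data)]


def _unique(items) -> list:
    """Preserve first-seen order while dropping duplicates."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def carve(data: bytes) -> dict:
    """Strings (with offsets) plus the network indicators found inside them."""
    ascii_hits = ascii_strings(data)
    utf16_hits = utf16le_strings(data)
    texts = [s for _, s in ascii_hits] + [s for _, s in utf16_hits]
    return {
        "ascii": ascii_hits,
        "utf16": utf16_hits,
        "ipv4": _unique(ip for t in texts for ip in IPV4_RE.findall(t)),
        "urls": _unique(u for t in texts for u in URL_RE.findall(t)),
    }


if __name__ == "__main__":
    for key, values in carve(SAMPLE_DUMP).items():
        print(key)
        for v in values:
            print("   ", v)
```

The offsets matter in a report: they let a second examiner return to the same bytes in the same image, and they are what a Volatility plugin would turn into a process or connection context. On a real multi-gigabyte capture, read the file in memory-mapped or chunked form rather than as one bytes object.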
Practical – 12
AIM: For a crime that occurred recently (for example, online fraud), prepare a report
containing:
● Name of the crime, which year, victim and attacker name
● List of digital devices available for forensics
● List of tools along with short description of their utility