Digital Forensics Manual Aayushi


L. D. College of Engineering
Opp. Gujarat University, Navrangpura, Ahmedabad 380015

LAB MANUAL
Branch: Computer Engineering

Digital Forensics (3170725)


Semester: VII

Faculty Details:
1. Prof. Dr. R. A. Jaiswal

2. Prof. H. B. Pandya
DIGITAL FORENSICS (3170725) 210280107035

CERTIFICATE

This is to certify that Ms. AAYUSHI GUPTA, Enrollment Number 210280107035


has satisfactorily completed the practical work in “Digital Forensics” (3170725) subject
at L.D. College of Engineering, Ahmedabad-380015.

Date of Submission: ___________

Sign of Faculty:

Head of Department: _______________

Computer Engineering Department, L. D. College of Engineering, Ahmedabad-15



Preface
With the rapid growth of internet users around the globe, the rate of cybercrime is also increasing.
Nowadays, Internet applications have become an essential part of every discipline with their variety of
domain-specific applications. The basic objective of offering this course is to make engineering
graduates aware of cybercrimes and their modus operandi so that they can analyze an attack.

By using this lab manual, students can go through the relevant theory and procedure in advance
before the actual performance, which creates interest and gives students a basic idea prior to the
performance. This in turn enhances the pre-determined outcomes amongst students. Each experiment in
this manual begins with the competency, relevant skills, course outcomes and practical outcomes
(objectives). The students will also learn the safety measures and necessary precautions to be taken while
performing the practical.

This manual also provides guidelines to faculty members to facilitate student-centric lab activities
through each experiment by arranging and managing the necessary resources, so that the students
follow the procedures with the required safety and necessary precautions to achieve the outcomes. It also
gives an idea of how students will be assessed by providing rubrics.


Industry Relevant Skills
The following industry relevant competency is expected to be developed in the student by
undertaking the practical work of this laboratory.
1. Investigation and analysis skills: Develop the ability to investigate and analyze various
digital devices and systems, including computers, mobile devices, and networks. Learn
how to extract and analyze data from these devices and systems to identify evidence of
cybercrime.
2. Evidence handling and preservation skills: How to handle and preserve digital evidence in
a way that is admissible in court. This includes learning about chain of custody, evidence
storage, and documentation.
3. Technical skills: Technical skills related to computer and network security, including
knowledge of operating systems, file systems, and network protocols. Students may also
learn about encryption, steganography, and other techniques used to hide information.
4. Legal and regulatory knowledge: Relevant laws and regulations related to cybercrime,
such as the IT Act 2000. Students will learn about legal procedures, courtroom
procedures, and other aspects of the legal system.
5. Communication and reporting skills: Students will learn how to communicate complex
technical information to non-technical stakeholders, such as lawyers, judges, and juries.
They will also learn how to write clear and concise reports that summarize their findings
and conclusions.
6. Critical thinking and problem-solving skills: Complex problem-solving scenarios that
require students to think critically and apply their knowledge and skills to real-world
situations.
Guidelines for Faculty Members
1. The teacher should provide guidelines, with a demonstration of the practical and all its features, to the
students.
2. The teacher shall explain the basic concepts/theory related to the experiment to the students
before starting each practical.
3. Involve all the students in the performance of each experiment.
4. The teacher is expected to share the skills and competencies to be developed in the students
and ensure that the respective skills and competencies are developed in the students
after completion of the experimentation.
5. Teachers should give students the opportunity for hands-on experience after the
demonstration.
6. The teacher may provide additional knowledge and skills to the students, even if not
covered in the manual, where they are expected from the students by the concerned industry.
7. Give practical assignments and assess the performance of students based on the task
assigned, to check whether it is as per the instructions or not.

8. The teacher is expected to refer to the complete curriculum of the course and follow the guidelines for
implementation.
Instructions for Students
1. Students are expected to carefully listen to all the theory classes delivered by the faculty
members and understand the COs, content of the course, teaching and examination scheme,
skill set to be developed etc.
2. Students shall organize the work in the group and make a record of all observations.
3. Students shall develop the maintenance skills expected by industries.
4. Students shall attempt to develop related hands-on skills and build confidence.
5. Students shall develop the habit of evolving more ideas, innovations, skills etc. apart from
those included in the scope of the manual.
6. Students shall refer to technical magazines and data books, and follow real cyber forensic cases.
7. Students should develop the habit of submitting the experimentation work as per the schedule
and should be well prepared for the same.
Common Safety Instructions
Students are expected to carefully perform each experiment without damaging the lab
computer systems. All the experiments are for learning purposes only and must never be performed
anywhere else without proper authorization.


L. D. College of Engineering, Ahmedabad


Department of Computer Engineering

Vision

● To achieve academic excellence in Computer Engineering by providing value-based education.

Mission

● To produce graduates according to the needs of industry, government, society and the scientific community.
● To develop partnerships with industries, research and development organizations and government sectors for
continuous improvement of faculties and students.
● To motivate students to participate in reputed conferences, workshops, seminars and technical events to
make them technocrats and entrepreneurs.
● To enhance the ability of students to address real-life issues by applying technical expertise, human values
and professional ethics.
● To inculcate the habit of using free and open source software, the latest technology and soft skills so that they become
competent professionals.
● To encourage faculty members to upgrade their skills and qualifications through training and higher studies at
reputed universities.

PEOs

● PEO1: Provide computing solutions to complex problems as per business and societal needs.
● PEO2: Procure the requisite skills to pursue entrepreneurship, research and development, and higher studies, and
imbibe a high degree of professionalism in the fields of computing.
● PEO3: Embrace life-long learning and remain continuously employable.
● PEO4: Work and excel in a highly competent, supportive, multicultural and professional environment
which abides by legal and ethical responsibilities.

PSOs

● PSO1: Graduates will be able to explore and propose effective solutions to problems in the area of
Computer Engineering as per the needs of society and industry.
● PSO2: Graduates will be able to apply standard practices and strategies to develop quality software products
using modern techniques, programming skills, tools and an open-ended programming environment, and work
in a team.
● PSO3: Graduates will manifest the skills of continuous learning in the fast-changing field of Computer
Engineering.





DIGITAL FORENSICS (3170725)

COURSE OUTCOMES (CO):



Practical List

(The table in the manual also has columns for Date of performance, Date of submission, Marks, Sign. and
Remarks, which are left blank to be filled in.)

Sr. No.  Objective(s) of Experiment                                                            Page No.
1        Study of packet analyzer tool (Wireshark / NMap / Networkminer)                          1
2        Study of forensic commands of Linux.                                                     6
3        Make a disk image using an imaging tool.                                                11
4        Using hex editor (HxD tool) analyze metadata of a file.                                 15
5        Study and perform Microsoft office file metadata analysis.                              18
6        Image metadata analysis.                                                                20
7        Study of browser forensics - Collect data of history, cache etc. and prepare report.    22
8        Using Sysinternals tools for Network Tracking and Process Monitoring                    24
9        Recovering and Inspecting deleted files using Autopsy                                   29
10       Acquisition of Cell phones and Mobile devices.                                          33
11       Study any one digital forensic collection and analysis tool used in analysis of
         digital evidence (Coffee tool, Magnet capture tool, Ram capture tool,
         NFI Defragger, Toolsley, Volatility)                                                    38
12       For a crime that occurred in recent times (example: online fraud), prepare a
         report containing:                                                                      44
         ● Name of the crime, which year, victim and attacker name
         ● List of digital devices available for forensics
         ● List of tools along with a short description of their utility


Practical - 1
AIM: Study of packet analyzer tool (Wireshark)
Theory:
Wireshark is an open-source packet analyzer, which is used for education, analysis, software development,
communication protocol development, and network troubleshooting.
It is used to capture packets so that each one can be filtered to meet our specific needs. It is commonly called a
sniffer, network protocol analyzer, or network analyzer. It is also used by network security engineers to
examine security problems.
Wireshark is a free-to-use application that captures the data passing back and forth on a network. It is often called a free
packet sniffer application. It puts the network card into promiscuous (non-selective) mode, i.e., it accepts all the packets
which it receives.

Uses of Wireshark:
Wireshark can be used in the following ways:
1. It is used by network security engineers to examine security problems.
2. It allows the users to watch all the traffic being passed over the network.
3. It is used by network engineers to troubleshoot network issues.
4. It also helps to troubleshoot latency issues and malicious activities on your network.
5. It can also analyze dropped packets.
6. It helps us to know how all the devices like laptops, mobile phones, desktops, switches, routers, etc.,
communicate in a local network or with the rest of the world.

Features of Wireshark
● It is multi-platform software, i.e., it can run on Linux, Windows, OS X, FreeBSD, NetBSD, etc.
● It is a standard three-pane packet browser.
● It performs deep inspection of hundreds of protocols.
● It supports live analysis, i.e., it can read live data from different types of network interfaces such as Ethernet,
loopback, etc.
● It has sort and filter options which makes it easy for the user to view the data.
● It is also useful in VoIP analysis.
● It can also capture raw USB traffic.
● Various settings, like timers and filters, can be used to filter the output.
● It can capture packets only on networks supported by pcap (the packet-capture programming interface it
relies on).
● Wireshark supports a variety of well-documented capture file formats such as PcapNg and Libpcap.
These formats are used for storing the captured data.
● It is the no. 1 piece of software for its purpose, with countless applications ranging from tracing
down unauthorized traffic to checking firewall settings.

To explore the packet format in different layers using Wireshark:

1. Install and Launch Wireshark:


● Download and install Wireshark on your computer from
https://www.wireshark.org/download.html.
● Run Wireshark with appropriate permissions (usually requires administrative or root access for
capturing network traffic).
● Click on next to continue installation.


2. Start Capturing Packets:


● Select the network interface you want to monitor and click "Start" or "Capture" in Wireshark.

3. Analyze the Captured Packets:


● Wireshark will display a list of captured packets in real-time. You can select a packet to see its details in
the lower pane.


4. Apply Filters:
● Use Wireshark's display filters to focus on specific layers or protocols.

5. Explore OSI Layer Packets:

Physical Layer (Layer 1): Wireshark doesn't provide detailed information about Layer 1 (physical layer)
because it operates at a higher level. However, you can see the presence and properties of physical layer
frames in the packet list.

Example: In the packet list, you might see Ethernet frames with MAC addresses, but you won't get insights into the
physical medium itself (e.g., electrical voltages on a cable).
Data Link Layer (Layer 2): In this layer, you can see the structure of data link frames, such as Ethernet frames.
Wireshark will display fields like source and destination MAC addresses, frame types, and frame check sequences.
Example: You'll see Ethernet frames with source and destination MAC addresses, frame types like IPv4, and other
relevant information.

Network Layer (Layer 3): For Layer 3, you can examine network packets, such as IP packets. Wireshark will display
information like source and destination IP addresses, Time to Live (TTL), and the protocol used (e.g., TCP or UDP).


Example: You can inspect IP packets, view source and destination IP addresses, identify the TTL value, and know if the
packet uses TCP or UDP.

Transport Layer (Layer 4): In Layer 4, you can inspect transport layer packets, such as TCP or UDP segments.
Wireshark shows source and destination ports, sequence numbers, acknowledgment numbers, and flags.
Example: You'll be able to see TCP or UDP segments with source and destination ports, sequence numbers,
acknowledgment numbers, and flags like SYN, ACK, or FIN.
UDP:

Session, Presentation, and Application Layers (Layers 5-7): Wireshark focuses primarily on lower OSI
layers, so it won't provide specific information about the higher layers. However, you can often identify the
application protocol used in Layer 7 (e.g., HTTP, DNS, or FTP) based on port numbers and packet payloads.
Example: While Wireshark shows the lower-layer data, it doesn't reveal the application-layer details.
However, you can identify HTTP traffic by observing packets on port 80.
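As an added example (not part of the original manual), the Python script below decodes a constructed Ethernet/IPv4/TCP frame and a constructed UDP frame field by field, the way Wireshark's packet-details pane lays out Layers 2 to 4, and then makes the same port-based guess at the Layer 7 protocol that the text describes. The MAC and IP addresses are made up (IPv4 documentation ranges); function names such as decode_frame are the example's own.

```python
"""Layer-by-layer decoding of a raw Ethernet frame (Layers 2 to 4), mirroring
what Wireshark shows in its packet-details pane. Added example: the frames
below are constructed in code, not captured from a real network."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
# Port-based application guess, as the text describes for Layer 7 (a heuristic only)
WELL_KNOWN_PORTS = {80: "HTTP", 443: "HTTPS", 53: "DNS", 21: "FTP", 22: "SSH"}


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at zero; constructed data)."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0, s, d)


def _ethernet_header() -> bytes:
    """Destination MAC, source MAC, EtherType IPv4 (made-up addresses)."""
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)


def build_tcp_syn_frame() -> bytes:
    """Constructed Ethernet II -> IPv4 -> TCP SYN towards port 80 (TEST-NET addresses)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    return _ethernet_header() + _ipv4_header("192.0.2.10", "203.0.113.5", PROTO_TCP, len(tcp)) + tcp


def build_udp_dns_frame() -> bytes:
    """Constructed Ethernet II -> IPv4 -> UDP datagram to port 53 with a 12-byte dummy payload."""
    payload = b"\x00" * 12
    udp = struct.pack("!HHHH", 51000, 53, 8 + len(payload), 0) + payload
    return _ethernet_header() + _ipv4_header("192.0.2.10", "203.0.113.53", PROTO_UDP, len(udp)) + udp


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(frame: bytes) -> dict:
    """Return one dict per decoded layer, keyed 'ethernet', 'ipv4', 'tcp' or 'udp', 'application'."""
    layers = {}
    # Layer 2: Ethernet II = destination MAC, source MAC, EtherType (14 bytes)
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dst": _mac(dst), "src": _mac(src), "type": f"0x{ethertype:04x}"}
    if ethertype != ETHERTYPE_IPV4:
        return layers                      # only IPv4 is decoded in this example
    # Layer 3: IPv4 header; IHL gives the real header length in 32-bit words
    ip = frame[14:]
    ver_ihl, _dscp, total_len, _ident, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["ipv4"] = {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
                      "src": ".".join(map(str, s)), "dst": ".".join(map(str, d))}
    segment = ip[ihl:total_len]
    # Layer 4: TCP shows ports, sequence/ack numbers and flags; UDP only ports and length
    if proto == PROTO_TCP:
        sport, dport, seq, ack, _off, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
        layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": win,
                         "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit]}
    elif proto == PROTO_UDP:
        sport, dport, length, _csum = struct.unpack("!HHHH", segment[:8])
        layers["udp"] = {"src_port": sport, "dst_port": dport, "length": length}
    else:
        return layers
    # Layer 7 guess from the destination port, as the text suggests for HTTP on port 80
    layers["application"] = WELL_KNOWN_PORTS.get(dport, "unknown")
    return layers


if __name__ == "__main__":
    for frame in (build_tcp_syn_frame(), build_udp_dns_frame()):
        for layer, fields in decode_frame(frame).items():
            print(f"{layer:12s} {fields}")
        print()
```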


Practical - 2
AIM: Study of forensic commands of Linux.
1. history: Using the history command without options displays the list of commands used since the start
of the terminal session.
Syntax: $ history

Parameter                Description
history | less           View the history one page at a time: press the spacebar to move one page
                         at a time, or the down arrow to move one line at a time.
history | tail           View just the last ten commands.
history n                View the last n commands (for example, history 15 shows the last 15).
ctrl+R                   Opens an incremental search through the history. Begin typing a command and
                         it completes it with the most recent match; if that is not the one you need,
                         type a few more letters until you find the command you wanted. Press the
                         return key to run it, or the right arrow key to edit it.

2. find: The find command in UNIX is a command line utility for walking a file hierarchy. It can be used to find files and
directories and perform subsequent operations on them. It supports searching by file, folder, name, creation date,
modification date, owner, and permissions.
Syntax: $ find [where to start searching from] [expression determines what to find] [-options] [what to find]
(.) : start from the current directory      (/) : start from the root directory

Option           Description
-exec            Execute another UNIX command on each file or folder found.
-name demo       Search for files whose name matches 'demo'.
-newer file      Search for files that were modified/created after 'file'.
-print           Display the path name of the files found by the rest of the criteria.
-empty           Search for empty files and directories.
-user name       Search for files owned by the user name or ID 'name'.
\( expr \)       True if 'expr' is true; used for grouping criteria combined with OR or AND.


3. last: The last command in Linux is used to display the list of all the users logged in and out since the file
/var/log/wtmp was created. One or more usernames can be given as arguments to display their login (and
logout) times and their host names.
Syntax: $ last [options] [username..] [tty…]

4. lastlog: reports the most recent login of all users or of a given user. It formats and prints the contents of the last login log
/var/log/lastlog file. The login-name, port, and last login time will be printed. The default (no flags) causes lastlog entries to
be printed, sorted by their order in /etc/passwd.
Syntax: $ lastlog [options]


5. file: determines the file type. file tests each argument in an attempt to classify it. There are
three sets of tests, performed in this order: filesystem tests, magic number tests, and language tests. The first test
that succeeds causes the file type to be printed.
Syntax:
● $ file [option] [filename]
● $ file [ -bchikLnNprsvz ] [ -f namefile ] [ -F separator ] [ -m magicfiles ] file ...
● $ file -C [ -m magicfile ]

Option                        Description
-c, --checking-printout       Cause a checking printout of the parsed form of the magic file. This is
                              usually used in conjunction with -m to debug a new magic file before
                              installing it.
-C, --compile                 Write a magic.mgc output file that contains a pre-parsed version of the
                              magic file.
-f, --files-from namefile     Read the names of the files to be examined from namefile (one per line)
                              before the argument list. Either namefile or at least one filename
                              argument must be present; to test the standard input, use '-' as a
                              filename argument.
-F, --separator separator     Use the specified string as the separator between the filename and the
                              file result returned. Defaults to ':'.
-k, --keep-going              Don't stop at the first match, keep going.
-m, --magic-file list         Specify an alternate list of files containing magic numbers. This can be a
                              single file, or a colon-separated list of files. If a compiled magic file is
                              found alongside, it will be used instead. With the -i or --mime option, the
                              program adds ".mime" to each file name.
-i, --mime                    Output MIME type strings rather than the more traditional human-readable
                              ones. Thus it may say 'text/plain; charset=us-ascii' rather than 'ASCII text'.
--help                        Print a help message and exit.


6. fsck: check and repair a Linux file system. fsck is used to check and optionally repair one or more Linux file systems.
filesys can be a device name (e.g. /dev/hdc1, /dev/sdb2), a mount point (e.g. /, /usr, /home), or an ext2 label or UUID
specifier (e.g. UUID=8868abf6-88c5-4a83-98b8-bfc24057f7bd or LABEL=root). Normally, the fsck program will try
to handle filesystems on different physical disk drives in parallel to reduce the total amount of time needed to check all
of the filesystems.
Syntax:
● $ fsck <options> <filesystem>
● $ fsck [-sAVRTMNP] [-C [fd]] [-t fstype] [filesys...] [--] [fs-specific-options]

Option   Description
-a       Try to repair filesystem errors automatically. There will be no prompts, so use it with caution.
-A       Check all filesystems listed in /etc/fstab.
-C       Show progress for ext2 and ext3 filesystems.
-f       Force fsck to check a filesystem. The tool checks even when the filesystem appears to be clean.
-l       Lock the device to prevent other programs from using the partition during the scan and repair.
-P       Run a scan on multiple filesystems in parallel. It can cause issues, depending on your setup. Use with caution.
-R       Tell the fsck tool not to check the root filesystem when you use the -A option.
-r       Print device statistics.
-t       Specify which filesystem type(s) to check with fsck.
-y       Try to repair filesystem errors automatically during the check.

7. stat: display file or file system status. stat is a Linux command line utility that displays detailed information about a
file or a file system. It retrieves information such as file type; access rights in octal and human-readable form; SELinux
security context string; time of file creation, last data modification time and last access time, both in human-readable form
and in seconds since the Epoch; and much more.
Syntax: $ stat [options] filenames

Option                 Description
-f, --file-system      display file system status instead of file status
-L, --dereference      follow links
-c, --format=FORMAT    use the specified FORMAT instead of the default; output a newline after each use of FORMAT
--printf=FORMAT        like --format, but interpret backslash escapes, and do not output a mandatory trailing
                       newline; if you want a newline, include \n in FORMAT
-t, --terse            print the information in terse form

8. lsof: It stands for List Of Open Files. This command provides a list of files that are open. Basically, it gives the
information needed to find out which files are opened by which process. In one go it lists all open files on the output
console. It can list not only common regular files but also a directory, a block special file, a shared library, a
character special file, a regular pipe, a named pipe, an internet socket, a UNIX domain socket, and many others. It can
be combined with the grep command to do advanced searching and listing.
Syntax: $ lsof [option] [username]


Practical - 3
AIM: Make a disk image using an imaging tool.

● Creating a good backup of your computer system involves not only backing up all of your data, but also
backing up all Windows and system files while they are in a working and stable state. When a hard drive
crashes or the Windows operating system becomes corrupt, it is preferable to be able to load back not only
your data quickly, but also the entire OS with all of your user settings, bookmarks, installed drivers,
installed applications, and more.
● A good way to have both things taken care of at once is to create an image of your hard drive. By
creating an image, your entire system state, including the OS and data files, is captured like a
snapshot and can be reloaded at any time. It is the best way to protect your data and is also the fastest
solution.

What Is FTK Imager?

● FTK Imager is a tool for creating disk images and is absolutely free to use. It was developed by
AccessData. It is a tool that helps to preview data and to create images.

Step 1: Download and install the FTK imager on your machine.

Step 2: Click and open the FTK Imager, once it is installed. You should be greeted with the FTK Imager
dashboard.

Now, to create a disk image, click on File > Create Disk Image.


Now you can choose the source based on the drive you have. It can be a physical or a logical drive, depending on your
evidence. A physical drive is the primary storage hardware or component within a device, which is used to store,
retrieve, and organize data.

A logical drive is generally a drive space that is created over a physical hard disk. A logical drive has its own
parameters and functions and operates independently.


Now choose the source drive that you want to create an image copy of.

Add the destination path of the image that is going to be created. From the forensic perspective, it should
be copied to a separate hard drive, and multiple copies of the original evidence should be created to prevent
loss of evidence.
Select the format of the image that you want to create. The different formats for creating the image are:
1. Raw (dd): a bit-by-bit copy of the original evidence, created without any additions or deletions.
Raw images do not contain any metadata.
2. SMART: an image format that was used for Linux and is not popularly used anymore.
3. E01: stands for EnCase Evidence File, which is a commonly used format for imaging and is
similar to
4. AFF: stands for Advanced Forensic Format, which is an open-source format type.

Now, add the details of the image to proceed.


Now finally add the destination of the image file, name the image file and then click on Finish.


After the image is created, a hash result is generated which verifies the MD5 hash, the SHA1 hash, and the
presence of any bad sectors.
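As an added example (not FTK Imager's code and not part of the manual), the Python script below acquires a raw, dd-style image sector by sector from a constructed in-memory "drive" with one unreadable sector, computes MD5 and SHA1 over the image as written, records the bad sector, and then re-hashes the image to verify it, which is the check the hash result above represents. Names such as FakeDrive and acquire_raw_image are the example's own.

```python
"""Sector-by-sector acquisition of a raw (dd-style) image with MD5/SHA1
verification and bad-sector accounting, the kind of result an imaging tool
reports after creating an image. Added example; the 'drive' is a constructed
in-memory byte string in which one sector fails to read."""
import hashlib

SECTOR = 512


class FakeDrive:
    """Constructed stand-in for a physical drive: read_sector() raises OSError
    for the sector numbers listed in bad_sectors, like an unreadable block."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad_sectors = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad_sectors:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire_raw_image(drive) -> dict:
    """Copy every sector into a raw image. Unreadable sectors are written as
    zeros (so later offsets stay aligned with the source) and their numbers are
    recorded. The hashes cover the image exactly as written, which is what a
    verifying tool re-hashes later."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    image = bytearray()
    bad = []
    for n in range(drive.sector_count):
        try:
            chunk = drive.read_sector(n)
        except OSError:
            chunk = b"\x00" * SECTOR
            bad.append(n)
        image += chunk
        md5.update(chunk)
        sha1.update(chunk)
    return {"image": bytes(image), "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "bad_sectors": bad}


def verify_image(image: bytes, expected_md5: str, expected_sha1: str) -> dict:
    """Re-hash an image and compare with the hashes recorded at acquisition time."""
    return {"md5_match": hashlib.md5(image).hexdigest() == expected_md5,
            "sha1_match": hashlib.sha1(image).hexdigest() == expected_sha1}


def constructed_drive() -> FakeDrive:
    """Eight sectors of recognisable filler; sector 5 is marked unreadable."""
    data = b"".join(bytes([i]) * SECTOR for i in range(8))
    return FakeDrive(data, bad_sectors=[5])


if __name__ == "__main__":
    result = acquire_raw_image(constructed_drive())
    print("MD5 :", result["md5"])
    print("SHA1:", result["sha1"])
    print("bad sectors:", result["bad_sectors"])
    print("verify original:", verify_image(result["image"], result["md5"], result["sha1"]))
    # Flipping a single byte of the image copy must make verification fail
    tampered = bytearray(result["image"])
    tampered[100] ^= 0xFF
    print("verify tampered:", verify_image(bytes(tampered), result["md5"], result["sha1"]))
```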


Practical – 4

AIM: Using hex editor (HxD tool) analyze metadata of a file.


1. Installation Steps:

Go to https://mh-nexus.de/en/hxd/, scroll down and click on the download page. Select the
English language and click on the link to download the zip file.

2. Open HxD: Launch HxD on your computer.

3. Select the Drive or Disk Image: In HxD, open the drive or disk image from which you want to
attempt data recovery. This is usually done through the "File" menu, and you'll need to select the drive
or image file associated with the deleted data.


4. Search for the File Signature: Every file has a unique signature or "magic number" at the
beginning of its data. For example, a JPEG image file typically starts with "FF D8 FF E0" in
hexadecimal. You'll need to find the file signature of the type of file you're trying to recover. You
can usually find a list of common file signatures online.

5. Navigate to the Signature: Use the "Search" or "Find" feature in HxD to locate the file
signature in the hex editor. Once you've found it, you should see the file's header information.

6. Select and Extract Data: Carefully select and copy the data from the file signature to the end
of the file. Be cautious to select the correct range, as selecting too much or too little data can
affect the integrity of the file.

7. Save the Data: Paste the selected data into a new file (outside of the hex editor) and save it with
the appropriate file extension for the file type you're trying to recover. For example, if you're
recovering a JPEG image, save it with a .jpg file extension.

8. Check the Recovered File: Open the recovered file with the associated application (e.g., an
image viewer for images) to see if it's readable and intact. Keep in mind that data recovery
success depends on the extent of overwriting and file fragmentation.
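As an added example, not part of the manual, the Python script below automates the search, select, extract and save steps above: it scans a constructed disk-image byte string for the JPEG start-of-image signature, extracts each file up to its FF D9 end-of-image marker, skips a header whose footer is missing (an overwritten tail), and writes the carved files with a .jpg extension. The function names and the image contents are the example's own.

```python
"""Signature-based carving of JPEG files from a raw disk image: the scripted
version of the HxD search-and-extract steps (find FF D8 FF, select up to the
end marker, save as .jpg). Added example, not part of the manual; the image is
a constructed byte string, not a real disk."""
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"        # start of image plus the lead byte of the first marker (e.g. FF E0)
JPEG_EOI = b"\xff\xd9"            # end of image
MAX_JPEG_SIZE = 10 * 1024 * 1024  # give up on a header whose footer is not found within this span


def carve_jpegs(image: bytes):
    """Yield (offset, data) for each region starting with the JPEG signature and
    ending at the next end-of-image marker. A header with no footer in range is
    skipped; fragmented or partly overwritten files will not carve cleanly."""
    pos = 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + MAX_JPEG_SIZE)
        if end == -1:
            pos = start + 1       # keep scanning past a header whose footer is missing
            continue
        end += len(JPEG_EOI)
        yield start, image[start:end]
        pos = end


def save_carved(image: bytes, out_dir) -> list:
    """Write every carved file as carved_<offset>.jpg inside out_dir and return the paths."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for offset, data in carve_jpegs(image):
        path = out_dir / f"carved_{offset:08x}.jpg"
        path.write_bytes(data)
        paths.append(path)
    return paths


def constructed_image() -> bytes:
    """Made-up disk image: filler, a JFIF-style file, filler, unrelated text, an
    Exif-style file, filler, then a header whose footer is missing."""
    jfif = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 40 + JPEG_EOI
    exif = b"\xff\xd8\xff\xe1\x00\x08Exif\x00\x00" + b"B" * 25 + JPEG_EOI
    filler = b"\x00" * 64
    truncated = b"\xff\xd8\xff\xe0" + b"C" * 10
    return filler + jfif + filler + b"unrelated text" + exif + filler + truncated


if __name__ == "__main__":
    import tempfile
    for path in save_carved(constructed_image(), tempfile.mkdtemp()):
        print(path, path.stat().st_size, "bytes")
```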


Practical - 5
AIM: Study and perform Microsoft office file metadata analysis.
Theory:
● Microsoft Word is currently the word processing software of choice for most individuals and companies.
Many users are under the mistaken belief that the final version of the "visible" Word document is the only
substantive content contained in the "saved file."

● Beyond the visible document and hidden in Word files is data known as "metadata".
Metadata can include things like revision history, authors, and "track changes", which reveal the evolution of a
document and the various edits that led to the final Word file. According to Microsoft, metadata found in Word files
can include:

• Your name
• Your initials
• Your company or organization name
• The name of your computer
• The name of the network server or hard disk where you saved the document
• Other file properties and summary information
• Non-visible portions of embedded OLE objects
• Document revisions
• Document versions
• Template information
• Hidden text
• Comments
View Document Properties:

1. Open a Word document.


2. Click the File tab.
Click “Info” and then click “Show all Properties” to view the metadata entries for the


Use Document Inspector

1. Open a Word document, then click the “File” tab and look under “Info.”
2. Select “Check for Issues” and then click on “Inspect Document” to launch the Document Inspector.
3. Click the check boxes to select the types of metadata the Document Inspector scans for and then click
“Inspect.” Microsoft Word will display the results of the inspection and provide an option to remove the
metadata.
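As an added example (not Microsoft's code and not part of the manual), the Python script below builds a minimal .docx package in memory with made-up properties, reads the author, last-modified-by, revision, timestamps, application, company and template from docProps/core.xml and docProps/app.xml, and then blanks the identity-revealing fields in a copy, which is the kind of removal Document Inspector offers. Values such as "A. Example" and "Example Corp" are constructed; the element names and namespaces are the standard OOXML ones.

```python
"""Read and strip the metadata a Word .docx carries in docProps/core.xml and
docProps/app.xml. Added example; the document is constructed in memory so it
runs without Word. Element names and namespaces follow the OOXML package spec."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = {"title": "dc:title", "creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
               "revision": "cp:revision", "created": "dcterms:created", "modified": "dcterms:modified"}
APP_FIELDS = {"application": "ep:Application", "company": "ep:Company",
              "template": "ep:Template", "total_edit_minutes": "ep:TotalTime"}
IDENTITY_FIELDS = ("dc:creator", "cp:lastModifiedBy", "ep:Company", "ep:Template")

# Constructed property parts with made-up values
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Quarterly report</dc:title>
  <dc:creator>A. Example</dc:creator>
  <cp:lastModifiedBy>B. Reviewer</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-09-01T10:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2023-09-14T08:02:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)
APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <Company>Example Corp</Company>
  <Template>Normal.dotm</Template>
  <TotalTime>95</TotalTime>
</Properties>""".format(**NS)


def constructed_docx() -> bytes:
    """Minimal .docx: a content-types part, an empty document part and the two property parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def extract_docx_metadata(docx_bytes: bytes) -> dict:
    """Return the metadata fields present (non-empty) in core.xml and app.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for label, path in fields.items():
                el = root.find(path, NS)
                if el is not None and el.text:
                    found[label] = el.text
    return found


def strip_personal_metadata(docx_bytes: bytes) -> bytes:
    """Copy the package, blanking author, last-modified-by, company and template,
    roughly what Document Inspector's personal-information removal does."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(data)
                for path in IDENTITY_FIELDS:
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            out.writestr(item, data)
    return out_buf.getvalue()


if __name__ == "__main__":
    doc = constructed_docx()
    print("before:", extract_docx_metadata(doc))
    print("after :", extract_docx_metadata(strip_personal_metadata(doc)))
```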


Practical - 6
AIM: Image metadata analysis.
Theory:
Image metadata is text information pertaining to an image file that is embedded into the file or
contained in a separate file that is associated with it.
Image metadata includes details relevant to the image itself as well as information about its production. Some
metadata is generated automatically by the the device capturing the image. Additional metadata may be added manually and
edited through dedicated software or general image editing software such as GIMP or Adobe Photoshop. Metadata can also
be added directly on some digital cameras.

✔ Technical metadata is mostly automatically generated by the camera. It includes camera


details and settings such as aperture, shutter speed, ISO number, focal depth, dots per inch (DPI). Other
automatically generated metadata include the camera brand and model, the date and time when the image
was created and the GPS location where it was created.

✔ Descriptive metadata is mostly added manually through imaging software by the photographer or someone managing
the image. It includes the name of the image creator, keywords related to the image, captions, titles and comments,
among many other possibilities. Effective descriptive metadata is what makes images more easily searchable.

✔ Administrative metadata is mostly added manually. It includes usage and licensing rights, restrictions on reuse and
contact information for the owner of the image.
Several standardized metadata formats exist, including the IPTC Information Interchange Model (IIM), the Extensible
Metadata Platform (XMP), the Exchangeable Image File format (Exif), the Dublin Core Metadata Initiative (DCMI) and
the Picture Licensing Universal System (PLUS).
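How the Exif data described above is actually laid out, as an added example that is not part of this manual: Exif rides in a JPEG APP1 segment as a TIFF structure of image file directories (IFDs). IFD0 holds the camera make and model and the file timestamp, a sub-IFD holds capture settings such as DateTimeOriginal and ISO, and a GPS IFD holds latitude and longitude as degree/minute/second rationals. The script parses that structure directly rather than calling ExifTool or Exiv2, builds a constructed sample JPEG (the camera name, timestamps and coordinates are made up) so that it runs offline, converts the GPS rationals to decimal degrees, and flags a file whose modification time differs from its capture time, the simplest sign that the image was re-saved by editing software. Because all of this is plain writable data, none of it proves where or when a photo was taken; it is a lead to corroborate, not evidence on its own.

```python
"""Minimal reader for the Exif container: a JPEG APP1 segment holding a TIFF
structure of IFDs. Added example, not from the lab manual; the camera name,
timestamps and coordinates in the sample image are constructed values."""
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}      # bytes per TIFF data type
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x8769: "ExifIFD", 0x8825: "GPSInfo"}
EXIF_TAGS = {0x8827: "ISOSpeedRatings", 0x9003: "DateTimeOriginal"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}

def _decode(raw, typ, count, endian):
    """Turn the raw bytes of one IFD entry into a Python value."""
    if typ == 2:                                            # ASCII, NUL-terminated
        return raw.rstrip(b"\0").decode("ascii", "replace")
    if typ in (3, 4):                                       # SHORT / LONG
        vals = struct.unpack(endian + "%d%s" % (count, "H" if typ == 3 else "I"), raw)
    elif typ == 5:                                          # RATIONAL: numerator/denominator pairs
        p = struct.unpack(endian + "%dI" % (2 * count), raw)
        vals = tuple(n / d if d else float("nan") for n, d in zip(p[::2], p[1::2]))
    else:
        return raw                                          # types this example does not decode
    return vals[0] if count == 1 else vals

def _read_ifd(tiff, offset, endian, names, out):
    """Walk one IFD, storing named tags in `out` and following sub-IFD pointers."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:                                       # value fits inside the 12-byte entry
            raw = tiff[e + 8:e + 8 + size]
        else:                                               # otherwise the entry holds an offset
            (off,) = struct.unpack(endian + "I", tiff[e + 8:e + 12])
            raw = tiff[off:off + size]
        name = names.get(tag, "0x%04X" % tag)
        value = _decode(raw, typ, count, endian)
        if name in ("ExifIFD", "GPSInfo"):                  # pointer to a sub-IFD
            _read_ifd(tiff, value, endian, EXIF_TAGS if name == "ExifIFD" else GPS_TAGS, out)
        else:
            out[name] = value

def parse_exif(jpeg):
    """Return a dict of Exif tags from JPEG bytes ({} when the file carries none)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFD9, 0xFFDA):                      # EOI / start of scan: no more headers
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
            endian = "<" if tiff[:2] == b"II" else ">"      # byte order declared by the TIFF header
            (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
            out = {}
            _read_ifd(tiff, ifd0, endian, IFD0_TAGS, out)
            return out
        pos += 2 + seglen
    return {}

def gps_to_decimal(dms, ref):
    """(degrees, minutes, seconds) plus hemisphere letter -> signed decimal degrees."""
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value

def check_consistency(meta):
    """Simplest editing indicator: file timestamp differs from the capture timestamp."""
    a, b = meta.get("DateTime"), meta.get("DateTimeOriginal")
    return ["DateTime differs from DateTimeOriginal: image re-saved after capture"] if a and b and a != b else []

def _pack_ifd(entries, ifd_offset):
    """Serialize [(tag, type, count, value_bytes)] as a little-endian IFD placed at ifd_offset."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4     # overflow values go right after the IFD
    body = data = b""
    for tag, typ, count, value in entries:
        if len(value) <= 4:
            body += struct.pack("<HHI", tag, typ, count) + value.ljust(4, b"\0")
        else:
            body += struct.pack("<HHII", tag, typ, count, data_start + len(data))
            data += value
    return struct.pack("<H", len(entries)) + body + struct.pack("<I", 0) + data

def build_sample_jpeg():
    """Constructed sample: SOI + APP1 (IFD0, Exif IFD, GPS IFD) + EOI, with no image data."""
    asc = lambda s: s.encode() + b"\0"
    rat = lambda *pairs: b"".join(struct.pack("<II", n, d) for n, d in pairs)
    def ifd0(exif_off, gps_off):
        return [(0x010F, 2, 11, asc("ExampleCam")), (0x0110, 2, 4, asc("X-1")),
                (0x0132, 2, 20, asc("2024:01:16 09:05:00")),
                (0x8769, 4, 1, struct.pack("<I", exif_off)), (0x8825, 4, 1, struct.pack("<I", gps_off))]
    exif = [(0x8827, 3, 1, struct.pack("<H", 200)), (0x9003, 2, 20, asc("2024:01:15 10:30:00"))]
    gps = [(0x0001, 2, 2, asc("N")), (0x0002, 5, 3, rat((23, 1), (1, 1), (30, 1)))]
    exif_off = 8 + len(_pack_ifd(ifd0(0, 0), 8))            # pointer values don't change the size
    gps_off = exif_off + len(_pack_ifd(exif, exif_off))
    tiff = (b"II*\0" + struct.pack("<I", 8) + _pack_ifd(ifd0(exif_off, gps_off), 8)
            + _pack_ifd(exif, exif_off) + _pack_ifd(gps, gps_off))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Calling parse_exif() on the bytes of a real photograph returns the same kind of dictionary; tags the small lookup tables do not name come back under their hex tag number, which is also how an examiner spots vendor-specific entries worth looking up in the Exif specification.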

Example of image metadata analysis:

Adobe Photoshop is a commercial application that includes an XMP viewer. In Photoshop CS5, it is under File
→ File Info. While not as powerful or as complete as Exiv2 and ExifTool, Adobe's viewer does provide the
ability to decode XMP, IPTC, Exif, and other types of metadata in a graphical interface.

 You can add metadata to any document in Illustrator®, Photoshop® or InDesign by choosing File > File Info.
 Here, title, description, keywords and copyright information have been inserted.
 You can view the metadata in InDesign by selecting an image and choosing File Info from the Info panel menu. Or you
can use the metadata by choosing Object > Captions > Caption Setup (as shown).

Practical - 7
AIM: Study of browser forensics - Collect data of history, cache etc.
Theory:
Browser Artifacts
When we talk about browser artifacts we talk about navigation history, bookmarks, the list of downloaded files, cache data, etc.
These artifacts are files stored inside specific folders in the operating system.
Each browser stores its files in a different place than other browsers and they all have different names, but they all store (most of the
time) the same type of data (artifacts).
Let us take a look at the most common artifacts stored by browsers.
 Navigation History: Contains data about the navigation history of the user. Can be used to find out whether the user has visited
some malicious sites, for example.
 Autocomplete Data: This is the data that the browser suggests based on what you search for the most. Can be used in tandem with
the navigation history to get more insight.
 Bookmarks: Self explanatory.
 Extensions and Addons: Self explanatory.
 Cache: When navigating websites, the browser creates all sorts of cache data (images, JavaScript files, etc.) for many reasons,
for example to speed up the loading time of websites. These cache files can be a great source of data during a forensic investigation.
 Logins: Self explanatory.
 Favicons: They are the little icons found in tabs, URLs, bookmarks and the like. They can be used as another source to get more
information about the websites or places the user visited.
 Browser Sessions: Self explanatory.
 Downloads: Self explanatory.
 Form Data: Anything typed inside forms is often stored by the browser, so the next time the user enters something
inside a form the browser can suggest previously entered data.
 Thumbnails: Self explanatory.

Collecting data from history:
 See your history
 On your computer, open Chrome. At the top right, click More.
 Click History
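The History page above is a view over an SQLite database that Chrome keeps in the profile folder (on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default\History). An examiner normally queries that file directly, because it also records which visit led to which and the downloads the user started. The script below is an added example, not part of this manual: it converts Chrome's timestamps (microseconds since 1601-01-01 UTC) to readable UTC, lists URLs newest first, walks the from_visit chain back to the page a user came from, lists downloads, and matches visited hosts against a list of domains of interest. The database it builds in memory is a constructed sample covering only a subset of Chrome's real columns; the URLs, times and file path in it are made up.

```python
"""Query a copy of Chrome's `History` SQLite database for visited URLs, the
visit chain that led to a page, and downloads, converting Chrome timestamps
to UTC. Added example, not from the lab manual; the database built below is
a constructed sample covering a subset of Chrome's schema."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_utc(value):
    """Chrome stores times as microseconds since 1601-01-01 UTC; 0 is used when unset."""
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value else None


def utc_to_chrome_time(dt):
    """Inverse of chrome_time_to_utc (used here to build the sample)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def history_urls(conn):
    """Every URL in the history with its visit count and last visit, newest first."""
    rows = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls "
                        "ORDER BY last_visit_time DESC").fetchall()
    return [{"url": u, "title": t, "visits": c, "last_visit": chrome_time_to_utc(ts)}
            for u, t, c, ts in rows]


def visit_chain(conn, visit_id):
    """Follow visits.from_visit backwards to reconstruct how the user reached a page."""
    chain = []
    while visit_id:
        row = conn.execute("SELECT v.from_visit, u.url FROM visits v JOIN urls u ON u.id = v.url "
                           "WHERE v.id = ?", (visit_id,)).fetchone()
        if row is None:
            break
        visit_id, url = row
        chain.append(url)
    return chain[::-1]                       # oldest first


def downloads(conn):
    """Downloaded files with the page they came from and whether they completed."""
    rows = conn.execute("SELECT target_path, tab_url, start_time, received_bytes, total_bytes "
                        "FROM downloads ORDER BY start_time").fetchall()
    return [{"path": p, "from": u, "started": chrome_time_to_utc(ts), "complete": r == t}
            for p, u, ts, r, t in rows]


def flag_suspect_domains(entries, suspect_domains):
    """Return history entries whose host is, or is a subdomain of, one of the given domains."""
    hits = []
    for e in entries:
        host = (urlsplit(e["url"]).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in suspect_domains):
            hits.append(e)
    return hits


def build_sample_history():
    """Constructed in-memory database mimicking the urls/visits/downloads tables."""
    t = lambda *ymdhm: utc_to_chrome_time(datetime(*ymdhm, tzinfo=timezone.utc))
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, tab_url TEXT,
                                start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://www.example.com/", "Example Domain", 3, t(2024, 1, 15, 10, 30)),
        (2, "http://malicious.example/login", "Sign in", 1, t(2024, 1, 15, 11, 0)),
        (3, "https://docs.example.org/guide", "Guide", 5, t(2024, 1, 14, 8, 0))])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, t(2024, 1, 15, 10, 30), 0),
        (2, 2, t(2024, 1, 15, 11, 0), 1)])   # reached from visit 1, i.e. via a link on example.com
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?)",
                 (1, "C:\\Users\\user\\Downloads\\invoice.pdf", "http://malicious.example/login",
                  t(2024, 1, 15, 11, 2), 10240, 10240))
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_sample_history()
    for entry in history_urls(conn):
        print(entry["last_visit"], entry["visits"], entry["url"])
    print("chain to visit 2:", visit_chain(conn, 2))
    print("downloads:", downloads(conn))
    print("hits:", [h["url"] for h in flag_suspect_domains(history_urls(conn), {"malicious.example"})])
```

On a real system, copy the History file first (Chrome holds it open and locked while running) and open the copy read-only, for example with sqlite3.connect("file:History?mode=ro", uri=True), so the evidence file is never modified; the real tables have many more columns than the sample, but the ones queried here exist under these names.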

Browser cache:
Your web browser stores complete or partial copies of the pages you recently viewed together with the media
(images, audio, and video) in a file on your computer called the cache. The cached files are temporary files
that help the internet pages load quicker. That’s why when you clear your browser cache, you’ll often see that
the sites load slower than usual.

How To View Cached Pages And Files
In order to see cached pages and files, you first need to locate them. You can’t always see them since the folder where
they’re stored may be hidden.

Inside the Cache folder you’ll find files with various extensions and random file names. The difficulty here is that you
won’t know exactly what you’re looking at. Most of the names are random and there’s no way to tell the format of the
file or where it came from.

You can either click on every file to open it or decode the cached files using special software or a browser extension. One of
the best options is to use one of the web browser tools by Nirsoft. For Google Chrome it’s the ChromeCacheView.

After you download the cache viewer, double-click to open the main window. You’ll find the complete list of files stored in
the cache of your browser.

How To View Cookies In Your Browser
Since cookies are responsible for exposing your private details to the web, in most browsers you can find them in the
Privacy section of the Settings.

Practical - 8
AIM: Using Sysinternals tools for Network Tracking and Process Monitoring
Theory:
 Check Sysinternals tools
 Monitor Live Processes
 Capture RAM
 Capture TCP/UDP packets
 Monitor Hard Disk
 Monitor Virtual Memory
 Monitor Cache Memory
1. Check Sysinternals tools: Windows Sysinternals tools are utilities to manage, diagnose,
troubleshoot, and monitor a Microsoft Windows environment.
The following are the categories of Sysinternals Tools:
 File and Disk Utilities
 Networking Utilities
 Process Utilities
 Security Utilities
 System Information Utilities
 Miscellaneous Utilities

2. Monitor Live Processes: (Tool: ProcMon) To Do:
 Filter (Process Name, PID, Architecture, etc.)
 Process Tree
 Process Activity Summary
 Count Occurrences

3. Capture RAM

4. TCP/UDP PACKET CAPTURE

5. Monitor Hard Disk

6. Monitor Virtual Memory

Practical - 9
AIM: Recovering and Inspecting deleted files using Autopsy
Step 1: - Start Autopsy and select “New Case”.

Step 2: - Enter the “Case Name” and your directory. {Autopsy provides multi-user functionality, so select that if
required.}

Step 3: - Enter the Case Number and Examiner’s details, then click on Finish.

Step 4: - Specify the host name or else keep this setting as default

Step 5: - Choose the required data source type, in this case Local Disk for recovering the deleted files
from pen drive.

Step 6: - Select the correct drive and time zone and click on Next.

Step 7: - Select the modules you want to scan and click on Next. By default, it will select all the
supported modules.

Step 8: - Now the Data source is already added, and file analysis has been started.

Step 9: - Once it's done, you will be able to see all the files, both present and deleted, and here is the
preview you will get. It would be great if you try this yourself and explore all the options. You can even
save the files on your laptop or computer using the extract functionality.

Practical - 10
AIM: Acquisition of Cell phones and Mobile devices.

Practical – 11
AIM: Study digital forensic collection and analysis tools used in analysis of digital evidence:
a. COFEE tool
b. Magnet capture tool
c. Ram capture tool
d. NFI Defraser
e. Toolsley
f. Volatility

A. COFEE tool
Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer
forensic investigators extract evidence from a Windows computer. Installed on a USB flash drive or other external
disk drive, it acts as an automated forensic tool during a live analysis. Microsoft provides COFEE devices and online
technical support free to law enforcement agencies.
Development and distribution:
COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on
Microsoft's Internet Safety Enforcement Team. Fung conceived the device following discussions he had at a 2006 law
enforcement technology conference sponsored by Microsoft. The device is used by more than 2,000 officers in at least 15
countries.
A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the
trafficking of child pornography, producing evidence that led to an arrest.
In April 2009 Microsoft and Interpol signed an agreement under which Interpol would serve as principal international
distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations, in conjunction with Interpol,
develops programs for training forensic experts in using COFEE. The National White Collar Crime Center has been
licensed by Microsoft to be the sole US domestic distributor of COFEE.
Benefits of COFEE:
One of the key benefits of using Computer Online Forensic Evidence Extractor is its ability to save time and resources.
Traditional methods of collecting and analyzing digital evidence can be time-consuming and require a significant amount
of manual effort. With COFEE, much of this work can be automated, allowing investigators to quickly and efficiently
process large amounts of data. Another advantage is its ability to provide more accurate and reliable results. Because the
process is automated, there is less room for human error, and the tool analyzes data in a more objective and consistent
manner. This can be particularly important in legal cases, where the accuracy and reliability of evidence can be critical.
In short:
• It reduces the time needed to collect evidence from a live system from hours to minutes.
• It is portable and easy to use: COFEE can be carried on a small USB device that fits in a pocket or on a keychain, and
doesn’t require installation or permission.
• It is free and supported.

Limitations of COFEE:
• It is dependent on the target system. It only works on Windows computers that are running and accessible; it cannot
extract evidence from other operating systems, offline systems or encrypted systems.
• It is vulnerable to detection and countermeasures. COFEE leaves traces on the target system that can be detected by
anti-forensic tools or malware, and it can be blocked or disabled by security software or hardware. In 2009, a tool named
Detect and Eliminate Computer Acquired Forensics (DECAF) was announced by an uninvolved group of programmers who
claimed it protected computers against COFEE and rendered it ineffective.
• It is proprietary and restricted.

B. Magnet capture tool

MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a
suspect's computer, allowing investigators to recover and analyze valuable artifacts that are often
only found in memory.

Installation and working:
 Go to https://www.magnetforensics.com/resources/magnet-ram-capture/
 Fill out the form to start the download.
 Open the application.
 Select Browse and choose the location where you will save the file.
 Press "Start" to begin the capture and wait for the process to finish. The final result is saved as a "Dump File".

MAGNET RAM Capture has a small memory footprint, meaning investigators can run the tool while minimizing the data
that is overwritten in memory. Captured memory can be exported in raw (.DMP/.RAW/.BIN) format and uploaded into
leading analysis tools including Magnet AXIOM and Magnet IEF.
Magnet AXIOM is paid software and available for officials only. Magnet Forensics will no longer sell Magnet IEF, but
here we have an old version of Magnet IEF to analyze the memory captured in raw format by the Magnet capture tool.

Key Features:
 Rapid Data Acquisition - The tool boasts high-speed data capture, enabling investigators to acquire evidence swiftly.
 Cross-Platform Compatibility - It seamlessly works with various devices and operating systems, ensuring versatility in
forensic investigations.
 Data Integrity Assurance - The tool employs advanced techniques to maintain data integrity throughout the acquisition
process.
 User-Friendly Interface - Forensic professionals will appreciate the intuitive and user-friendly interface, simplifying
their tasks.

C. Ram capture tool

Belkasoft Live RAM Capturer is a tiny free forensic tool that reliably extracts the entire contents of a computer’s
volatile memory—even if protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit
builds are available in order to minimize the tool’s footprint as much as possible. Memory dumps captured with
Belkasoft Live RAM Capturer can be analyzed with Live RAM Analysis in Belkasoft Evidence Center.

Designed to Bypass Active Anti-Debugging and Anti-Dumping Protection
Acquiring volatile memory from a computer running a debugging protection or anti-dumping system is tricky. Most
memory acquisition tools run in the system’s user mode and are unable to bypass the defense of such protection systems
(which run in the system’s most privileged kernel mode).
Installation and working:
1. Go to https://belkasoft.com/get
2. Choose Belkasoft Live RAM Capturer and enter your email address. A form opens; fill it in and submit it to receive the
download link by email.
3. You will get an email from Belkasoft with a download link. Click on the link to download and install the application.
4. Open the application and give the path where the RAM capture file should be stored. Click on Start.

Use of Belkasoft Live RAM Capturer:
 Capture RAM: Belkasoft Live RAM Capturer is run on a live system, and it captures the contents of RAM,
including active processes, data, and artifacts.
 Create a Dump File: The tool creates a memory dump file that preserves the captured RAM data, ensuring data
integrity.
 Analysis: The dump file can be analyzed using other forensic tools to uncover evidence of system activities,
open applications, and potentially malicious activities.
 Incident Response: Belkasoft Live RAM Capturer is commonly used in incident response to quickly capture
volatile data for investigative purposes, especially when responding to cybersecurity incidents.
 Data Preservation: It helps in preserving the state of the system at a particular point in time, which can be
crucial for investigations and legal proceedings.
 Reporting: The captured data can be used to generate reports that provide insights into system activities, which
can be crucial for digital forensic investigations.

D. NFI Defraser:
The tool Defraser was developed to find partly erased or damaged multimedia files and, if necessary, repair them. What
sets Defraser apart is its ability to find not just complete multimedia files, but also partial files, such as deleted video
files that have been partly overwritten.

● Download and install NFI Defraggler.
Open your web browser. Go to the official Defraggler website. You can usually find it by searching "Defraggler" in your
preferred search engine: https://www.ccleaner.com/defraggler/download
Select the drive and analyze.

● Key Features of NFI Defraggler
 Customizable Defragmentation: Users can choose to defragment specific files, folders, or entire drives, allowing for
precise control over the optimization process.
 Scheduled Defragmentation: Defraggler enables users to set up automated defragmentation schedules, ensuring that their
drives stay optimized without manual intervention.
 Intuitive User Interface: The software features a user-friendly interface that makes it easy for both beginners and
advanced users to navigate and optimize their disks effortlessly.
 Detailed Drive Analysis: Defraggler provides in-depth analysis reports of disk fragmentation, helping users
understand the current state of their drives before initiating optimization.
 SSD Optimization: While primarily designed for traditional hard drives, Defraggler also includes SSD optimization
features, such as the ability to trim and maintain solid-state drives for better performance and longevity.
 File Shredder: It includes a file shredder feature, allowing users to securely delete sensitive files, ensuring they
are unrecoverable.
 Portable Version: Defraggler offers a portable version, allowing users to run it from a USB drive without installation,
making it convenient for on-the-go optimization.
 Fast and Efficient: The tool is known for its speed and efficiency, making the defragmentation process quick and
effective.
 Regular Updates: Piriform regularly updates Defraggler to ensure compatibility with the latest operating systems
and to add new features and enhancements.

E. Toolsley

Toolsley is a free digital forensic tool that can be used to collect and analyze volatile memory from Windows systems. It
offers a variety of benefits, including:
Ease of use: Toolsley is a relatively easy-to-use tool, even for users who are not familiar with digital forensics.
Wide range of features: Toolsley offers a wide range of features, including the ability to extract a variety of evidence
from memory dumps, such as process information, network connections, and malware artifacts.
Flexibility: Toolsley can be used to analyze memory dumps from both live and dead systems. It can also be used to
analyze memory dumps that have been collected using other RAM capture tools.

1. File Identifier
Figure out the type of a file based on its contents. Recognizes over 2 thousand file formats using libmagic. Libmagic is
the library that commonly supports the file command on Unix systems. The library handles the loading of database files
that describe the magic numbers used to identify various file types.

2. Password Generator
A flexible random password generator.
3. Hash & Validate
Hash any local file with MD5, SHA-1, SHA-256 or CRC-32. This tool also makes validation links that allow others to
check their copy of the file.
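The File Identifier and the Hash & Validate tools above come down to two operations an examiner often scripts: matching a file's leading bytes against a table of known signatures (the magic-number technique libmagic uses) and computing digests so that a copy can be validated against a published value. The block below is an added example, not Toolsley's code or the manual's; its signature table is a small constructed subset rather than libmagic's database, and the sample files are synthetic headers. It goes one step beyond the tools described by also flagging files whose extension disagrees with their content, which the same lookup gives for free, and by hashing files from disk in chunks so large evidence images do not have to be loaded into memory.

```python
"""Identify files by their leading bytes (the magic-number approach behind
libmagic and the `file` command) and compute the digests used to validate
copies of evidence. Added example, not from the lab manual; the signature
table is a small constructed subset and the sample files are synthetic."""
import hashlib
import os
import zlib

# (signature bytes, offset, description, extensions that match it) - constructed subset
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", 0, "PNG image", {"png"}),
    (b"\xff\xd8\xff", 0, "JPEG image", {"jpg", "jpeg"}),
    (b"GIF87a", 0, "GIF image", {"gif"}),
    (b"GIF89a", 0, "GIF image", {"gif"}),
    (b"%PDF-", 0, "PDF document", {"pdf"}),
    (b"PK\x03\x04", 0, "ZIP archive (also docx/xlsx/pptx/jar/apk)",
     {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"\x7fELF", 0, "ELF executable", {"", "so", "elf"}),
    (b"MZ", 0, "DOS/Windows executable (PE)", {"exe", "dll", "sys"}),
    (b"SQLite format 3\x00", 0, "SQLite database", {"db", "sqlite"}),
    (b"\x1f\x8b", 0, "gzip compressed data", {"gz", "tgz"}),
    (b"Rar!\x1a\x07", 0, "RAR archive", {"rar"}),
]


def identify(data):
    """Return (description, matching_extensions) for the first signature that matches."""
    for sig, off, desc, exts in SIGNATURES:
        if data[off:off + len(sig)] == sig:
            return desc, exts
    return "unknown", set()


def extension_mismatch(filename, data):
    """True when the name's extension does not match what the content says it is."""
    desc, exts = identify(data)
    if desc == "unknown":
        return False                     # no opinion without a signature match
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext not in exts


def digests(data):
    """MD5, SHA-1, SHA-256 and CRC-32 of a byte string, as lowercase hex."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)}


def validate(data, expected_sha256):
    """Check a copy against a published SHA-256 (what a validation link carries)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def file_digests(path, chunk_size=1 << 20):
    """Hash a file on disk incrementally, so large evidence images need not be loaded whole."""
    h = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for d in h.values():
                d.update(chunk)
            crc = zlib.crc32(chunk, crc)
    out = {k: d.hexdigest() for k, d in h.items()}
    out["crc32"] = "%08x" % (crc & 0xFFFFFFFF)
    return out


# Constructed samples: a PNG header named .jpg, a PE header named .pdf, plain text
SAMPLES = {
    "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.txt": b"just text\n",
}


def report(samples=SAMPLES):
    """Type, extension check and digests for every (name, bytes) pair."""
    return {name: {"type": identify(data)[0],
                   "mismatch": extension_mismatch(name, data), **digests(data)}
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row["type"], "MISMATCH" if row["mismatch"] else "ok", row["sha256"])
```

Signature matching only tells you what a file starts with; a renamed executable is caught, but a format whose header is absent or deliberately damaged still comes back as "unknown", which is exactly the case where a carving tool such as the one in Practical 9 is needed.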
4. PGPigeon
Encrypt, decrypt, sign or verify messages with PGP. Simple but powerful encryption tool.

F. Volatility
Volatility is one of the best open source software programs for analyzing RAM in 32 bit/64 bit systems. It supports analysis for Linux,
Windows, Mac, and Android systems. It is based on Python and can be run on Windows, Linux, and Mac systems. It can analyze raw
dumps, crash dumps, VMware dumps (.vmem), virtual box dumps, and many others.

● Installation
The Volatility software may be downloaded from here-
https://code.google.com/p/volatility/downloads/list
It also comes pre-installed with Backtrack 5 R3.

● Volatility Workbench is a graphical user interface (GUI) for the Volatility tool. Volatility is a command line memory
analysis and forensics tool for extracting artifacts from memory dumps. Volatility Workbench is free, open source and runs on
Windows. It provides a number of advantages over the command line version, including:
• No need to install a Python script interpreter.
• No need of remembering command line parameters.
• Storage of the platform and process list with the memory dump, in a .CFG file. When a memory image is re-loaded,
this saves a lot of time and eliminates the need to get process list each time.
• Automatic platform detection with .CFG files
• Simpler copy & paste.
• Simpler printing of paper copies (via right click).
• Simpler saving of the dumped information to a file on disk.
• A drop down list of available commands and a short description of what the command does.
• Time stamping of the commands executed.
• Auto-loading the first dump file found in the current folder.
• Support for analysing Mac and Linux memory dumps.
• Up to 20% increase in speed compared to interpreted version.

Practical – 12
AIM: For crime that occurred in recent time (example online fraud). Prepare a report
containing:
● Name of the crime, which year, victim and attacker name
● List of digital devices available for forensics
● List of tools along with short description of their utility
