CF Assignment 2


APRIL 16, 2017

COMPUTER FORENSICS
ASSIGNMENT 2

SUNDEEL BIN HALEEM


MSIS-9
Autopsy:
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital
forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what
happened on a computer.
Shown below is the homepage of the Autopsy forensic browser.

The figures below show the steps to create a new case in Autopsy:
After adding the case, the analysis can be performed on images.
Shown below is a list of features available in Autopsy:
DFF (Digital Forensics Framework) Tool:

DFF is a forensics framework with command-line and GUI interfaces. It is run with the command dff, or dff -g
for the GUI interface. A screenshot of the GUI is shown below.

It can work on RAW, AFF, and EWF images. It helps the examination by preserving the digital chain of
custody. It can also be used to recover deleted files and for volatile memory analysis
(Windows XP only).

Dc3dd:
dc3dd is a patched version of dd. It is used to make a RAW image of a drive. It can also split the image
into multiple files and generate a hash of the image. It is a simple command-line
tool. A screenshot is shown below:

Dcfldd:
dcfldd is an enhanced version of dd. It also has an option to wipe disks. It is also a command-line
tool. A screenshot is shown below:
This command will read ten gigabytes from the source drive and write them to a file called
driveimage.dd.aa. It will also calculate the MD5 hash and the SHA-256 hash of the ten-gigabyte chunk. It
will then read the next ten gigabytes and name that chunk driveimage.dd.ab. The MD5 hashes will be stored in a file
called md5.txt and the SHA-256 hashes will be stored in a file called sha256.txt.
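The chunked-acquisition workflow just described, with the verification step that follows it, is shown below as an added example (not part of the assignment and not dcfldd's own code). It rebuilds the same behaviour from plain GNU coreutils (split, md5sum, sha256sum) so it runs on any Linux box without dcfldd, using a regular file as a stand-in for the source drive; on a real acquisition the source would be a block device such as /dev/sda, and the dcfldd command line in the comment is the one the text describes.

```shell
#!/bin/sh
# Added example, not part of the assignment: the dcfldd workflow the text
# describes (read the source in fixed-size chunks named driveimage.dd.aa,
# driveimage.dd.ab, ..., hash every chunk with MD5 and SHA-256, log the
# hashes to md5.txt and sha256.txt) rebuilt from plain coreutils, plus the
# verification an examiner runs afterwards to prove the image is intact.
# Assumptions: GNU coreutils (split, md5sum, sha256sum); SRC is a regular
# file here, on a real acquisition it would be a block device like /dev/sda.
#
# The dcfldd command line the text describes (not run here) would be:
#   dcfldd if=/dev/sda of=driveimage.dd split=10G splitformat=aa \
#          hash=md5,sha256 md5log=md5.txt sha256log=sha256.txt

# acquire_image SRC OUTDIR CHUNK_BYTES
acquire_image() {
  src=$1; outdir=$2; chunk=$3
  mkdir -p "$outdir"
  # split(1) reads SRC once and writes CHUNK_BYTES-sized pieces with the
  # aa, ab, ac ... suffixes; the last piece is whatever remains.
  split -b "$chunk" "$src" "$outdir/driveimage.dd."
  # Hash each chunk right after acquisition; the logs are the chain-of-custody record.
  ( cd "$outdir" &&
    : > md5.txt && : > sha256.txt &&
    for f in driveimage.dd.*; do
      md5sum "$f"    >> md5.txt
      sha256sum "$f" >> sha256.txt
    done )
}

# verify_image OUTDIR: exit status 0 only if every chunk still matches both logs.
verify_image() {
  outdir=$1
  ( cd "$outdir" &&
    for f in driveimage.dd.*; do md5sum "$f"; done    | cmp -s - md5.txt ) &&
  ( cd "$outdir" &&
    for f in driveimage.dd.*; do sha256sum "$f"; done | cmp -s - sha256.txt )
}

# reassembled_sha256 OUTDIR: SHA-256 of the chunks concatenated in order,
# which must equal the hash of the original source if acquisition was complete.
reassembled_sha256() {
  ( cd "$1" && cat driveimage.dd.* | sha256sum | cut -d' ' -f1 )
}

# demo: constructed evidence (2500 bytes of repeating text, not real data),
# 1024-byte chunks instead of 10G so it finishes instantly.
demo() {
  work=$(mktemp -d)
  yes 'constructed sample evidence' | head -c 2500 > "$work/source.bin"
  acquire_image "$work/source.bin" "$work/out" 1024      # -> chunks aa, ab, ac
  verify_image "$work/out" && echo "chunks match hash logs"
  src_hash=$(sha256sum "$work/source.bin" | cut -d' ' -f1)
  [ "$(reassembled_sha256 "$work/out")" = "$src_hash" ] && echo "reassembled image matches source"
  rm -rf "$work"
}

demo
```

Hashing each chunk at acquisition time and again before analysis is what makes the split image defensible: a single flipped byte in any chunk makes verify_image fail, and the reassembled hash shows that the chunks together are the whole source.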

Extundelete:
extundelete is used to recover deleted files from ext3 and ext4 partitions.
For example, the command extundelete /dev/sda4 --restore-all will search for and try to recover all deleted
data from the sda4 partition.

Foremost:
Foremost is a forensic data recovery program for Linux that recovers files by their headers, footers,
and internal data structures through file carving. jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole,
doc, zip, rar, htm, and cpp are some of the formats supported by foremost.
The command foremost will begin searching for files in the current directory. The file formats to be
searched for can be specified, e.g. if we want to search for images we can use the command foremost -t jpg.
If no output directory is specified, it will create an output folder in the current directory and store the
recovered files there.

Gzrt (The Gzip recovery toolkit):


This tool will attempt to skip over the corrupted data in a gzip archive and allow the rest of the data to
be recovered. The tool used in this toolkit is gzrecover.
For example, gzrecover abc.tar.gz will attempt to salvage all recoverable data from the abc archive.

Kpartx:
kpartx maps the partitions contained in a valid disk image to devices.
The command kpartx -l abc.img will list the partitions in the abc.img file.
After this, the partition mappings are added as recognized devices under /dev/mapper/ using the
command kpartx -a abc.img.
The mappings have the form loop0pX, where X = 1, 2, 3, ...
Finally, a partition can be mounted read-only using the command
mount /dev/mapper/loop0pX /mnt/abc -o loop,ro (X is 1, 2, or another number depending on the image).
The partition will be mounted at /mnt/abc/, from where the files can be read and copied.

Libewf:
libewf is a library to access the Expert Witness Compression Format (EWF).
The libewf package contains the following tools:
ewfacquire: writes storage media data from devices and files to EWF files.
ewfacquirestream: writes data from stdin to EWF files.
ewfexport: exports storage media data in EWF files to (split) RAW format or to a specific version of
EWF files.
ewfinfo: shows the metadata in EWF files.
ewfmount: FUSE-mounts EWF files.
ewfrecover: a special variant of ewfexport that creates a new set of EWF files from a corrupt set.
ewfverify: verifies the storage media data in EWF files.

Log2timeline:
log2timeline is a tool designed to extract timestamps from the various files found on a typical computer
system and aggregate them in a single place for forensic analysis. The tool supports a wide range of
file formats. It is a simple command-line tool.

analyzeMFT.py:
It is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as
possible in multiple formats.
An MFT file was copied from Windows and the tool was used with the following command.

The command reads an input file MFT and writes the results to MFT_result.
The result is shown below:

Safecopy:
safecopy is a data recovery tool which tries to extract as much data as possible from a seekable but
problematic (i.e., damaged sectors) source like floppy drives, hard disk partitions, CDs, etc., where other
tools like dd would fail due to I/O errors.
For example, safecopy --stage1 /dev/sdc abc.img will read the entire sdc device and record the bad blocks in
stage1.badblocks.
Similarly, stage2 and stage3 can then be carried out to mark the exact boundaries of the bad areas.

Scalpel:
Scalpel is an open source program for recovering deleted data, originally based on foremost but
significantly more efficient. Scalpel is being incorporated into The Sleuth Kit.

scalpel can be used as scalpel /dev/sdc -o output.

The output directory can be set, and the file types to be recovered can also be set, in the scalpel.conf file.
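To make concrete what foremost and scalpel do when they carve by header and footer, here is an added example (not the assignment's own material and not code from either project): a minimal carver written with POSIX tools only (od, awk, dd) that pulls JPEG-like blobs, marked by the header bytes ff d8 ff and the footer bytes ff d9, out of a raw image without consulting any filesystem metadata. The sample "disk" it carves is constructed inline; the real tools stream the data and know many more signatures, whereas this one holds the whole image in awk memory.

```shell
#!/bin/sh
# Added example, not part of the assignment: a minimal header/footer carver
# of the kind foremost and scalpel implement, using only POSIX tools (od,
# awk, dd) so it runs without either program. It recovers JPEG-like blobs
# (header ff d8 ff, footer ff d9) from a raw image regardless of filesystem
# metadata, which is why carving still finds deleted files.
# Assumption: the image is small enough to hold as a byte list in awk memory;
# foremost and scalpel stream the data instead.

# carve_jpeg IMAGE OUTDIR -> writes OUTDIR/carved-N.jpg, prints number carved
carve_jpeg() {
  img=$1; outdir=$2
  mkdir -p "$outdir"
  # od prints one hex byte per field; tr puts every byte on its own line.
  od -An -v -tx1 "$img" | tr -s ' \n' '\n\n' |
  awk -v img="$img" -v outdir="$outdir" '
    NF { b[n++] = $1 }                       # collect bytes as b[0..n-1]
    END {
      count = 0; i = 0
      while (i < n - 2) {
        if (b[i] == "ff" && b[i+1] == "d8" && b[i+2] == "ff") {
          j = i + 3                          # look for the footer after the header
          while (j < n - 1 && !(b[j] == "ff" && b[j+1] == "d9")) j++
          if (j >= n - 1) break              # header without footer: nothing to carve
          len = j + 2 - i
          out = sprintf("%s/carved-%d.jpg", outdir, count)
          # dd copies exactly the carved byte range out of the image.
          system(sprintf("dd if=\"%s\" of=\"%s\" bs=1 skip=%d count=%d 2>/dev/null", img, out, i, len))
          count++
          i = j + 2                          # resume scanning after this blob
          continue
        }
        i++
      }
      print count
    }'
}

# make_sample_image PATH: constructed raw "disk" with junk around two
# JPEG-like blobs (12 and 9 bytes long); not a real photo.
make_sample_image() {
  printf 'junk\377\330\377\340JFIF\001\002\377\331zzz\377\330\377\333AAA\377\331tail' > "$1"
}

# demo: carve the constructed image into a temporary directory.
demo() {
  work=$(mktemp -d)
  make_sample_image "$work/disk.raw"
  echo "carved $(carve_jpeg "$work/disk.raw" "$work/out") files into $work/out"
  od -An -tx1 "$work/out/carved-1.jpg"     # second blob: ff d8 ff db 41 41 41 ff d9
  rm -rf "$work"
}

demo
```

The carver shows the limitation the page's foremost -t jpg and scalpel.conf settings exist to manage: it knows nothing about the file except its signature, so a footer pattern occurring inside a blob, or a header whose footer was overwritten, yields a truncated or missing file; real carvers add maximum sizes per type for exactly that reason.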

Testdisk:
TestDisk is powerful free data recovery software. It was primarily designed to help recover lost
partitions and/or make non-booting disks bootable again when faulty software causes these symptoms.
Run testdisk by typing cmd in the terminal and an interface will open:

After selecting the log file option, the disk will be selected:


After this, the partition table type will be selected:

And finally we can select what we want to do with the partition.

Since there was no corrupt partition on my PC I could not verify the results of the tool.
Vbindiff:
VBinDiff (Visual Binary Diff) displays files in hexadecimal and ASCII (or EBCDIC). It can also display two
files at once and highlight the differences between them.

For example:
Shown below is a jpg file in hex form:

Now shown below are the hex views of two different jpg files. The differences are shown in red:
CONCLUSION:
The tool which provides the most options to the user is Autopsy. It has almost all the features of the
other tools and comes with a nice GUI. Case creation and multi-user access to a case are also
good options. Although DFF has a volatile memory tool, Autopsy's tools far surpass DFF in other
features. So for a forensic analyst Autopsy is the best tool to use, as most of the work can be done
through this one tool.
