210280107113 DF-SEM7-BE-CE-LDCE

Practical – 1
• AIM: Study of packet analyzer tool (Wireshark / NMap / Networkminer).

• Theory:
• Wireshark: Packet Analyzer Tool

Wireshark is the world’s foremost and widely used network protocol analyzer. It
lets you see what’s happening on your network at a microscopic level and is the
de facto (and often de jure) standard across many commercial and non-profit
enterprises, government agencies, and educational institutions.

Wireshark development thrives thanks to the volunteer contributions of

networking experts around the globe and is the continuation of a project started
by Gerald Combs in 1998.

Wireshark has a rich feature set which includes the following:

• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD,
and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark
utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap NG,
• Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor,
Network General Sniffer® (compressed and uncompressed), Sniffer® Pro,
and NetXray®, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth,
USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos,
SNMPv3, SSL/TLS, WEP, and WPA/WPA2
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript®, CSV, or plain text

• Wireshark Interface

Wireshark’s interface consists of three main panes that display different views of the packet
data:
1
210280107113 DF-SEM7-BE-CE-LDCE

1. Packet List Pane:

o Displays the list of packets captured in real time.
o Each line represents an individual packet, including columns for the packet
number, time, source, destination, protocol, length, and other relevant
information.
o You can select a packet from this pane to view detailed information in the
other panes.

2. Packet Details Pane:

o Displays detailed information about the selected packet.
o This pane breaks down the packet data according to the OSI layers, showing
data link, network, transport, and application layer details.
o Information such as IP addresses, ports, and protocol-specific details are
visible here.

3. Packet Bytes Pane:

o Shows the raw data of the selected packet in a hexadecimal format, which
allows users to inspect the exact bits transmitted over the network.

• Steps to Capture and Analyze Packets:

1. Download and Install Wireshark:
o Download the latest version of Wireshark from its official website and install
it on your machine.

2
210280107113 DF-SEM7-BE-CE-LDCE

2. Start Wireshark:
o Upon opening Wireshark, you will see a list of available network interfaces
(Wi-Fi, Ethernet, etc.). Select the interface through which network traffic is
to be captured.

3. Start Packet Capture:

o Choose an active network interface and click on the green shark fin button or
use the keyboard shortcut Ctrl + E to start capturing network packets.
o Wireshark will begin displaying the captured packets in the Packet List Pane.
4. Stop Packet Capture:
o After collecting sufficient data, stop the packet capture by clicking the red
stop button or using the Ctrl + E shortcut.
o Best practice suggests stopping the capture before starting analysis to
ensure consistent results.
5. Analyzing Packet Data in the OSI Model:
o Wireshark categorizes captured packet data into layers of the OSI model
(except the Physical layer unless special hardware is used). Here’s what you
can expect from each layer in the packet capture:
o Data Link Layer:
▪ This layer includes MAC addresses and other low-level information.
▪ It is visible for protocols like Ethernet frames and wireless data.
o Network Layer:
▪ Displays IP addresses, routing, and other protocol-specific
information such as ICMP or ARP.
▪ You will see the protocol, source, and destination IP addresses at this
layer.

3
210280107113 DF-SEM7-BE-CE-LDCE

o Transport Layer:
▪ This layer contains TCP or UDP data, which shows the source and
destination port numbers.
▪ Flags such as SYN, ACK, or FIN in TCP will be visible.

o Application Layer:
▪ Data transmitted by protocols such as HTTP, DNS, or FTP is
displayed here.
▪ The application layer is often the most informative as it contains the
actual data being transmitted between systems.

6. Filters:
o Wireshark provides filters to narrow down the displayed data and find
specific packets or information. The filters can be applied at two stages:
o Capture Filters:
▪ Set before starting a capture to limit the data captured.
▪ Example: host 192.168.1.1 to capture packets only from/to a specific
host.
o Display Filters:
▪ Applied to the already captured data to display only specific packets.
▪ Example: ip.src==192.168.1.1 to display packets originating from a
particular IP address.

Signature of Faculty: Grade

4
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 2
• AIM: Study of forensic commands of Linux.

• Theory:
1. Process Investigation
In Linux, a process refers to an executing instance of a program. When
investigating an intrusion, analyzing running processes can provide critical
information regarding unauthorized access or malicious activities. Common
commands used for process investigation include:

ps Command:
• The ps command is used to display the current processes running in the
system.
• Example Usage:
ps -eFH
This command lists all processes in a full-format hierarchical view,
showing child-parent relationships between processes.

pstree Command:
• The pstree command displays running processes as a tree, illustrating the
parent-child relationship.
• Example Usage:
pstree -p -s <PID>
This command helps to visualize the hierarchy of processes and identify
any malicious child processes spawned by known services.

2. Network Forensics: Netcat

Netcat (nc) is a versatile tool used by attackers to establish unauthorized
network connections, such as a bind shell. Identifying suspicious nc processes
can uncover backdoors or command-and-control servers.

Example:
nc -l 0.0.0.0 4444
This command opens port 4444 on the system, awaiting connections from any
IP address. The presence of this command in the process list may indicate an
attempt to create a bind shell.

Command to check the open files of a process:

sudo lsof -p <PID>

3. File System and Logs

Investigating file system activity is a critical part of forensic analysis. Using
utilities like lsof, investigators can gather information about files currently
opened by processes, which may help reveal the data accessed or manipulated
by a potential intruder.

lsof Command:
5
210280107113 DF-SEM7-BE-CE-LDCE

• Example Usage:
sudo lsof -p <PID>
Lists all open files for the specified process.

Log Files:
• Forensic analysis requires investigation of log files to uncover activity
traces. Linux systems store system logs in /var/log/syslog.
sudo grep cron /var/log/syslog

4. Service and Cronjob Analysis

In Linux, cron jobs are used to schedule tasks. Malicious cron jobs could be
used by attackers to gain persistent access to a compromised system.

crontab Command:
• Example Usage:
crontab -u <username> -l
Lists cron jobs associated with a specific user. Investigating cron jobs helps
identify whether the attacker used any scheduled tasks to maintain
backdoor access.

5. Dynamic Process Monitoring with top and journalctl

top Command:
• top dynamically displays system processes and provides a real-time view
of CPU and memory usage.
• Example Usage:
top -u <username>
Shows active processes owned by a particular user.

journalctl Command:
1. Investigators use journalctl to view logs related to specific services or
processes.
2. Example Usage:
sudo journalctl -u <service_name>

6. Autostart and Services Analysis

System Services: Malicious actors may create or modify services to ensure
their persistence in the system.

• Example Usage:
sudo systemctl list-units --type=service --state=running
This command lists all active services, which can reveal any unauthorized
services created by the attacker.

Signature of Faculty: Grade:

6
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 3
• AIM: Make a disk image using an imaging tool.

• Theory:
o The data acquisition of a Hard Drive is known as an image, a forensic image
perhaps when performed in an investigation. Creating a forensics image is one of
the most crucial steps involved in digital forensic investigation. However, this
imaged disk needs to be applied to the hard drive to work.
o One cannot restore a hard drive by placing the disk image files on it as it needs to
be opened and installed on the drive using an imaging program. A single hard
drive can store many disk images on it. Disk images can also be stored on flash
drives with a larger capacity.

o Creating A Forensics Image

Open FTK Imager by AccessData after installing it, and you will see the window
pop-up which is the first page to which this tool opens.

Now, to create a Disk Image. Click on File > Create Disk Image.

7
210280107113 DF-SEM7-BE-CE-LDCE

A Physical Drive is the primary storage hardware or the component within a

device, which is used to store, retrieve, and organize data.

A Logical Drive is generally a drive space that is created over a physical hard disk.
A logical drive has its parameters and functions because it operates
independently.
Now choose the source of your drive that you want to create an image copy of.

Add the Destination path of the image that is going to be created. From the forensic
perspective, It should be copied in a separate hard drive and multiple copies of the
original evidence should be created to prevent loss of evidence.

8
210280107113 DF-SEM7-BE-CE-LDCE

Select the format of the image that you want to create. The different formats for
creating the image are:
Raw(dd): It is a bit-by-bit copy of the original evidence which is created
without any additions and or deletions. They do not contain any metadata.
SMART: It is an image format that was used for Linux which is not
popularly used anymore.
E01: It stands for EnCase Evidence File, which is a commonly used format
for imaging and is similar to
AFF: It stands for Advanced Forensic Format that is an open-source format
type.

A Now, add the details of the image to proceed.

9
210280107113 DF-SEM7-BE-CE-LDCE

Now finally add the destination of the image file, name the image file and then
click on Finish.

Once you have added the destination path, you can now start with the Imaging
and also click on the verify option to generate a hash.

After the image is created, a Hash result is generated which verifies the MD5
Hash, SHA1 Hash, and the presence of any bad sector.

10
210280107113 DF-SEM7-BE-CE-LDCE

The Image Summary also includes the data you entered in the Evidence Item
Information dialog.

Disk image is created.

Signature of Faculty: Grade:

11
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 4
• AIM: Using hex editor analyze metadata of a file.

• Theory:
HxD tool
o HxD is a carefully designed and fast hex editor which, additionally to raw disk
editingand modifying of main memory (RAM), handles files of any size.
o The easy-to-use interface offers features such as searching and replacing,
exporting, checksums/digests, insertion of byte patterns, a file shredder,
concatenation or splitting offiles, statistics and much more.
o Editing works like in a text editor with a focus on a simple and task-oriented
operation, assuch functions were streamlined to hide differences that are
purely technical.
o For example, drives and memory are presented similar to a file and are shown
as a whole,in contrast to a sector/region-limited view that cuts off data which
potentially belongs together. Drives and memory can be edited the same way
as a regular file including support for undo. In addition, memory-sections
define a foldable region and inaccessible sections are hidden by default.
o Furthermore, a lot of effort was put into making operations fast and efficient,
instead of forcing you to use specialized functions for technical reasons or
arbitrarily limiting file sizes. This includes a responsive interface and progress
indicators for lengthy operations.

Features:
o Available as a portable and installable edition
o RAM-Editor
o To edit the main memory
o Memory sections are tagged with data-folds
o Disk-Editor (Hard disks, floppy disks, ZIP-disks, USB flash drives, CDs, ...)
o RAW reading and writing of disks and drives
o for Win9x, WinNT and higher
o Instant opening regardless of file-size
o Up to 8EB; opening and editing is very fast
o Liberal but safe file sharing with other programs
o Flexible and fast searching/replacing for several data types
o Data types: text (including Unicode), hex-values, integers and floats
o Search direction: Forward, Backwards, All (starting from the
beginning)
o File compare (simple)
o View data in Ansi, DOS, EBCDIC and Macintosh character sets
o Checksum-Generator: Checksum, CRCs, Custom CRC, SHA-1, SHA-512, MD5,
o Exporting of data to several formats
o Source code (Pascal, C, Java, C#, VB.NET)
o Formatted output (plain text, HTML, Richtext, TeX)
o Hex files (Intel HEX, Motorola S-record)
o Insertion of byte patterns

12
210280107113 DF-SEM7-BE-CE-LDCE

Installation Steps:
o Step 1: Go to https://mh-nexus.de/en/hxd/ . scroll down and click on the
download page .

o Select English language and click on the to download the zip file

o Step 2: Go to the folder where you have downloaded the zip file .unzip the zip
file.

13
210280107113 DF-SEM7-BE-CE-LDCE

o Step 3: click on the executable and explore the functionalities.

Functionalities:

In HxD we can open any disk or a ram(main memory) and also a files.

In HxD we can easily open any file and do searching , replacing , inserting and
also we can see the statistics of that file.

14
210280107113 DF-SEM7-BE-CE-LDCE

Insertion of bytes

Searching

Replacing

Signature of Faculty: Grade:

15
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 5
• AIM: Study and perform Microsoft office file metadata analysis

• Theory:
o Microsoft Word is currently the word processing software of choice for most
individuals and companies. Many users are under the mistaken belief that the
final version of the "visible" Word document is the only substantive content
contained in the "saved file."
o Beyond the visible document and hidden in Word files is data known as
"metadata". Metadata can include things like revision history, authors, and "track
changes" which reveals the evolution of a document and the various edits that
led to the final Word file. According to Microsoft metadata found in Word files
can include:
• Your name
• Your initials
• Your company or organization name
• The name of your computer
• The name of the network server or hard disk where you saved the
document
• Other file properties and summary information
• Non-visible portions of embedded OLE objects
• Document revisions
• Document versions
• Template information
• Hidden text
• Comments

o View Microsoft Word Properties:

1. Access GroupDocs Online: Visit GroupDocs Metadata Viewer.

16
210280107113 DF-SEM7-BE-CE-LDCE

2. Upload the Document: Click "Browse" or drag & drop your Microsoft
Office file (e.g., .docx, .xlsx) into the upload area.

3. View Metadata: After processing, metadata such as author, creation

date, modification date, software version, and hidden data will be
displayed.

Signature of Faculty: Grade:

17
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 6
• AIM: Image metadata analysis.

• Theory:
o Image metadata is text information pertaining to an image file that is embedded
into the file or contained in a separate file that is associated with it.
o Image metadata includes details relevant to the image itself as well as information
about its production. Some metadata is generated automatically by the the device
capturing the image. Additional metadata may be added manually and edited
through dedicated software or general image editing software such as GIMP or
Adobe Photoshop. Metadata can also be added directly on some digital cameras.
o Technical metadata is mostly automatically generated by the camera. It includes
camera details and settings such as aperture, shutter speed, ISO number, focal
depth, dots per inch (DPI). Other automatically generated metadata include the
camera brand and model, the date and time when the image was created and the
GPS location where it was created.
o Descriptive metadata is mostly added manually through imaging software by the
photographer or someone managing the image. It includes the name of the image
creator, keywords related to the image, captions, titles and comments, among
many other possibilities. Effective descriptive metadata is what makes images
more easily searchable.
o Administrative metadata is mostly added manually. It includes usage and licensing
rights, restrictions on reuse, contact information for the owner of the image.
o Several standardized formats of metadata exist, including: Information
Interchange Model (IPTC), Extensible Metadata Platform (XMP), EXchangable
Image File (Exif), Dublin Core Metadata Initiative (DCMI) and Picture Licensing
Universal System (PLUS).
o Example of image metadata analysis:
Adobe Photoshop is a commercial application that includes an XMP viewer. In
Photoshop CS5, it is under File → File Info. While not as powerful or as complete
as Exiv2 and ExifTool, Adobe's viewer does provide the ability to decode XMP,
IPTC, Exif, and other types of metadata in a graphical interface.
You can add metadata to any document in Illustrator®,Photoshop®, or InDesign
by choosing File > File Info.
Here, title, description, keywords, and copyrightinformation have been inserted

18
210280107113 DF-SEM7-BE-CE-LDCE

You can view the metadata in InDesign by selecting an image and choosing File
Info from the Info panel menu. Or you can use the metadata by choosing Object >
Captions>Caption Setup.

Signature of Faculty: Grade:

19
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 7
• AIM: Study of browser forensics - Collect data of history, cache etc. and prepare report.

• Theory:
o The most widely used applications by the majority of user of computer are Web
Browsers. A Web browser is an application program for accessing the Internet.
Users performs their many activities such as, browsing on the internet, download
files, use social media applications, accessing e-mail accounts via web browser. If
user uses illegally the Internet as a source of information, the evidence related to
the browser uses would be saved in the log file of the Web browser. Web browser’s
log file can help to collect information of criminal. After considering existing
research and tools, this paper suggests a new evidence collection and analysis
methodology and tool for forensic process.
o Google Chrome is one of the most popular browsers of all the browsers available.
It runs on all platforms and has been developed by google. Few salient features
offered by chrome –
• Can be integrated with all google services
• Password synchronization between various devices
• Plugins and extensions availability
• Incognito mood support

o Google chrome artifacts

An artifact is a remnant or trace left behind on the computer which helps to

identify the source of malicious traffic and attack conducted onto the system. Few
examples include cache data, History, Downloads etc.

Chrome stores these artifacts inside specific folders in the operating system. The
file location for every browser is different but the file format remains the same.
Following are the common artifacts stored by Chrome –
• Navigation History – This reveals navigation history of the user. It can be
used to track whether a user has visited any malicious URL or not.
• Autocomplete Data – This reveals data that has been used on various forms
and search terms etc. It is used with Navigation History for more insight.
• Bookmarks
• Add-ons, Extensions and Plugins
• Cache – Contains cache data from various websites like Images, JavaScript
Files etc.
• Logins
• Form Data
• Favicons
• Session Data
• Thumbnails
• Favorites
• Sensitive data

20
210280107113 DF-SEM7-BE-CE-LDCE

o Collecting data from history:

See your history On your computer, open Chrome. At the top right, click More
More. Click History and then History.

o Browser cache:
Your web browser stores complete or partial copies of the pages you recently
viewed together with the media (images, audio, and video) in a file on your
computer called the cache. The cached files are temporary files that help the
internet pages load quicker. That’s why when you clear your browser cache, you’ll
often see that the sites load slower than usual.
o How To View Cached Pages And Files
In order to see cached pages and files, you first need to locate them. You can’t
always see them since the folder where they’re stored may be hidden.
Inside the Cache folder you’ll find files with various extensions and random file
names. The difficulty here is that you won’t know exactly what you’re looking at.
Most of the names are random and there’s no way to tell the format of the file or
where it came from.
You can either click on every file to open it or decode the cached files using special
software or a browser extension. One of the best options is to use one of the web
browser tools by Nirsoft. For Google Chrome it’s the ChromeCacheView.

21
210280107113 DF-SEM7-BE-CE-LDCE

o How To View Cookies In Your Browser

Since cookies are responsible for exposing your private details to the web, in most
browsers you can find them in the Privacy section of the SettiNGS

Signature of Faculty: Grade:

22
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 8
• AIM: Using Sysinternals tools for Network Tracking and Process Monitoring.

• Theory:
o Sysinternals Process Explorer is a tool that allows you to monitor and manage the
processes running on your computer in real-time. With Process Explorer, you can
see detailed information about each process, including the resource usage,
associated handles and modules, and process tree. In this tutorial, we will go over
how to use Sysinternals Process Explorer to monitor and manage processes on
your computer.

o Download and install Process Explorer

To get started, you will need to download and install Process Explorer from the
Sysinternals website:
https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer.
Once the download is complete, run the installer and follow the prompts to
complete the installation.

o Launch Process Explorer

After installation, you can launch Process Explorer by clicking on the Process
Explorer icon on your desktop or by searching for it in the start menu. When you
launch Process Explorer, you will see a window with a list of the currently running
processes on your computer.

This picture shows the Process Explorer window displaying a list of the currently
running processes on the computer.

o View process details

Process Explorer displays a list of the currently running processes on your
computer, including the process name, CPU and memory usage, and associated
handles and modules. You can sort the list by any of these columns by clicking on
the column header. You can also right-click on a process and select “Properties” to
23
210280107113 DF-SEM7-BE-CE-LDCE

view more detailed information about the process. This will open the process
properties window, which displays additional information about the process,
including the command line arguments, version information, and security
attributes.

This picture shows the Process Explorer process properties window displaying
detailed information about a specific process

o Kill processes
You can use Process Explorer to kill processes that are not responding or that you
no longer need. To do this, right-click on the process and select “Kill Process”. Be
cautious when killing processes, as terminating certain processes may cause your
system to crash or become unstable.

This picture shows the Process Explorer “Kill Process” dialog that appears when
you right-click on a process and select “Kill Process”.

o Search for handles and modules

Process Explorer allows you to search for specific handles and modules that are
associated with a process. To do this, go to the “Find” menu and select “Find
Handle or DLL”. This will open the “Find Handle or DLL” window, where you can
enter the name of the handle or module you want to search for.
24
210280107113 DF-SEM7-BE-CE-LDCE

o Find a process associated with a window

Sometimes it can be helpful to find the process associated with a specific window
on your desktop. Process Explorer makes this easy with the “Find Windows
Process” feature. To use this feature, simply drag the crosshairs icon from the
Process Explorer toolbar over the window that you want to find the process for.
Process Explorer will highlight the process in the list and display the process
properties in a separate window.

Signature of Faculty: Grade:

25
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 9
• AIM: Recovering and Inspecting deleted files using Autopsy

• Theory:

o What is Autopsy?
Autopsy is an open source digital forensics tool developed by Basis Technology,
first released in 2000. It is a free to use and quite efficient tool for hard drive
investigation with features like multi-user cases, timeline analysis, registry
analysis, keyword search, email analysis, media playback, EXIF analysis, malicious
file detection and much more.

o How to install Autopsy?

Step 1: Download Autopsy from: https://www.autopsy.com/download/.
Step 2: Run the Autopsy msi installer file.
Step 3: If you get a Windows prompt, click Yes.
Step 4: Click through the dialog boxes until you click a button that says Finish.
Step 5: Autopsy should be installed now.

o How to use Autopsy?

Step 1: Run Autopsy and select New Case.

Step 2: Provide the Case Name and the directory to store the case file. Click
on Next.

26
210280107113 DF-SEM7-BE-CE-LDCE

Step 3: Add Case Number and Examiner’s details, then click on Finish.

Step 4: Choose the required data source type, in this case Disk Image and click
on Next.

Step 5: Give path of the data source and click on Next.

27
210280107113 DF-SEM7-BE-CE-LDCE

Step 6: Select the required modules and click on Next.

Step 7: After the data source has been added, click on Finish.

Step 8: You reach here once all the modules have been ingested. You can begin
begin investigating but recommend id to waiting until analysis and integrity check
is complete.

28
210280107113 DF-SEM7-BE-CE-LDCE

Inspection of deleted files

o Verify File Integrity with Hash Values: Before recovering files, check their hash
values using the File Metadata tab to ensure file integrity. This step helps verify
files haven’t been altered since deletion.

o Examine Operating System and Events: Investigate the system’s OS information

and event logs. Autopsy provides OS details under Results > Extracted Content >
Operating System Information. Use this to track activities like install date and last
shutdown time, which may correlate with file deletion.

o File System Metadata: Analyze metadata such as file creation, modification, and
access times to determine when files were deleted or tampered with. Inspect the
NTFS file system to track unallocated spaces where deleted files might still exist.

Signature of Faculty: Grade:

29
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 10
• AIM: Acquisition of Cell phones and Mobile devices.

• Theory:
o What is Mobile Forensics?
Mobile forensics refers to the process of recovering digital evidence from a mobile
device under forensically sound conditions. Unlike traditional digital forensics,
mobile forensics deals with data stored on devices with unique challenges, such
as complex file systems, encryption, and the volatile nature of mobile storage.
Mobile forensics involves examining:
• Call logs and messages
• Application data (social media, email, etc.)
• Photos, videos, and other media
• Geolocation data
• Internet history and browser cache
• System files, including system logs
Both Android and iOS devices store vast amounts of data, often spread across
multiple locations, making forensic examination critical in legal and corporate
investigations.

o Mobile Forensics Tools

There are numerous tools available to help extract and analyze data from Android
and iOS devices. Some of the most widely used tools include:
1. Cellebrite UFED: One of the leading tools in mobile forensics, offering
advanced capabilities to acquire, decode, and analyze data from Android
and iOS devices.
2. Magnet AXIOM: A comprehensive tool for mobile, computer, and cloud
forensics that supports data extraction from both Android and iOS devices.
3. Oxygen Forensic Detective: A powerful tool that provides deep insights into
various types of mobile data, including encrypted information, cloud data,
and application data.
4. MSAB XRY: A versatile tool that supports a wide range of Android and iOS
devices for extracting data through logical, physical, and file system
extractions.
5. Autopsy with Mobile Modules: Open-source forensic tool with plugins or
modules for mobile analysis, specifically for extracting call logs, SMS, and
other key data.
6. Belkasoft Evidence Center: A tool with a strong focus on mobile data
acquisition, supporting the latest versions of Android and iOS, including
encrypted backups.
7. Elcomsoft Mobile Forensic Toolkits: The complete mobile forensic kit in a
single pack. Perform physical, logical and over-the-air acquisition of
smartphones and tablets, break mobile backup passwords and decrypt
encrypted backups, view and analyze information stored in mobile devices.

30
210280107113 DF-SEM7-BE-CE-LDCE

o How to acquire data from mobile devices

Acquiring data from mobile devices is a delicate process, as improper techniques
can alter or even destroy valuable information. There are several methods of data
acquisition, each suited to different scenarios:
1. Types of Mobile Forensic Acquisition
• Logical Acquisition: This method captures the data that the operating
system can access. Logical acquisition is less invasive and faster but may
not recover deleted or hidden data.
• File System Acquisition: This provides a more in-depth view by accessing
the file system, revealing files, directories, and data not available through
logical acquisition.
• Physical Acquisition: This is the most comprehensive method, capturing a
bit-by-bit copy of the device’s storage. It allows forensic investigators to
recover deleted data, hidden files, and encrypted information.
• Cloud Acquisition: This involves accessing backups and data stored on
cloud services linked to the device (e.g., Google Drive for Android or iCloud
for iOS).
• Hybrid Acquisition: A combination of logical, file system, and physical
methods, depending on the device’s capabilities and state.
2. Acquiring Data from Android Devices
• Android Debug Bridge (ADB): Using ADB, investigators can communicate
with the device via USB to extract data. It’s a non-invasive logical
acquisition method but may require device rooting to access more data.
• Rooting: For physical and file system acquisition, rooting is often
necessary. Rooting bypasses the device’s security restrictions, allowing
deep access to the file system. However, rooting can alter the device, and
care must be taken to avoid contamination of evidence.
• Custom Recovery Tools: Tools like TWRP (Team Win Recovery Project)
allow investigators to load custom recovery environments to extract data.
3. Acquiring Data from iOS Devices
• iTunes Backup: iOS devices automatically create backups when synced
with iTunes. These backups can be acquired and analyzed, offering logical
access to messages, contacts, photos, and more.
• Jailbreaking: Jailbreaking allows full access to the iOS file system, enabling
physical acquisition. However, like rooting Android devices, it can alter the
device’s state.
• Checkm8/Checkra1n Exploit: This hardware-based exploit can be used on
certain iOS devices (iPhone X and earlier models) to perform physical
acquisition without needing to jailbreak the device.
• iCloud Backup: Investigators can acquire iCloud backups if they have the
correct credentials or legal authority to access cloud-stored data.
4. Challenges in Data Acquisition
• Encryption: Both Android and iOS employ encryption that can be difficult
to bypass, especially on newer devices. Encrypted data may require
specific decryption keys or passwords to access.
• Data Fragmentation: Mobile devices constantly store and delete data,
causing fragmentation that can complicate the recovery of deleted files.
• Lock Screens and Passwords: Bypassing password locks can be time-
consuming and requires specific tools depending on the device.
31
210280107113 DF-SEM7-BE-CE-LDCE

o Preservation of Mobile Data

Data preservation is crucial in maintaining the integrity of the evidence. Mobile
devices, especially smartphones, are constantly changing as new data is
generated. Therefore, preserving a snapshot of the device’s state at the time of
acquisition is critical.
1. Isolate the Device
• Turn off Wi-Fi and Bluetooth: To prevent remote wiping or additional data
syncing, isolate the device from the network.
• Airplane Mode: Putting the device in airplane mode prevents further
changes in connectivity while keeping the device powered on.
2. Use a Faraday Bag
• Faraday Bags: These are protective bags that block radio frequency signals,
preventing remote access or interference with the mobile device during
transport or acquisition.
3. Hashing
• Hashing the Data: Like in traditional forensics, use hash functions like MD5
or SHA-256 to create a hash value for the acquired data. This ensures that
any future analysis is done on an unchanged copy of the original data.
4. Backup and Duplication
• Create Multiple Copies: Always create multiple copies of the acquired data.
Store one securely as the master copy and use the others for analysis.

o Investigation and Analysis

After acquiring and preserving mobile data, the next step is to analyze it for
relevant information. Depending on the case, different areas of the mobile device
may provide valuable insights.
1. Analyzing System Data
• Call Logs and Text Messages: Examine the device’s logs for calls, messages,
and communications via apps like WhatsApp, Signal, or Telegram.
• Location Data: Many mobile devices store geolocation information that can
reveal the movement of the device’s user.
• Browser History: The device’s internet history can provide information
about the user’s online activity.
2. Application Data
• Social Media: Apps like Facebook, Instagram, and TikTok may store data
locally, including chat logs, media, and even location history.
• Encrypted Messaging Apps: While apps like Signal and Telegram encrypt
messages, some metadata and logs may still be recoverable from the
device.
3. Cloud Data
• iCloud and Google Drive: Data synced to the cloud can be a goldmine of
information, including contacts, photos, and documents.
• Application Backups: Many apps backup their data to cloud services. These
backups can often be more accessible than the data stored on the device
itself.
4. Recovery of Deleted Data
• Deleted Files: Physical acquisition allows the recovery of deleted data.
Forensic tools can recover fragments of deleted files from unallocated
storage.
32
210280107113 DF-SEM7-BE-CE-LDCE

5. Malware and Exploits

• Malicious Apps: Investigating suspicious apps for signs of malware,
spyware, or other harmful activity is crucial in incident response.
• Fileless Malware: Mobile devices are also vulnerable to fileless malware,
which hides in memory or other volatile locations.

o Handling and Legal Considerations

Mobile devices contain personal and sensitive information, making legal
considerations critical in mobile forensics. Investigators must ensure that all
procedures comply with laws and regulations to maintain the evidence’s
admissibility in court.
1. Chain of Custody
• Properly document every step of the forensic process to maintain a clear
chain of custody, ensuring the evidence’s integrity.
2. Compliance with Privacy Laws
• Mobile forensics often involves personal data. Investigators must be
mindful of privacy regulations such as GDPR, HIPAA, or CCPA when
handling this data.
3. Legal Admissibility
• Ensure that all acquisition, preservation, and analysis methods are
forensically sound and well-documented, ensuring that the data will hold
up in court.

Signature of Faculty: Grade:

33
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 11
• AIM: Study any one digital forensic collection and analysis tool used in analysis of digital
evidence (For eg., Coffee tool, Mangnet capture tool, Ram capture tool, NFI Defragger,
Toolsley, Volatility).

• Theory:

o What is Volatility?
• Open-Source Memory Forensics Framework: Volatility is an open-source
memory forensics framework designed for incident response and malware
analysis.
• Developed in Python: Volatility is written in Python and supports multiple
operating systems, including Microsoft Windows, Mac OS X, and Linux.
• Created by Aaron Walters: Volatility was created by Aaron Walters, based on
academic research he conducted in memory forensics.
o Key Features and History:
• Initial Release: The first version of the Volatility Framework was publicly
released in 2007 at Black Hat DC, after years of academic research into
advanced memory analysis and forensics.
• Shift in Digital Investigations: Before Volatility, digital forensic investigations
primarily focused on analyzing hard drive images. Volatility introduced the
concept of analyzing a system's runtime state using volatile storage (RAM).
• Cross-Platform, Modular Tool: Volatility provided a modular, extensible, and
cross-platform framework that encouraged further research in memory
forensics.
• Collaboration and Innovation: One of Volatility’s key goals was to foster
collaboration and innovation within the forensic community and make
knowledge more accessible.

o How to Install Volatility

Pre-requisite: Python 3 and pip3
Step1: Download Volatility 3
• Open your cmd/terminal.
• Use the following command to clone the Volatility 3 repository:
git clone https://github.com/volatilityfoundation/volatility3.git

Step2: Navigate to the Volatility 3 Directory

• After cloning, a folder named volatility3 will be created.

34
210280107113 DF-SEM7-BE-CE-LDCE

• Navigate to this folder using:

cd volatility3

Step 3: Install Dependencies

• Install the required dependencies using pip:
pip3 install -r requirements.txt

Step 4: Verify Installation

• Check that Volatility is installed correctly by running the help command:
python3 vol.py -h

o Identifying Malicious Processes

“malware can hide but it must run”. Looking at the running processes of a device
is always a great way to try and identify any malware that may be running on the
device.Commands used in volatility

pslist
used for analyzing running processes
python3 vol.py -f <filename> windows.pslist
filename -> file name of captured RAM
The above command will produce the following output:

If the output is too large, you can paginate through it using:

python3 vol.py -f <filename> windows.pslist | less
Alternatively, you can redirect the output to a text file for easier analysis:
python3 vol.py -f <filename> windows.pslist > output.txt

35
210280107113 DF-SEM7-BE-CE-LDCE

Understand the Output

• The output of the pslist command includes several key headers:
o PID: Process ID number
o PPID: Parent Process ID number
o ImageFileName: Name of the running process
o Offset: Hexadecimal value representing the memory location of the
process
o CreateTime: Time when the process started
o ExitTime: Time when the process ended
• Here, you can check the ImageFileName column for process names and analyze
their legitimacy.
• Identify any unusual or suspicious names that may indicate malicious activity.

Pstree
provides a hierarchical view of the processes running in memory, showing parent
child relationships
python3 vol.py -f <filename> windows.pstree

it generates an output where processes are displayed in a tree-like structure. Each

process is shown with an asterisk (*) indicating its level relative to its parent.

36
210280107113 DF-SEM7-BE-CE-LDCE

o Identifying Malicious Network Connections

When a RAM dump is captured any network connections at the time the capture
was taken will also be stored within the captured memory. This is is great for
incident responders as any malicious network connections can be identified such
as the source port, destination IP, destination port, and the process that the
network activity relates to.

netscan
To view the network connections associated with the RAM dump that is being
analyzed use the following command:
python3 vol.py -f <filename> windows.netscan
The following information will be displayed from running this command:

o Identifying Injected Code

Packed malware is essentially ‘wrapped’ with a layer of code, this additional layer
hides the code the malware author has written and it’s this obfuscation technique
that is known as malware ‘packing’.
Because of this when a piece of malware is packed it will need to unpack itself, it
does this in memory which is great for Volatility as that is exactly what the tool is
designed to analyze!

malfind
python3 vol.py -f <filename> windows.malfind
The output of ‘malfind’ is displayed below.

Signature of Faculty: Grade:

37
 210280107113 DF-SEM7-BE-CE-LDCE

Practical – 12
• AIM: For crime occurred in recent time (example online fraud).
Prepare a report containing
• Name of the crime, which year, victim and attacker name
• List of digital devices available for forensics
• List of tools (that can be used for investigation) along with short description of
their utility.

• Theory:

o Incident Details
• Name of the Crime: Data Leak
• Year: 2023
• Victim: Microsoft Corporation
• Attacker: Malicious actors taking advantage of the data exposure

o Digital Modus Operandi Executed

The incident involving Microsoft occurred due to misconfigured security settings
during the publication of open-source training data on GitHub. The Microsoft AI
research team accidentally exposed 38 terabytes of sensitive corporate data,
including private keys, passwords, and internal communications. This was a result
of the researchers using Azure's Shared Access Signature (SAS) tokens incorrectly,
which allowed unrestricted access to the entire storage account instead of specific
files.
In the case of Pegasus Airlines, a similar modus operandi was executed. An
employee misconfigured an AWS (Amazon Web Services) database, which led to
the exposure of 6.5 terabytes of company data, including personal information of
crew members and flight charts. This misconfiguration allowed 23 million files to
be publicly accessible for viewing and modification.

o Motive Behind the Cyber Attack

The primary motive behind the cyber attacks related to these data leak incidents
appears to be opportunistic. Malicious actors often look for vulnerable targets to
exploit valuable information. In these instances:
1. Access to Sensitive Data: The exposed data could be leveraged for various
malicious purposes, including identity theft, corporate espionage, or fraud.
2. Exploitation of Mistakes: The negligence in data configuration provided an
open door for attackers to access sensitive information without needing to
perform sophisticated hacking techniques.
3. Financial Gain: Stolen data, especially sensitive corporate information, can be
sold on the dark web, leading to significant financial gains for cybercriminals.

These incidents serve as a stark reminder of the critical importance of proper data
handling and security protocols. Regular training and awareness programs for
employees, coupled with routine security audits, can significantly mitigate the risk
of such data leaks. Organizations must be vigilant in maintaining their security

38
210280107113 DF-SEM7-BE-CE-LDCE

configurations and monitoring user activities to safeguard sensitive information

against potential cyber threats.

39