LORDS UNIVERSAL COLLEGE

TYBSC CS SEM V – CYBER FORENSIC

INDEX

Sr. No. | Date | Practical | Page No.

1 | 02/08/2024 | Creating a Forensic Image using FTK Imager/EnCase Imager | 3
  • Creating Forensic Image
  • Check Integrity of Data
  • Analyze Forensic Image

2 | 09/08/2024 | Data Acquisition | 14
  Perform data acquisition using:
  • USB Write Blocker + EnCase Imager
  • SATA Write Blocker + EnCase Imager
  • Falcon Imaging Device

3 | 16/08/2024 | Analyze the memory dump of a running computer system | 19
  • Extract volatile data, such as open processes, network connections, and registry information.

4 | 23/08/2024 | Capturing and analyzing network packets using Wireshark (Fundamentals) | 24
  • Identification of the live network
  • Capture packets
  • Analyze the captured packets

5 | 30/08/2024 | Using Sysinternals tools for Network Tracking and Process Monitoring | 42
  • Check Sysinternals tools
  • Monitor live processes
  • Capture RAM
  • Capture TCP/UDP packets
  • Monitor hard disk
  • Monitor virtual memory
  • Monitor cache memory

6 | 06/09/2024 | Recovering and Inspecting deleted files | 54
  • Check for deleted files
  • Recover the deleted files
  • Analyze and inspect the recovered files
  • Perform this using the recovery option in EnCase and also manually through the command line

7 | 13/09/2024 | Steganography Detection | 65
  • Detect hidden information or files within digital images using steganography analysis tools.
  • Extract and examine the hidden content.

8 | 20/09/2024 | Mobile Device Forensics | 73
  • Perform a forensic analysis of a mobile device, such as a smartphone or tablet.
  • Retrieve call logs, text messages, and other relevant data for investigative purposes.

9 | 27/09/2024 | Email Forensics | 89
  • Analyze email headers and content to trace the origin of suspicious emails.
  • Identify potential email forgeries or tampering.

10 | 04/10/2024 | Web Browser Forensics | 104
  • Analyze browser artifacts, including history files, bookmarks, and download records.
  • Analyze cache and cookie data to reconstruct the user's browsing history and identify visited websites or online activities.
  • Extract the relevant log or timestamp file, analyze its contents and interpret the timestamp data to determine the user's last internet activity and associated details.


PRACTICAL NO. 1
Aim: Creating a Forensic Image using FTK Imager/Encase Imager:


In this practical we use FTK Imager to create an image of the evidence (here a pen drive) and then to:

• Create the forensic image
• Check the integrity of the data
• Analyze the forensic image

Go to File → Create Disk Image


Select the source evidence type.

Here we select Physical Drive and proceed: a physical-drive image includes the partition table and any unallocated space, whereas a logical-drive image covers only one volume. The pen drive should be attached through a write blocker (see Practical 2) so that nothing is written to it while it is connected.

Then choose the pen drive from the list of drives and click Finish.


Now we add a destination for the image files.

Here we select the Raw (dd) format. A raw image is a plain byte-for-byte copy with no embedded metadata or hashes; FTK Imager therefore records the acquisition details and hash values in a separate text file beside the image, which must be kept with it. The E01 format stores the same information (and optional compression) inside the image file itself.


Now we fill in the details required for the case (case number, evidence number, examiner, notes); they are written into the image summary.

Create a folder on the system disk to hold the image files: the image is as large as the pen drive, and it must never be written to the evidence drive itself.

Then paste that location as the image destination, give the image a file name, and click Finish.


Then click Start and wait until the imaging is done.


FTK Imager then verifies the image by re-reading it and recomputing the hashes.


The verification results show the MD5 and SHA1 hashes computed from the source drive alongside those computed from the image. If they match, the image is a bit-for-bit copy of the evidence and these hash values become the reference for the rest of the case; if they do not match, the image (or the source drive) changed during acquisition, the image cannot be relied on, and the acquisition must be repeated. Any examiner can later recompute the image hash and compare it with these values to show that the evidence has not been altered.

We take a copy of the image summary for the case file.


Now we view the image in FTK Imager.

Go to File → Add Evidence Item

Then select the type of evidence; here it is Image File.


Give the path of the image created with FTK Imager and click Finish.

FTK Imager now shows the image contents in the evidence tree (partitions, file systems and files, including unallocated space), read-only.
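The verification step above can be repeated later by anyone holding the image, without FTK Imager. The following script is an added example written for this manual, not code from FTK Imager or from the original lab sheet: it streams MD5 and SHA1 over a raw (dd) image, following FTK Imager's numbered segments (.001, .002, ...) in order, and compares the result with the "MD5 checksum:" / "SHA1 checksum:" lines of the summary text file. The segment naming, that summary line format and the example paths in the comments are assumptions.

```python
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, Iterator, List

# Added example, not part of the lab sheet or of FTK Imager.
# FTK Imager writes a raw (dd) image either as one file or as numbered
# segments (<name>.001, <name>.002, ...) plus a summary .txt. This recomputes
# MD5 and SHA1 over the segments in order and checks them against that summary.

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images never sit in memory


def hash_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Stream MD5 and SHA1 over consecutive chunks of one logical image."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def image_segments(first_segment: Path) -> List[Path]:
    """All segments of a split raw image in numeric order (assumed naming <name>.001, .002, ...).

    A single-file image (<name>.dd, <name>.raw, <name>.img) is returned unchanged.
    """
    if not re.fullmatch(r"\d{3}", first_segment.suffix.lstrip(".")):
        return [first_segment]
    pattern = re.compile(re.escape(first_segment.stem) + r"\.\d{3}$")
    segs = [p for p in first_segment.parent.iterdir() if pattern.match(p.name)]
    return sorted(segs, key=lambda p: int(p.suffix.lstrip(".")))


def read_segments(paths: Iterable[Path]) -> Iterator[bytes]:
    """Yield the bytes of each segment in turn, as if they were one file."""
    for path in paths:
        with path.open("rb") as fh:
            while chunk := fh.read(CHUNK):
                yield chunk


def parse_ftk_summary(text: str) -> Dict[str, str]:
    """Hashes recorded in FTK Imager's summary .txt.

    Assumed line format (as FTK Imager writes it):
        MD5 checksum:    <hex>
        SHA1 checksum:   <hex>
    Hex digits are normalised to lower case; everything else in the file is ignored.
    """
    found: Dict[str, str] = {}
    for algo in ("md5", "sha1"):
        m = re.search(rf"{algo}\s+checksum:\s*([0-9a-f]+)", text, re.IGNORECASE)
        if m:
            found[algo] = m.group(1).lower()
    return found


def compare_hashes(computed: Dict[str, str], recorded: Dict[str, str]) -> Dict[str, bool]:
    """{algo: True/False} for every hash the summary records; empty if it records none."""
    return {algo: computed.get(algo) == value for algo, value in recorded.items()}


def verify_image(first_segment: Path, summary_text: str) -> Dict[str, bool]:
    computed = hash_chunks(read_segments(image_segments(first_segment)))
    return compare_hashes(computed, parse_ftk_summary(summary_text))


if __name__ == "__main__":
    # usage: python verify_image.py E:\Case01\pendrive.001 E:\Case01\pendrive.001.txt
    # (placeholder paths; the second file is the .txt FTK Imager saved beside the image)
    results = verify_image(Path(sys.argv[1]), Path(sys.argv[2]).read_text(errors="replace"))
    if not results:
        sys.exit("no hash lines found in summary")
    for algo, ok in results.items():
        print(f"{algo.upper()}: {'verified' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```

Run it against the image and its summary file; a non-zero exit on mismatch makes it usable in a batch re-verification of an evidence store. Because the hashes are computed over the concatenated segments, the result equals the hash of the original drive, which is what FTK Imager records.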


PRACTICAL NO. 2
Aim: Performing data acquisition using various tools.

Perform data acquisition using:

• USB Write Blocker + EnCase Imager
• SATA Write Blocker + EnCase Imager
• Falcon Imaging Device

USB Write Blocker + EnCase Imager

Hardware and paid software:

https://www.getfastforensics.com/write-blockers
https://www.amazon.com/usb-write-blocker/s?k=usb+write+blocker&language=en_US&currency=INR
http://www.orionforensics.com/forensics-tools/orion-usb-write-blocker/

Open-source software:

https://sourceforge.net/projects/usbwriteblockerforwindows8/

A write blocker sits between the evidence drive and the examiner's workstation, passing read commands and discarding writes, so that attaching the drive (and the operating system's automatic mounting, indexing and timestamp updates) cannot alter the evidence. A software write blocker changes the host operating system's policy for newly attached USB storage and therefore depends on the host being configured correctly; a hardware blocker enforces the same rule independently of the host.

EnCase Imager
EnCase is a forensic suite originally produced by Guidance Software (now part of OpenText) and widely used by commercial providers. A standard licence costs around $3,500 (roughly ₹2,89,242).

Overview PDF for the EnCase Imager:

https://www.opentext.com/assets/documents/en-US/pdf/opentext-po-encaseforensic-en.pdf
https://www.forensicstore.com/product/encase-forensic-v8-06/
YouTube video showing the EnCase Imager in use: https://www.youtube.com/watch?v=obmRoD3ChSc


Here is an overview of imaging with EnCase: https://www.hackingarticles.in/forensic-imaging-encase/

SATA Write Blocker + EnCase Imager


Overview of write blockers: https://linuxhint.com/best_hardware_write_blockers/

NIST Computer Forensics Tool Testing (CFTT) results for hardware write blockers: https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt/cftttechnical/hardware

Setup of the write blocker: https://www.youtube.com/watch?v=Kmm8iaa76rQ

Falcon Imaging Device

About the Falcon imaging device:

https://www.logicube.com/shop/forensic-falcon-neo/
http://www.edasfox.com/product/forensic-falcon-neo/
https://www.secureindia.in/?page_id=1068

Price of the Falcon imaging device:

https://www.indiamart.com/proddetail/forensic-falcon-2850471543448.html

Documentation and videos demonstrating the Falcon imaging device:

https://www.forensicfocus.com/articles/how-to-create-a-logical-image-on-falcon-neo/
https://www.forensicfocus.com/articles/how-to-image-to-a-network-repository-with-logicubes-forensicfalcon-neo/
https://www.forensicfocus.com/articles/how-to-use-the-file-browser-feature-in-logicubes-forensic-falconneo/
https://www.youtube.com/watch?v=YSLSi1QpjUs
https://www.youtube.com/watch?v=rZLndjf1hPs


PRACTICAL NO. 3
Aim: Analyzing the memory dump of a running computer system.

Extract volatile data, such as open processes, network connections, and registry information.

Note that the tools used below (Process Monitor, TCPView, Registry Editor) inspect the live, running system directly rather than a saved memory image, and running them changes the state of that system. Record which tool was run, when, and from where (ideally trusted copies on removable media). To preserve memory for later analysis, capture RAM first (for example with File → Capture Memory in FTK Imager) and analyze the dump separately.

Practical:
Open Processes

Go to the Sysinternals Suite folder → Procmon, right-click it and select Run as administrator


Network Connections
Go to the Sysinternals Suite folder → TCPView


Registry Information

Click the search bar on the taskbar → type Regedit → click Registry Editor


View the registry keys of interest, for example HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (programs started at logon), HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (USB storage devices that have been connected) and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (recently opened documents).
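TCPView and Process Monitor show the volatile state on screen; for the case record the same facts have to end up in files that can be re-examined. The script below is an added example written for this manual, not part of the original lab sheet or of the Sysinternals tools: it parses the text produced by the built-in Windows commands netstat -ano and tasklist /fo csv, joins the two on PID, and lists established TCP connections to addresses outside the local networks together with the process that owns them. The sample command output embedded in it is constructed.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Added example, not part of the lab sheet or of Sysinternals. TCPView shows
# the live endpoint table in a GUI; for the case record the same data is
# saved to text with the built-in commands
#     netstat -ano  > netstat.txt
#     tasklist /fo csv > tasklist.csv
# and this script joins the two on PID. The sample output below is constructed.

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    192.168.10.28:49732    203.0.113.7:443        ESTABLISHED     4120
  TCP    192.168.10.28:50001    192.168.10.5:445       ESTABLISHED     4
  TCP    127.0.0.1:49800        127.0.0.1:49801        ESTABLISHED     2210
  UDP    0.0.0.0:5353           *:*                                    1764
"""

TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","980","Services","0","12,345 K"
"updater.exe","4120","Console","1","8,765 K"
"chrome.exe","1764","Console","1","150,000 K"
'''

# Address ranges treated as "inside": RFC 1918, loopback, link-local, unspecified.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/32", "::1/128", "fe80::/10", "fc00::/7", "::/128")]


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which has no State column
    pid: int


# Proto, local, foreign, optional state, PID
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -ano` output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def parse_tasklist(csv_text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv`."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(csv_text))}


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'192.168.10.28:49732' -> ('192.168.10.28', 49732); also handles '[::1]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_external(host: str) -> bool:
    """True only for a unicast address outside INTERNAL_NETS ('*' and hostnames are False)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    if ip.is_multicast:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage(conns: List[Conn], procs: Dict[int, str]) -> List[dict]:
    """Established TCP connections to external hosts, with the owning process name."""
    findings = []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        rhost, rport = split_endpoint(c.remote)
        if is_external(rhost):
            findings.append({"pid": c.pid, "process": procs.get(c.pid, "<unknown>"),
                             "remote": rhost, "port": rport})
    return findings


if __name__ == "__main__":
    for h in triage(parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)):
        print(f"PID {h['pid']} ({h['process']}) -> {h['remote']}:{h['port']}")
```

Replace the two sample strings with the contents of netstat.txt and tasklist.csv captured from the machine under examination. A PID that appears in netstat but not in tasklist (shown as <unknown>) is itself worth noting: the process exited, or was hidden, between the two commands, which is one reason the two snapshots should be taken back to back.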


PRACTICAL NO. 4
Aim: Capturing and analyzing network packets using WireShark (Fundamentals):

• Identification of the live network
• Capture packets
• Analyze the captured packets

In this practical we identify the live network interface, capture traffic and analyze it; we also solve some cases to understand the practical clearly.

Identifying the Live Networks

We use Wireshark, an application used to identify, capture and analyze network traffic. On the start screen Wireshark lists every interface with a small activity graph of its current traffic, which shows which interface is live.

Capturing Network

We are now going to capture on the Ethernet interface.


As soon as you double-click the interface name (or select it and click the Start button), packets appear in real time. Wireshark captures all packets going in and out of the system on that interface. Capturing needs sufficient privileges on the capture interface, so run Wireshark as administrator if no interfaces are listed.

Analyze the Captured Packets

Color Coding: different packets are highlighted in different colors. This is Wireshark's way of displaying traffic so that you can identify its type at a glance.

Default colors are:

▪ Light purple for TCP traffic
▪ Light blue for UDP traffic
▪ Black for packets with problems, for example TCP segments that were retransmitted or arrived out of order ("Bad TCP")

The rules are listed and can be edited under View → Coloring Rules; View → Colorize Conversation → New Coloring Rule creates a rule for the selected conversation.


Here we can see the default colors assigned to each kind of packet.

Now we analyze the data using the display filters provided by Wireshark.


Type the following expressions in the display filter bar to apply a filter.

Display filter expressions

1. Display packets to or from a specific IP address
   ip.addr == 192.0.2.1
   Note that to exclude an address you must write !(ip.addr == 192.0.2.1); ip.addr != 192.0.2.1 still matches every packet, because one of the two address fields is always different.

2. Display packets coming from a specific IP address
   ip.src == 192.168.10.28

3. Display packets going to a specific IP address
   ip.dst == 192.168.10.28

4. Display packets using the HTTP protocol
   http

5. Display HTTP requests only
   http.request

6. Display packets using the TCP protocol
   tcp

7. Display HTTP responses with status 200 OK (the request succeeded)
   http.response.code == 200

8. Display packets on port 80 or 443 (HTTP and HTTPS both run over TCP; add udp.port == 443 if QUIC/HTTP3 traffic is also of interest)
   tcp.port == 80 || tcp.port == 443

9. Display packets whose TCP payload contains the string "facebook"
   tcp contains "facebook"
   This matches plaintext only. Inside TLS the page content is encrypted; the host name is still visible in the Client Hello, so tls.handshake.extensions_server_name contains "facebook" finds the connection itself.


Now we are going to perform a Case Study

AIM:

Analyze the packet capture provided in the lab and answer the questions using Wireshark.

1. What web server software is used by go.microsoft.com?

Analysis –

The domain name is carried in the HTTP Host header, so we add a Host column: select any HTTP request (filter: http.request), expand Hypertext Transfer Protocol in the packet details pane, right-click the Host line and choose Apply as Column. Every request's host name now appears in the packet list.

To isolate the traffic to go.microsoft.com, right-click the Host line of a request for that host and choose Apply as Filter → Selected, which applies http.host == "go.microsoft.com".

Now we can see the Host

Right-click the selected packet and choose Follow → TCP Stream. The server's reply in the stream shows its Server response header, which names the web server software.

2. About what cell phone problem is the client concerned?

Analysis –

The client is talking about a cell phone, so we search the whole capture for that keyword with a regular-expression display filter: frame matches "cell" (the matches operator is case-insensitive by default, so this also finds "Cell" and "CELL"). Note that frame matches searches the raw bytes of each frame, so a keyword inside a gzip-compressed HTTP body will not match; http.file_data matches "cell" searches the decompressed body instead.

In the lab the filter frame matches "microsoft" was also applied. After applying a filter, step through each HTTP request that remains: in the first HTTP request the keyword appears in the URL, and the request concerns a Microsoft Edge connection.

3. According to HTTP, what data will TCP show?

Analysis –

As in the previous question, we start from a display filter, here http, to restrict the view to HTTP traffic.

Select a packet, right-click the Transmission Control Protocol line in the packet details, go to Protocol Preferences and make sure "Allow subdissector to reassemble TCP streams" is checked, so that HTTP bodies that span several TCP segments are reassembled into one object.

Now go to File → Export Objects → HTTP. Wireshark lists every object (page, image, script) carried over HTTP in the capture.

Click Save All to write the objects to a folder.

After checking the exported objects, it appears the only transfers were connectivity checks made while the machine connected to the internet.

4. How many web servers are running Microsoft?

Analysis –

The web server name is returned in the HTTP Server response header, so we apply the filter http.response to see all HTTP response packets.

Now we add the Server header as a column: select any response, expand Hypertext Transfer Protocol, right-click the Server line and choose Apply as Column.

The Server column now shows the server software for every response.

To count the Microsoft servers we cannot go through the packets by hand, so we apply the more specific filter http.server contains "Microsoft".

With that filter applied, go to Statistics → Endpoints.

The Endpoints window lists every address seen in the capture.

Tick "Limit to display filter" so that only the endpoints from the filtered Microsoft responses are counted. 223 endpoints are shown, but 4.150.240.254 must be excluded because it is the client's own address, not a server, which leaves 222 Microsoft web servers. (Endpoints counts distinct IP addresses; one server answering from several addresses, or several servers behind one address, would be counted accordingly.)

CONCLUSION:

We have successfully analyzed the packets provided and answered the questions using Wireshark.
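The case study above answers its questions with a Host column over requests, a Server column over responses, and Statistics → Endpoints limited to a display filter. The script below is an added example written for this manual, not part of the original lab sheet or of Wireshark: it applies the same logic in code over reassembled HTTP messages of the kind Follow → TCP Stream shows, so that the count can be reproduced and re-run. The addresses, host names and Server header values in its sample flows are constructed, not taken from the lab capture.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Added example, not part of the lab sheet or of Wireshark. Each Flow is one
# reassembled HTTP message with the addresses that exchanged it; the sample
# messages below are constructed.


class Flow(NamedTuple):
    src: str        # address that sent this message
    dst: str
    payload: bytes  # one reassembled HTTP message (headers, optional body)


CLIENT = "192.168.10.28"
SAMPLE_FLOWS = [
    Flow(CLIENT, "198.51.100.10", b"GET /fwlink/?LinkId=1 HTTP/1.1\r\nHost: go.microsoft.com\r\n\r\n"),
    Flow("198.51.100.10", CLIENT, b"HTTP/1.1 302 Found\r\nServer: Microsoft-IIS/10.0\r\nLocation: http://www.example.com/\r\n\r\n"),
    Flow(CLIENT, "198.51.100.11", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("198.51.100.11", CLIENT, b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\n\r\n<html></html>"),
    Flow("198.51.100.12", CLIENT, b"HTTP/1.1 200 OK\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n"),
    Flow("198.51.100.10", CLIENT, b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n"),
]


def parse_http_headers(payload: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (start line, {lower-cased header name: value}) for one HTTP/1.x message."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_response(start_line: str) -> bool:
    return start_line.startswith("HTTP/")


def requested_hosts(flows: List[Flow]) -> Set[str]:
    """The 'Host' column over http.request: every host name the client asked for."""
    hosts = set()
    for f in flows:
        start, hdrs = parse_http_headers(f.payload)
        if not is_response(start) and "host" in hdrs:
            hosts.add(hdrs["host"])
    return hosts


def server_for_host(flows: List[Flow], host: str) -> Set[str]:
    """Question 1: Server header(s) sent back by whichever address answered requests for host."""
    answering = {f.dst for f in flows
                 if not is_response(parse_http_headers(f.payload)[0])
                 and parse_http_headers(f.payload)[1].get("host") == host}
    return {parse_http_headers(f.payload)[1]["server"] for f in flows
            if f.src in answering and "server" in parse_http_headers(f.payload)[1]}


def servers_by_software(flows: List[Flow], client_ip: str) -> Dict[str, Set[str]]:
    """Distinct server addresses grouped by Server header, excluding the client's own address.

    Mirrors: http.response, Server as a column, Statistics > Endpoints with
    'Limit to display filter', then dropping the client IP from the count.
    """
    servers: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        start, hdrs = parse_http_headers(f.payload)
        if is_response(start) and "server" in hdrs and f.src != client_ip:
            servers[hdrs["server"]].add(f.src)
    return dict(servers)


def count_servers_matching(flows: List[Flow], client_ip: str, keyword: str) -> int:
    """Question 4: distinct servers whose Server header contains keyword (http.server contains)."""
    addrs: Set[str] = set()
    for software, ips in servers_by_software(flows, client_ip).items():
        if keyword.lower() in software.lower():
            addrs |= ips
    return len(addrs)


if __name__ == "__main__":
    print("hosts requested:", sorted(requested_hosts(SAMPLE_FLOWS)))
    print("go.microsoft.com served by:", server_for_host(SAMPLE_FLOWS, "go.microsoft.com"))
    print("Microsoft servers:", count_servers_matching(SAMPLE_FLOWS, CLIENT, "Microsoft"))
```

Counting addresses rather than responses is what makes the figure comparable with Wireshark's Endpoints window; the same server answering twice (198.51.100.10 above) is still one server.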


PRACTICAL NO. 5
Aim: Use of Sysinternals tools for Network Tracking and Process Monitoring:

• Check Sysinternals tools
• Monitor live processes
• Capture RAM
• Capture TCP/UDP packets
• Monitor hard disk
• Monitor virtual memory
• Monitor cache memory

Let's check whether the Sysinternals Suite is available on the system.

Check Sysinternals Tools

STEPS

Search the web for "sysinternals tools" (the suite is published by Microsoft).

If it is already available, skip the installation part. Otherwise download the Sysinternals Suite for Windows as a zip file from

https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

Then extract the file to the desired directory. For forensic use, keep your own copy of the suite on read-only removable media (the executables are Authenticode-signed by Microsoft, so the signatures can be checked) rather than running whatever copy happens to be on the machine under examination.


Monitor Live Processes

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.

STEPS

Sysinternals folder → Procmon


Accept the licence prompt and the elevation request, then in the Filter dialog select the processes and events to be viewed.

Click Apply and then OK, and examine the displayed events. Procmon keeps events in memory and will consume a lot of RAM on a busy system, so apply a filter early or enable File → Backing Files to log to disk, and use File → Save to export the capture (PML to reload in Procmon, CSV for other tools).
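A saved Procmon capture is more useful than a screen full of scrolling events once it can be summarised. The script below is an added example written for this manual, not part of the original lab sheet or of Sysinternals: it reads a CSV export from Procmon, counts write operations per process, and flags successful writes into locations commonly used for persistence or staging (Run keys, the Startup folder, the user's Temp directory). The CSV column set "Time of Day","Process Name","PID","Operation","Path","Result","Detail" is Procmon's default and is assumed here; the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from typing import Dict, List

# Added example, not part of the lab sheet or of Sysinternals. Process Monitor
# (File > Save..., format CSV) writes one row per event with the default columns
# "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
# (assumed below). The sample rows are constructed.

# Locations a process writes to when it wants to survive a reboot or stage a payload
PERSISTENCE_PATHS = (
    r"\currentversion\run",            # ...\Windows\CurrentVersion\Run and \RunOnce
    r"\start menu\programs\startup",   # per-user Startup folder
    r"\appdata\local\temp",            # common staging directory
)

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0012345 AM","Explorer.EXE","4812","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:02:12.5501234 AM","updater.exe","4120","CreateFile","C:\Users\bmm\AppData\Local\Temp\upd.tmp","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:02:12.5609876 AM","updater.exe","4120","WriteFile","C:\Users\bmm\AppData\Local\Temp\upd.tmp","SUCCESS","Offset: 0, Length: 65,536"
"10:02:13.0000001 AM","updater.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 78, Data: C:\Users\bmm\AppData\Local\Temp\upd.tmp"
"10:02:13.1234567 AM","notepad.exe","5520","WriteFile","C:\Users\bmm\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 120"
"10:02:13.2000000 AM","updater.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
'''


def load_procmon_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def is_write(row: Dict[str, str]) -> bool:
    """True for operations that change a file or registry value.

    CreateFile is only a write when it was opened with write access, which Procmon
    records in the Detail column.
    """
    op = row["Operation"]
    if op in ("WriteFile", "RegSetValue", "RegCreateKey", "SetRenameInformationFile"):
        return True
    if op == "CreateFile":
        detail = row.get("Detail", "")
        return "Generic Write" in detail or "Write Data" in detail
    return False


def writes_per_process(rows: List[Dict[str, str]]) -> Counter:
    """(process name, PID) -> number of write operations."""
    return Counter((r["Process Name"], r["PID"]) for r in rows if is_write(r))


def persistence_writes(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Successful writes into locations listed in PERSISTENCE_PATHS."""
    hits = []
    for r in rows:
        if is_write(r) and r["Result"] == "SUCCESS":
            path = r["Path"].lower()
            if any(p in path for p in PERSISTENCE_PATHS):
                hits.append({"process": r["Process Name"], "pid": r["PID"],
                             "op": r["Operation"], "path": r["Path"]})
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    rows = load_procmon_csv(text)
    for (name, pid), n in writes_per_process(rows).most_common():
        print(f"{name} (PID {pid}): {n} writes")
    for h in persistence_writes(rows):
        print(f"PERSISTENCE {h['process']} [{h['pid']}] {h['op']} {h['path']}")
```

Procmon's own filter dialog can do the same selection interactively (Operation is WriteFile, Path contains Run), but a script applied to the saved CSV leaves a repeatable record of exactly what was looked for.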


Capture RAM
RAMMap is an advanced physical memory usage analysis utility for Windows Vista and higher. It presents usage information in different ways on its several tabs:

▪ Use Counts: usage summary by type and paging list
▪ Processes: process working set sizes
▪ Priority Summary: prioritized standby list sizes
▪ Physical Pages: per-page use for all physical memory
▪ Physical Ranges: physical memory addresses
▪ File Summary: file data in RAM by file
▪ File Details: individual physical pages by file

Note that RAMMap analyzes how physical memory is being used; it does not save a copy of memory. To capture a RAM image for offline analysis, use a dedicated acquisition tool such as FTK Imager's File → Capture Memory, and hash the resulting dump.

STEPS

Sysinternals folder → RAMMap


Accept the prompts and view the mapping.

Capture TCP/UDP packets

TCPView is a Windows program that shows a detailed listing of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of TCP connections. It shows which process owns each endpoint but does not record packet contents; for the packets themselves use Wireshark (Practical 4).

Using TCPView:

When you start TCPView it enumerates all active TCP and UDP endpoints, resolving all IP addresses to their domain names. You can use a toolbar button or menu item to toggle the display of resolved names. Name resolution itself generates DNS traffic from the examined machine, so turn it off when that matters.

Using Tcpvcon

Tcpvcon is the command-line version; its usage is similar to that of the built-in Windows netstat utility.

Usage

Tcpvcon [-a] [-c] [-n] [process name or PID]

-a  show all endpoints (by default only established TCP connections are listed)
-c  print the output as CSV
-n  do not resolve addresses to names

STEPS

Download TCPView


Monitor Hard Disk

DiskMon is an application that logs and displays all hard disk activity (sector-level reads and writes) on a Windows system.

STEPS

Download DiskMon → Run as administrator


Monitor Virtual Memory

VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types.

STEPS

Sysinternals folder → VMMap, then select the process to analyze


Monitor Cache Memory

CacheSet is an applet that allows you to manipulate the working-set parameters of the system file cache. Unlike CacheMan, CacheSet runs on all versions of Windows and works without modification on new Service Pack releases. Note that CacheSet changes the system's cache settings rather than merely observing them, so it alters the state of the machine it is run on; on an evidence system, record this in the examination log or use RAMMap's read-only views instead.

Accept the licence prompt and grant the requested permissions.

Click Apply.


After applying the changes


PRACTICAL NO. 6
Aim: Recovering and Inspecting deleted files

• Check for deleted files
• Recover the deleted files
• Analyze and inspect the recovered files
• Perform this using the recovery option in EnCase and also manually through the command line

In this practical we use Autopsy, an open-source forensic platform, to check for, recover, analyze and inspect deleted files in the image created in Practical 1. Autopsy is a graphical front end for The Sleuth Kit; the same work can be done from the command line with the Sleuth Kit tools (fls lists directory entries, including deleted ones, and icat extracts a file by its metadata address).

Open Autopsy and click New Case.

Give a case name and browse to the folder where the case files should be saved.


Enter the case number and examiner details, matching those recorded when the image was created with FTK Imager in Practical 1.

Select Disk Image or VM File as the data source type and click Next.


Give the path of the image (for a split raw image the first segment is enough) and click Next.

Select the ingest modules to run and click Next. The image hash should already have been verified (Practical 1); Autopsy opens the image read-only and never modifies it.


Read the summary and click Finish.

Now we check the files Autopsy has found.


We see the deleted files (Views → Deleted Files in the tree on the left).

Now we extract/recover some deleted files: right-click the file(s) and choose Extract File(s).

Set a directory for the recovered files. Record the hash of each extracted file (Autopsy shows the MD5 in the file's metadata once the Hash Lookup ingest module has run) so that the recovered copy can be tied back to the image.


Now we generate a report of the analysis (Generate Report on the toolbar).


Select a report format and click Next; here we generate the report in Excel.

Select All Results, which includes everything in the report, and click Finish. The other option, Tagged Results, only reports the items that were tagged during the examination.


Click Close and open the Excel file from the directory where it was saved.
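The aim also asks for the recovery to be done manually, and it helps to know what Autopsy is actually doing when it lists a deleted file. On a FAT-formatted pen drive a deleted file is a 32-byte directory entry whose first byte has been overwritten with 0xE5; the size and starting cluster are still there, so a file whose clusters were contiguous and have not been reused can be carved back out by hand. The script below is an added example written for this manual, not part of the original lab sheet or of Autopsy: it parses short-name FAT directory entries, marks the deleted ones, and recovers a deleted file under the contiguous-allocation assumption. The image bytes it works on are constructed in the script, not taken from a real drive.

```python
import struct
from typing import List, NamedTuple

# Added example, not part of the lab sheet or of Autopsy/The Sleuth Kit.
# Layout of a FAT 8.3 directory entry (32 bytes): name(11) attr(1) NTRes(1)
# CrtTimeTenth(1) CrtTime(2) CrtDate(2) LstAccDate(2) FstClusHI(2) WrtTime(2)
# WrtDate(2) FstClusLO(2) FileSize(4), all little-endian.
DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")


class DirEntry(NamedTuple):
    name: str          # 8.3 name; a deleted entry's first character is lost, shown as '?'
    deleted: bool
    is_dir: bool
    first_cluster: int
    size: int


def parse_dir_entries(raw: bytes) -> List[DirEntry]:
    """Parse a directory's raw bytes; deleted entries (first byte 0xE5) are kept and flagged."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        rec = raw[off:off + 32]
        if rec[0] == 0x00:
            break                                   # 0x00 marks the end of the directory
        name11, attr, _, _, _, _, _, clus_hi, _, _, clus_lo, size = DIR_ENTRY.unpack(rec)
        if attr & 0x08 or (attr & 0x0F) == 0x0F:
            continue                                # volume label or long-name (LFN) piece
        deleted = name11[0] == 0xE5
        base = name11[1:8] if deleted else name11[:8]
        stem = ("?" if deleted else "") + base.decode("latin-1").strip()
        ext = name11[8:11].decode("latin-1").strip()
        entries.append(DirEntry(f"{stem}.{ext}" if ext else stem, deleted,
                                bool(attr & 0x10), (clus_hi << 16) | clus_lo, size))
    return entries


def recover_contiguous(image: bytes, entry: DirEntry, bytes_per_cluster: int, data_start: int) -> bytes:
    """Carve a file assuming its clusters are contiguous (all a deleted entry lets us assume:
    the FAT chain was zeroed on delete). data_start is the byte offset of cluster 2, the
    first data cluster in FAT numbering."""
    if entry.first_cluster < 2 or entry.size == 0:
        return b""
    start = data_start + (entry.first_cluster - 2) * bytes_per_cluster
    return image[start:start + entry.size]


def build_sample_image(bytes_per_cluster: int = 512) -> bytes:
    """Constructed toy image: one directory cluster followed by data clusters 2 and 3."""
    def entry(name11: bytes, attr: int, cluster: int, size: int) -> bytes:
        return DIR_ENTRY.pack(name11, attr, 0, 0, 0, 0, 0, cluster >> 16, 0, 0, cluster & 0xFFFF, size)
    root = (entry(b"REPORT  DOC", 0x20, 2, 25)
            + entry(b"\xE5ECRET  TXT", 0x20, 3, 11)   # deleted: was SECRET.TXT
            + b"\x00" * 32)                            # end-of-directory marker
    root = root.ljust(bytes_per_cluster, b"\x00")
    data = (b"quarterly sales figures!!".ljust(bytes_per_cluster, b"\x00")   # cluster 2
            + b"hello world".ljust(bytes_per_cluster, b"\x00"))              # cluster 3
    return root + data


if __name__ == "__main__":
    img = build_sample_image()
    for e in parse_dir_entries(img[:512]):
        flag = "DELETED" if e.deleted else "       "
        print(f"{flag} {e.name:<12} cluster={e.first_cluster} size={e.size}")
        if e.deleted:
            print("  recovered:", recover_contiguous(img, e, 512, 512))
```

The contiguous-allocation assumption is exactly what Autopsy and icat make for a deleted FAT file, which is why a recovered file should be opened and checked (and hashed) rather than trusted on its name alone: if the clusters were fragmented or reused, the carved bytes belong partly to something else.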


PRACTICAL NO. 7
Aim: Steganography detection using steganography tools (S-Tools / SteganPEG)

• Detect hidden information or files within digital images using steganography analysis tools.
• Extract and examine the hidden content.

In this practical we use SteganPEG to hide files in a JPEG image and then to check a given image for hidden files. SteganPEG hides the files inside the JPEG and protects them with a password; the stegged image still opens as an ordinary picture.

Create a folder to hold the image and the message file, and store the text file and the image in it.

Open SteganPEG, enter a password and browse to the image.


First we add some files to the chosen image.

Save the stegged image.


Open the saved image in SteganPEG with the assigned password to view and extract the hidden files.


Now we hide data by appending an archive to the image from the Command Prompt, and open the result with WinRAR.

Make an archive (here a RAR file; a zip works the same way) of the text file.

Go to the Command Prompt, change to the folder and type the following:

C:\Users\bmm\Desktop\New Folder>copy/b stegprac.jpg + stegpractxt.rar

copy /b concatenates the files byte for byte. Because no destination is given, the archive is appended to the first file, so stegprac.jpg is overwritten in place; to keep the original, name a destination instead, e.g. copy /b stegprac.jpg + stegpractxt.rar stegged.jpg. Image viewers stop reading at the JPEG end-of-image marker (FF D9) and display the picture normally, while WinRAR searches the file for an archive signature and so finds the appended archive. Unlike SteganPEG this conceals very little: the file is larger than the picture alone and the archive header is plainly visible in a hex editor after the FF D9 marker.

Then create a shortcut for WinRAR on the desktop.

Then open the image using the shortcut:

Right-click the image → Open with → Choose another app

Select Choose another app → Choose an app on your PC


Then Desktop → the WinRAR shortcut created earlier, and select Just Once


View the extracted file.
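The copy /b trick is detectable for the same reason WinRAR can open the result: everything after the JPEG's end-of-image marker does not belong to the picture. The script below is an added example written for this manual, not part of the original lab sheet or of any tool named in it: it walks the JPEG segment structure (rather than searching for the last FF D9, which an appended archive could itself contain) to find the true end of the image, then reports what follows and identifies it by signature. The sample JPEG it builds is constructed and structurally valid but not a decodable picture.

```python
from typing import Optional, Tuple

# Added example, not part of the lab sheet or of WinRAR/SteganPEG.
# `copy /b image.jpg + archive.rar` appends the archive after the JPEG's
# End-Of-Image marker. A viewer stops at that marker; this walks the JPEG
# structure to the same point and inspects the trailer. Sample data is constructed.

SIGNATURES = {
    b"Rar!\x1a\x07": "RAR archive",
    b"PK\x03\x04": "ZIP archive",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
    b"%PDF": "PDF document",
}


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the EOI (FF D9) marker of a structurally valid JPEG, else None."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI: the image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                         # stand-alone markers carry no length
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip segment (length includes itself)
        if marker == 0xDA:                   # SOS: entropy-coded data follows until the next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                    # FF00 is a stuffed byte, FFD0-D7 are restart markers
                pos += 1
    return None


def find_appended_payload(data: bytes) -> Optional[Tuple[int, str, int]]:
    """(offset, description, length) of data trailing the JPEG, or None if the file ends at EOI."""
    end = jpeg_end_offset(data)
    if end is None or end >= len(data):
        return None
    trailer = data[end:]
    best: Optional[Tuple[int, str]] = None
    for sig, desc in SIGNATURES.items():
        idx = trailer.find(sig)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, desc)
    if best is None:
        return end, "unidentified data", len(trailer)
    return end + best[0], best[1], len(trailer) - best[0]


def build_sample_jpeg() -> bytes:
    """Minimal structurally valid JPEG: SOI, APP0, SOS, scan data (with a stuffed byte
    and a restart marker), EOI. Constructed for the example; not a real picture."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"     # FF00 = stuffed 0xFF, FFD0 = RST0
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()          # e.g. stegprac.jpg from the practical
    else:
        data = build_sample_jpeg() + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 20
    hit = find_appended_payload(data)
    print("clean JPEG" if hit is None else f"{hit[2]} bytes of {hit[1]} appended at offset {hit[0]}")
```

Run with the stegged image as the argument. A JPEG with an embedded EXIF thumbnail contains a second FF D8 ... FF D9 pair inside its APP1 segment, which a naive search for the marker bytes would trip over; skipping segments by their declared length handles that correctly. SteganPEG's output will show as a clean JPEG here, because it hides data inside the image rather than after it, which is the difference between the two methods.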


PRACTICAL NO. 8
Aim: Mobile Device Forensics
Writeup:


• Perform a forensic analysis of a mobile device, such as a smartphone or tablet.

• Retrieve call logs, text messages, and other relevant data for investigative purposes.

In this practical we perform mobile forensics using the MOBILedit Forensic toolkit.

We are going to download the MOBILedit toolkit.

Go to the link https://www.mobiledit.com/connection-kit

Then click on Online Store and scroll down to the Products.

The price of the Connection Kit is shown below; it is around $1000.

Then we go to the software.

The price is shown below. It starts from $99 and goes up to a few thousand dollars.

Now we are going to start the practical.

Click on Connect and select the type of forensic device to work with. Here we are going with Phone.


Click Next and Select the type of Connection with the Mobile Phone. Here we are going to Select Cable
Connection and click Next

Click Next and let it scan the device. If the phone is found, click Next; if not, perform these steps and retry:

"Go to Phone Settings, open Developer Options and enable it, and then allow USB Debugging."

Enabling Developer Options and USB debugging changes settings on the evidence device, so record what was changed, and when, in the case notes. Then connect the phone with a cable from the Connection Kit for a reliable acquisition.

We got a device connected.

This is the device we are going to use; click on Next.

Fill in the details and browse to a directory in which to store the logs.

Then click on Next and select the acquisition we want. Here we are going to acquire all the data from the device.

Click on Yes and wait for the acquisition to complete.

Open the case, organize it and decide the format in which we need the acquisition.

Fill in the details of the investigator.

Select the format in which to display the data. Here we are going to display it in Excel.

A success message will be prompted.

Now we are going to view and analyze the data acquired from the performed acquisition.

We performed the acquisition on two mobile devices.

The first one is the Oppo Reno 2.

The second one is the OnePlus 9.

Display of the first device, Oppo Reno 2:

Here we can see the phonebook of the device.


And here we can see the Call Logs

And here we can see the messages on the device

Display of the second device, OnePlus 9:

Here we can see Files → Internal Storage → DCIM → Camera

Here we can see Files → Internal Storage → Pictures

Now we are going to generate and analyze the report.

This is the data.log file we created before we started the acquisition.


PRACTICAL NO. 9
Aim: Email Forensics

Writeup:


• Analyze email headers and content to trace the origin of suspicious emails.

• Identify potential email forgeries or tampering

Here we are going to use AccessData FTK.

FTK can filter or find files specific to e-mail clients and servers. You configure these filters when you enter the search parameters.

Because of Jim's responses to a poor performance review, the CEO of Superior Bicycles, Martha Dax, suspects he might have obtained sensitive information about the company's business model that he is leaking to a competitor. Martha asked her CIO to have an IT employee copy the Outlook .pst file from Jim Shu's old computer to a USB drive.

To process this investigation, we need to examine the Jim_shu's.pst file, locate the message, and export it for further analysis of its header to see how Jim might have received it.

Recovering Email

Start AccessData FTK and click Start a new case, then click OK.

Click Next until you reach the Refine Case - Default dialog box. Click the Email Emphasis button, and then click Next.

Create a new File

Fill in the details of the examiner.

Select all the options and click Next.

Select all the options.

Now we have reached the Email Emphasis section.


Click Next until you reach the Add Evidence to Case dialog box, and then click the Add Evidence button.
In the Add Evidence to Case dialog box, click the Individual File option button, and then click Continue.


In the Select File dialog box, navigate to your work folder, click the Jim_shu’s.pst file, and then click
Open.

Enter the evidence information.

Complete the steps and click on Next.

Click on Finish and view the data.


When the Add Evidence to Case dialog box opens, click Next. In the Case summary dialog box, click Finish.
When FTK finishes processing the file, in the main FTK window, click the Email Messages button, and then
click the Full Path column header to sort the records.


For email recovery follow following steps: Click the E-Mail tab. In the tree view, click to expand all folders,
and then click the Deleted Items folder.

Select any message, say Message0001, right-click it and select Launch Detached Viewer to see the details of the deleted message.


For analyzing header follow following steps: Click the E-Mail tab. In the tree view, click to expand all folders,
and then click the Inbox folder. In the File List pane at the upper right, click Message0003; as shown in the
pane at the bottom, it’s from Sam and is addressed to [email protected].


Right-click on any message say Message0003 in the File List pane and click Export File. In the Export Files
dialog box, click OK.

FTK saves exported files in HTML format with no extension.

Right-click the Message0003 file and click Rename. Type Message0003.html and press Enter


Double-click Message0003.html to view it in a Web browser.
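Once a message has been exported, the header analysis itself can be done with a few lines of Python using only the standard email module. The following is an added example, my code and not part of the practical or of FTK, run over a constructed message (the addresses use reserved documentation domains and IP ranges, and the message is not one from Jim_shu's.pst). It walks the Received: chain from the origin to the final mailbox to find the originating IP address, and applies three consistency checks a practitioner uses to spot forgery or tampering: From domain versus Return-Path domain, From domain versus Message-ID domain, and whether the hop timestamps run forwards along the chain.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a message from Jim_shu's.pst). Addresses use reserved
# documentation domains and IP ranges. The From: line claims the company's own domain,
# but the envelope sender and Message-ID point at another domain and the first hop
# is a bare IP address with no reverse DNS name.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mail.superiorbicycles.example (mail.superiorbicycles.example [192.0.2.10])
    by mx.superiorbicycles.example with ESMTP id 4XqT7p1Z; Tue, 10 Sep 2024 09:15:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mail.superiorbicycles.example with ESMTP; Tue, 10 Sep 2024 09:14:58 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by relay.example.net with ESMTPA; Tue, 10 Sep 2024 09:14:50 +0000
From: Sam <sam@superiorbicycles.example>
To: jim.shu@superiorbicycles.example
Message-ID: <20240910091449.1234@mailer.example.net>
Date: Tue, 10 Sep 2024 09:14:49 +0000
Subject: Re: business model

Jim, attached is what you asked for.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received(value):
    """Turn one Received: header into {host, ip, by, time}."""
    flat = " ".join(value.split())                 # undo header folding
    head, _, stamp = flat.rpartition(";") if ";" in flat else (flat, "", "")
    host, ip, by = FROM_RE.search(head), IP_RE.search(head), BY_RE.search(head)
    try:                                           # the date follows the last semicolon
        when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
    except (TypeError, ValueError):
        when = None
    return {
        "host": host.group(1) if host else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "time": when,
    }


def received_chain(msg):
    """Hops in delivery order. Each relay prepends its Received: header, so the
    last header in the file is the one nearest the origin."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def origin_ip(msg):
    chain = received_chain(msg)
    return chain[0]["ip"] if chain else None


def domain_of(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def forgery_indicators(msg):
    """Consistency checks. A hit is a lead to follow up, not proof of forgery:
    mailing lists and third-party senders legitimately trip the first two."""
    findings = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    mid_dom = domain_of(msg.get("Message-ID"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    if mid_dom and mid_dom != from_dom:
        findings.append(f"Message-ID domain {mid_dom} differs from From domain {from_dom}")
    chain = received_chain(msg)
    if not chain:
        findings.append("no Received headers: never relayed, or headers stripped")
    times = [hop["time"] for hop in chain if hop["time"]]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        findings.append("Received timestamps run backwards along the chain")
    return findings


def analyse(raw_message):
    msg = message_from_string(raw_message)
    return {
        "origin_ip": origin_ip(msg),
        "hops": received_chain(msg),
        "findings": forgery_indicators(msg),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_MESSAGE)
    print("origin:", result["origin_ip"])
    for hop in result["hops"]:
        print(f"  {hop['host']} ({hop['ip']}) -> {hop['by']} at {hop['time']}")
    for finding in result["findings"]:
        print("finding:", finding)
```

Only the Received: header added by your own mail server can be trusted; everything below it was written by systems the sender may control, which is why the checks compare fields against each other rather than believing any one of them. To use this on the message exported from FTK, open the exported .html in a text editor and paste the raw header block into the string, or read a .eml file with email.message_from_file.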


PRACTICAL NO. 10
Aim: Using Web Browser Forensics
Writeup:


• Analyze browser artifacts, including history files, bookmarks, and download records.
• Analyze cache and cookies data to reconstruct user-browsing history and identify visited websites or
online activities.
• Extract the relevant log or timestamp file, analyze its contents and interpret the timestamp data to
determine the user's last internet activity and associated details.
We are going to use Browser History Examiner. Run it as Administrator.

It is paid software, but it has a free trial that returns a total of 25 records across all the browsers on the device.

Click on Continue Trial.


Click OK

This is the Interface of the Application

Go to File → Capture History

We are going to capture from this device only; select that and click Next.

Select the browser whose history we want and give a directory in which to save the extracted history files.


Here we can see the websites visited


Here we can see the bookmarks

Here we can see the browser settings

Here we can see the cached files

Here we can see the cached images.

Here we can see the cached web pages.

Here we can see the cookies stored


Here we can see the emails used for logins

Here we can see the favicons

Here we can see the searches


Here we see the thumbnails

Here we can see the websites visits
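Browser History Examiner converts the timestamps for you, but the last bullet of this practical asks for the timestamps to be interpreted directly. The following added example is my code, not part of the practical and not Browser History Examiner: it builds a constructed in-memory SQLite database shaped like a Chromium History file (the table and column names urls.last_visit_time and visits.visit_time match the real schema; the rows are made up), converts the WebKit-epoch microsecond timestamps to UTC datetimes, orders the visits into a timeline and reports the user's last recorded activity.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium-based browsers store History timestamps as microseconds since 1601-01-01 UTC
# (the Windows FILETIME / "WebKit" epoch). Reading the value as Unix seconds gives a
# date tens of thousands of years off, so every timestamp must be converted first.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_webkit(dt):
    """Aware datetime -> microseconds since the WebKit epoch."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def from_webkit(value):
    """Microseconds since the WebKit epoch -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def build_sample_history():
    """Constructed in-memory stand-in for a Chromium History database.

    Only the columns used below are created; the table and column names match
    the real schema (urls.last_visit_time, visits.visit_time).
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
    """)
    sample_visits = [  # constructed sample data, not from a real profile
        ("https://example.com/news", "News", datetime(2024, 9, 19, 22, 15, tzinfo=timezone.utc)),
        ("https://example.net/webmail", "Webmail", datetime(2024, 9, 20, 9, 30, tzinfo=timezone.utc)),
        ("https://example.org/upload", "File upload", datetime(2024, 9, 20, 10, 0, tzinfo=timezone.utc)),
    ]
    for url_id, (url, title, when) in enumerate(sample_visits, start=1):
        stamp = to_webkit(when)
        con.execute("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", (url_id, url, title, 1, stamp))
        con.execute("INSERT INTO visits VALUES (?, ?, ?, ?)", (url_id, url_id, stamp, 0))
    con.commit()
    return con


def timeline(con):
    """Every visit, oldest first, as (UTC datetime, url, title)."""
    rows = con.execute("""
        SELECT v.visit_time, u.url, u.title
        FROM visits AS v JOIN urls AS u ON u.id = v.url
        ORDER BY v.visit_time
    """)
    return [(from_webkit(t), url, title) for t, url, title in rows]


def last_activity(con):
    """Most recent visit, i.e. the user's last recorded browsing activity."""
    events = timeline(con)
    return events[-1] if events else None


if __name__ == "__main__":
    con = build_sample_history()
    for when, url, title in timeline(con):
        print(when.isoformat(), url, title)
    print("last activity:", last_activity(con))
```

To run it on a real profile, copy the History file (together with any History-journal or History-wal file beside it) out of the profile first, because the running browser holds a lock on it, and pass the copy's path to sqlite3.connect in place of ":memory:". Report times in UTC and convert to the local time zone of the device only when presenting, noting the zone used. Firefox uses a different store (places.sqlite, with timestamps in microseconds since the Unix epoch), so the conversion functions above apply to Chromium-based browsers only.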
