
Digital Forensics Technology & Practices

Lab Manual

1|P a g e Digital Forensics Technology & Practices Lab Manual


Digital Forensics Technology & Practices (Lab)
Learning Objectives

In this lab students will:

1. Analyse computer evidence.
2. Investigate digital evidence in Windows and Linux environments.
3. Investigate network evidence.

LIST OF EXPERIMENTS:
1. Recovery and analysis of data using the EaseUS Data Recovery tool
2. Performing hash, checksum, or HMAC calculations using HashCalc
3. Viewing files of various formats using File Viewer
4. Handling evidence data using P2 Commander
5. Creating a disk image file of a hard disk partition using R-Drive Image
6. Analyzing file system types using The Sleuth Kit (TSK)
7. Analyzing a raw image using Autopsy
8. Investigating an NTFS drive using Disk Explorer for NTFS
9. Viewing the content of a forensic image using the AccessData FTK Imager tool
10. Discovering and extracting hidden forensic material on computers
11. Viewing, monitoring, and analyzing events using Event Log Explorer
12. Performing a computer forensic investigation using the Helix tool
13. Acquiring volatile data on a Linux system
14. Analyzing non-volatile data on a Linux system
15. Scanning system and network resources using Advanced IP Scanner
16. Monitoring TCP/IP connections using the CurrPorts tool
17. Exploring and auditing a network using Nmap

Lab 1: Recovering Data Using the EaseUS Data Recovery Tool

Lab Objectives:

The objective of this lab is to help students understand and perform data recovery
using the EaseUS Data Recovery Wizard tool.

Lab Environment:
This lab requires:

- A computer running a Windows 10 virtual machine.
- Administrative privileges to install and run tools.
- A web browser with an Internet connection.
- EaseUS Data Recovery Wizard, located at C:\CHFI-Tools\CHFIv9Module 02 Computer
  Forensics Investigation
- You can also download the latest version of EaseUS Data Recovery Wizard at:
  https://www.easeus.com/datarecoverywizard/free-data-recovery-software.htm

Lab Tasks:
1. Log on to the Windows 10 virtual machine.
2. Navigate to Z:\CHFIv9Module 02 Computer Forensics Investigation Process\Data
   Recovery Tools\EaseUS Data Recovery Wizard, double-click drw_free.exe, select a
   language (English) and follow the wizard-driven installation steps to install the
   application.

Note: If an Open File - Security Warning pop-up appears, click Run. If a User Account
Control pop-up appears, click Yes. If a Windows Security dialog box appears, enter the
credentials of the Windows Server 2012 virtual machine and then click OK.

3. In the final step of the installation, ensure that the Launch EaseUS Data Recovery
   Wizard option is checked, uncheck the Participate in the Customer Experience
   Improvement Program option and click Finish.

4. An EaseUS web page opens in the default web browser; close it.

5. EaseUS Data Recovery Wizard appears along with a pop-up. Close the pop-up and
   click Next in the wizard.

6. The next step of the wizard displays the Common Locations and Hard Disk
   Drives. Select the D drive and then click Scan.

7. The application begins to scan the drive and displays the contents of the
   drive, along with the data that has been deleted.

8. On completion of the scan a pop-up appears; click OK to close it.

9. The file system of the D drive appears in the left pane, displaying the files present
   in the drive (if any) along with the deleted files (denoted by the letter d) as shown
   in the following screenshot:

10. To view the deleted files inside a folder which contains sub-folders, expand the
    nodes pertaining to each directory until you find a directory that contains files.

11. In this lab, the deleted contents of the directory top_files located in \Al-Qaida
    Hard Disk\Al-Qaida Articles\x_files\ are viewed.

12. To view a deleted file, right-click on the respective file and click Preview.

13. The preview of the file appears as shown in the following screenshot:

14. Click Cancel to view the other deleted files.

15. To view the files in image formats, click the Graphics tab and then select
    a folder. The images present in the folder appear in the right pane as shown in the
    following screenshot:

16. To recover one or more files, select the file(s) of your choice and click
    Recover. In this lab, the files present in the Image Files folder are being recovered.

17. A Browse for Folder window appears. Choose a location to store the
    recovered files.

18. Navigate to Documents, create a folder named Recovered Files and then click
    OK.

19. EaseUS Data Recovery recovers the files to Recovered data [date] at
    [time]\New Volume as shown in the following screenshot:

20. Open the New Volume folder. It contains the Image Files folder, from which the
    deleted files were recovered in step 16. Open this folder.

21. The files are successfully recovered as shown in the following screenshot:

22. Switch to EaseUS Data Recovery Wizard and close the pop-up that contains the
    status of the recovery.

23. In the same way you can view and recover files of other formats. In some cases
    the application may fail to find all the deleted files; you may then need to
    perform a deep scan of the respective disk.

Note: Always recover to a different volume from the one being scanned (here,
Documents on C: rather than D:). Writing recovered files back onto the scanned drive
can overwrite the very clusters that still hold other deleted data. In a real
investigation, run the recovery against a forensic image of the drive rather than the
original evidence media.
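As an added example (not part of the original lab manual and not EaseUS code), the
following Python script shows what a recovery tool does underneath a "deep scan": it
ignores the file system and looks for file signatures in raw bytes, carving each PNG or
JPEG out by finding its header and its trailer. A file whose trailer cannot be found
before the next header is reported as incomplete, which is what an overwritten or
truncated deleted file looks like. The raw image and the files inside it are constructed
inline; the PNG is built with real chunk CRCs so the carved copy can be checked for
integrity afterwards.

```python
import struct
import zlib

# Carving signatures: (kind, header magic, trailer magic, bytes that follow the trailer).
# PNG ends with the IEND chunk, i.e. the tag "IEND" plus its 4-byte CRC.
# JPEG starts with SOI (FF D8) followed by a marker (FF xx) and ends with EOI (FF D9).
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND", 4),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 0),
]


def _next_header(image: bytes, start: int):
    """(offset, signature) of the earliest known header at or after start, else (None, None)."""
    best = None
    for sig in SIGNATURES:
        off = image.find(sig[1], start)
        if off != -1 and (best is None or off < best[0]):
            best = (off, sig)
    return best if best else (None, None)


def carve(image: bytes):
    """Signature-based file carving over raw bytes (unallocated space, a dd image, ...).

    Returns a list of (offset, kind, data, complete). complete is False when no trailer
    was found before the next header or the end of the image. Simplification: a
    header-like byte pattern inside a file would split that file; real carvers also
    validate the internal structure before trusting a hit.
    """
    found = []
    pos = 0
    while True:
        start, sig = _next_header(image, pos)
        if start is None:
            break
        kind, header, trailer, extra = sig
        # A truncated file ends, at the latest, where the next file header begins.
        limit, _ = _next_header(image, start + len(header))
        limit = len(image) if limit is None else limit
        t = image.find(trailer, start + len(header), limit)
        if t == -1:
            end, complete = limit, False
        else:
            end, complete = min(t + len(trailer) + extra, limit), True
        found.append((start, kind, image[start:end], complete))
        pos = end
    return found


def png_chunks_valid(data: bytes) -> bool:
    """Walk the PNG chunk list and verify every chunk CRC up to and including IEND."""
    if not data.startswith(SIGNATURES[0][1]):
        return False
    pos = len(SIGNATURES[0][1])
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            return False  # chunk runs past the carved data: truncated
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(tag + body) & 0xFFFFFFFF):
            return False  # chunk damaged or partially overwritten
        pos += 12 + length
        if tag == b"IEND":
            return True
    return False


def minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG with correct chunk CRCs (sample input only)."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1 pixels, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return SIGNATURES[0][1] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def minimal_jpeg() -> bytes:
    """Constructed JPEG stub: SOI, one APP0/JFIF segment, EOI (sample input only)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + b"\xff\xd9"


PNG_OFFSET = 512  # where the sample PNG is dropped into the constructed image


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': zeroed sectors with a PNG and a JPEG inside."""
    return bytes(PNG_OFFSET) + minimal_png() + bytes(200) + minimal_jpeg() + bytes(300)


if __name__ == "__main__":
    for offset, kind, data, complete in carve(build_sample_image()):
        status = "complete" if complete else "TRUNCATED"
        extra = f" crc_ok={png_chunks_valid(data)}" if kind == "png" else ""
        print(f"offset={offset:6d} kind={kind:4s} size={len(data):4d} {status}{extra}")
```

The carved PNG is checked chunk by chunk because a signature match alone says nothing
about whether the clusters between header and trailer still belong to that file;
recovery tools show the same distinction as "preview works" versus a corrupt preview.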

Lab Analysis:

Analyse and document the results related to this experiment.

…………………………………………………………………………………………………………
…………………………………………………………………………………………………………
…………………………………………………………………………………………………………

Lab 2: Performing Hash, Checksum, or HMAC Calculations Using HashCalc

Lab Objectives:
This lab shows how to compute hash values, checksums and keyed-hash message
authentication codes (HMACs) of files and text strings, and how they are used to verify
the integrity of evidence. It will teach you how to:

- Calculate message digests and checksums with HashCalc.
- Generate HMAC values using a text or hex key.

Note: Hashing is not encryption. A hash is a one-way fingerprint of the data; it cannot
be reversed to recover the data, and it is used in forensics to prove that a file or image
has not changed since it was acquired.

Lab Environment:
This lab requires:

- A computer running a Windows Server 2012 virtual machine.
- Administrative privileges to run tools.
- HashCalc, located at C:\CHFI-Tools\CHFIv9Module 02 Computer Forensics
  Investigation Process\Hash Value Calculator Tools\HashCalc.
- You can also download the latest version of HashCalc from the link
  http://www.slavasoft.com/hashcalc/
- Please note that if you download the latest version, the screenshots
  and steps shown in this lab might differ.

Lab Tasks:
1. Log in to the Windows Server 2012 virtual machine.
2. Navigate to C:\CHFI-Tools\Evidence Files\Image Files to find the evidence files for
   this lab.

3. Navigate to C:\CHFI-Tools\CHFIv9Module 02 Computer Forensic Investigation
   Process\Hash Value Calculator Tools\HashCalc, then double-click setup.exe and follow
   the wizard-driven installation steps to install the application.
   Note: If an Open File - Security Warning pop-up appears, click Run.

4. In the final step of the installation, uncheck the View the README file option, check
   the Launch HashCalc option and click Finish.

5. The HashCalc application's main window appears as shown in the following
   screenshot:

6. In the Data Format drop-down list, select File and click the ellipsis
   button associated with the Data field to select the file.

7. A Find window appears; navigate to C:\CHFI-Tools\Evidence Files\Image Files. In
   this location, select the evidence file whose hash value needs to be calculated. In
   this lab, we have selected Blackberry.png. Once you select the file, click Open.

8. The selected file is displayed in the Data field.

Note: To calculate the message digests/checksums for the data, the HMAC box must
be unchecked.

9. Select the algorithms you want to use for the calculation by checking the boxes
   with the appropriate names, and then click the Calculate button.

10. Hash values are displayed for the selected file as shown in the following
    screenshot:

11. To calculate the keyed-hash message authentication code (HMAC) for the
    data:
    - Check the HMAC box.
    - In the Key Format combo box, select the type of key you want to use for the
      calculation. HashCalc allows you to perform calculations using text keys or hex
      keys.
    - In the Key box, enter the key for the HMAC calculation (for example, here test is
      entered as the key).
    - Select the algorithms you want to use for the calculation by checking the
      required algorithms, and then click Calculate.

12. HashCalc calculates the HMAC values of the specified file and displays them as
    shown in the following screenshot:

13. Both windows containing MD5 values (with key and without key) are shown
    below for students' understanding. Note that the keyed value (HMAC-MD5) differs
    from the plain MD5 digest of the same file, and that a different key gives a
    different HMAC.

14. If you want to perform a calculation for a text string, first select Text string
    from the Data Format drop-down list and then enter the text in the Data field.

15. Select the algorithms you want to use for the calculation by checking the required
    algorithms and then click the Calculate button.

16. Hash values are displayed for the selected algorithms as shown in the
    following screenshot.

Note: MD5 and SHA-1 are no longer collision resistant, so an attacker can construct
two different files with the same MD5 or SHA-1 value. They still detect accidental
changes, but record at least one modern digest (for example SHA-256) alongside MD5
when you document evidence hashes.

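The same calculations HashCalc performs in the steps above, written as an added Python
example (it is not part of the original lab manual and not HashCalc code). It hashes a
file in chunks so that large evidence images do not have to fit in memory, hashes a text
string, computes an HMAC with a key entered either as text or as hex exactly as the Key
Format box allows, and verifies a file against a previously recorded hash. The sample
file content is constructed inline; Python 3.8 or later is assumed.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024  # read large evidence files in chunks rather than loading them whole


def file_digests(path: str, algos=("md5", "sha1", "sha256")) -> dict:
    """Hex digests of a file for every requested algorithm, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def text_digest(text: str, algo: str, encoding: str = "utf-8") -> str:
    """Digest of a text string. The encoding changes the bytes, so it is explicit here."""
    return hashlib.new(algo, text.encode(encoding)).hexdigest()


def parse_key(key: str, key_format: str) -> bytes:
    """HashCalc-style key entry: 'text' keys are used as typed, 'hex' keys are decoded."""
    if key_format == "text":
        return key.encode("utf-8")
    if key_format == "hex":
        return bytes.fromhex(key)
    raise ValueError(f"unknown key format {key_format!r}")


def hmac_hex(data: bytes, key: bytes, algo: str) -> str:
    """Keyed-hash message authentication code; the same data with another key differs."""
    return hmac.new(key, data, algo).hexdigest()


def verify_file(path: str, expected_hex: str, algo: str) -> bool:
    """Compare a file against a recorded hash (e.g. from the acquisition log) in constant time."""
    actual = file_digests(path, (algo,))[algo]
    return hmac.compare_digest(actual.lower(), expected_hex.lower())


# Constructed sample "evidence" file content; stands in for Blackberry.png from the lab.
SAMPLE_CONTENT = b"The quick brown fox jumps over the lazy dog"


def write_sample_file() -> str:
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    return path


if __name__ == "__main__":
    path = write_sample_file()
    for name, value in file_digests(path).items():
        print(f"{name:8s} {value}")
    key = parse_key("test", "text")  # the key typed into the Key box in step 11
    for algo in ("md5", "sha1", "sha256"):
        print(f"hmac-{algo:7s} {hmac_hex(SAMPLE_CONTENT, key, algo)}")
    print("verified:", verify_file(path, file_digests(path)["sha256"], "sha256"))
    os.remove(path)
```

A hex key of 6b6579 and a text key of key are the same bytes, so they produce the same
HMAC; that equivalence is the only thing the Key Format setting changes.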
Lab Analysis:

Analyse and document the results related to this experiment.

…………………………………………………………………………………………………………
…………………………………………………………………………………………………………
…………………………………………………………………………………………………………

Assignment: Generating MD5 Hashes Using MD5 Calculator

Lab Objectives:
This assignment gives you experience computing hash values and shows you how to:

- Use a hash calculation tool.
- Calculate the MD5 value of selected files.

Lab Environment:
This lab requires:

- MD5 Calculator, which is located at C:\CHFI-Tools\CHFIv9Module 02 Computer
  Forensics Investigation Process\Hash Value Calculator Tools\MD5 Calculator.
- A computer running a Windows Server 2012 virtual machine.
- Administrative privileges to run tools.
- You can also download the latest version of MD5 Calculator from
  http://www.bullzip.com/products/md5/info.php
- Kindly note that if you decide to download the latest version, then the screenshots
  shown in the lab might differ.

Lab Tasks:
1. Navigate to C:\CHFI-Tools\CHFIv9Module 02 Computer Forensics Investigation
   Process\Hash Value Calculator Tools\MD5 Calculator.
2. Double-click md5calc(1.0.0.0).msi to launch the setup and then follow the
   wizard-driven installation steps to install the application.

Note: If an Open File - Security Warning pop-up appears, click Run.

Lab Analysis:

Analyse and document the results related to this experiment.

…………………………………………………………………………………………………………
…………………………………………………………………………………………………………

Lab 3: Viewing Files of Various Formats Using File Viewer

Lab Objectives:
The objective of this lab is to help students learn and perform file viewing with
the help of File Viewer. File Viewer is used for:

- Viewing files of various formats
- Quickly locating the files needed
- Saving files of various file types

Lab Environment:
This lab requires:

- File Viewer tool, located at C:\CHFI-Tools\CHFIv9Module 02 Computer Forensics
  Investigation Process\Computer Forensics Software\File Viewer.
- You can also download the latest version of File Viewer from
  http://www.accessoryware.com/fileview.htm
- Kindly note that if you decide to download the latest version, then the
  screenshots shown in this lab might differ slightly.
- A computer running a Windows Server 2012 virtual machine.
- Administrative privileges to install and run tools.

Lab Tasks:
1. Navigate to C:\CHFI-Tools\Evidence Files\Image Files to view the evidence
   files. You will be selecting a file from this location in the subsequent steps.

2. Navigate to C:\CHFI-Tools\CHFIv9Module 02 Computer Forensics Investigation
   Process\Computer Forensics Software\File Viewer, double-click FileView.exe to
   launch the setup and follow the wizard-driven installation steps to install the
   application.

Note: If an Open File - Security Warning pop-up appears, click Run.

3. Double-click the File Viewer 9.5 icon on the Desktop to launch the application.
   Note: Alternatively, you may launch the application from the Apps screen.

4. The File Viewer Registration pop-up appears. Click the Close button
   to open the File Viewer window.

5. The File Viewer main window appears, along with a Getting Started with File
   Viewer dialog box. Click the Do Not Show on Start Up option and click Cancel.

6. If the pop-up does not appear, skip to the next step.

7. Go to the File menu and click Open.

8. In the Open dialog box:
   - Locate the evidence file path (C:\CHFI-Tools\Evidence Files\Image Files).
   - Select All files (*.*) in the File type drop-down list.

   - Select the file (Flowers.jpg), and then click Open.

9. If a Getting Started with File Viewer pop-up appears, click Cancel.

10. The image Flowers.jpg opens in the File Viewer screen as shown in
    the following screenshot:

11. Navigate to File -> File Properties to view various properties of the selected
    image.
12. The File Properties window pops up showing various properties of
    the selected file. Click OK to close the window.

13. You may save the image for further reference, and you have the option to
    save the image in a different file format. However, this feature is available only
    in the licensed version of File Viewer.

Note: When examining evidence, open a working copy whose hash you have recorded
rather than the original file. Saving in another format produces a new file whose hash
differs from the evidence, so it must be treated as a derived artefact, not as the
evidence itself.

Lab Analysis:

Analyse and document the results related to this experiment.

…………………………………………………………………………………………………………
…………………………………………………………………………………………………………
…………………………………………………………………………………………………………

Lab 4: Handling Evidence Data Using P2 Commander

Lab Objectives:
The objective of this lab is to help students learn and use P2 Commander for
handling evidence data.

Lab Environment:
This lab requires:

- The P2 Commander tool, which is located at C:\CHFI-Tools\CHFIv9Module 02 Computer
  Forensics Investigation Process\Computer Forensics Software\P2Commander.
- You can also download the latest version of P2 Commander from
  http://www.paraben.com/p2-commander.html
- Please note that if you decide to download the latest version, then the
  screenshots shown in this lab might differ slightly.
- A computer running a Windows Server 2012 virtual machine.
- Administrative privileges to install and run tools.

Lab Tasks:
1. Navigate to C:\CHFI-Tools\CHFIv9Module 02 Computer Forensics Investigation
   Process\Computer Forensics Software\P2Commander.
2. Double-click p2c-demo.exe to launch the setup, and follow the wizard-driven
   installation steps to install the application.
   Note: If an Open File - Security Warning pop-up appears, click Run.

3. On completing the installation, Paraben's Dongle Manager installation
   wizard appears; follow the wizard-driven installation steps to install Paraben's
   Dongle Manager.

4. Once the installation is completed, a Paraben's P2C dialog box appears
   asking you to restart your computer. Click Yes to restart the machine so that the
   configuration changes take effect.

5. Double-click the P2C icon located on the Desktop to launch the application.
   Note: Alternatively, you may launch the application from the Apps screen.

6. An Activation pop-up subsequently appears; click Later.

Note: The P2 Commander trial version can be used for only 30 days with a
limited number (7) of executions.

7. The P2 Commander GUI appears, along with a Paraben's P2C pop-up
   as shown in the following screenshot:

8. Click the Create New Case icon in the Paraben's P2C pop-up.

9. A New Case window appears, displaying the Welcome section. Click Next.

10. In the Case Properties section, provide a Case name, write the case
    Description in the respective field, and then click Next.

11. In the Additional Information section, fill in additional information
    and click the Finish button. Note: Additional information is not mandatory
    and can be completed at any time.

12. A New case creation window appears. Navigate to Desktop, create a
    folder named Reports, navigate into the Reports folder, specify a file name
    (here, Test 1.p2c) in the File Name field, and click Save.

13. In the Add New Evidence window, select Image File under the
    Category section in the left pane, then select Auto-detect image under the
    Source type section and click OK.

14. An Open window appears. Navigate to C:\CHFI-Tools\Evidence Files\Raw - DD Image,
    select TestRawImage.dd and click Open.

15. Specify a new evidence name and click OK.

16. The P2C Content Analysis Wizard appears displaying the General options
    section. Select the required options and click Next.

17. The Data Analyzing Options section appears; select the required options
    and click Next.

18. The Advanced Options section appears; select the options required for
    analyzing the image and click Next.

19. The Image Analyzer Options section appears; leave the options set
    to default and click Finish.

20. The selected image file is added to the case (the Test 1 file under
    Case Content).

21. Expand Test 1 -> TestRawImage -> FAT -> Root. You will find that there are
    folders with an X mark over the folder icons.

22. Click on the Test 1 folder and select the More Icons folder in the Items
    tree view. The X mark indicates that they have been deleted.

23. To add a file to the report, right-click on the file and then click Add to
    report/File Export.

24. If you want to see the properties of the selected file, click the Common
    Log tab. It displays the properties of the selected file in the Common Log
    section.

25. If you want to see the actual image of the selected file, click the File View
    tab.

26. To view the hex values of the selected file, click the Hex View tab.

27. To view the text values of the selected file, click the Text View tab.

28. To generate a report, click the Generate Report button.

29. In the Reports Wizard window, specify a Destination folder.

30. In this lab, we will be using the HTML Investigative Report type and the
    default destination folder location. Click Next.

31. You can add or edit any additional investigator information, if needed,
    in the Investigator's Information section and click Next.

32. In the File System section, select the required options and click Next.

33. In the File Properties section, leave the options set to default and click Next.

34. In the Sorted Files section, select the "include only data checked as
    'include to reports'" radio button and then click Next.

35. In the Logs and Supplementary Files section, check the Include case
    history option and click Finish.

36. Navigate to the folder where you saved the report. In this folder you will
    find a sub-folder named Test 1; open that folder and double-click the Test 1.html
    file to view the report.

37. A detailed investigative report opens in the web browser; scroll down
    the browser window to view and examine the report.

Lab Analysis:

Analyse and document the results related to this experiment.

…………………………………………………………………………………………………………
…………………………………………………………………………………………………………
…………………………………………………………………………………………………………

Lab 5: Creating a Disk Image File of a Hard Disk Partition Using R-Drive Image

Lab Objectives:
The objective of this lab is to help students understand how to create a disk image
file of a hard disk partition using R-Drive Image.

Lab Environment:
This lab requires:

- The R-Drive Image tool, which is located at C:\CHFI-Tools\CHFIv9Module 02
  Computer Forensics Investigation Process\Computer Forensics Software\R-drive Image.
- You can also download the latest version of R-Drive Image from the link
  http://www.driveimage.com/Drive_Image_Download.shtm
- Please note that if you decide to download the latest version, then the screenshots
  shown in this lab might differ slightly.
- A computer running a Windows 10 virtual machine.
- Administrative privileges to install and run tools.

Lab Tasks:
1. Navigate to Z:\CHFIv9Module 02 Computer Forensics Investigation
   Process\Computer Forensics Software\R-drive Image.
2. Double-click RDriveImage6.exe to launch the setup, select the language (here,
   English) and follow the wizard-driven installation steps to install the application.
   Note: If an Open File - Security Warning pop-up appears, click Run.
   If a User Account Control pop-up appears, click Yes.
   If a Windows Security dialog box appears, enter the credentials of the Windows
   10 virtual machine and then click OK.

3. On completing the installation, ensure that the Launch R-Drive Image option
   is checked and click Finish.

4. The R-Drive Image GUI appears; click Next.

5. In the Action Selection window, select the Create an Image option and
   click Next to continue.

6. In the Partition Selection window, select the D drive to create a drive image
   file of the D drive. Click Next.

7. In the Image Destination window:
   - Select the D drive in the tree pane to save the file.
   - The file name is filled in automatically by the application.
   - Select R-Drive Image files (*.rdr) in the Files of type field to save the file in
     .rdr format.
   - Click Next.

Note: This lab writes the image onto the same D drive that is being imaged, which is
acceptable only as an exercise. For an evidence acquisition, write the image to a
separate destination drive (with the source attached through a write blocker where
possible) so that the source is never modified, and record a hash of the source
partition and of the resulting image so the copy can be verified later.

8. In the Image Options window, click Next. Note: Providing a password is optional.

9. In the Backup Options window, click Next.

10. The Processing window shows a summary of all the operations. Click Start to
    start the disk partition imaging process.

11. The progress bar in the Processing window shows the percentage of the task
    completed.

12. Once the processing is done, the following pop-up window is displayed.
    Click OK.

13. In the Processing window, click Continue to complete the process.

14. In the R-Drive Image window, click the Exit button to close the application.

15. Go to the D drive to view the created disk partition image file.
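R-Drive Image writes its own .rdr container. The added Python example below (it is not
part of the original lab manual and not R-Drive Image code) shows the verified
acquisition step the lab skips, producing a raw sector-for-sector image of the kind that
The Sleuth Kit and Autopsy read in the later labs: the source is hashed as it is read,
the written image is hashed again, the two are compared, and a sidecar hash file is
written next to the image. A constructed 2 MiB partition file stands in for the D drive;
on a real system the source would be a raw device path such as \\.\D: on Windows or
/dev/sdb1 on Linux (an assumption about the environment, and both need administrative
rights).

```python
import hashlib
import os
import tempfile

SECTOR = 512
CHUNK = 1024 * 1024  # 1 MiB reads: large enough to be fast, small enough to bound memory


def hash_file(path: str, algo: str) -> str:
    """Hex digest of a whole file, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image_path: str, algo: str = "sha256") -> dict:
    """Copy source (a partition device or file) to image_path byte for byte.

    The source is hashed while it is read, then the written image is hashed on its own,
    so the record proves both what was read and that what was written matches it.
    A read error raises and aborts the run: skipping unreadable sectors silently would
    leave an image that hashes fine but is not what was on the disk. If you choose a
    'replace bad sectors with zeros' policy instead, log every such sector.
    """
    src_hash = hashlib.new(algo)
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the destination drive
    image_hash = hash_file(image_path, algo)
    record = {
        "bytes": copied,
        "sectors": copied // SECTOR,
        "source_" + algo: src_hash.hexdigest(),
        "image_" + algo: image_hash,
        "verified": image_hash == src_hash.hexdigest(),
    }
    # Sidecar file in the format sha256sum/md5sum understand, for later re-verification.
    with open(image_path + "." + algo, "w") as log:
        log.write(f"{image_hash}  {os.path.basename(image_path)}\n")
    return record


def build_sample_partition() -> str:
    """Constructed 2 MiB 'partition': an NTFS-looking boot sector, a text remnant, zeros."""
    data = bytearray(4096 * SECTOR)
    data[0:3] = b"\xeb\x52\x90"
    data[3:11] = b"NTFS    "
    data[510:512] = b"\x55\xaa"
    data[8192:8192 + 25] = b"deleted-document-remnant "
    fd, path = tempfile.mkstemp(suffix=".part")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    src = build_sample_partition()
    rec = acquire(src, src + ".dd")
    for k, v in rec.items():
        print(f"{k:16s} {v}")
```

The source hash is taken from the bytes as they stream through, not by reading the
source a second time; on real media a second read can differ (failing sectors,
mounted volumes changing underneath you), so the acquisition record should carry the
hash of exactly the bytes that went into the image.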

Lab Analysis:

Analyse and document the results related to this experiment.

…………………………………………………………………………………………………………
…………………………………………………………………………………………………………
…………………………………………………………………………………………………………

Assignment: Recovering Deleted Files from Hard Disks Using WinHex

Lab Objectives:
The objective of this lab is to help you understand how to recover files that have been
permanently deleted using the WinHex tool.

Lab Environment:
This lab requires:

- WinHex, which is located at C:\CHFI-Tools\CHFIv9Module 03 Understanding Hard
  Disks and File Systems\File System Analysis Tools\WinHex.
- A computer running Windows Server 2012.
- You can also download the latest version of WinHex from
  https://www.x-ways.net/winhex/
- Kindly note that if you decide to download the latest version, then the screenshots
  shown in the lab might be slightly different.
- Administrative privileges to install and run tools.
- A web browser with an Internet connection.

Lab Tasks:
1. Navigate to C:\CHFI-Tools\Evidence Files\Raw - DD Image for the evidence files.

2. Navigate to C:\CHFI-Tools\CHFIv9Module 03 Understanding Hard Disks and File
   Systems\File System Analysis Tools\WinHex.

3. Double-click setup.exe to launch the setup and follow the wizard-driven
   installation instructions.

Lab Analysis:

Analyse and document the results related to this experiment.

…………………………………………………………………………………………………………
…………………………………………………………………………………………………………

Lab 6: Analyzing File System Types Using The Sleuth Kit (TSK)

Lab Objectives:
The objective of this lab is to help investigators learn and perform file system
analysis. The Sleuth Kit (TSK) is used to obtain:

- File system type.
- Metadata information.
- Content information.

Lab Environment:
This lab requires:

- The Sleuth Kit (TSK), which is located at C:\CHFI-Tools\CHFIv9Module 03
  Understanding Hard Disks and File Systems\File System Analysis Tools\The Sleuth
  Kit (TSK).
- You can also download the latest version of The Sleuth Kit from
  http://www.sleuthkit.org/sleuthkit/download.php
- If you decide to download the latest version, then the screenshots shown in this
  lab might differ slightly.
- A computer running Windows Server 2012.
- Administrative privileges to execute the commands.
- A web browser with an Internet connection.

Lab Tasks:
1. Navigate to C:\CHFI-Tools\CHFIv9Module 03 Understanding Hard Disks and File
   Systems\File System Analysis Tools\The Sleuth Kit (TSK).

2. Select the bin folder, press Shift and right-click, and select Open command
   window here from the context menu to open a command prompt window.

3. Now type fsstat -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw
   Image\DiskPartitionRawImage.dd" and then press Enter to see the file system details.

4. Use the istat tool of The Sleuth Kit to view the details of a metadata structure
   (on NTFS, an MFT entry; the number after the image path is the entry number).

5. To view the $MFT file overview, type istat -f ntfs "C:\CHFI-Tools\Evidence
   Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 0

Note: The Master File Table (MFT) has an entry for every file and directory; hence it
is required to find all other files. The layout of the MFT is determined by processing
entry 0 in the MFT.

6. To view the $MFTMirr file overview, type istat -f ntfs "C:\CHFI-Tools\Evidence
   Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 1

Note: MFT entry 1 is for the $MFTMirr file, which has a non-resident attribute that
contains a backup copy of the first MFT entries.

7. To view the $Boot file overview, type istat -f ntfs "C:\CHFI-Tools\Evidence
   Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 7

Note: The $Boot file system metadata file is located in MFT entry 7 and contains the
boot sector of the file system.

8. To view the $Volume file overview, type istat -f ntfs "C:\CHFI-Tools\Evidence
   Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 3

Note: The $Volume file system metadata file is located in MFT entry 3 and contains
the volume label and other version information.

9. To view the $AttrDef file overview, type istat -f ntfs "C:\CHFI-Tools\Evidence
   Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 4

Note: The MFT entry for the $AttrDef file system metadata file is 4. It defines the
names and type identifiers for each type of attribute.

10. To view the $Bitmap file overview, type istat -f ntfs "C:\CHFI-Tools\Evidence
    Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 6

Note: The MFT entry of the $Bitmap file system metadata file, which records the
allocation status of every cluster, is 6.

11. To view the $BadClus file overview, type istat -f ntfs "C:\CHFI-Tools\Evidence
    Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 8

Note: NTFS keeps track of damaged clusters by allocating them to a $DATA attribute
of the $BadClus file system metadata file. Its MFT entry is 8.

12. To view the $Secure file overview, type istat -f ntfs "C:\CHFI-Tools\Evidence
    Files\Disk Partition Raw Image\DiskPartitionRawImage.dd" 9

Note: The $Secure file system metadata file stores the security descriptors that
define the access control policy for a file or directory. Its MFT entry is 9.

13. Use the fls command-line tool of TSK to list the file and directory names. Type
    fls -f ntfs "C:\CHFI-Tools\Evidence Files\Disk Partition Raw
    Image\DiskPartitionRawImage.dd" and then press Enter.

14. To see only the deleted entries, type fls -d "C:\CHFI-Tools\Evidence Files\Disk
    Partition Raw Image\DiskPartitionRawImage.dd" (add -r to recurse into
    sub-directories; without -f, fls auto-detects the file system type).

15. Use the img_stat command to see the details of an image. Type img_stat
    "C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd"
    and press Enter to see the details of the image file.
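To make clear where the values reported by fsstat and the entry numbers given to istat
come from, here is an added Python example (not part of the original lab manual and not
TSK code) that decodes the NTFS boot sector, which is the content of the $Boot file
examined in step 7, and derives from it the byte offset of any MFT entry in the image.
The boot sector is constructed inline with representative values; the field offsets
are those of the NTFS BIOS parameter block.

```python
import struct

# NTFS system files by MFT entry number, as used in the istat steps above.
SYSTEM_FILES = {
    0: "$MFT", 1: "$MFTMirr", 2: "$LogFile", 3: "$Volume", 4: "$AttrDef",
    5: ". (root directory)", 6: "$Bitmap", 7: "$Boot", 8: "$BadClus", 9: "$Secure",
    10: "$UpCase", 11: "$Extend",
}


def is_ntfs_boot_sector(sector: bytes) -> bool:
    """OEM ID 'NTFS    ' at offset 3 and the 0x55AA signature at offset 510."""
    return len(sector) >= 512 and sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xaa"


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the fields fsstat prints for an NTFS volume from its first sector."""
    if not is_ntfs_boot_sector(sector):
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 40)
    rec_code = struct.unpack_from("<b", sector, 64)[0]   # clusters per MFT record
    idx_code = struct.unpack_from("<b", sector, 68)[0]   # clusters per index record
    serial = struct.unpack_from("<Q", sector, 72)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster

    def size_code(code: int) -> int:
        # A negative value means 2^|code| bytes (e.g. 0xF6 = -10 -> 1024-byte records);
        # a positive value is a number of clusters.
        return (1 << -code) if code < 0 else code * cluster_size

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "volume_size": total_sectors * bytes_per_sector,
        "mft_lcn": mft_lcn,
        "mft_offset": mft_lcn * cluster_size,
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "mft_record_size": size_code(rec_code),
        "index_record_size": size_code(idx_code),
        "serial": f"{serial:016x}",
    }


def mft_entry_offset(info: dict, entry: int) -> int:
    """Byte offset in the image of MFT entry N, i.e. what istat reads for entry N.

    Valid while the entry lies in the first run of $MFT; a fragmented $MFT needs the
    data runs of entry 0, which is why the note above says entry 0 is processed first.
    """
    return info["mft_offset"] + entry * info["mft_record_size"]


def build_sample_boot_sector() -> bytes:
    """Constructed boot sector: 512-byte sectors, 8-sector clusters, $MFT at cluster 4."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                          # jump instruction
    s[3:11] = b"NTFS    "                             # OEM ID
    struct.pack_into("<HB", s, 11, 512, 8)            # bytes/sector, sectors/cluster
    struct.pack_into("<QQQ", s, 40, 204800, 4, 2)     # total sectors, $MFT LCN, $MFTMirr LCN
    struct.pack_into("<b", s, 64, -10)                # 0xF6: 2^10 = 1024-byte MFT records
    struct.pack_into("<b", s, 68, 1)                  # one cluster per index record
    struct.pack_into("<Q", s, 72, 0x1234567890ABCDEF) # volume serial number
    s[510:512] = b"\x55\xaa"                          # boot sector signature
    return bytes(s)


def describe_image(image_path: str) -> dict:
    """Read the first sector of a raw partition image and decode it."""
    with open(image_path, "rb") as fh:
        return parse_boot_sector(fh.read(512))


if __name__ == "__main__":
    info = parse_boot_sector(build_sample_boot_sector())
    for key, value in info.items():
        print(f"{key:20s} {value}")
    for number, name in SYSTEM_FILES.items():
        print(f"entry {number:2d} {name:20s} at byte offset {mft_entry_offset(info, number)}")
```

Running describe_image against DiskPartitionRawImage.dd should give the same cluster
size, MFT location and record size that fsstat prints in step 3; if it does not, the
image does not start at the partition's first sector and an offset (the -o option of
the TSK tools) is needed.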

Lab Analysis:

Analyse and document the results related to this experiment.

…………………………………………………………………………………………………………
…………………………………………………………………………………………………………
…………………………………………………………………………………………………………

59 | P a g e Digital Forensics Technology & Practices Lab Manual


Lab 7: Analyzing Raw Image Using Autopsy

Lab Objectives:
The objective of this lab is to help investigators learn and perform file system analysis using Autopsy, covering:

File system type.
Metadata information.
Content information.

Lab Environment:
This lab requires:

Autopsy, which is preinstalled in Kali Linux.
You can also download the Windows-based version of Autopsy from http://www.sleuthkit.org/autopsy/.
Kindly note that if you decide to download the latest version, the screenshots shown in this lab might differ slightly.
A computer running Kali Linux.
A computer running Windows Server 2012 to access the CHFI-Tools directory.
Administrative privileges to execute the commands.
A web browser with an Internet connection.

Lab Tasks:
1. To launch Autopsy, navigate to Applications -> 11 - Forensics -> autopsy.

2. A terminal window opens once you click the Autopsy icon in the Applications menu.

3. The terminal window instructs you to open a browser at http://localhost:9999/autopsy; copy the given URL as shown in the screenshot.

Note: Do not close the terminal window until the process is completed; it is running the Autopsy server.

4. Once the link is copied, click the Iceweasel icon on the task bar to open a web browser.

5. Paste the copied link into Iceweasel's address bar and press Enter.

6. The Autopsy main window appears as shown in the screenshot; click the NEW CASE button to start the investigation.

Note: Ignore the warning message in the Autopsy main window.


7. The CREATE A NEW CASE page appears; fill in the required details.

8. In this lab, the case name is 100, the description is Test, and the investigator name is Johnathan. Click NEW CASE.

9. Clicking NEW CASE redirects you to the Creating Case page.

10. Now click the ADD HOST button.

11. The ADD A NEW HOST page appears; fill in the details and click the ADD HOST button.

12. After the host is added, it appears as shown in the screenshot.

13. Now add an image for investigation: click the ADD IMAGE button.


14. Click the ADD IMAGE FILE button to add an image for investigation.

15. The ADD A NEW IMAGE page appears; here you provide the location of the image in the Location field, the Type of the image, and the Import Method.

16. Minimize the browser window, double-click chfi-tools on 10.0.0.12 on the desktop, navigate to Evidence Files -> Disk Partition Raw Image, and copy DiskPartitionRawImage.dd to the desktop.

Note: 10.0.0.12 is the IP address of the Windows Server 2012 virtual machine. IP addresses may differ according to your network infrastructure.


17. Maximize the Autopsy browser window and drag DiskPartitionRawImage.dd into the Location field.

18. In the Type section choose the Partition radio button, leave the other settings at their defaults, and click NEXT. Note: when you drag the image file, the path is shown as file:///...; delete the file:// prefix so that only the file system path remains.

19. The Image File Details page appears; leave the settings at their defaults and click ADD.

20. The Testing Partitions page appears; click OK.

21. Once the image is added to the Autopsy database, you can analyze it. Click ANALYZE.

22. To start analyzing the added disk image, choose the analysis mode from the tabs at the top, as shown in the screenshot.


23. Click the FILE ANALYSIS button to analyze the image from the file and directory perspective.

24. File Analysis is used to examine directories and files for evidence. It also performs basic binary analysis to extract ASCII strings from file content.

25. To generate MD5 hashes of the contained files, click the GENERATE MD5 LIST OF FILES button; the list of hash values opens in a new browser tab.


26. Click the IMAGE DETAILS button to view the complete file system details of the added image: FILE SYSTEM INFORMATION, METADATA INFORMATION, and CONTENT INFORMATION.

You can go through all the other options of Autopsy as required for your investigation.

Lab Analysis:
Analyze and document the results related to this experiment.

……………………………………………………………………………………………………………………………………………………


Lab 8: Investig# NTFS Drive Using Disk Explorer for NTFS

Lab Objectives:
The objective of this lab is to help students learn how to investigate the NTFS file system. In this lab you will learn how to:

Use Disk Explorer for NTFS

Lab Environment:
To carry out the lab, you need:
Disk Explorer for NTFS, located at C:\CHFI-Tools\CHFIv9 Module 04 Data Acquisition and Duplication\Data Acquisition Tools\DiskExplorer for NTFS.
You can also download the latest version of Disk Explorer for NTFS from https://www.runtime.org/diskexplorer.htm
Kindly note that if you decide to download the latest version, the screenshots shown in the lab might differ.
A computer running Windows Server 2012.
Administrative privileges to run tools.

Lab Tasks:
1. Navigate to C:\CHFI-Tools\CHFIv9 Module 04 Data Acquisition and Duplication\Data Acquisition Tools\DiskExplorer for NTFS.

2. Double-click setup.exe to launch the setup, and follow the wizard-driven installation steps.
Note: If an Open File - Security Warning pop-up appears, click Run.

3. To launch Disk Explorer for NTFS, double-click the DiskExplorer shortcut icon on the Desktop.

4. The main window of Disk Explorer for NTFS appears. Note: You can also launch the tool from the Apps screen.


5. The evidence file for this lab is C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd.

6. Select Image from the File menu and navigate to C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd

7. In the Files of type drop-down list, select All files (*.*), and then click Open.

8. Disk Explorer displays the details of the image file, including whether it found a Valid or Invalid Boot Sector, as shown in the figure below:


9. Now click the Sector icon (Sector... Ctrl+G) on the toolbar, or choose Goto -> Sector.

10. In the Goto sector... dialog, enter the sector number or byte offset (in hex) to jump to, and then click OK.

11. The tool displays the selected sector, as shown below:

12. Now click View as Hex, or press F3, to view the hex values of the selected sector.


13. The figure below shows the hex view of the selected sector:

14. On the menu bar, choose Edit -> Select All.

15. The entire drive is highlighted in the hex view, as shown in the figure:

16. Choose Edit -> Copy to file to copy the selected data out for further processing.


17. In the Copy dialog, choose where to save the file, specify a name for the image, and save it. The top of the dialog shows the size of the image about to be created. Click Save.

18. In the Confirm dialog, click Yes to split the image into several files, since the destination drive (for example FAT32, which caps files at 4 GB) might not accept very large files.

19. The copy process starts and writes the image file(s).
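As an added example, not the lab's or Runtime Software's code, the following Python performs steps 9 to 19 without the GUI: read_sector is Goto -> Sector, hexdump is View as Hex, and copy_range_split is Copy to file with the split option, writing numbered segments of a fixed maximum size. It runs against a small image constructed in a temporary directory; the 512-byte sector size, the 1000-byte segment size and the file names are assumptions made for the demonstration.

```python
import os
import tempfile

SECTOR_SIZE = 512   # assumption: 512-byte sectors, the Disk Explorer default


def read_sector(image_path: str, sector: int, sector_size: int = SECTOR_SIZE) -> bytes:
    """Return one sector of a raw image; the programmatic form of Goto -> Sector."""
    with open(image_path, "rb") as img:
        img.seek(sector * sector_size)
        data = img.read(sector_size)
    if len(data) != sector_size:
        raise ValueError(f"sector {sector} lies beyond the end of the image")
    return data


def hexdump(data: bytes, base_offset: int = 0, width: int = 16) -> list:
    """Render bytes as offset / hex / ASCII lines, the View as Hex layout."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base_offset + i:08X}  {hexpart}  {text}")
    return lines


def copy_range_split(image_path: str, start: int, length: int, dest_prefix: str, segment_size: int) -> list:
    """Copy image[start:start+length] to dest_prefix.001, .002, ... of at most segment_size bytes each.
    Streams in bounded chunks so a multi-GB selection never has to fit in memory."""
    if length <= 0 or segment_size <= 0:
        raise ValueError("length and segment_size must be positive")
    segments, remaining = [], length
    with open(image_path, "rb") as img:
        img.seek(start)
        while remaining > 0:
            seg_path = f"{dest_prefix}.{len(segments) + 1:03d}"
            to_write = min(segment_size, remaining)
            with open(seg_path, "wb") as seg:
                written = 0
                while written < to_write:
                    chunk = img.read(min(1 << 20, to_write - written))
                    if not chunk:
                        raise ValueError("image ended before the requested range was fully copied")
                    seg.write(chunk)
                    written += len(chunk)
            segments.append(seg_path)
            remaining -= to_write
    return segments


def reassemble(segment_paths: list) -> bytes:
    """Concatenate the segments (small inputs only) to show the split copy is lossless."""
    out = bytearray()
    for path in segment_paths:
        with open(path, "rb") as f:
            out += f.read()
    return bytes(out)


def build_sample_image(path: str, sectors: int = 8) -> bytes:
    """Constructed sample image: sector n is filled with byte n; sector 0 ends with a 0x55AA trailer."""
    data = bytearray()
    for n in range(sectors):
        data += bytes([n]) * SECTOR_SIZE
    data[510:512] = b"\x55\xAA"
    with open(path, "wb") as f:
        f.write(data)
    return bytes(data)


def demo() -> dict:
    """Run the whole procedure against the sample image in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sample.dd")
        original = build_sample_image(image)
        sector3 = read_sector(image, 3)
        dump = hexdump(sector3, base_offset=3 * SECTOR_SIZE)
        segments = copy_range_split(image, 0, len(original), os.path.join(tmp, "copy"), segment_size=1000)
        sizes = [os.path.getsize(p) for p in segments]
        lossless = reassemble(segments) == original
    return {"sector3_fill": sector3[0], "first_dump_line": dump[0],
            "boot_trailer_ok": original[510:512] == b"\x55\xAA",
            "segment_count": len(segments), "segment_sizes": sizes, "lossless": lossless}
```

On a real case, keep the segment size below the destination file system's limit (4 GB on FAT32) and hash the reassembled data against the source; reassemble concatenates in memory only because the sample is tiny, and for a large image you would feed the segments through a hash in sequence instead.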


Lab Analysis:

Analyze and document the results related to this experiment.

……………………………………………………………………………………………………………………………………………………


Lab 9: Viewing Content of Forensic Image Using AccessData FTK Imager Tool

Lab Objectives:
All system-related data is stored on the system hard disk. When an incident occurs, the system may well be shut down, and switching it on would change the evidence on it. Even if the system is still on, investigators should not apply forensic techniques to it directly, since that may tamper with the evidence and render it useless at trial. An investigator should therefore always work on a duplicate of the storage; this lab shows how to open such a duplicate (a forensic image) and examine its contents.
The objective of this lab is to help students learn how to use AccessData FTK Imager to view the contents of a forensic image.

Lab Environment:
To carry out the lab, you need:

AccessData FTK Imager, located at C:\CHFI-Tools\CHFIv9 Module 04 Data Acquisition and Duplication\Data Acquisition Tools\AccessData FTK Imager.
You can also download the latest version of AccessData FTK Imager from http://accessdata.com/product-download/digital-forensics/ftk-imager-version-3.4.2
Kindly note that if you decide to download the latest version, the screenshots shown in the lab might differ.
A computer running Windows Server 2012.
Administrative privileges to run tools.

Lab Tasks:
1. Navigate to C:\CHFI-Tools\CHFIv9 Module 04 Data Acquisition and Duplication\Data Acquisition Tools\AccessData FTK Imager.

2. Double-click AccessData_FTK_Imager_3.4.2.exe to launch the setup, and follow the wizard-driven installation instructions.

3. AccessData FTK Imager launches automatically after installation, and its main window appears.


4. Choose File -> Add Evidence Item, or click the Add Evidence Item button on the toolbar.

5. Select the Image File option in the Select Source wizard and click Next.

6. Click the Browse button, specify the image file path (C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd), and click Finish.

7. The evidence appears in the Evidence Tree, as shown in the following screenshot:


8. Select any file or folder in the Evidence Tree to view its contents in the File List pane on the right.

9. To view the hex values of a particular file, select it in the File List and click the Hex icon on the toolbar.

10. The hex values of the selected file appear in the bottom-right pane.

11. Click the Properties tab in the lower-left pane to view properties such as file class, size, dates, and start cluster of the selected file.

12. Click the Hex Value Interpreter tab in the lower-left pane to decode the bytes selected in the hex view as, for example, a signed integer or a DOS date.
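As an added example of what step 12's Hex Value Interpreter does, not AccessData's code, the following Python decodes a selection of bytes under the interpretations that matter most in NTFS and FAT metadata: little-endian signed integers, DOS (FAT) date/time, Windows FILETIME (the 64-bit count of 100 ns ticks since 1601-01-01 UTC used in $STANDARD_INFORMATION), and 32-bit Unix time. The sample bytes are constructed to encode one instant, 2017-09-14 13:45:30, in each format.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix epoch


def signed_int(raw: bytes) -> int:
    """Little-endian two's-complement integer of 1, 2, 4 or 8 bytes."""
    fmt = {1: "<b", 2: "<h", 4: "<i", 8: "<q"}.get(len(raw))
    if fmt is None:
        raise ValueError("signed_int needs 1, 2, 4 or 8 bytes")
    return struct.unpack(fmt, raw)[0]


def dos_datetime(raw: bytes) -> str:
    """FAT/ZIP packed timestamp: 2-byte time word then 2-byte date word, 2-second resolution, local time."""
    if len(raw) != 4:
        raise ValueError("DOS date/time is 4 bytes (time word, then date word)")
    t, d = struct.unpack("<HH", raw)
    year, month, day = 1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F
    hour, minute, second = t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second).strftime("%Y-%m-%d %H:%M:%S")


def filetime(raw: bytes) -> str:
    """Windows FILETIME: 64-bit count of 100 ns intervals since 1601-01-01 UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME is 8 bytes")
    ticks = struct.unpack("<Q", raw)[0]
    if ticks == 0:
        return "unset (0)"
    return (EPOCH_1601 + timedelta(microseconds=ticks // 10)).isoformat()


def unix_time32(raw: bytes) -> str:
    """32-bit unsigned seconds since 1970-01-01 UTC."""
    if len(raw) != 4:
        raise ValueError("32-bit Unix time is 4 bytes")
    return (EPOCH_1970 + timedelta(seconds=struct.unpack("<I", raw)[0])).isoformat()


def interpret(raw: bytes) -> dict:
    """Every interpretation that fits the selection length, like the Hex Value Interpreter pane."""
    out = {}
    if len(raw) in (1, 2, 4, 8):
        out["signed_int"] = signed_int(raw)
    if len(raw) == 4:
        out["unix_time32"] = unix_time32(raw)
        try:
            out["dos_datetime"] = dos_datetime(raw)
        except ValueError:          # e.g. month 0 or day 0: the bytes are not a DOS timestamp
            out["dos_datetime"] = "invalid"
    if len(raw) == 8:
        out["filetime"] = filetime(raw)
    return out


# Constructed sample: the same instant, 2017-09-14 13:45:30, in each encoding.
SAMPLE_DOS = struct.pack("<HH", (13 << 11) | (45 << 5) | (30 // 2), ((2017 - 1980) << 9) | (9 << 5) | 14)
SAMPLE_UNIX = struct.pack("<I", 1505396730)
SAMPLE_FILETIME = struct.pack("<Q", (1505396730 + 11644473600) * 10_000_000)
```

Timestamps are where interpretation errors hide: FILETIME and Unix time are UTC, whereas DOS timestamps carry no zone and have 2-second resolution, so the same instant can appear to differ by hours or by a second across file systems. Select exactly 4 or 8 bytes at the field's real offset; a FILETIME read two bytes off still decodes to a plausible-looking date.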

Lab Analysis:

Analyze and document the results related to this experiment.

……………………………………………………………………………………………………………………………………………………


Lab 10: Discovering and Extracting Hidden Forensic Material on Computers

Lab Objectives:

The objective of this lab is to help students learn how to investigate a suspect's computer to locate evidence of a crime. In this lab, you will learn how to use the OSForensics tool.

Lab Environment:

This lab requires:

OSForensics, located at C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\OSForensics.
You can also download the latest version of OSForensics from www.osforensics.com/download.html
A computer running Windows Server 2012.
Administrative privileges to install and run tools.
A web browser with an Internet connection.

Lab Tasks:
1. Navigate to C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\OSForensics.

2. Double-click osf.exe to launch the setup and follow the wizard-driven installation instructions. Note: If an Open File - Security Warning pop-up appears, click Run.

3. In the final step of installation, check the Launch OSForensics option and click Finish.

4. The PassMark OSForensics GUI appears.


5. Click the Create Case icon in the main window to create a new case.

6. Complete the required fields of the New Case wizard, choose to save the new case folder in either the default or a custom location, and click OK.

Note: To create the case in a custom location, click the Browse button, select the desired path, and click OK. In this lab, the case name is Case 1 and the default case folder has been selected.

7. A new case is created, as shown in the screenshot below:

8. Click File Name Search in the left pane of the window.

9. To search for files, type a file name or extension in the Search String field of the File Name Search window, or select a file type from the Presets drop-down list.

10. In this lab, Images has been selected from the Presets drop-down list.

11. In the Start Folder field, specify the path to search by clicking the Browse button, and then click the Search button.

12. Here we specify the location C:\CHFI-Tools\Evidence Files to search for images in it.

13. This displays all the images present in the specified location. You may analyze these files to see whether any suspicious or unwanted images are stored there.


14. You may view the images either in File List view or in Thumbnail view. The Timeline tab lets you see and sort the files by their modified, accessed, or created times.

15. Now click Create Index in the left pane of the window. This creates a searchable index of file content.

16. Creating an index is a five-step process:

Step 1: Select the Use Pre-defined File Types option and check the file types to index (here, Images has been selected), then click Next.

Step 2: Click the Add button to select the drive or folder you want to index. Select the Specific Folder radio button, click the ellipsis button to add folders, select C:\CHFI-Tools\Evidence Files\Image Files for this lab, and click OK.

Click the Next button in the Create Index section.

Step 3: Specify an index title (Case 1) and optional index notes, then click Start Indexing.

Step 4: The application performs a pre-scan of the specified folder.

Note: If a Maximum Page Limit in Free Version dialog box appears while scanning, click OK to close it.

Step 5: The indexing status is displayed. Once indexing is complete, an OSForensics - Created Index pop-up appears; click OK.


17. Select Search Index in the left pane, enter the keyword to search for in the Enter Search Words field (optional), select the index to search (here, Case 1) from the drop-down menu, and click the Search button.

Note: The free version of OSForensics returns a maximum of 250 results. If the search results exceed this number, an OSForensics - Notes pop-up appears; click OK.

18. Click Recent Activity to scan for evidence such as browsed websites, USB drives, recent downloads, and wireless networks.

19. Select the Scan Drive radio button, select the C: drive, and click Scan to search the drive for evidence such as browsed websites, USB drives, recent downloads, and wireless networks.

Note: If a warning pop-up appears, click Yes; if an OSForensics Error appears during the scan, click OK.

20. On completion of the scan, a Recent Activity - Summary window appears; click OK.

21. To recover deleted files from the file system, click Deleted Files Search in the left pane, select the disk on which to search (here, Partition 1, C:), and click the Search button.


22. The application searches for deleted files on the C: drive and displays them as shown in the following screenshot:

23. To locate files whose contents do not match their file extensions, click Mismatch File Search in the left pane of the window.

24. Click the Browse button to specify the path to search. In this lab, navigate to C:\CHFI-Tools\Evidence Files\Image Files and click the Search button.

25. This option uncovers attempts to hide files under a false name and extension: it identifies the actual file format from the file's signature bytes and flags files whose extension claims a different type.

26. To view the processes running on the system, click Memory Viewer in the left pane of the window.

27. An OSForensics - Warning pop-up appears; click OK.

28. Select a process from the list of running processes, and select the Memory Space tab to view the complete memory details of that process.

29. To analyze the raw sectors of physical disks and partitions, click Raw Disk Viewer and select a disk (here, the C: drive) to view its raw contents.


30. To retrieve detailed information about the core components of the system, click System Information.

31. You may use any of the following options from the List drop-down menu:
Basic DOS commands used
Basic system information
System Information from Registry
All commands used

32. From the List drop-down menu, select the type of information you want to retrieve, and click GO.

33. Here, All Commands has been selected from the drop-down menu. With this selection the application executes all the commands displayed under the Commands tab on the machine.

34. It displays the commands executed, with complete details, in the Result tab as shown in the following screenshot:


35. To verify the integrity of files by calculating their hash values, click Verify/Create Hash in the left pane.

36. You can also create a hash of a complete partition, a physical disk drive, or a text string by selecting the respective option.

37. Click the ellipsis button to specify a file, volume, or text to hash. (In this lab, navigate to C:\CHFI-Tools\Evidence Files\Images.txt to calculate its hash value.)

38. Select the hash function (here, MD5) from the drop-down menu and click Calculate.

39. The calculated hash value appears in the Calculated Hash field, as shown in the following screenshot:

40. To identify known safe files or known suspect files, and so reduce the need for further time-consuming analysis, click Hash Sets.

41. To create a new database, click New DB, enter the database name in the Database Name field, and click OK.

42. Right-click the Investigation database and select Make Active from the context menu.


43. To generate a new hash set, click New Set... In the New Hash Set wizard, complete the required fields and click Create.

44. To add a folder, navigate to C:\CHFI-Tools\Evidence Files\Disk

45. It takes some time to create the new hash set.

46. Double-click the newly created hash set to view the hash values of the files in the selected folder.

47. To generate exact copies of partitions or whole drives on an active system, click Drive Imaging in the left pane.

48. Select the source volume (the E: drive) from the Source Disk drop-down list.

49. Specify the path of the Target Image File by clicking the Browse button, complete the remaining fields, check the Verify Image File After Completion option, and click the Create Image button.
Note: Creating the drive image takes time and requires a large amount of free space; it is suggested that you abort the imaging process in this lab.

50. To mount a drive image and view its contents, click Mount Drive Image.

51. The PassMark OSFMount window appears. Click Mount new..., navigate to C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd in the Image File field, leave the other settings at their defaults, and click OK.
Note: OSFMount mounts images read-only by default; leave that setting so the evidence image cannot be modified.

52. To view the mounted drive, open E:.


53. To copy the contents of one directory to another while preserving the original timestamps, click Forensic Copy.

54. Specify the Source Directory and Destination Directory by clicking the ellipsis buttons.

55. For the Source Directory navigate to C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image; for the Destination Directory, create a folder named Test Files on the Desktop and navigate to it.

56. A forensic copy is created in the destination path, with the results shown in the bottom pane of the window.
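Three of the checks in this manual, Autopsy's GENERATE MD5 LIST OF FILES (Lab 7, step 25), OSForensics' Mismatch File Search (steps 23 to 25), and Verify/Create Hash with Hash Sets (steps 35 to 46), are views of one triage routine. The following Python is an added example, not OSForensics' or Autopsy's code: it hashes every file under a folder in chunks, matches the digests against known-good and known-bad sets, and flags files whose extension claims a type that their signature bytes contradict. The evidence folder, its files, the signature table and the hash sets are constructed in the code; the known-bad set contains only the renamed executable so that the verdict logic has something to match.

```python
import hashlib
import os
import tempfile

# Leading-byte signatures (magic numbers) for a few common types; a small subset of what a
# mismatch search would ship with. Extensions listed with the same bytes are aliases.
SIGNATURES = {
    "jpg": [b"\xFF\xD8\xFF"], "jpeg": [b"\xFF\xD8\xFF"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"], "docx": [b"PK\x03\x04"], "xlsx": [b"PK\x03\x04"],
    "exe": [b"MZ"], "dll": [b"MZ"],
}


def hash_file(path: str, algorithms=("md5", "sha256"), chunk: int = 1 << 20) -> dict:
    """Hash a file in chunks; evidence files can be far larger than memory."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_list(root: str) -> dict:
    """Relative path -> digests for every file under root: the 'MD5 list of files'."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def detect_type(path: str):
    """Type implied by the leading bytes, or None when no known signature matches."""
    with open(path, "rb") as f:
        head = f.read(16)
    for ext, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return ext
    return None


def _aliases(ext: str) -> set:
    """Extensions that share a signature (jpg/jpeg, docx/zip) are not mismatches of each other."""
    return {e for e, m in SIGNATURES.items() if m == SIGNATURES[ext]}


def mismatch_search(root: str) -> list:
    """(path, claimed extension, detected type) for files whose content contradicts their extension."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            actual = detect_type(full)
            if ext in SIGNATURES and actual is not None and actual not in _aliases(ext):
                hits.append((os.path.relpath(full, root), ext, actual))
    return hits


def match_hash_sets(hashes: dict, known_good: set, known_bad: set, algo: str = "sha256") -> dict:
    """Classify each file by hash-set membership: known-good can be skipped, known-bad escalated."""
    verdicts = {}
    for rel, digests in hashes.items():
        d = digests[algo]
        verdicts[rel] = "known_bad" if d in known_bad else "known_good" if d in known_good else "unknown"
    return verdicts


def demo() -> dict:
    """Build a constructed evidence folder in a temp dir and run all three checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {                                      # constructed contents, not real evidence
            "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 40,
            "report.pdf": b"%PDF-1.7 " + b"\x00" * 40,
            "notes.txt": b"meeting notes\n",
            "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,   # a PE executable renamed to .jpg
            "archive.docx": b"PK\x03\x04" + b"\x00" * 20,
            "empty.dat": b"",
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(content)
        hashes = hash_list(tmp)
        known_bad = {hashes["holiday.jpg"]["sha256"]}    # pretend the renamed PE is in a bad set
        known_good = {hashes["report.pdf"]["sha256"]}
        return {"hashes": hashes, "mismatches": mismatch_search(tmp),
                "verdicts": match_hash_sets(hashes, known_good, known_bad)}
```

MD5 is still what most hash-set distributions key on, but it is collision-prone, so the example records SHA-256 beside it; match on the stronger digest where the set provides it. A file with no known signature (notes.txt here) is not reported as a mismatch because nothing can be concluded from its header, and an empty file is the one case where a known digest can be quoted from memory, which makes it a handy sanity check for any hashing tool.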

Lab Analysis:

Analyze and document the results related to this experiment.

……………………………………………………………………………………………………………………………………………………


Lab 11: Viewing, Monitoring, and Analyzing Events Using the Event Log Explorer Tool

Lab Objectives

The objective of this lab is to help forensic investigators learn how to view, monitor, and analyze various events. Here we monitor and analyze:
Security logs
System logs
Application logs
Other logs of the Microsoft Windows OS.

Lab Environment
This lab requires:
Event Log Explorer, located at C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Event Log Explorer.
You can also download the latest version of Event Log Explorer from www.eventlogxp.com.
If you decide to download the latest version, the screenshots shown in the lab might be slightly different.
A computer running Windows Server 2012.
Administrative privileges to install and run tools.

Lab Tasks
1. Navigate to C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Event Log Explorer.

2. Double-click elex-setup.exe to launch the setup, select English as the language, and follow the wizard-driven installation steps to install the application.
Note: If an Open File - Security Warning pop-up appears, click Run.


Event Log Explorer startup installer wizard

3. In the final step of installation, check Launch Event Log Explorer and click Finish.

Event Log Explorer installer wizard, final step

4. On completion of installation, a web page about Event Log Explorer opens in a web browser. Close the web page.

5. An Event Log Explorer pop-up window appears; click OK to close it.

Event Log Explorer pop-up window

6. The Event Log Explorer main window appears, displaying an empty log view area and a Computers Tree pane with the Windows Server 2012 virtual machine's computer name.

Event Log Explorer main window

7. If the local computer name does not appear in the Computers Tree pane, choose File -> New Workspace.

Event Log Explorer New Workspace

8. To open an event log of your computer, click the (+) button next to the computer name in the Computers Tree pane.

Event Log Explorer Computers Tree

9. The computer node expands to display all available event logs, as shown in the following screenshot:

Expanding the Computers Tree of Event Log Explorer


10. Double-click Application in the Computers Tree pane to view the application events. The Application event log is displayed in the right pane of the window, as shown in the screenshot:

Event Log Explorer viewing the Application events

11. Event Log Explorer also displays the events of the other logs present on this machine: Applicure DFS Replication, dotDefender Audit, Hardware Events, Key Management Service, OAlerts, Security, System, and Windows PowerShell.

12. Selecting an event displays its description in the Description pane at the bottom of the window.

Event Log Explorer Description pane

13. You can also filter the events. To filter, click the Filter icon on the toolbar, or choose View -> Filter.

Event Log Explorer Filter option

14. A new Filter window pops up. Choose the Source, Category, User, and Computer to filter on, and then click OK.

Event Log Explorer applying a filter

15. Event Log Explorer displays all the events that match your filter settings.


Event Log Explorer showing the filtered event logs

16. To clear the filter settings, click the Clear Filter button on the toolbar, or choose View -> Clear Filter.

Note: The Clear Filter option is active only when a filter is applied.

17. You can save the event logs for future reference. To save logs, choose File -> Save Log As... and select the option that suits your requirement. In this lab, Save Event Log (Backup)... is selected.

18. Navigate to the location where you want to save the event logs (here, the Desktop), type the file name (here, Application Events) in the appropriate field, and click Save.

Event Log Explorer Save Log As window

19. Navigate to the location where you saved the event logs and double-click the file to see the saved event logs.

20. The saved logs appear in the Event Viewer window, as shown in the following screenshot:


Event Log Explorer Event Viewer

21. An alternative way to open an event log file is to choose File -> Open Log File -> Standard, or File -> Open Log File -> Direct.

22. In the pop-up window, click Browse to select the file and then click OK. The saved file opens.

Event Log Explorer Direct

23. To clear the logs, choose File -> Clear Log.

Event Log Explorer Clear Logs

24. A Clear Log pop-up appears; click Yes if you want to save the logs first, or No if you do not. This clears all the event logs of the category selected in the Computers Tree pane on the left.

Note: Clearing a log on an evidence system destroys evidence and itself leaves a trace (clearing the Security log writes Security event ID 1102, "The audit log was cleared"). Do this only on lab machines, and only after the log has been saved.

Lab Analysis:

Analyze and document the results related to this experiment.

……………………………………………………………………………………………………………………………………………………


Lab 12: Performing a Computer Forensic Investigation Using the Helix Tool

Lab Objectives
The objective of this lab is to help students learn how to investigate a computer-based crime using the Helix tool.

Lab Environment
To carry out the lab you need:
The Helix tool, located at C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Helix.
A computer running Windows Server 2012.
Administrative privileges to install and run tools.

Lab Tasks

Note: This lab is based on the free version of Helix 3.

1. Navigate to C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Helix.

2. To launch Helix, double-click helix.exe.

3. It displays a warning message. Read it thoroughly and select your preferred language from the Choose Your Language drop-down menu.

4. Click Accept to continue.

After you click Accept, the Helix GUI appears as shown in the following screenshot:

5. Click the System Information icon on the left side of the window to see the complete system information.


6. It displays the OS information, owner information, network information, and the drives with their file system types.

7. Click the (...) button to go to the second System Information page, which displays the processes running on your system.

8. Click the Acquisition icon to acquire physical memory or disk drives.

9. Select the desired disk drive from the Source drop-down menu. Under Location Option, choose where to save the output and give the destination path by clicking the Folder icon. Give the image a name, leave the DD Option field at its default, and click Acquire.

11. To proceed to step 2, click the (...) button. To create an image of a folder with the help of AccessData FTK Imager, click Imager.


Note: You can also create an image of a physical drive, a logical drive, an image file, the contents of a folder, or a Fernico device (multiple CD/DVD).

12. AccessData FTK Imager launches. Open the File menu on the menu bar and click Create Disk Image...

13. Choose Contents of a Folder as the source evidence type, and then click Next to create an image.

14. AccessData FTK Imager prompts you with a warning; click Yes to continue.

15. Now click Browse, select a folder (in this case, C:\CHFI-Tools\Evidence Files\Image Files), and then click Finish.


16- Click the Add button.
17- Evidence Item Information wizard appears, fill in the details, and click Next.

18- Now click the Browse button to give a destination path (in this lab we have created a folder named Helix Result in C:\ and saved the result in C:\Helix Result), enter an Image Filename excluding the extension, and click Finish.



19- Now click the Start button in the Create Image wizard to create an image of the folder contents.

20- After completion, the Drive\Image Verify Results summary will pop up; click Close, and then click Close in the Create Image wizard.

21- Access Data FTK Imager created an image of a folder, to check this, navigate to
the C:\Helix Result path mentioned in the destination.



22- Now, you can examine this image using Access Data FTK Imager. In this lab, we already have an evidence item\Disk Image located at C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image (DiskPartitionRawImage.dd), and we will be analyzing this image instead of the one we created in the previous steps.
23- Go to File→ Add Evidence Item from the menu bar to add an evidence item for
investigation.



24- Choose Image File option for investigating the image file, and click Next.



25- Click Browse, navigate to C:\CHFI-Tools\Evidence Files\Disk Partition Raw Image\DiskPartitionRawImage.dd, and then click Finish.

28- Now close the Access Data FTK Imager by clicking Exit in the File menu.



Now click the Incident Response (…..) icon in the left pane of the Helix GUI.
29- Click Agile Risk Management's Nigilant32 icon on page 1.



30- It will prompt you with a Notice. Click Yes.

32- Nigilant32 pop-up appears, click the pop-up.



31- Nigilant32-Windows Afterdark Forensic Window appears as shown in the screenshot:

32- Choose File → Preview Disk… to view the Preview of the hard drives.

33- Select the drive to Preview, and then click the Apply button. Note: Do not select the C drive (it contains system files).



34- It displays the files and folders pertaining to the partition. Double-click a file to view the file content in the bottom pane of the window.
35- You may double-click a folder to view the contents in it.



36- To take a snapshot of the computer, choose Tools → Snapshot Computer.

37- It will display the Live Machine Snapshot window. If you want to save the snapshot, click the Save button.



38- The Save As window appears, select the location in which the snapshot has to be
saved and mention the file name in the File Name field, and click Save.

39- To create an image of physical memory, choose Tools → Physical memory.


40- Click Start to create an image of physical memory.

41- The Save As window appears, select the location in which the snapshot has to be
saved and mention the file name in the File Name field, and click Save.

42- Now go to Page 2 by clicking the (…..) button.


43- To generate an MD5 hash value of a file, click the Browse button and select a file (in this case, C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Windows Forensics Tools\Helix\EULA.pdf).
44- Click the Hash button to generate the hash value of the file.



45- A hash value is generated, as shown in the screenshot:

46- Now click the File Recovery icon to recover the deleted files.

47- It will prompt you with the Notice window. Click Yes to run Filerecovery.exe.



48- Select a language and click the (….) button in the Choose Language wizard.

49- Click the (…..) button in the Welcome window of the PC Inspector File Recovery wizard.



50- Navigate to Object → Drive.

51- Now select a drive from the Logical drive or Physical drive tabs. In this lab, we are recovering files from logical drives.
52- Select any drive from the Logical drive tab and click the (….) button.



53- It will take some time to retrieve the files and folders of the drive, as shown in the
screenshot:

54- In the left pane of the window, it will display a tree structure. In that structure, you
can find a Deleted file string.
55- Expand the Deleted node and select a folder from the left pane. The contents of the folder appear in the right pane.
56- You can save those files to another hard drive or disk by right-clicking the respective file, clicking Save to, and then specifying the location in which to store the file.
57- Now click the (…..) button to navigate to Page 3.

58- To know the contents of your drives, click the Browse icon in the left pane. It displays all the drives in the middle pane of the window.
59- Expand the drive of your choice and expand the folders within the drive. It displays the files within the selected folder in the right pane.
60- Now, select a file in the right pane. The application displays the file properties in the lower right pane of the window as shown in the screenshot:



61- To scan images or pictures on the computer, click the Scan for Pictures icon, and then click Load Folder to view the images.
62- Navigate to C:\CHFI-Tools\Evidence Files\Image Files to load the pictures for the scan, then click OK.



63- It will prompt with a Notice window asking you to be patient. Click OK.

64- You can view the images scanned by Helix as shown in the screenshot:

Lab Analysis:

Analyze and document the results related to this experiment.


…………………………………………………………………………………………………………
……………………………………
…………………………………………………………………………………………………………
……………………………………



Lab 13: Acquiring Volatile Data in Linux System

Lab Objectives:
The objective of this lab is to help students learn to gather volatile data from a live Linux system and analyze it to find traces of attack, so as to define the type, impact points and path of the attack as well as the perpetrator.

Lab Environment:
To carry out the lab, you need:

A computer running Ubuntu OS (Linux distro).
Administrative privileges to run tools.
A web browser with an Internet connection.

Lab Tasks:
1- Launch a Terminal in the system

Note: Create a copy or image of the hard disk before acquiring any volatile data, as the commands and actions used to analyze it can make changes to files on the system.

2- Use the command uname -a to gather Linux system information in sequence, including kernel name, hostname, kernel release and machine hardware name.



3- Type sudo su and press Enter. You will be prompted to enter a password. Type toor and press Enter.
4- The user will be changed from Jason to root as shown in the screenshot:

5- The lshw command will help you print the hardware details of the system. Use the -short option to print a summary of the information.



6- To know uptime details, type w and press Enter.

7- To gather the details of the last login sessions, issue the command last -a.



8- Use the netstat command to check network status of the system.

9- You can review the current network settings using the command ifconfig -a.



10- The lsof (list open files) command will help you find all the open files associated with particular ports, services, and processes. Use the command lsof > openfiles.txt to save the result in a text file in the home directory. The output contained in the text file is shown in the screenshot for reference.



11- You can review the loaded modules in a Linux system using the command lsmod.



12- Install a Linux auditing tool called auditd on the system using the command apt install auditd.

Note: If Ubuntu is unable to download auditd, you need to update the repositories using the commands apt-get update and apt-get upgrade.

13- The auditing tool consists of utilities that help in creating records about the system information.
14- Gather details of all the login attempts made to the system by issuing the command aureport.



15- Determine the user ID of a particular user using the id root command, and then track all the user events pertaining to that user ID with the ausearch command. Syntax of the command is ausearch -ui <userID> --interpret. In this lab, the user ID is 0.

16- Linux stores the scheduled tasks in the system files /var/spool/cron/ and /etc/cron.daily. Find the scheduled tasks by verifying these files.

17- The cron files also store data about the tasks scheduled hourly, daily, weekly and
monthly. To view the daily scheduled task files go to /etc/cron.daily.



18- The .bash_history file contains the command history of the Linux system. To view the history, navigate to the Home directory and double-click .bash_history to view the entire bash history.



19- Find the ARP Cache of the system using the arp command.

20- Use the ps command to view the running processes in the system. You can use the option auxww to view all details of the running processes.



21- You can find the ports related to a particular process using the command ss -l -p -n | grep <PID>.

Note: If any error related to grep appears, you need to install grep on the machine. Issue the command apt-get install grep to install grep on Ubuntu.

22- You can collect the current state data of the system by viewing the state of the processes running in the /proc file system.

23- The clipboard stores the details of files or text copied recently. Copy and review the clipboard contents using the xclip command.



24- You can analyze the headers and sections of ELF files using the readelf command. Syntax of the command is readelf <option> <elf file>.
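As an added example that is not part of the lab manual, the shell script below gathers the volatile data from the steps above into one evidence directory, recording for each command its exit status and a hash of its output in a manifest; the artefact names, the command list and the output directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the lab manual): collect the volatile data the
# steps above gather by hand into one evidence directory, recording each
# command, its exit status and a hash of its output in a manifest file.
# Commands run roughly in order of volatility (live state first).

# Artefact name|command, one per line (constructed list for this example)
VOLATILE_CMDS='
system_info|uname -a
logged_in_users|w
last_logins|last -a
net_status|netstat -an
net_ifaces|ifconfig -a
open_files|lsof
kernel_modules|lsmod
arp_cache|arp -a
processes|ps auxww
listening_sockets|ss -l -p -n
hardware|lshw -short
'

# hash_file FILE: print a hash of FILE (sha256sum, or cksum as a fallback)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        cksum "$1" | awk '{print $1}'
    fi
}

# collect_volatile OUTDIR: run every command, save its output as
# OUTDIR/<name>.txt, append "<hash> rc=<status> <name> <command>" to
# OUTDIR/manifest.txt and print the number of manifest entries.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    manifest="$outdir/manifest.txt"
    : > "$manifest"
    printf '%s\n' "$VOLATILE_CMDS" | while IFS='|' read -r name cmd; do
        if [ -z "$name" ]; then continue; fi
        tool=${cmd%% *}
        outfile="$outdir/$name.txt"
        if ! command -v "$tool" >/dev/null 2>&1; then
            # Record absent tools rather than silently skipping them
            printf 'MISSING rc=127 %s %s\n' "$name" "$cmd" >> "$manifest"
            continue
        fi
        # stderr is kept: "permission denied" output is evidence too
        if $cmd > "$outfile" 2>&1; then rc=0; else rc=$?; fi
        printf '%s rc=%s %s %s\n' "$(hash_file "$outfile")" "$rc" \
            "$name" "$cmd" >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# Stand-alone use (assumed mount point):
#   . ./collect.sh; collect_volatile /mnt/usb/evidence_$(date +%Y%m%d%H%M%S)
```

Write the evidence directory to external media rather than the suspect disk, and keep the manifest with the hashes of the original acquisition.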

Lab Analysis:

Analyze and document the results related to this experiment.

……………………………………………………………………………………………………
…………………………………………
……………………………………………………………………………………………………
…………………………………………
……………………………………………………………………………………………………
…………………………………………
……………………………………………………………………………………………………
…………………………………………



Lab 14: Analyzing Non-volatile Data in Linux System

Lab Objectives:

The objective of this lab is to help students learn how to analyze an image of a Linux hard disk and gather the required evidence from it.

Lab Environment:
To carry out the lab, you need:

Autopsy located at C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Linux Forensics Tools\Autopsy
A computer running Windows Server 2012
Administrative privileges to run tools
A web browser with an Internet connection

Lab Tasks:
1- Before beginning this lab, navigate to C:\CHFI-Tools\Evidence Files\Linux Image, right-click Linux_disk1.7z and select Extract Here. After extracting the file, delete Linux_disk1.7z.
2- Navigate to C:\CHFI-Tools\CHFIv9 Module 06 Operating System Forensics\Linux Forensics Tools\Autopsy.
3- Double-click autopsy-4.0.0.6-64bit.msc to launch the setup, and follow the wizard-driven installation instructions to install the application.
4- Double-click the Autopsy 4.0.0 shortcut icon located on the Desktop to launch the application.
5- The main window of Autopsy will appear.

Note: You can also launch the tool from the Apps screen.

6- Click the Create New Case option.



7- In the New Case Information window, provide the Case Name and Base Directory, and click the Next button.

8- Provide the Case Number and Examiner details, and click the Finish button.



9- Click the Browse button.



10- Navigate to the location C:\CHFI-Tools\Evidence Files\Linux Image, select the Linux_Image 1.img file and click the Open button.

11- Click the Next button.



12- Check the required boxes and click the Next button.

13- Click the Finish button.


Note: The tool will take time to analyze the image.



14- The tool will display the result after analysis. Expand the Data Sources node in the left pane. The Data Sources option will include the name of the image file you have analyzed.
15- Click the image name, here Linux_disk1.img, to expand it and see its contents. It will include all the necessary operating system data.



16- The image contains folders, each of which stores data related to the files, processes, services, tools and commands used on the Linux system.
17- The bin folder contains command binaries for all users. Click the bin option to see its content. Click the option you want to verify and review it.
18- Select the auto partition-loop file option from the menu. Click the Strings tab to view all the strings present in the selected file. You can observe that the file contains Syslog information, which stores Linux log data.

Note: The files that are marked with a red cross are deleted files that have been recovered by Autopsy. Analyze the deleted files to find any suspicious activities. This may also help in finding whether the attacker has used any anti-forensic techniques that delete files and folders after completion of a given task.
19- The update-dev file stores data about the login sessions of different users on the Linux system. Select the update-dev file and click the Strings tab to view the file information in textual format.



20- Click the boot menu option to view the bootloader files of the Linux operating system present on the hard disk image.
21- Verifying these files helps you in finding the presence of any boot-based malware.

22- The dev folder stores information about devices connected to the system. Click the option to see information about the different audio, media, etc. device files connected to the system.



23- The etc folder contains system configuration files. Expand the etc node and click it to view the internal files.



24- The home folder stores the user home directories. It helps users to view the files and folders stored on the system. It also contains details of the other user accounts present on the system.

25- Select the var folder from the left side menu. Expand the log folder from the sub menu and select the apt folder under it. The apt folder contains the history.log file that stores the history of actions performed.

26- Select the cups folder. It stores access logs, error logs, and page logs. Select the access log option in the Table tab to view the logs.



27- The tool also displays deleted files. Expand the Views option from the left menu list, expand the Deleted Files option and click All to view all the deleted files.

28- Select the Results folder from the left pane. It contains sections such as EXIF Metadata files, Encrypted Content and Extension Mismatch Detected. Analyze these files to look for obfuscated malware files as well as metadata files.



29- Similarly, analyze the lib, media, mnt, opt, root, sbin, and tmp folders to examine libraries and kernel modules, mount points of removable media, temporary mount points, add-on application packages, the root user's home directory, system binaries and temporary files respectively.
30- Other system folders include srv, containing data for services provided; usr, with the secondary hierarchy and user commands; and var, with variable data such as log files, mail spools, caches and lock files.

Lab Analysis:
Analyze and document the results related to this experiment.
……………………………………………………………………………………………………
…………………………………………
……………………………………………………………………………………………………
…………………………………………



Lab 15. Scanning System and Network Resources Using Advanced IP Scanner
Lab Objectives:
The objective of this lab is to help students perform a local network scan and discover all the resources on the network.

• Perform a system and network scan
• Enumerate user accounts
• Execute remote penetration
• Gather information about local network computers
Lab Environment:
This Lab requires:

A computer running a Windows 10 virtual machine.
Administrative privileges to install and run tools.
A web browser with an Internet connection.
Advanced IP Scanner located at Z:\\CEHv8 Module 03 Scanning Networks\Scanning Tools Advanced IP Scanner
You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com

Lab Tasks:
Use the Advanced IP Scanner tool to get various types of information about local network computers.
1.0 After downloading and installing this tool, we will see this user interface.

1.1 Now enter the local network IP address range.

1.2 Click Scan to get the results for all devices in the network along with their information.



1.3 Right-click any of these devices and you get the following menu.

It contains three main options: Wake-On-LAN, Shut down, and Abort shut down.

1.4 Click Shut down; you can use Windows authentication to remotely access this victim device and shut it down.



Tool/Utility: Advanced IP Scanner
Information Collected/Objectives achieved:
Scan Information:
- IP address
- System Name
- NetBIOS information
- Manufacturer
- System status
Examine and evaluate the IP addresses and range of IP addresses

Lab Question
Lab analysis



Lab 16. Monitoring TCP/IP Connections Using the CurrPorts Tool
Lab Objectives:

The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer. In this lab you need to:

• Scan the system for currently opened TCP/IP and UDP ports
• Gather information on the ports and processes that are opened
• List all the IP addresses that currently have established connections
• Close unwanted TCP connections and kill the process that opened the ports.
Lab Environment:
This Lab requires:

A computer running a Windows 10 virtual machine.
Administrative privileges to install and run tools.
A web browser with an Internet connection.
CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts

You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html

Administrator privileges to run the CurrPorts tool

• Open CurrPorts. It automatically displays the process name, ports, IP, remote addresses and states; see the screenshot



• If we want to view all reports as an HTML page, click View > HTML Report - All Items; see the screenshot

The HTML Report; see the screenshot



• To save the report from the web browser, click File > Save Page; see the screenshot

• If we want to view only the selected report as an HTML page, select the reports and click View > HTML Reports - Selected Items; see the screenshot



• The Selected Report, see the screenshot

• To save report from the web browser, click File > Save Page, see the screenshot



• To view the properties of a port, select a port and click File > Properties; see the screenshot

• The Properties window displays all the properties for the selected port, see the
screenshot

• If there is a TCP connection we think is suspicious, we can simply close it; see the screenshot

• If we want to kill the processes of the selected ports, see the screenshot

• After we finish, exit the CurrPorts tool; see the screenshot

Lab Analysis:

Tool / Utility: CurrPorts
Information collected / Objectives Achieved:
Profile Details: Network scan for open ports.

Scanned Reports:
■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host name



Questions:
1- Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53, and running it.

2- Analyze and evaluate the output results by creating a filter that displays only the ports opened by the Firefox browser.

3- Determine the use of each of the following options that are available under the Options menu of CurrPorts:
a. Display Established
b. Mark Ports of Unidentified Applications
c. Display Items Without Remote Address
d. Display Items with Unknown State



Lab 17. Exploring and Auditing a Network Using Nmap
Lab Objectives:
The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime. In this lab, you need to:
Scan TCP and UDP ports
Analyze host details and their topology
Determine the types of packet filters
Lab Environment:
This Lab requires:

A computer running a Windows 10 virtual machine.
Administrative privileges to install and run tools.
A web browser with an Internet connection.
Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
You can also download the latest version of Nmap from the link http://nmap.org/
Administrative privileges to run the Nmap tool

Lab Tasks:
• The main page of Nmap - Zenmap is displayed; see the screenshot



• We type the local IP of our own network in the Target field, select Intense scan in the Profile field and then click Scan; see the screenshot

• Nmap scans the provided IP address with the Intense scan profile and displays the scan result; see the screenshot



• After the scan is complete, Nmap shows the scanned results, see the screenshot



• Click the Ports/Hosts tab to display more information on the scan results; see the screenshot

• View the Nmap topology for the provided IP address in the Intense scan profile; see the screenshot



• Click the Host Details tab to see the details of all hosts discovered during the Intense scan profile; see the screenshot

Network Management and Security (CS445)


Lab Assignment

• Click the Scans tab to see the scan details for the provided IP addresses; see the screenshot



• After that, click the Services tab. This tab displays the list of services. Click the http service to list all the HTTP hostnames, ports and states; see the screenshot

• The ssh service; see the screenshot



• The upnp Service , see the screenshot



• A Xmas scan sends a TCP frame to a remote device with the URG, ACK, RST, SYN, and FIN flags set. It works only against OS TCP/IP implementations developed according to RFC 793; the current version of Microsoft Windows is not supported. Now, to perform a Xmas scan, we need to create a new profile; see the screenshot

• We enter Xmas Scan in the Profile name text field; see the screenshot



• In the Scan tab, select Xmas Tree scan (-sX) from the TCP scan list; see the screenshot

• Select None in the Non-TCP scans list, select Aggressive (-T4) in the Timing template, and then click Save Changes; see the screenshot



• We enter the IP address in the Target field, select the Xmas scan from the Profile and click Scan; see the screenshot

• Nmap displays the results on the Nmap Output tab; see the screenshot



• If we want to see all the services of that host, click Services; see the screenshot

• A Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a Null scan, attackers send a TCP frame to a remote host with no flags set. To perform a Null scan for a target IP address, we need to create a new profile; see the screenshot

• We enter Null Scan in the Profile name text field; see the screenshot

• In the Scan tab, select Null scan (-sN) from the TCP scan list; see the screenshot



• Select None in the Non-TCP scans list, select Aggressive (-T4) in the Timing template, and then click Save Changes; see the screenshot



• We enter the IP address in the Target field, select the Null scan from the Profile and click Scan; see the screenshot

• Nmap displays the results on the Nmap Output tab; see the screenshot

• In the Host Details tab, view the details of hosts, such as Host Status and Addresses; see the screenshot



• Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered, and an RST response means the port is not filtered. To perform an ACK Flag scan for a target IP address, we need to create a new profile; see the screenshot

• We enter ACK Flag Scan in the Profile name text field; see the screenshot

• In the Scan tab, select ACK scan (-sA) from the TCP scan list; see the screenshot

• On the Ping tab, check IPProto probes (-PO) to probe the IP address, then click Save Changes; see the screenshot

• We enter the IP address in the Target field, select the ACK Flag scan from the Profile and click Scan; see the screenshot

• Nmap displays the results on the Nmap Output tab; see the screenshot

• To view more details regarding the hosts, open the Host Details tab; see the screenshot
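Seen from the side of the network being audited, the script below is an added example that is not part of the manual: it recognises the three probe types used above in tcpdump-style capture lines (Nmap's -sX sends FIN, PSH and URG, -sN sends no flags, and -sA sends bare ACKs) and lists the sources that sent Xmas or Null segments. The capture lines are constructed for this example with RFC 5737 documentation addresses, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the lab manual): spot Xmas, Null and ACK-only
# probes in tcpdump-style output. Nmap -sX sets FIN, PSH and URG (tcpdump
# prints "Flags [FPU]"), -sN sets no flags ("Flags [none]") and -sA sends
# bare ACK segments ("Flags [.]"), which also occur in normal sessions and
# are therefore only counted, not treated as a scan on their own.

# Constructed sample capture (RFC 5737 addresses, not real traffic)
SAMPLE_CAPTURE='
12:00:01.000001 IP 192.0.2.10.41234 > 192.0.2.20.80: Flags [FPU], seq 1, win 1024, urg 0, length 0
12:00:01.000002 IP 192.0.2.10.41235 > 192.0.2.20.22: Flags [none], seq 1, win 1024, length 0
12:00:01.000003 IP 192.0.2.10.41236 > 192.0.2.20.443: Flags [.], ack 1, win 1024, length 0
12:00:01.000004 IP 192.0.2.30.51000 > 192.0.2.20.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 192.0.2.20.80 > 192.0.2.30.51000: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:01.000006 IP 192.0.2.10.41238 > 192.0.2.20.25: Flags [FPU], seq 1, win 1024, urg 0, length 0
'

# tcp_flags LINE: print the text between "Flags [" and "]" (nothing if absent)
tcp_flags() {
    printf '%s\n' "$1" | sed -n 's/.*Flags \[\([^]]*\)\].*/\1/p'
}

# classify_flags FLAGS: print xmas | null | ack_only | normal
classify_flags() {
    case "$1" in
        FPU)  echo xmas ;;
        none) echo null ;;
        .)    echo ack_only ;;
        *)    echo normal ;;
    esac
}

# count_probe_types < capture: print "xmas=N null=N ack_only=N normal=N"
count_probe_types() {
    xmas=0; null=0; ack=0; normal=0
    while IFS= read -r line; do
        flags=$(tcp_flags "$line")
        [ -n "$flags" ] || continue
        case "$(classify_flags "$flags")" in
            xmas)     xmas=$((xmas + 1)) ;;
            null)     null=$((null + 1)) ;;
            ack_only) ack=$((ack + 1)) ;;
            *)        normal=$((normal + 1)) ;;
        esac
    done
    echo "xmas=$xmas null=$null ack_only=$ack normal=$normal"
}

# probe_sources < capture: source IPs that sent Xmas or Null segments, one
# per line; a conforming stack never emits these combinations on its own
probe_sources() {
    while IFS= read -r line; do
        flags=$(tcp_flags "$line")
        case "$(classify_flags "$flags")" in
            xmas|null)
                src=${line#* IP }          # "192.0.2.10.41234 > ..."
                src=${src%% >*}            # "192.0.2.10.41234"
                echo "${src%.*}" ;;        # strip the port
        esac
    done | sort -u
}

# Stand-alone use on a saved capture (assumed file name):
#   tcpdump -nn -r audit.pcap 'tcp' | count_probe_types
```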

Lab Analysis:

Tool / Utility: Nmap
Information collected / Objectives Achieved:
Types of Scan used:
■ Intense scan
■ Xmas scan
■ Null scan
■ ACK Flag scan
Intense Scan – Nmap Output:
■ ARP Ping Scan
■ Parallel DNS resolution of 1 host
■ SYN Stealth Scan - Discover open port on 192.168.100.1
■ MAC Address
■ Operating System Details
■ Uptime Guess
■ Network Distance
■ TCP Sequence Prediction
■ IP ID Sequence Generation
■ Service Info

Questions:
1. Analyze and evaluate the results by scanning a target network using a Stealth Scan (Half-open Scan).
2. Perform Inverse TCP Flag Scanning and analyze the hosts and services for a target machine in the network.




