DFIR Lab Manual

The document outlines the setup and practical applications of a Digital Forensics and Incident Response (DFIR) lab, detailing objectives, infrastructure, and necessary tools. It includes step-by-step instructions for various practical tasks such as disk imaging with FTK Imager, analyzing physical images using Autopsy, and creating RAM dumps. Each practical emphasizes the importance of evidence preservation and analysis techniques in digital forensics.

Enrolment No. 2203051260037 Digital Forensics & Incident Response (303105396)
CSE-PIT(PU)

Practical 1
Setting up a DFIR lab.
1. Define Objectives and Scope

• Determine the primary purpose (e.g., learning, testing tools, conducting investigations).

• Decide the areas to focus on, such as:

o Disk forensics

o Network forensics

o Memory forensics

o Malware analysis

o Incident response processes

2. Infrastructure Setup
a. Hardware

• Workstations: High-performance systems with sufficient RAM (16GB+), CPU cores (4+), and storage (SSD/NVMe drives).

• Server(s): For centralized log collection, analysis, and virtual machine hosting.
• Network Equipment: Switches, routers, and firewalls to simulate network
environments.

• Removable Media: External hard drives, USB drives, write-blockers for imaging.

b. Software Tools
• Forensic Tools:

o Open-source: Autopsy, FTK Imager, Sleuth Kit, Volatility, Rekall

o Commercial: EnCase, Magnet AXIOM, X-Ways Forensics

• Incident Response:

o SIEM: Splunk, ELK Stack (ElasticSearch, Logstash, Kibana)

o EDR: CrowdStrike, Carbon Black

• Malware Analysis:

o Static Analysis: Ghidra, IDA Pro

o Dynamic Analysis: Cuckoo Sandbox, REMnux


• Virtualization:

o VMware Workstation, VirtualBox, or Proxmox for isolated environments.


c. Virtual Machines

• Simulate environments:

o Windows: Client and server versions.

o Linux: Various distros (Ubuntu, CentOS, Kali Linux).


o Custom VM: With specific vulnerabilities for testing.

d. Storage Solutions

• Network-attached storage (NAS) or cloud storage for evidence preservation.


• RAID configurations for redundancy.

3. Network Environment

• Isolated network for lab activities to avoid accidental data leaks.

• Use network simulation tools like GNS3 or EVE-NG.

• Capture traffic with tools like Wireshark or Tcpdump for analysis.

4. Operating Environment

• Operating System:
o Use a forensic-focused OS like SANS Investigative Forensic Toolkit (SIFT)
or CAINE.

• Access Control:

o Ensure role-based access to lab systems.


o Secure systems with multi-factor authentication (MFA).

5. Practical Scenarios and Data Sets

• Use publicly available datasets or generate your own:


o Disk images: dd, FTK Imager

o Network traffic: PCAP files from honeypots.

o Memory dumps: Volatility or Rekall tools.


• Create realistic scenarios:

o Simulate ransomware attacks.


o Conduct phishing and lateral movement exercises.

6. Documentation and Reporting

• Maintain a lab handbook with procedures for:


o Evidence acquisition and chain of custody.

o Log analysis and malware detection workflows.

• Include reporting templates for investigations.

7. Regular Updates
• Periodically update tools and environments.

• Stay informed about the latest threats and DFIR methodologies.

8. Optional Enhancements
• Cloud Integration: Use cloud platforms like AWS, Azure, or Google Cloud to mimic
enterprise environments.

• Team Collaboration: Set up a platform like GitLab or JIRA for task management.


Practical 2
Non-Volatile Disk imaging using FTK Imager
Disk imaging
Disk imaging is the process of creating an exact, sector-by-sector copy of a
storage device, such as a hard drive, solid-state drive (SSD), or USB flash drive.
This copy, known as a disk image, is typically stored as a single file or a set of
files on another storage medium. Disk imaging can capture all the data on the
source device, including the operating system, applications, files, and even
hidden or unused sectors.
FTK Imager
FTK Imager is a forensic imaging tool developed by AccessData. It is widely
used in digital forensics to create bit-by-bit copies of storage devices, such as
hard drives, SSDs, USB drives, and CDs/DVDs. These copies, known as forensic
images, are used for preserving digital evidence in investigations.
The Forensic Toolkit (FTK) is a comprehensive digital forensics software
suite developed by AccessData. It is widely used by law enforcement agencies,
cybersecurity professionals, and forensic investigators to analyze digital
evidence in criminal, civil, and corporate investigations. FTK is particularly
renowned for its efficiency in processing and analyzing large volumes of data.
Steps
Step 1: Download and install FTK Imager


Step 2: Open FTK Imager

Step 3: Go to the File menu and click Create Disk Image

Step 4: Select Physical Drive and then select the source drive


Step 5: Select the destination folder and select the image type

Step 6: Add the evidence item information

Step 7: Select the image destination and click Finish


Step 8: Start imaging

Conclusion: Non-volatile disk imaging with FTK Imager ensures accurate evidence preservation by creating a bit-by-bit copy of the storage device. This method maintains data integrity, supports thorough analysis, and prevents evidence tampering during investigations.
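To show what the imaging and verification steps above actually do, here is an added example written for this manual (it is not FTK Imager's own code). It copies a source in fixed-size chunks, hashes the source stream and the written image with MD5 and SHA-256, mirroring the verify pass FTK Imager runs after writing (FTK Imager reports MD5 and SHA1; SHA-256 is added here), and writes an acquisition record beside the image. The 3 MiB `evidence_drive.bin` file, the examiner name and the evidence ID are constructed placeholders standing in for a physical drive; in a real acquisition the source would be the device node opened through a write-blocker.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB chunks: a whole drive never has to fit in RAM


def acquire_image(source_path, image_path, examiner, evidence_id, chunk=CHUNK):
    """Copy source into image_path sector-for-sector, hashing both streams.

    Returns an acquisition record (dict) of the kind FTK Imager writes beside
    an image: size, source hashes, image hashes and whether they match.
    Hypothetical helper for this manual, not FTK Imager's code.
    """
    src_md5, src_sha = hashlib.md5(), hashlib.sha256()
    started = datetime.now(timezone.utc).isoformat()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_md5.update(block)
            src_sha.update(block)
            dst.write(block)
            total += len(block)
    # Verification pass: re-read the written image independently of the copy.
    img_md5, img_sha = hashlib.md5(), hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            img_md5.update(block)
            img_sha.update(block)
    record = {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "source": source_path,
        "image": image_path,
        "bytes_copied": total,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "source_md5": src_md5.hexdigest(),
        "source_sha256": src_sha.hexdigest(),
        "image_md5": img_md5.hexdigest(),
        "image_sha256": img_sha.hexdigest(),
    }
    record["verified"] = (record["source_md5"] == record["image_md5"]
                          and record["source_sha256"] == record["image_sha256"])
    with open(image_path + ".txt", "w") as log:  # chain-of-custody record
        json.dump(record, log, indent=2)
    return record


def verify_image(image_path, expected_sha256, chunk=CHUNK):
    """Re-hash an image later (e.g. before analysis) and compare with the record."""
    h = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256


def demo():
    """Constructed stand-in for a small device: 3 MiB of patterned bytes."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence_drive.bin")
    img = os.path.join(tmp, "evidence_drive.dd")
    with open(src, "wb") as f:
        for i in range(3):
            f.write(bytes([i]) * (1024 * 1024))
    rec = acquire_image(src, img, examiner="Examiner (placeholder)",
                        evidence_id="EVD-001 (placeholder)")
    intact = verify_image(img, rec["image_sha256"])
    # Flip one byte in the image: later verification must now fail.
    with open(img, "r+b") as f:
        f.seek(4096)
        f.write(b"\xff")
    return rec, intact, verify_image(img, rec["image_sha256"])


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2))
    print("verified before tamper:", before, "after tamper:", after)
```

The point of hashing the source stream during the copy, rather than hashing the device afterwards, is that the source is read exactly once; any later re-hash of the image that no longer matches the record means the image, not the procedure, has changed.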


Practical 3
Analyzing the Physical image using Autopsy to extract
evidence
Autopsy is an open-source digital forensics tool used for analyzing and investigating
digital evidence. It is a graphical user interface (GUI) for The Sleuth Kit (TSK), a
collection of command-line forensic tools. Autopsy is widely used in criminal
investigations, incident response, and cybersecurity forensics.

Key Features of Autopsy:

1. File System Analysis: Supports file systems like NTFS, FAT, HFS+, EXT, and APFS. Allows users to analyze file structures and locate hidden or deleted files.
2. Keyword Search: Performs indexed and live keyword searches across files, metadata, and unallocated space. Supports regular expressions for advanced search queries.
3. Timeline Analysis: Visualizes file system activity chronologically to help investigators identify events of interest.
4. File Carving: Recovers deleted or fragmented files from raw disk images or unallocated space.
5. Artifact Parsing: Extracts digital artifacts such as browser history, email data, Registry files, and USB usage.
6. Hash Matching: Compares file hashes against known databases (e.g., NSRL) to identify known malicious or important files.
7. Memory Analysis: Analyzes RAM dumps to identify running processes, network activity, or malicious activity.
8. Email Analysis: Parses and analyzes email files (e.g., PST, OST, MBOX) to recover messages and attachments.
9. Media File Identification: Identifies and previews images and videos, with tools to detect inappropriate or suspicious content.
10. Pluggable Modules: Extensible via additional modules, including:

o Volatility for memory analysis.

o Bulk Extractor for extracting keywords, emails, and URLs from unallocated space.

11. Case Management: Manages multiple cases with easy bookmarking, tagging, and reporting features.
12. Centralized Processing: Enables collaborative investigations by running Autopsy on a central server.
13. Cross-Platform Support: Available for Windows, Linux, and macOS systems.
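Feature 4 (file carving) is the one that makes deleted files recoverable even when their directory entries are gone, so here is an added example of how header/footer carving works (example code for this manual, not Autopsy's or its PhotoRec carver module's code). It scans a raw buffer for JPEG, PNG and PDF signatures, cuts each object at its footer, and flags objects whose footer is missing, which is what a truncated or fragmented deleted file looks like. The sample "unallocated space" is constructed inline: 2 KiB filler runs with three small objects planted in them.

```python
import os
import re
import tempfile

# Header/footer signatures of file types commonly carved from unallocated space.
# Values: (header bytes, footer bytes, maximum object size when no footer is found)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 8 * 1024 * 1024),
}


def carve(data, signatures=SIGNATURES):
    """Return a list of (type, offset, bytes) carved from a raw image buffer.

    Carving ignores the file system entirely, which is why it recovers files
    whose metadata has been deleted. A header with no footer within max_len
    (truncated or fragmented file) is still returned, cut at max_len and
    flagged with a trailing '?' so the examiner knows it may be incomplete.
    """
    found = []
    for ftype, (header, footer, max_len) in signatures.items():
        for m in re.finditer(re.escape(header), data):
            start = m.start()
            end = data.find(footer, start + len(header), start + max_len)
            if end == -1:
                found.append((ftype + "?", start, data[start:start + max_len]))
            else:
                found.append((ftype, start, data[start:end + len(footer)]))
    return sorted(found, key=lambda item: item[1])


def carve_to_dir(data, outdir):
    """Write each carved object as <offset>.<type>, the naming most carvers use."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for ftype, offset, blob in carve(data):
        path = os.path.join(outdir, f"{offset:012d}.{ftype.rstrip('?')}")
        with open(path, "wb") as f:
            f.write(blob)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed stand-in for unallocated space: filler with three objects planted."""
    filler = bytes(range(256)) * 8  # 2 KiB; contains none of the signatures above
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk-constructed" + b"IEND\xaeB`\x82"
    pdf_truncated = b"%PDF-1.7\n%constructed, footer missing"  # partly overwritten
    return filler + jpg + filler + png + filler + pdf_truncated


def demo():
    """Carve the constructed image into a temporary directory; return written paths."""
    return carve_to_dir(build_sample_image(), tempfile.mkdtemp())


if __name__ == "__main__":
    for ftype, offset, blob in carve(build_sample_image()):
        print(f"{ftype:5s} @ {offset:#010x}  {len(blob)} bytes")
    print(demo())
```

On a real image the same scan runs over gigabytes, so a production carver reads in chunks and validates the structure of each hit (for instance PNG chunk CRCs) before keeping it; the flagged `pdf?` object shows why a carved file must still be reviewed rather than trusted as complete.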


Steps:
Step 1: Download and Install Autopsy

Step 2: Open Autopsy

Step 3: Click On create a new Case

Step 4: Fill the case details.


Step 5: On the select host screen, leave it default.

Step 6: Select the data source type

Step 7: Select the data source.


Step 8: Configure the ingest. In this panel, select the ingest modules, that is, the artifacts to be extracted from the image file, and click Next.

Step 9: Click Next. Autopsy will add the data source to the new case and start running the ingest modules.


Step 10: After the analysis, on the left side of the screen an evidence tree will be produced
from which you can view whichever data you want to analyse.

Step 11: To create a report of the analysis, there is an option called “Generate Report”.
Click on that and select the type of report we want to generate.


Conclusion: Analysis of the Physical image using Autopsy to extract evidence has been
successfully performed.


Practical 4
Analyzing the Live running OS using Autopsy to extract
evidence without Imaging
Introduction
Autopsy is a tool used in digital forensics to identify what has happened to a computer system. Autopsy can analyse disk image files and RAM dumps, and can even recover lost or deleted data.
Autopsy has a feature that allows a digital forensics examiner to analyze a live running OS and extract evidence without imaging.
This feature copies the application and a batch file to a removable drive, allowing systems to be analyzed without installing the software or imaging the drives.
To analyze a system, insert the drive and run "RunFromUSB.bat" as administrator, then select the "Local Disk" option on the Add Data Source panel.
Another substitute for this feature in Autopsy is REDLINE. Redline is also used to extract evidence from
Requirements
1. Autopsy

2. A pendrive

3. A PC or Laptop
Procedure

1. Open Autopsy

2. Close the welcome page

3. Go to Tools and Select Manage Live Triage Drive


4. A screen will appear where you need to select the removable disk/pendrive

5. Once you click Ok, Autopsy will start to copy the Triage files onto the pendrive


6. Once the process is finished, you can use that pendrive on another live system to analyse it without imaging.

On the target system, insert the pendrive and run the RunFromUSB.bat file. It will automatically perform the analysis, and the results will be saved on the pendrive itself.

Conclusion: Analyzing a live OS with Autopsy enables real-time access to volatile data
but risks altering evidence. This approach suits urgent cases but lacks the preservation
offered by imaging.


Practical 5
Creating RAM dumps using Dump-IT and FTK
RAM dumps
A memory dump is the process of taking all information content in RAM and writing it to
a storage drive as a memory dump file (*.DMP format).

Volatile memory, or RAM, is used to store data currently used by a running process, whether it is a user application or a system service. This type of memory is much quicker than a regular hard drive, but unlike files permanently stored on a drive (unless deleted), data in RAM may disappear instantly. At the same time, it may store data crucial for your case, including passwords in raw format without encryption or encoding, decrypted data otherwise kept encrypted on a drive, decryption keys for various services, apps and WDE (whole-disk encryption), remote session data, chats in social networks, malware code, cryptocurrency transactions, various system info such as loaded registry branches (hives), and so on. This is why it is generally accepted that capturing RAM contents must be one of the first steps in seizing a running computer or laptop.
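Once a capture like the ones produced below exists, the simplest first-pass analysis is to pull printable strings out of it and look for indicators. Here is an added example for this manual (not Dump-IT's, FTK Imager's or Volatility's code) that does this over a constructed RAM capture. It extracts both ASCII runs and UTF-16LE runs, because Windows stores most user-visible text (typed URLs, window titles, registry values) as UTF-16LE and a plain ASCII `strings` pass misses it, then matches URL, e-mail and IPv4 patterns over what it recovered. The sample dump, the `example.com` names and the `203.0.113.5` address (a reserved documentation range) are all constructed.

```python
import re


def extract_strings(dump, min_len=6):
    """Return sorted (offset, encoding, text) tuples found in a memory image.

    ASCII runs are printable bytes 0x20-0x7e; UTF-16LE runs are printable
    bytes each followed by 0x00, which is how Windows holds most text in RAM.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = []
    for m in ascii_re.finditer(dump):
        out.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(dump):
        out.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(out)


# Indicator patterns a first-pass triage looks for in the recovered strings.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"<>]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def triage(dump, min_len=6):
    """Run every IOC pattern over every recovered string; return sorted unique hits."""
    hits = {name: set() for name in IOC_PATTERNS}
    for _offset, _enc, text in extract_strings(dump, min_len):
        for name, pattern in IOC_PATTERNS.items():
            hits[name].update(pattern.findall(text))
    return {name: sorted(values) for name, values in hits.items()}


def build_sample_dump():
    """Constructed stand-in for a RAM capture: zero pages with fragments planted.

    203.0.113.5 and example.com are reserved documentation names, not real hosts.
    """
    page = b"\x00" * 4096
    http_fragment = b"GET /index.html HTTP/1.1\r\nHost: 203.0.113.5\r\n"         # ASCII
    url_fragment = "https://example.com/login?user=alice".encode("utf-16le")  # Windows text
    too_short = b"abc"                                                          # below min_len
    mail_fragment = "contact: alice@example.com".encode("utf-16le")
    return page + http_fragment + page + url_fragment + too_short + page + mail_fragment + page


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, enc, text in extract_strings(dump):
        print(f"{offset:#010x} {enc:9s} {text}")
    print(triage(dump))
```

Run against a real `.raw` or `.mem` capture, read the file in binary and pass the bytes to `triage`; the offsets it reports are what you would then hand to Volatility to find the owning process. The `too_short` fragment illustrates why a minimum length is applied: without it, random bytes produce thousands of false hits.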

There are various tools that can be used for memory dumps. Some of them are:

1. FTK Imager

2. Dump-IT

3. Belkasoft Live RAM Capturer

In this practical we will be using FTK Imager and Dump-IT for creating a RAM dump.

1. Download and install FTK Imager

FTK Imager should be downloaded from the official website given below:
https://www.exterro.com/ftk-imager

2. Download and install Dump-IT

Dump-IT should be downloaded from the official website given below:
https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/


Creating RAM dump using Dump-IT


Step 1: Open Dump-IT

Step 2: Browse the folder to which we want to save the memory dump.

Step 3: Create a File name and click on “Save”.


Step 4: Dump-IT will now start to capture the memory.

Step 5: After completion the RAW (.raw) file will be saved.


Creating RAM Dump using FTK Imager


Step 1: Open FTK Imager.

Step 2: Go to the File menu.

Step 3: Click on "Capture Memory".


Step 4: After clicking "Capture Memory", select the destination path and click "Capture Memory".

Step 5: FTK Imager will now capture the memory and save it to the destination folder.


Step 6: Once the process is finished, you can close the window and start analysing the
memory file.

Conclusion: A RAM dump captures volatile memory, revealing active processes, network
connections, and transient data. Using Dump-IT ensures an efficient and reliable process,
preserving evidence for analysis without disrupting the live system.
