Laboratory Manual for

Digital Forensic (3170725)

B.E. Semester 7, Computer Engineering

L. D. College of Engineering
Ahmedabad

Name Enrollment Number


Aa. Bb. Ccc 111111111111
Certificate

This is to certify that Mr./Ms.


Enrollment No. of B.E. Semester Computer
Engineering of this Institute (GTU Code: ) has satisfactorily completed the
Practical / Tutorial work for the subject for the
academic year 202 -2 .

Place:

Date:

Name and Sign of Faculty member

Head of the Department


Preface
With the rapid growth of Internet users across the globe, the rate of cybercrime is also
increasing. Internet applications have become an essential part of every discipline, each with
its own domain-specific applications. The basic objective of this course is to make engineering
graduates aware of cybercrimes and their modus operandi so that they can analyze an attack.

By using this lab manual, students can go through the relevant theory and procedure in advance
of the actual performance, which creates interest and gives them a basic idea before they
perform the experiment. This in turn enhances the pre-determined outcomes. Each experiment in
this manual begins with the competency, relevant skills, course outcomes and practical outcomes
(objectives). The students will also learn the safety measures and necessary precautions to be
taken while performing the practical.

This manual also provides guidelines to faculty members to facilitate student-centric lab
activities through each experiment, by arranging and managing the necessary resources so that
students follow the procedures with the required safety and necessary precautions to achieve
the outcomes. It also gives an idea of how students will be assessed by providing rubrics.
Industry Relevant Skills
The following industry-relevant competencies are expected to be developed in the student by
undertaking the practical work of this laboratory.
1. Investigation and analysis skills: the ability to investigate and analyze digital devices
and systems, including computers, mobile devices, and networks, and to extract and analyze
data from them to identify evidence of cybercrime.
2. Evidence handling and preservation skills: how to handle and preserve digital evidence in
a way that is admissible in court, including chain of custody, evidence storage, and
documentation.
3. Technical skills: computer and network security fundamentals, including operating systems,
file systems, and network protocols, as well as encryption, steganography, and other
techniques used to hide information.
4. Legal and regulatory knowledge: relevant laws and regulations related to cybercrime, such
as the IT Act 2000, together with legal procedures, courtroom procedures, and other aspects of
the legal system.
5. Communication and reporting skills: communicating complex technical information to
non-technical stakeholders such as lawyers, judges, and juries, and writing clear, concise
reports that summarize findings and conclusions.
6. Critical thinking and problem-solving skills: complex problem-solving scenarios that
require students to think critically and apply their knowledge and skills to real-world
situations.
Guidelines for Faculty members
1. The teacher should provide guidelines and a demonstration of the practical to the
students, covering all its features.
2. The teacher shall explain the basic concepts/theory related to the experiment to the
students before starting each practical.
3. Involve all the students in the performance of each experiment.
4. The teacher is expected to share the skills and competencies to be developed in the
students and ensure that those skills and competencies are actually developed after the
completion of the experimentation.
5. Teachers should give students the opportunity for hands-on experience after the
demonstration.
6. The teacher may provide additional knowledge and skills that are not covered in the
manual but are expected from the students by the concerned industry.
7. Give practical assignments and assess the performance of students on the assigned task
to check whether it was carried out as per the instructions.
8. The teacher is expected to refer to the complete curriculum of the course and follow the
guidelines for implementation.
Instructions for Students
1. Students are expected to listen carefully to all the theory classes delivered by the
faculty members and understand the COs, the content of the course, the teaching and
examination scheme, the skill set to be developed, etc.
2. Students shall organize the work in groups and keep a record of all observations.
3. Students shall develop the maintenance skills expected by industry.
4. Students shall attempt to develop the related hands-on skills and build confidence.
5. Students shall develop the habit of evolving more ideas, innovations, skills, etc. beyond
those included in the scope of the manual.
6. Students shall refer to technical magazines and data books and follow real cyber forensic
cases.
7. Students should develop the habit of submitting the experimentation work as per the
schedule and should be well prepared for it.
Common Safety Instructions
Students are expected to perform each experiment carefully without damaging the lab computer
systems. All the experiments are for learning purposes only; never perform them anywhere else
without proper authorization.
Index
(Progressive Assessment Sheet)

Columns: Sr. No. | Objective(s) of Experiment | Page No. | Date of performance | Date of submission | Assessment Marks | Sign. of Teacher with date | Remarks

0. Write the following:
   1. Vision & Mission of L D College of Engineering, Ahmedabad and Computer Department
   2. Program Outcomes (LDCE)
   3. PSOs and PEOs of Computer Engineering Department (LDCE)
   4. Course outcomes of Digital Forensics
1. Study of packet analyzer tool (Wireshark / Nmap / NetworkMiner)
2. Study of forensic commands of Linux.
3. Make a disk image using an imaging tool.
4. Using hex editor (HxD tool) analyze metadata of a file.
5. Study and perform Microsoft Office file metadata analysis.
6. Image metadata analysis.
7. Study of browser forensics - Collect data of history, cache etc. and prepare report.
8. Using Sysinternals tools for network tracking and process monitoring.
9. Recovering and inspecting deleted files using Autopsy.
10. Acquisition of cell phones and mobile devices.
11. Study any one digital forensic collection and analysis tool used in analysis of digital evidence (e.g., COFEE, Magnet capture tool, RAM capture tool, NFI Defraser, Toolsley, Volatility).
12. For a crime that occurred in recent times (example: online fraud), prepare a report containing:
   ● Name of the crime, which year, victim and attacker name
   ● List of digital devices available for forensics
   ● List of tools (that can be used for investigation) along with a short description of their utility

Total
Note: Following content is for reference. It can be taken as per the applicability in the
given list of practical.
Practical-1
AIM: Study of packet analyzer tool.
Wireshark: Packet Analyzer Tool

Wireshark is the world's foremost and most widely used network protocol analyzer. It lets you
see what is happening on your network at a microscopic level and is the de facto (and often
de jure) standard across many commercial and non-profit enterprises, government agencies, and
educational institutions. Wireshark development thrives thanks to the volunteer contributions
of networking experts around the globe and is the continuation of a project started by Gerald
Combs in 1998.

Wireshark has a rich feature set which includes the following:

● Deep inspection of hundreds of protocols, with more being added all the time
● Live capture and offline analysis
● Standard three-pane packet browser
● Multi-platform: runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
● Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
● The most powerful display filters in the industry
● Rich VoIP analysis
● Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult
DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer®
(compressed and uncompressed), Sniffer® Pro, NetXray®, and many others
● Capture files compressed with gzip can be decompressed on the fly
● Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token
Ring, Frame Relay, FDDI, and others (depending on your platform)
● Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3,
SSL/TLS, WEP, and WPA/WPA2 (decryption requires the session keys or pre-shared key to be
supplied; Wireshark does not break the cipher)
● Coloring rules can be applied to the packet list for quick, intuitive analysis
● Output can be exported to XML, PostScript®, CSV, or plain text

Installation Steps:

Step 1: Download the Wireshark installer from https://www.wireshark.org/#download by
clicking on the link as shown in the image.

Step 2: After the file is downloaded, double-click on the file to open it.

Step 3: Select Next to start the Setup Wizard.


Step 4: Review the license agreement. If you agree, select I Agree to continue.
Step 5: Select “Next” to accept the default components.

Step 6: Select the shortcuts you would like to have created. Leave the file extensions selected.
Select Next to continue.
Step 7: Select Next to accept the default install location.

Step 8: Select Next to install WinPcap.


Step 9: If you would like to capture USB traffic, install USBPcap as well.

Step 10: Select Next to start the WinPcap Setup Wizard.


Step 11: Select Install to proceed with the installation of the requisite software, WinPcap.
Please note that a packet-capture driver is mandatory for Wireshark to capture live traffic:
older installers bundle WinPcap, as shown here, while current Wireshark releases for Windows
bundle Npcap instead. Without the driver Wireshark can still open saved capture files but
cannot capture.

Step 12: Review the license agreement. If you agree, select I Agree to continue.
Step 13: Installation of WinPcap should start automatically once you have agreed and selected
Next.

Step 14: Select Finish to complete the installation of WinPcap.

Step 15: Select Next to continue with the installation of Wireshark.

Step 16: Select Finish to complete the installation of Wireshark. Once installed, you can
open Wireshark and start monitoring network traffic.
Capturing Packets using Wireshark:

1. Select Capture | Interfaces (Capture | Options in current versions).

2. Select the interface on which packets need to be captured. This will usually be the
interface where the Packets column is constantly changing, which indicates the presence of
live traffic. If you have multiple network interface cards (i.e. LAN card and Wi-Fi adapter)
you may need to check with your IT administrator to determine the right interface.
3. Click the Start button to start the capture.
4. Recreate the problem. The capture dialog should show the number of packets increasing.
Try to avoid running any other Internet applications while capturing; close other browsers,
instant messengers, etc., so that the trace contains only the traffic of interest.
5. Once the problem to be analyzed has been reproduced, click Stop. It may take a few seconds
for Wireshark to display the captured packets.
6. Save the packet trace in the default format. Click on the File menu and select Save As.
Older Wireshark versions save the trace in libpcap format (a file with a .pcap extension);
current versions default to pcapng (.pcapng), which also records interface and comment
metadata. For a forensic capture, record the hash of the saved file immediately so that any
later modification can be detected.

The image below shows the captured packet's information.

Moving to the Ethernet layer, as shown in the image below, we can see that it is pretty
simple. It contains a destination address, 72:2c:b3:25:33:fc, and a source address,
04:d3:b0:65:16:cf. The data link layer is relatively simple in that it is only concerned
with getting a frame to the next adjacent node on the physical medium.

The IP layer is concerned with moving packets between networks. As shown in the image, the
destination address is 192.168.250.102 and the source address is 47.246.51.224; the remaining
header fields are highlighted.

The transport layer is where applications communicate via the use of ports. As shown in the
image below, the source port is 53328 and the destination port is 80.
TCP Packet
UDP Packet

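The three layers walked through above can be read directly from the saved capture file, which is useful when a trace has to be processed without a GUI or one field must be pulled out of thousands of packets. The following is an added example written for this manual, not Wireshark code. It constructs a one-packet libpcap file in memory using the MAC addresses, IP addresses and ports quoted above (the payload, timestamp and IP identification are made up, and the IP checksum is left at zero) and decodes the Ethernet, IPv4 and TCP/UDP headers the way Wireshark's packet-details pane presents them.

```python
"""Decode a libpcap capture down to the Ethernet / IPv4 / TCP-UDP headers that
Wireshark shows in its packet-details pane.
Added example for this manual, not Wireshark code.  build_sample_pcap() constructs
a one-packet capture in memory using the addresses and ports quoted in the text;
the timestamp, payload and IP identification are made up."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # "d4 c3 b2 a1" on disk: little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14


def build_sample_pcap():
    dst_mac = bytes.fromhex("722cb32533fc")          # from the Ethernet layer above
    src_mac = bytes.fromhex("04d3b06516cf")
    payload = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"   # constructed
    # TCP: sport, dport, seq, ack, (data offset 5 words)<<12 | PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIHHHH", 53328, 80, 1, 1, (5 << 12) | 0x018, 65535, 0, 0) + payload
    # IPv4: ver/IHL, TOS, total length, id, flags/frag (DF), TTL, proto 6=TCP, checksum(0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([47, 246, 51, 224]), bytes([192, 168, 250, 102]))
    frame = dst_mac + src_mac + b"\x08\x00" + ip + tcp       # 0x0800 = IPv4 EtherType
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1700000000, 123456, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(frame, ts):
    """Ethernet -> IPv4 -> TCP/UDP; fields not present at a layer are simply absent."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    info = {"ts": ts, "eth_dst": mac(dst), "eth_src": mac(src), "ethertype": ethertype}
    if ethertype != 0x0800:                       # ARP, IPv6, VLAN ... not decoded here
        return info
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes (options included)
    info["ip_src"] = ".".join(map(str, ip[12:16]))
    info["ip_dst"] = ".".join(map(str, ip[16:20]))
    info["proto"] = ip[9]
    l4 = ip[ihl:]
    if info["proto"] in (6, 17):                  # TCP and UDP both start with sport, dport
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if info["proto"] == 6:
        data_off = (l4[12] >> 4) * 4
        info["tcp_flags"] = l4[13]                # low byte: CWR ECE URG ACK PSH RST SYN FIN
        info["payload"] = l4[data_off:]
    elif info["proto"] == 17:
        info["payload"] = l4[8:]
    return info


def parse_pcap(data):
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file (pcapng starts with 0a 0d 0d 0a)")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} not handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        packets.append(decode_frame(data[off:off + incl_len], ts_sec + ts_usec / 1e6))
        off += incl_len
    return packets


if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(p["eth_src"], "->", p["eth_dst"], "|", p["ip_src"], "->", p["ip_dst"],
              "| ports", p.get("sport"), "->", p.get("dport"))
```

To run it on a real trace, pass open("capture.pcap", "rb").read() to parse_pcap; a .pcapng file saved by a current Wireshark is a different container and is rejected by the magic check rather than misparsed.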
References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-2
AIM: Study of forensic commands of Linux.
1. history: the history command without options displays the list of commands used since
the start of the terminal session (on bash it is read from ~/.bash_history plus the current
session; the user can edit or delete that file, so treat it as an indicator, not proof).
● Syntax: $ history

Parameter | Description
history | less | View the history one page at a time. Use the spacebar to move one page at a time or the down arrow to view one line at a time.
history | tail | View just the last ten commands.
history n (where n = any number, e.g. 15) | View the last n commands.
Ctrl+R | Opens a reverse search. Begin typing a command and it is completed with the most recent match. If it is not the one you need, type a few more letters until you find the command you wanted. Press Return to run it or the right arrow key to edit it.
● Example:
2. find: the find command in UNIX is a command-line utility for walking a file hierarchy. It
can be used to find files and directories and perform subsequent operations on them. It
supports searching by file, folder, name, modification/access/status-change time, size, owner,
and permissions.
● Syntax:
$ find [where to start searching from] [expression determining what to find] [-options]
[what to find]

(.) : the current directory

(/) : the root directory

Options | Description
-exec | Execute another UNIX command on each file or folder found, e.g. -exec ls -l {} \;
-name demo | Search for files whose name matches 'demo' (shell-style wildcards are allowed if quoted).
-newer file | Search for files whose data was modified more recently than 'file' (modification time only; -cnewer compares the inode change time).
-print | Display the path name of the files matching the rest of the criteria.
-empty | Search for empty files and directories.
-user name | Search for files owned by the user name or ID 'name'.
\( expr \) | True if 'expr' is true; used for grouping criteria combined with -o (OR) or -a (AND).

● Example:

3. last: the last command in Linux displays the list of all the users logged in and out since
the file /var/log/wtmp was created. One or more usernames can be given as arguments to
display their login (and logout) times and host names. wtmp is an ordinary binary file that
root can edit or truncate, so corroborate it with the authentication logs.
● Syntax: $ last [options] [username..] [tty...]

Options | Description
-[number] | Specify the number of lines to display.
-R | Hide the host-name field.
-F | Display the login and logout times including the dates.
-a | Display the host name in the last column.
-d | Translate the IP address back into its host name.
-w | Display full user and domain names.
--help | Display help for all options of the last command.
● Example:
4. lastlog: reports the most recent login of all users or of a given user. It formats and
prints the contents of the last login log, /var/log/lastlog. The login name, port, and last
login time are printed. By default (no flags) all lastlog entries are printed, sorted by
their order in /etc/passwd.
● Syntax: $ lastlog [options]

Options | Description
-b, --before DAYS | Print only lastlog records older than DAYS.
-h, --help | Display help message and exit.
-t, --time DAYS | Print only lastlog records more recent than DAYS.
-u, --user LOGIN | Print the lastlog record for the user with the specified LOGIN only.
● Example:

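last and lastlog only format two binary files, /var/log/wtmp and /var/log/lastlog. On a disk image, or when the live binaries cannot be trusted, the records are read directly. The following is an added example written for this manual, not the util-linux or shadow source. It uses the glibc x86_64 record layouts (struct utmp is 384 bytes; struct lastlog is 292 bytes and indexed by UID), constructs a few sample records in memory, and reproduces the login/logout pairing that last performs. To use it on real files, pass the bytes of /var/log/wtmp to parse_wtmp and of /var/log/lastlog to parse_lastlog.

```python
"""Read the binary login records behind `last` (/var/log/wtmp) and `lastlog`
(/var/log/lastlog) directly, which is what you do when the command output is
not trusted or the files come from a disk image.
Added example for this manual, not the util-linux/shadow source.  Record layouts
are the glibc x86_64 ones (struct utmp = 384 bytes, struct lastlog = 292 bytes);
the sample records are constructed in memory."""
import struct
from datetime import datetime, timezone

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit(2), ut_session,
# ut_tv.tv_sec, ut_tv.tv_usec, ut_addr_v6[4], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_LEN = struct.calcsize(UTMP_FMT)            # 384
LASTLOG_FMT = "<i32s256s"                       # ll_time, ll_line, ll_host; slot index = UID
LASTLOG_LEN = struct.calcsize(LASTLOG_FMT)      # 292
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def cstr(b):
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    recs = []
    for off in range(0, len(data) - UTMP_LEN + 1, UTMP_LEN):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_LEN])
        recs.append({"type": f[0], "pid": f[1], "line": cstr(f[2]),
                     "user": cstr(f[4]), "host": cstr(f[5]), "time": f[9]})
    return recs


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty, as `last` does.
    A BOOT_TIME record closes every still-open session at the boot time, marked 'crash'."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["line"], s["host"], s["time"], r["time"], "logout"))
        elif r["type"] == BOOT_TIME:
            for s in open_by_line.values():
                out.append((s["user"], s["line"], s["host"], s["time"], r["time"], "crash"))
            open_by_line.clear()
    for s in open_by_line.values():
        out.append((s["user"], s["line"], s["host"], s["time"], None, "still logged in"))
    return out


def parse_lastlog(data):
    """uid -> (time, line, host) for every user who has ever logged in."""
    out = {}
    for uid, off in enumerate(range(0, len(data) - LASTLOG_LEN + 1, LASTLOG_LEN)):
        t, line, host = struct.unpack(LASTLOG_FMT, data[off:off + LASTLOG_LEN])
        if t:                                   # all-zero slot: this UID never logged in
            out[uid] = (t, cstr(line), cstr(host))
    return out


def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# --- constructed sample data -------------------------------------------------
def utmp_record(ut_type, pid, line, user, host, tv_sec):
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

SAMPLE_WTMP = b"".join([
    utmp_record(USER_PROCESS, 1201, "pts/0", "alice", "192.168.250.102", 1700000000),
    utmp_record(USER_PROCESS, 1340, "pts/1", "bob", "10.0.0.5", 1700000300),
    utmp_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1700003600),
])
SAMPLE_LASTLOG = (struct.pack(LASTLOG_FMT, 0, b"", b"") +                           # uid 0: never
                  struct.pack(LASTLOG_FMT, 1700003600, b"pts/0", b"192.168.250.102"))  # uid 1

if __name__ == "__main__":
    for user, line, host, start, end, why in sessions(parse_wtmp(SAMPLE_WTMP)):
        print(f"{user:8} {line:8} {host:16} {fmt(start)} - {fmt(end) if end else why}")
```

Record sizes differ on 32-bit and some non-glibc systems, so check that the file length is an exact multiple of struct.calcsize(UTMP_FMT) before trusting the output; a remainder means a different layout or a truncated file.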
5. file: determines the file type. file tests each argument in an attempt to classify it.
There are three sets of tests, performed in this order: filesystem tests, magic-number tests,
and language tests. The first test that succeeds causes the file type to be printed. Because
the decision rests on content rather than on the file name, file is the quick way to spot an
executable renamed to .jpg or a document with a misleading extension.

● filesystem test: based on the result returned from a stat system call. The program checks
whether the file is empty or some sort of special file (directory, device, socket, symlink).
● magic test: checks for files with data in particular fixed formats by matching the magic
numbers listed in the magic database (compiled to magic.mgc, /usr/share/misc/magic.mgc by
default).
● language test: searches for particular strings which can appear anywhere in the first few
blocks of a file, to classify text files (C source, shell script, ...).

● Syntax:

▪ $ file [option] [filename]

▪ $ file [ -bchikLnNprsvz ] [ -f namefile ] [ -F separator ] [ -m magicfiles ] file ...

▪ $ file -C [ -m magicfile ]

Options | Description
-b, --brief | Do not prepend file names to output lines (brief mode).
-c, --checking-printout | Print a checking printout of the parsed form of the magic file. Usually used in conjunction with -m to debug a new magic file before installing it.
-C, --compile | Write a magic.mgc output file that contains a pre-parsed version of the magic file.
-f, --files-from namefile | Read the names of the files to be examined from namefile (one per line) before the argument list. Either namefile or at least one filename argument must be present; to test the standard input, use '-' as a filename argument.
-F, --separator separator | Use the specified string as the separator between the file name and the result. Defaults to ':'.
-k, --keep-going | Do not stop at the first match; keep going.
-m, --magic-file list | Specify an alternate list of files containing magic numbers. This can be a single file or a colon-separated list of files. If a compiled magic file is found alongside, it is used instead. With the -i or --mime option, the program adds ".mime" to each file name.
-i, --mime | Output MIME type strings rather than the traditional human-readable ones, e.g. 'text/plain; charset=us-ascii' instead of 'ASCII text'.
--help | Print a help message and exit.
● Example:

6. fsck: check and repair a Linux file system. fsck is used to check and optionally repair
one or more Linux file systems. filesys can be a device name (e.g. /dev/hdc1, /dev/sdb2), a
mount point (e.g. /, /usr, /home), or an ext2 label or UUID specifier (e.g.
UUID=8868abf6-88c5-4a83-98b8-bfc24057f7bd or LABEL=root). Normally, fsck will try to handle
filesystems on different physical disk drives in parallel to reduce the total amount of time
needed to check all of them. Forensic caveat: any repair writes to the filesystem and destroys
evidence (journal entries, orphaned inodes, remnants of deleted files). Never run fsck on
original evidence; run it, if at all, on a working copy of the image, or use -N to see what
would be done without doing it.
● Syntax:

▪ $ fsck <options> <filesystem>

▪ $ fsck [-sAVRTMNP] [-C [fd]] [-t fstype] [filesys...] [--] [fs-specific-options]

Options | Description
-a | Try to repair filesystem errors automatically. There will be no prompts, so use it with caution.
-A | Check all filesystems listed in /etc/fstab.
-C | Show progress for ext2/ext3/ext4 filesystems.
-f | Force fsck to check a filesystem even when it appears to be clean (passed through to the filesystem-specific checker).
-l | Lock the device to prevent other programs from using the partition during the scan and repair.
-N | Do not execute; just show what would be done.
-P | With -A, check the root filesystem in parallel with the others. It can cause issues depending on your setup; use with caution.
-R | With -A, skip the root filesystem.
-r | Print device statistics.
-t | Specify which filesystem type(s) to check.
-y | Answer "yes" to every repair prompt (passed through to the filesystem-specific checker), so all errors found are repaired automatically.
● Example:

7. stat: display file or file system status. stat is a Linux command-line utility that
displays detailed information about a file or a file system. It reports the file type,
access rights in octal and human-readable form, the SELinux security context string, and the
access, modification, status-change and (where the filesystem records it) birth times, both
human-readable and in seconds since the Epoch, and much more. These MAC timestamps are the
basis of a timeline; note that merely opening a file can update its access time, which is
why evidence is examined from a read-only mount or an image rather than the live disk.
● Syntax: $ stat [options] filenames

Options | Description
-f, --file-system | Display file system status instead of file status.
-L, --dereference | Follow symbolic links (by default stat reports on the link itself).
-c, --format=FORMAT | Use the specified FORMAT instead of the default; output a newline after each use of FORMAT.
--printf=FORMAT | Like --format, but interpret backslash escapes and do not output a mandatory trailing newline; if you want a newline, include \n in FORMAT.
-t, --terse | Print the information in terse form.
● Example:

8. lsof: stands for "list open files". It provides a list of the files that are currently
open and of the process that has each one open; in one go it lists all open files on the
console. It lists not only ordinary regular files but also directories, block special files,
shared libraries, character special files, pipes, named pipes, Internet sockets, UNIX domain
sockets and many others. Combined with grep it can be used for advanced searching and
listing; it is also the quickest way to spot a process holding a deleted file open (shown
with "(deleted)") or a network connection that is not attributed to any process elsewhere.
● Syntax: $ lsof [options] [names]

Options | Description
-u user | There are several users on a system and each uses different files and devices. Lists the files opened by the specified user.
-c name | Lists all the files opened by processes whose command name begins with 'name'.
-p PID | Each open file belongs to some process ID, and a process may have many files open. lsof -p PID lists the files opened by that process.
-R | Adds the parent process ID (PPID) column to the output, so that a child process can be traced back to its parent.
+D directory | Lists the files open under the given directory, searching it recursively (+d lists only the directory's top level). Note the plus sign: -D controls lsof's device cache file, not directory searching.
-i | Lists Internet sockets, e.g. lsof -i :80 for everything bound to port 80.
● Example:
References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-3
AIM: Make a disk image using an imaging tool.

⮚ Creating a good backup of your computer system involves backing up not only your data but
also all Windows and system files while they are in a working and stable state. When a hard
drive crashes or the operating system becomes corrupt, it is preferable to be able to restore
not only your data quickly, but the entire OS with all of your user settings, bookmarks,
installed drivers, installed applications, and more.
⮚ A good way to have both taken care of at once is to create an image of your hard drive. By
creating an image, your entire system state, including the OS and data files, is captured
like a snapshot and can be reloaded at any time. It is the best way to protect your data and
the fastest solution too.
⮚ In forensics the same bit-for-bit copy serves a different purpose: the original drive is
preserved untouched (behind a write blocker) and all analysis is done on the verified image,
so that the evidence presented in court is demonstrably what was seized.

What Is FTK Imager?

⮚ FTK Imager is a free tool for creating disk images. It was developed by AccessData (now
part of Exterro). It can preview data and create images of physical drives, logical drives,
folders and memory.

Step 1: Download and install FTK Imager on your machine.

Step 2: Open FTK Imager once it is installed. You should be greeted with the FTK Imager
dashboard.
Now, to create a disk image, click on File > Create Disk Image.
Now you can choose the source type based on the drive you have. It can be a physical or a
logical drive depending on your evidence.
A Physical Drive is the whole storage device: the entire disk, including the partition table,
every partition and the unallocated space between and after them. Imaging it captures
everything on the media.
A Logical Drive is a single volume or partition (for example C:) created on a physical disk;
it has its own file system and operates independently of the other partitions, but imaging
it misses anything outside that partition.
Now choose the source drive that you want to create an image copy of.

Add the destination path of the image that is going to be created. From the forensic
perspective it should be written to a separate, clean hard drive, and multiple copies of the
image should be made to prevent loss of evidence; the original is never written to.
Select the format of the image that you want to create. The different formats for creating
the image are:
1. Raw (dd): a bit-by-bit copy of the original evidence, created without any additions or
deletions. It contains no metadata, so the hashes and case notes must be kept separately
(FTK Imager records them in a text file written next to the image).
2. SMART: an image format used by the Linux-based SMART tool, not popularly used anymore.
3. E01: stands for EnCase Evidence File, which is a commonly used format for imaging and is
similar to
4. AFF: stands for Advanced Forensic Format, an open-source format type.
Now, add the details of the image (case number, evidence number, examiner, notes) to proceed.
Now finally add the destination of the image file, name the image file and then click on
Finish.

Once you have added the destination path, you can start the imaging, and also tick the
verify option to generate a hash.
Now wait a few minutes for the image to be created.
After the image is created, a hash result is generated which reports the MD5 hash and the
SHA1 hash of both the source and the image (they must match) and the presence of any bad
sectors. Record these hashes in the chain-of-custody documentation; re-hashing the image
later and comparing is how its integrity is proved.
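The Raw (dd) option above, including the verification hash and the bad-sector report, comes down to reading the source sector by sector, hashing what is written, and re-hashing the result. The following is an added example written for this manual, not FTK Imager's code. It images a constructed temporary file that stands in for a device, injects one unreadable sector to show the zero-fill behaviour, and verifies the image; the file names, sector contents and the failing sector number are assumptions made for the demonstration.

```python
"""Raw (dd-style) imaging with MD5/SHA-1 hashing and post-write verification,
i.e. what FTK Imager's "Raw(dd)" option plus "Verify images after they are created"
does.  Added example for this manual, not FTK Imager's code.  The 'device' is a
constructed temporary file so the script runs anywhere; on real evidence you would
open the block device (e.g. /dev/sdb) read-only behind a write blocker, and the
injected read failure below stands in for a bad sector."""
import hashlib
import os
import tempfile

SECTOR = 512


def image_device(src_path, dst_path, bad_sectors=()):
    """Copy src to dst sector by sector.  An unreadable sector is zero-filled and
    logged instead of aborting (dd's conv=noerror,sync behaviour), so the image
    keeps its offsets.  Returns the hashes of the bytes actually written."""
    nsectors = (os.path.getsize(src_path) + SECTOR - 1) // SECTOR
    md5, sha1, bad = hashlib.md5(), hashlib.sha1(), []
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for n in range(nsectors):
            try:
                if n in bad_sectors:                  # constructed fault injection
                    raise OSError(f"I/O error reading sector {n}")
                src.seek(n * SECTOR)
                chunk = src.read(SECTOR)
            except OSError:
                chunk = b"\0" * SECTOR
                bad.append(n)
            dst.write(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sectors": nsectors, "bad_sectors": bad}


def hash_file(path):
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(dst_path, expected):
    """Re-read the image from disk and compare both digests with those computed while writing."""
    got = hash_file(dst_path)
    return got["md5"] == expected["md5"] and got["sha1"] == expected["sha1"]


def demo():
    """Image a constructed 4-sector 'device' whose sector 2 is unreadable."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.bin")
    dst = os.path.join(tmp, "evidence.dd")
    with open(src, "wb") as f:
        f.write(b"".join(bytes([0x41 + i]) * SECTOR for i in range(4)))   # AAAA.. BBBB.. CCCC.. DDDD..
    result = image_device(src, dst, bad_sectors={2})
    return {"image": result, "verified": verify_image(dst, result),
            "source": hash_file(src), "image_size": os.path.getsize(dst)}


if __name__ == "__main__":
    d = demo()
    print("sectors:", d["image"]["sectors"], "bad:", d["image"]["bad_sectors"])
    print("image  MD5:", d["image"]["md5"], "verified:", d["verified"])
    print("source MD5:", d["source"]["md5"], "(differs because sector 2 was zero-filled)")
```

On a real device the source and image hashes match only when every sector was readable; the bad-sector list is therefore part of the evidence record, and a mismatch with no bad sectors means the image is not trustworthy.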
References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-4
AIM: Using hex editor analyze metadata of a file.

❖ HxD tool

✔ HxD is a carefully designed and fast hex editor which, in addition to raw disk editing
and modifying of main memory (RAM), handles files of any size.
✔ The easy-to-use interface offers features such as searching and replacing, exporting,
checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting
of files, statistics and much more.
✔ Editing works like in a text editor with a focus on simple and task-oriented operation;
as such, functions were streamlined to hide differences that are purely technical.
✔ For example, drives and memory are presented similar to a file and are shown as a whole,
in contrast to a sector/region-limited view that cuts off data which potentially belongs
together. Drives and memory can be edited the same way as a regular file, including support
for undo. In addition, memory sections define a foldable region and inaccessible sections
are hidden by default.
✔ Furthermore, a lot of effort was put into making operations fast and efficient, instead
of forcing you to use specialized functions for technical reasons or arbitrarily limiting
file sizes. This includes a responsive interface and progress indicators for lengthy
operations.
✔ For forensic use, open evidence files and disks with HxD's read-only option so that an
accidental keystroke cannot alter them, and work on a copy whose hash has been recorded.

❖ Features:
● Available as a portable and installable edition
● RAM editor
▪ To edit the main memory
▪ Memory sections are tagged with data-folds
● Disk editor (hard disks, floppy disks, ZIP disks, USB flash drives, CDs, ...)
▪ RAW reading and writing of disks and drives
▪ for Win9x, WinNT and higher
● Instant opening regardless of file size
▪ Up to 8 EB; opening and editing is very fast
● Liberal but safe file sharing with other programs
● Flexible and fast searching/replacing for several data types
▪ Data types: text (including Unicode), hex values, integers and floats
▪ Search direction: forward, backward, all (starting from the beginning)
● File compare (simple)
● View data in ANSI, DOS, EBCDIC and Macintosh character sets
● Checksum generator: checksum, CRCs, custom CRC, SHA-1, SHA-512, MD5, ...
● Exporting of data to several formats
▪ Source code (Pascal, C, Java, C#, VB.NET)
▪ Formatted output (plain text, HTML, Richtext, TeX)
▪ Hex files (Intel HEX, Motorola S-record)
● Insertion of byte patterns
❖ Installation Steps:

Step 1: Go to https://mh-nexus.de/en/hxd/, scroll down and click on the download page.
Select the English language and click the link to download the zip file.

Step 2: Go to the folder where you downloaded the zip file and unzip it.
Step 3: Click on the executable and explore its functionality.

❖ Functionalities:

In HxD we can open any disk, the RAM (main memory), or a file. The left column shows the
offset of each row, the middle column the bytes in hexadecimal and the right column the same
bytes as characters. This is where file signatures (magic numbers such as 89 50 4E 47 for
PNG, FF D8 FF for JPEG or 4D 5A for Windows executables) and embedded metadata strings become
visible regardless of the file's extension, which is the metadata analysis this practical
is about.

Having opened a file in HxD we can easily search, replace and insert bytes and view the
statistics of that file.
Insertion of bytes:

Searching:
Replacing:
References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-5
AIM: Study and perform Microsoft office file metadata analysis.

⮚ Microsoft Word is currently the word-processing software of choice for most individuals
and companies. Many users are under the mistaken belief that the final version of the
"visible" Word document is the only substantive content contained in the saved file.

⮚ Beyond the visible document, and hidden in Word files, is data known as "metadata".
Metadata can include the revision history, authors, and "track changes", which reveal the
evolution of a document and the various edits that led to the final Word file. In a .docx it
lives in the docProps/core.xml and docProps/app.xml parts of the ZIP container (comments in
word/comments.xml, tracked changes as w:ins/w:del elements in word/document.xml); in a legacy
.doc it is in the SummaryInformation and DocumentSummaryInformation streams of the OLE
compound file. According to Microsoft, metadata found in Word files can include:

• Your name
• Your initials
• Your company or organization name
• The name of your computer
• The name of the network server or hard disk where you saved the document
• Other file properties and summary information
• Non-visible portions of embedded OLE objects
• Document revisions
• Document versions
• Template information
• Hidden text
• Comments

View Document Properties:

1. Open a Word document.


2. Click the File tab.
3. Click “Info” and then click “Show all Properties” to view the metadata entries for the file.
Use Document Inspector

1. Open a Word document and then click the "File" tab and look under "Info."
2. Select "Check for Issues" and then click on "Inspect Document" to launch the
Document Inspector.
3. Tick the check boxes to select the types of metadata the Document Inspector scans
for and then click "Inspect." Microsoft Word will display the results of the inspection and
offer a "Remove All" button for each category. That removal is irreversible and is also what
a suspect may have used to sanitize a document, so when examining evidence only inspect,
never remove, and work on a copy whose hash was recorded first.
References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-6
AIM: Image metadata analysis.

⮚ Image metadata is text information pertaining to an image file that is embedded into the
file or contained in a separate file that is associated with it.

⮚ Image metadata includes details relevant to the image itself as well as information about its
production. Some metadata is generated automatically by the the device capturing the image.
Additional metadata may be added manually and edited through dedicated software or
general image editing software such as GIMP or Adobe Photoshop. Metadata can also be
added directly on some digital cameras.

✔ Technical metadata is mostly automatically generated by the camera. It includes camera
details and settings such as aperture, shutter speed, ISO number, focal depth, dots per inch
(DPI). Other automatically generated metadata include the camera brand and model, the date
and time when the image was created and the GPS location where it was created.

✔ Descriptive metadata is mostly added manually through imaging software by the
photographer or someone managing the image. It includes the name of the image creator,
keywords related to the image, captions, titles and comments, among many other
possibilities. Effective descriptive metadata is what makes images more easily searchable.

✔ Administrative metadata is mostly added manually. It includes usage and licensing rights,
restrictions on reuse, contact information for the owner of the image.

⮚ Several standardized formats of metadata exist, including: Information Interchange Model
(IPTC), Extensible Metadata Platform (XMP), Exchangeable Image File (Exif), Dublin Core
Metadata Initiative (DCMI) and Picture Licensing Universal System (PLUS).
Example of image metadata analysis:
Adobe Photoshop is a commercial application that includes an XMP viewer. In Photoshop CS5,
it is under File → File Info. While not as powerful or as complete as Exiv2 and ExifTool,
Adobe's viewer does provide the ability to decode XMP, IPTC, Exif, and other types of metadata
in a graphical interface.

⮚ You can add metadata to any document in Illustrator®, Photoshop® or InDesign by
choosing File > File Info.
⮚ Here, title, description, keywords, and copyright information have been inserted.
⮚ You can view the metadata in InDesign by selecting an image and choosing File Info from
the Info panel menu. Or you can use the metadata by choosing Object > Captions >
Caption Setup (as shown).
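Graphical viewers such as Photoshop's File Info hide how the data is actually laid out in the file. The Python example below is added here and is not part of this manual or of Exiv2/ExifTool; it shows the structure those tools decode for the Exif format named above. It walks the JPEG marker segments to the APP1 segment that starts with "Exif\0\0", reads the TIFF header to learn the byte order, and decodes the entries of the first image file directory (IFD0), where the camera make, model, orientation and date/time live. The JPEG is constructed in memory and every camera value in it is made up.

```python
import struct
from typing import Optional

# A few IFD0 tags of interest; the full Exif tag table is much longer.
EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation",
             0x0132: "DateTime", 0x8769: "ExifIFDPointer", 0x8825: "GPSInfoIFDPointer"}


def build_sample_jpeg() -> bytes:
    """Constructed JPEG: SOI, one APP1 Exif segment (little-endian TIFF, IFD0 with four
    entries), then EOI. No picture data follows because only the metadata matters here."""
    tiff_header = b"II*\x00" + struct.pack("<I", 8)          # "II" = little-endian, IFD0 at 8
    ascii_tags = [(0x010F, b"ExampleCam\x00"), (0x0110, b"Model X-1\x00"),
                  (0x0132, b"2023:02:02 17:40:00\x00")]        # made-up values, NUL-terminated
    count = len(ascii_tags) + 1                               # + Orientation, stored inline
    data_start = 8 + 2 + count * 12 + 4                       # first byte after IFD0
    entries, blob = [], b""
    for tag, value in ascii_tags:                             # type 2 = ASCII, value at offset
        entries.append(struct.pack("<HHII", tag, 2, len(value), data_start + len(blob)))
        blob += value
    # type 3 = SHORT; a single SHORT fits in the 4-byte value field, so no offset is used
    entries.insert(2, struct.pack("<HHIHH", 0x0112, 3, 1, 1, 0))
    ifd0 = struct.pack("<H", count) + b"".join(entries) + struct.pack("<I", 0)
    payload = b"Exif\x00\x00" + tiff_header + ifd0 + blob
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def find_exif_segment(jpeg: bytes) -> Optional[bytes]:
    """Walk the marker segments after SOI; return the TIFF data of the APP1 Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: metadata segments precede image data
            return None
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None


def parse_ifd0(tiff: bytes) -> dict:
    """Decode the IFD0 entries of a TIFF blob into {tag name: value}."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd_offset = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(e + "H", tiff[ifd_offset:ifd_offset + 2])[0]
    result = {}
    for i in range(count):
        off = ifd_offset + 2 + i * 12
        tag, typ, n = struct.unpack(e + "HHI", tiff[off:off + 8])
        value_field = tiff[off + 8:off + 12]
        name = EXIF_TAGS.get(tag, "Tag_%04X" % tag)
        if typ == 2:                        # ASCII: inline if it fits in 4 bytes, else at offset
            start = struct.unpack(e + "I", value_field)[0] if n > 4 else off + 8
            if start + n > len(tiff):       # offset points past the end: truncated file
                result[name] = None
                continue
            result[name] = tiff[start:start + n].rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 3 and n == 1:           # SHORT, left-justified in the value field
            result[name] = struct.unpack(e + "H", value_field[:2])[0]
        elif typ == 4 and n == 1:           # LONG (also used for sub-IFD pointers)
            result[name] = struct.unpack(e + "I", value_field)[0]
    return result


if __name__ == "__main__":
    print(parse_ifd0(find_exif_segment(build_sample_jpeg())))
```

Only ASCII, SHORT and LONG entries are decoded; RATIONAL values (aperture, exposure) and the GPS sub-IFD are reached by following the pointer tags with the same entry layout, which ExifTool and Exiv2 do for every tag type.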

References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-7
AIM: Study of browser forensics - Collect data of history, cache etc. and
prepare report.

⮚ Web browsers are the most widely used applications on the majority of users' computers.
A Web browser is an application program for accessing the Internet. Users perform many
activities through it, such as browsing the internet, downloading files, using social media
applications and accessing e-mail accounts. If a user uses the Internet illegally as a source
of information, the evidence related to that browser use is saved in the log files of the Web
browser. The Web browser's log files can therefore help to collect information about a
criminal. After considering existing research and tools, this paper suggests a new evidence
collection and analysis methodology and tool for the forensic process.

⮚ Google Chrome is one of the most popular of all the browsers available. It runs on all
platforms and has been developed by Google. A few salient features offered by Chrome:
1) Can be integrated with all Google services
2) Password synchronization between various devices
3) Plugins and extensions availability
4) Incognito mode support

Google Chrome artifacts

⮚ An artifact is a remnant or trace left behind on the computer which helps to identify the
source of malicious traffic and attack conducted onto the system. Few examples include
cache data, History, Downloads etc.

⮚ Chrome stores these artifacts inside specific folders in the operating system. The file
location for every browser is different but the file format remains the same. Following are
the common artifacts stored by Chrome:
1) Navigation History – This reveals navigation history of the user. It can be used to
   track whether a user has visited any malicious URL or not.
2) Autocomplete Data – This reveals data that has been used on various forms and search
   terms etc. It is used with Navigation History for more insight.
3) Bookmarks
4) Add-ons, Extensions and Plugins
5) Cache – Contains cache data from various websites like Images, JavaScript Files etc.
6) Logins
7) Form Data
8) Favicons
9) Session Data
10) Thumbnails
11) Favorites
12) Sensitive data

Collecting data from history:

See your history

1. On your computer, open Chrome.
2. At the top right, click More.
3. Click History and then History.

Browser cache:

Your web browser stores complete or partial copies of the pages you recently viewed together
with the media (images, audio, and video) in a file on your computer called the cache. The
cached files are temporary files that help the internet pages load quicker. That’s why when you
clear your browser cache, you’ll often see that the sites load slower than usual.

How To View Cached Pages And Files

In order to see cached pages and files, you first need to locate them. You can’t always see them
since the folder where they’re stored may be hidden.

Inside the Cache folder you’ll find files with various extensions and random file names. The
difficulty here is that you won’t know exactly what you’re looking at. Most of the names are
random and there’s no way to tell the format of the file or where it came from.

You can either click on every file to open it or decode the cached files using special software or a
browser extension. One of the best options is to use one of the web browser tools by Nirsoft. For
Google Chrome it’s the ChromeCacheView.
After you download the cache viewer, double-click to open the main window. You’ll find the
complete list of files stored in the cache of your browser.
How To View Cookies In Your Browser

Since cookies are responsible for exposing your private details to the web, in most browsers you
can find them in the Privacy section of the Settings.
References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical - 8
Aim: Using Sysinternals tools for Network Tracking and Process
Monitoring

- Check Sysinternals tools
- Monitor Live Processes
- Capture RAM
- Capture TCP/UDP packets
- Monitor Hard Disk
- Monitor Virtual Memory
- Monitor Cache Memory

⮚ Check Sysinternals tools: Windows Sysinternals tools are utilities to manage, diagnose,
troubleshoot, and monitor a Microsoft Windows environment.
The following are the categories of Sysinternals Tools:
1. File and Disk Utilities
2. Networking Utilities
3. Process Utilities
4. Security Utilities
5. System Information Utilities
6. Miscellaneous Utilities

⮚ Monitor Live Processes (Tool: ProcMon)

To Do:
1. Filter (Process Name or PID or Architecture, etc.)
2. Process Tree
3. Process Activity Summary
4. Count Occurrences
Output:
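The Filter, Process Activity Summary and Count Occurrences steps above are done in the ProcMon window, but the same questions are usually answered again later over an export, because a capture is saved as evidence and re-examined off the live machine. The Python example below is added here and is not ProcMon's or this manual's code. It assumes the default column layout of a ProcMon CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the event rows are constructed for the example and describe no real machine.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export
# (File > Save..., Comma-Separated Values). The events are made up.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:01:02.1234567 PM","chrome.exe","4120","ReadFile","C:\\Users\\lab\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History","SUCCESS","Offset: 0, Length: 4,096"
"5:01:02.1334567 PM","chrome.exe","4120","RegQueryValue","HKCU\\Software\\Example\\Setting","SUCCESS","Type: REG_SZ"
"5:01:02.2000000 PM","chrome.exe","4121","ReadFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Offset: 0, Length: 16,384"
"5:01:03.0000000 PM","notepad.exe","7788","CreateFile","C:\\Users\\lab\\Documents\\notes.txt","NAME NOT FOUND","Desired Access: Generic Read"
"5:01:03.0100000 PM","notepad.exe","7788","CreateFile","C:\\Users\\lab\\Documents\\notes.txt","SUCCESS","Desired Access: Generic Write"
"5:01:04.0000000 PM","svchost.exe","1200","TCP Connect","lab-pc:49812 -> 203.0.113.5:443","SUCCESS","Length: 0"
'''


def load_events(csv_text: str) -> list:
    """Parse the export into one dict per event, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_events(events: list, process_name=None, pid=None, operation=None) -> list:
    """Equivalent of ProcMon's Filter dialog for the three most used columns."""
    out = []
    for e in events:
        if process_name and e["Process Name"].lower() != process_name.lower():
            continue
        if pid is not None and e["PID"] != str(pid):
            continue
        if operation and e["Operation"] != operation:
            continue
        out.append(e)
    return out


def count_occurrences(events: list, column: str) -> Counter:
    """ProcMon's Tools > Count Occurrences for one column."""
    return Counter(e[column] for e in events)


def process_activity_summary(events: list) -> dict:
    """Per process: distinct PIDs seen, operation counts and number of failed operations.
    Failures (Result other than SUCCESS) are often the first hint of something worth a look."""
    summary = defaultdict(lambda: {"pids": set(), "operations": Counter(), "failed": 0})
    for e in events:
        s = summary[e["Process Name"]]
        s["pids"].add(e["PID"])
        s["operations"][e["Operation"]] += 1
        if e["Result"] != "SUCCESS":
            s["failed"] += 1
    return dict(summary)


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print(count_occurrences(events, "Operation").most_common())
    for name, s in process_activity_summary(events).items():
        print(name, sorted(s["pids"]), dict(s["operations"]), "failed:", s["failed"])
```

For a real export, read the file with open(path, newline="", encoding="utf-8-sig") and pass its contents to load_events; ProcMon writes a byte-order mark that the utf-8-sig codec strips.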
⮚ Capture RAM (Tool: RAMCapture)

To Do:
1. Click Capture
2. Creates a .mem file of the system memory (RAM) utilized.
Output:

⮚ Capture TCP/UDP packets (Tool: TcpView)

To Do:
1. Save to .txt file.
2. Whois
Output:

⮚ Monitor Hard Disk (Tool: DiskMon)

To Do:
1. Save to .log file.
2. Check operations performed in the disk as per time and sectors affected.
Output:

⮚ Monitor Virtual Memory (Tool: VMMap)

To Do:
1. Options – Show Free & Unusable Regions
2. File -> Select Process, e.g. chrome.exe
3. Save to .mmp file.
Output:

⮚ Monitor Cache Memory (Tool: RAMMap)

To Do:
1. Save to .RMP file.
Output:
References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical – 9
AIM: Recovering and Inspecting deleted files

- Check for Deleted Files


- Recover the Deleted Files
- Analyzing and inspecting the recovered files

Step 1: Start Autopsy from the Desktop.

Step 2: Now click on New Case.

Step 3: Enter the new case information and click on the Next button.

Step 4: Enter the additional information and click on Finish.

Step 5: Now select the source type as Local Disk, select the local disk from the drop-down
list and click on Next.

Step 6: Click on the Next button.

Step 7: Now click on Finish.

Step 8: The Autopsy window will appear and it will analyze the disk that we have selected.

Step 9: All files will appear in the table tab; select any file to see its data.

Step 10: Expand the tree in the left side panel to view the document files.

Step 11: To recover a file, go to the Views node -> Deleted Files node, select any file there,
right-click on it and then select the Extract File(s) option.

Step 12: By default, the Export folder is chosen to save the recovered file.

Step 13: Now click on OK.

Step 14: Now go to the Export folder to view the recovered file.

Step 15: Click on Generate Report in the Autopsy window, select the Excel
format and click on Next.

Step 16: The report is now generated, so click on the Close button. We can see the report under the Reports node.

Step 17: Now open the Reports folder and open the Excel file.
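The Deleted Files node in Step 11 is possible because deleting a file normally only marks its directory entry and clusters as free; the content stays on disk until it is overwritten. When the file-system record is gone too, tools fall back to carving: scanning unallocated space for known file headers and footers. The Python example below is added here and is not Autopsy's code; it constructs a small block of "unallocated space" with two made-up files inside it, carves them out by signature, and records the size and SHA-256 of each recovered object, which is what an examiner writes into the report alongside the extracted file.

```python
import hashlib

# (header, footer) byte signatures; a footer lets the carver bound the object.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: zero fill with two deleted files still
    present. The 'files' only carry valid headers/footers, not real picture data."""
    fake_jpg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
    fake_png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"B" * 17
                + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    return b"\x00" * 512 + fake_jpg + b"\x00" * 300 + fake_png + b"\x00" * 512


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Find every header/footer pair and return the carved objects, ordered by offset.
    A header with no footer within max_size is skipped: the file is fragmented or
    overwritten, which simple signature carving cannot reassemble."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1
                continue
            end += len(footer)
            data = image[start:end]
            found.append({"type": kind, "offset": start, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def write_recovered(found: list, export_dir: str) -> list:
    """Write each carved object to export_dir, named by offset like carvers do; returns paths."""
    import os
    os.makedirs(export_dir, exist_ok=True)
    paths = []
    for f in found:
        path = os.path.join(export_dir, f"{f['offset']:08x}.{f['type']}")
        with open(path, "wb") as fh:
            fh.write(f["data"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f["type"], "at offset", f["offset"], "size", f["size"], "sha256", f["sha256"])
```

Autopsy's own recovery first uses the file-system metadata (which is why the Deleted Files node still shows names and paths) and only then carves unallocated space with its PhotoRec module; the hash recorded for each extracted file is what ties the item in the Excel report to the copy in the Export folder.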
References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical - 10

Aim: Acquisition of Cell phones and Mobile devices.


References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
