Dmf-Lab Manual

The document outlines various procedures for using Sleuth Kit and other tools on Linux to analyze disk images, extract data from call logs, SMS, contacts, and installed applications from Android and iOS devices. It includes steps for installation, data extraction, and generating timelines from the extracted records. Each exercise concludes with a successful execution result.

EX.NO:01 Installation of Sleuth Kit on Linux. List all data blocks. Analyze allocated as well as unallocated blocks of a disk image.
DATE:

AIM:

To install Sleuth Kit on Linux, list all data blocks, and analyze allocated as well as unallocated blocks of a disk image.

Procedure:

Step 1: Install Sleuth Kit using the sudo apt command.

Step 2: Then list all data blocks using the img_stat command.

Step 3: Analyze allocated as well as unallocated blocks of the disk image.

Step 4: Recover the files in the image file.

Recovered Files - tsk_recover

Img offset

Command options:

-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-s start_sector: The sector number to start at
-e stop_sector: The sector number to stop at
-v: verbose output to stderr
-V: Print version

-t: display type only
-i imgtype: The format of the image file (use '-i list' for list of supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-v: verbose output to stderr
-V: Print version
Result:
Thus the installation of Sleuth Kit on Linux, listing all data blocks, and analysis of allocated as well as unallocated blocks of a disk image were executed successfully.

EX.NO:02 Data extraction from call logs using Sleuth Kit
DATE:

AIM:

To extract data from call logs using Sleuth Kit.

Procedure:

Step 1: Open the Autopsy tool and create a new case.

Step 2: Create the case name.

Step 3: Enter the case number, case name, phone, etc.

Step 4: Select the host and the disk image / VM file.

Step 5: Choose the data.dd file as the location.

Step 6: Choose the required modules, like Directories, Files, Application, Unallocated Space, etc.

Step 7: Select Data Artifacts.

Step 7.1: Select Phone to view all phone numbers.

Step 8: Select Save Table as CSV.

Step 9: View the CSV file and view the phone numbers and messages.

Result:
Thus the data extraction from call logs using Sleuth Kit was executed successfully.

EX.NO:03 Data extraction from SMS and contacts using Sleuth Kit
DATE:

AIM:

To extract data from SMS and contacts using Sleuth Kit.

Procedure:

Step 1: Open a terminal and open the Autopsy tool.

Step 2: Open the link as localhost.

Step 3: Choose the image file and enter the directory location.

Step 4: Analyse the image file.

Step 5: Then list the directories.

Step 6: Export the SMS DB.

Step 7: Use SQLite to open the database.

Step 8: Export the SMS DB as a CSV file.

where you have to capture an image of any partition or drive of that particular computer system, the image of a disk can be obtained using the dcfldd utility. To get the image, you can use the following command:

dcfldd if=<source> of=<destination> bs=512 count=1 hash=<hash type>

if= the drive you want to have an image of
of= the destination where the copied image will be stored (can be anything, e.g., hard drive, USB, etc.)
bs= block size (number of bytes to copy at a time)
hash= hash type (e.g. md5, sha1, sha2, etc.) (optional)

We can further have a look at the dd utility's various other important options for capturing the image of a partition or physical RAM by using the following command:

dd --help

bs=BYTES      read and write up to BYTES bytes at a time (default: 512)
cbs=BYTES     convert BYTES bytes at a time
count=N       copy only N input blocks
if=FILE       read from FILE instead of stdin
iflag=FLAGS   read as per the comma-separated symbol list
of=FILE       write to FILE instead of stdout
oflag=FLAGS   write as per the comma-separated symbol list

Each CONV symbol may be:
ascii      from EBCDIC to ASCII
ibm        from ASCII to alternate EBCDIC
lcase      change upper case to lower case
ucase      change lower case to upper case
swab       swap every pair of input bytes
sync       pad every input block with NULs to ibs-size; when used

Each FLAG symbol may be:
append     append mode (makes sense only for output; conv=notrunc suggested)
direct     use direct I/O for data
directory  fail unless a directory
dsync      use synchronized I/O for data
sync       likewise, but also for metadata
fullblock  accumulate full blocks of input (iflag only)
nonblock   use non-blocking I/O
noatime    do not update access time
nocache    request to drop cache

Result:
Thus the data extraction from SMS and contacts using Sleuth Kit was executed successfully.

EX.NO:04 Install Mobile Verification Toolkit or MVT and decrypt encrypted iOS backups.
DATE:

AIM:

To install Mobile Verification Toolkit (MVT) and decrypt encrypted iOS backups.

Procedure:
Step 1: First install some basic dependencies that will be necessary to build all required tools.

Step 2: Add this to your .bashrc or .zshrc file in order to add locally installed PyPI binaries to your $PATH. Then install MVT directly from PyPI.

Step 3: Decrypt the encrypted iOS backup using mvt.

Step 4: Check the decrypted backup.

Encrypted backup

Decrypted backup

Result:
Thus the installation of Mobile Verification Toolkit (MVT) and decryption of encrypted iOS backups were executed successfully.

EX.NO:05 Process and parse records from the iOS system
DATE:

AIM:

To process and parse records from the iOS system.

Procedure:

Step 1: Ensure you have a macOS or Linux system with Sleuth Kit and related tools installed. Also, make sure you have a decrypted iOS backup available for analysis.

Step 2: Use Sleuth Kit commands such as mmls and fsstat to identify the partition containing the iOS backup on the disk image. Once identified, use Sleuth Kit's blkls command to list the contents of the partition and locate the iOS backup file (typically named 3d0d7e5fb2ce288813306e4d4636395e047a3d28). Extract the iOS backup file using Sleuth Kit's icat command:

icat -o <offset> <disk_image> <inode_number> > ios_backup.tar

Replace <offset> with the starting offset of the iOS backup partition, <disk_image> with the disk image file, and <inode_number> with the inode number of the iOS backup file.

Step 3: Once the iOS backup file is extracted, navigate to the directory containing it and extract its contents:

tar -xf ios_backup.tar

Explore the extracted files to locate relevant data such as call logs (Library/CallHistoryDB/CallHistory.storedata), SMS messages (Library/SMS/sms.db), and contacts (Library/AddressBook/AddressBook.sqlitedb). Use SQLite tools (sqlite3) to query and extract data from the SQLite databases found within the iOS backup:

sqlite3 CallHistory.storedata
sqlite> SELECT * FROM call;

This command will display the contents of the call log table. Similarly, extract SMS messages and contacts data using appropriate SQLite queries.

Step 4: Analyze the extracted data to identify patterns, trends, or any relevant information. Visualize the data using tools like matplotlib or pandas to create graphs or charts for better understanding.
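The raw `date` values returned by the query above are not Unix timestamps: iOS databases store them as seconds (or, in newer sms.db rows, nanoseconds) since 2001-01-01 UTC, so they must be converted before they can be compared with records from other sources. The following added example (not from the lab manual) builds a constructed in-memory copy of the manual's `call` table, runs the query, and converts the timestamps; the column names and sample rows are assumptions for the demo.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# iOS stores many timestamps as seconds since 2001-01-01 00:00:00 UTC ("Mac absolute time").
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def apple_time_to_utc(value):
    """Convert a Core Data timestamp to an aware UTC datetime. Values above ~1e10 are
    nanosecond resolution (newer sms.db rows store them that way); scale those down."""
    if value > 1e10:
        value = value / 1e9
    return APPLE_EPOCH + timedelta(seconds=value)

def build_sample_db():
    """Constructed stand-in for the exported call table; NOT a real iOS database
    (real CallHistory.storedata schemas vary by iOS version, so check .schema first)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE call (address TEXT, date REAL, duration REAL, answered INTEGER)")
    conn.executemany("INSERT INTO call VALUES (?, ?, ?, ?)", [
        ("+15551234567", 700000000.0, 95.0, 1),   # constructed sample row
        ("+15559876543", 700003600.0, 0.0, 0),    # constructed: missed call
    ])
    return conn

def extract_calls(conn):
    """Run the manual's query over the call table, but return rows with readable UTC
    timestamps, oldest first, so they are ready for the timeline exercise."""
    rows = conn.execute(
        "SELECT address, date, duration, answered FROM call ORDER BY date"
    ).fetchall()
    return [
        {
            "address": address,
            "timestamp": apple_time_to_utc(date).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "duration_s": int(duration),
            "answered": bool(answered),
        }
        for address, date, duration, answered in rows
    ]

if __name__ == "__main__":
    for record in extract_calls(build_sample_db()):
        print(record)
```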

Result:
Thus the processing and parsing of records from the iOS system were executed successfully.

EX.NO:06 Extract installed applications from Android devices
DATE:

AIM:

To extract installed applications from Android devices.

Procedure:

Step 1: Connect your Android device to the computer using a USB cable.

Step 2: On your Android device, go to Settings > About phone. Tap on "Build number" seven times to enable Developer options. Go back to Settings, then navigate to Developer options. Enable USB debugging.

Step 3: If you haven't already installed ADB on your computer, you can download it from the Android Developer website or install it via a package manager like Homebrew (for macOS) or apt (for Linux).

Step 4: Open a terminal or command prompt on your computer. Run the following command to verify that your device is connected and recognized by ADB:

adb devices

You should see your device listed. If not, make sure USB debugging is enabled and that you have the proper drivers installed.

Step 5: Use the following ADB command to list all installed applications on the device:

adb shell pm list packages

This command will display a list of package names for all installed applications.

Step 6: You can redirect the output of the pm list packages command to a text file for easier viewing and analysis. For example:

adb shell pm list packages > installed_apps.txt

Step 7: If you want more detailed information about an installed application, you can use the pm command with the dump option for each package name. For example:

adb shell pm dump com.example.app

Replace com.example.app with the package name of the application you want to inspect.
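Once installed_apps.txt has been saved, the next step an examiner usually takes is to compare it against a known-good package list for that device model so unexpected packages stand out. The following added example (not from the lab manual) parses the saved pm output, including the `pm list packages -f` variant whose APK paths can themselves contain `=` characters, and reports packages missing from a baseline; all package names and paths are constructed for the demo.

```python
# Constructed sample of what `adb shell pm list packages > installed_apps.txt` produces.
SAMPLE_OUTPUT = """\
package:com.android.settings
package:com.android.vending
package:com.example.notes
package:com.example.flashlight
"""

# Constructed sample of `pm list packages -f`, where each line also carries the APK path.
# The path can contain '=' characters, so the package name must be taken from the
# LAST '=' on the line, not the first.
SAMPLE_OUTPUT_WITH_PATHS = """\
package:/product/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Qx1A==/com.example.notes-3f==/base.apk=com.example.notes
"""

def parse_package_list(text):
    """Return the set of package names from pm output, with or without '-f' paths."""
    packages = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip blank lines, adb warnings and other noise
        body = line[len("package:"):]
        if body.startswith("/"):
            # "-f" form: "<apk path>=<package>"; split on the last '=' only.
            body = body.rsplit("=", 1)[-1]
        packages.add(body)
    return packages

def unexpected_packages(installed, baseline):
    """Packages present on the device but absent from the known-good baseline."""
    return sorted(installed - baseline)

if __name__ == "__main__":
    # Constructed baseline; in practice it comes from a clean device of the same model.
    baseline = {"com.android.settings", "com.android.vending", "com.example.notes"}
    found = parse_package_list(SAMPLE_OUTPUT)
    print("installed:", sorted(found))
    print("not in baseline:", unexpected_packages(found, baseline))
```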

Result:
Thus the extraction of installed applications from Android devices was executed successfully.

EX.NO:07 Extract diagnostic information from Android devices through the adb protocol
DATE:

AIM:

To extract diagnostic information from Android devices through the adb protocol.

Procedure:

I. Device Information:

To get basic information about connected devices:

adb devices

Output:

To get detailed device information:

adb shell getprop

Output:

II. Logcat:

To view the device logs in real time:

adb logcat

To save logcat output to a file:

adb logcat > logcat.txt

Output:

III. Dumpsys:

To get information from system services:

adb shell dumpsys

IV. Bugreport:

To generate a full bug report for diagnostic purposes (this works only on Android 7.0 and above):

adb bugreport > bugreport.txt

V. Screenshot:

To capture a screenshot of the device:

adb shell screencap -p /sdcard/screenshot.png

VI. File Extraction:

To pull files from the device to your computer:

adb pull /sdcard/screenshot.png

VII. Battery Information:

To get battery information:

adb shell dumpsys battery

VIII. Network Information:

To get information about the network status:

adb shell ip addr show

IX. Memory Information:

To get memory usage information:

adb shell dumpsys meminfo

Result:
Thus the extraction of diagnostic information from Android devices through the adb protocol was executed successfully.

EX.NO:08 Generate a unified chronological timeline of extracted records
DATE:

AIM:

To generate a unified chronological timeline of extracted records.

Procedure:

Step 1: Ensure you have extracted relevant data from different sources, such as call logs (call_logs.csv), SMS messages (sms_messages.csv), contacts (contacts.csv), and application installations (installed_apps.txt).

Step 2: If your extracted data is not in a format supported by Plaso (e.g., CSV, JSON), you may need to convert it. Plaso supports various parsers for different data formats.

Step 3: Use the log2timeline.py script provided by Plaso to create a super timeline. This script will process the extracted data and generate a unified chronological timeline. log2timeline.py takes a single source (a file, directory or image), so place the extracted files in one directory and point it there:

log2timeline.py --storage-file timeline.plaso extracted_data/

Replace extracted_data/ with the path to the directory holding call_logs.csv, sms_messages.csv, contacts.csv, and installed_apps.txt.

Step 4: Once the super timeline (timeline.plaso) is generated, you can analyze it using various tools provided by Plaso, such as psort (its -o option selects the output format and -w names the output file):

psort.py -o dynamic -w timeline.csv timeline.plaso

This command will generate a CSV file (timeline.csv) containing the timeline events sorted chronologically.

Step 5: You can visualize the timeline using tools like Timeline Explorer or Kibana. These tools allow you to create interactive timelines with filtering and aggregation capabilities.
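The core difficulty this exercise hides is that each source records time differently: an iOS call log counts seconds from 2001-01-01, while an Android SMS table counts milliseconds from the Unix epoch, so records cannot simply be sorted on their raw `date` column. The following added example (not from the lab manual, and not Plaso code) normalises two constructed CSV exports to UTC and merges them into one ordered timeline; the column names and sample values are assumptions for the demo.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed iOS call-log export: 'date' is seconds since 2001-01-01 UTC (Core Data time).
CALL_LOGS_CSV = """address,date,duration
+15551234567,700000000,95
+15559876543,700007200,0
"""

# Constructed Android SMS export: 'date' is milliseconds since the Unix epoch.
SMS_CSV = """address,date,type,body
+15551234567,1678307800000,1,see you at 9
+15550001111,1678311400000,2,running late
"""

def parse_apple_seconds(value):
    return APPLE_EPOCH + timedelta(seconds=float(value))

def parse_unix_millis(value):
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)

# Each source: (label, csv text, timestamp column, converter, columns to keep as detail).
SOURCES = [
    ("call", CALL_LOGS_CSV, "date", parse_apple_seconds, ("address", "duration")),
    ("sms", SMS_CSV, "date", parse_unix_millis, ("address", "body")),
]

def build_timeline(sources=SOURCES):
    """Normalise every record to an aware UTC datetime and return them oldest first,
    tagged with their source so the analyst can see which artefact each event came from."""
    events = []
    for label, text, ts_column, convert, detail_cols in sources:
        for row in csv.DictReader(io.StringIO(text)):
            events.append({
                "timestamp": convert(row[ts_column]),
                "source": label,
                "detail": {col: row[col] for col in detail_cols},
            })
    # sorted() is stable: records with identical timestamps keep their input order.
    return sorted(events, key=lambda event: event["timestamp"])

if __name__ == "__main__":
    for event in build_timeline():
        print(event["timestamp"].isoformat(), event["source"], event["detail"])
```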

Result:
Thus the generation of a unified chronological timeline of extracted records was executed successfully.
