Lab Practical HandOut

Uploaded by

imranatimtonire

Digital Forensic Investigation Process

The computer forensics investigation process is a methodological approach of preparing for an
investigation, collecting and analyzing digital evidence, and managing the case from the reporting of the
crime until the case’s conclusion. This process takes place in a computer forensics lab.

Lab Scenario

The rapid increase in incidents of cyber-crime has led to development of various laws and standards that
define cyber-crimes, digital evidence, search and seizure methodology, evidence recovery, and
investigation process. The investigators must follow a forensics investigation process that complies with
local laws and established precedents and any deviation from the standard process may jeopardize the
whole investigation. As digital evidence is fragile in nature, a proper and thorough forensic investigation
process that ensures the integrity of evidence is critical to prove a case in a court of law. The
investigators must follow a repeatable and well-documented set of steps such that every iteration of
analysis gives the same findings, otherwise the findings of the investigation can be invalidated during
cross examination.
Hence, as a computer forensic investigator, it is important to have knowledge of the process involved
during a forensic investigation, such as collecting the digital evidence, building a computer forensics lab,
recovering the deleted data, etc.

Lab Objectives

The objective of this lab is to provide expert knowledge about the tools used in the forensic investigation
process. This includes knowledge of the following tasks:
1. Recovering deleted files from the evidence

2. Generating hashes and checksum files

3. Calculating the MD5 value of the selected file

4. Viewing files of various formats

5. Analyzing an evidence file and generating investigative report

6. Creating a disk image file of a hard disk partition

Lab Environment

This lab requires:

1. A system running a Windows Server 2016 virtual machine
2. A system running a Windows 10 virtual machine
3. A web browser with Internet access
4. Administrative privileges to run tools

Lab Duration Time:

180 minutes

Overview of the Computer Forensics Investigation Process

A computer forensics expert should be well-versed with the various tools for data recovery. By using
tools such as EaseUS Data Recovery Wizard, MD5 Calculator, and HashCalc, it is possible to recover files
that have been deleted even from a device’s recycle bin, make a duplicate, and compare the checksums
with the original data.
A computer forensics lab (CFL) is a designated location for conducting computer-based investigations on
collected evidence. It is an efficient computer forensics platform that can investigate any cybercrime
event. In a CFL, the investigator analyzes media, audio, intrusions, and any type of cybercrime evidence
obtained from the crime scene.
Many organizations have built a forensics lab to prevent unauthorized access to sensitive information.
The information that comes from the laboratory can help in determining the guilt or innocence of a
person or corporation.

Lab Tasks
Recommended labs to assist in computer forensic investigation process:

1. Recovering Data from a Windows Hard Disk
2. Performing Hash or HMAC Calculations
3. Comparing Hash Values of Files to Check their Integrity
4. Viewing Files of Various Formats
5. Handling Evidence Data
6. Creating a Disk Image File of a Hard Disk Partition

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target’s security
posture and exposure.

LAB 1

Recovering Data from a Windows Hard Disk

A hard disk is a non-volatile data storage device used to store data or install programs on your
computer.

Lab Scenario

A finance manager in a reputable company modifies the financial data of the company and transfers
the company’s funds to his personal account. In order to conceal the evidence, he permanently
deletes the original files from his computer using Shift+Del. The company then hires a computer
forensic investigator to investigate the issue. What tool(s) should the investigator use to recover the
deleted files?
To be an expert computer forensic investigator, one must have sound knowledge of the tools that
can be used to recover deleted files/data.

Lab Objectives

The objective of this lab is to help students understand and perform data file recovery using the
EaseUS Data Recovery Wizard tool.

Lab Environment

This lab requires:

1. A computer running a Windows 10 virtual machine
2. A computer running a Windows Server 2016 virtual machine
3. Administrative privileges to execute the commands
4. A web browser with internet access
5. EaseUS Data Recovery Wizard

Note: You can download the latest version of EaseUS Data Recovery Wizard from the link
https://www.easeus.com/datarecoverywizard/free-data-recovery-software.htm

Note: Make sure that Real-Time Protection is disabled in Windows 10 virtual machine (if it is running)
before beginning this lab.

Lab Duration Time:

30 minutes

Overview of the Lab

This lab familiarizes you with the tool EaseUS Data Recovery Wizard and helps you understand how to
recover files that have been deleted from a Windows system.

Lab Tasks

1. Log on to the Windows 10 virtual machine.
2. Make sure that the Windows Server 2016 virtual machine is also turned on.
3. Before beginning this lab, navigate to the Documents directory and create a folder named Recovered Files.
4. Navigate to the location of the EaseUS Data Recovery Wizard installer and double-click
DRW13.5_Free.exe.

A Select Setup Language window will appear; ensure to select English language and click OK.

Note: If an Open File - Security pop-up appears, click Run.
Note: If a User Account Control pop-up appears, click Yes.
Note: If a Windows Security dialog box appears, enter the credentials of the Windows Server 2016
virtual machine and then click OK.

5. Setup - EaseUS Data Recovery Wizard will appear; follow the wizard-driven installation steps to
install the application.

6. In the final step of the installation, uncheck Participate in the Customer Experience Improvement
Program and click Finish.
Note: If a pop-up appears stating This app can’t open, click Close.
Note: An EaseUS Installation Successful webpage appears in a web browser. Close the browser.

7. If a Check Update pop-up appears and the application begins to look for updates, click Cancel to
cancel the updates.

8. EaseUS Data Recovery Wizard opens along with an EaseUS Data Recovery Wizard pop-up at the
lower-right side corner of the screen. Close the pop-up.
9. EaseUS Data Recovery Wizard lists the hard disk drives under the Devices and Drivers
section. Hover the mouse cursor over the drive/location you want to scan so that the Scan
button appears below it. In this lab, we will scan the D drive (D:\); therefore,
hover the cursor over New Volume (D:) to reveal the Scan button, then click Scan.

10. The application runs two types of scans: Quick Scan and Advanced Scan. Upon completion of
the scan, it displays the scan results under three folders: Deleted Files, Lost Files, and Existing
Files.
11. The deleted files are contained within the Deleted Files directory under the Quick Scan section.
You can choose either to preview these files or recover them depending on your requirement.

12. In this lab, we will be previewing a text file named 1.txt. To do that, expand Deleted Files and
then select Text Files folder. A list of files associated with this folder appears in the right pane,
right-click on 1.txt and select Preview.

13. The preview of the selected file will appear as shown in the screenshot below:
14. If you wish to recover this text file, click on Recover.
15. A Browse for Folder window appears where you need to choose the location for saving of the
file. We will be saving the file to the Recovered Files directory that we created in the beginning
of the lab.
16. Therefore, under This PC section, expand Documents, select Recovered Files folder, and click
OK. The file being recovered then gets saved to this Recovered Files folder.

17. On completing the recovery, a Recover Complete window will appear, and the application
automatically directs you to the Recovered Files folder.
18. Close the Recover Complete window and the Preview window.
19. EaseUS auto-creates a sub-folder named Preview inside yet another auto-created sub-folder
named Easeus [DD HH_MM] under the Recovered Files folder, where DD denotes the date, HH
denotes the hours, and MM denotes the minutes.

20. You can also manually view this recovered file by navigating to the location
Documents\Recovered Files\Easeus [DD HH_MM]\Preview (or C:\Users\Admin\Documents\Recovered
Files\Easeus [DD HH_MM]\Preview).

21. To recover multiple files, select the files you want to recover, then click Recover. In this lab, we
are going to recover 2.txt, 3.txt, 4.txt, 5.txt, Information.txt.
Therefore, select these files and click Recover.
22. On clicking Recover, the Browse for Folder window appears where you need to choose the
location for saving the files, as in the previous case where a single file was recovered. You may
either choose the Recovered Files folder created earlier to save the files or choose another
location. In this lab, we will be saving the files to the same folder (Recovered Files).
23. Following the same method as in the previous case, from the Browse for Folder window, expand
Documents, select Recovered Files folder, and click OK. The file being recovered then gets saved
to this Recovered Files folder.
24. On completing the recovery, a Recover Complete window appears as previously seen, and the
application automatically directs you to the location where the recovered files are saved.

25. Close the Recover Complete window.


26. EaseUS auto-creates a series of sub-folders inside Recovered Files folder in
this order: Easeus [DD HH_MM] → New Volume(D) → Deleted Files, where DD denotes the
date, HH denotes the hours, and MM denotes the minutes.
27. To view the recovered files, open Deleted Files → Text Files. The recovered files appear in this
location, as shown in the following screenshot:

28. In the same way, you may recover single or multiple folders, sub-folders, or even the entire
Deleted Files folder by following the above steps.

Note: If the space required for saving the files/folders is insufficient, then consider saving the
data to another location such as an external hard disk with adequate space and create a backup.
The recovered data may also be saved to the cloud.
Note: Since we are using the trial version of EaseUS Data Recovery Wizard, the tool may have
the limitation of not supporting the preview/recovery of files of certain formats.

Lab Analysis
Analyze and document the results related to this lab exercise. Submit your opinion and
experiences with the EaseUS Data Recovery Wizard.

Lab 2: Performing Hash or HMAC Calculations


Hashing is performed on data such as files or text to generate unique fixed-length strings called
hashes or checksums. The generated hashes are helpful in determining whether the given data
has maintained its integrity.

Lab Scenario
A multi-national company has undergone a network attack and has called a forensics investigator
to investigate the issue. The investigator found some codes that appear to be familiar and needs
to cross-check for their availability across a malware database. The major problem here is that
the codes are huge and require a large amount of storage space, making it difficult for search
and indexing purposes. Therefore, the investigator uses hash values of the code to find their
traces in the database.
To be an expert computer forensic investigator, one must have sound knowledge of hashing and
the tools used to compute hashes.

Lab Objective
The objective of this lab is to demonstrate how to:
1. Compute hashes of files and text string
2. Check the hashes on VirusTotal to see if the file(s) are malicious

Note: Hashes or hash values may also be referred to as checksums.

Lab Environment
This lab requires:

1. A computer running a Windows Server 2016 virtual machine
2. Administrative privileges to execute the commands
3. A web browser with internet access

Note: You can download the latest version of HashCalc from the link
https://www.slavasoft.com/hashcalc/

Note: Make sure that Real Time Protection is disabled in Windows 10 virtual machine (if it is running)
before beginning this lab.

Lab Duration Time:

20 minutes

Overview of the Lab

This lab familiarizes you with HashCalc, a tool that helps you determine the hash values of various files.
Determining the hash values of files enables an investigator to establish their integrity.

Lab Tasks

1. Log in to the Windows Server 2016 virtual machine.
2. Double-click on setup.exe and follow the wizard-driven installation steps to install the
application.
3. Locate the evidence for this lab.

Note: If an Open File - Security Warning pop-up appears, click Run.


4. In the final step of installation, uncheck View the README file option, check Launch HashCalc
option, and click Finish.

5. The HashCalc application’s main window will appear, as shown in the following screenshot:
6. In the Data Format drop-down list, select File as the data format and click the ellipsis button
associated with the Data field to select the file.

7. Subsequently, a Find window will appear; navigate to the evidence location. In this location, you
need to select the evidence file whose hash value needs to be calculated. In this lab, we have
selected Fan-oven.png. Once you select the file, click Open.
8. The selected file will be displayed in the Data field.
Note: To calculate the message digests/checksums for the data, the HMAC box must be unchecked.

9. Select the algorithms you want to use for calculations by checking the boxes with the
appropriate names, and then click the Calculate button.
10. Hash values will be displayed for the selected file, as shown in the following screenshot:

11. To calculate the Keyed-Hash Message Authentication Code (HMAC) for the data:
1. Check the HMAC box.
2. In the Key Format combo box, select the type of the key you want to use for calculations.
HashCalc allows you to perform calculations using text keys or hex keys (Here, we have selected
Text String in the Key Format combo box).
3. In the Key box, enter the key for HMAC calculations (for example, test is entered as key here).
4. Select the algorithms you want to use for calculations by checking the required algorithms,
and then click Calculate.

12. HashCalc calculates the hashes of the specified file and displays them as shown in the following
screenshot:
13. Both windows containing MD5 hash values, one generated using HMAC and the other
without using HMAC, are shown below for students’ understanding:

14. If you want to perform a calculation for a text string, first select Text string from the Data Format
drop-down list, uncheck HMAC box and then enter the text in the Data field.

15. Select the algorithms you want to use for calculations by checking the required algorithms and
then click the Calculate button.

16. Hash values will be displayed for the selected algorithms, as shown in the following screenshot:
17. Next, we shall calculate the MD5 hash value of an infected/malicious PDF and search this hash
value in the VirusTotal database to see whether the file is safe to access or malicious.
18. In this lab, we shall be testing a file named Infected.pdf located in the Evidence Files folder.
19. In the Data Format drop-down list, select File as the data format and click the ellipsis button
associated with the Data field to select the file.

20. Locate the infected PDF (Infected.pdf) and click Open.

21. The selected file will be displayed in the Data field; click Calculate to calculate the hash value of
the file.

22. Since MD5 algorithm is already selected, HashCalc calculates the MD5 value followed by the
other hashes (that were selected) of the file. Copy the MD5 hash value as shown in the following
screenshot:
23. Now, launch the Firefox web browser and browse to the URL
https://www.VirusTotal.com/gui/home/search. The VirusTotal Search page will appear as shown
in the screenshot below:

24. Paste the MD5 hash in the Search field and click Search.
25. VirusTotal searches for this value in its database and returns the result as shown in the following
screenshot:

Note: The number of anti-virus engines and detection rate might vary in your lab environment.

26. The result indicates that many anti-virus engines detected the file as malicious. In practice,
when a file appears to be suspicious, you may submit the file or its hash value to malware
scanning services like VirusTotal to learn whether the file is malicious.
27. This way, you can calculate the MD5 hashes of files and text strings and look up the hash
values of suspicious files in online malware scanners.
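As an added example (not part of the handout and not HashCalc's own code), the following Python script reproduces the calculations of steps 6 to 22 with the standard library: plain digests with the HMAC box unchecked, HMACs with the key supplied as a text string or as a hex string, chunked hashing of large evidence files, and the MD5 value you would paste into VirusTotal. The evidence bytes are constructed inline because Fan-oven.png and Infected.pdf are not available here, and the VirusTotal report URL form is an assumption.

```python
import binascii
import hashlib
import hmac

# Algorithms ticked in HashCalc for this walkthrough.
ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed stand-in for the evidence file Fan-oven.png (the real file is not
# available here); any bytes object or file path works the same way.
SAMPLE_EVIDENCE = b"constructed stand-in for Fan-oven.png\n"


def digests(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Message digests of the data, i.e. HashCalc with the HMAC box unchecked."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def parse_key(key: str, key_format: str) -> bytes:
    """Turn the Key field into bytes according to HashCalc's Key Format choice.

    'Text String' uses the characters as typed; 'Hex String' decodes pairs of hex
    digits, so the text key 'test' and the hex key '74657374' are the same key.
    """
    if key_format == "Text String":
        return key.encode("utf-8")
    if key_format == "Hex String":
        return binascii.unhexlify(key.replace(" ", ""))
    raise ValueError(f"unsupported key format: {key_format!r}")


def hmacs(data: bytes, key: str, key_format: str = "Text String",
          algorithms=ALGORITHMS) -> dict:
    """Keyed-hash MACs of the data, i.e. HashCalc with the HMAC box checked."""
    key_bytes = parse_key(key, key_format)
    return {name: hmac.new(key_bytes, data, name).hexdigest() for name in algorithms}


def file_digests(path: str, algorithms=ALGORITHMS, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk in chunks so large evidence files are not read into memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def virustotal_report_url(digest_hex: str) -> str:
    """Report URL for a hash (assumed URL form; the lab instead pastes the hash into
    the search box at virustotal.com/gui/home/search). Only the hash leaves the lab."""
    return f"https://www.virustotal.com/gui/file/{digest_hex.lower()}"


if __name__ == "__main__":
    plain = digests(SAMPLE_EVIDENCE)
    keyed = hmacs(SAMPLE_EVIDENCE, "test")                    # step 11: key 'test', Text String
    keyed_hex = hmacs(SAMPLE_EVIDENCE, "74657374", "Hex String")  # same key written in hex
    for name in ALGORITHMS:
        print(f"{name:8} digest  {plain[name]}")
        print(f"{name:8} hmac    {keyed[name]}")
    # Step 13: the plain MD5 and the HMAC-MD5 of the same file are different values,
    # while the two spellings of the key give identical HMACs.
    print("plain != hmac:", plain["md5"] != keyed["md5"], " text == hex key:", keyed == keyed_hex)
    print("lookup:", virustotal_report_url(plain["md5"]))
```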
Lab Analysis
Document all Hash, MD5, and CRC values for further reference.

Lab 3: Comparing Hash Values of Files to Check their Integrity

Hashing is performed on data such as files or text to generate unique fixed-length strings called hashes
or checksums. Using hashes, one can determine the integrity of the given data.

Lab Scenario

During an investigative process, a forensics examiner has to check the integrity of copies of several files
that contained sensitive data of an organization. For this, he/she must calculate the hash values of the
copies that are suspected to have been modified and compare them with the hash values of the original
files that store the organization’s confidential data. Essentially, the investigator needs to compare the
hashes of the suspect files with their pre-existing hashes to check whether the integrity of files is
preserved. What tool should the investigator use to compute and compare the hashes?

To be an expert computer forensic investigator, one must have sound knowledge of tools used for
computing hashes.

Lab Objectives

The objective of this lab is to help you learn how to:

1. Generate the MD5 hash value of selected files using MD5 Calculator

2. Compare the generated hash values of files with their pre-existing hash values to determine the
integrity of files

Lab Environment

This lab requires:

1. A computer running a Windows Server 2016 virtual machine
2. Administrative privileges to execute the commands
3. A web browser with internet access

Note: You can download the latest version of MD5 Calculator from the link
https://www.bullzip.com/download.php

Note: Make sure that Real Time Protection is disabled in Windows 10 virtual machine (if it is running)
before beginning this lab.

Lab Duration

20 Minutes
Overview of the Lab
Calculating Hash Values
In this lab, you will be calculating the hashes of the files and comparing them with the hashes stored in
the repository (i.e., what I am going to provide for you).

Lab Tasks

1. Log in to the Windows Server 2016 virtual machine.
2. Locate and double-click md5calc(1.0.0.0).msi to launch the setup, and follow the wizard-driven
instructions to install the application.

Note: If an Open File - Security Warning pop-up appears, click Run.

3. Upon completing the installation, click Close to exit the installation wizard.
4. Locate the evidence. To calculate the MD5 hash of a file, first select a file, right-click on it and
then select MD5 Calculator from the context menu. Here, we are selecting the image file
cartoon-article.jpg for calculation of its MD5 hash value:

5. The MD5 Calculator window will subsequently appear, displaying the MD5 hash value for the
selected file as shown in the following screenshot:
6. A text file will be provided which contains the hashes of the files to be checked.

7. Copy the hash value from the text file and paste it into the Compare to field.

8. If the hashes do not match, the file’s integrity is in question and it needs to be further
investigated. The file might have been modified to act as a payload for an attack, to
hide data inside it, etc.
9. This way, you can compute file hashes using MD5 Calculator and compare them to verify
the integrity of the file(s).

Lab Analysis
Analyze and document all the calculated hash values related to this lab exercise by using MD5
Calculator.
Lab 4: Viewing Files of Various Formats
A file format is a layout of a file that tells a program how to display its contents. Some of the
common file formats are .doc, .gif, .jpg, .png, .mp3, .pdf, .txt, etc.

Lab Scenario
A network administrator has reported transmission of some unknown files across the company’s
network after a security breach incident. Upon investigation, the investigators found that the
attacker had hidden the file format to confuse the network administrator. The investigators used
File Viewer to recognize the format and extract its contents that led to the attack.
To be a computer forensic expert, you must have sound knowledge of various file viewing tools
used for forensic investigations. This knowledge includes how to locate files quickly, view files of
different formats, etc.

Lab Objectives
The objective of this lab is to help students learn and perform file viewing with the help of File
Viewer. File viewer is used for viewing files of various formats.

Lab Environment
This lab requires:
1. A computer running a Windows Server 2016 virtual machine
2. Administrative privileges to install and run tools
3. File Viewer installer

Note: You can also download the latest version of File Viewer from
http://www.accessoryware.com/fileview.htm

Kindly note that if you decide to download the latest version, then the screenshots shown in this lab
might differ slightly.
Note: Make sure that Real Time Protection is disabled in Windows 10 virtual machine (if it is running)
before beginning this lab.

Lab Duration

30 minutes

Overview of the Lab

In this lab, you will learn how to examine files of various formats using File Viewer and understand if they
need further investigation.

Lab Tasks

1. Log in to the Windows Server 2016 virtual machine.
2. Navigate to the location of FileViewer, double-click FileView.exe to launch the setup and follow
the wizard-driven installation steps to install the application.

Note: If an Open File - Security Warning pop-up appears, click Run.


Note: If a User Information section appears, provide details in the Name and Company fields and click
Next to continue.

3. On completing the installation, click Finish.


4. Double-click File Viewer 9.5 icon to launch the application.
5. The File Viewer Registration pop-up appears. Click the Close button to open the File Viewer
window.
6. The File Viewer main window will appear, along with a Getting Started with File Viewer dialog
box. Check the Do Not Show on Start Up option and click Cancel.
7. If the dialog box does not appear, skip to the next step.

8. Go to File menu and click Open.


9. In the Open dialog box:
a. Locate the evidence file path.
b. Select All files (*.*) in the File type drop-down list.
c. Select the file Friends2.jpg and then click Open.

10. If a Getting Started with File Viewer dialog box appears, click Cancel.
11. The image Friends2.jpg opens in the file viewer screen, as shown in the following screenshot:

12. Navigate to File → File Properties to view various properties of the selected image.
13. The File Properties window will pop up showing various properties of the selected file. Click OK
to close the window.

14. Now, we shall open an mp4 file (520px-Biohazard_symbol_(blue).mp4) in the application.
15. Go to the File menu and click Open.
16. In the Open dialog box:
a. Locate the evidence file path.
b. Select All files (*.*) in the File type drop-down list.
c. Select the file 520px-Biohazard_symbol_(blue).mp4 and then click Open.
17. If a Getting Started with File Viewer dialog box appears, click Cancel.
18. If a File Viewer pop-up appears stating LTMM Error, click OK to close the pop-up.
19. File Viewer will try to run the mp4 file but will fail to do so, as shown in the following screenshot:

20. This happens when a file is either corrupt or its file extension has been deliberately changed,
which results in a blank screen. Such files need to be further investigated.

21. Before investigating, you need to identify such suspicious files. Identification of such
files and their original file formats is covered in a lab ahead.
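The situation in steps 19 to 21, a file whose extension does not describe its contents, can be caught before opening it in a viewer by reading the file's leading bytes (its signature or magic bytes) and comparing the implied format with the extension. The Python below is an added example, not File Viewer's code and not part of the handout; the sample headers are constructed (the renamed image standing in for the lab's mp4 is an assumption about why it failed to open).

```python
from pathlib import Path
from typing import Optional

# Signatures (magic bytes) at the start of common formats. MP4 files carry "ftyp"
# at offset 4, after a 4-byte box length, rather than at offset 0.
SIGNATURES = [
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("jpg", 0, b"\xff\xd8\xff"),
    ("gif", 0, b"GIF87a"),
    ("gif", 0, b"GIF89a"),
    ("pdf", 0, b"%PDF-"),
    ("mp4", 4, b"ftyp"),
]

# Extensions that name the same format as another entry above.
ALIASES = {"jpeg": "jpg"}


def detect_format(header: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unrecognised."""
    for fmt, offset, magic in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return fmt
    return None


def check_name(name: str, header: bytes) -> dict:
    """Compare the extension a file claims with what its first bytes say."""
    ext = Path(name).suffix.lower().lstrip(".")
    ext = ALIASES.get(ext, ext)
    actual = detect_format(header)
    if actual is None:
        verdict = "unknown"        # no known signature: corrupt, unsupported or disguised
    elif actual == ext:
        verdict = "ok"
    else:
        verdict = "mismatch"       # extension changed; investigate as in step 20
    return {"name": name, "extension": ext, "actual": actual, "verdict": verdict}


def check_file(path: str) -> dict:
    """Check a real file on disk; only the first 16 bytes are needed."""
    with open(path, "rb") as fh:
        return check_name(Path(path).name, fh.read(16))


# Constructed sample headers standing in for the lab's evidence files.
SAMPLES = {
    "Friends2.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    # Constructed: an image renamed with an .mp4 extension, one of the causes
    # step 20 gives for File Viewer showing a blank screen.
    "520px-Biohazard_symbol_(blue).mp4": b"GIF89a\x08\x02\x08\x02",
    "report.pdf": b"%PDF-1.7\n",
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42",
    "unknown.dat": b"\x00\x01\x02\x03",
}


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        r = check_name(name, header)
        print(f"{r['verdict']:9} {name}: extension={r['extension']!r} bytes say={r['actual']!r}")
```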
Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target’s
security posture and exposure.

Lab 5: Handling Evidence Data

Forensic evidence is obtained via bit-by-bit copying of original media such as hard drive, USB drive, etc.,
found at the crime scene. It contains information such as files/folders, deleted data, etc., that can serve
as a potential source of evidence during investigation.

Lab Scenario

After concluding the investigation process, a junior investigator submitted the evidence files to the
court for trial. The judge dismissed the case, citing poorly handled evidence and improperly
presented data. This incident shows the importance of handling evidence properly and presenting the
data in a viable manner. To be a computer forensic expert, you must have sound knowledge of handling
forensic data efficiently by using different tools such as Paraben’s E3.

Lab Objectives

The objective of this lab is to help students learn and use Paraben’s E3 Forensic Platform for handling
evidence data.

Lab Environment

This lab requires:

1. A computer running a Windows Server 2016 virtual machine
2. Administrative privileges to install and run tools
3. A web browser with internet access

Note: You can download the latest version of Paraben’s E3: Universal from the link
https://paraben.com/dfir-tools-trial/

Explore the page https://paraben.com/e3-trial-sample-files/ on Paraben’s official website for options and
instructions on signing up for the Paraben’s E3 trial setup.

If you download the latest version of Paraben’s E3 and use it for examination, then the screenshots
shown in this lab might differ.

Note: Make sure that Real Time Protection is disabled in Windows 10 virtual machine (if it is running)
before beginning this lab.

Lab Duration

50 minutes
Overview of the Lab
In this lab, you will learn how to conduct forensic examinations on an evidence file using Paraben’s E3
Forensic Platform.

Lab Tasks

1. Log in to the Windows Server 2016 virtual machine.

Note: Make sure that you have an active internet connection throughout the lab.
Note: Make sure you sign up for the trial edition of the E3 platform at
https://paraben.com/dfir-tools-trial/, download the tool and communicate with the Paraben team in
order to obtain a license for activation.
2. Double-click on the Paraben installer (here, we are using the Paraben_E3-x64_2.6.13017.17333.msi
installer) to launch the setup and follow the wizard-driven installation steps to install the
application.
Note: If an Open File - Security Warning pop-up appears, click Run.

3. At the end of the installation process, click Finish to exit the installation wizard.
Note: If a Paraben’s Driver Pack download webpage opens in the default browser, close it.
4. Double-click on the Electronic Evidence Examiner icon located on the desktop to launch the
application. Alternatively, you can launch the application from the Apps screen.
Note: If the tool has been activated earlier, then you can skip directly to the step where we
create a new case in the next task and get started with the lab exercise.
5. Upon launching the tool, the main window of Paraben’s E3 opens up along with a Paraben’s E3
pop-up. Close the pop-up.
Note: If the activation window opens up, close it.
Note: If the tool opens up Paraben’s webpage in the default browser, close it.
Note: If Paraben’s tutorial pop-up appears along with the main window of E3 on launching the
application, close the tutorial menu pop-up.
Note: Activation of the application as a trial version is highly recommended as the trial version
offers full functionality of all the features of this tool, on par with its full, paid version. The free
version of the tool offers only limited features and may not be suitable to run the lab.
6. To activate the trial version, go to Case in the menu bar and, from the drop-down, click
Activation. Then click the Activate option as shown in the screenshot below.

7. Paraben’s Electronic Evidence Examiner Activation window appears listing the options for
activation. Ensure that the option Internet License is selected and click the Activate button.

8. A Registration dialog box appears asking you to restart the application to finish the activation.
Click OK. Close the application and restart it.
Note: The Paraben’s E3 trial version is valid only for 7 days.
9. Next, Connect to Web License Server window opens up and asks for user credentials to connect
to the web license server. Here, you must enter the Login ID (or email ID) and Password that has
been used to sign up/register for the Paraben’s E3 trial setup in order to access the trial version
of the tool. Upon entering the credentials, click the Connect button.

10. The main window of the application opens up along with the Paraben’s E3 pop-up that we saw
upon launching the application for the very first time after completing its installation. Close the
pop-up.
11. Go to Case on the menu bar and click Help to check whether the tool has been activated. In the
right window pane, you can find information pertaining to Paraben’s E3 registration along with
Registration key.

Note: When the trial version of the application has been activated, you will also find that its
name at the top of the window is Paraben’s E3: Universal instead of Paraben’s E3: Free, which
will be seen only when using the free version of the tool.

12. Next, we will examine forensically acquired digital evidence using the Paraben’s E3 forensic
platform. In order to examine new evidence, go to Case on the menu bar and click Create New
Case.

13. A New Case window appears which displays the Welcome section. Click the Next button.
14. In the Case Properties section, provide a Case name and case Description in the respective fields.
You may enter these details according to your requirement. Click Next.

15. In the Additional Information section, enter additional information related to the investigator
(you may also enter your details in this section) and click the Finish button.
Note: Additional information is not mandatory and can be filled any time through the Properties
pane.
16. In the New case creation window that appears next, navigate to the Desktop and create a folder
named Reports. Then, go into the Reports folder by ensuring that it is selected and clicking
Open. Specify a file name for the case (here, it is Case 1.e3) in the File Name field and then click
Save.
17. In the Add New Evidence window that appears next, select Image File under the Category
section in the left pane, then select Auto-detect image under the Source type section in the
right pane and click OK.

18. An Open window will appear; navigate to the evidence location, select
Windows_Evidence_001.dd and click the Open button.
19. A pop-up appears where we can specify a new name for the evidence that we added. We will
retain the default name (Windows_Evidence_001) for our evidence file. Click OK.
20. An NTFS Settings window pops up. Check all the options specific to deleted data recovery and
click OK.
Note: If the image file uses a FAT file system, then the below window will not pop up.

21. The selected image file is added to the case (Case 1 file under the Case Content tab in the left
pane of the application window).
22. Expand Case 1 → Windows_Evidence_001 → NTFS → Root. You will find the data pertaining to
the evidence file.

23. During forensic investigation, retrieving deleted data from the evidence image file is crucial. The
information pertaining to the deleted data can be retrieved from the Trash folder. Click on the
Trash folder to find deleted data.

24. To view the properties of a deleted file, select it. Its properties will then be displayed under the
Properties tab in the right pane of the window as shown in the screenshot (here, we have
selected the image file Tweety1.gif):
25. To view the actual image contained in the selected file (since the selected file is of image file
format), click the File View tab. The image will be displayed in the right pane of the window.

26. Apart from viewing the actual image contained in a selected file, Paraben’s E3 also lets you view
its Hex values. Hex values help determine the raw and exact contents of a file even if it has been
deleted or overwritten. Hex values thus help you identify and retrieve information of forensic
value that normally cannot be accessed by the operating system.
27. To view the hex values of the selected file, click the Hex View tab. The Hex values will be
displayed in the right pane of the window.

28. To view the text values of a text file document, select the text file (here, we have selected the
text file New Text Document.txt) and then click the Text View tab as indicated in the screenshot
below:

29. To generate an investigative report, first select the desired files that must be included in the
report. Then click on Reports on the menu bar, and then click Generate Report as indicated in
the screenshot below:

30. In the Reports Wizard window that appears next, we need to select the report type to be
generated and also specify a Destination folder. In this lab, we will be selecting the HTML
Investigative Report type option and the default destination folder location shown by the
application. Make sure to check the options Include Parsed Embedded Data and Open report on
finish. Click Next.
Note: If you want the report to be opened automatically at the end of the lab without having to
manually open it by navigating to the location where it has been saved, then make sure to check
the option Open report on finish.
31. You can Add or Edit any additional investigator information, if needed, in the Investigator’s
Information section that appears next, and then click the Next button.

32. In the Filesystem Types section that appears next, select the file types that you want included in
the report and click the Next button.
33. In the File properties section that appears next, select those details under properties that you
want included in the report, then click Next.
34. In the Other evidence section that appears next, select the options according to your
requirement (you may also leave these options set to default). Click Next.
35. In the Sorted files section that appears next, select the Include only data checked as “Include to
reports” radio button and then click Next.

36. In the Custom Report View section that appears next, you can customize the report view by
adding your custom logo, custom header, and custom footer. Click Next after customizing the
report view.
Note: Customizing the report view is not mandatory and can be skipped by clicking Next.
37. In the Summary and Conclusion section that appears next, you can add the summary and
conclusion pertaining to the evidence examination in the Examination Summary and
Examination Conclusion sections respectively. Click on the Edit Section buttons below the
Examination Summary and Examination Conclusion sub-sections respectively. An Editing
Section window (which looks similar to a word document) for each of those sub-sections will
open. In the Editing Section windows for each of those sub-sections, you can respectively write a
brief summary on the evidence file examined and a conclusion describing the actions performed
on it and the result generated. After adding the summary and conclusion, click Next.
Note: The Summary and Conclusion section is not mandatory to edit and can be skipped by
clicking Next.
38. In the Logs and Supplementary files section, check the Include Case History option and click
Finish.

39. A Task Status Notification window appears indicating that report generation is finished and that
the generated report has been saved to the default destination (in this case: C:\Users\
Administrator\Documents\E3 Cases\Reports\Case 1\). Click OK or close the window.

Note: If asked about how you want to open the generated report, as shown in the screenshot
below, then make your choice and click OK. The report will then be opened through the browser
that you selected. After this operation, whenever you attempt to open the investigative report
that you generated, it will always be opened automatically through the browser that you have
chosen here.

40. You can also manually navigate to the folder where you have saved the report file and open it
from there. In this folder, you will find a sub-folder named Case 1. Open that sub-folder and
double-click the Case 1.html file to open and view the report.

41. A detailed Investigative Report will open in the web browser; scroll down the browser window
to examine the report in detail.
42. In this manner, you can use the Paraben’s E3 utility to handle evidence data.

Lab Analysis

Analyze and document the results related to the lab exercise.

Creating a Disk Image File of a Hard Disk Partition

A disk image is a bit-by-bit copy of a hard disk or a disk partition, which includes all the files/folders,
deleted files, files left in the slack space and unallocated space, file system information, etc.

Lab Scenario

An investigator was performing forensics on a hard disk copy when he triggered a pre-loaded process
that deleted the entire disk data leading to loss of evidence. However, he had already created a
forensic copy of the disk and this gave him the option to work on the same data again. Therefore,
investigators should always create duplicates of the hard disk and perform the forensics process on
the copy.
To be a computer forensics expert, you must have sound knowledge of the various disk imaging tools
used for forensics investigation.

Lab Objectives

The objective of this lab is to help students understand how to create a disk image file of a hard disk
partition using R-Drive Image.
Lab Environment

This lab requires:

1. A system running a Windows 10 virtual machine


2. A system running a Windows Server 2016 virtual machine
3. Administrative privileges to install and run tools
4. The R-Drive Image installer

Note: You can also download the latest version of R-Drive Image from the link https://www.drive-
image.com/Drive_Image_Download.sht

Please note that if you use the latest version of software for this lab, then the screenshots shown in this
lab might differ slightly.

Note: Make sure that Real Time Protection is disabled in the Windows 10 virtual machine (if it is running)
before beginning this lab.

Lab Duration

30 minutes

Overview of the Lab


This lab helps you learn how to create the disk image file of a hard-disk partition. Imaging of a hard disk
or a hard disk partition helps you create the forensic copy of the disk or a partition on it so that you can
use the forensic copy for investigation purposes.

Lab Task

1. Log in to Windows 10 virtual machine.

2. Navigate to R-Drive Image.

3. Double-click RDriveImage6.exe to launch the setup, select the language (here, English) and
follow the wizard-driven installation steps to install the application.

Note: If an Open File - Security Warning pop-up appears, click Run.

Note: If a User Account Control pop-up appears, click Yes.


Note: If a Windows Security dialog box appears, enter the credentials of the Windows Server 2016
virtual machine and then click OK.

4. On completing the installation, ensure that the Launch R-Drive Image option is checked and click
Finish.

5. The R-Drive Image GUI will appear; click Next.


6. In the Action Selection panel, Create an Image option is selected by default. Click Next to
continue.
7. In this lab, we will be creating an image for D:. Therefore, in the Partition Selection panel, select
D drive to create a drive image file of the drive. Click Next.

8. In the Image Destination panel:


1. Expand This PC and select the Forensic Disk (F drive) to save the file in this drive.
2. The filename will be automatically taken by the application.
3. Select R-Drive Image files (*.rdr) in the Files of type field and click Next.

9. In the Image Options panel, click Next.


Note: Providing a password is optional.
10. In the Backup Options panel, click Next.

11. The Processing panel displays the summary of all the processes. Click Start to start the disk
partition imaging process.
12. The Progress bar in the Processing panel will show the percentage of task completed.

13. Once the processing is done, a pop-up will appear displaying Image created successfully. Click
OK.
14. In the Processing panel, click Continue to complete the process.

15. In the R-Drive Image window that reads Action Selection at the top, click the Exit button to close
the application.
16. Now, navigate to the Forensic Disk (F Drive) to view the created disk partition image file.

Note: The size of the image file depends on the space filled in the drive. Since we are imaging D
drive, which is currently empty, the size of the generated image file is relatively less.
17. Examination of disk image files.
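The R-Drive Image wizard above does the copying for you; what it does not show is the integrity check an investigator records alongside the image. The following added example (not part of this handout or of R-Drive Image) performs a bit-for-bit copy of a source file standing in for a partition, hashes the source while copying, re-hashes the finished image, and writes a sidecar hash record; the "partition" contents, file names and paths are constructed for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # copy in 1 MiB pieces so a large partition never sits fully in RAM


def sha256_of_file(path, chunk=CHUNK):
    """Hash an existing file by streaming it from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_and_verify(source_path, image_path, chunk=CHUNK):
    """Copy every byte of source_path into image_path, hashing on the fly.

    Returns (source_sha256, image_sha256, bytes_copied). The image hash is
    computed by re-reading the finished image from disk rather than trusting
    the write path, so equal digests prove the copy is bit-for-bit identical.
    """
    src_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before re-reading it
    return src_hash.hexdigest(), sha256_of_file(image_path, chunk), copied


def write_hash_record(image_path, digest):
    """Write a sidecar <image>.sha256 so the hash can be re-verified later (e.g. in court)."""
    record = f"{digest}  {os.path.basename(image_path)}\n"
    with open(image_path + ".sha256", "w") as f:
        f.write(record)
    return record


def demo():
    """Constructed demo: a fake partition holding live data, a deleted-file remnant
    and random unallocated space; returns True when the image verifies."""
    partition = (b"LIVE FILE contents\x00" * 64
                 + b"DELETED-BUT-STILL-ON-DISK report.docx" + b"\x00" * 500
                 + os.urandom(4096))
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "partition_D.bin")   # stands in for the D: drive
        img = os.path.join(tmp, "partition_D.img")   # stands in for the .rdr image
        with open(src, "wb") as f:
            f.write(partition)
        src_digest, img_digest, n = image_and_verify(src, img)
        write_hash_record(img, img_digest)
        with open(img, "rb") as f:
            image_bytes = f.read()
        # the deleted-file remnant survives because every byte was copied, not just live files
        remnant_kept = b"DELETED-BUT-STILL-ON-DISK" in image_bytes
        return src_digest == img_digest and n == len(partition) and remnant_kept


if __name__ == "__main__":
    print("image verified:", demo())
```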

Lab Analysis

Analyze and document the results related to the lab exercise.

Lab 6: Recovering Deleted Files from Hard Disks

Data recovery is a process of restoring lost/deleted, corrupt, or inaccessible data from the storage
device.
Lab Scenario

The forensic investigators started scanning the computers for deleted data to catch the perpetrator,
who had been collecting the company’s private data for harmful purposes. To avoid identification,
the perpetrator had deleted the data from the system. However, the investigators were able to trace
the system used by the perpetrator by analyzing the file systems and recovering deleted data using
the WinHex tool.
As a computer forensic investigator, you should know how to recover files that have been
permanently deleted and the tools that can be used for recovering them.

Lab Objectives

The objective of this lab is to help you understand how to recover files that have been permanently
deleted using the WinHex tool.

Lab Environment

This lab requires:

1. A computer running a Windows Server 2016 virtual machine


2. Administrative privileges to execute the commands
3. A web browser with internet access
4. WinHex 19.9 tool

Note: You can also download the latest version of WinHex from https://www.x-ways.net/winhex.

If you are using the latest version of software for this lab, then the steps and screenshots
demonstrated in the lab might differ.

Note: Make sure that Real Time Protection is disabled in the Windows 10 virtual machine (if it is
running) before beginning this lab.

Lab Duration

Time: 40 minutes

Overview of the Lab

This lab familiarizes you with the WinHex tool. It helps you understand how to import an image into
this application and recover files of specified file types from the image file.

Lab Tasks

1. Log in to Windows Server 2016 virtual machine.


2. Locate the evidence files.
3. Double-click winhex.exe to launch the application.
4. Navigate to File → Open to add the evidence file.
5. The Open Files window appears; navigate to the image location and then select
Linux_Evidence_001.img. Upon selecting the file, click Open.

6. WinHex evaluation pop-up will subsequently appear; click OK to close the pop-up.

7. WinHex will process the image file and display the following window with a Data Interpreter
pop-up at the lower right corner of the window.
8. Navigate to Tools → Disk Tools → File Recovery by Type...

9. A WinHex pop-up appears; click OK.

10. The File Header Search on Linux_Evidence_001.img window appears, listing the file types from
which you can choose the ones to extract.
11. In this lab we are going to extract pictures; therefore, click on the + node to expand the Pictures
folder.
12. Select the image file formats of your choice under the Pictures folder and click OK.
Note: Similarly, you can also choose other file types for the investigation process. The output
might vary depending on the file types that you selected.
13. Select Target Folder window will appear. Navigate to the location where you want to save the
retrieved files (here, Desktop), create a folder named Retrieved Files and then click Open.

14. The application now displays the selected folder. Click OK.

15. To start the recovery process, click OK in the File Header Search on Linux_Evidence_001.img
window. This action will close the window and start recovering the files (with the specified file
types) from the image.
16. After the recovery process is complete, click OK in the File Recovery by Type pop-up window to
close the processing window.

17. To view the recovered files, open the destination folder (here, it is Retrieved Files on Desktop)
where you saved them.
18. This way, you can recover files from a forensic image using WinHex.
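WinHex’s File Recovery by Type works by scanning the raw image for known file headers and cutting out the bytes up to the matching footer, which is why it finds pictures that no longer have a directory entry. The following added example (not part of this handout or of WinHex) implements that header/footer carve for the Pictures group used above, with a hexdump helper that renders bytes the way a Hex View pane does; the evidence image, the embedded pictures and the truncated PNG are all constructed for the demo.

```python
# Signatures for the "Pictures" group: extension -> (header, footer).
# Header/footer carving is approximate: a real carver also validates structure.
SIGNATURES = {
    "gif": (b"GIF8", b";"),                                  # GIF87a/GIF89a ... trailer 0x3B
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),                   # SOI ... EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),        # signature ... IEND chunk + CRC
}


def carve_by_type(image, wanted=("gif", "jpg", "png"), max_size=10 * 1024 * 1024):
    """Scan raw image bytes and return [(ext, offset, data)] sorted by offset.

    A header with no footer within max_size is skipped: the file's end was
    overwritten, so the carver cannot know where it stops.
    """
    found = []
    for ext in wanted:
        header, footer = SIGNATURES[ext]
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # orphaned header: keep scanning past it
                continue
            end += len(footer)
            found.append((ext, start, image[start:end]))
            pos = end
    found.sort(key=lambda item: item[1])
    return found


def hexdump(data, width=16):
    """Render bytes like a Hex View pane: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def build_sample_image():
    """Constructed evidence image: file-system noise, an intact GIF, PNG and
    JPEG with no directory entries, and one PNG whose tail was overwritten."""
    gif = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00,"
           b"\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")   # 1x1 pixel GIF
    png = (b"\x89PNG\r\n\x1a\n"
           + b"\x00\x00\x00\rIHDR" + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00"
           + b"\x90wS\xde"                       # IHDR CRC (not validated by this carver)
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")  # IEND chunk: length 0, type, CRC
    jpg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
           + b"\x00" * 40 + b"\xff\xd9")
    truncated_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64   # no IEND: must NOT be carved
    noise = b"\x00" * 512 + b"NTFS metadata noise ....\n" * 8
    return (noise + gif + b"\x00" * 100 + png + b"slack" * 30 + jpg
            + b"\x00" * 64 + truncated_png + b"\x00" * 200)


if __name__ == "__main__":
    for ext, offset, data in carve_by_type(build_sample_image()):
        print(f"carved {ext} at offset {offset:#x}, {len(data)} bytes")
        print("\n".join(hexdump(data[:32])))
```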

Lab Analysis

Check recovered files that have been deleted from the hard disk. Investigate those recovered files
and document the results related to the lab exercise.

Lab 7: Investigating Email Crimes

The ease, speed, and relative anonymity of email have made it a powerful tool for criminals. Email
crime investigation involves the extraction, acquisition and analysis, and revival of email messages
related to any cybercrime and identification of its origin.

Lab Scenario

Emily had received an email stating that she had won a huge amount from a big company but that the
amount could be collected only after paying certain taxes. The email also had instructions along with
the account number to send the tax amount to as a precursor to receiving the cash prize. She
followed all instructions in the email and later came to know that it was a spoofed email, and
someone had scammed her.
To investigate email crimes as a forensic investigator, you must know how to examine the email
headers within an email message, trace the origin of a malicious email message, and extract or
recover deleted email messages using various email tracking and investigation tools.

Lab Objectives

The objective of this lab is to help you understand how to examine different components of an email
message and other responsibilities that include:
1. Extracting metadata from email headers
2. Finding the origin of a spoofed email message
3. Recovering deleted email messages

Lab Environment

To carry out the lab, you need:

1. A computer running a Windows Server 2016 virtual machine


2. A web browser with an internet connection
3. Administrative privileges to run the tools

Lab Duration

100 minutes

Overview of Investigating Email Crimes

Email crime investigation is primarily conducted to examine the content as well as the origin of any
email message that is found to be offending or suspected to be spoofed. Investigators need to use
different forensic tools to examine emails related to spamming, mail bombing/mail storms, spoofing,
phishing attacks, and email hijacking.

Lab Tasks
Recommended labs to assist you in investigating email crimes:

1. Investigating a Suspicious Email


2. Recovering Deleted Email Messages Using Recover My Email
3. Recovering Deleted Email Messages Using Paraben’s E3: Universal

Lab Analysis

Analyze and document the results related to the lab exercise. Give your expert opinion on email
crime.

Investigating a Suspicious Email

Investigating a suspicious e-mail message involves the analysis of its email headers to determine if it
is spoofed. It also involves determining the origin of the email message and checking the
validity/genuineness of the sender’s email address.

Lab Scenario

John Dove, a manager at a reputed hotel, received an email in the hotel’s official email account that
stated that the hotel’s Facebook account handle had been compromised and that the password to
the account needs to be reset in order to recover the account. The email contained a link and an
attachment in the form of a document that supposedly contained the instructions to reset the
password for the affected Facebook account. Panicked, John clicked on the link so he could follow
the instructions to reset the password for the hotel’s Facebook account and recover it.

As he went through the process, John realized that something was fishy about the Facebook page he
was interacting with on the screen. However, during this process, he also inadvertently parted with
the hotel’s confidential information. The hotel’s management soon learned that its key confidential
information was stolen and was being misused for malicious purposes. John reported his encounter
with the fishy email he received that stated itself to be from Facebook. Upon learning of the
incident, the hotel’s management sought the services of a cyber-forensics agency.

Investigator Johnson now has to analyze the suspicious email and find its origin.

Lab Objectives

The objective of this lab is to help you understand how to perform forensic investigation on
suspicious emails and how to analyze them.

Lab Environment
In this lab, you will need:

1. A computer running a Windows Server 2016 virtual machine


2. Administrative privileges to execute the commands
3. A web browser with internet access
4. SysTools EML Viewer for Windows

Note: You can download the latest version of SysTools EML Viewer from the link
https://www.systoolsgroup.com/eml-viewer.html

If you use the latest version of the software for this lab, then the steps and screenshots
demonstrated in the lab might differ.

Note: Make sure that Real Time Protection is disabled in the Windows 10 virtual machine (if it is
running) before beginning this lab.

Lab Duration

Time: 20 minutes

Overview of the Lab


This lab familiarizes you with the process of identifying a suspicious email and examining it in detail
to determine if it is spoofed.

Lab Tasks

1. Log in to Windows Server 2016 virtual machine.

2. In this lab exercise, you will investigate an email file named Suspicious Email Message, which is a
.eml file obtained from a Gmail account and will be provided to you.
3. However, in a real scenario as a forensic investigator, you will first have to identify and download
the suspicious email message that you want to investigate from the inbox of the suspect email
account.
4. Therefore, in this lab, we will first demonstrate how to identify a suspicious email message and
download it before proceeding with our investigation of the above-mentioned evidence file.
5. The below screenshot represents a suspicious-looking email message, which we shall examine
and download:

6. Upon examining the email message in the screenshot above, we find that there are multiple
suspicious elements in it:
A. At the very top, we find that the subject line is drafted in a manner that creates a sense of
urgency and panic in the recipient’s mind.

B. Then, we see that the sender’s name is shown as Facebook Accounts Team whereas the
sender’s email address is [email protected] (Facebook, on its part, never uses
personal email addresses to send emails to its users).

C. We also find that the email message contains a few spelling errors, which gives us the
impression of a poorly drafted email - a pattern that is generally found in phishing emails.

7. All the above findings are an indication toward the email being suspicious. Therefore, we shall
now download this email message for further examination.

8. To download the email message in Gmail, click on the icon representing More, and then click on
Download message from the drop-down. The email message will be downloaded as a .eml file.
We have named this downloaded .eml file Suspicious Email Message and this file will be
provided to you.
9. Now we shall look at a normal email message, as indicated through the screenshot below. The
email message shown below has been accessed from the same suspect email account from
which we had accessed the suspicious email.
10. Next, we will be examining and comparing the details of both the email messages (suspicious
and normal email message) so you can differentiate a spoofed email message from a genuine
one. We downloaded the above email message and saved it with the name Normal Email
Message, which will also be provided to you.
Note: In a real scenario as a forensic investigator, you will be downloading only the suspicious
email message for investigation. The normal-looking email message has been used only for the
demonstrative purpose of this lab, wherein we can show you what the details of a normal email
message look like by comparing them with those of a suspicious email message.
11. Next, to proceed with our investigation, we need to install the SysTools EML Viewer tool.
Therefore, navigate to its location and double-click the file eml-viewer.exe, and then follow the
wizard-driven instructions to complete the installation of the tool.
12. During the setup, when you see the Select Additional Tasks section, ensure that the Create a
desktop icon option is checked so that you also have the convenience of launching the tool from
a Desktop shortcut, if needed. Click Next.
13. As you complete the setup, you might see a SysTools web page appearing in the browser
window. Close the SysTools web page.

14. In the final step of the setup, ensure that the Launch SysTools EML Viewer option is checked and
then click Finish.

15. The main window of the SysTools EML Viewer tool will now open along with the Check for
Prerequisites window in which you will see that Access To File System is enabled by default.
Click OK to proceed further.

16. Next, in the main window of the application, we need to add our evidence file(s). To add the
evidence file(s), in the left pane of the application window, navigate to This PC→Local Disk
(C:)→CHFI-Tools→Evidence Files by expanding the corresponding nodes and then select the
EML Files folder under Evidence Files. Upon selecting the EML Files folder, the .eml files stored
within it will be listed in the right pane of the window as indicated in the screenshot below:

17. As seen in the screenshot above, the first .eml file is selected by default. Here, the first .eml file
corresponds to the Normal Email Message and the second .eml file corresponds to the
Suspicious Email Message that we had saved earlier from the suspect Gmail inbox.
18. The contents in the body of an email message can be viewed under the Mail tab in the lower
pane of the application window. Select the second .eml file (Suspicious Email Message file) to
view its body contents under the Mail tab, as indicated in the screenshot below (drag the margin
of the lower pane of the window up using the mouse cursor for a full view of the email’s
contents):

19. Now we shall examine the body of the suspicious email message in an HTML format to establish
whether the email message is genuine or malicious.
20. Therefore, ensure that the second .eml file (Suspicious Email Message file) is selected and then
click the HTML tab in the lower pane of the application window. The contents of the email
message body will now be displayed in an HTML format, as indicated in the screenshot below:

21. As seen in the screenshot above, in the last line under the HTML tab, we find that the href field
displays a private IP address (10.0.0.23) linked to Facebook’s URL for its Help Centre page. This
means that upon clicking the URL, the user will be redirected to some other page instead of
Facebook’s Help Centre page. Further, the URL containing the private IP address uses http
instead of https, which means that the communication will be insecure - an indication that the
page is unsafe. This strongly indicates email scamming.
Note: In HTML, the href attribute shows the URL of a particular web page that will open upon
clicking on a link.
22. Having found that the second email message (suspicious email message) is indicative of email
scamming, we shall now investigate its email headers and compare them with those of the
normal email message. Examining the email header information helps establish whether an
email message is genuine or spoofed. When using SysTools EML Viewer, all the email header
information pertaining to an email message is under the Message Header tab.

23. We will begin our investigation of email headers by examining the Message ID of Suspicious
Email Message and comparing it with that of the Normal Email Message.
24. Therefore, select the second .eml file (Suspicious Email Message file) and click on the Message
Header tab. Under this tab, you will find the Message ID of the selected email message. Upon
examining the Message ID, you can see that it reflects localhost after the @ symbol instead of
reflecting the fully qualified domain name as seen in the screenshot below:

25. The presence of localhost after the @ symbol in the Message ID as seen in the screenshot above
is a key indicator that the email message is spoofed. If the email message were genuine, the
Message ID would have shown the fully qualified domain name (i.e., mail.gmail.com) instead of
showing localhost since the sender’s email address is a Gmail address
([email protected]).
26. Now select the first .eml file (Normal Email Message file) and click the Message Header tab.
Scroll down under this tab to find the Message ID for the selected .eml file. You will find that the
Message ID of the normal email message reflects the fully qualified domain name (i.e.,
mail.gmail.com) after the @ symbol as seen in the screenshot below.
27. From the above screenshot, we can infer that the presence of the fully qualified domain name
(i.e., mail.gmail.com) after the @ symbol in the Message ID is an indicator of the email being
genuine. This is consistent with the sender’s email address ([email protected]).
Note: In the above case, mail.gmail.com is the domain name as we are discussing an email
received from a Gmail account. The domain names will vary for different email service
providers.
28. Now we will examine the Received headers of both email messages.

29. Therefore, first select the second .eml file (Suspicious Email Message file). Under the Message
Header tab, you will see that the Received header field shows localhost in place of the domain
name, beside the associated IP address from which the email message originated, as shown in
the screenshot below:

30. As seen in the screenshot above, the presence of localhost instead of the domain name from
which the email originated in the Received header field is another indicator that the email
message is spoofed. If it were genuine, then the Received header field would reflect the domain
name from which the email message originated instead of reflecting localhost.
31. Now select the first .eml file (Normal Email Message file) and under the Message Header tab,
you will see that the Received header field displays the domain name (mail-sor-f41.google.com)
and the associated IP address from which the email message originated, as shown in the
screenshot below.
32. From the screenshot above, we can infer that the presence of the domain name (i.e., mail-sor-
f41.google.com) in the Received header field is an indicator that the email is genuine.
33. We will now examine the Received-SPF field in both email messages.
34. First select the second .eml file (Suspicious Email Message file) and scroll down under the
Message Header tab to find the Received-SPF field. In this field, you will notice the occurrence
of a softfail along with a message that reads [email protected] does not designate
93.99.104.21 as permitted sender, as seen in the screenshot below:
35. For the selected email message above, the occurrence of a softfail along with the message
specified above means that IP address 93.99.104.21 is not authorized by the domain (here,
gmail.com) to send any emails on its behalf. This is another indication of the email message
being spoofed.
36. Now select the first .eml file (Normal Email Message file). Under the Message Header tab,
locate the Received-SPF field where you will see the occurrence of a pass along with a message
that reads domain of [email protected] designates 209.85.220.41 as permitted sender,
as shown in the screenshot below:
37. For the selected email message above, the occurrence of a pass along with the message
specified above means that the IP address 209.85.220.41 is authorized by the domain (here,
gmail.com) to send emails on its behalf. This means that any email message received from
[email protected] is genuine.
38. Now we shall see how to preview the malicious attachment that has been received through the
spoofed email message. To preview the attachment, select the suspicious email message
(second .eml file listed in the application window) and then click on the Attachments tab. The
application will then show a preview of the attachment’s contents in the lower right section of
the window, as indicated in the screenshot below:
Note: In this lab, we are covering only the aspect of how to preview the contents of a malicious
attachment within a spoofed email message. The aspect of analyzing a malicious email
attachment is covered in Malware Forensics.
39. Now that we have investigated the critical elements within the spoofed email message, we shall
probe its originating IP address on whatismyipaddress.com to determine its geographic origin
and the entity that sent it.

40. Launch a browser, type https://whatismyipaddress.com/ip-lookup in the address bar and press
Enter. You will land on the whatismyipaddress.com/ip-lookup webpage where you will find the
Get IP Details field. Type the IP address 93.99.104.21 in the field and then click on the Get IP
Details button, as indicated in the screenshot below:
41. You will now be redirected to the next page where you will see details pertaining to the IP
address 93.99.104.21. As seen in the screenshot below, the IP address is registered with the
hostname 93.99.104.21.net.upc.cz for an organization named Liberty Global, which is
geographically located in Czechia, Europe.

Note: The hostname and/or organization name might vary in your lab environment.
Note: The IP address 93.99.104.21 has been shown only for the demonstrative and educational
purposes of this lab. Do not try to go beyond whois lookups on this IP.
42. Now we shall check the suspect email ID’s validity using an online tool named Email Dossier.
43. To do so, type https://centralops.net/co/EmailDossier.aspx in the browser address bar and
press Enter. Email Dossier’s homepage appears where you will see the email address field. Type
the suspect email ID, i.e., [email protected] in the email address field and then click
go as indicated in the following screenshot:
44. You will now be redirected to the next page, where you will see the validation result pertaining
to [email protected].

45. From the above finding, we can infer that the email address [email protected] is
valid. However, since it has been used to send a spoofed email message, we can interpret the
finding as follows:
1. The specified email address may have been created by the attacker himself to send a
spoofed email message; Or,

2. The specified email address may belong to a genuine user but has been compromised by the
attacker to send the spoofed email message.
46. Thus, in this manner, you can investigate a suspicious email, determine if it is spoofed, and find
its origin.
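The checks that steps 39 to 46 perform by hand on a suspect message, as an added Python example that is not part of the lab: it pulls the originating IP from the Received chain (the value you would then submit to the IP lookup in step 40) and flags a From/Return-Path domain mismatch and an SPF failure as spoofing indicators. The sample headers, the addresses and the documentation-range relay IP 198.51.100.7 are constructed for this example; only 93.99.104.21 is the lab's own value.

```python
"""Spoofed-email triage on raw headers (added example, not lab material)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: addresses and relay IP are made up.
SAMPLE_EML = """\
Return-Path: <attacker@mailer.example>
Received: from mx.example.org ([198.51.100.7]) by mail.victim.example
    with ESMTP id abc123; Mon, 3 Jun 2019 10:15:02 +0000
Received: from [93.99.104.21] (93.99.104.21.net.upc.cz [93.99.104.21])
    by mx.example.org with SMTP; Mon, 3 Jun 2019 10:14:58 +0000
Authentication-Results: mail.victim.example; spf=fail smtp.mailfrom=attacker@mailer.example
From: "Bank Support" <support@bank.example>
To: user@victim.example
Subject: Urgent account verification

Please verify your account.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_ips(msg):
    """First IPv4 literal in each Received header, in header order (newest hop first)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4.search(hdr)
        ips.append(m.group(1) if m else None)
    return ips


def originating_ip(msg):
    """Each relay prepends its Received line, so the last one is the first hop (origin)."""
    ips = received_ips(msg)
    return ips[-1] if ips else None


def domain_of(addr):
    """Domain part of an address such as '"Name" <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def spoof_indicators(raw):
    """Return the origin IP plus the sender/SPF mismatches an investigator looks for."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    spf = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    return {
        "origin_ip": originating_ip(msg),           # value to submit to an IP lookup
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "envelope_mismatch": bool(rp_dom) and rp_dom != from_dom,
        "spf_result": spf.group(1) if spf else "none",
    }
```

A mismatch between the From and Return-Path domains together with spf=fail is the header-level evidence that supports the inference drawn in step 45.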

Lab Analysis
Investigate a suspicious email and document the results related to the lab exercise. Give your
expert opinion on the suspicious email.
Lab 07: Recovering Deleted Email Messages Using Recover My Email
Cybercriminals often delete email messages after committing a crime to avoid being tracked.
Investigators can use tools such as Recover My Email, which can retrieve deleted email messages
from either Microsoft Outlook PST files or Microsoft Outlook Express DBX files.

Lab Scenario
Daniel is a web expert and part of a group that hacks others' accounts for monetary benefits.
Daniel was a suspect in a case wherein the attacker used email attachments to send malware
to the victim that could copy the user's passwords and other private details and send them to
the sender. However, when Robert, the forensic investigator dealing with this case, checked
Daniel's system, he did not find any incriminating emails. Robert suspected that Daniel might
have already deleted those emails. Robert now has to use the right forensic tool to retrieve the
deleted email messages, if any, and examine them.

Lab Objectives
The objective of this lab is to help investigators understand how to recover deleted email
messages and attachments.

Lab Environment
For this lab, you will need:
1. A computer running Windows Server 2016
2. Administrative privileges to execute the commands
3. A web browser with internet access
4. Recover My Email tool

Note: You can also download the latest version of Recover My Email from the link
http://www.recovermyemail.com/inbox-repair-tool-download.php

If you are willing to use the latest version of software for the lab, the steps and screenshots
shown in the lab might differ.
Note: Make sure that Real Time Protection is disabled in the Windows 10 virtual machine (if it is
running) before beginning this lab.

Lab Duration

30 minutes

Overview of the Lab

This lab familiarizes you with the process of recovering deleted or lost emails with the help of
the Recover My Email tool.

Lab Tasks

1. Log on to the Windows Server 2016 virtual machine.

2. In this lab, we will examine Microsoft Outlook database files for deleted emails.
3. Navigate to the tool
4. Double-click RecoverMyEmail-Setup.exe to launch the setup for Recover My Email
application and follow the wizard-driven instructions to complete its installation.
Note: If an Open File - Security Warning pop-up appears, click Run.
Note: If a License Agreement appears, select I accept the agreement and select Next.
5. While installing the application, in the Select Additional Tasks section, ensure to check the
Create a desktop icon option so that you have the convenience of launching the application
using the Desktop shortcut, if needed. Click Next.

6. In the last step of the installation, ensure that the Launch Recover My Email option is
checked and then click the Finish button.

7. The Recover My Email main window appears along with Tip of the Day pop-up, as shown in
the screenshot below. Click the Close button to close the pop-up window.
8. Click the Open Email File button to be able to upload the required evidence file.

Note: If you see a Microsoft Office Outlook pop-up stating the absence of a default email
client, select OK to close it and click the Open Email File button again to proceed.
9. An Open window will appear; navigate to select the target 1.pst file, and then click Open.

10. The Recover My Email application will now scan the selected .pst email file and fetch and
display the results in the left pane of the window.
11. To see the emails that have been recovered, click Recovered Messages under the Folder
View tab in the left pane of the application window. The application will now display the list
of recovered email messages in the right pane of the window. Here, details such as the
Subject of the emails, their Received date and time, etc. will be shown.

12. To view the content(s) of a particular recovered email message, we need to search
the All Mail folder using the recipient address and subject line of the email message as
shown in the Recovered Messages folder. To perform this search operation, first click the
Search button at the top, as indicated in the screenshot below:
13. A Recover My Email window will appear where you need to select the options that you want
to use as filters to search through the email messages and locate the desired email message.
14. In this lab, we are selecting By To: (this field will include a recipient’s email ID) and By
Subject: (this will include the subject line) options as our filtering criteria.
15. We will provide the input as martinsmith6 in the By To: field and as Hi in the By Subject:
field (we have already seen the terms that match our search filters in the screenshots above
in the recipient’s (To) email address and the Subject columns, respectively). After specifying
the input in these fields, click OK.
Note: In a real scenario, you will be applying search filters depending on the email addresses
and the Subject lines seen during the investigation.
16. Now click the All Mail folder option in the left pane of the window. The application will
display the list of emails matching your search criteria in the right pane, as indicated in the
screenshot below. In a real scenario, if you see more than one result, then make your search
more specific by including other details such as file size, dates, etc., in the search operation.
17. To see the actual content(s) of the email in the bottom pane of the window, click on it as
indicated in the screenshot below:

18. To see the attachments, if any, click the file name of the attachment listed under the
Attachments tab in the left pane of the window. This operation will display the attachment’s
content(s) in the Data Viewer pane. In the screenshot below, we have selected the
attachment file named animals.jpg under the Attachments tab:
19. To save the recovered emails, select the email(s) you want to save (A) and click the Save
Message(s) as PST (B) button at the top.

20. Select the format in which you want to save the email from the drop-down list that
appears upon clicking the Save Message(s) button.

Note: The trial version of the tool does not allow users to save the recovered messages. If
you want to save the files, you need to buy the product activation key from the vendor.

Lab Analysis
Analyze the deleted messages after recovery and document the results related to the lab
exercise. Give your expert opinion on the suspicious email.

Lab 08. Recovering Deleted Email Messages Using Paraben’s E3: Universal
Retrieval of deleted email messages is a key component of email forensics. Investigators can
use tools such as E3: Universal by Paraben Corporation, which can recover email messages
and attachments from a wide variety of email archives.
Lab Scenario
A brokerage firm has filed a complaint with the district authorities stating that one of its
employees has been sharing its trade secrets as well as contract information with its
rivals through e-mails. The firm, though aware of the suspect employee's activities, could not
prove her guilt due to the lack of evidence on the emails she was sending out to the rivals. This
was because she had been deleting all the emails she sent, and the responses she received, in
order to evade detection.
The court of law has now ordered a probe, which includes scanning of individual devices for
emails containing suspicious information. Jason, the forensic investigator, is now assigned
with the task of recovering the deleted emails to find out what information has been leaked
out of the firm and to prove the suspect’s crime and guilt.

Lab Objectives
The objective of this lab is to help investigators understand how to investigate
cyber-crimes wherein emails have been deleted, and how to retrieve those emails using tools
such as Paraben's E3: Universal.

Lab Environment
1. A computer running a Windows Server 2016 virtual machine
2. Administrative privileges to install and run the tools
3. A web browser with internet access
4. Paraben’s E3: Universal installed on the virtual machine

Note: You can download the latest version of Paraben’s E3: Universal from the link
https://paraben.com/dfir-tools-trial/

Explore the page https://paraben.com/e3-trial-sample-files/ on Paraben's official website for
options and instructions on signing up for the Paraben's E3 trial setup.

If you download the latest version of Paraben’s E3 and use it for examination, then the
screenshots shown in this lab might differ.

Note: Make sure that Real Time Protection is disabled in the Windows 10 virtual machine (if it
is running) before beginning this lab.

Lab Duration

30 minutes

Overview of the Lab

This lab familiarizes you with the process of search and retrieval of deleted emails using
Paraben’s E3: Universal.

Lab Tasks

1. Log in to the Windows Server 2016 virtual machine.

Note: Make sure that you have an active internet connection throughout the lab.
Note: Make sure you sign up for the trial edition of the E3 platform at
https://paraben.com/dfir-tools-trial/, download the tool, and communicate with the
Paraben team in order to obtain a license for activation.
Note: Before starting the lab, create a folder named Email Crime Investigation on the
Desktop. This folder is where we will save our case as we proceed with the investigation.
2. Launch Paraben’s E3 using the same process as demonstrated in that lab.
3. Before the tool launches, you will be asked to enter your Login ID and Password that you
have used to sign up for the trial version.
4. Enter the credentials and click the Connect button.

5. Paraben’s E3 main window appears along with a Paraben’s E3 pop-up. Close the pop-
up.

6. Before starting an investigation, you should create a new case by clicking on CASE in the
menu bar and then clicking on the Create New Case button.
7. A New Case window appears that displays the Welcome section. Click Next to go to Case
Properties section.

8. In the Case Properties section, fill the Case name and Description fields with the
appropriate information. In this lab, we are entering the Case name as E-Mail Crime
Investigation 1 and Description as Investigating email crime. Click the Next button to go
to Additional Information section.

9. In the Additional Information section, fill the required fields and click the Finish button.
You may also enter your name in these fields.
Note: This section is optional and can be filled later.

10. After clicking Finish, a New case creation window will appear. Navigate to Desktop,
select the Email Crime Investigation folder, then click Open. Next, upon entering the
Email Crime Investigation folder, click Save to save our case in this location.
Note: You may also choose any other location to save the case.
11. Next, the Add New Evidence window will appear. Here, select E-mail Database under
the Category section in the left pane of the window, then select MS Outlook database
under the Source type section in the right pane of the window, and then Click OK.
12. An Open window will appear. Navigate to and select the file target 1.pst, and click Open.

13. A pop-up will appear where you can enter a new name for the selected evidence file.
Enter a name according to your preference or retain the default name (here, we have
retained the default name). Click OK.

14. Next, an MS Outlook Database Settings pop-up will appear with two options:
1. Raw Mode: Select this option to display all database content, including system,
orphaned, and deleted items.
2. Scan database for deleted messages (slows down opening): Select this option to
find and recover deleted messages in the database. This can take longer than
the above option.

Here, we are selecting Scan database for deleted messages (slows down opening).
After selecting the desired mode, click the OK button.

15. In the main window of the tool, you will now see the case name E-mail Crime
Investigation 1 listed under Items in the left pane of the window below the Case
Content tab. Right-click on it and select Content Analysis from the context menu. From the
subsequent dropdown, select the Content Analysis option to open the Content Analysis
Wizard.

16. The Content Analysis Wizard first displays the General Options section. Check all the
options in this section and click the Next button.
17. In the Data analyzing options section that appears next, check E-Mail databases under
Recursive data analysis in option and also check Include files of undetected format
under Sorting option. Click Next.
18. In the Advanced options section that appears next, leave the settings as set to default
and click the Finish button.

Note: If you see a Task Status Notification pop-up, click OK to close it.
19. In the left pane of the main window of the application, expand the node for E-Mail
Crime Investigation 1 to find target 1; then expand the node for target 1 and also
expand the node for Outlook Personal Storage to find Top of Outlook data file.

20. To view the contents of the email, you need to check the folders under Top of Outlook
data file. Therefore, expand the node for Top of Outlook data file to find the various
email folders under it.
21. Here, we will examine the email contents present in the Inbox folder. Click on the Inbox
folder. In the middle pane of the E3 main window, you can now find a list of received
emails, which also includes deleted emails (the red-colored cross (x) mark stamped on
an email indicates that it is a deleted email).
22. Select any email (here, we have selected the first deleted email) to view its contents
under the E-mail Data section and the additional information pertaining to it under the
Properties section.

23. You can view the contents of the selected message in five formats: RFC Header, Text,
RTF, HTML, and Raw HTML. To view the message in the required format, click the
corresponding tab at the bottom of the E-mail Data pane.
24. To examine whether the email message has any attachments, click on the Attachments
icon, which you will find upon clicking on the small forward arrow icon in the bottom-
right corner of the E-mail Data section as indicated in the screenshot below:
Note: As indicated in the screenshot, there are no attachments to be retrieved from the
selected email message. In case any attachments are present in the emails, then
Paraben’s E3: Universal can retrieve them when you click on the Attachments option and
the data pertaining to deleted content can be seen in the Properties pane.
25. In this manner, you can recover deleted email messages using Paraben’s E3 utility.

Lab Analysis
Analyze the findings and document the results related to the lab exercise. Give your
expert opinion on the investigation performed for the retrieval of deleted email
messages.
