
21CS3259R – DIGITAL FORENSICS

SKILLING WORKBOOK

TEAM CS
KONERU LAKSHMAIAH EDUCATION FOUNDATION | DIGITAL FORENSICS – 21CS3259R

Dr. N. RAMA RAO


Table of Contents

1. Analysis of Browser History, Cache & Cookies + Event Log
2. Software Write Block
3. File System Identification
4. Recovering Files from Forensic Images
5. Data Artifacts in Registry
6. Evidence Integrity
7. File Analysis – Signature and Metadata
8. Email Analysis
9. Prefetch Files
10. Password Forensics
11. Network Traffic
12. Mobile Forensics



2023-24 EVEN SEMESTER LAB CONTINUOUS EVALUATION


DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
SUBJECT CODE: 21CS3259R
DIGITAL FORENSICS WORKBOOK

1. Analysis of Browser History, Cache & Cookies + Event Log

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and implement the concept of data extraction.
• To understand and implement the concept of information extraction.

Analysis of Web Browser Cache -

Task: Extract the details of all cache files stored by the Web browser.

ChromeCacheView extracts the details of all cache files stored by Google Chrome Web browser.

❖ To extract the cache information of the Chrome Web browser from an external drive:
❖ From the user interface: go to File -> Select Cache Folder (F9) and choose the Chrome cache folder on the external disk.
❖ From the command line: use the -folder command-line parameter to specify the cache folder on the external drive, for example:
  ChromeCacheView.exe -folder "c:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache"

❖ Visit this link for the software: http://bit.ly/digital_forensics



Analysis of Cookies stored in browser -

Task: List all cookies stored by the Web browser.

ChromeCookiesView is an alternative to the standard internal cookies viewer of the Google Chrome Web browser. It displays the list of all cookies stored by Google Chrome, allows you to easily delete unwanted cookies, and can export the cookies to a text/csv/html/xml file.

For every cookie, the following information is displayed: Host Name, Path, Name, Value, Secure (Yes/No), HTTP Only Cookie (Yes/No), Last Accessed Time, Creation Time, Expiration Time.

Visit this link for the software: http://bit.ly/digital_forensics



Analysis of Event Log -

Task: Display the details of all events from the Windows event log.

FullEventLogView displays the details of all events from the Windows event log, including the event description. You can load multiple event log files and view all of them in a single table. To view events from an external drive, open the 'Choose Data Source' window (F7), select the 'Load events from external folder with log files' option and then type the path of the event logs folder (e.g. c:\Windows\system32\winevt\Logs).

Visit this link for the software: http://bit.ly/digital_forensics

1. Go to the above link, download the archive named Digital forensics skill 1.rar and extract it.
2. You will find the Analyze FullEventLogView folder.
3. Run the exe named FullEventLogView.
4. You will then get the details of all events from the Windows event log.
Analysis of Browser History -

Task: Display the browsing history of Web browsers in one table. The result should include the following information: Visited URL, Title, Visit Time, Visit Count, Web browser and User Profile.

BrowsingHistoryView is a utility that reads the history data of 4 different Web browsers (Internet Explorer, Mozilla Firefox, Google Chrome, and Safari) and displays the browsing history of all these Web browsers in one table. BrowsingHistoryView allows you to view the browsing history of all user profiles on a running system, as well as to get the browsing history from an external hard drive.

Visit this link for the software: http://bit.ly/digital_forensics



(For Evaluator’s use only)

Comment of the Evaluator (if any):
Evaluator’s Observation:
Marks Secured: ____ out of ____
Full Name of the Evaluator:
Signature of the Evaluator:
Date of Evaluation:



2. Software Write Block

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and implement the concept of software write blockers.
• To understand and implement the concept of regedit.
Task: Modify the Windows Registry to prevent data from being written to a USB storage device.



3. File System Identification

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and implement the concept of File System Identification.
• To analyse the partition table within the forensic image.
Task: “Identify the file systems of forensic images with fsstat, which is included with The Sleuth Kit”.

Instructions:
Download The Sleuth Kit using the following URL:
https://drive.google.com/open?id=1XM2Df-NZuDEH80E-MrejRNF6auyP9I8K
Download the forensic image files using the following URL:
https://drive.google.com/open?id=1kv_lJTvv17YeI_Z8wIARDbecKNfolZtG

1. For drive1.E01, what is:

a. The File System?
Ans: FAT32
b. With which operating system is this file system likely used?
Ans: It works in all Windows operating systems.
c. The volume ID or serial number?
Ans: 0x1881387d
d. The volume label or name?
Ans: NO NAME
e. The sector or inode size?
Ans: Sector Size: 512
f. The cluster or block size?
Ans: Cluster Size: 4096

2. For drive2.E01, what is:

a. The File System?
Ans: Ext4
b. With which operating system is this file system likely used?
Ans: Linux
c. The volume ID or serial number?
Ans: Volume ID: e018ba1739a539b4a941a806e678b8a2
d. The volume label or name?
Ans: no name
e. The sector or inode size?
Ans: Inode Size: 256
f. The cluster or block size?
Ans: Block Size: 4096

3. For drive3.E01, what is:

a. The File System?
b. With which operating system is this file system likely used?
c. The volume ID or serial number?
d. The volume label or name?
e. The sector or inode size?
f. The cluster or block size?

4. For drive4.E01, what is:

a. The File System?
Ans: NTFS
b. With which operating system is this file system likely used?
Ans: Windows XP
c. The volume ID or serial number?
Ans: Volume Serial Number: 5CD233B1D2338E70
d. The volume label or name?
Ans: NO NAME
e. The sector or inode size?
Ans: Sector Size: 512
f. The cluster or block size?
Ans: Cluster Size: 4096

5. For drive5.E01, what is:

a. The File System?
Ans: File System Type: exFAT
b. With which operating system is this file system likely used?
Ans: Windows
c. The volume ID or serial number?
Ans: Volume Serial Number: 9cc1-6dbd
d. The volume label or name?
Ans: no name
e. The sector or inode size?
Ans: Sector Size: 512
f. The cluster or block size?
Ans: Cluster Size: 32768
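The fields fsstat reports come straight from the volume's boot sector (FAT32, NTFS, exFAT) or superblock (ext2/3/4). The following is an added example, not code from the workbook or The Sleuth Kit: a minimal identifier that reads those on-disk structures from the raw bytes of a volume (a dd image or the partition extracted from the E01), with constructed boot sectors whose values mirror the drive1, drive2 and drive5 answers above.

```python
import struct


def identify_fs(img: bytes) -> dict:
    """Identify a volume's file system from its first sectors and return the fields
    fsstat prints: type, sector/inode size, cluster/block size, volume ID/serial, label.
    `img` is the raw start of the volume, not the E01 container."""
    oem = img[3:11]
    if oem == b"NTFS    ":
        bps = struct.unpack_from("<H", img, 11)[0]      # bytes per sector
        spc = img[13]                                   # sectors per cluster
        serial = struct.unpack_from("<Q", img, 72)[0]   # 8-byte volume serial
        # NTFS keeps the volume label in the $Volume metadata file, not in the boot sector.
        return {"type": "NTFS", "sector_size": bps, "cluster_size": bps * spc,
                "volume_id": f"{serial:016X}", "label": None}
    if oem == b"EXFAT   ":
        bps = 1 << img[108]                             # BytesPerSectorShift
        spc = 1 << img[109]                             # SectorsPerClusterShift
        serial = struct.unpack_from("<I", img, 100)[0]
        return {"type": "exFAT", "sector_size": bps, "cluster_size": bps * spc,
                "volume_id": f"{serial >> 16:04x}-{serial & 0xFFFF:04x}", "label": None}
    if img[82:90] == b"FAT32   ":
        bps = struct.unpack_from("<H", img, 11)[0]
        spc = img[13]
        vol_id = struct.unpack_from("<I", img, 67)[0]   # 4-byte volume ID
        label = img[71:82].decode("ascii", "replace").rstrip()
        return {"type": "FAT32", "sector_size": bps, "cluster_size": bps * spc,
                "volume_id": f"0x{vol_id:08x}", "label": label}
    if len(img) >= 2048 and struct.unpack_from("<H", img, 1024 + 56)[0] == 0xEF53:
        sb = img[1024:2048]                             # ext superblock sits at byte 1024
        block_size = 1024 << struct.unpack_from("<I", sb, 24)[0]
        inode_size = struct.unpack_from("<H", sb, 88)[0]
        incompat = struct.unpack_from("<I", sb, 96)[0]
        label = sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace")
        # The INCOMPAT_EXTENTS feature flag (0x40) is what distinguishes ext4 from ext2/3.
        return {"type": "Ext4" if incompat & 0x40 else "Ext2/3",
                "inode_size": inode_size, "block_size": block_size,
                "volume_id": sb[104:120].hex(), "label": label or None}
    return {"type": "unknown"}


def fat32_sample() -> bytes:
    """Constructed boot sector carrying the values fsstat reported for drive1.E01."""
    b = bytearray(512)
    b[3:11] = b"MSWIN4.1"
    struct.pack_into("<H", b, 11, 512)
    b[13] = 8
    b[66] = 0x29                                    # extended boot signature: ID/label valid
    struct.pack_into("<I", b, 67, 0x1881387D)
    b[71:82] = b"NO NAME    "
    b[82:90] = b"FAT32   "
    b[510:512] = b"\x55\xAA"
    return bytes(b)


def exfat_sample() -> bytes:
    """Constructed exFAT boot sector matching the drive5.E01 answers."""
    b = bytearray(512)
    b[3:11] = b"EXFAT   "
    struct.pack_into("<I", b, 100, 0x9CC16DBD)
    b[108], b[109] = 9, 6                           # 512-byte sectors, 64 sectors per cluster
    return bytes(b)


def ext4_sample() -> bytes:
    """Constructed 2 KiB image whose superblock matches the drive2.E01 answers."""
    img = bytearray(2048)
    sb = 1024
    struct.pack_into("<I", img, sb + 24, 2)         # log_block_size: 1024 << 2 = 4096
    struct.pack_into("<H", img, sb + 56, 0xEF53)    # magic
    struct.pack_into("<H", img, sb + 88, 256)       # inode size
    struct.pack_into("<I", img, sb + 96, 0x40)      # INCOMPAT_EXTENTS
    img[sb + 104:sb + 120] = bytes.fromhex("e018ba1739a539b4a941a806e678b8a2")
    return bytes(img)


if __name__ == "__main__":
    for sample in (fat32_sample, exfat_sample, ext4_sample):
        print(identify_fs(sample()))
```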



4. Recovering Files from Forensic Images

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and implement the concept of File Recovery.
• To analyse the partition table within the forensic image.

Task 1: Recovering Files from Forensic Images with FTK Imager

Tools:
Product: FTK Imager
Manufacturer: AccessData Group, Inc.
Web site: http://accessdata.com/product-download

Additional Resources:
drive2.E01 : https://tinyurl.com/DiFSkill
Task 2: Recover files from a forensic image with Autopsy

Tools:
Product: Autopsy
Manufacturer: Brian Carrier
Web site: http://www.sleuthkit.org/autopsy/download.php

Additional Resources:
drive2.E01 : https://tinyurl.com/DiFSkil



5. Data Artifacts in Registry

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and implement the concept of analysing system usage data.
• To analyse the Registry in Windows OS.

Aside from containing configuration settings for a Windows-based system, the Windows Registry contains a wealth of data pertaining to system usage. Since manipulating the Registry is something the typical computer user does not do, the data found in the Registry is considered inherently more reliable (although not perfect) compared to user data files.

On Windows computer systems with large storage capacities, some investigators find examining the Registry to be an effective triage, because it is easier to recover all of the Registry files and focus on them rather than performing a physical acquisition of a multi-terabyte drive.

Task 1: Read an offline Registry file with Regedit.

Additional Resources:

RegistryFiles-1.zip : https://tinyurl.com/DiFSkill

Q1. What is the name of the Windows product?

Ans: Microsoft windows XP

Q2. What is the product ID number?

Ans:

Q3. In what directory on the system is the operating system running?

Ans: C:/WINDOWS




6. Evidence Integrity

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and implement the concept of evidence integrity.
• To analyse the hashes of files.

Forensic examiners use the analogy that a hash is like a digital fingerprint: no two files should have the same hash.
Hashing is typically performed for one of three purposes:
1. To uniquely identify a file.
2. To compare two files against each other to show whether or not they are identical copies.
3. To search through a list of files to identify known files, e.g., searching through a list of files using hashes of known contraband or known “good” files, i.e., previously verified and hashed operating system files.

Task 1: Calculate hashes of files and compare the hashes.

Tools:
Product: HashCalc
Manufacturer: SlavaSoft
Web site: http://www.slavasoft.com/hashcalc/

Additional Resources:
File_Hashing_1.zip : https://tinyurl.com/DiFSkill

Q1. What is the MD5 hash of Image1.jpg?
Ans: 71800aa19a191caf813397386f66573b

Q2. On the desktop, rename Image1.jpg to “kluniversity.jpg.” What is the hash value of the file?
Ans: 078bae59af4752e670d8f6acf49d64df78c766b2

Q3. What is the SHA1 hash of Image2.jpg?
Ans: 078bae59af4752e670d8f6acf49d64df78c766b2

Q4. What is the CRC32 hash of Image3.jpg?
Ans: dcf764ab
Task 2: Calculate hashes of a folder’s contents and search the folder for a known hash value.

Tools:
Product: HashMyFiles
Manufacturer: NirSoft
Web site: http://www.nirsoft.net/utils/hash_my_files.html

Additional Resources:
File_Hashing_2.zip : https://tinyurl.com/DiFSkill
File_Hashing_3.zip : https://tinyurl.com/DiFSkill

Q1. How many files were hashed from File_Hash_3?
Ans: 28

Q2. Which file matches the hash ‘b638b9a62b9623babaa28af46e0f7409’?
Ans: File hashing 15.docx

Q3. Which files have the hash 1db3c94e386cc8a3cdd8bfffc084f1fa?
Ans: File-Hashing-2.jpg

Q4. Which files have the hash a26337b5c811c0ea3d5f1a228495984a30c7c75f?
Ans: File-Hashing-16.docx
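The three purposes of hashing listed at the start of this section, and the folder search of Task 2, can be done without a GUI tool. This added example (not code from the workbook, HashCalc or HashMyFiles) streams each file through MD5, SHA-1 and CRC32, hashes a folder recursively and looks a known hash up in the result; the sample files are constructed in a temporary folder, and the renamed copy shows that a file's name has no effect on its hash.

```python
import hashlib
import os
import shutil
import tempfile
import zlib


def hash_file(path: str) -> dict:
    """MD5, SHA-1 and CRC32 of one file, streamed so large evidence files are never read whole."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "crc32": f"{crc & 0xFFFFFFFF:08x}"}


def hash_folder(folder: str) -> dict:
    """Hash every file under `folder` (recursively); keys are paths relative to the folder."""
    index = {}
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            full = os.path.join(root, name)
            index[os.path.relpath(full, folder)] = hash_file(full)
    return index


def find_by_hash(index: dict, wanted: str) -> list:
    """Files whose MD5, SHA-1 or CRC32 equals `wanted` (case-insensitive): a known-hash search."""
    wanted = wanted.lower()
    return sorted(path for path, h in index.items() if wanted in h.values())


def demo() -> dict:
    """Constructed folder: Image1.jpg, a renamed copy of it, and an unrelated third file."""
    folder = tempfile.mkdtemp()
    try:
        with open(os.path.join(folder, "Image1.jpg"), "wb") as f:
            f.write(b"hello")                    # constructed content, not a real JPEG
        shutil.copy(os.path.join(folder, "Image1.jpg"), os.path.join(folder, "kluniversity.jpg"))
        with open(os.path.join(folder, "Image3.jpg"), "wb") as f:
            f.write(b"hello!")
        index = hash_folder(folder)
        return {
            "count": len(index),
            "image1": index["Image1.jpg"],
            # Renaming changes only the directory entry; the content, and so the hash, is unchanged.
            "rename_preserves_hash": index["Image1.jpg"] == index["kluniversity.jpg"],
            # Search for a known MD5 (here the MD5 of the constructed content "hello").
            "matches_known": find_by_hash(index, "5D41402ABC4B2A76B9719D911017C592"),
        }
    finally:
        shutil.rmtree(folder)


if __name__ == "__main__":
    print(demo())
```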


7. File Analysis – Signature and Metadata

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and implement the concept of file analysis.
• To understand and implement the concept of file signatures.
• To analyse the metadata within Microsoft Office Word files.

File Signatures -
File signatures, also called “Magic Numbers,” are embedded within a file’s header and are used to identify a file’s type. Some operating systems rely on file signatures to associate a data file with the application that can be used to open and modify the file. Others, such as Windows, do not rely on file signatures; Windows relies on a file’s extension instead. The issue with this convention is that a file’s name and extension may not be available during an investigation, e.g., the name of the file is corrupt and unreadable, or a user changed a file extension intentionally or unintentionally. As a result, the true nature of a file may be obscured. File signature analysis is the process of comparing a file’s signature with its file extension.

File Metadata -
When analyzing files recovered from a piece of media, it is important to examine more than just the contents, i.e., the visible body of the file, itself. Frequently, when a file is saved to a piece of media, additional data is saved. This data describes the file in question and it can be extremely valuable. This "data about data" is frequently called metadata. The most commonly analyzed metadata includes filenames, timestamps, and file ownership. When metadata is created automatically and stored in a location which cannot typically be modified by the user, the metadata has inherent reliability.

User files frequently contain metadata within the files, but the user typically does not see or alter this information. This information is often stored in the file’s header or in the file’s footer.
Task 1: You will examine several files to determine their signatures and then look up those values online to determine the file’s type.

Tools:
Product: WinHex
Manufacturer: X-Ways
Web site: http://www.x-ways.net/winhex/

Additional Resources:
File_Signature-Examples.zip : https://tinyurl.com/DiFSkill

Q1. What is the file signature and the file extension associated with the signature of File1? Write its description.

Ans: For the first file we got 50 4B 03 04. This code represents a zip file, so File1 is a zipped file.

Q2. What is the file signature and the file extension associated with the signature of File2? Write its description.

Ans: Here the code D0 CF 11 E0 represents an Excel sheet file, .xlsx.

Q3. What is the file signature and the file extension associated with the signature of File3? Write its description.

Ans: The code generated here is 25 50 44 46, so the file is a pdf file.

Q4. What is the file signature and the file extension associated with the signature of File4? Write its description.

Ans: The code generated here is 17 00 00 00, so the file is an exe file.
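File signature analysis, as defined above, is the comparison of a file's header bytes with what its extension claims. This added example (not code from the workbook or WinHex) automates that check over constructed headers: the table maps 50 4B 03 04 to ZIP (the container behind .docx/.xlsx/.apk as well), the 8-byte D0 CF 11 E0 A1 B1 1A E1 prefix to the OLE2 compound document used by legacy .doc/.xls, 25 50 44 46 to PDF and 4D 5A to a Windows executable, and flags any file whose extension disagrees with its header.

```python
import os

# Header signatures ("magic numbers") and the extensions that legitimately carry them.
SIGNATURES = [
    (b"\x50\x4B\x03\x04", "ZIP archive (also .docx/.xlsx/.pptx, .jar, .apk)",
     {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound document (legacy .doc/.xls/.ppt)",
     {"doc", "xls", "ppt", "msg"}),
    (b"\x25\x50\x44\x46", "PDF document", {"pdf"}),
    (b"\x4D\x5A", "Windows executable (MZ/PE)", {"exe", "dll", "sys", "scr"}),
    (b"\xFF\xD8\xFF", "JPEG image", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1A\n", "PNG image", {"png"}),
]


def identify_signature(header: bytes):
    """Return (hex signature, description, allowed extensions) for the first matching magic."""
    for magic, description, exts in SIGNATURES:
        if header.startswith(magic):
            return magic.hex(" ").upper(), description, exts
    return header[:4].hex(" ").upper(), "unknown signature", set()


def analyse(name: str, header: bytes) -> dict:
    """Compare what the header says the file is with what the extension claims."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sig, desc, exts = identify_signature(header)
    if not exts:
        verdict = "unknown"
    elif ext in exts:
        verdict = "match"
    else:
        verdict = "MISMATCH"      # extension and content disagree: examine the file further
    return {"file": name, "signature": sig, "type": desc, "extension": ext, "verdict": verdict}


def analyse_file(path: str, nbytes: int = 8) -> dict:
    """Read only the first few bytes of a real file; the rest is irrelevant to the signature."""
    with open(path, "rb") as f:
        return analyse(os.path.basename(path), f.read(nbytes))


# Constructed sample headers (not the files from the workbook's archive).
SAMPLES = {
    "File1.zip": b"PK\x03\x04\x14\x00\x00\x00",
    "File2.xls": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    "File3.pdf": b"%PDF-1.7\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00",   # executable renamed to look like a photo
    "notes.txt": b"Just some text",
}


def scan_samples() -> list:
    return [analyse(name, header) for name, header in SAMPLES.items()]


if __name__ == "__main__":
    for r in scan_samples():
        print(f'{r["file"]:12} {r["signature"]:24} {r["verdict"]:9} {r["type"]}')
```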



Task 2: Examine metadata contained within Microsoft Office files.

Additional Resources:
File_Analysis.zip : https://tinyurl.com/DiFSkill

Q1. Who created the Word document?
Ans: Charles Galileo

Q2. Who last modified the Word document?
Ans: Michael Robinson

Q3. When was the document last modified?
Ans: 9th October 2015, 12:59 am

Q4. How many times was the document modified?
Ans: 3


8. Email Analysis

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and analyse the concept of browser artifacts.
• To understand and implement the concept of log analysis.

When analyzing e-mail, it’s very important to analyze the e-mail header to identify the
source and destination of the email. This is particularly important in situations, where a
person attempts to refute sending an e-mail or where investigators attempt to identify the
source of spam/phishing scams.
E-mail headers typically have the following information:
• The sender’s e-mail address
• The address to which returns or replies are sent
• The recipient of the mail server
• The name(s)/IP address(es) of the mail server(s) used to transmit the e-mail
• The date and time when the e-mail was sent
• The subject line
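Each mail server prepends its own Received: header, so the chain reads bottom-up from the originating host to the final receiver, and a Reply-To header redirects replies away from the From address. This added example (not code from the workbook) parses a constructed header with Python's standard email module and extracts the items listed above plus the hop chain, the originating IP and any anti-virus scanner headers; the hostnames, addresses and the X-IronPort-AV value are invented for the sample.

```python
import re
from email import message_from_string

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+.*?by\s+(\S+)", re.IGNORECASE)


def received_hops(raw: str) -> list:
    """Parse the Received: chain. The top header is the final receiver, so reversing the
    list gives the hops in the order the message actually travelled."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        text = " ".join(str(hdr).split())          # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "") or IP_RE.search(m.group(1))
        hops.append({"from": m.group(1),
                     "from_ip": ip.group(1) if ip else None,
                     "by": m.group(3),
                     "time": text.rsplit(";", 1)[-1].strip() if ";" in text else None})
    return hops


def summarize(raw: str) -> dict:
    msg = message_from_string(raw)
    scanners = [k for k in msg.keys() if k.lower().startswith(("x-ironport", "x-virus-scanned"))]
    hops = received_hops(raw)
    return {
        "sender": msg.get("From"),
        "reply_goes_to": msg.get("Reply-To") or msg.get("From"),   # Reply-To wins when present
        "recipient": msg.get("To"),
        "date": msg.get("Date"),
        "subject": msg.get("Subject"),
        # Webmail gateways often record the browser's public IP; fall back to the first hop.
        "originating_ip": msg.get("X-Originating-IP") or (hops[0]["from_ip"] if hops else None),
        "hops": hops,
        "scanned_by": scanners,
    }


# Constructed header: example.* hosts and addresses, three hops, a Reply-To pointing elsewhere.
SAMPLE = """\
Return-Path: <alice@example.org>
X-IronPort-AV: E=Sophos;i="5.04,665,1406"; d="scan'208";a="12345"
Received: from relay.example.org (relay.example.org [198.51.100.25])
\tby mx.example.com (Postfix) with ESMTPS id 1A2B3C
\tfor <bob@example.com>; Wed, 6 Nov 2013 13:16:33 -0500 (EST)
Received: from webmail.example.org (webmail.example.org [10.1.2.3])
\tby relay.example.org with ESMTP id 9Z8Y7X;
\tWed, 6 Nov 2013 13:16:31 -0500 (EST)
Received: from [203.0.113.77] by webmail.example.org with HTTP;
\tWed, 6 Nov 2013 13:16:30 -0500 (EST)
X-Originating-IP: 203.0.113.77
From: Alice Example <alice@example.org>
Reply-To: payroll-desk@example.net
To: bob@example.com
Date: Wed, 6 Nov 2013 13:16:30 -0500
Subject: Updated payroll form

Please see the attached form.
"""

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for hop in s["hops"]:
        print(f'{hop["from"]} ({hop["from_ip"]}) -> {hop["by"]}  {hop["time"]}')
    print({k: v for k, v in s.items() if k != "hops"})
```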

Task 1: Examine several e-mail headers which are from Yahoo!, Gmail, AOL and Microsoft Office 365.

Additional Resources:
e-mail_headers.zip : https://tinyurl.com/DiFSkill

Q1. Based on the e-mail header of ‘Header_from_Yahoo_e-mail_account.txt’, from what account did the e-mail originate?

Ans: [email protected]

Q2. Based on the e-mail header, who was the intended recipient?
Ans: [email protected]

Q3. Based on the e-mail header, who was the intended recipient?
Ans: [email protected]

Q4. Based on the e-mail header, which e-mail server received the e-mail?
Ans: Google

Q5. Based on the e-mail header, when did the Yahoo! mail server receive the e-mail?
Ans: 11/6/2013, 11:46:33 PM GMT+5:30

Q6. Based on the e-mail header, if the recipient replies to the email, then to where will the reply go?
Ans: Google

Q7. What are the names and IP addresses of the servers which processed the mail from the initial sending server to the final receiving server in ‘Mailheader2.png’?
Ans:
imr-da04.mx.aol.com - 205.188.105.146
mtaomg-mb03.r1000.mx.aol.com - 172.29.41.74
core-mkb001b.r1000.mail.aol.com - 172.29.98.1

Q8. Did the user send the mail through a thick mail client or through a browser/webmail interface?
Ans: AOL webmail

Q9. What was the public-facing IP address of the sender?
Ans: 214.16.41.245

Q10. Who was the sender of the e-mail in ‘Header_from_Office365.rtf’?
Ans: Human Resources & Payroll <[email protected]>

Q11. To whom was the e-mail sent?
Ans: [email protected]

Q12. What anti-virus mail appliance/product scanned the e-mail?
Ans: Ironport Antivirus.


9. Prefetch Files

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and analyse the concept of Prefetch.
• To understand and analyse the concept of Prefetch File Analysis.

With Windows XP, Microsoft introduced Prefetch to improve a computer’s performance. When an application is launched, whether it is an authorized application or malware, Windows monitors the system for ten seconds to determine which files are read. This data is recorded in a file stored in the Windows Prefetch directory. On subsequent launches of an application, Windows reads the data written to the Prefetch file so the operating system can start the application more efficiently. The Prefetch directory typically holds up to 128 files and the operating system performs periodic, automatic maintenance of the directory’s contents.

The presence of a Prefetch file can indicate whether or not a file was launched, but the real value of a Prefetch file is the data contained within it. Within a Prefetch file are valuable artifacts associated with running an application, including:
• The name and location of the executable that was run.
• A list of files that were read within ten seconds of the application being launched.
• The number of times the application has been run.
• The date and time the application was last run.

Prefetch files use the .pf extension. Within the name of the Prefetch file is a hash of the path
that contains the executable, which was run.

Task 1: Analyze a series of Windows Prefetch files using WinPrefetchView.

Tools:
Product: WinPrefetchView
Manufacturer: NirSoft
Web site: http://www.nirsoft.net/utils/win_prefetch_view.html

Additional Resources:
Prefetch_Examples : https://tinyurl.com/DiFSkill

Q1. How many times was the application run?

Ans: Install the WinPrefetchView software. Go to Options -> Advanced Options -> browse to the file (prefetch files).



Q2. When was the last time the application was run?

Ans: 08-10-2015 12:06:22 AM

Q3. Where is the executable stored on the computer’s hard drive?

Ans: \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\AUTOPSY-3.1.3\BIN\AUTOPSY64.EXE

Q4. Based on the review of the files that were accessed, where is the configuration file for Autopsy located?

Ans: Process path: \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\AUTOPSY-3.1.3\BIN\AUTOPSY64.EXE

Q5. What is the location of the executable for the various Notepad Prefetch files?

Ans:
Location: \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE
Location: \DEVICE\HARDDISKVOLUME1\USERS\ADMIN\DESKTOP\NOTEPAD.EXE


10. Password Forensics

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and analyse the concept of password cracking.
• To understand and analyse the concept of Prefetch File Analysis.

Identifying passwords on computers can be significant in forensic investigations. Computer systems stopped storing passwords in plaintext quite some time ago. One-way hashes of passwords or encryption techniques are considered much more secure manners of keeping passwords. As some system owners/operators may be less than cooperative in supplying a password, it may be necessary for a forensic examiner to crack a password through a variety of techniques to obtain the necessary information.

Task 1: Crack passwords taken from a Windows-based computer using Ophcrack in Kali Linux.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:54f2810a212387bd2ed3651200011465:fbadfb1325c5a4d06130da2fa251f32c:::
Jim:1003:828a5954e6da729caad3b435b51404ee:bc62ac0f8ea9dd1ad703c8b4f0a968c4:::
Sparky:1004:72452d2682b2ba9c93e28745b8bf4ba6:ef3b88c0e908711adae65c0825ea7e30:::
test_account:1005:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::

Q1. Find the passwords of the following accounts:

• Administrator
• Guest
• HelpAssistant
• Jim
• Sparky
  Ans: S
• test_account
  Ans: D
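The hash list for Task 1 is in pwdump format (user:RID:LM hash:NT hash:::), and several facts about account hygiene can be read from it before any cracking: the LM and NT hashes of an empty password are fixed, well-known constants, and an LM hash is built from two 7-character halves, so an empty second half means the password is at most 7 characters. This added example (not code from the workbook or Ophcrack) parses the six lines above and reports those weaknesses, which is what a defender would fix by enforcing the NoLMHash policy and a minimum password length.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password


def parse_pwdump(text: str) -> list:
    """Parse pwdump-style lines (user:RID:LM:NT:::); whitespace inside a line is ignored."""
    entries = []
    for line in text.splitlines():
        line = "".join(line.split())
        if not line or line.count(":") < 3:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entry: dict) -> list:
    """Weak-credential findings a defender can read straight off the hashes, without cracking."""
    findings = []
    if entry["nt"] == EMPTY_NT:
        findings.append("blank password")
    if entry["lm"] != EMPTY_LM:
        # LM hashing is DES-based and case-insensitive; modern Windows disables it via NoLMHash
        # and never stores it for passwords of 15 or more characters.
        findings.append("LM hash stored (enforce NoLMHash / passwords of 15+ chars)")
        if entry["lm"][16:] == EMPTY_LM[16:]:
            findings.append("password is 7 characters or fewer (second LM half is empty)")
    return findings


def audit_dump(text: str) -> dict:
    return {e["user"]: audit(e) for e in parse_pwdump(text)}


# The six lines given for Task 1 (the workbook's sample data).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:54f2810a212387bd2ed3651200011465:fbadfb1325c5a4d06130da2fa251f32c:::
Jim:1003:828a5954e6da729caad3b435b51404ee:bc62ac0f8ea9dd1ad703c8b4f0a968c4:::
Sparky:1004:72452d2682b2ba9c93e28745b8bf4ba6:ef3b88c0e908711adae65c0825ea7e30:::
test_account:1005:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
"""

if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE).items():
        print(f"{user:14} {'; '.join(findings) or 'no immediate finding'}")
```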

11. Network Traffic

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and analyse the concept of network traffic.
• To understand and utilise the Wireshark tool.

Analyzing network traffic can be incredibly valuable in forensic investigations, as it is possible to identify source and destination IP addresses for network traffic along with payloads. This can be especially useful in situations where media, e.g., a server’s hard drive, does not contain sufficient levels of detail. If data on a drive were deleted and/or overwritten, it could be difficult for a forensic examiner to perform event reconstruction; however, a network packet capture would contain evidence of downloads or data exfiltration.
Records of network activity may take the form of logs from a firewall or an intrusion detection system (IDS), but in very fortunate cases it may include full network packet captures.
Task 1: Use Wireshark to review the results of a previously recorded Ping, filter the results, and export results to a new file.

Tools:
Product: Wireshark
Manufacturer: Wireshark Foundation
Web site: https://www.wireshark.org

Additional Resources:
ping.pcapng : https://tinyurl.com/DiFSkill

Q1. Based on the Packet List Pane, how many packets were sent back and forth?

Ans: 8 packets

Q2. What was the source of the Pings and what was the target of them?

Ans: source - 192.168.17.133, target - 192.168.17.134

Q3. What protocol is used with Ping?

Ans: ICMP

Q4. What are the sequence numbers associated with the Pings?

Ans: seq: 33/8448, 34/8704, 35/8960, 36/9216

Q5. How many hops can the Ping pass before it is dropped by a router?

Ans: 8

Q6. How long did it take for the first reply/request to traverse the network for the first PING?

Ans: 0.000673

Q7. After filtering for the IP address ‘192.168.17.133’, how many packets are displayed and what are their relative numbers?

Ans: 3 packets displayed.

Q8. Based on the filter, do the displayed packets show requests or replies?

Ans: Yes. The displayed packets show requests and replies.
For packet 1: Request: id=0x0001, reply in 2
For packet 2: Request: id=0x0001, reply in 4
For packet 3: Request: id=0x0001, reply in 6
For packet 4: Request: id=0x0001, reply in 8
Task 2: Use Wireshark to review the results of a previously recorded TCP Three-way Handshake.

Tools:
Product: Wireshark
Manufacturer: Wireshark Foundation
Web site: https://www.wireshark.org

Additional Resources:
ThreewayHandshake-Connection.pcapng : https://tinyurl.com/DiFSkill

Q1. How long did it take for the three packets in the TCP Three-way Handshake to go back and forth between the source and destination?

Ans: 0.064736

Q2. What is the IP address of the host that initiated the TCP Three-way Handshake?

Ans: 192.168.0.35

Q3. What is the IP address of the host, which is responding to the Handshake?

Ans: 173.192.121.250

Q4. What was the likely type of server to which the connection was being established?

Ans: private ip address

Q5. Based on the information in the Packet Details Pane, what flag is set in the first packet of the TCP Three-way Handshake?

Ans: SYN

Q6. Based on the information in the Packet List Pane, what are the flags for the second and third packets in the Handshake?

Ans:
2nd packet flags: SYN, ACK
3rd packet flags: ACK
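What Wireshark shows in both tasks is derived from a handful of header fields: the ICMP id and sequence (printed as "BE/LE", e.g. 33/8448, because some ping implementations write the sequence little-endian), the IP TTL, the request/reply timestamps that give the round-trip time, and the TCP flag bits of the three handshake segments. This added example (not code from the workbook or Wireshark) is a minimal dissector for exactly those fields, run over a constructed capture of bare IPv4 packets (no Ethernet framing) whose values mirror the answers above.

```python
import struct


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4                       # header length in bytes
    return {"ttl": pkt[8], "proto": pkt[9],
            "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "payload": pkt[ihl:]}


def parse_icmp(p: bytes) -> dict:
    typ, code, _csum, ident, seq = struct.unpack_from("!BBHHH", p, 0)
    # Wireshark's "33/8448": the same two bytes read big-endian and little-endian.
    return {"type": typ, "code": code, "id": ident, "seq_be": seq,
            "seq_le": struct.unpack_from("<H", p, 6)[0]}


TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"), (0x20, "URG"))


def parse_tcp(p: bytes) -> dict:
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", p, 0)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for bit, name in TCP_FLAGS if off_flags & bit]}


def icmp_exchanges(capture: list) -> list:
    """Pair echo requests with replies by (id, seq) and compute each round-trip time."""
    pending, out = {}, []
    for ts, pkt in capture:
        ip = parse_ipv4(pkt)
        if ip["proto"] != 1:                        # 1 = ICMP
            continue
        ic = parse_icmp(ip["payload"])
        key = (ic["id"], ic["seq_be"])
        if ic["type"] == 8:                         # echo request
            pending[key] = (ts, ip)
        elif ic["type"] == 0 and key in pending:    # echo reply
            t0, req = pending.pop(key)
            out.append({"src": req["src"], "dst": req["dst"], "ttl": req["ttl"],
                        "seq": f'{ic["seq_be"]}/{ic["seq_le"]}', "rtt": round(ts - t0, 6)})
    return out


def tcp_handshake(capture: list) -> dict:
    """Flags of the first three TCP segments and how long the handshake took."""
    tcp = [(ts, parse_ipv4(pkt)) for ts, pkt in capture if parse_ipv4(pkt)["proto"] == 6]
    seg = [(ts, ip, parse_tcp(ip["payload"])) for ts, ip in tcp[:3]]
    return {"initiator": seg[0][1]["src"], "responder": seg[0][1]["dst"],
            "server_port": seg[0][2]["dport"],
            "flags": [s[2]["flags"] for s in seg],
            "duration": round(seg[-1][0] - seg[0][0], 6)}


# --- constructed capture (no real traffic); values echo the workbook's two pcapng answers ---
def ipv4(src, dst, proto, ttl, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def icmp_echo(typ, ident, seq):
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq) + b"abcdefghijklmnop"


def tcp_seg(sport, dport, seq, ack, flags):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)


A, B, C, S = "192.168.17.133", "192.168.17.134", "192.168.0.35", "173.192.121.250"
CAPTURE = []
t = 0.0
for seq in (33, 34, 35, 36):                        # four pings, one second apart
    CAPTURE.append((t, ipv4(A, B, 1, 128, icmp_echo(8, 1, seq))))
    CAPTURE.append((t + 0.000673, ipv4(B, A, 1, 128, icmp_echo(0, 1, seq))))
    t += 1.0
CAPTURE += [                                        # SYN, SYN/ACK, ACK
    (10.0,      ipv4(C, S, 6, 128, tcp_seg(49200, 80, 1000, 0, 0x02))),
    (10.032000, ipv4(S, C, 6, 52,  tcp_seg(80, 49200, 5000, 1001, 0x12))),
    (10.064736, ipv4(C, S, 6, 128, tcp_seg(49200, 80, 1001, 5001, 0x10))),
]

if __name__ == "__main__":
    for e in icmp_exchanges(CAPTURE):
        print(e)
    print(tcp_handshake(CAPTURE))
```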


12. Mobile Forensics

Date of the Session: / / Time of the Session: to

Learning Outcomes:
• To understand and analyse the concept of mobile forensics.
• To understand and analyse the SQLite database.
• To understand and analyse the concept of suspicious apks.

With over 6.8 billion mobile devices in use, the odds are fairly high that a forensic examiner will encounter a mobile device, i.e., a phone or tablet, during an investigation. Mobile apps often store data in SQLite databases or flat files, and in the case of iPhones .plist files are also used. Applications on non-rooted or non-jailbroken devices are sandboxed and contained within their own individual directories. Recovering and analysing these files can identify app-to-app communication, including activity from malware, as well as activity performed by the user.

Task 1: Analyze the packages.xml file from a phone to identify apps and their associated permissions.

Additional Resources:
container.apk.zip : https://tinyurl.com/DiFSkill

Q1. Examine the packages.xml file. What are the permissions associated with com.surpax.ledflashlight.panel?

Ans:
READ_PHONE_STATE
READ_EXTERNAL_STORAGE
CAMERA
GET_TASKS
WRITE_SETTINGS
INTERNET
WRITE_EXTERNAL_STORAGE
ACCESS_WIFI_STATE
FLASHLIGHT
WAKE_LOCK
ACCESS_NETWORK_STATE

Q2. Examine the packages.xml file. What are the permissions associated with com.roidapp.photogrid?

Ans:
android.permission.READ_EXTERNAL_STORAGE
android.permission.GET_TASKS
com.android.vending.BILLING
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
android.permission.VIBRATE
android.permission.ACCESS_WIFI_STATE
android.permission.ACCESS_NETWORK_STATE
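Reading packages.xml by hand works for one app; across a whole phone the same question is better asked programmatically, and the interesting finding is not the permission list itself but whether it fits the app's purpose (a flashlight that can read the phone's identity and talk to the Internet is the classic mismatch). This added example (not code from the workbook) parses a constructed packages.xml excerpt laid out as on Android 4.x/5.x, where each package carries a perms element, and applies a review heuristic; the DANGEROUS subset and the exfiltration rule are my assumptions, not Android's own classification.

```python
import xml.etree.ElementTree as ET

# Assumed subset of Android's "dangerous" permissions that matter most in a privacy/malware review.
DANGEROUS = {
    "READ_PHONE_STATE", "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS", "CAMERA",
    "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "READ_CALL_LOG", "GET_ACCOUNTS",
}
# Permissions that give access to identity or message data; paired with INTERNET they allow exfiltration.
COLLECTS = {"READ_PHONE_STATE", "READ_SMS", "READ_CONTACTS", "READ_CALL_LOG"}


def short(perm: str) -> str:
    """android.permission.CAMERA -> CAMERA; vendor permissions keep their full name."""
    prefix = "android.permission."
    return perm[len(prefix):] if perm.startswith(prefix) else perm


def parse_packages(xml_text: str) -> dict:
    """Map each <package name=...> to its code path and the permissions under its <perms>."""
    root = ET.fromstring(xml_text)
    result = {}
    for pkg in root.iter("package"):
        perms = {short(item.get("name")) for item in pkg.findall("./perms/item")}
        result[pkg.get("name")] = {"codePath": pkg.get("codePath"), "perms": perms}
    return result


def review(perms: set) -> dict:
    """Flag dangerous permissions and the identity/data + INTERNET pairing."""
    return {"dangerous": sorted(perms & DANGEROUS),
            "can_exfiltrate": bool(perms & COLLECTS) and "INTERNET" in perms}


def review_all(xml_text: str) -> dict:
    return {name: review(info["perms"]) for name, info in parse_packages(xml_text).items()}


# Constructed packages.xml excerpt; the flashlight entry carries the permission set listed in Q1.
SAMPLE = """\
<packages>
  <package name="com.surpax.ledflashlight.panel" codePath="/data/app/com.surpax.ledflashlight.panel-1" flags="0">
    <perms>
      <item name="android.permission.READ_PHONE_STATE" granted="true" flags="0" />
      <item name="android.permission.READ_EXTERNAL_STORAGE" granted="true" flags="0" />
      <item name="android.permission.CAMERA" granted="true" flags="0" />
      <item name="android.permission.GET_TASKS" granted="true" flags="0" />
      <item name="android.permission.WRITE_SETTINGS" granted="true" flags="0" />
      <item name="android.permission.INTERNET" granted="true" flags="0" />
      <item name="android.permission.WRITE_EXTERNAL_STORAGE" granted="true" flags="0" />
      <item name="android.permission.ACCESS_WIFI_STATE" granted="true" flags="0" />
      <item name="android.permission.FLASHLIGHT" granted="true" flags="0" />
      <item name="android.permission.WAKE_LOCK" granted="true" flags="0" />
      <item name="android.permission.ACCESS_NETWORK_STATE" granted="true" flags="0" />
    </perms>
  </package>
  <package name="com.example.notes" codePath="/data/app/com.example.notes-1" flags="0">
    <perms>
      <item name="android.permission.WRITE_EXTERNAL_STORAGE" granted="true" flags="0" />
    </perms>
  </package>
</packages>
"""

if __name__ == "__main__":
    for name, verdict in review_all(SAMPLE).items():
        print(name, verdict)
```

On Android 6 and later the runtime grants move to runtime-permissions.xml, and from Android 12 these files are written in binary XML (ABX), so convert them with the on-device abx2xml tool before parsing.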

Task 2: Use DB Browser for SQLite to analyze a SQLite database retrieved from BBM (BlackBerry Messenger) on an Android phone.

Tools:
Product: DB Browser for SQLite
Manufacturer: Mauricio Piacentini, René Peinthor and Martin Kleusberg
Web site: http://sqlitebrowser.org

Additional Resources:
SQLiteDB.zip : https://tinyurl.com/DiFSkill

Q1. In the table named “File Transfers”, how many files were transferred and what were their names?

Ans:
/storage/emulated/0/DCIM/Camera/1406832981515.jpg
/data/data/com.bbm/files/bbmcore/files/1

Q2. Examine the master.db database, specifically the Profile table. What is the BlackBerry PIN for this user?

Ans: 79081225

Q3. Examine the master.db database, specifically the Text Messages table. When was the text message “Round 3 reply” sent?

Ans: 1406832884
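The Q3 answer is a raw Unix timestamp in seconds, while the camera file name in Q1 (1406832981515) is a Unix timestamp in milliseconds; an examiner normalises both to UTC and merges messages and transfers into one timeline. This added example (not code from the workbook or DB Browser for SQLite) does that with Python's sqlite3 module against a constructed in-memory database; the table and column names are assumptions standing in for master.db's real schema, and the timestamp values are the ones the tasks quote.

```python
import sqlite3
from datetime import datetime, timezone


def to_utc(ts: int) -> str:
    """Normalise an epoch value that may be in seconds, milliseconds or microseconds."""
    if ts > 10**14:          # microseconds
        secs = ts / 1e6
    elif ts > 10**11:        # milliseconds
        secs = ts / 1e3
    else:                    # seconds
        secs = ts
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the BBM master.db tables the tasks refer to (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE FileTransfers (Id INTEGER PRIMARY KEY, Path TEXT, Timestamp INTEGER);
        CREATE TABLE TextMessages (Id INTEGER PRIMARY KEY, Content TEXT, Timestamp INTEGER,
                                   Incoming INTEGER);
    """)
    con.executemany("INSERT INTO TextMessages (Content, Timestamp, Incoming) VALUES (?, ?, ?)", [
        ("Round 3", 1406832810, 1),
        ("Round 3 reply", 1406832884, 0),            # the Q3 value, Unix seconds
    ])
    con.executemany("INSERT INTO FileTransfers (Path, Timestamp) VALUES (?, ?)", [
        ("/storage/emulated/0/DCIM/Camera/1406832981515.jpg", 1406832990),
        ("/data/data/com.bbm/files/bbmcore/files/1", 1406833005),
    ])
    con.commit()
    return con


def list_tables(con: sqlite3.Connection) -> list:
    return [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]


def timeline(con: sqlite3.Connection) -> list:
    """Merge messages and transfers into one UTC-ordered list of (time, kind, detail)."""
    rows = []
    for content, ts, incoming in con.execute("SELECT Content, Timestamp, Incoming FROM TextMessages"):
        rows.append((ts, "msg " + ("in" if incoming else "out"), content))
    for path, ts in con.execute("SELECT Path, Timestamp FROM FileTransfers"):
        rows.append((ts, "file", path))
        stem = path.rsplit("/", 1)[-1].split(".", 1)[0]
        if stem.isdigit() and len(stem) == 13:      # camera apps often name photos by epoch ms
            rows.append((int(stem) // 1000, "photo taken", path))
    return [(to_utc(ts), kind, detail) for ts, kind, detail in sorted(rows)]


if __name__ == "__main__":
    con = build_sample_db()
    print(list_tables(con))
    for row in timeline(con):
        print(*row)
```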

Task 3: Examination of a suspicious .apk from an Android-based device using dex2jar and jd-gui to analyze a classes.dex file.

Tools:
Product: dex2jar
Manufacturer: Bob Pan
Web site: https://github.com/pxb1988/dex2jar

Product: Java Decompiler-GUI (jd-gui)
Manufacturer: Emmanuel Dupuy
Web site: http://jd.benow.ca

Additional Resources:
container.apk.zip : https://tinyurl.com/DiFSkill

Q1. Based on a review of the app, what functionality is taking place near the sixth major section of code?

Ans: MANIFEST.MF

Manifest.MF contains information about the files contained in the JAR file. Whenever a JAR file is created, a default manifest.mf file is created inside the META-INF folder, and it contains default entries like this: Manifest-Version: 1.0 Created-By: 1.7.0_06 (Oracle Corporation)

Q2. Use virustotal.com and search for the MD5 hash of the .apk file. Which companies detected it as malicious?

Ans: MD5 - ef819779fc4bee6117c124fb752abf57

BitDefenderFalx: Android.Trojan.InfoStealer.DU
CAT-QuickHeal: Android.Trogle.A
Comodo: Malware@#1tvc4pdn213du
Cynet: Malicious (score: 85)
Cyren: AndroidOS/Trogle.A.gen!Eldorado
DrWeb: Android.SmsBot.146.origin
ESET-NOD32: A Variant Of Android/Trogle.A
F-Secure: Malware.ANDROID/Trogle.FHCF.Gen
Ikarus: Trojan.AndroidOS.Trogoogle
K7GW: Trojan ( 0049fd671 )
Kingsoft: Android.Troj.XXshenqi.b.(kcloud)
MAX: Malware (ai Score=100)
MaxSecure: Android.smsthief.es
McAfee: Artemis!EF819779FC4B
McAfee-GW-Edition: Artemis!Trojan
Microsoft: Trojan:Script/Wacatac.C!ml
NANO-Antivirus: Trojan.Android.Trogle.dinjhz
Qihoo-360: Trojan.Android.Gen
Sophos: Andr/SmsSend-FA
Symantec: Android.Trogle
