ADF

1. What is memory forensics?

- A branch of digital forensics relating to the recovery of digital evidence or volatile data from a mobile device under "forensically sound conditions".
- It helps investigators uncover evidence of malicious activities, such as malware infections, rootkits, network connections, encryption keys, passwords, and hidden processes.

2. What is a memory forensic examination?

A memory forensic examination is the process of analysing the volatile memory (RAM) of a computer system to extract evidence related to security incidents.

Here's a detailed look at what's involved in memory forensic examinations:

1. Gather the Evidence: First, they take a snapshot of the computer's memory, kind of like taking a photo of what's going on inside the computer's brain right now.
2. Searching for Clues: Then, they look through this snapshot to find important stuff like what programs are running, what files are open, who's logged in, and whether there are any suspicious activities.
3. Finding the Bad Guys: They try to spot anything fishy, like signs of viruses or hackers.
4. Putting it Together: They piece together all these clues to figure out what happened on the computer, like whether someone broke in, whether there's malware lurking around, or whether something got deleted.
5. Making a Report: Finally, they write down everything they found in a report, just like detectives write down their findings, so that others can understand what happened and take action if needed.

3. Tools used for memory acquisition?

Tools used for memory acquisition capture the contents of a computer's volatile memory (RAM) for analysis in memory forensics.

Here's a list of tools commonly used for memory acquisition:

1. Magnet RAM Capture: Supports memory acquisition from Windows, macOS, and Linux systems.
2. FTK Imager: Primarily a disk imaging tool, but also supports memory acquisition from Windows systems.
3. Volatility Framework: Primarily a memory forensics analysis tool, but includes memory acquisition plugins for Windows, macOS, and Linux.
4. Redline: Developed by FireEye, Redline offers memory acquisition capabilities for live Windows systems.
5. LiME (Linux Memory Extractor): A loadable kernel module for Linux, allowing memory acquisition from Linux systems.
6. Rekall: An open-source memory analysis framework with memory acquisition plugins for Windows, macOS, and Linux.
7. DumpIt: Simple tool for acquiring memory from Windows systems.
8. Belkasoft Live RAM Capturer: Acquires memory from Windows systems.
9. AVML: A portable volatile memory acquisition tool for Linux that can be used to acquire memory without knowing the target kernel.

4. What are Rogue Processes?

Rogue processes, also known as "malicious processes" or "harmful processes", are programs running on a computer system without our knowledge that are potentially harmful to the system's integrity.

Some categories of rogue processes are listed here:

1. Malware: Rogue processes often include various types of malware, such as viruses, worms, Trojans, ransomware, spyware, and adware. These malicious programs can infect systems, steal sensitive information, and compromise security.
2. Unwanted Software: Some rogue processes may not be inherently malicious but are still unwanted or potentially harmful, such as unwanted browser extensions, which degrade system performance.
3. Rootkits: Rootkits are stealthy malicious software designed to conceal their presence and actions on a system.
4. Exploits: Rogue processes may exploit vulnerabilities in software or operating systems to gain unauthorized access or execute malicious code.
5. Backdoors: Backdoors can be installed by attackers to maintain persistent access to compromised systems.
5. Analyzing the process DLLs and handles?

1. DLLs (dynamic-link libraries) were developed by Microsoft.
2. A DLL is a file which can be used by multiple programs at the same time.
3. A DLL is a shared library which contains code and data.
Example: the open dialog box
File name: config.32
Types:
1. Load-time dynamic linking
2. Run-time dynamic linking

6. What are handles?

In computing, handles are used in several ways to help with file access, object references, and reverse engineering:
File handles: When you open a file, the operating system assigns a handle to it. This handle acts like a key to the open file and is used to:
- Read the file's contents
- Write the file's contents
- Manipulate the file's contents
- Perform other operations on the file

7. Write a short note on reviewing network artifacts?

Network artifacts are traces left behind by communication activities over a network.

1. Capture Network Traffic: Use network monitoring tools to capture network traffic passing through the network interfaces of devices.
2. Identify Communication Patterns: Review the captured network traffic to identify communication patterns between devices, such as client-server interactions and peer-to-peer communication.
3. Analyse Protocols: Examine the protocols used in network communication, including HTTP, HTTPS, DNS, FTP, SSH, and others.
4. Inspect Payloads: Look for signs of malware, data exfiltration, and command-and-control communication.
5. Document Findings: Note down your findings, including details such as timestamps, IP addresses, ports, protocols, and any observed anomalies or suspicious activities.
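The pattern-identification and command-and-control steps above are the part most worth automating. The following is an added example, not part of the original notes: it parses a small set of constructed connection records (the addresses are documentation ranges, the process names and the watch list of "processes that should not normally talk to the network" are assumptions for the demo) and flags (a) destinations contacted at nearly constant intervals, the classic beacon fingerprint, and (b) any connection made by a watch-listed process.

```python
# Added example (not part of the original notes): reviewing constructed
# connection records for command-and-control-style beaconing and for
# processes that should not normally be talking to the network.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records in the form "timestamp src dst:port proto process".
# Addresses are documentation ranges (TEST-NET), not real hosts.
SAMPLE_FLOWS = """
2024-05-01T10:00:00 10.0.0.5 203.0.113.7:8443 TCP rundll32.exe
2024-05-01T10:00:03 10.0.0.5 198.51.100.20:443 TCP chrome.exe
2024-05-01T10:00:05 10.0.0.5 10.0.0.1:53 UDP svchost.exe
2024-05-01T10:00:41 10.0.0.5 198.51.100.20:443 TCP chrome.exe
2024-05-01T10:01:00 10.0.0.5 203.0.113.7:8443 TCP rundll32.exe
2024-05-01T10:02:00 10.0.0.5 203.0.113.7:8443 TCP rundll32.exe
2024-05-01T10:02:15 10.0.0.5 198.51.100.20:443 TCP chrome.exe
2024-05-01T10:03:00 10.0.0.5 203.0.113.7:8443 TCP rundll32.exe
2024-05-01T10:03:30 10.0.0.5 10.0.0.1:53 UDP svchost.exe
2024-05-01T10:04:00 10.0.0.5 203.0.113.7:8443 TCP rundll32.exe
2024-05-01T10:05:09 10.0.0.5 198.51.100.20:443 TCP chrome.exe
2024-05-01T10:05:10 10.0.0.5 198.51.100.20:443 TCP chrome.exe
"""

# Processes that rarely have a legitimate reason to open outbound sockets.
# A constructed, site-specific watch list, not an authoritative one.
UNEXPECTED_NETWORK_PROCS = {"rundll32.exe", "regsvr32.exe", "notepad.exe"}


def parse_flows(text):
    """Turn the constructed text records into dicts with a parsed timestamp."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, proc = line.split()
        host, port = dst.rsplit(":", 1)
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": host, "port": int(port), "proto": proto, "proc": proc})
    return flows


def find_beacons(flows, min_count=4, max_cv=0.1):
    """Group connections by (process, destination, port) and report groups whose
    gaps between connections are nearly constant. A low coefficient of
    variation (stddev / mean) is the fingerprint of a scheduled check-in."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["proc"], f["dst"], f["port"])].append(f["ts"])
    beacons = []
    for key, stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((key, round(avg, 1)))
    return beacons


def unexpected_network_processes(flows):
    """Distinct (process, destination, port) tuples for watch-listed processes."""
    return sorted({(f["proc"], f["dst"], f["port"]) for f in flows
                   if f["proc"].lower() in UNEXPECTED_NETWORK_PROCS})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for key, period in find_beacons(flows):
        print(f"beacon: {key} every {period}s")
    for entry in unexpected_network_processes(flows):
        print(f"unexpected network process: {entry}")
```

Real implants usually add jitter to their sleep interval, so `max_cv` is a tuning knob rather than a fixed truth; on a capture from a real host, start loose, then look at the surviving groups by hand together with the process and destination information from the other steps.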
8. What is a rootkit?

Rootkits are stealthy forms of malware designed to hide themselves, making it more difficult for malware researchers to identify them. Signs of a rootkit include:

1. Unexplained Network Activity: Rootkits often communicate with command-and-control servers or transfer stolen data over the network.
2. Unexpected Processes: Use system monitoring tools to check for any unfamiliar processes running on the system.
3. Modified System Files: Rootkits might modify system files to hide their presence.
4. Strange System Behaviour: If the system behaves strangely, such as frequent crashes, slow performance, or unexpected error messages, it could be due to the presence of a rootkit.
5. Unexpected Pop-ups or Advertisements: Rootkits might install adware or other unwanted software on the system to generate revenue for the attacker.
6. Unexplained Files or Directories: Check for any unfamiliar files or directories on the system, especially in sensitive areas such as system folders or the Windows registry.
7. Suspicious Network Ports: Rootkits may open network ports to allow remote access or communication with other compromised systems.

9. CODE INJECTION?

Code injection is a cyberattack technique where an attacker injects malicious code into a legitimate program, typically to modify the behaviour of the application, gain unauthorized access, and steal sensitive information.

There are several types of code injection techniques, including:

1. SQL Injection: Involves inserting malicious SQL code into a web application to manipulate the database.
2. Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages viewed by other users, allowing them to steal cookies or session tokens, or redirect users to malicious sites.
3. Remote Code Execution (RCE): Attackers inject and execute arbitrary code on a vulnerable system, potentially gaining full control over the system.
4. Command Injection: Similar to SQL injection, but in command injection the attacker targets command-line interfaces by injecting commands to execute arbitrary actions on the server.
5. DLL Injection: Involves injecting malicious dynamic-link libraries (DLLs) into running processes, allowing attackers to execute arbitrary code within the context of the targeted application.
6. Shellcode Injection: Attackers inject shellcode into vulnerable processes to execute arbitrary commands or initiate further exploitation.

10. How to do rootkit hunting in memory?

Rootkit hunting is a memory forensic technique that involves detecting and eliminating hidden malicious programs in memory.

1. Memory Acquisition: Capturing a snapshot of the system's volatile memory (RAM) to analyse its contents.
2. Forensic Imaging: Create a forensic image of the digital media to preserve its state for further analysis without altering the original data.
3. Memory Analysis: This involves analysing memory structures, process lists, kernel objects, and other memory regions for anomalies.
4. Pattern Recognition: Searching for known signatures or patterns associated with rootkit behaviour, such as hidden processes and modified system calls.
5. Behavioural Analysis: Analysing the behaviour of processes and system components to detect abnormal or malicious activities.
6. Signature Detection: Employ antivirus or endpoint detection tools to detect known malicious processes and drivers.
7. Hash Comparison: Calculate and compare cryptographic hashes of files against known malware databases to identify potential threats.
8. Rootkit Removal: Once a rootkit is identified, security professionals can take steps to remove it from the system.
MODULE-2

1. What is the Registry?

The Registry is a central hierarchical database used in Windows operating systems to store information regarding system activity, system configuration, users' activity, network settings, startup programmes, security settings, hardware information, software information, and port information.

Goal: The registry serves as a repository, monitoring, observing, and recording the activities performed by the administrator of the computer.

- Keys: These are like folders; they can contain subkeys and values.
- Values: These are like files; they hold the actual data.

The Registry is organized in a hierarchical structure, with five main categories:

- HKEY_LOCAL_MACHINE (HKLM): Stores information regarding hardware and the operating system.
- HKEY_CURRENT_USER (HKCU): Contains the user profile for the user who is currently logged in.
- HKEY_USERS: Stores information about all the users.
- HKEY_CLASSES_ROOT (HKCR): Is a subkey of HKEY_LOCAL_MACHINE. It stores the contents and information regarding various files and drives.
- HKEY_CURRENT_CONFIG (HKCC): Stores information about the current hardware configuration.

2. What is the Windows Registry?

The Windows Registry is a central hierarchical database for storing system activity, system configuration, users' activity, network settings, startup programmes, security settings, hardware information, software information, and port information.

It's organized into a tree-like structure, with keys, subkeys, and values.

3. Investigate Windows Services?

Windows Services are a crucial part of the operating system, responsible for running various system processes and tasks in the background.
- Services can be categorized into 2 types: "system services and user-installed services".
- System Services: Services installed and managed by the Windows operating system itself. Examples of system services include: Remote Desktop Services (RDS), Event Log, Windows Update.
- User-Installed Services: Installed by users and administrators. Examples: MySQL, Docker.

Here are the tools and commands used for investigating Windows services:
Command Prompt: The Command Prompt is a command-line interface that allows the user to execute commands and scripts.
sc: Command-line utility used to manage Windows services. It can be used to start, stop, pause, resume, query, and configure services.
- sc failure: Specifies what action to take upon failure of the service.
- sc config: Configures a service, for example to start automatically.
- sc query: Displays information about a service, its status and configuration.

net: Command-line tool used for managing network resources.
net start [service name]: Start a service.
net stop [service name]: Stop a service.
net pause [service name]: Pause a service.
net continue [service name]: Continue a paused service.
- Registry Editor (regedit.exe): Built-in Windows tool for viewing and editing the Windows registry.
- Event Viewer: Built-in Windows tool for viewing event logs.
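When reviewing many services, the output of `sc qc <service>` (the configuration query, which includes the binary path and start type) is easier to triage with a script than by eye. The following is an added example, not part of the original notes: it parses text in the `sc qc` layout and applies three simple investigator heuristics (binary outside the Windows or Program Files trees, an unquoted path that contains spaces, and auto-start of such a service). The sample output is constructed; `UpdaterSvc` is a made-up suspicious entry, not a real Windows service, and the trusted-directory list is an assumption to adjust per environment.

```python
# Added example (not part of the original notes): parsing `sc qc`-style output
# and flagging service configurations an investigator would want to look at.
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout printed by `sc qc <service>`; the second
# service is a made-up suspicious entry, not a real Windows service.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Update
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UpdaterSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Public\Updater Service\svc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Updater Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Directories from which services are normally expected to run (assumed list).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_sc_qc(text: str) -> List[Dict[str, str]]:
    """Split `sc qc` output into one dict of KEY -> value per service."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip()}
            services.append(current)
        elif current is not None and ":" in line and not line.startswith("["):
            # The first colon ends the key, so the "C:" of a path stays in the value.
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return services


def executable_path(binary_path: str) -> Tuple[str, bool]:
    """Return (path of the service executable, whether it was quoted).
    Arguments such as "-k netsvcs" are dropped."""
    bp = binary_path.strip()
    if bp.startswith('"'):
        end = bp.find('"', 1)
        return (bp[1:end] if end > 0 else bp[1:]), True
    m = re.match(r"(.*?\.exe)", bp, re.IGNORECASE)
    return (m.group(1) if m else bp.split(" ")[0]), False


def review_services(services: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Heuristics: binary outside the trusted roots, an unquoted path with
    spaces (a well-known misconfiguration), and auto-start of such a service."""
    findings = {}
    for svc in services:
        path, quoted = executable_path(svc.get("BINARY_PATH_NAME", ""))
        reasons = []
        if not path.lower().startswith(TRUSTED_ROOTS):
            reasons.append(f"binary outside trusted directories: {path}")
        if not quoted and " " in path:
            reasons.append("unquoted service path containing spaces")
        if reasons and "AUTO_START" in svc.get("START_TYPE", ""):
            reasons.append("starts automatically at boot")
        if reasons:
            findings[svc["SERVICE_NAME"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_services(parse_sc_qc(SAMPLE_SC_QC)).items():
        print(name, "->", "; ".join(reasons))
```

A service hosted by `svchost.exe -k <group>` passes these checks by design, because the real code lives in the DLL named by the service's `ServiceDll` registry value; for those, the registry (regedit.exe) is the place to continue the review.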

4. Hunting Malware Using Comparison with Baseline Systems?

What are the Goals of Threat Hunting?
Threat hunting is the process of identifying and eliminating threats that have evaded traditional security measures.

How Does Threat Hunting Work?
Threat hunting teams use a combination of threat intelligence, threat detection technologies, and cybersecurity expertise to identify and eliminate potential threats.

Tools used for threat and malware hunting?
Antivirus Software: Windows Defender, McAfee, Bitdefender, Kaspersky.
Endpoint Detection and Response (EDR): CrowdStrike Falcon, Carbon Black.
Network Traffic Analysis Tools: Wireshark, Darktrace.
Memory Analysis Tools: Volatility, Rekall, Redline.

Dumping Hashes and Credentials from Memory?

Dumping hashes and credentials from memory is a technique used by attackers to obtain sensitive information, such as usernames and passwords, from a compromised system. The same process can be useful for security analysis, digital forensics, and penetration testing.
1. Identify Memory Analysis Tools: Several tools are available for dumping hashes and credentials from memory.
- Mimikatz: A powerful post-exploitation tool that can be used to extract plaintext passwords and password hashes from memory.
- Volatility: An open-source memory forensics framework that provides a wide range of plugins for analysing memory dumps. Volatility plugins can be used to extract passwords, hashes, and other sensitive information from memory.
- Rekall: Another open-source memory forensics framework similar to Volatility; Rekall offers plugins for memory analysis, including the extraction of credentials and authentication tokens.

Prefetch and Shimcache Extraction via Memory?

1. Prefetch and Shimcache are two Windows components that store information about executed programs and files to improve system performance.
2. Prefetch is a cache manager that monitors all files and directories.
3. Shimcache, on the other hand, stores entries if a file is executed, which is recorded on all versions of Windows starting from

3rd MODULE

What is memory forensics?
- A branch of digital forensics relating to the recovery of digital evidence from a mobile device under "forensically sound conditions".
- It helps investigators uncover evidence of malicious activities, such as malware infections, rootkits, network connections, encryption keys, passwords, and hidden processes.

Importance of Memory Forensics

- Memory analysis is one of the key components of a successful digital forensic investigation. Memory capture is the very first step of a digital forensic investigation if a running system is found. Whereas a few years ago the number of tools to acquire memory was limited, today there are many tools available.
- Identifying the best memory acquisition tool amongst them is a mandatory task for the incident responder.

Information Available in RAM

1. Processes and Drivers
2. Loaded Modules
3. Network Socket Info
4. Passwords
5. Encryption Keys
6. Decrypted files
7. Order of execution
8. Runtime State Information
9. Rootkits
10. Configuration Information
11. Logged-in Users
12. Open Files
13. Unsaved Documents
14. Live Registry
15. Video Buffers (screenshots)
16. BIOS Memory
17. VoIP Phone calls
18. Advanced Malware
19. Instant Messenger chat

Order of Volatility
In digital forensics, the order of volatility is a sequence for
collecting and preserving digital evidence based on how likely it
is to change or disappear over time. The order of volatility is
important because it helps investigators prioritize the collection
of the most volatile data first, which is most susceptible to
rapid alteration.

The IETF and the Order of Volatility

The Internet Engineering Task Force (IETF) released a document titled Guidelines for Evidence Collection and Archiving, also known as RFC 3227. This document explains that the collection of evidence should start with the most volatile data and end with the least volatile data. So, according to the IETF, the order of volatility is:

1. CPU, cache, and register content
2. Routing table, ARP cache, process table, kernel statistics
3. Memory
4. Temporary file system/swap space
5. Data on hard disk
6. Remotely logged data
7. Physical configuration, network topology
8. Archival media

Data acquisition process from RAM?

The data acquisition process from RAM involves copying the contents of volatile memory to non-volatile storage.

Key Steps:
1. Identification: Identify the system from which data is to be acquired, ensuring it is powered on and accessible.
2. Connection: Establish a connection to the system's RAM, typically through a physical interface (e.g., USB, Ethernet).
3. Acquisition Tool: Utilize a memory acquisition tool, such as FTK, EnCase, or Volatility, to capture the RAM contents.
4. Data Transfer: Transfer the acquired RAM data to a non-volatile storage device, such as a hard drive or solid-state drive.
5. Verification: Verify the integrity and completeness of the acquired data to ensure a successful capture.
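Step 5 (verification) and the hash-comparison step of rootkit hunting in module 1 rest on the same operation: a cryptographic hash computed in a streaming fashion and compared with a recorded value. The following is an added example, not part of the original notes: it records a SHA-256 for a constructed "memory image" at acquisition time, shows that a single flipped bit in a copy fails verification, and looks up hashes of constructed extracted files in a constructed known-bad list (the file names, the payload bytes and the family name are all made up; no real malware hashes are used).

```python
# Added example (not part of the original notes): verifying that an acquired
# memory image is intact, and comparing hashes of extracted files against a
# known-bad list. All data below is constructed in-line; no real malware hashes.
import hashlib
import hmac
from typing import Dict, Iterable, List

CHUNK = 1 << 20   # hash a megabyte at a time so multi-gigabyte dumps stream through


def sha256_stream(chunks: Iterable[bytes]) -> str:
    h = hashlib.sha256()
    for c in chunks:
        h.update(c)
    return h.hexdigest()


def iter_chunks(data: bytes, size: int = CHUNK) -> Iterable[bytes]:
    for i in range(0, len(data), size):
        yield data[i:i + size]


def record_acquisition(dump: bytes) -> str:
    """Hash computed at capture time and written into the acquisition log."""
    return sha256_stream(iter_chunks(dump))


def verify_capture(dump: bytes, recorded: str) -> bool:
    """Recompute at analysis time; any mismatch means the image cannot be trusted."""
    return hmac.compare_digest(sha256_stream(iter_chunks(dump)), recorded)


def match_known_bad(files: Dict[str, bytes], known_bad: Dict[str, str]) -> List[str]:
    """Return 'path (family)' for every extracted file whose hash is on the list."""
    hits = []
    for path, content in files.items():
        digest = sha256_stream(iter_chunks(content))
        if digest in known_bad:
            hits.append(f"{path} ({known_bad[digest]})")
    return hits


def demo():
    dump = bytes(range(256)) * 4096                       # constructed 1 MiB "memory image"
    recorded = record_acquisition(dump)
    tampered = bytearray(dump)
    tampered[123456] ^= 0x01                              # one flipped bit in a copy
    extracted = {                                         # constructed carved files
        "pid_1337/implant.dll": b"constructed sample payload",
        "pid_600/legit.dll": b"constructed benign content",
    }
    known_bad = {sha256_stream([b"constructed sample payload"]): "ConstructedFamily"}
    return (verify_capture(dump, recorded),
            verify_capture(bytes(tampered), recorded),
            match_known_bad(extracted, known_bad))


if __name__ == "__main__":
    intact, tampered_ok, hits = demo()
    print("original verifies:", intact)
    print("tampered copy verifies:", tampered_ok)
    print("known-bad hits:", hits)
```

Record the acquisition hash in the case notes together with the tool and time of capture; if it is only stored next to the image, a tampered image can ship with a matching tampered hash.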

Hardware acquisition method for memory capturing?

- The hardware acquisition method depends on a Direct Memory Access (DMA) attack.
- It can be used by a DMA-enabled system like FireWire or using hardware like CaptureGUARD.
- The advantage of hardware-based acquisition is that it works independently of operating system API calls.
- In the FireWire method, it bypasses the CPU and accesses the physical memory directly.
- Ex: FireWire, Tribble

Software acquisition method for memory capturing

- Software acquisition is the process of copying the content of the physical memory to a drive by running a forensic memory acquisition tool. It is also called a memory dump.
- The whole idea is to capture a snapshot of the memory state at the time of acquisition.
- For Windows there are certain tools available to capture the physical memory. The only disadvantage of a software method is that it occupies some space in memory, which alters the memory.
- Much research has been carried out in order to identify the best memory acquisition tool.
Ex: FTK, Belkasoft

Tools available for Memory Acquisition

1. FTK Imager
2. Magnet RAM Capture
3. Belkasoft Live RAM Capturer
4. DumpIt
5. Memoryze
6. Rekall
7. Volatility
8. Redline
9. LiME
10. AVML
11. WinPmem
12. Artifactcollector

Parameters to Identify the Best Memory Acquisition Tool

- User interface
- Portability
- Time taken by the tool to acquire the memory
- Space occupied by the tool in memory

Introduction to Virtualization Based Security

- Virtualization-based security (VBS) is a technology that protects a device and operating system from malware and other attacks.
- VBS, a security feature in Windows, creates an isolated virtual environment that separates a portion of main memory from the operating system.
- This isolation aims to protect system resources and security solutions from vulnerabilities in the OS and exploits like malware.

Effects of VBS on Memory Acquisition

- Normally tools load a device driver into the kernel to capture the physical memory.
- In many cases, while attempting to capture the physical memory of a VBS-enabled system, it may identify the drivers as malicious, which can result in a Blue Screen of Death (BSOD).
- The Blue Screen of Death is an error screen displayed by a Windows system.
- A BSOD indicates a system crash and may be caused by reasons such as hardware failure or the unexpected termination of some crucial process.
- A BSOD can result in wiping out all the information stored in the physical memory of the system.

What is a process?
- A process is an instance of a program currently running on a computer system,
  or
- A process is the basic unit of execution that runs in an operating system.
- When a program is executed, a new process is generated, which allows threads to run.
- When a process is created, process memory is allocated by the operating system.
- Every process has its own handle table, which resides in kernel space.
- This structure contains various details about the process, like the process name, process ID, parent process name and ID, creation and exit time, etc.
- The operating system keeps track of all active processes in a doubly linked list, and this is how Task Manager shows the processes running in a system.

What is a DKOM attack?

1. A DKOM (Direct Kernel Object Manipulation) attack is a sophisticated rootkit technique used by attackers to modify kernel memory objects in order to hide malicious activities and escalate privileges within an operating system.
2. This type of attack involves modifying the kernel data structures the operating system uses to manage processes, threads, and other system objects, without going through the standard APIs or interfaces.

DKOM targets:
1. Hide processes or malicious activities
2. Hide tokens
3. Hide threads
4. Hide files
5. Hide network connections
6. Install a backdoor for future access to the system

- In a DKOM attack, the process structure can unlink itself from the doubly linked list, so the pslist plugin does not show that process in its output.
- To get those unlinked, hidden and terminated processes, the psscan plugin can be used.
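The pslist-versus-psscan difference is easiest to see in a small model of the data structure involved. The following is an added example, not part of the original notes and not Volatility's code: it builds a toy circular doubly linked process list in the style of the kernel's active-process list, unlinks one object the way a DKOM rootkit does, terminates another the way the OS does, and then compares a list walk (what pslist does) with a scan over every allocated object (what psscan does). The pool tag, process names and PIDs are constructed for the demo.

```python
# Added example (not part of the original notes): a toy model of the kernel's
# process list showing why a DKOM-unlinked process vanishes from a list walk
# (what pslist does) but is still found by a memory scan (what psscan does).
from dataclasses import dataclass
from typing import List, Optional

POOL_TAG = b"Proc"   # constructed stand-in for the pool tag a scanner carves on


@dataclass
class Process:
    pid: int
    name: str
    tag: bytes = POOL_TAG
    exited: bool = False
    flink: Optional["Process"] = None   # forward link (ActiveProcessLinks.Flink)
    blink: Optional["Process"] = None   # backward link (ActiveProcessLinks.Blink)


class KernelMemory:
    """A circular doubly linked list head plus the pool every object lives in."""

    def __init__(self):
        self.head = Process(0, "<list head>")
        self.head.flink = self.head.blink = self.head
        self.pool: List[Process] = []

    def create(self, pid: int, name: str) -> Process:
        p = Process(pid, name)
        last = self.head.blink
        last.flink, p.blink, p.flink, self.head.blink = p, last, self.head, p
        self.pool.append(p)
        return p

    def unlink(self, p: Process) -> None:
        """Splice p out of the list. The object stays allocated and its threads
        keep running, because the scheduler does not consult this list."""
        p.blink.flink = p.flink
        p.flink.blink = p.blink
        p.flink = p.blink = p

    def dkom_hide(self, p: Process) -> None:
        """What a DKOM rootkit does: unlink without terminating."""
        self.unlink(p)

    def terminate(self, p: Process) -> None:
        """What the OS does on exit: unlink and mark the object; the memory
        may linger in the pool until it is reused, which is why psscan also
        reports terminated processes."""
        self.unlink(p)
        p.exited = True


def walk_active_list(mem: KernelMemory) -> List[int]:
    """pslist-style view: follow the forward link from the head until it wraps."""
    pids, cur = [], mem.head.flink
    while cur is not mem.head:
        pids.append(cur.pid)
        cur = cur.flink
    return pids


def scan_pool(mem: KernelMemory) -> List[int]:
    """psscan-style view: ignore the links, take every object carrying the tag."""
    return [p.pid for p in mem.pool if p.tag == POOL_TAG]


def hidden_processes(mem: KernelMemory) -> List[int]:
    """Cross-view check: in the scan but not in the list, and not merely exited."""
    listed = set(walk_active_list(mem))
    return sorted(p.pid for p in mem.pool
                  if p.tag == POOL_TAG and p.pid not in listed and not p.exited)


def demo():
    mem = KernelMemory()
    mem.create(4, "System")
    mem.create(600, "explorer.exe")
    implant = mem.create(1337, "implant.exe")   # constructed name
    gone = mem.create(2200, "notepad.exe")
    mem.dkom_hide(implant)
    mem.terminate(gone)
    return walk_active_list(mem), scan_pool(mem), hidden_processes(mem)


if __name__ == "__main__":
    listed, scanned, hidden = demo()
    print("pslist-style :", listed)
    print("psscan-style :", scanned)
    print("hidden       :", hidden)
```

The exit flag plays the role of the exit time that psscan prints: a process present in the scan but absent from the list is only interesting when it has no exit time, otherwise it is just a terminated process whose memory has not been reused yet.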

Explain hollow process injection?

Hollow process injection is a sophisticated technique used by attackers to inject malicious code into the memory space of a legitimate, running process, in order to evade detection and execute malicious code under the cover of the legitimate process.
Common techniques:
DLL injection: Malicious DLLs are injected into the target process, causing it to load and execute the attacker's code.
Code injection: Instead of injecting a DLL, the attacker directly injects their own executable code into the memory space of the target process.
How it works:
- Select a target process: An attacker identifies a legitimate process running on the system (such as explorer.exe or svchost.exe).
- Suspend the target process: The attacker suspends the target process so it temporarily stops its execution. This is necessary to safely manipulate the process's memory.
- Process hollowing: Memory allocation: the attacker allocates memory within the suspended process using functions like VirtualAllocEx (VAD). Memory writing: the malicious code, typically a DLL or shellcode, is written into the allocated memory using functions like WriteProcessMemory (WCX).
- Inject malicious code: The malicious code is written into the memory of the suspended process. This can include payloads like reverse shells and exploits.
- Modify the process's context: The attacker alters the target process's execution context, such as its entry point, so that when the process is resumed, it begins executing the injected code instead of its original code.
- Resume the process: The target process is resumed, but now, instead of executing its normal code, it begins executing the injected code, which allows the attacker to run their payload while maintaining the appearance of a legitimate process.

Key Points:
- Stealth: By executing malicious code within a legitimate process, attackers can evade detection by traditional security solutions.
- Privilege Escalation: Allowing the attacker to perform malicious actions with increased permissions.
- Persistence: Malicious code can be injected into processes that start automatically on system boot, ensuring persistence.
- Evasion: Hollow process injection can bypass security solutions that rely on signature-based detection or process behaviour analysis.
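From the analyst's side, the sequence above leaves two memory artifacts: the allocation made with VirtualAllocEx shows up as a private (not file-backed) region that is both writable and executable, and the region at the process's image base is no longer backed by the executable the process claims to be. The following is an added example, not part of the original notes and not Volatility's code: it runs those two checks, in the spirit of the malfind-style plugins the module 1 notes mention, over constructed VAD records for one clean process and one hollowed process. Addresses, protections and paths are constructed for the demo.

```python
# Added example (not part of the original notes): detection logic in the spirit
# of malfind-style checks, run over constructed VAD records for one clean
# process and one hollowed process.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Vad:
    start: int
    end: int
    protection: str             # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]  # backing image on disk; None for private memory
    first_bytes: bytes          # what sits at the start of the region


@dataclass
class ProcessView:
    pid: int
    exe_path: str               # from the command line / PEB ImagePathName
    image_base: int             # PEB.ImageBaseAddress
    vads: List[Vad] = field(default_factory=list)


def suspicious_region(vad: Vad) -> List[str]:
    """Private (file-less) memory that is both writable and executable, or that
    holds a PE header, is how injected code and hollowed images show up."""
    reasons = []
    private = vad.mapped_file is None
    if private and "EXECUTE" in vad.protection and "WRITE" in vad.protection:
        reasons.append("private executable+writable region")
    if private and vad.first_bytes.startswith(b"MZ"):
        reasons.append("PE header in unbacked memory")
    return reasons


def scan_process(proc: ProcessView) -> List[Tuple[str, str]]:
    findings = [(hex(v.start), r) for v in proc.vads for r in suspicious_region(v)]
    # Hollowing check: the VAD holding the image base should be backed by the
    # very file the process claims to be running.
    base = next((v for v in proc.vads if v.start <= proc.image_base < v.end), None)
    if base is None:
        findings.append((hex(proc.image_base), "image base not covered by any VAD"))
    elif base.mapped_file != proc.exe_path:
        findings.append((hex(base.start),
                         f"image base backed by {base.mapped_file!r}, expected {proc.exe_path!r}"))
    return findings


def demo():
    svchost = r"C:\Windows\System32\svchost.exe"
    clean = ProcessView(600, svchost, 0x7FF6_0000_0000, [
        Vad(0x7FF6_0000_0000, 0x7FF6_0001_0000, "PAGE_EXECUTE_WRITECOPY", svchost, b"MZ\x90\x00"),
        Vad(0x0000_0200_0000, 0x0000_0210_0000, "PAGE_READWRITE", None, b"\x00\x00\x00\x00"),
    ])
    hollowed = ProcessView(1337, svchost, 0x0000_0040_0000, [
        # original image unmapped and replaced by a private RWX region holding a PE header
        Vad(0x0000_0040_0000, 0x0000_0041_0000, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00"),
        Vad(0x0000_0200_0000, 0x0000_0210_0000, "PAGE_READWRITE", None, b"\x00\x00\x00\x00"),
    ])
    return scan_process(clean), scan_process(hollowed)


if __name__ == "__main__":
    for label, findings in zip(("clean", "hollowed"), demo()):
        print(label, findings if findings else "no findings")
```

Legitimate software (JIT compilers, some packers, debuggers) also creates private executable regions, so these checks are a triage filter to be read alongside the process tree, parent process and command line rather than a verdict on their own.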

Fundamentals of Process Memory?

- The fundamental process of memory in computing refers to how an operating system stores, retrieves, and manages data in its memory.
- Each process has its own process memory.
- When a process is started by any program, memory is allocated to the process and the process executable is loaded into memory with memory protection WCX, along with all DLLs, the thread stacks, the PEB and the process heap.
- The PEB stores metadata such as where the executable is loaded and what its full path is. The PEB also contains three doubly linked lists: LoadOrderList, MemoryOrderList and InitOrderList.
- These doubly linked lists contain all the loaded modules.
- LoadOrderList keeps track of all modules in the order in which they were loaded.
- MemoryOrderList keeps track of all modules, but in the order in which they reside in memory.
- InitOrderList does not keep track of the exe.

The fundamental process of memory in computing refers to how a computer system stores, retrieves, and manages data in its memory.

Here's a breakdown of the key stages and concepts in the memory process:

1. Memory Allocation
- Static Allocation: Memory is allocated at compile time. The size and structure of memory are determined before the program runs.
- Dynamic Allocation: Memory is allocated during runtime, allowing programs to request memory as needed (e.g., using functions like malloc() in C).

How it works:
When a program is launched, the operating system allocates a certain amount of memory space for the program.

2. Memory Segmentation: Memory is divided into different segments based on usage:
- Code Segment: Contains the executable code of the program.
- Data Segment: Stores global variables and static variables.
- Heap: Used for dynamic memory allocation (e.g., malloc() in C).
- Stack: Stores function call information, local variables, and return addresses.

Each of these segments has a different role and is managed separately by the operating system.

3. Reading and Writing Data
- Reading: When a program needs to retrieve data from memory, the CPU issues a read command to the memory, which returns the data stored at a specific address.
- Writing: When a program modifies or stores new data, the CPU writes the data to a specific location in memory.

Both reading and writing happen very quickly in RAM and occur whenever the CPU needs to access data.

4. Memory Addressing
- Physical Addressing: Refers to the actual location in the physical RAM where data is stored.
- Logical Addressing: The operating system and hardware manage the translation between logical and physical addresses using mechanisms like paging.

5. Memory Management
The Operating System (OS) plays a critical role in managing memory through techniques like:
- Paging: Divides memory into fixed-size blocks (pages) and maps them into physical memory, making it easier to manage and allocate memory.
- Segmentation: Divides memory into variable-sized blocks (segments) based on logical divisions, like code, data, and stack.

6. Memory Protection: Prevents programs from accidentally or maliciously accessing memory allocated to other programs or the OS itself.

Understanding Rootkits and Fileless Malware?

- Rootkits: Rootkits are malicious software designed to gain unauthorized access and maintain control over a system while hiding their presence.
- Fileless Malware: Fileless malware operates in memory rather than on disk, making it harder to detect using traditional file-based approaches.
- A rootkit is a program which modifies the functionality of the operating
It can be done by hooking the API or unlinking the process from the doubly linked list (DKOM attack).
There are two types of rootkits:
1. User space rootkits
2. Kernel space rootkits
- In simple terms, if any modification is done by malware in user space, it is called a user space rootkit.
- If any modification is done in kernel space, it is called a kernel space rootkit.
Some common user mode rootkit techniques:
- IAT hooking
- Inline API hooking
Some kernel mode rootkit techniques:
- SSDT (System Service Descriptor Table) hooking
- DKOM (Direct Kernel Object Manipulation)

API call flow?

When a process is created, process memory is allocated, and the executable is loaded along with all its DLLs. A thread is also created which runs code within that executable. Let's say the code says to run the WriteFile function, which resides in kernel32.dll. The thread has to call that function.

The executable contains an IAT (Import Address Table), which is a table of function pointers, meaning it contains details about the location (address) of each imported function. The WriteFile function within kernel32.dll calls another function, NtWriteFile, within ntdll.dll.

A function with the same name, NtWriteFile, also resides within ntoskrnl.exe in the kernel. So the ultimate objective is to call this kernel function. The job of the user space NtWriteFile function is to run an instruction (SYSENTER [32 bit] or SYSCALL [64 bit]) and send the thread running in user space to kernel space.

- API Hooking: The idea of hooking is to intercept or modify the behaviour of API functions.
Types of Hooking
- IAT hooking
- Inline API hooking
- Virtual Table hooking

There are various places where an attacker can perform hooking. First the attacker has to inject code into the memory. Now, to know what the victim is writing to the file, he can modify the pointer in the IAT pointing towards the WriteFile function so that it points to malicious code. After that, the malicious module will call the actual WriteFile function. It is like a man-in-the-middle attack.

Use Cases of API Hooking:

Security Monitoring: Detecting malware and malicious activity; monitoring system calls and API usage; protecting sensitive data.
Debugging: Tracing function calls and parameters; setting breakpoints and inspecting variables.
Performance Monitoring: Measuring function execution time and resource usage.
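Both hooking techniques named above are detectable with a cross-check against the loaded-module map: an IAT entry for a kernel32.dll function must point inside kernel32.dll, and the first instruction of a function must not jump out of the module that owns it. The following is an added example, not part of the original notes and not any tool's code: it implements both checks over a constructed 32-bit module map, a constructed IAT and constructed function prologues (the addresses, the "implant" region at 0x20000000 and the prologue bytes are assumptions for the demo).

```python
# Added example (not part of the original notes): the two cross-checks an
# analyst runs for IAT hooks and inline hooks, over constructed 32-bit
# module maps, a constructed IAT and constructed function prologues.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Name of the loaded module covering addr, or None for unbacked memory."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def check_iat(iat: Dict[Tuple[str, str], int], modules: List[Module]) -> List[str]:
    """IAT hook check: every imported pointer must land inside the DLL it claims
    to import from. iat maps (dll, function) -> pointer stored in the table."""
    findings = []
    for (dll, func), ptr in iat.items():
        owner = owner_of(ptr, modules)
        if owner is None:
            findings.append(f"{dll}!{func} -> {ptr:#x} points into unbacked memory")
        elif owner.lower() != dll.lower():
            findings.append(f"{dll}!{func} -> {ptr:#x} points into {owner}, not {dll}")
    return findings


def check_inline(func: str, addr: int, code: bytes, modules: List[Module]) -> Optional[str]:
    """Inline hook check: decode a JMP rel32 (E9) or PUSH imm32 / RET (68 .. C3)
    at the function start and flag it if control leaves the owning module."""
    target = None
    if code[:1] == b"\xE9" and len(code) >= 5:
        rel = struct.unpack_from("<i", code, 1)[0]
        target = (addr + 5 + rel) & 0xFFFFFFFF
    elif code[:1] == b"\x68" and len(code) >= 6 and code[5:6] == b"\xC3":
        target = struct.unpack_from("<I", code, 1)[0]
    if target is None:
        return None
    if owner_of(target, modules) != owner_of(addr, modules):
        dest = owner_of(target, modules) or "unbacked memory"
        return f"{func} at {addr:#x} jumps to {target:#x} ({dest})"
    return None


def demo():
    modules = [Module("kernel32.dll", 0x76000000, 0x100000),
               Module("ntdll.dll", 0x77000000, 0x200000)]
    # Constructed IAT: one good pointer, one into unbacked memory, one into the wrong DLL.
    iat = {("KERNEL32.dll", "WriteFile"): 0x76012340,
           ("KERNEL32.dll", "ReadFile"): 0x20000100,
           ("ntdll.dll", "NtWriteFile"): 0x76000500}
    write_file = 0x76012340
    hooked = b"\xE9" + struct.pack("<i", 0x20000000 - (write_file + 5))   # jmp 0x20000000
    clean = b"\x8B\xFF\x55\x8B\xEC"          # mov edi,edi ; push ebp ; mov ebp,esp
    return (check_iat(iat, modules),
            check_inline("WriteFile", write_file, hooked, modules),
            check_inline("WriteFile", write_file, clean, modules))


if __name__ == "__main__":
    iat_findings, hooked_result, clean_result = demo()
    for f in iat_findings:
        print("IAT:", f)
    print("inline (hooked):", hooked_result)
    print("inline (clean): ", clean_result)
```

A jump at a function start is not a hook by itself (the `mov edi,edi` prologue exists precisely so that hot-patching can install one, and forwarded exports legitimately jump between DLLs), which is why the check keys on where the jump lands rather than on the presence of the jump.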

4th module

What is the use of Kali Linux?

- Kali Linux is a free and open-source Debian-based Linux distribution specifically designed for digital forensics and penetration testing.
- It is developed and maintained by Offensive Security.
- It is used by security professionals, ethical hackers, and penetration testers to identify and prevent security breaches.
Here are some of the key uses of Kali Linux:
- Penetration Testing: Provides a wide range of 600+ tools for penetration testing.
- Digital Forensics: Kali Linux is used for digital forensics, including data recovery.
- Network Security: Kali Linux is used for network security testing, including network.
- Ethical Hacking: Kali Linux is used by ethical hackers to identify and exploit vulnerabilities.
- Security Research: Kali Linux is used by security researchers to test and evaluate the
- Training and Education: Kali Linux is used in training and education programs for security
- Vulnerability Management: Identify and protect from cyber-attacks.
- Security Auditing: Security audits can help identify issues such as outdated software, weak controls, inadequate encryption, and misconfigurations.

1. What is a Package in Linux?

A package in Linux is a compressed archive file that contains software files, configuration files, libraries, and resources essential for installing and managing software on the system.

2. What is Linux Package Management?

Package managers help to automate the process of obtaining packages, installing packages, upgrading packages, removing packages, and handling dependencies on a Linux system.

3. Popular Package Managers in Linux?

1. APT (Advanced Package Tool): Debian, Ubuntu, and derivatives
o apt-get install — Install a package.
o apt-get update — Update the package list.
o apt-get upgrade — Upgrade installed packages.
o apt-get remove — Remove a package.
o apt-cache search — Search for a package (apt-get itself has no search subcommand).

2. DNF (Dandified YUM): Fedora, RHEL, CentOS, and derivatives (e.g. Linux.
o dnf install — Install a package.
o dnf update — Update all packages.
o dnf remove — Remove a package.
o dnf search — Search for a package.

3. YUM (Yellowdog Updater, Modified): Older versions of Fedora, RHEL, and CentOS
o yum install — Install a package.
o yum update — Update all packages.
o yum remove — Remove a package.
o yum search — Search for a package.

4. Zypper: openSUSE and SUSE Linux Enterprise.
o zypper install — Install a package.
o zypper update — Update all packages.
o zypper remove — Remove a package.
o zypper search — Search for a package.

5. Snap: Ubuntu, Debian, Fedora, and other distributions.
o snap install — Install a Snap package.
o snap remove — Remove a Snap package.
o snap list — List installed Snap packages.

6. RPM (Red Hat Package Manager): (e.g., RHEL, Fedora, CentOS,
 rpm -i — Install an RPM package.
 rpm -e — Remove an installed RPM package.
 rpm -U — Upgrade an existing package with a new .rpm.
 rpm -q — Query the installed
 rpm -V — Verify the integrity of an installed package.

7. DPKG (Debian Package): (e.g., Debian, Ubuntu, Linux OS, Kali Linux.
 dpkg -i — Install a .deb package.
 dpkg -r — Remove a package.
 dpkg -P — Purge a package (remove it completely, including
 dpkg -l — List all installed packages.
 dpkg -S — Find which package a file belongs to.

8. Pacman: Arch Linux and derivatives.
o pacman -S — Install a package.
o pacman -Syu — Update the system.
o pacman -R — Remove a package.
o pacman -Ss — Search for a package.

9. Flatpak: Fedora, Ubuntu, Arch, and other distributions (cross-platform).
o flatpak install — Install a Flatpak package.
o flatpak uninstall — Uninstall a Flatpak package.
o flatpak update — Update Flatpak packages.

10. Nix: NixOS and other Nix-based systems.
o nix-env -i — Install a package.
o nix-env -u — Update a package.
o nix-env -e — Remove a package.

11. Aptitude: It performs package installation, removal, and upgrade by using the
arrow keys and highlighting the selected option.
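Of the commands listed above, `rpm -V` is the one an examiner reaches for first, because it compares every installed file against the package database and so shows which system binaries have been altered. The script below is an added example, not part of these notes or of rpm itself: it parses constructed `rpm -Va` output and separates files whose content, size or mode changed from files that merely carry a new timestamp. The flag letters follow the rpm(8) manual; the paths and flags in the sample are made up.

```python
# Added example, not from the notes: interpret `rpm -Va` output.
# rpm(8) prints nine flag columns per file; each is '.' when the test
# passed or a letter when it failed:
#   S size  M mode  5 digest  D device  L link  U user  G group  T mtime  P caps
# An optional attribute column follows, e.g. 'c' for a config file, and a
# file that no longer exists is reported with the word "missing" instead.

# Constructed sample output: paths and flags are illustrative, not from a real host.
SAMPLE_RPM_VA = """\
S.5....T.    /usr/bin/ls
.......T.    /usr/lib64/libexample.so.1
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/sbin/sshd
..5......    /usr/bin/sudo
.M.......    /usr/bin/passwd
"""

FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}


def parse_rpm_verify(text):
    """Yield (path, attribute, failed_tests) for each non-empty line."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        path = parts[-1]
        attr = parts[1] if len(parts) == 3 else ""
        if parts[0] == "missing":
            yield path, attr, {"missing"}
            continue
        failed = {FLAG_NAMES[c] for c in parts[0] if c in FLAG_NAMES}
        yield path, attr, failed


def suspicious_files(text):
    """Paths worth a closer look: missing files, files whose mode changed, and
    non-config files whose digest or size changed.  Config files ('c') are
    routinely edited by administrators, so a digest change alone is not
    flagged for them; an mtime change on its own is ignored for every file."""
    hits = []
    for path, attr, failed in parse_rpm_verify(text):
        if "missing" in failed or "mode" in failed:
            hits.append(path)
        elif attr != "c" and failed & {"digest", "size"}:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for p in suspicious_files(SAMPLE_RPM_VA):
        print("investigate:", p)
```

On a live system the same function runs over the real output of `rpm -Va` (all packages) or `rpm -V <package>`; if the host itself is suspect, run the rpm binary from known-good media, since a tampered rpm can misreport its own files.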

How Do Package Managers Help Users?


 Easy Software Installation
 Centralized Software Repository
 Version Management

What is the Linux Kernel?

The Linux kernel is the main component of a Linux operating system.

What does it do?
 The Linux kernel acts as an interface between the hardware and software
layers of a computer.
 It manages system resources, allocates memory and CPU time, and
determines which processes can use the CPU.

The kernel has 4 jobs:


 Memory management: Keep track of how much memory is used to store.
 Process management: Determine which processes can use the central
processing unit (CPU), when, and for how long
 Device drivers: Act as mediator/interpreter between the hardware and
 System calls and security: Receive requests for service from the processes

What is the Use of Netcat?

 Netcat is a command-line utility that reads from and writes to network
connections using TCP or UDP.
 It can be used for both attacking and security. It runs on all operating
 First, we have to open a listener port on the client side and connect it to the
server.
How it's used
Digital investigators use Netcat to establish a network listener on a suspect
program's TCP and UDP ports to gather information and analyze network
traffic.

Basic Syntax
 nc [options] [hostname] [port]
 [options]: Command-line options that modify Netcat's behavior.
 [hostname]: The target host or IP address.
 [port]: The port number to connect to or listen on.

Example commands:
 nc -l -p 4444
 nc [Target IP Address] [Target Port]
 Use: Netcat is used to establish a connection between two devices.

What to collect while using Netcat


⮚ date - print or set the system date and time
⮚ uname - print system information
⮚ whoami - print effective user ID
⮚ who - show who is logged in
⮚ last - list last logged-in users
⮚ history - display the command history list
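As an added example that is not part of these notes, the listener/sender pattern behind the two nc commands above (`nc -l -p 4444` on the forensic workstation, the output of the commands just listed piped into `nc <workstation-ip> 4444` on the suspect host) is reproduced here in Python on the loopback interface, with the one step the commands lack: both ends hash the transmitted data, so the capture can be shown to have arrived intact. The command output is constructed; the host name, user and addresses are placeholders.

```python
import hashlib
import socket
import threading

# Added example, not from the notes: the evidence-collection pattern
#   workstation:   nc -l -p 4444 > volatile.txt
#   suspect host:  (date; uname -a; whoami; who; last; history) | nc <ws-ip> 4444
# run over loopback so it works offline.  The listener stores what arrives
# and hashes it; the sender hashes what it sent; the digests must match
# before the capture is trusted.

# Constructed stand-in for the command output a suspect host would pipe into
# netcat; nothing here was captured from a real system.
SAMPLE_VOLATILE_DATA = b"""### date
Mon Jan  1 10:00:00 UTC 2024
### uname -a
Linux host-under-review 6.1.0 #1 SMP x86_64 GNU/Linux
### whoami
analyst
### who
analyst  pts/0  2024-01-01 09:55 (192.0.2.10)
### last
analyst  pts/0  192.0.2.10  Mon Jan  1 09:55  still logged in
### history
    1  uname -a
    2  who
"""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def receive_evidence(listener):
    """Workstation side: accept one connection, read until EOF, return the bytes."""
    conn, _ = listener.accept()
    with conn:
        chunks = []
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def send_evidence(host, port, data):
    """Suspect-host side: stream the data, return its digest for the case notes."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)   # signal EOF, like a closed pipe into nc
    return sha256_hex(data)


def collect_over_loopback(data):
    """Run both sides locally; return (received_bytes, sender_digest, receiver_digest)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    t = threading.Thread(target=lambda: result.update(received=receive_evidence(listener)))
    t.start()
    sender_digest = send_evidence("127.0.0.1", port, data)
    t.join()
    listener.close()
    received = result["received"]
    return received, sender_digest, sha256_hex(received)


if __name__ == "__main__":
    received, sent_hash, recv_hash = collect_over_loopback(SAMPLE_VOLATILE_DATA)
    print("bytes received:", len(received))
    print("integrity ok:", sent_hash == recv_hash)
```

With real netcat the equivalent of the sender-side digest is running the command pipeline through `tee` into `sha256sum` on the suspect host and recording the value by hand; note that plain netcat carries the data unencrypted, so the collection network should be a dedicated link or a trusted segment.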

Creating a Disk Image?

Disk imaging is the process of making exact copies of storage devices.
1. dd: A command-line utility for copying and converting data.
2. FTK Imager: A forensic imaging tool used for digital forensics investigations.
3. EnCase: A digital forensics platform that includes disk imaging.
4. dc3dd: A tool that can be used for a variety of forensic tasks, such as disk imaging.
5. dcfldd: Used for flexible disk wiping and image verification.
6. GNOME Disks: A graphical tool used for creating and restoring disk images.
7. Clonezilla: A partition and disk imaging/cloning program.
8. Magnet Acquire is the best tool for physical and logical disk imaging.
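Added example, not the notes' own code: a minimal imager in the spirit of `dd if=... of=... conv=noerror,sync` and `dc3dd ... hash=sha256`. It copies a constructed "device" block by block, writes a zero-filled block where a read fails so the image stays offset-aligned with the source, hashes the image as it is written, and re-verifies the stored image against that hash. The `FlakyDevice` class and its bad block are constructed to exercise the read-error path; they are not a real device interface.

```python
import hashlib
import io

# Added example, not from the notes: a minimal imager in the spirit of
#   dd if=/dev/sdX of=evidence.dd bs=4096 conv=noerror,sync
#   dc3dd if=/dev/sdX of=evidence.dd hash=sha256
# It copies a source block by block, writes a zero-filled block where a read
# fails (noerror: keep going; sync: keep offsets aligned), hashes the image as
# it is written, and re-checks the stored image against that hash afterwards.

BLOCK = 4096


class FlakyDevice:
    """Constructed stand-in for a block device; `bad_blocks` are block indices
    whose read raises OSError, the way a failing sector would."""

    def __init__(self, data, bad_blocks=()):
        self._data = data
        self._bad = set(bad_blocks)
        self.size = len(data)

    def read_block(self, index):
        if index in self._bad:
            raise OSError("Input/output error")
        return self._data[index * BLOCK:(index + 1) * BLOCK]


def image_device(dev, out):
    """Copy `dev` into the writable binary stream `out`.
    Returns (sha256_hex_of_image, list_of_unreadable_block_indices)."""
    digest = hashlib.sha256()
    unreadable = []
    nblocks = (dev.size + BLOCK - 1) // BLOCK
    for i in range(nblocks):
        try:
            chunk = dev.read_block(i)
        except OSError:
            unreadable.append(i)
            chunk = b""
        chunk = chunk.ljust(BLOCK, b"\0")   # sync: pad short or failed reads
        out.write(chunk)
        digest.update(chunk)
    return digest.hexdigest(), unreadable


def verify_image(image_bytes, recorded_hex):
    """Re-hash a stored image and compare with the hash taken at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == recorded_hex


def demo():
    """Image a three-block constructed device whose middle block is unreadable."""
    source = b"A" * BLOCK + b"B" * BLOCK + b"C" * BLOCK
    out = io.BytesIO()
    image_hash, bad = image_device(FlakyDevice(source, bad_blocks={1}), out)
    return out.getvalue(), image_hash, bad


if __name__ == "__main__":
    image, image_hash, bad = demo()
    print("image bytes:", len(image), "unreadable blocks:", bad)
    print("sha256:", image_hash, "verified:", verify_image(image, image_hash))
```

The list of unreadable blocks belongs in the acquisition notes alongside the hash: an image containing zero-filled blocks will never hash equal to a later re-read of the device, and the examiner needs to know which offsets hold padding rather than evidence.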

Image Analysis Using The Sleuth Kit

The Sleuth Kit is a library and collection of command-line tools that allow you
to investigate disk images.
The Sleuth Kit is capable of parsing NTFS, FAT/ExFAT.

Applications:
 Use in forensics is its main purpose
 For understanding what data is stored on a disk drive
 For recovering deleted image files

What is D.E.F.T & SANS SIFT?


D.E.F.T. (Digital Evidence & Forensics Toolkit) and SANS SIFT (SANS
Investigative Forensic Toolkit) Workstation are both Linux-based distributions
specifically designed for digital forensics and incident response tasks.

1. D.E.F.T. (Digital Evidence & Forensics Toolkit):


D.E.F.T. is a Linux-based distribution developed by the U.S. Department of
Defense Cyber Crime Center (DC3) for digital forensics and incident
response purposes.

2. SANS SIFT (SANS Investigative Forensic Toolkit) Workstation:


SANS SIFT Workstation is a Linux-based distribution developed by the SANS
Institute for digital forensics & incident response, and malware analysis
tasks.

What is login History?


Login history refers to a record of a user's past attempts to access a particular
account.

Ex: Websites and Online Services: Many websites and online services allow
users to view their login history.

Here are some key things to look for when reviewing your login history:

 Time and Date: When did the login attempt occur?
 Location: Where did the login attempt originate from? (city, country)
 IP Address: What was the IP address used for the login attempt?
 Device: What type of device was used for the login attempt (computer,
phone, etc.)?

What is a Running Process?


Running processes refer to the programs or tasks that are currently executing
on a computer system.
Process States:
 Running: The process is currently executing and utilizing CPU resources.
 Sleeping: The process is waiting for an event.
 Stopped: The process has been paused.
 Zombie: The process has completed execution, but its entry remains in the
process table until the parent process retrieves its exit status.

What are system log files?

 System logs, also known as system event logs, are records of events and
activities that occur on a computer system.
 These logs provide valuable information for monitoring, troubleshooting,
auditing, and security analysis purposes.
 In Linux operating systems, system logs are typically stored in the /var/log/
directory.
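The sshd lines in /var/log/auth.log are the login history a Linux examiner actually reads. The following is an added example, not from the notes: it parses constructed auth.log lines in the traditional syslog layout, counts failed password attempts per source address, and flags any address that logged in successfully after repeated failures. The addresses are from documentation ranges and every line is made up.

```python
import re
from collections import Counter

# Added example, not from the notes: triage of sshd entries from
# /var/log/auth.log.  Failed attempts are counted per source IP and any IP
# that then produced an "Accepted" login is reported, the pattern a
# password-guessing run leaves behind when it succeeds.

# Constructed log lines; the addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan  1 09:58:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40210 ssh2
Jan  1 09:58:03 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Jan  1 09:58:05 host sshd[2103]: Failed password for root from 198.51.100.7 port 40214 ssh2
Jan  1 09:58:09 host sshd[2105]: Accepted password for analyst from 198.51.100.7 port 40220 ssh2
Jan  1 10:01:44 host sshd[2140]: Accepted publickey for analyst from 192.0.2.10 port 51000 ssh2
Jan  1 10:02:10 host sshd[2150]: Failed password for root from 203.0.113.9 port 3300 ssh2
"""

# syslog timestamp, host, "sshd[pid]:", then the OpenSSH login result line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Return a list of dicts (ts, result, method, user, ip); other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_attempts_by_ip(events):
    """Counter of failed logins per source address."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def successes_after_failures(events, threshold=3):
    """Addresses with at least `threshold` failures that later logged in.
    Returns {ip: (failures_before_success, user_that_succeeded)}."""
    failures = Counter()
    flagged = {}
    for e in events:                      # events are processed in log order
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            flagged[e["ip"]] = (failures[e["ip"]], e["user"])
    return flagged


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures per IP:", dict(failed_attempts_by_ip(events)))
    print("success after failures:", successes_after_failures(events))
```

On systems that log through journald rather than to auth.log, `journalctl -u ssh` (or `sshd`, depending on the unit name) yields the same message bodies and the regex applies unchanged; the syslog prefix has no year, so the timestamp must be combined with the file's own dates when building a timeline.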

What is Dumping RAM?

Dumping RAM, also known as memory acquisition or memory imaging, is
the process of creating a copy of the contents of a computer's RAM onto a
storage device such as a hard drive or SSD.

5th module

Introduction to smart phone?


 The first smartphone was introduced by “IBM in 1994”, nicknamed Simon.
 A smartphone is a handheld electronic device that provides a connection to a cellular
network and the internet.
 It is a combination of a mobile phone and a computer, offering advanced technologies
with functionality similar to a personal computer.

Here is the importance of smartphones, in short points:

 Communication: Smartphones enable instant communication with loved ones through
calls, texts, emails, and social media.

 Entertainment: They offer a wide range of games, music, and video streaming services.
 Information access: Smartphones provide access to the internet, allowing users to
search for information, news, and answers to their questions.

 Organization: They can be used to store notes, reminders, and important documents.

 Safety: Smartphones can be used to call for help in emergency situations, and some
models come equipped with features like GPS and emergency SOS buttons.

 Navigation: They can be used to get directions, find nearby businesses, and navigate
unfamiliar areas.

 Multimedia: Smartphones allow users to take photos, record videos, and listen to music,
making them a great way to capture and enjoy multimedia content.

 Health and Fitness: Various health and fitness apps help users track exercise, monitor
health metrics, and maintain a healthy lifestyle.

 Financial Management: Banking apps, budgeting tools, and mobile payment systems
enable convenient financial transactions and management.

 Social Connection: Social media apps foster connections with friends, family, and
communities, enabling sharing of updates, photos, and experiences.

What are the smartphone components and identifiers?


Hardware: refers to the physical parts of the phone.

Here are some of the main ones:


o Motherboard: The main circuit board that connects all the other components.
o Processor (CPU): The brain of the phone, responsible for processing information.
o RAM (Random Access Memory): Temporary memory that stores data.
o Storage: This is where the phone stores data permanently, such as apps, photos, and
videos. There are two main types: internal storage and external storage (microSD card).
o Display: The screen you use to interact with the phone. Most smartphones use LCD or
o Battery: Provides power to the phone.
o Cameras: Most smartphones have at least two cameras, a rear-facing one for taking
o Sensors: These detect things like motion, orientation, light, and proximity.
o Microphone: Allows you to capture sound for calls, videos, and voice recordings.
o Speaker: Plays back sound from the phone.
o Antenna: Connects the phone to the cellular network and Wi-Fi.
Software: This is the set of instructions that tells the hardware what to do and what not
to do.
The two main parts of a smartphone's software are:
o Operating System (OS): The core software that manages all the phone's resources and
provides the basic functionality. Popular smartphone operating systems include Android
o Apps: Applications that provide additional functionality to the phone. These can be
downloaded from app stores like Google Play Store or Apple App Store.

Logical, file system and physical acquisition?

 Logical acquisition: captures logical storage objects such as data files and
folders, without including any deleted data.
 It is a faster and more efficient method compared to physical acquisition.
 Tools: Common tools are Cellebrite UFED, Oxygen Forensic Suite, XRY,
Mobiledit Forensic, and ADB (Android Debug Bridge).

 File system acquisition, also known as advanced logical acquisition,
captures more data than a logical acquisition. It provides access to file
system data, which can include deleted files and folders.

 Physical acquisition: This is a bit-for-bit copy of the entire storage media,
where the examiner needs to analyse each and every piece of data,
including deleted files, hidden folders and encrypted data.
Tools: Tools for physical acquisition include Cellebrite UFED, XRY and EnCase.

Introduction to forensic tools for smartphone?


Popular Mobile Device Forensic Tools:
1. Cellebrite UFED: A comprehensive forensic platform that supports a wide range of
devices and data extraction techniques.
2. Oxygen Forensic Suite: Offers a range of tools for mobile device forensics, including
data extraction, analysis, and reporting.
3. XRY: A powerful forensic toolset for extracting and analyzing data from mobile
devices.
4. Mobiledit Forensic: A user-friendly tool for extracting data from various mobile
devices.
5. ADB (Android Debug Bridge): A versatile tool for interacting with Android devices,
including data extraction and analysis.

Key Features of Mobile Device Forensic Tools:


 Data Extraction: Extracting data from various file systems, databases, and
 Data Analysis: Analysing extracted data to identify relevant information and.
 Timeline Analysis: Creating timelines of events based on timestamps and metadata.
 Cloud Data Extraction: Accessing and analyzing data stored in cloud services.
 Multimedia Analysis: Extracting and analyzing photos, videos, and audio files.
 Communication Data Analysis: Analyzing call logs, text messages, and social media
 Report Generation: Generating detailed reports of the forensic analysis

What is a cold and hot state mobile phone?

 Cold State: A mobile phone that is completely powered off and not running
any processes is considered to be in a cold state.
Characteristics:
 No power consumption.
 All processes and applications are stopped.
 Typically involves a full shutdown.

 Hot State: A hot state refers to when a mobile phone is fully powered on and
operational.
 In this state, the device is running its operating system and any active applications.
Characteristics:
 Full power consumption according to the device's current activities.
 All processes and applications are running and accessible.
 Immediate response to user inputs.

Technical Context
 Cold Boot: Refers to the process of switching on the device from a completely
powered-off state.
 Warm Boot/Restart: Refers to restarting the device without fully powering it off.

6. Mobile forensics

 Mobile forensics is a branch of digital forensics related to the recovery of
digital evidence from mobile devices.
 The mobile forensics process is broken into three main categories:
seizure, acquisition, and examination.

Challenges in mobile forensics


1. Hardware differences
2. Mobile operating systems and Device Models
3. Data Volatility
4. Encryptions
5. Cloud storage data
6. Locked Devices and Biometric Authentication
7. Mobile platform security features
8. Lack of resources
9. Preventing data modification
10. Passcode recovery
11. Device alteration
12. Lack of availability of tools
13. Malicious programs
14. Drone Investigation
15. Legal issues

Anti-forensic techniques: methods and strategies such as data hiding, data
obfuscation, data forgery, destruction of digital evidence, steganography and
secure wiping. These techniques can be used by malicious actors to conceal
their tracks or to protect their privacy.

Here are some common anti-forensic techniques:


1. Data Wiping:
o Overwriting data multiple times to make it unrecoverable.
o Using specialized software to securely erase data.
2. Encryption:
o Encrypting data to make it inaccessible without the decryption
key.
o Strong encryption algorithms can make it difficult or impossible to
decrypt data.

3. Steganography:
o Hiding data within other data, such as images or audio files.
o Makes it difficult to detect and extract hidden data.
4. Temporal Key Integrity Protocol (TKIP):
o A weak encryption protocol used in Wi-Fi networks.
o Can be exploited to compromise network security.
5. Wi-Fi Protected Access (WPA):
o An older Wi-Fi security protocol that has vulnerabilities that can be
exploited.

Android memory capturing?

1. Prepare the Device:
 Ensure that the Android device is powered on and operational, as memory
acquisition requires access to the device's volatile memory (RAM).
 Disable automatic updates, backups, and any background processes that
may alter memory contents during the acquisition process.
 Connect the Android device to a forensic workstation via a USB cable
and enable Developer Options and USB debugging in the device settings.

2. Select Memory Acquisition Method


Choose an appropriate method for capturing memory from the Android device
based on factors such as device model, operating system version, and
available tools.

Common methods include:


1. Physical Memory Dump: Extracting a raw image of the device's physical
memory (RAM) using specialized hardware or software tools.
2. Logical Memory Dump: This involves acquiring a logical copy of memory
from an operating system's running processes, typically through software
3. Live Memory Acquisition: Capturing memory contents in real-time using
software-based tools running directly on the device or via a connected
computer.
4. Remote Memory Acquisition: Capturing memory remotely over a network
connection using tools capable of accessing the device's memory without
physical access.
5. Cold Memory Acquisition: Performed on a powered-down device, usually in
the case of physical devices such as smartphones or desktops.

3. Use Memory Forensic Tools:


1. LiME (Linux Memory Extractor): A kernel module designed for capturing memory
from Linux-based systems, including Android devices. It requires root access on the
device.
2. Belkasoft Live RAM Capturer: A forensic tool for capturing live memory from
Windows, macOS, and Android devices, offering both physical and logical acquisition
methods.
3. ADB (Android Debug Bridge): Command-line tool for communicating with an
Android device from a computer, enabling memory acquisition and other forensic
tasks.
4. FTK Imager: A popular forensic tool that supports physical and logical memory
acquisition.
5. EnCase: A comprehensive digital forensics platform that includes memory acquisition
capabilities.
6. Helix: A flexible forensic tool that can be used for various types of digital forensics,
including memory acquisition.
7. Volatility Framework: An open-source framework for memory analysis, providing a
wide range of tools for memory acquisition and analysis.
8. Memdump: A command-line tool for creating memory dumps on Linux systems.

4. Verify Integrity:
After capturing memory from the Android device, verify the integrity of the
memory dump by calculating hash values (e.g., MD5, SHA-1) and comparing
them with the original device memory.

5. Documentation
Document the memory acquisition process, including the tool used, acquisition
method, date, time, and any relevant observations or anomalies.

6. Report
Generate a detailed report outlining the findings of the memory analysis,
including any potential evidence discovered and its significance to the
investigation.

1. List down evidence found from mobile device?

When investigating mobile devices, a variety of evidence types can be collected:
· Device Information: IMEI/MEID, Serial Number, Device Model, OS Version
· User Data: Contacts, Call Logs, Messages (SMS, MMS, Emails
· Multimedia: Photos, Videos, Audio Recordings, Screenshots
· Application Data: Data from installed apps, social media, Banking apps,
· Location Information: GPS Data, Wi-Fi Connections, Cell Tower Data
· Internet and Communication: Browser History, Cookies, Downloads,
· Files and Documents: Documents, Spreadsheets, Presentations
· System Logs and Configuration: System Logs, Configuration Files
· Network Connections: Bluetooth Devices, Wi-Fi Networks, Settings
· Security and Access: Stored Passwords, Biometric Data
· Financial Data: Transaction History, Cryptocurrency Wallets
· Deleted Data: Recoverable Files, Cleared Logs and History
· Device Usage and Behaviour: App Usage, Screen Time

What is a cellular network?

A cellular network, also known as a mobile network, is a network that allows mobile
devices to connect to the internet and communicate with each other through radio
waves.
Key components of cellular networks:
 Cell: A network of cell towers that divides a geographic area into cells.
 Base Station: A tower with antennas that transmits and receives radio signals.
 Mobile Switching Centre: The central system responsible for managing the
flow of data, calls, and messages across the entire network.
 Handoff: The process of transferring a call from one cell tower to another as
you move.

How it works:
1. Connection: When you turn on your mobile device, it searches for
available cellular networks and connects to the strongest signal.
2. Communication: Your device communicates with the base station using
radio waves. The base station then routes the signal through the
network to the recipient, another mobile device or a fixed-line phone.
3. Handoff: As you move from one cell to another, your device
automatically switches to the new base station, ensuring uninterrupted
service. This process is called handoff.

Different Generations of Cellular Networks:


 1G: Analog networks for voice calls only.
 2G: Digital networks for voice calls and basic data services (SMS).
 3G: Faster data speeds for mobile internet.
 4G (LTE): Even faster data speeds for high-quality video streaming and
online gaming.
 5G: The latest generation, offering significantly higher speeds, lower
latency, and greater capacity for IoT devices

How is a phone call established?

 Control Channel: Used for signaling and control information.
 Traffic Channel: Used for actual user data, such as voice calls, text
messages, and data transfers.
Forward Channel (Downlink):
 The communication path from the base station to the mobile device.
 Carries control channel information and traffic channel data to the
mobile device.
Backward Channel (Uplink):
 The communication path from the mobile device to the base station.
 Carries control channel information and traffic channel data from the
mobile device to the base station.

IMEI & IMSI?


 IMEI (International Mobile Equipment Identity)
 A unique 15-digit number specific to each individual mobile device.
 It's used to identify the device on a mobile network.
 It remains the same even if you change the SIM card in the device.
 It's often used to track stolen devices.

IMSI (International Mobile Subscriber Identity)
 A unique 15-digit number specific to each SIM card.
 It identifies the subscriber on the mobile network.
 It changes when you change your SIM card.
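Added example, not part of these notes: a check of the two identifiers above before they go into a report. The 15th digit of an IMEI is a Luhn check digit computed over the first 14 (a property of the IMEI format, not something the notes state), so a mistyped or made-up IMEI is caught early; an IMSI has no check digit but splits into MCC (3 digits), MNC (2 or 3 digits) and MSIN. The IMEI used is the commonly quoted example value 490154203237518; the IMSI 001010123456789 is constructed around the test-network code 001/01.

```python
# Added example, not from the notes: validate an IMEI's Luhn check digit and
# split an IMSI into its parts.  The Luhn rule and the MCC/MNC/MSIN layout
# come from the respective standards, not from the notes.


def luhn_check_digit(digits):
    """Return the digit that makes `digits` + that digit pass the Luhn test."""
    total = 0
    # Walk from the right; the rightmost of these digits is doubled because
    # the check digit will be appended after it.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def validate_imei(imei):
    """True for a 15-digit IMEI whose 15th digit is the Luhn check of the first 14.
    Spaces and hyphens, as printed on device labels, are ignored."""
    imei = imei.replace(" ", "").replace("-", "")
    if len(imei) != 15 or not imei.isdigit():
        return False
    return luhn_check_digit(imei[:14]) == imei[14]


def split_imsi(imsi, mnc_length=2):
    """Split an IMSI into MCC, MNC and MSIN.  The MNC is 2 digits in most of
    the world and 3 in North America, so its length is a parameter."""
    if len(imsi) != 15 or not imsi.isdigit() or mnc_length not in (2, 3):
        raise ValueError("IMSI must be 15 digits with a 2- or 3-digit MNC")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_length], "msin": imsi[3 + mnc_length:]}


if __name__ == "__main__":
    print("490154203237518 valid:", validate_imei("490154203237518"))   # example IMEI
    print("490154203237519 valid:", validate_imei("490154203237519"))   # one digit off
    print(split_imsi("001010123456789"))                                # constructed IMSI
```

A valid check digit only proves the number is well-formed; it says nothing about whether the device is genuine or the IMEI unmodified, so the value still has to be compared with the label, the SIM tray and the network operator's records.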

FDMA, TDMA, and CDMA are three primary techniques used to divide a
communication channel among multiple users
FDMA (Frequency Division Multiple Access)
 How it works: Divides the available bandwidth into multiple frequency
bands, each assigned to a different user.
 Example: Analog cellular systems (like the old 1G networks)

TDMA (Time Division Multiple Access)
 How it works: Divides time into slots, allocating each slot to a different
user
 Example: GSM cellular networks
CDMA (Code Division Multiple Access)
 How it works: Assigns a unique code to each user, allowing multiple
users to share the same frequency band simultaneously.
 Example: 3G and 4G cellular networks.

What is GSM?
 GSM stands for Global System for Mobile Communication developed by
European.
 It's a standard technology for second-generation (2G) cellular networks.
 It was the dominant mobile communication technology for many years,
enabling voice calls, SMS messaging, and basic data services.
 It uses 4 different frequency bands 850 MHz, 900 MHz, 1800 MHz, and
1900 MHz.
 It uses the combination of FDMA and TDMA.
Features of GSM
 Supports international roaming
 Clear voice clarity
 Ability to support multiple handheld devices.
LTE (Long Term Evolution)
 Introduced: Late 2000s
 Type: 4G (Fourth Generation)
Long Term Evolution (LTE) is a high-speed wireless communication standard
designed to improve the performance of mobile networks

What are IAT and SSDT?


Import Address Table (IAT)
The Import Address Table (IAT) is a key data structure used by Windows
operating systems to manage the dynamic linking of functions and procedures
from different dynamic link libraries (DLLs). When a program calls a function
that resides in a DLL, it uses the IAT to locate and call the function.

System Service Descriptor Table (SSDT)


The System Service Descriptor Table (SSDT) is a kernel-level structure used by
Windows operating systems to handle system calls.

1. pslist: Lists the processes running on the system by walking the doubly-
2. psscan: Scans for _EPROCESS structures in memory, which can find
processes that have been hidden or unlinked by rootkits.
3. pstree: Displays the process list in a tree structure, showing parent-child
relationships.
4. netscan: Scans for network-related structures, such as TCP and UDP
endpoints, to list active connections and listening ports.
5. dlllist: Lists the loaded DLLs for each process, which can help identify
injected or malicious DLLs.
6. handles: Enumerates the handles opened by each process, which can
include files, registry keys, and other objects.
7. cmdscan: Extracts command history from memory,
8. ssdt: Lists the System Service Descriptor Table to identify hooks placed
by rootkits.
9. hivelist: Locates and lists registry hive files present in memory.
10. hivedump: Dumps the contents of a registry hive file.
11. hashdump: Extracts password hashes from memory for offline cracking.
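pslist and psscan answer the same question from two different sources, so comparing them is how hidden processes are found (this is what psxview automates). The following is an added example, neither the notes' nor Volatility's own code: it parses constructed, abbreviated pslist and psscan tables and reports every PID that the carving scan sees but the list walk does not. A PID found this way is a lead rather than proof: a recently exited process whose _EPROCESS block has not yet been reused shows up the same way.

```python
import re

# Added example, not from the notes: the cross-view check behind psxview.
# pslist walks the kernel's linked list of _EPROCESS blocks, so a process a
# rootkit has unlinked is absent from it; psscan carves _EPROCESS structures
# out of raw memory and still finds it.  PIDs present in psscan only are
# candidates for hidden (or recently terminated) processes.

# Constructed, abbreviated tables in the shape of Volatility 2 output.
# Offsets and PIDs are made up.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds
------------------ -------------------- ------ ------ ------ --------
0xfffffa8001a0d040 System                    4      0     90      600
0xfffffa8002b3c7d0 explorer.exe           1428   1380     30      900
0xfffffa8002c11b30 svchost.exe             884    560     14      400
"""

SAMPLE_PSSCAN = """\
Offset(P)          Name                PID   PPID PDB
------------------ ---------------- ------ ------ ------------------
0x000000003e9f2040 System                4      0 0x0000000000187000
0x000000003f0c17d0 explorer.exe       1428   1380 0x00000000270a3000
0x000000003f22cb30 svchost.exe         884    560 0x000000002d5b1000
0x000000003f4a1060 hidden.exe         2204    884 0x0000000031c02000
"""

# A data row starts with a hex offset, then name, PID and PPID; header and
# separator rows do not match and are skipped.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")


def parse_process_table(text):
    """Return {pid: (name, ppid)} from a pslist- or psscan-style table."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[int(m["pid"])] = (m["name"], int(m["ppid"]))
    return procs


def hidden_processes(pslist_text, psscan_text):
    """PIDs visible to the carving scan but missing from the linked-list walk."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    return {pid: scanned[pid] for pid in scanned.keys() - listed.keys()}


if __name__ == "__main__":
    for pid, (name, ppid) in sorted(hidden_processes(SAMPLE_PSLIST, SAMPLE_PSSCAN).items()):
        print(f"psscan-only PID {pid}: {name} (parent {ppid})")
```

Follow-up on a psscan-only hit is the rest of the plugin list above: dlllist and handles for what the process touched, netscan for its connections, and malfind or procdump to pull its code out for inspection.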

 apihooks: Identifies unexpected patches in system service tables and
IAT/EAT hooks.
 callbacks: Enumerates callback routines.
 cmdline: Shows command-line arguments for processes.
 cmdscan: Extracts command history from memory.
 connections: Lists TCP connections.
 connscan: Scans for TCP connections.
 consoles: Extracts console command history.
 crashinfo: Summarizes crash dump files.
 dlldump: Dumps DLLs from a process.
 dlllist: Lists loaded DLLs for each process.
 driverscan: Scans for driver objects.
 evtlogs: Extracts Windows event logs.
 filescan: Scans for file objects.
 handles: Lists handles opened by processes.
 hashdump: Dumps password hashes.
 hivedump: Dumps registry hive contents.
 hivelist: Lists registry hives.
 hivescan: Scans for registry hives.
 imageinfo: Identifies information about the memory image.
 kdbgscan: Scans for the KDBG structure.
 kpcrscan: Scans for the KPCR structure.
 ldrmodules: Identifies loaded, unloaded, and hidden modules.
 lsadump: Dumps LSA secrets.
 malfind: Finds hidden and injected code.
 memdump: Dumps memory ranges.
 moddump: Dumps kernel modules.
 modscan: Scans for kernel modules.
 modules: Lists loaded kernel modules.
 netscan: Scans for network artifacts.
 notepad: Extracts text from Notepad instances.
 printkey: Prints registry key contents.
 privs: Lists process privileges.
 procdump: Dumps process executables.
 psxview: Finds hidden processes.
 shellbags: Lists shellbag items.
 sockets: Lists open sockets.
 sockscan: Scans for open sockets.
 ssdt: Lists the System Service Descriptor Table.
 strings: Extracts strings from memory.
 thrdscan: Scans for threads.
 threads: Lists threads.
 vadinfo: Lists VAD (Virtual Address Descriptor) info.
 vaddump: Dumps VAD contents.
 vadtree: Shows VADs in a tree view.
 vadwalk: Walks the VAD tree.
 vboxinfo: Lists VirtualBox-related information.
 vmwareinfo: Lists VMware-related information.
 volshell: Provides an interactive shell.
 windows: Lists window stations and desktops.
 wintree: Shows window tree.
 wndscan: Scans for window objects.
Run Registry Key: The Run key specifies programs that are automatically launched whenever
a user logs on to the system.

Location:
 HKEY_CURRENT_USER (HKCU): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
 HKEY_LOCAL_MACHINE (HKLM): HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

 Run: Programs run every time a user logs in.

RunOnce: This key is similar to the Run key, but it is designed to run a program
only once; the entry is deleted after it has run at the next logon.
Usage:
 HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
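Added example, not from the notes: triage of the Run and RunOnce values under the four keys above, in the layout `reg query <key>` prints. It parses constructed output and flags values that launch from user-writable folders (AppData, Temp, Public) or start a script interpreter, which is where unwanted persistence usually sits; legitimate entries normally point into Program Files or the Windows directory. Value names and paths in the sample are made up, and a flag is a reason to look, not a verdict.

```python
import re

# Added example, not from the notes: triage of Run/RunOnce values as printed
# by `reg query`.  Values that launch from a user-writable folder or that
# start a script interpreter are flagged for review.

# Constructed output: value names and paths are made up.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDriveSync    REG_SZ    "C:\Program Files\ExampleVendor\Sync.exe" /background
    Updater         REG_SZ    C:\Users\analyst\AppData\Local\Temp\upd.exe
    Helper          REG_SZ    wscript.exe C:\Users\analyst\AppData\Roaming\helper.vbs
    Notes           REG_SZ    C:\Windows\System32\notepad.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Setup           REG_SZ    C:\Users\Public\setup.bat
"""

# One value line: four-space indent, value name, REG_SZ or REG_EXPAND_SZ, data.
ENTRY_RE = re.compile(r"^\s{4}(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<value>.+?)\s*$")

# Lower-cased path fragments that mark locations an ordinary user can write to.
WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Interpreters and loaders that a Run value rarely needs to start directly.
INTERPRETERS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def parse_reg_query(text):
    """Return [(key_path, value_name, data), ...] from reg query output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append((key, m["name"], m["value"]))
    return entries


def launches_interpreter(data_lower):
    """True if the command starts with, or its path ends in, a known interpreter."""
    exe = data_lower.lstrip('"')
    return any(exe.startswith(i) or ("\\" + i) in exe for i in INTERPRETERS)


def triage_run_entries(entries):
    """Return a list of findings, each carrying the reasons it was flagged."""
    findings = []
    for key, name, data in entries:
        low = data.lower()
        reasons = []
        if any(h in low for h in WRITABLE_HINTS):
            reasons.append("launches from a user-writable directory")
        if launches_interpreter(low):
            reasons.append("launches a script interpreter")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f["name"], "->", f["data"], "|", "; ".join(f["reasons"]))
```

The same parser works on output saved from a live system with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the other three keys), or on a `printkey` dump from the memory image; in both cases the file the value points at should be hashed and checked against the vendor's signature before any conclusion is drawn.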
