Forensic Tools and Techniques Overview

The document outlines various computer forensics projects involving memory analysis, file recovery, artifact analysis, and mobile forensics using tools like Kali Linux, FTK Imager, Belkasoft RAM Capturer, Foremost, Scalpel, bulk_extractor, Volatility Framework, Autopsy, Sleuth Kit, Python, and ADB. The projects are designed to recover deleted files, identify artifacts in memory, analyze network traffic, investigate application data, and extract data from Android devices both logically and physically.

Uploaded by zaid khattak

Computer Forensics Projects

1. Kali Linux
a. RAM acquisition with FTK Imager, including the pagefile; analyse the image to
identify the following:
i. Which applications are running
ii. Application traces in RAM
iii. Why the page file is used, and how to analyse traces of the last applications
executed on the computer from the PageFile
iv. What data is saved in the PageFile while the computer is running
b. Belkasoft RAM Capturer (can be downloaded from https://[Link]/ram-capturer)
i. Find artifacts stored in memory
ii. Find traces of malware on the computer (use a VM)
iii. Tasks mentioned above for FTK Imager
c. Using Foremost for file recovery and data carving
i. Understand foremost and the switches used on the CLI
ii. Identify the headers and footers of files
iii. Recover deleted files using foremost
iv. Analyse the logs of the drive scan (store them in a .txt file) to identify
possibly deleted items
d. Using Scalpel for file carving
i. Identify headers and footers with possible false positives
ii. Analyse the [Link] file and summarise the results
iii. Tasks mentioned above for foremost
e. Compare the results of Foremost and Scalpel for the same dd file and analyse
the pros and cons of both tools.
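The carving that items c, d and e compare is header/footer matching over raw bytes. The following is an added example (not from the original assignment, and not code from foremost or scalpel): a small carver with a constructed signature table, a constructed stand-in for a dd image, and a plausibility check that flags the kind of false positive item d.i asks about (a header and footer pair with no real file structure between them). The signature table, sample image and check are all assumptions made for the example.

```python
import re

# Constructed signature table in the spirit of a foremost/scalpel config file:
# extension -> (header bytes, footer bytes, maximum carve size)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20_000_000),
    "pdf": (b"%PDF-", b"%%EOF", 50_000_000),
}


def carve(image: bytes, signatures=SIGNATURES):
    """Return [(offset, ext, data)] for every header/footer pair in the image.

    Like foremost/scalpel this ignores the file system entirely and only looks
    at byte patterns, so it also finds files whose directory entries are gone.
    """
    found = []
    for ext, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            limit = min(len(image), start + max_size)
            end_marker = image.find(footer, start + len(header), limit)
            if end_marker == -1:
                # header without a footer inside the size window: truncated file
                # or a false positive; skip it and keep scanning
                pos = start + 1
                continue
            end = end_marker + len(footer)
            found.append((start, ext, image[start:end]))
            pos = end  # resume after the carved object
    found.sort(key=lambda hit: hit[0])
    return found


def looks_plausible(ext: str, data: bytes) -> bool:
    """Cheap structural checks that weed out false-positive header hits."""
    if ext == "jpg":
        # SOI (FF D8 FF) must be followed by a real marker such as APP0/APP1/DQT/SOF0
        return len(data) > 3 and data[3] in (0xE0, 0xE1, 0xDB, 0xC0, 0xC4, 0xFE)
    if ext == "png":
        return data[12:16] == b"IHDR"  # the first chunk of a PNG is always IHDR
    if ext == "pdf":
        return re.match(rb"%PDF-\d\.\d", data[:8]) is not None
    return True


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image: filler bytes with three objects inside."""
    filler = bytes(range(256)) * 4  # deterministic "unallocated" noise
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    fake_jpg = b"\xff\xd8\xff\x00junk\xff\xd9"  # header and footer, but no JPEG structure
    return filler + png + filler + jpg + filler + fake_jpg + filler


def carve_report(image: bytes):
    """Return [(offset, ext, size, plausible)]: the summary a carving log would hold."""
    return [(off, ext, len(data), looks_plausible(ext, data))
            for off, ext, data in carve(image)]


if __name__ == "__main__":
    for off, ext, size, ok in carve_report(build_sample_image()):
        print(f"offset={off:<8} type={ext} size={size:<6} {'ok' if ok else 'FALSE POSITIVE?'}")
```

The carver resumes scanning after each footer, so an object embedded in another (a thumbnail inside a JPEG) is not reported twice; the plausibility check is what separates the genuine JPEG from the decoy that shares its header and footer bytes.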
f. Using bulk_extractor for carving. Use Kali Linux at random times and acquire
an image for analysing the following … else
[Link]
redacted/
i. Credit card numbers
ii. Email addresses
iii. URLs
iv. Online searches
v. Website information
vi. Social media profiles and information
vii. Analyse the different txt file results and produce your findings.
viii. Bonus: try finding the same files using scalpel or foremost
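bulk_extractor does not carve whole files; it scans every byte of the image for features such as e-mail addresses, URLs and credit card numbers. The block below is an added example of that idea (it is not bulk_extractor's code and the patterns are simplified assumptions): regular expressions run over a constructed buffer, a Luhn check to discard digit runs that cannot be card numbers, and a second pass over both UTF-16LE alignments so strings Windows stored as wide characters are found too. The sample buffer and the card number in it (a well-known Luhn-valid test value) are constructed.

```python
import re

# Constructed feature patterns in the spirit of the email/url/ccn scanners
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")
CCN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def text_views(buf: bytes):
    """Yield the raw buffer plus ASCII projections of both UTF-16LE alignments."""
    yield buf
    for offset in (0, 1):
        wide = buf[offset:]
        if len(wide) % 2:
            wide = wide[:-1]
        # non-ASCII code units become '?', which none of the patterns accept
        yield wide.decode("utf-16-le", errors="replace").encode("ascii", errors="replace")


def scan_buffer(buf: bytes) -> dict:
    """Return {'email': set, 'url': set, 'ccn': set} of features found in buf."""
    hits = {"email": set(), "url": set(), "ccn": set()}
    for view in text_views(buf):
        for m in EMAIL_RE.finditer(view):
            hits["email"].add(m.group().decode("ascii"))
        for m in URL_RE.finditer(view):
            hits["url"].add(m.group().decode("ascii"))
        for m in CCN_RE.finditer(view):
            digits = re.sub(r"\D", "", m.group().decode("ascii"))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits["ccn"].add(digits)
    return hits


def sample_buffer() -> bytes:
    """Constructed stand-in for a slice of unallocated space."""
    ascii_part = (b"\x00\x17\x9a\xff"
                  b"contact: analyst@example.com tel 555-0100 "
                  b"visit https://example.org/report?id=1 now "
                  b"card 4539 1488 0343 6467 exp 12/29 "   # Luhn-valid test number
                  b"ref 1234 5678 9012 3456 "              # 16 digits but fails Luhn
                  b"\x7f\x00\x13")
    wide_part = "Support: help@example.net".encode("utf-16-le")
    return ascii_part + b"\x00" * 16 + wide_part + b"\x00" * 16


if __name__ == "__main__":
    for kind, values in scan_buffer(sample_buffer()).items():
        print(kind, sorted(values))
```

Each feature type would go to its own text file, as bulk_extractor does, and the Luhn filter is what keeps the 16-digit reference number out of the ccn results while the wide-character e-mail address is still recovered.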
g. Volatility Framework. Create a memory dump with one of several tools, such as
Belkasoft RAM Capturer, FTK Imager, dd, dc3dd, Computer Aided Investigative
Environment (CAINE), Helix, and Linux Memory Extractor (LiME)
i. Investigate/analyse with the tools within the Volatility Framework
ii. Analyse memory dumps of 32-bit and 64-bit OSs and briefly describe the
differences
iii. Analyse the plugins provided by the Volatility Framework on the image taken.
iv. How to create different profiles and what their uses are.
v. Analyse the following four plugins: pslist, pstree, psscan, psxview
vi. Analysing network services and connections: connscan, sockets
vii. DLL analysis: inspect a process's loaded DLLs and the version information
of files and products, correlating different processes
h. Artifact Analysis
i. Identifying and fingerprinting devices, operating systems, and running
services with p0f and Nmap
ii. Analyzing memory dumps to discover traces of ransomware
iii. Performing swap analysis with swap_digger
iv. Using swap_digger and mimipenguin for password dumping - retrieve
artifacts running in memory by dumping memory processes that may
contain unencrypted passwords in plaintext
v. Examining the Firefox browser and Gmail artifacts using pdgmail
i. Autopsy
i. Image analysis: Analyze directories and files including sorting files,
recovering deleted files, and previewing files.
ii. File activity timelines: Create timelines based on the timestamps of files,
when they were written, accessed, and created.
iii. Image integrity: Create MD5 hashes of the image file used, as well as
individual files.
iv. Hash databases: Match the digital hashes or fingerprints of unknown
files (such as suspected malicious .exe files) against those in the NIST
National Software Reference Library (NSRL).
v. Events sequencer: Display events sorted by date and time.
vi. File analysis: Analyze the entire image file to display directory and file
information and contents.
vii. Keyword search: Allows searching using keywords and predefined
expression lists.
viii. Metadata analysis: Allows the viewing of metadata details and structures
of files that are essential for data recovery.
ix. Parsing data and indexing: Places a virtual mask over the actual
evidence. This allows views for investigators to run queries without
altering the "source data" or evidence.
x. Report generating: Allows the compilation of findings into a user-friendly
report.
j. Sleuth Kit
i. Find and list allocated and unallocated (deleted) files, and even files
hidden by rootkits.
ii. Reveal NTFS Alternate Data Streams (ADS), where files can be
concealed within other files.
iii. List files by type.
iv. Display metadata information.
v. Timeline creation
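Items i.ii, i.iii and j.v all come down to the same two operations: hashing the evidence and turning file timestamps into a timeline. The following is an added example (not Autopsy's or The Sleuth Kit's code) that reads a constructed bodyfile in the format `fls -m` produces, expands it into mactime-style events flagged m/a/c/b, and hashes an image in chunks. The three file entries, their timestamps and the prefetch file name are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed bodyfile in The Sleuth Kit's `fls -m` format:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|/Users/alice/Documents/report.docx|1234-128-1|r/rrwxrwxrwx|0|0|20480|1700000000|1699990000|1699990000|1699900000
0|/Users/alice/Downloads/invoice.exe|1240-128-1|r/rrwxrwxrwx|0|0|512000|1700003600|1700003000|1700003000|1700003000
0|/Windows/Prefetch/INVOICE.EXE-1A2B3C4D.pf (deleted)|1250-128-1|-/rrwxrwxrwx|0|0|4096|1700003700|1700003700|1700003700|1700003700
"""


def parse_bodyfile(text: str):
    """Parse bodyfile lines into dicts; fls marks unallocated entries with '(deleted)'."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"malformed bodyfile line: {line!r}")
        entries.append({
            "md5": f[0], "name": f[1], "inode": f[2], "mode": f[3],
            "uid": int(f[4]), "gid": int(f[5]), "size": int(f[6]),
            "atime": int(f[7]), "mtime": int(f[8]), "ctime": int(f[9]), "crtime": int(f[10]),
            "deleted": f[1].endswith("(deleted)"),
        })
    return entries


def build_timeline(entries):
    """Expand each entry into mactime-style events: one per distinct timestamp,
    flagged with which of m/a/c/b (modified, accessed, changed, born) it carries."""
    events = []
    for e in entries:
        by_time = {}
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            if e[key] > 0:  # 0 means the file system has no such timestamp
                by_time.setdefault(e[key], set()).add(flag)
        for ts, flags in by_time.items():
            macb = "".join(letter if letter in flags else "." for letter in "macb")
            events.append((ts, macb, e["size"], e["name"]))
    events.sort(key=lambda ev: (ev[0], ev[3]))
    return events


def format_timeline(events):
    """Render events the way mactime prints them (UTC)."""
    return [f"{datetime.fromtimestamp(ts, tz=timezone.utc):%Y-%m-%d %H:%M:%S} UTC "
            f"{size:>9} {macb} {name}"
            for ts, macb, size, name in events]


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20) -> str:
    """Hash an image (or any file) in chunks so multi-GB images fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for line in format_timeline(build_timeline(parse_bodyfile(SAMPLE_BODYFILE))):
        print(line)
```

Hash the image before and after the analysis and compare the two digests; the timeline makes the sequence "invoice.exe written, then its prefetch file created and deleted" visible at a glance, which is the kind of pattern the assignment asks you to look for.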
2. Python
a. Use Python to recover deleted items in the Recycle Bin
i. Using the OS module to find deleted items: the script should remain
independent of the operating system
ii. Python to correlate SID to user: use the Windows registry to translate
the SID into an exact username
iii. Write a small function to translate each SID into a username
iv. Create a script that prints the deleted files still in the Recycle Bin.
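Items a.i to a.iv together describe one script. The following is an added example (not the assignment's solution) of how it fits together on Vista and later, where each deleted file becomes a `$I<id>` metadata record and a `$R<id>` data file under `$Recycle.Bin\<SID>\`: the `$I` parser, a SID-to-username function that consults the ProfileList registry key on a live Windows host and otherwise falls back to a mapping you supply (for example one built from an offline SOFTWARE hive), and a walker that works on any OS against a mounted image. The sample record, path, size and deletion time are constructed.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_PATH = "C:\\Users\\alice\\Desktop\\notes.txt"            # constructed
SAMPLE_DELETED = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)  # constructed


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I<id> record.

    Layout: 8-byte version, 8-byte original size, 8-byte FILETIME of deletion,
    then the original path as UTF-16LE. Version 1 (Vista to 8.1) stores a fixed
    520-byte field; version 2 (Windows 10 and later) stores a 4-byte character
    count followed by the string.
    """
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        name = data[24:24 + 520].decode("utf-16-le", errors="replace")
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        name = data[28:28 + nchars * 2].decode("utf-16-le", errors="replace")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": name.split("\x00", 1)[0],
    }


def resolve_sid(sid: str, sid_map=None) -> str:
    """Map a SID to a user name: a supplied map wins; on a live Windows host the
    ProfileList key is consulted; otherwise the raw SID is returned unchanged."""
    if sid_map and sid in sid_map:
        return sid_map[sid]
    if sys.platform == "win32":
        import winreg
        try:
            key_path = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\" + sid
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                profile_path, _ = winreg.QueryValueEx(key, "ProfileImagePath")
            return profile_path.rstrip("\\").rsplit("\\", 1)[-1]
        except OSError:
            pass
    return sid


def list_recycle_bin(root, sid_map=None):
    """Walk <drive>\\$Recycle.Bin and return one record per $I file, with the
    path of the matching $R data file."""
    records = []
    for sid_dir in sorted(Path(root).iterdir()):
        if not sid_dir.is_dir() or not sid_dir.name.upper().startswith("S-1-5-"):
            continue
        user = resolve_sid(sid_dir.name, sid_map)
        for ifile in sorted(sid_dir.glob("$I*")):
            rec = parse_dollar_i(ifile.read_bytes())
            rec["user"] = user
            rec["data_file"] = ifile.with_name("$R" + ifile.name[2:])
            records.append(rec)
    return records


def make_sample_dollar_i(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Construct a $I record for testing (not captured from a real system)."""
    ft = ((deleted - EPOCH_1601) // timedelta(microseconds=1)) * 10
    wide = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + wide.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + wide


def sample_record(version: int = 2) -> dict:
    return parse_dollar_i(make_sample_dollar_i(SAMPLE_PATH, 1234, SAMPLE_DELETED, version))


if __name__ == "__main__":
    print(sample_record())
    for rec in list_recycle_bin(sys.argv[1]) if len(sys.argv) > 1 else []:
        print(rec["user"], rec["deleted_at"], rec["original_path"], rec["data_file"])
```

Run it with the path of a mounted `$Recycle.Bin` directory as the first argument; with no argument it parses the constructed record.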
b. Write scripts to extract metadata from files
i. PyPDF to parse PDF metadata
ii. Understand and explain the Exchangeable Image File Format (Exif) metadata
iii. Reading Exif metadata from images with the Python Imaging Library
c. Investigating application artifacts with Python
i. Understanding the Skype SQLite3 database
1. Using Python and sqlite3 to automate Skype database queries
2. Script to print out the account profile, contacts, calls, and
messages stored on the target.
ii. Parsing Firefox SQLite3 databases with Python
1. Examine what the Firefox application stores in a series of
databases
2. Firefox stores quite a bit of forensically rich data: use a Python
script to execute an SQLite SELECT statement for the appropriate
columns: name, source, and datetime
3. Run the script against the downloads.sqlite file
4. Python script to extract cookies from a user under investigation
5. Create an operating-system-independent script that works on
Windows, Linux, and Mac OS
d. Investigate iTunes mobile backups and report what can be found
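Items c.ii.2 to c.ii.5 describe one script. The following is an added example (not the assignment's solution and not Firefox's code) of that script: the SELECT over name, source and datetime against a `moz_downloads` table, a cookie query against `moz_cookies`, a read-only way of opening an evidence database, and a profile-directory finder for Windows, Linux and macOS. Because the verifier has no Firefox profile, the block builds an in-memory database with the same column names and constructed rows; the table layouts are my assumption about the old `downloads.sqlite` and `cookies.sqlite` schemas, and note that Firefox versions from 26 onwards keep download history in `places.sqlite` instead.

```python
import os
import sqlite3
import sys
from pathlib import Path

# Firefox stores PRTime (microseconds since the Unix epoch), hence the /1000000
DOWNLOADS_SQL = ("SELECT name, source, datetime(endTime/1000000, 'unixepoch') "
                 "FROM moz_downloads ORDER BY endTime")
COOKIES_SQL = "SELECT host, name, value FROM moz_cookies ORDER BY host, name"


def firefox_profile_dirs():
    """Candidate profile directories on Windows, Linux and macOS."""
    home = Path.home()
    if sys.platform == "win32":
        appdata = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        base = appdata / "Mozilla" / "Firefox" / "Profiles"
    elif sys.platform == "darwin":
        base = home / "Library" / "Application Support" / "Firefox" / "Profiles"
    else:
        base = home / ".mozilla" / "firefox"
    if not base.exists():
        return []
    return sorted(p for p in base.iterdir() if p.is_dir() and (p / "cookies.sqlite").exists())


def open_readonly(db_path) -> sqlite3.Connection:
    """Open an evidence database without modifying it: read-only and immutable,
    so no journal or WAL is replayed into the file. Work on a copy of the file."""
    uri = f"file:{Path(db_path).resolve().as_posix()}?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def query_downloads(conn):
    """Rows of (name, source, 'YYYY-MM-DD HH:MM:SS' end time)."""
    return conn.execute(DOWNLOADS_SQL).fetchall()


def query_cookies(conn):
    """Rows of (host, cookie name, cookie value)."""
    return conn.execute(COOKIES_SQL).fetchall()


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for downloads.sqlite + cookies.sqlite with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT,
                                    target TEXT, startTime INTEGER, endTime INTEGER,
                                    state INTEGER);
        CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, name TEXT,
                                  value TEXT, expiry INTEGER, lastAccessed INTEGER);
    """)
    usec = 1_000_000
    conn.executemany(
        "INSERT INTO moz_downloads (name, source, target, startTime, endTime, state) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [("report.pdf", "https://example.org/report.pdf",
          "file:///home/alice/Downloads/report.pdf",
          (1700000000 - 30) * usec, 1700000000 * usec, 1),
         ("setup.exe", "http://downloads.example.net/setup.exe",
          "file:///home/alice/Downloads/setup.exe",
          (1700003600 - 90) * usec, 1700003600 * usec, 1)])
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value, expiry, lastAccessed) VALUES (?, ?, ?, ?, ?)",
        [(".example.org", "session", "abc123", 1731000000, 1700000000 * usec),
         ("mail.example.net", "uid", "alice", 1731000000, 1700003600 * usec)])
    conn.commit()
    return conn


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # path to a profile directory from an image
        profile = Path(sys.argv[1])
        with open_readonly(profile / "downloads.sqlite") as c:
            downloads = query_downloads(c)
        with open_readonly(profile / "cookies.sqlite") as c:
            cookies = query_cookies(c)
    else:
        conn = build_sample_db()
        downloads, cookies = query_downloads(conn), query_cookies(conn)
    print("profiles on this host:", firefox_profile_dirs())
    for row in downloads:
        print("download:", *row)
    for row in cookies:
        print("cookie:", *row)
```

Opening with `mode=ro&immutable=1` is the detail that matters for evidence handling: a plain `sqlite3.connect` on a database that still has a `-wal` or `-journal` file beside it can write to the file.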
e. Network Traffic Analysis with Python
i. Geo-Locate Internet Protocol (IP) Traffic
ii. Discover Malicious DDoS Toolkits
iii. Uncover Decoy Network Scans
iv. Analyze Storm’s Fast-Flux and Conficker’s Domain Flux
v. Understand the TCP Sequence Prediction Attack
vi. Foil Intrusion Detection Systems with Crafted Packets (use python tools)
f. Wireless Confusion using Python
i. Sniffing Wireless Networks for Personal Information
ii. Listening for Preferred Networks and Identifying Hidden Wireless
Networks
iii. Taking Control of Wireless Unmanned Aerial Vehicles (may use a toy
quadcopter)
iv. Identifying Firesheep in Use
v. Stalking Bluetooth Radios
vi. Exploiting Bluetooth Vulnerabilities
g. Web Recon with Python
i. Anonymously Browsing the Internet with the Mechanize Class
1. Script that prints the HTML code for the index page
2. Anonymity – Adding Proxies, User-Agents, Cookies
ii. Mirroring Website Elements in Python Using Beautiful Soup
1. Parsing HREF Links
iii. Interacting with Google Using Python
iv. Interacting with Twitter Using Python
1. script has gathered several things about the target of our
reconnaissance automatically
2. Pulling Location Data Out of Tweets
v. Automated Spear-Phishing
3. Mobile Forensics
a. Logical data extraction using ADB pull, ADB backup, ADB dumpsys, and
content providers
b. Physical extraction, which covers imaging an Android device and SD card,
JTAG, and chip-off techniques
c. Analyzing and extracting data from Android image files using the open-source
tool, Autopsy
d. Various techniques to recover deleted files from the SD card and internal
memory
e. Analyzing some of the most widely used Android apps to retrieve valuable data
f. Techniques to reverse engineer an Android application
4. Explore BitLocker in Windows
a. How is the encryption done?
b. What is the key derivation mechanism, and what are the different types of keys
used in it, with a description of the use of each key?
c. Where are the keys/hashes stored?
d. How can a USB device encrypted with BitLocker work on another PC (which has
no knowledge of the key hash of the previous PC)? Will it calculate the reverse of
the hash if it is stored on the USB?
5. Android devices have access control permissions for individual apps; where in
Windows can we use access control for apps? How can we restrict app permissions for
the camera, GPS, compass, etc., and recover the logs for each access to these components?
6. Explore the 15 system files in an NTFS partition. Elaborate on their uses and how
they make NTFS efficient. Give examples of their uses in a separate practical case of
your choice.

