Digital Forensic (CSDC8012)
LAB MANUAL
Lab Objectives
1. To demonstrate the procedures for identification, preservation, and acquisition of digital evidence.
2. To demonstrate techniques and tools used in digital forensics for operating systems and malware investigation.
3. To demonstrate tools for mobile forensics and browser and email forensics.
4. To explore scenario-based crime forensics investigations.
Experiment 1 : Analysis of forensic images using open source tools.
+ FTK Imager
+ Autopsy
Forensic Analysis
Forensic Data Analysis (FDA) is a branch of digital forensics. It examines structured data with regard to incidents of financial crime. The aim is to discover and analyze patterns of fraudulent activities. Data from application systems or from their underlying databases is referred to as structured data.
Unstructured data, in contrast, is taken from communication and office applications or from mobile devices. This data has no overarching structure, and analysis of it means applying keywords or mapping communication patterns. Analysis of unstructured data is usually referred to as computer forensics.
Autopsy
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
Autopsy was designed to be intuitive out of the box. Installation is easy and wizards guide you through every step. All results are found in a single tree. See the intuitive page for more details.
Autopsy was designed to be an end-to-end platform with modules that come with it out of the box and others that are available from third parties. Some of the modules provide:
+ Timeline Analysis - Advanced graphical event viewing interface (video tutorial included).
+ Hash Filtering - Flag known bad files and ignore known good.
+ Keyword Search - Indexed keyword search to find files that mention relevant terms.
+ Web Artifacts - Extract history, bookmarks, and cookies from Firefox, Chrome, and IE.
+ Data Carving - Recover deleted files from unallocated space using PhotoRec.
+ Multimedia - Extract EXIF from pictures and watch videos.
+ Indicators of Compromise - Scan a computer using STIX.
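The Hash Filtering step listed above, reduced to its essentials as an added shell example (this is not Autopsy's code): every file under a directory standing in for a mounted image is hashed and sorted into known-bad (flagged), known-good (ignored) or unknown (left for review); the files and both hash sets are constructed inside the script.

```shell
#!/bin/sh
# Added example, not Autopsy's code: file-level hash filtering as in Autopsy's
# "Hash Filtering" module. Known-good hashes are ignored, known-bad are flagged,
# the rest is left for manual review. All files and hash sets are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EVIDENCE="$WORK/evidence"          # stands in for a mounted image
mkdir -p "$EVIDENCE/docs"

# Constructed file contents.
printf 'quarterly report\n'      > "$EVIDENCE/docs/report.txt"
printf 'MZ placeholder sample\n' > "$EVIDENCE/tool.exe"
printf 'just some notes\n'       > "$EVIDENCE/notes.txt"

# SHA-256 of one file; one hash per line is the hash-set format used below.
sha() { sha256sum "$1" | cut -d' ' -f1; }

# Constructed hash sets; an examiner would load an NSRL-style known-good set
# and a case-specific known-bad set here instead.
sha "$EVIDENCE/docs/report.txt" > "$WORK/known_good.txt"
sha "$EVIDENCE/tool.exe"        > "$WORK/known_bad.txt"

# Prints STATUS<TAB>sha256<TAB>path for every regular file under $1.
# grep -F -x: the hash must match a whole line literally, so a prefix of a
# longer hash or a regex metacharacter can never cause a false match.
classify_files() {
  find "$1" -type f | sort | while IFS= read -r f; do
    h=$(sha "$f")
    if   grep -qFx "$h" "$WORK/known_bad.txt";  then s=KNOWN_BAD
    elif grep -qFx "$h" "$WORK/known_good.txt"; then s=KNOWN_GOOD
    else s=UNKNOWN; fi
    printf '%s\t%s\t%s\n' "$s" "$h" "$f"
  done
}

# Number of files with the given status, for the triage summary.
count_status() { classify_files "$EVIDENCE" | grep -c "^$1" || true; }

classify_files "$EVIDENCE"
printf 'flagged: %s, ignored: %s, to review: %s\n' \
  "$(count_status KNOWN_BAD)" "$(count_status KNOWN_GOOD)" "$(count_status UNKNOWN)"
```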
Turning on Autopsy
Going to the browser
WARNING: Your browser currently has Java Script enabled.
You do not need Java Script to use Autopsy and it is recommended that it be turned off for security reasons.
Autopsy Forensic Browser 2.24
Opening new case
Directly adding the mounted image
Selecting calculate hash
( ) Ignore the hash value for this image.
(x) Calculate the hash value for this image.
( ) Add the following MD5 hash value for this image:
Getting the add image summary
Opening the dashboard
File browsing mode
Image Details
Viewing Directory
Hex Value
Exporting File
Closing back everything
Select the case to open or create a new one
CASE GALLERY
Name            Description
Okhuljasimsim   None Provided   details

Experiment 2 : Explore forensics tools in Kali Linux for acquiring, analyzing and duplicating data.
+ dd
+ dcfldd
Forensic Duplication
+ Forensic duplication is the copying of the contents of a storage device completely and without alteration. The technique is sometimes known as bitwise duplication, sector copying, or physical imaging. Forensic duplication is the primary method for collecting hard disk, floppy, CD/DVD, and flash-based data for the purpose of evidence gathering.
+ Copying files from a suspect's device using standard techniques (Windows Explorer, cutting and pasting, xcopy) or imaging of logical drives (using Ghost or Drive Image) provides some of the data for an investigation but is usually insufficient for forensic imaging and may violate best evidence rules.
+ Note: When applied to a drive as a whole, this imaging is generally not sufficient. Copies of individual files can be made and used as evidence (such as those gathered in a live acquisition or from a shared drive), but it needs to be documented why bitwise imaging was not performed, and the examiner needs to understand the limitations.
DD
+ The dd tool is used to copy bits from one file to another. Copying bits in this manner is the basis for all forensic duplication tools. dd is versatile and the source code is available to the public. Furthermore, dd can be compiled on nearly every Unix platform. This section discusses the methods that dd can implement to perform a forensic duplication.
+ dd was written originally for data conversion by Paul Rubin, David MacKenzie, and Stuart Kemp. The source code and man page don't actually say what dd stands for, but it is generally thought of as "data dump." dd is included in the GNU fileutils package and can be downloaded from http://mirrors.kernel.org/gnu/fileutils
DCFLDD
+ dd in general is a data management tool and was not particularly built for forensics purposes. Therefore it has its shortcomings.
+ Nicholas Harbour of the Defense Computer Forensics Laboratory (DCFL) developed a tool that works very similarly to dd but adds many features to support forensic data acquisition. dcfldd offers the following options:
  o Log errors to an output file for analysis and review
  o Various hashing options: MD5, SHA-1, SHA-256, etc.
  o Indicating the acquisition progress
  o Split image file into segmented volumes
  o Verify acquired data with the original source
Description
Getting device mount directory
Duplicating data and generating hash using dd
dd if=/dev/sde1 bs=2048 | md5sum
Using DCFLDD
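The acquisition steps of this experiment (bitwise copy with dd, hashing, verification against the source, and splitting into segmented volumes as dcfldd's split option does) carried through as one added shell script; these are not the manual's own commands, a constructed 1 MiB file stands in for a device such as /dev/sde1, and all file names are assumed.

```shell
#!/bin/sh
# Added example, not from the manual: acquire a bitwise image with dd, hash
# source and image, verify them, then split the image into segmented volumes
# the way dcfldd's split= option does and check that they reassemble intact.
# A constructed 1 MiB file stands in for a device such as /dev/sde1.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/evidence.raw"      # constructed stand-in for the suspect device
IMG="$WORK/evidence.dd"       # the forensic image
LOG="$WORK/acquisition.log"   # dd's transfer summary plus recorded hashes

# Constructed sample data: 1 MiB of pseudo-random bytes.
dd if=/dev/urandom of="$SRC" bs=1024 count=1024 2>/dev/null

# SHA-256 of a file, the value dcfldd hash=sha256 hashlog= would record.
hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# Bitwise duplicate. dd copies raw blocks and interprets no filesystem
# structure; conv=noerror,sync continues past read errors and zero-pads the
# unreadable block so every later offset in the image still lines up with
# the source. bs must divide the source size exactly, otherwise sync pads the
# final block and the image hash will no longer match the source hash.
acquire_image() {
  dd if="$SRC" of="$IMG" bs=4096 conv=noerror,sync 2>>"$LOG"
  printf 'source sha256: %s\n' "$(hash_file "$SRC")" >>"$LOG"
  printf 'image  sha256: %s\n' "$(hash_file "$IMG")" >>"$LOG"
}

# Succeeds only if the image hashes identically to the source.
verify_image() { [ "$(hash_file "$SRC")" = "$(hash_file "$IMG")" ]; }

# Segmented volumes of 256 KiB (evidence.dd.aa, .ab, ...), then reassembly.
# Succeeds only if the reassembled image still matches the source hash.
split_and_verify() {
  split -b 262144 "$IMG" "$WORK/evidence.dd."
  cat "$WORK"/evidence.dd.?? > "$WORK/reassembled.dd"
  [ "$(hash_file "$WORK/reassembled.dd")" = "$(hash_file "$SRC")" ]
}

acquire_image
verify_image && echo "image verified: hashes match"
split_and_verify && echo "segments reassemble to the same hash"
cat "$LOG"
```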
Conclusion : Successfully performed Forensic Duplication

Experiment 3 : Performing penetration testing using Metasploit - Kali Linux.
Description
+ Metasploit Pro is an exploitation and vulnerability validation tool that helps you divide the penetration testing workflow into manageable sections.
+ The Metasploit Framework is a program and sub-project developed by Metasploit LLC. It was initially created in 2003 in the Perl programming language, but was later completely re-written in the Ruby programming language.
+ With the most recent release (3.7.1) Metasploit has taken exploit testing and simulation to a complete new level which has muscled out its high priced commercial counterparts by increasing the speed and lethality of exploit code in the shortest possible time.
Working with Metasploit
+ Metasploit is simple to use and is designed with ease-of-use in mind to aid penetration testers.
+ Metasploit Framework follows these common steps while exploiting any target system:
  o Select and configure the exploit to be targeted. This is the code that will be targeted toward a system with the intention of taking advantage of a defect in the software.
  o Validate whether the chosen system is susceptible to the chosen exploit.
  o Select and configure a payload that will be used. This payload represents the code that will be run on a system after a loop-hole has been found in the system and an entry point is set.
  o Select and configure the encoding schema to be used to make sure that the payload can evade Intrusion Detection Systems with ease.
  o Execute the exploit.
+ I will be taking you through this demo in BackTrack 5 [Reference 2], so go ahead and download that if you don't already have it. The reason for using BackTrack 5 is that it comes with a perfect setup for Metasploit and everything that a pen testing person would ever need.
Metasploit Framework has three work environments: the msfconsole, the msfcli interface and the msfweb interface. However, the primary and the most preferred work area is the 'msfconsole'. It is an efficient command-line interface that has its own command set and environment system.
LIST OF ALL VULNERABILITIES IN WINDOWS XP
[Link] com/product/739/[Link]?vendor_id=26
Microsoft » Windows XP : Vulnerability Statistics