Computer Forensics Projects

The document outlines various computer forensics projects involving memory analysis, file recovery, artifact analysis, and mobile forensics using tools like Kali Linux, FTK Imager, Belkasoft RAM Capturer, Foremost, Scalpel, bulk_extractor, Volatility Framework, Autopsy, Sleuth Kit, Python, and ADB. The projects are designed to recover deleted files, identify artifacts in memory, analyze network traffic, investigate application data, and extract data from Android devices both logically and physically.

Uploaded by zaid khattak

1. Kali Linux
   a. RAM acquisition with FTK Imager, including the pagefile; analyse the image to identify the following:
      i. Which applications are running
      ii. Application traces in RAM
      iii. Why the pagefile is used and how to analyse traces of the last applications executed on the computer from the pagefile
      iv. What data is saved in the pagefile while the computer is running
   b. Belkasoft RAM Capturer (can be downloaded from https://belkasoft.com/ram-capturer)
      i. Find artifacts stored in memory
      ii. Find traces of malware on the computer (use a VM)
      iii. Tasks mentioned above for FTK Imager
   c. Using Foremost for file recovery and data carving
      i. Understanding of Foremost and the switches used in the CLI
      ii. Identify headers and footers of files
      iii. Recover deleted files using Foremost
      iv. Analyse the logs of the drive scan (store them in a .txt file) to identify possible deleted items
   d. Using Scalpel for file carving
      i. Identify headers and footers, with possible false positives
      ii. Analyse the audit.txt file and summarise the results
      iii. Tasks mentioned above for Foremost
   e. Comparing the results of Foremost and Scalpel for the same dd file and analysing the pros and cons of both tools.
   f. Using bulk_extractor for carving. Use Kali Linux randomly at various times and take the image for analysing the following … else http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/drives-redacted/
      i. Credit card numbers
      ii. Email addresses
      iii. URLs
      iv. Online searches
      v. Website information
      vi. Social media profiles and information
      vii. Analyse the different .txt result files and produce your findings.
      viii. Bonus: try finding the same files using Scalpel or Foremost
   g. Volatility Framework. Create a memory dump with one of several tools, such as Belkasoft RAM Capturer, FTK Imager, dd, dc3dd, Computer Aided INvestigative Environment (CAINE), Helix, and Linux Memory Extractor (LiME)
      i. Investigate/analyse the dump with the tools within the Volatility Framework
      ii. Analyse memory dumps for 32-bit and 64-bit OS and briefly produce the differences
      iii. Analyse the plugins provided by the Volatility Framework on the image taken.
      iv. How to create different profiles and what their uses are.
      v. Analyse the following four plugins: pslist, pstree, psscan, psxview
      vi. Analysing network services and connections: connscan, sockets
      vii. DLL analysis: inspection of a process's loaded DLLs and the version information of files and products, correlating different processes
   h. Artifact Analysis
      i. Identifying and fingerprinting devices, operating systems, and running services with p0f and Nmap
      ii. Analysing memory dumps to discover traces of ransomware
      iii. Performing swap analysis with swap_digger
      iv. Using swap_digger and mimipenguin for password dumping: retrieve artifacts present in memory by dumping memory processes that may contain unencrypted passwords in plaintext
      v. Examining Firefox browser and Gmail artifacts using pdgmail
   i. Autopsy
      i. Image analysis: analyse directories and files, including sorting files, recovering deleted files, and previewing files.
      ii. File activity timelines: create timelines based on the timestamps of files (when they were written, accessed, and created).
      iii. Image integrity: create MD5 hashes of the image file used, as well as of individual files.
      iv. Hash databases: match the digital hashes or fingerprints of unknown files (such as suspected malicious .exe files) against those in the NIST National Software Reference Library (NSRL).
      v. Events sequencer: display events sorted by date and time.
      vi. File analysis: analyse the entire image file to display directory and file information and contents.
      vii. Keyword search: allows searching using keywords and predefined expression lists.
      viii. Metadata analysis: allows the viewing of metadata details and structures of files that are essential for data recovery.
      ix. Parsing data and indexing: places a virtual mask over the actual evidence, which allows investigators to run queries without altering the "source data" or evidence.
      x. Report generating: allows the compilation of findings into a user-friendly report.
   j. Sleuth Kit
      i. Find and list allocated and unallocated (deleted) files, and even files hidden by rootkits.
      ii. Reveal NTFS Alternate Data Streams (ADS), where files can be concealed within other files.
      iii. List files by type.
      iv. Display metadata information.
      v. Timeline creation
2. Python
   a. Use Python to recover deleted items in the Recycle Bin
      i. Using the os module to find deleted items; the script should remain independent of the operating system
      ii. Python to correlate SID to user: use the Windows registry to translate the SID into an exact username
      iii. Write a small function to translate each SID into a username
      iv. Create a script that will print the deleted files still in the Recycle Bin.
   b. Write scripts to extract metadata from files
      i. PyPDF to parse PDF metadata
      ii. Understand and explain the Exchangeable image file format (Exif) metadata
      iii. Reading Exif metadata from images with the Python Imaging Library
   c. Investigating application artifacts with Python
      i. Understanding the Skype SQLite3 database
         1. Using Python and sqlite3 to automate Skype database queries
         2. Script to print out the account profile, contacts, calls, and messages stored on the target.
      ii. Parsing Firefox SQLite3 databases with Python
         1. Examine what the Firefox application stores in a series of databases
         2. Firefox stores quite a bit of forensically rich data; use a Python script to execute an SQLite SELECT statement for the appropriate columns: name, source, and datetime
         3. Running the script against the downloads.sqlite file
         4. Python script to extract cookies from a user under investigation
         5. Create an operating-system-independent script that will work on Windows, Linux, and Mac OS
   d. Investigate iTunes mobile backups and produce what can be found
   e. Network Traffic Analysis with Python
      i. Geo-Locate Internet Protocol (IP) Traffic
      ii. Discover Malicious DDoS Toolkits
      iii. Uncover Decoy Network Scans
      iv. Analyze Storm's Fast-Flux and Conficker's Domain Flux
      v. Understand the TCP Sequence Prediction Attack
      vi. Foil Intrusion Detection Systems with Crafted Packets (use Python tools)
   f. Wireless Confusion using Python
      i. Sniffing Wireless Networks for Personal Information
      ii. Listening for Preferred Networks and Identifying Hidden Wireless Networks
      iii. Taking Control of Wireless Unmanned Aerial Vehicles (may use a toy quadcopter)
      iv. Identifying Firesheep in Use
      v. Stalking Bluetooth Radios
      vi. Exploiting Bluetooth Vulnerabilities
   g. Web Recon with Python
      i. Anonymously browsing the Internet with the Mechanize class
         1. Script that prints the HTML code for the index page
         2. Anonymity: adding proxies, user agents, cookies
      ii. Mirroring website elements in Python using Beautiful Soup
         1. Parsing HREF links
      iii. Interacting with Google using Python
      iv. Interacting with Twitter using Python
         1. The script has gathered several things about the target of our reconnaissance automatically
         2. Pulling location data out of tweets
      v. Automated Spear-Phishing
3. Mobile Forensics
   a. Logical data extraction using ADB pull, ADB backup, ADB dumpsys, and content providers
   b. Physical extraction, which covers imaging an Android device and SD card, JTAG, and chip-off techniques
   c. Analysing and extracting data from Android image files using the open-source tool Autopsy
   d. Various techniques to recover deleted files from the SD card and internal memory
   e. Analysing some of the most widely used Android apps to retrieve valuable data
   f. Techniques to reverse engineer an Android application
4. Explore BitLocker in Windows
   a. How is the encryption done?
   b. What is the key derivation mechanism, and what are the different types of keys used in it, with a description of the use of each key?
   c. Where are the keys/hashes stored?
   d. How can a USB device encrypted with BitLocker work on another PC (which has no idea of the key hash of the previous PC)? Will it calculate the reverse of the hash if it is stored on the USB?
5. In comparison to Android devices, which have access control permissions for individual apps, where in Windows can we use access control for apps? How can we restrict app permissions for camera, GPS, compass etc. and recover the logs for each access to these components?
6. Explore the 15 system files in an NTFS partition. Elaborate their uses and how they make NTFS efficient. Give examples of their uses in a separate practical case of your choice.
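The Firefox downloads.sqlite query that project 2.c.ii calls for, written out as an added example (not part of the original project list or of any tool it names). It assumes the legacy Firefox moz_downloads schema with endTime stored as microseconds since the Unix epoch, uses constructed sample rows in place of real evidence, and adds a read-only opener plus a per-platform profile lookup for the OS-independent variant the list asks for.

```python
import os
import sqlite3
import sys
from datetime import datetime, timezone

# Constructed sample rows (not real evidence) modelled on the legacy Firefox
# moz_downloads table, whose endTime is microseconds since the Unix epoch.
SAMPLE_ROWS = [
    ("report.pdf", "https://example.org/files/report.pdf", 1_700_000_000_000_000),
    ("setup.exe", "http://example.net/dl/setup.exe", 1_700_003_600_000_000),
    ("partial.zip", "https://example.org/partial.zip", None),
]

def build_sample_db():
    """Create an in-memory database standing in for a recovered downloads.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT, endTime INTEGER)")
    conn.executemany("INSERT INTO moz_downloads (name, source, endTime) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def open_downloads_db(path):
    """Open a real downloads.sqlite read-only so the evidence file is not altered."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def list_downloads(conn):
    """Run the SELECT the project describes and return (name, source, datetime)
    tuples, converting the microsecond endTime to a UTC timestamp string."""
    cur = conn.execute("SELECT name, source, endTime FROM moz_downloads ORDER BY endTime")
    rows = []
    for name, source, end_us in cur:
        if end_us is None:  # incomplete download: Firefox recorded no end time
            stamp = "unknown"
        else:
            stamp = datetime.fromtimestamp(end_us / 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((name, source, stamp))
    return rows

def firefox_profile_root():
    """Default Firefox profile directory per platform, so the same script runs on
    Windows, Linux and macOS (assumption: standard installation paths)."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("APPDATA", ""), "Mozilla", "Firefox", "Profiles")
    if sys.platform == "darwin":
        return os.path.expanduser("~/Library/Application Support/Firefox/Profiles")
    return os.path.expanduser("~/.mozilla/firefox")

if __name__ == "__main__":
    for row in list_downloads(build_sample_db()):
        print("%-12s %-40s %s" % row)
```

Point open_downloads_db at a downloads.sqlite copied from the profile directory returned by firefox_profile_root and pass the connection to list_downloads; the read-only URI keeps the original file's hash stable.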
