CF Lab File


DELHI TECHNOLOGICAL UNIVERSITY
(Formerly Delhi College of Engineering)
Shahbad Daulatpur, Bawana Road, Delhi 110042

DEPARTMENT OF INFORMATION TECHNOLOGY

CYBER FORENSICS (IT-312)

PRACTICAL FILE

Submitted By: Divyanshu Thakur (2K20/IT/47)
Submitted To: Ms. Allam Venkata Swetha, Dept of Information Technology

Computer Forensics Laboratory
LIST OF EXPERIMENTS

1. Study of Computer Forensics and different tools used for forensic investigation
2. Study the steps for hiding and extracting any text file behind an image file / audio file using Command Prompt
3. How to extract Exchangeable image file format (EXIF) data from image files using ExifReader software
4. How to make a forensic image of a hard drive using EnCase Forensic Imager
5. How to restore an evidence image using EnCase Forensic Imager
6. How to extract browser artifacts
7. How to view the last activity of your PC
8. Find the last connected USB on your system (USB forensics)
EXPERIMENT- 1
Aim: Study of Computer Forensics and different tools used for forensic investigation
What Is Digital Forensics?
Digital forensics is the field of determining who was responsible for a digital intrusion or other computer crime. It uses a wide range of techniques to attribute the activity to its perpetrator.
It relies upon the fundamental concept that whenever a digital intrusion or crime is committed, the perpetrator inadvertently leaves a bit of themselves behind for the investigator to find. These "bits" could be entries in log files, changes to the registry, hacking software, malware, remnants of deleted files, etc. All of these can provide clues and evidence to determine their identity and lead to the capture and arrest of the hacker.
As a hacker, the more you know and understand about digital forensics, the better you can evade the standard forensic techniques and even implement anti-forensic measures to throw off the investigator.

The Digital Forensic Tools

Just like in hacking, there are a number of software tools for doing digital forensics. For the hacker, becoming familiar with these tools and how they work is crucial to evading them. Most digital forensic investigators rely upon three major commercial digital forensic suites.
1. Guidance Software's EnCase Forensic (now sold by OpenText)
2. AccessData's Forensic Toolkit (FTK)
3. ProDiscover
These three suites are comprised of multiple tools and reporting features and can be fairly expensive. While these suites are widely used by law enforcement, they use the same or similar techniques as the free open-source suites, without the fancy interfaces.

By using the open-source and free suites, we can come to understand how tools such as EnCase work without the expense. EnCase is the most widely used tool by law enforcement, but not necessarily the most effective and sophisticated. These tools are designed for user-friendliness, efficiency, certification, good training, and reporting.

There are a number of free, open-source forensic suites and live distributions, including the following three.
1. The Sleuth Kit (TSK), usually driven through its Autopsy front end
2. Helix, a forensic live CD
3. Knoppix and the forensic live distributions derived from it

The Forensic Tools Available in BackTrack

In addition, there are a large number of individual tools available for digital forensics, some of which ship with the BackTrack and Kali distributions. Some of the better tools in BackTrack include the following, among many others.

• sleuthkit
• rifiuti2
• scalpel
• truecrypt
• ptk
• dc3dd
• hexedit
• exiftool
• driftnet
• autopsy
• evtparse.pl
• timestomp
• iphoneanalyzer
• fatback

What Can Digital Forensics Do?

Digital forensics can do many things, all of which the aspiring hacker should be aware of. Below is a list of just some of them.
• Recover deleted files, including emails
• Determine what computer, device, and/or software created the malicious file, software, and/or attack
• Trace the source IP and/or MAC address of the attack
• Track the source of malware by its signature and components
• Determine the time, place, and device that took a picture
• Track the location of a cell phone enabled device (with or without GPS enabled)
• Determine the time a file was modified, accessed or created (MAC times)
• Crack passwords on encrypted hard drives, files, or communication
• Determine which websites the perpetrator visited and what files he downloaded
• Determine what commands and software the suspect has utilized
• Extract critical information from volatile memory
• Determine who hacked the wireless network and who the unauthorized users are
And that's just some of the things you can do with digital forensics!

What Is Anti-Forensics?
Anti-forensics is the set of techniques used to obfuscate information and evade the tools and techniques of the forensic investigator. Some of these techniques include the following.
• Hiding data: this includes encryption and steganography (the file-appending trick of Experiment 2 is a crude form of it).
• Artefact wiping: every attack leaves a signature or artefact behind. Sometimes it is wise to attempt to wipe these artefacts from the victim machine so as to leave no tell-tale trail for the investigator.
• Trail obfuscation: a decent forensic investigator can trace nearly any remote attack to an IP address and/or MAC address. Trail obfuscation leads them to a different apparent source rather than the actual origin of the attack.
• Changing timestamps: altering a file's timestamps (modified, accessed, created/changed) with a tool such as timestomp so that timeline analysis by forensic tools is misled. Note that NTFS keeps a second set of timestamps in the $FILE_NAME attribute that such tools usually leave untouched, which is how an examiner spots the change.

List of Forensic Tools

FTK Imager
Forensic disk imager and file recovery tool.
Log Parser Lizard GUI
Flexible and powerful log file parser. It also does much more.
Noxcivis Field Toolkit
The Noxcivis Field Toolkit (NFT) is a free and open interface that allows forensic examiners and collection teams to collect information from a computer.
Active@ Partition Recovery
Recovers deleted partitions.
Autopsy
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from a camera's memory card.
CAINE (Computer Aided Investigative Environment)
CAINE is an Italian GNU/Linux live distribution created as a digital forensics project. CAINE fully represents the spirit of the open-source philosophy: the project is completely open, so anyone can take over the legacy of the previous developer or project manager. The distribution is open source, its Windows side (WinTaylor) is open source and, last but not least, the distribution is installable, so it can be rebuilt as a new version, giving the project a long life.
Capture-BAT (The Honeynet Project)
Capture BAT is a behavioural analysis tool for applications on the Win32 operating system family. It is able to monitor the state of a system during the execution of applications and the processing of documents, which gives an analyst insight into how the software operates even if no source code is available. Capture BAT monitors state changes at a low kernel level and can easily be used across various Win32 operating system versions and configurations.
cFAIR Technologies Tools
Tools for forensics and eDiscovery.
Digital Forensics Framework (DFF)
DFF is a free and open-source computer forensics platform built on top of a dedicated Application Programming Interface (API). It can be used both by professionals and non-experts to quickly and easily collect, preserve and reveal digital evidence without compromising systems and data.
EnCase Forensic Imager
Free software to capture a forensically sound copy of data.
Explorer Suite
Suite of executable-file forensics utilities.
File and Partition Recovery Software
Free partition and disk recovery tools for recovering deleted or lost partitions and files. Supported file systems include FAT12, FAT16, FAT32, VFAT, NTFS and NTFS5 on Windows 2000 Professional/XP/Vista/7/8 and later.
EXPERIMENT- 2
Aim: To study the steps for hiding and extracting any text file behind an image file / audio file using Command Prompt.
Any file (.rar, .jpg, .txt or anything else) can be merged into another file. In a simple way, we shall learn how to hide a text file inside an image file using the Command Prompt.
How to Hide the FILE?
Suppose you have to hide a text file "A.txt" inside the image file "B.jpg" and combine them into a new file "C.jpg", where "C.jpg" is our output file containing the text hidden behind the image.

Follow the steps:

1. Copy the file you need to hide to the desktop (for our tutorial let us assume the file is "A.txt").
2. Copy the image within which you need to hide the file to the desktop (let it be "B.jpg").
3. Now open cmd:
>Win+R
>type: cmd and hit Enter
4. In cmd first type the following:
>cd desktop
NOTE: this changes the current directory of cmd to the desktop.
5. Now type the following command:

> copy /b B.jpg + A.txt C.jpg

Syntax: copy /b Name-of-cover-image.jpg + Name-of-file-you-want-to-hide.txt Resulting-image-name.jpg

The order matters: the cover image must come first. Image viewers stop reading a JPEG at its end-of-image marker (the bytes FF D9), so anything appended after it is ignored by the viewer but still sits in the file. If the text file came first, "C.jpg" would no longer open as an image. The /b switch tells copy to treat both inputs as binary data; when combining files copy otherwise defaults to text mode, which stops at the first Ctrl-Z (0x1A) byte it meets and would truncate the image.

"C.jpg" is the output image; our file is hidden inside it.
How to retrieve the file?
1. Locate the C.jpg file from which you want to retrieve the text data.
2. Right-click and open it with Notepad.

Done! At the end of the Notepad window, after the unreadable image data, you will find the content of the text file.

Hide A Message Into Image:

Open the Run window by pressing Win+R.
Open the command prompt by typing cmd and pressing OK.
Change to the directory where you have your files. Then type the command:
echo "Your Message">>"image.jpg"
Now the message is appended to the end of the image file (cmd writes the quotes and a trailing CRLF literally, so they end up in the file too).
To view the message: open the image with Notepad; at the end you will find Your Message.

Another Method
1. Open the Run window by pressing Win+R.
2. Open the command prompt by typing cmd and pressing OK.
3. Change to the directory where you have your files.
4. Then type the command:
>> copy /b B.jpg + A.rar C.jpg
Here A.rar is the file to hide behind the image file (B.jpg) and the output file is C.jpg.
To view the RAR file: right-click on the output image (here, C.jpg) and open it with WinRAR. WinRAR searches the file for the RAR archive signature, so it finds the archive after the image data and shows the files inside.

Hide File and Text behind an Audio File

First get hold of a sound file you want to hide the data in (for example sound.mp3), then gather all the files you want to hide and put them in a ZIP (for example secret.zip).

Windows 7/10: Shift+right-click in the folder containing the files and choose to open a command prompt in that directory. Alternatively open the command prompt (Start -> Run -> cmd), then use cd to get to the folder where the files are stored.

Linux: open a terminal and move to the directory containing the files.

We now need to merge these files together, but we want a binary merge to keep the two files intact. With the Windows copy command this is the /B switch (binary data); cat on Linux is always binary. The sound file goes first and the archive last, for the reason given below.

Windows
Code:
copy /b sound.mp3 + secret.zip newfile.mp3

Linux
Code:
cat sound.mp3 secret.zip > newfile.mp3

You should now have a new file called newfile.mp3. It should play identically to the sound you started with when opened in a media player, because MP3 decoders ignore trailing bytes that are not valid audio frames, but it carries the secret payload at its end.

The two simplest ways to get your data back out of this file are either to change the extension from .mp3 to .zip or to open newfile.mp3 from within your chosen ZIP program. ZIP readers locate the archive through the "end of central directory" record at the end of the file, which is why the archive is found even though it sits behind the audio data, and why it must be the last thing in the file. You should now be presented with your original files.
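What follows is an added example written for this practical file; it is not part of the original instructions and not code from any of the tools mentioned. It implements in Python what `copy /b B.jpg + A.txt C.jpg` and `cat sound.mp3 secret.zip > newfile.mp3` do, and goes one step beyond the text with the check an examiner would run to expose the trick: walking the JPEG marker segments to find the real end-of-image marker and reporting what sits after it. The cover file `COVER_JPEG` is a constructed marker stream (not a viewable picture) chosen to contain an FF D9 inside an EXIF thumbnail and a byte-stuffed FF 00 in the scan, which a naive search for the last FF D9 gets wrong; the file names and the `secret.txt` payload are made up for the demonstration.

```python
import io
import struct
import zipfile

# Constructed cover file: a structurally valid JPEG marker stream (not a viewable
# picture).  Its APP1 segment embeds a fake thumbnail with its own FF D9, and the
# scan data contains a byte-stuffed FF 00 and a restart marker FF D0, so a naive
# search for an FF D9 would stop in the wrong place.
_THUMB = b"Exif\x00\x00\xff\xd8\xff\xd9"
COVER_JPEG = (
    b"\xff\xd8"                                                                   # SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xe1" + struct.pack(">H", 2 + len(_THUMB)) + _THUMB                   # APP1
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"            # SOS
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                                         # scan data
    + b"\xff\xd9"                                                                 # EOI
)
_STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))        # markers without a length field


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the real EOI marker, found by walking the marker segments
    (length-prefixed headers, then entropy-coded data after SOS)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI
            return pos + 2
        if marker in _STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length                                   # the length field counts itself
        if marker == 0xDA:                                  # SOS: skip entropy-coded data
            while True:
                i = data.find(b"\xff", pos)
                if i < 0 or i + 1 >= len(data):
                    raise ValueError("truncated scan data")
                if data[i + 1] == 0x00 or 0xD0 <= data[i + 1] <= 0xD7:
                    pos = i + 2                             # stuffed byte or RSTn, keep going
                    continue
                pos = i                                     # a real marker: outer loop handles it
                break
    raise ValueError("no EOI marker found")


def hide_in_jpeg(cover: bytes, payload: bytes) -> bytes:
    """What `copy /b B.jpg + A.txt C.jpg` (or `cat`) does: plain concatenation."""
    return cover + payload


def extract_trailing(stego: bytes) -> bytes:
    """Everything after the real EOI: the hidden payload, or b'' if there is none."""
    return stego[jpeg_end_offset(stego):]


def make_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def read_hidden_zip(stego: bytes) -> dict:
    """ZIP readers locate the central directory from the end of the file, which is
    why WinRAR or unzip open C.jpg directly; Python's zipfile does the same."""
    with zipfile.ZipFile(io.BytesIO(stego)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def inspect(stego: bytes) -> dict:
    """Examiner's check: how much data follows the image, and what does it look like?"""
    trailer = extract_trailing(stego)
    return {"image_bytes": len(stego) - len(trailer), "trailing_bytes": len(trailer),
            "zip_signature": trailer.startswith(b"PK\x03\x04"),
            "rar_signature": trailer.startswith(b"Rar!\x1a\x07")}


if __name__ == "__main__":
    stego = hide_in_jpeg(COVER_JPEG, make_zip({"secret.txt": b"hello"}))   # made-up payload
    print(inspect(stego))
    print(read_hidden_zip(stego))
```

The segment walk is what makes the check reliable: `COVER_JPEG.find(b"\xff\xd9")` lands on the thumbnail's EOI at offset 32, whereas `jpeg_end_offset` returns 54, the true end of the cover. On a real case `inspect()` is the kind of test worth running over every image on a seized disk; a non-zero `trailing_bytes` is the lead, and the signature flags tell you what to open it with.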
EXPERIMENT- 3
Aim: How to extract Exchangeable image file format (EXIF) data from image files using ExifReader software.
Introduction:
In many cases when a computer, phone, or mobile device is seized for evidence, the system will have graphic images that might be used as evidence. Obviously, in some cases these graphic images are themselves the evidence, such as in child pornography cases.
Most digital devices "stamp" information onto these graphic images that can tell us a lot about who, what, when, and where the pictures were taken. This information is known as EXIF data and can very often be useful to the forensic investigator.
Exchangeable image file format (EXIF) is a standard set by the digital camera industry that specifies the metadata formats for digital images and sound files. This information includes camera settings, time, date, shutter speed, exposure, whether a flash was used, compression, the make and model of the camera, and other information critical to viewing and editing the image in image-editing software. In a JPEG file it is stored in an APP1 segment near the start of the file, laid out as a TIFF structure of tagged entries (IFDs). This information can be useful to the forensic investigator.
There are numerous applications that can extract this EXIF data from graphic files. Nearly every one of the major forensic suites (EnCase, FTK, Oxygen, etc.) has this capability built in. For this lab, we will be using a simple, free Windows-based tool called ExifReader.
Extract EXIF Data from Image Files
Step-01:
Download ExifReader, run the .exe file (ExifRead.exe) and it will open a clean and simple GUI wizard as shown below.
Now simply click on the "Open" button and browse to the pictures on the system or media. JPEG files (.jpg/.jpeg) straight from a camera normally carry the most information, so let's use one of those.
Step-02: Open a Picture File
Once the selected picture opens, it will load the picture into the thumbnail on the left and display the EXIF data down the page on the right, as shown below.

There is a lot of information you can collect from the EXIF data, but most of it relates to the technical specifications of the camera and the photograph. The fields of forensic value are the date and time the picture was taken, the camera make, model and (sometimes) serial number, the editing software that last saved the file, and, if the device recorded them, the GPS coordinates of where the picture was taken. Keep in mind that EXIF data is easily edited and is stripped by many web services, so both its contents and its absence should be corroborated with other evidence.
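The following is an added example, not part of the original file and not ExifReader's code. It parses the EXIF APP1 segment of a JPEG directly (TIFF header, IFD0, then the Exif and GPS sub-IFDs) and converts the GPS degree/minute/second rationals to decimal degrees, which is what ExifReader or exiftool does under the hood. Because a real photograph cannot be embedded here, `build_sample_jpeg()` constructs a minimal JPEG header with an invented camera make, a made-up timestamp and made-up coordinates; the tag numbers, types and layout follow the EXIF/TIFF specification.

```python
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per TIFF value type
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
EXIF_TAGS = {0x9003: "DateTimeOriginal", 0x9004: "DateTimeDigitized"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
EXIF_IFD_PTR, GPS_IFD_PTR = 0x8769, 0x8825


def _decode(endian, typ, count, raw):
    if typ == 2:                                    # ASCII, NUL-terminated
        return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    if typ in (5, 10):                              # RATIONAL / SRATIONAL: (num, den) pairs
        vals = struct.unpack(endian + ("I" if typ == 5 else "i") * (2 * count), raw)
        return [(vals[i], vals[i + 1]) for i in range(0, len(vals), 2)]
    if typ in (3, 4, 9):                            # SHORT / LONG / SLONG
        vals = struct.unpack(endian + {3: "H", 4: "I", 9: "i"}[typ] * count, raw)
        return vals[0] if count == 1 else list(vals)
    return raw                                      # BYTE / UNDEFINED left as bytes


def parse_exif(app1_payload: bytes) -> dict:
    """Parse the TIFF structure inside a JPEG APP1 'Exif' segment: IFD0 plus the
    Exif and GPS sub-IFDs it points to.  Returns {tag name: decoded value}."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        raise ValueError("not an Exif APP1 segment")
    tiff = app1_payload[6:]                         # IFD offsets are relative to here
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    out = {}

    def read_ifd(off, names):
        (n,) = struct.unpack(endian + "H", tiff[off:off + 2])
        for k in range(n):
            e = off + 2 + 12 * k
            tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
            (ptr,) = struct.unpack(endian + "I", tiff[e + 8:e + 12])
            size = TYPE_SIZE[typ] * count           # <= 4 bytes: value is stored inline
            raw = tiff[e + 8:e + 8 + size] if size <= 4 else tiff[ptr:ptr + size]
            if tag == EXIF_IFD_PTR:
                read_ifd(ptr, EXIF_TAGS)
            elif tag == GPS_IFD_PTR:
                read_ifd(ptr, GPS_TAGS)
            elif tag in names:
                out[names[tag]] = _decode(endian, typ, count, raw)

    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    read_ifd(ifd0, IFD0_TAGS)
    return out


def gps_decimal(exif: dict):
    """Degrees/minutes/seconds rationals -> signed decimal (lat, lon), or None."""
    if "GPSLatitude" not in exif or "GPSLongitude" not in exif:
        return None
    def dms(rats, ref):
        d, m, s = (n / dn for n, dn in rats)
        val = d + m / 60 + s / 3600
        return -val if ref in ("S", "W") else val
    return (dms(exif["GPSLatitude"], exif["GPSLatitudeRef"]),
            dms(exif["GPSLongitude"], exif["GPSLongitudeRef"]))


def exif_from_jpeg(jpeg: bytes) -> dict:
    """Walk the marker segments before SOS and parse the first Exif APP1 found."""
    pos = 2                                         # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return parse_exif(jpeg[pos + 4:pos + 2 + length])
        pos += 2 + length
    return {}


# ---- constructed sample, so the code runs without a real photograph ----
def _ifd(entries, base):
    """Serialise one little-endian IFD at absolute offset `base`; values longer
    than 4 bytes are placed directly after the entry table."""
    data_off = base + 2 + 12 * len(entries) + 4
    table, blob = b"", b""
    for tag, typ, count, val in entries:
        field = val.ljust(4, b"\x00") if len(val) <= 4 else struct.pack("<I", data_off + len(blob))
        blob += val if len(val) > 4 else b""
        table += struct.pack("<HHI", tag, typ, count) + field
    return struct.pack("<H", len(entries)) + table + b"\x00\x00\x00\x00" + blob


def _size(entries):
    return 2 + 12 * len(entries) + 4 + sum(len(v) for *_, v in entries if len(v) > 4)


def build_sample_jpeg() -> bytes:
    rat = lambda *p: struct.pack("<" + "I" * len(p), *p)
    make, model, dto = b"ExampleCam\x00", b"X1\x00", b"2024:03:01 10:15:30\x00"   # invented
    exif = [(0x9003, 2, len(dto), dto)]
    gps = [(0x0001, 2, 2, b"N\x00"), (0x0002, 5, 3, rat(28, 1, 36, 1, 4500, 100)),
           (0x0003, 2, 2, b"E\x00"), (0x0004, 5, 3, rat(77, 1, 7, 1, 1200, 100))]
    ifd0 = [(0x010F, 2, len(make), make), (0x0110, 2, len(model), model)]
    exif_off = 8 + _size(ifd0) + 2 * 12             # IFD0 will gain the two pointer entries
    gps_off = exif_off + _size(exif)
    ifd0 += [(EXIF_IFD_PTR, 4, 1, struct.pack("<I", exif_off)),
             (GPS_IFD_PTR, 4, 1, struct.pack("<I", gps_off))]
    tiff = b"II*\x00" + struct.pack("<I", 8) + _ifd(ifd0, 8) + _ifd(exif, exif_off) + _ifd(gps, gps_off)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", 2 + len(payload)) + payload + b"\xff\xda"
```

Two points the parser makes visible that a GUI hides: every offset in the IFDs is relative to the start of the TIFF header rather than to the file, and a value that fits in four bytes is stored inline in the entry instead of at an offset. Both are common sources of bugs in hand-written EXIF readers, and both are places where a hostile file can put out-of-range offsets, so on untrusted images wrap `exif_from_jpeg()` in a `try` and treat an exception as "no usable EXIF".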
EXPERIMENT- 4
Aim of the Experiment: How to make a forensic image of a hard drive using EnCase Forensic Imager.

Introduction
In solving computer crime cases, computer forensics is used to gather evidence which will be analysed and presented to a court of law to prove the illegal activity. It is important that when doing computer forensics no alteration, virus introduction, damage or data corruption occurs. In order to do a good analysis, the first step is a secure collection of the computer evidence. Secure collection of evidence is important to guarantee the evidential integrity and security of the information. The best approach for this is to use a disk imaging tool. Choosing and using the right tool is very important in a computer forensics investigation.
Disk imaging
Disk imaging, as defined by Jim Bates, Technical Director of Computer Forensics Ltd, refers to:
"An image of the whole disk was copied. This was regardless of any software on the disk and the important point was that the complete content of the disk was copied including the location of the data. Disk imaging takes a sector-by-sector copy usually for forensic purposes and as such it will contain some mechanism (internal verification) to prove that the copy is exact and has not been altered. It does not necessarily need the same geometry as the original as long as arrangements are made to simulate the geometry if it becomes necessary to boot into the acquired image."
Disk imaging is also one of the approaches to backup, except that a backup only copies the active files. In a backup, ambient data is not copied, and this is where the most important source of evidence could be found. Ambient data is data stored in the Windows swap file, unallocated space and file slack.
Scenario: Mr. X is suspected of selling his company's confidential data to competitors, but without any evidence no action can be taken against him. To establish the facts and prove Mr. X guilty, the company has engaged forensic services and has come to know that all the relevant data is present on the desktop provided to him.
Since it is never advisable to work on the original evidence, because we may accidentally lose or alter relevant data, we will create an image of the original evidence and work on that. This way the original evidence stays safe and the integrity and authenticity of the evidence can be proved through hash values: the hashes computed over the source during acquisition must match the hashes of the image, and anyone re-hashing the image later must obtain the same values.
Step-01:
To image the computer hard drive we will use EnCase Forensic Imager, software bundled with numerous features which aid in all four phases of a forensic investigation, i.e. collection, preservation, filtering and reporting.
First, download EnCase Forensic Imager and install it on your computer. Once it is installed, initialise the software in Enterprise mode.

Step 2: Click on New to create a new case. Fill in the labels.

Click on Finish.
Step 3: View the case by clicking on Case 1 <Case Name>.

Step 4: Click on Add Local Device to add devices to your case. If a write blocker is attached between the machine and the digital device, tick options 1, 2 and 5; otherwise untick all of them and click on the Next button. Acquiring original media without a hardware write blocker risks the operating system writing to the drive (mounting, journal replay, indexing), which changes its hash.
Step 5: Tick the box in the Name column that shows the connected device's name or label (1, 2, 3 or another number) and click on the Finish button.

Step-06: Now, to open the evidence, click on the label number of the device shown in the "Name" column, then right-click on the label number and choose the Acquire option.
Step-07: A pop-up will appear with three tabs. In the Location tab, fill in all the fields. In the Format tab, enable Compression if you want a smaller image file, otherwise leave it disabled; compression does not encrypt anything. For the Verification Hash, choose both MD5 and SHA1, then click on the OK button. The file format selected here is E01, as it is supported by multiple tools and is suitable for further analysis; unlike a raw dd image, E01 stores the acquisition hash and a CRC for every block inside the image itself. If we want to password-protect/encrypt our image, we can do that at this stage.
Step-08: After this, image creation will start and the time taken to create the image will be shown at the bottom right. You can check the status of the image acquisition in the same window at the lower right corner, along with the time remaining (refer to the image below).

Step-09: The device will automatically disconnect after creating the image. Once the acquisition is complete the image will be saved to the output folder whose path we set earlier (refer to the image below).
EXPERIMENT- 5
Aim: How to restore an evidence image using EnCase Forensic Imager.

Open EnCase Forensic Imager and add the evidence to it.

Browse to the image (.E01) file and add it to the case. The evidence added will be listed.

Double-click on the image, select the files to be restored and select the Restore option located under the Device menu.
When we click on Restore, connect the drive to which we want to restore the image and click Next. All the drives will be read and displayed; select the drive to which the image is to be restored. Use a blank drive for restoring the image, as the existing data on it will be wiped.

If required we can verify the hash values, then click on Finish.

Type "Yes" in the text box and click on OK; this will wipe the existing data on the drive and start the image restoration.
Image restoration will start, and we can check the progress in the lower right corner of the window.

Once the restoration is complete, we can see the data on the drive we selected.

To ensure the integrity of the data, we can look at the Report section in the bottom pane and check the hash values. The hash values should be the same as those of the image (we can check the original hash value in the image report). If the restored drive is hashed with another tool, the hash must cover exactly the same number of sectors as the image, otherwise the values will differ even though the restore was correct.

If required we can copy and save the report in any text / Word file for future reference.
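As an added example for Experiments 4 and 5 (not EnCase's code and not a substitute for it), the routine below performs a raw, dd-style acquisition in Python: it copies the source byte stream to an image file while hashing the bytes as they are read, then re-hashes the image (or a drive the image was restored to) and compares. E01 wraps the same idea in compressed blocks with per-block CRCs and stored metadata. `demo()` stands a temporary file of random bytes in for the evidence drive and flips one byte of the image afterwards to show that verification then fails; the paths and the name "evidence.bin" are made up.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20                                    # read 1 MiB at a time


def acquire(source_path: str, image_path: str, chunk: int = CHUNK) -> dict:
    """Raw (dd-style) bit-for-bit copy of `source_path` to `image_path`.  The
    hashes are computed over the bytes as they are read from the source, so
    they describe the evidence at the moment of acquisition."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):
            md5.update(buf)
            sha1.update(buf)
            dst.write(buf)
            size += len(buf)
    return {"bytes": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_file(path: str, chunk: int = CHUNK) -> dict:
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            md5.update(buf)
            sha1.update(buf)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(path: str, acquisition: dict) -> bool:
    """Re-hash an image (or a drive the image was restored to, read over the
    same number of bytes) and compare with the acquisition record."""
    h = hash_file(path)
    return h["md5"] == acquisition["md5"] and h["sha1"] == acquisition["sha1"]


def demo() -> tuple:
    """Constructed evidence: a temporary file of random bytes stands in for the
    suspect's drive (the names below are made up).  Returns the verification
    result for the untouched image and again after one byte of it is flipped."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        img = os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))   # not a multiple of the chunk size
        record = acquire(src, img)
        same_as_source = hash_file(src) == {k: record[k] for k in ("md5", "sha1")}
        intact = verify(img, record) and same_as_source
        with open(img, "r+b") as f:                  # simulate a single corrupted byte
            f.seek(4242)
            b = f.read(1)
            f.seek(4242)
            f.write(bytes([b[0] ^ 0x01]))
        return intact, verify(img, record)


if __name__ == "__main__":
    print(demo())                                    # (True, False)
```

On a real acquisition `source_path` would be the block device behind a write blocker (for example `\\.\PhysicalDrive1` on Windows or `/dev/sdb` on Linux), and the dictionary returned by `acquire()` is the acquisition record that goes into the case notes; it is what the "Verification Hash" values in EnCase's report correspond to.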
EXPERIMENT- 6
Aim: How to extract browser artifacts
ChromeHistoryView is a small utility that reads the history data file of the Google Chrome web browser (the SQLite database named "History" in the profile folder) and displays the list of all web pages visited in the last few days. For each visited web page, the following information is displayed: URL, title, visit date/time, number of visits, number of times the user typed this address (typed count), referrer, and visit ID.

ChromeCacheView is a small utility that reads the cache folder of the Google Chrome web browser and displays the list of all files currently stored in the cache. For each cache file, the following information is displayed: URL, content type, file size, last accessed time, expiration time, server name, server response, and more. You can easily select one or more items from the cache list and then extract the files to another folder, or copy the list of URLs to the clipboard.

IEHistoryView reads all the information from the Internet Explorer history file on your computer and displays the list of all URLs you have visited in the last few days. It also allows you to select one or more URL addresses and then remove them from the history file or save them to a text, HTML or XML file.

IECacheView is a small utility that reads the cache folder of Internet Explorer and displays the list of all files currently stored in the cache. For each cache file, the following information is displayed: filename, content type, URL, last accessed time, last modified time, expiration time, number of hits, file size, folder name, and full path of the cache file.
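Added example for Experiment 6, not NirSoft's code: ChromeHistoryView reads Chrome's `History` file, which is an SQLite database. The code below queries the `urls` and `visits` tables directly, joins each visit to its referrer through `from_visit`, decodes the core transition type (typed address, clicked link, reload), and converts Chrome's timestamps, which count microseconds from 1601-01-01 UTC rather than from the Unix epoch. Because no real profile can be shipped here, `build_sample_history()` creates an in-memory database with the subset of columns the query uses and a few invented visits.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
               5: "GENERATED", 7: "FORM_SUBMIT", 8: "RELOAD"}   # low byte of visits.transition
CHAIN_START = 0x10000000                             # one of the qualifier bits in the high bytes


def webkit_to_datetime(us: int) -> datetime:
    """Chrome stores times as microseconds since 1601-01-01 UTC, not the Unix epoch."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def visit_timeline(con: sqlite3.Connection) -> list:
    """One record per visit, oldest first, with the page it was reached from.
    `from_visit` links to another row of `visits`, which is how the referrer
    column of ChromeHistoryView is derived."""
    rows = con.execute("""
        SELECT v.id, u.url, u.title, u.typed_count, v.visit_time, v.transition, r.url
        FROM visits v
        JOIN urls u        ON u.id = v.url
        LEFT JOIN visits p ON p.id = v.from_visit
        LEFT JOIN urls r   ON r.id = p.url
        ORDER BY v.visit_time""").fetchall()
    return [{"visit_id": vid, "url": url, "title": title, "typed_count": typed,
             "time": webkit_to_datetime(t).isoformat(),
             "transition": TRANSITIONS.get(tr & 0xFF, tr & 0xFF),
             "new_chain": bool(tr & CHAIN_START), "referrer": ref}
            for vid, url, title, typed, t, tr, ref in rows]


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for Chrome's History file with the columns used above
    and a few invented visits (the real tables have more columns)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);""")
    t0 = datetime_to_webkit(datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc))
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 2, 1, t0 + 60_000_000),
        (2, "https://example.com/files/tool.zip", "tool.zip", 1, 0, t0 + 30_000_000)])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, CHAIN_START | 1),                # address typed by the user
        (2, 2, t0 + 30_000_000, 1, 0),                 # link clicked on visit 1
        (3, 1, t0 + 60_000_000, 0, CHAIN_START | 8)])  # reload
    con.commit()
    return con


if __name__ == "__main__":
    for rec in visit_timeline(build_sample_history()):
        print(rec)
```

On a real case, copy the `History` file out of the evidence image (Chrome keeps the live file locked and writes to it) and open the copy read-only with `sqlite3.connect("file:History?mode=ro", uri=True)`; the `visits` table is the one to work from, since `urls.last_visit_time` only keeps the most recent visit of each address.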
EXPERIMENT- 7
Aim: How to view the last activity of your PC
LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system (the registry, event logs, prefetch files, recent-document lists and similar) and displays a log of actions made by the user and events that occurred on this computer.
EXPERIMENT- 8
Aim: Find the last connected USB on your system (USB forensics)
USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used.
For each USB device, extended information is displayed: device name/description, device type, serial number (for mass storage devices), the date/time the device was added, VendorID, ProductID, and more. USBDeview gathers this from the device entries Windows keeps in the registry (the Enum\USBSTOR and Enum\USB keys under HKLM\SYSTEM\CurrentControlSet), which means the same history can also be read offline from the SYSTEM hive of a seized disk, not only on the live machine.
USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, and disable and enable USB devices.
You can also use USBDeview on a remote computer, as long as you log in to that computer as an administrator.
