SARDAR VALLABHBHAI PATEL INSTITUTE OF TECHNOLOGY
DIGITAL FORENSICS 3170725
PRACTICAL 1
AIM: Study of Computer Forensics and different tools used for forensic investigation.
Computer forensics is the practice of collecting, analyzing, and preserving computer and digital data in a way
that is suitable for presenting in a court of law. It involves the identification, recovery, analysis, and
presentation of facts and opinions about the information stored on computers, digital devices, and networks.
It relies upon the fundamental concept that whenever a digital intrusion or crime is committed, the perpetrator
inadvertently leaves a bit of themselves behind for the investigator to find. These "bits" could be entries in log
files, changes to the registry, hacking software, malware, remnants of deleted files, etc. All of these can provide
clues and evidence to determine their identity and lead to the capture and arrest of the hacker.
Computer forensics plays a crucial role in modern digital crime investigations. With the right tools and
techniques, forensic investigators can uncover hidden or deleted data, analyze cyber incidents, and provide
evidence in legal cases. Each forensic tool has unique features, and using the appropriate tool is essential for
successfully conducting a digital investigation.
Tools Used in Computer Forensics
The field of computer forensics has evolved rapidly, and there are now a wide variety of tools available to
investigators. Here are some of the most commonly used tools:
Acquisition Tools
• FTK Imager: A popular tool for acquiring data from various storage devices.
• EnCase: A comprehensive forensic suite that includes acquisition, analysis, and reporting capabilities.
• AccessData Forensic Toolkit (ADFT): Another powerful forensic suite with a wide range of features.
Analysis Tools
• Autopsy: An open-source digital forensics platform that can be used to analyze data acquired from
various sources.
• The Sleuth Kit (TSK): A collection of command-line tools for analyzing file systems and data.
• Wireshark: A network protocol analyzer that can be used to analyze network traffic.
Mobile Forensics Tools
• Cellebrite Physical Analyzer: A popular tool for extracting data from mobile devices.
• XRY: Another tool for extracting data from mobile devices.
• MobiLab Forensic: An open-source mobile forensics platform.
210410107114 Page|1
Cloud Forensics Tools
• Cloud Witness: A cloud forensics platform that can be used to investigate incidents in cloud
environments.
• Cloud Examiner: Another cloud forensics platform that can be used to analyze cloud data.
Specialized Tools
• Forensic Disk Analyzer (FDA): A tool for analyzing disk images and identifying deleted files.
• Forensic Metadata Analyzer (FMA): A tool for analyzing metadata associated with digital files.
• Forensic Email Analyzer (FEA): A tool for analyzing email data.
Key Objectives of Computer Forensics
• Data Recovery: Retrieving lost, deleted, or corrupted data from storage devices.
• Legal Compliance: Ensuring the integrity of digital evidence and its admissibility in court.
• Incident Response: Investigating and responding to security breaches, cyberattacks, and unauthorized
data access.
• Evidence Preservation: Properly collecting and documenting digital evidence to avoid tampering or
data loss.
• Fraud Detection: Identifying digital traces of fraudulent activities and financial crimes.
Steps in Computer Forensics Investigation
1. Identification: Recognizing potential sources of data and evidence (e.g., computers, mobile devices,
network logs).
2. Acquisition: Collecting and duplicating the data or evidence from the identified sources. This includes
creating exact copies or forensic images of storage devices to ensure that the original evidence remains
unaltered for further analysis.
3. Preservation: Securing the evidence to ensure it is not tampered with. This includes creating disk
images and securing the crime scene.
4. Analysis: Examining the collected data for evidence using forensic tools and techniques.
5. Interpretation: Drawing conclusions from the analyzed data.
6. Documentation: Recording all steps, processes, and findings in detail for potential legal proceedings.
7. Presentation: Preparing the evidence in a format that can be understood by law enforcement, legal
professionals, and juries.
PRACTICAL 2
AIM: How to Capture a Forensically Sound Image using the FTK Imager Tool
FTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS
SIFT Workstation. The version used for this posting was downloaded directly from the AccessData web site
(FTK Imager version 2.6.0).
Run FTK [Link] to start the tool.
From the File menu, select Create a Disk Image and choose the source of your image. In the interest of a quick
demo, I am going to select a 512MB SD card, but you can select any attached drive. NOTE: FTK Imager does
not guarantee that no data is written to the source drive, so it is important to use a hardware write blocker such as the Tableau T35es.
Click Add... to add the image destination. Check Verify images after they are created so FTK Imager will
calculate MD5 and SHA1 hashes of the acquired image.
Next, select the image type. The type you choose will usually depend on what tools you plan to use on the
image. The dd format will work with more open source tools, but you might want SMART or E01 if you will
primarily be working with ASR Expert Witness or EnCase, respectively.
If your version of FTK requests evidence information, you can provide it. If you select raw (dd) format, the
image meta data will not be stored in the image file itself.
Select the Image Destination folder and file name. You can also set the maximum fragment size of image split
files. Click Finish to complete the wizard.
Click Start to begin the acquisition:
A progress window will appear. Now is a good time to refill that coffee cup! Once the acquisition is complete,
you can view an image summary, and the drive will appear in the evidence list on the left-hand side of the main
FTK Imager window. You can right-click on the drive name to Verify the Image:
FTK Imager also creates a log of the acquisition process and places it in the same directory as the image,
[Link]. This file lists the evidence information, details of the drive, checksums, and the times the image
acquisition started and finished.
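The acquisition, hash verification and logging that FTK Imager performs (and steps 2, 3 and 6 of the investigation procedure in Practical 1) can be reproduced in a few lines of code. The Python script below is an added example written for this manual; it is not FTK Imager's code. It images a constructed temporary file that stands in for a device such as /dev/sdb, hashes source and image with MD5 and SHA1, writes an acquisition log beside the image, and shows that re-verifying the image later detects a single altered byte. The function names (hash_file, acquire_raw_image, verify_image, demo) and the sample device content are the example's own.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: a device is never loaded into memory whole


def hash_file(path):
    """Return (md5, sha1) hex digests of the file at `path`, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def acquire_raw_image(source, image_path, log_path):
    """Copy `source` byte-for-byte to `image_path` (raw/dd format), hash both
    sides, and write an acquisition log beside the image. Returns a summary."""
    started = datetime.now(timezone.utc)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    finished = datetime.now(timezone.utc)

    src_md5, src_sha1 = hash_file(source)
    img_md5, img_sha1 = hash_file(image_path)
    verified = (src_md5, src_sha1) == (img_md5, img_sha1)

    with open(log_path, "w") as log:
        log.write(f"Source: {source}\nImage: {image_path}\n")
        log.write(f"Bytes: {os.path.getsize(image_path)}\n")
        log.write(f"Source MD5: {src_md5}\nSource SHA1: {src_sha1}\n")
        log.write(f"Image MD5: {img_md5}\nImage SHA1: {img_sha1}\n")
        log.write(f"Verified: {verified}\n")
        log.write(f"Started: {started.isoformat()}\nFinished: {finished.isoformat()}\n")
    return {"md5": img_md5, "sha1": img_sha1, "verified": verified,
            "size": os.path.getsize(image_path)}


def verify_image(image_path, expected_md5, expected_sha1):
    """Re-hash an image (e.g. before analysis) and compare with the logged hashes."""
    return hash_file(image_path) == (expected_md5, expected_sha1)


def demo():
    """Image a constructed 'device' and show that verification catches a
    single changed byte. Returns both verification outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "constructed_sdcard.bin")  # stands in for /dev/sdb
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # 1 MiB of deterministic content
        image = os.path.join(tmp, "sdcard.dd")
        summary = acquire_raw_image(device, image, image + ".log")
        clean = verify_image(image, summary["md5"], summary["sha1"])

        # Simulate tampering: flip one bit at offset 4096 and verify again.
        with open(image, "r+b") as f:
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0x01]))
        tampered = verify_image(image, summary["md5"], summary["sha1"])
        return {"summary": summary, "clean_ok": clean, "tampered_ok": tampered}


if __name__ == "__main__":
    print(demo())
```

The hashes in the log are what make the image forensically sound: anyone handling the image later can re-run verify_image and prove that not a single byte has changed since acquisition, which is the same check FTK Imager's Verify Image menu item performs.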
PRACTICAL 3
AIM: How to Recover Deleted Files using Forensics Tools.
Installing the Foremost Tool:
1) Use the following command to install this tool on any Debian-based Linux operating system, or on any
other operating system that uses the APT package manager:
sudo apt install foremost
2) Use the following command to install this tool with the dnf package manager:
sudo dnf install foremost
3) Use the following command to install this tool with the Pacman package manager, e.g. on Arch Linux:
sudo pacman -S foremost
Syntax:
foremost [options]
• Recovering from USB/Hard Disk:
[Link] the external storage device to the system.
[Link], you need to know the device path of your external storage; to find it, use the command
fdisk -l
• Now from here, you can copy the path of the disk.
• After copying the device path, we can recover the files from that device.
See the available options with the “foremost -h” command.
For example:
foremost -t jpg,pdf,mp4,exe -v -q -i /dev/sdb2 -o /root/desktop/recover
Here I use this command to recover the data from the device.
• -t: The types of files we want to recover. Here I want to recover jpg, pdf, mp4, and exe files.
• -q: Performs a quick scan of the device.
• -i: The input, in this case the external storage device.
• -o: The output folder where the recovered files are saved.
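foremost recovers files without any help from the file system: it scans the raw bytes of the device for known file headers and footers (file carving), which is why it still finds files whose directory entries were deleted. The Python script below is an added example written for this manual, not foremost's own code. It carves JPEG and PDF files out of a constructed raw image, writes them into per-type folders with an audit.txt in the same layout foremost uses, and handles the case of a header with no matching footer by carving up to a size cap and flagging the result as truncated. The function names, the two signatures and the image content are the example's own assumptions.

```python
import os
import tempfile

# Header, footer and size cap per type; the same kind of signatures foremost
# keeps in its configuration file, reduced here to two types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "pdf": (b"%PDF", b"%%EOF", 20 * 1024 * 1024),
}


def carve(image, types=("jpg", "pdf")):
    """Scan raw image bytes for each type's header, take everything up to the
    matching footer (or up to the size cap when no footer follows) and return
    the hits sorted by offset. No file system structure is consulted."""
    hits = []
    for ftype in types:
        header, footer, max_size = SIGNATURES[ftype]
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), limit)
            truncated = end == -1
            end = limit if truncated else end + len(footer)
            hits.append({"type": ftype, "offset": pos, "data": image[pos:end],
                         "truncated": truncated})
            pos = image.find(header, end)
    return sorted(hits, key=lambda h: h["offset"])


def write_carved(hits, outdir):
    """Write hits as <outdir>/<type>/<sector>.<type> plus an audit.txt listing
    offset, size and truncation, mirroring foremost's output layout."""
    written = []
    with open(os.path.join(outdir, "audit.txt"), "w") as audit:
        for h in hits:
            rel = f"{h['type']}/{h['offset'] // 512:08d}.{h['type']}"
            os.makedirs(os.path.join(outdir, h["type"]), exist_ok=True)
            with open(os.path.join(outdir, rel), "wb") as f:
                f.write(h["data"])
            audit.write(f"{rel}\toffset={h['offset']}\tsize={len(h['data'])}"
                        f"\ttruncated={h['truncated']}\n")
            written.append(rel)
    return written


def build_constructed_image():
    """A constructed raw image: zero filler, one JPEG, one PDF, and a JPEG
    header with no footer (as left behind by an overwritten or partial file)."""
    filler = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" * 3 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    stray = b"\xff\xd8\xff\xe1" + b"header only, no footer " * 2
    return filler + jpeg + filler + pdf + filler + stray + filler


def demo():
    """Carve the constructed image into a temporary output directory."""
    hits = carve(build_constructed_image())
    with tempfile.TemporaryDirectory() as out:
        paths = write_carved(hits, out)
    return hits, paths


if __name__ == "__main__":
    for h, p in zip(*demo()):
        print(p, "offset", h["offset"], "size", len(h["data"]), "truncated", h["truncated"])
```

On a real device the image bytes would come from the /dev/sdb2 path identified with fdisk -l (or, better, from a verified dd image of it), and the audit.txt is what lets an examiner tie each recovered file back to the byte offset it was carved from.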
PRACTICAL 4
AIM: Image Forensics using EXIF Tool.
EXIF (Exchangeable Image File Format) plays a significant role in digital forensics, particularly in the analysis
of digital images. EXIF metadata is embedded in image files, providing valuable information about the
circumstances under which an image was captured.
It stores metadata such as:
• Date and Time: When the photo was taken
• Camera Model: The camera used to take the photo
• GPS Coordinates: The location where the photo was taken
• Exposure Settings: Aperture, shutter speed, ISO
• Software Used: The software used to edit the photo
EXIF Tool is a command-line utility that can be used to view, edit, and extract EXIF data from images. It's a
valuable tool for image forensics, as it can help to verify the authenticity and integrity of images.
Common Forensic Applications of EXIF Tool:
1. Determining Image Origin:
o GPS Coordinates: By examining the GPS coordinates, you can pinpoint the location where the
photo was taken.
o Date and Time: The timestamp can help corroborate or refute claims about when the photo was
taken.
2. Detecting Image Manipulation:
o Software Used: If the EXIF data shows that the photo was edited using a particular software, it
can be compared with the original image to identify any changes.
o Date and Time Modifications: If the date and time are inconsistent with other evidence, it may
indicate manipulation.
3. Identifying Image Sources:
o Camera Model: The camera model can help determine the type of device used to take the photo.
o Lens Information: The lens used can provide additional clues about the photographer's
equipment.
Using EXIF Tool:
To use EXIF Tool, you'll need to install it on your system. Once installed, you can use the following command
to view the EXIF data of an image:
exiftool [Link]
This will display a list of EXIF tags and their corresponding values. You can also extract a specific tag by
naming it on the command line, using the -d option to set the date format:
exiftool -d "%Y-%m-%d %H:%M:%S" -DateTimeOriginal [Link]
This command will extract the original date and time the photo was taken in the specified format.
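To show what exiftool is reading when it prints Make, Model, Software, DateTime and DateTimeOriginal, the Python script below is an added example written for this manual (it is not exiftool's code). It builds a constructed JPEG whose APP1 segment carries a TIFF block with IFD0 and an Exif sub-IFD, parses that block back with a minimal EXIF reader, and then applies the two manipulation indicators described above: editing software recorded, and a file DateTime that no longer matches the capture time in DateTimeOriginal. The tag numbers are the standard EXIF ones; the camera name, software name and dates are made-up values, and the function names are the example's own.

```python
import struct

# Standard EXIF/TIFF tag numbers for the tags handled here.
TAG_NAMES = {
    0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
    0x8769: "ExifIFDPointer", 0x9003: "DateTimeOriginal",
}
ASCII, LONG = 2, 4                 # TIFF field types
SUB_IFD_TAGS = (0x8769, 0x8825)    # Exif IFD and GPS IFD pointers


def build_ifd(ascii_entries, ifd_off, pointer_entries=()):
    """Encode one little-endian IFD placed at byte offset ifd_off. ASCII values
    longer than 4 bytes are stored after the entry table and referenced by offset."""
    n = len(ascii_entries) + len(pointer_entries)
    data_off = ifd_off + 2 + 12 * n + 4
    entries, data = b"", b""
    for tag, text in ascii_entries:
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:  # short value fits in the 4-byte value field
            entries += struct.pack("<HHI4s", tag, ASCII, len(raw), raw)
        else:              # long value: the field holds its offset instead
            entries += struct.pack("<HHII", tag, ASCII, len(raw), data_off + len(data))
            data += raw
    for tag, off in pointer_entries:
        entries += struct.pack("<HHII", tag, LONG, 1, off)
    return struct.pack("<H", n) + entries + struct.pack("<I", 0) + data


def build_exif_jpeg(ifd0_tags, exif_tags):
    """Wrap IFD0 plus an Exif sub-IFD in a TIFF block inside a JPEG APP1 segment.
    The JPEG carries no pixel data; it exists only to exercise the parser."""
    exif_off = 8 + len(build_ifd(ifd0_tags, 8, [(0x8769, 0)]))  # length is offset-independent
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += build_ifd(ifd0_tags, 8, [(0x8769, exif_off)])
    tiff += build_ifd(exif_tags, exif_off)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif(jpeg):
    """Walk JPEG segments to the APP1 'Exif' block and return its ASCII tags."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return parse_tiff(jpeg[pos + 10:pos + 2 + length])
        if marker == 0xFFDA:       # start of scan: no more metadata segments follow
            break
        pos += 2 + length
    return {}


def parse_tiff(tiff):
    """Read IFD0 and follow sub-IFD pointers, collecting ASCII tags by name."""
    endian = {b"II": "<", b"MM": ">"}[bytes(tiff[:2])]
    magic, ifd0 = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    tags = {}

    def read_ifd(off):
        (n,) = struct.unpack_from(endian + "H", tiff, off)
        for i in range(n):
            entry = off + 2 + 12 * i
            tag, ftype, count = struct.unpack_from(endian + "HHI", tiff, entry)
            field = entry + 8
            if ftype == ASCII:
                src = field if count <= 4 else struct.unpack_from(endian + "I", tiff, field)[0]
                text = tiff[src:src + count].split(b"\x00", 1)[0].decode("ascii", "replace")
                tags[TAG_NAMES.get(tag, f"0x{tag:04X}")] = text
            elif ftype == LONG and tag in SUB_IFD_TAGS:
                read_ifd(struct.unpack_from(endian + "I", tiff, field)[0])

    read_ifd(ifd0)
    return tags


def manipulation_indicators(tags):
    """The two indicators from the text: editing software, and DateTime != DateTimeOriginal."""
    findings = []
    if tags.get("Software"):
        findings.append(f"edited with: {tags['Software']}")
    if {"DateTime", "DateTimeOriginal"} <= tags.keys() and tags["DateTime"] != tags["DateTimeOriginal"]:
        findings.append(f"DateTime {tags['DateTime']} differs from DateTimeOriginal {tags['DateTimeOriginal']}")
    return findings


def demo():
    """Constructed image: every value below is made up for this example."""
    jpeg = build_exif_jpeg(
        [(0x010F, "ExampleCam"), (0x0110, "X-1"), (0x0131, "EditorSuite 2.0"),
         (0x0132, "2024:01:05 10:30:00")],
        [(0x9003, "2023:12:25 09:15:00")])
    tags = parse_exif(jpeg)
    return tags, manipulation_indicators(tags)


if __name__ == "__main__":
    print(demo())
```

The parser stops at the start-of-scan marker because no EXIF can follow the compressed image data, and an image with no APP1 segment simply yields no tags, which is itself a finding: metadata stripped by an editor or a messaging app is a reason to treat the file's origin as unknown rather than clean.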
Additional Forensic Techniques:
• Hashing: Calculate the hash of the image to verify its integrity. Any changes to the image will result in a
different hash value.
• File Metadata: Examine other file metadata, such as file creation and modification times, to identify
potential inconsistencies.
• Image Analysis: Use specialized tools to analyze the image for signs of manipulation, such as
inconsistencies in lighting, shadows, or object placement.
PRACTICAL 5
AIM: Create a Forensic Disk Image using the Guymager Tool.
The forensic imager contained in this package, guymager, was designed to support different image file formats,
to be most user-friendly and to run really fast. It has a high speed multi-threaded engine using parallel
compression for best performance on multi-processor and hyper-threading machines.
How to install: sudo apt install guymager