Difference between CLI and GUI

Point CLI (Command Line Interface) GUI (Graphical User Interface)

Ease of Use Difficult for beginners (requires Easy to use with windows, icons,
remembering commands and menus (user-friendly).
syntax).

Learning Curve Steeper learning curve. Needs Shorter learning curve. Intuitive
command knowledge. controls.

Speed & Faster for experienced users, Slower for repetitive tasks, limited
Efficiency especially with repetitive tasks (can automation.
use scripts).

Customization Highly customizable through Limited customization, fixed set of

commands and scripting. functions.

Resource Lightweight, uses fewer system Heavy, uses more CPU and
Usage resources. memory.

Visualization Text-based output, less visual. Provides data visualization (charts,

timelines, file trees).

Errors High chance of mistakes due to Lower risk of typing errors, but may
typos or wrong commands. hide internal processes ("black
box").

Tool Classifications in Digital Forensics

1. Open Source vs Commercial Tools

Open Source Tools

● Pros: Free, transparent (source code visible), customizable, flexible.

● Cons: Steeper learning curve, limited support, documentation may be less polished.

● Examples:

○ Autopsy (GUI, front-end for Sleuth Kit).

○ Sleuth Kit (TSK) (CLI forensic toolkit).

 Commercial Tools

● Pros: User-friendly, professional support, specialized functions, widely used in industry.

● Cons: Expensive (license cost), “black box” (internal working not visible), limited customization.

● Examples:

○ FTK (Forensic Toolkit) (GUI with some CLI utilities).

○ X-Ways Forensics (GUI forensic suite with scripting).

2. Validation and Integrity Tools

These tools ensure data integrity, reliability, and admissibility of evidence.

● Hashing Tools – Verify evidence is unchanged (MD5, SHA-1, SHA-256).

● Hex Editors – View/edit raw binary data, detect malware, check file signatures, recover deleted
data.

● Autopsy Validation Workflow –

1. Acquire evidence & generate hash.

2. Run ingest modules (file type check, hash lookup, integrity check).

3. Validate file system structures.

4. Perform keyword/signature analysis.

5. Re-check integrity by re-hashing.

6. Generate reports (with chain of custody details).

Summary for Exams:

● Open source tools (Autopsy, Sleuth Kit) are free, transparent, and customizable.

● Commercial tools (FTK, X-Ways) are user-friendly, supported, but costly.

● Validation tools (hashing, hex editors, Autopsy workflow) ensure integrity, accuracy, and court
admissibility of digital evidenc
 Data Validation and Integrity
Definition:

● Data validation ensures that digital evidence is accurate, reliable, and authentic.

● Integrity means the evidence remains unchanged from the time of collection to its presentation
in court.

Key Methods

1. Hashing (MD5, SHA-1, SHA-256):

○ Creates a digital fingerprint of the evidence.

○ Any change in evidence changes the hash value.

○ Used during acquisition and analysis to confirm integrity.

2. Hex Editors:

○ Allow examiners to view/edit raw binary data.

○ Help detect malware, analyze file signatures, recover deleted files, and check timestamps.

3. File System Validation:

○ Ensures partitions, metadata, and timestamps are consistent with the original disk.

○ Detects anomalies like deleted/hidden files.

4. Autopsy Validation Workflow:

○ Evidence acquisition & hashing.

○ Ingest modules (file type check, hash lookup, integrity verification).

○ Re-hashing at different stages.

○ Final reports include original hashes and chain of custody.

Importance in Digital Forensics

● Maintains chain of custody.

● Ensures evidence is legally admissible in court.

● Prevents tampering or alteration of digital data.

● Builds trust and credibility in forensic analysis.

Autopsy Validation Workflow – Case Study

Case Scenario:
A forensic investigator receives a suspect’s hard disk image (.E01). The goal is to validate
integrity and analyze for hidden evidence using Autopsy.

Steps in Workflow

1. Evidence Acquisition & Hashing

○ Disk image (.E01) is added to Autopsy.

○ Cryptographic hash (MD5/SHA-1/SHA-256) is generated.

○ Purpose: Ensure evidence is not modified (chain of custody).

2. Ingest Modules Run

○ Autopsy automatically runs modules:

■ File Type Identification – compares headers with extensions.

■ Hash Lookup – matches against known good (NSRL) and bad (malware) hash sets.

■ Integrity Check – detects corrupted or incomplete files.

3. File System Validation

○ Autopsy checks partitions, metadata, timestamps.

○ Identifies deleted files, hidden partitions, or anomalies.

4. Keyword & Signature Analysis

○ Searches for suspicious keywords (emails, chats, logs).

○ Validates file structures (e.g., JPEG header/footer consistency).

5. Integrity Re-checks

○ Re-hash evidence or files at any stage.

○ Confirms no tampering during analysis.

6. Reporting & Documentation

○ Final report contains:

■ Original and verified hash values.

■ Findings (malware, deleted data, hidden files).

■ Chain of custody details.

○ Report is admissible in court.

Case Study Example (Exam Style):

An investigator analyzes a 500GB hard disk image from a fraud case.

● Autopsy’s hash values (SHA-256) confirm the image is unaltered.

● Ingest modules detect deleted emails and hidden partitions.

● File system validation shows tampered timestamps.

● Re-hashing proves evidence remained unchanged.

● Final report is submitted in court as validated digital evidence.

Summary (2–3 lines for exam):

Autopsy’s validation workflow ensures digital evidence is authentic by using hashing, ingest
modules, file system checks, re-hashing, and detailed reporting. In case studies, this process
confirms that the evidence is accurate, reliable, and legally admissible.
Data Hiding Techniques
In digital crimes, suspects often try to hide data instead of deleting it. Common techniques
include:

1. Partition Hiding

● Concept: A partition of the disk is hidden from the operating system.

● Methods:

○ Modify partition table (MBR/GPT) entries.

○ Mark partition as “unallocated.”

● Normal User View: Partition is invisible in File Explorer.

● Forensic Detection: Tools (Autopsy, FTK, Sleuth Kit) can scan raw disk and reveal hidden
partitions.

● Example: A 500 GB drive shows only 300 GB → 200 GB hidden partition.

2. Bad Sector Marking

● Concept: Data is hidden in sectors marked as “bad” so the OS ignores them.

● Methods: Manipulate file system metadata to flag good sectors as bad.

● Normal User View: OS treats those areas as damaged, cannot access.

● Forensic Detection: Imaging tools (FTK Imager, X-Ways, dd) can copy sector-by-sector and
recover hidden data.

● Example: A 4 KB “bad” cluster may actually contain secret files or keys.

3. Alternate Data Streams (ADS)

● Concept: A feature of NTFS that allows multiple data streams in a single file.

● Normal User View: File looks normal in Explorer.

● Forensic Detection: Use dir /R or forensic tools (FTK, Autopsy) to detect hidden streams.
 Example:

echo Secret > [Link]:hidden

● → File “[Link]” looks normal but hides extra data.

4. Bit Shifting

● Concept: Bits of data are shifted left/right to obfuscate content.

● Use Cases: Malware hiding, steganography, data corruption tricks.

● Detection: Forensic analysts reverse the shift using hex editors or scripts.

● Example: Shifting image data by 2 bits makes it unreadable until reversed.

Summary Table
Technique How it Works Normal View Forensic Detection

Partition Hiding Alters partition table Partition Disk scan shows hidden
entries invisible partition

Bad Sector Marks good sectors as OS ignores Sector imaging recovers

Marking “bad” them data

ADS (NTFS) Hidden streams in files Looks normal dir /R, forensic tools

Bit Shifting Moves data bits to hide Appears Reverse shifting with tools
meaning corrupted

Alternate Data Streams (ADS)

Definition:

● ADS is a feature of the NTFS file system that allows a file to have multiple data streams.

● Every file has one main stream (its content), but hidden streams can be attached to it.

How it Works:

● Data is stored in a hidden stream linked to the file.

● The file appears normal in size and content when viewed in File Explorer.

● Hidden content does not appear in directory listings.

Example Command:

echo Secret > [Link]:hidden

● Here, [Link] looks like a normal text file, but the hidden stream :hidden contains secret
data.

Why It’s Used:

● Legitimate Use: Storing file metadata.

● Malicious Use: Attackers hide malware, logs, or stolen data inside ADS.

● Forensics Concern: Evidence may be concealed inside normal-looking files.

Detection Methods:

● Windows Command:

○ dir /R → shows files with ADS.

○ more < [Link]:hidden → reads ADS content.

● Forensic Tools:

○ FTK, X-Ways, Autopsy, Sysinternals [Link].

Forensic Importance:

● ADS can hide incriminating files without changing the visible file.

● Investigators must check ADS during analysis to uncover hidden malware or evidence.

Exam Line Summary:

Alternate Data Streams (ADS) in NTFS let attackers hide data inside normal files. They are
invisible in standard views but detectable using forensic tools and commands like dir /R. ADS
analysis is crucial to uncover hidden evidence.
 Hexa editor - unallocated space:
1. What is a Hex Editor?

● A Hex Editor is a tool that allows investigators to view and edit files in binary/hexadecimal
format.

● It displays data as:

○ Address area (location of bytes),

○ Hex area (actual data in hex),

○ Character area (ASCII view).

2. What is Unallocated Space?

● Unallocated space is the part of storage that is not assigned to any file or directory by the
operating system.

● It may still contain:

○ Entire deleted files,

○ Fragments of deleted files,

○ Remnants of old data.

3. Role of Hex Editor in Analyzing Unallocated Space

● File Carving: Detect file headers/footers (magic numbers) in raw unallocated space to
reconstruct deleted files.

● Detect Hidden Data: Can reveal fragments of files, malware, or steganographic content.

● Recover Timestamps & Metadata: Helps identify when files were created/modified, even if
deleted.

● Manual Analysis: Investigators can scroll through raw bytes to detect patterns, keywords, or
anomalies.

4. Example (Exam Case Study Style):

 ● A suspect deletes incriminating images.

● OS marks clusters as “free” (unallocated), but data remains.

● Using a hex editor, the investigator searches unallocated space for JPEG header FFD8 and
footer FFD9.

● The hidden/deleted image is reconstructed and presented as evidence.

Exam Line Summary:

A hex editor allows forensic experts to analyze unallocated space by recovering deleted files,
detecting hidden data, and verifying file signatures. This ensures valuable evidence is not lost
even after deletion

Forensic Software Benchmarking

Definition:

● Forensic software benchmarking is the process of testing and comparing digital forensic
tools to ensure their accuracy, reliability, and efficiency in evidence handling.

● It helps investigators select the most appropriate tool and ensures court admissibility of
evidence.

Why It Is Important:

1. Credibility of Evidence – Evidence is only accepted in court if tools are reliable.

2. Accuracy – Validates algorithms and reduces error rates.

3. Efficiency – Identifies tools that save time/resources.

4. Standard Compliance – Ensures tools follow standards (e.g., NIST CFTT).

Key Benchmarking Parameters:

● Acquisition – Ability to capture complete and accurate data.

● Hashing – Correct generation of digital fingerprints (MD5, SHA-1, SHA-256).

● File Recovery – Success in restoring deleted files.

● Data Parsing – Ability to process different formats and file systems.

 ● Compatibility – Works across OS, file systems, cloud platforms.

● Error Rate – Frequency of wrong or misleading results.

● User Friendliness – Ease of use of the tool.

How Benchmarking is Conducted:

1. Define Test Cases – Prepare standard forensic scenarios.

2. Use Reference Data Sets – Known files used for testing accuracy.

3. Compare Tools – Run multiple tools on the same data.

4. Automated Frameworks – Tools like AutoDFBench automate testing.

5. Documentation – Record and analyze results for transparency.

Exam Line Summary:

Forensic software benchmarking ensures tools are reliable, accurate, and efficient by testing
them against standard datasets, measuring performance (acquisition, hashing, recovery), and
following guidelines like NIST CFTT. It guarantees that evidence produced is trustworthy and
legally admissible.

Cloud and Mobile Forensics

1. Mobile Forensics

Definition:

● Mobile forensics is the process of recovering digital evidence from mobile devices
(smartphones, tablets, GPS units).

Purpose:

● To investigate crimes like fraud, cyberbullying, and terrorism by examining calls, SMS, app
data, deleted files, and location history.

Process:

1. Acquire data from the device using specialized tools.

2. Preserve data integrity (hashing).

3. Analyze communication records, media, and app activity.

4. Interpret evidence to reconstruct events.

Key Challenges:

● Device diversity (different OS versions).

● Encrypted/locked devices.

● Rapidly changing apps and mobile technologies.

2. Cloud Forensics

Definition:

● Cloud forensics involves investigating and preserving digital evidence from cloud
platforms (Google Drive, AWS, Microsoft Azure, etc.).

Purpose:

● To detect data breaches, analyze user activity, recover compromised data, and identify
vulnerabilities.

Process:

1. Collect logs and data from cloud providers.

2. Validate evidence integrity (hashing, timestamps).

3. Analyze user accounts, access history, and stored files.

4. Correlate with local device data.

Key Challenges:

● Data distributed across multiple servers.

● Jurisdiction issues (data stored in different countries).

● Privacy and access restrictions.

Integration of Cloud & Mobile Forensics

● Mobile devices often sync data with cloud services (e.g., WhatsApp backups, Google Drive,
iCloud).

● Investigators must correlate evidence from both sources for a complete picture.

Examples of Tools:

● Magnet AXIOM – Unified analysis across devices and cloud.

● UFED (Cellebrite) – Extracts mobile and cloud data.

● AXIOM Cloud – Cloud-specific acquisition and analysis.

Exam Line Summary:

Mobile forensics deals with extracting and analyzing evidence from smartphones and tablets,
while cloud forensics focuses on investigating cloud-stored data. Both face challenges like
encryption, jurisdiction, and large data volumes. Together, they provide a complete view of user
activity in digital investigations.

Unit 3

FAT and NTFS – Theory & Differences

1. FAT (File Allocation Table)

● Definition: FAT is an older file system used by computers and devices to organize data on
storage.

● Types: FAT12, FAT16, FAT32.

● Structure: Uses a simple table to keep track of clusters (small disk units) allocated to files.
● Features:

○ Easy to implement and widely compatible.

○ File size limit: 4 GB (FAT32).

○ Limited security (no encryption/permissions).

○ More prone to fragmentation and data loss.

● Usage: Still used in USB drives, memory cards, and devices requiring cross-platform sup

2. NTFS (New Technology File System)

● Definition: NTFS is the default file system for modern Windows systems.

● Features:

○ Supports larger files (up to 16 TB).

○ File-level security – access control lists (ACLs), encryption (EFS).

○ Journaling – logs changes to prevent corruption.

○ Fault tolerance – can recover quickly after crashes.

○ Efficient space utilization and faster performance.

● Usage: Windows OS, large disks, secure systems.

3. Key Differences Between FAT and NTFS

Feature FAT (FAT32) NTFS

Complexity Simple structure Advanced, complex structure

Max File Size 4 GB Up to 16 TB

File Name Length 8.3 characters (old) 255 characters

Security Minimal (network level only) Strong (permissions, ACLs, EFS)

Fault Tolerance No journaling, prone to loss Journaling, auto-repair possible

Performance Slower, more fragmentation Faster, efficient disk usage

 Compatibility Works on most devices/OS Limited to modern Windows systems

1. Linux Types (Distributions)

Linux is an open-source OS with many distributions (distros) for different purposes.

Type / Distro Features / Use Case

Ubuntu User-friendly, good for beginners, desktop and server use

Debian Stable, reliable, used in servers and development

Red Hat / RHEL Commercial support, enterprise servers, security-focused

Fedora Latest features, community-supported, testing ground for RHEL

Kali Linux Specialized for digital forensics & penetration testing

Arch Linux Lightweight, rolling updates, customizable by advanced users

2. Mac Types (macOS Versions)

macOS is a closed-source OS by Apple. Main types are based on macOS versions:

Version Name Key Features / Use Case

macOS Ventura Latest features, security improvements

macOS Monterey Stability, updated apps

macOS Big Sur Redesigned interface, enhanced

performance
macOS Catalina 64-bit apps only, improved security

macOS Mojave Dark mode, security enhancements

Exam Line Summary:

● Linux: Multiple distributions exist for beginners, developers, servers, or forensic testing (e.g.,
Ubuntu, Debian, Kali Linux).
● Mac: Different macOS versions exist for Apple devices with improved features, security, and
performance.

Unallocated Space – Theory

Definition:

● Unallocated space is the portion of a storage device that is not currently assigned to any
active file or directory by the file system.

● It may still contain remnants of deleted files or previously used data.

Characteristics:

● Not visible in the operating system’s file explorer.

● Data in unallocated space remains until it is overwritten by new files.

● Often found in disk clusters marked free.

Importance in Forensics:

● Critical for recovering deleted files.

● May contain fragments of previous files, hidden data, or malware.

● Forensic tools scan unallocated space for file headers, footers, and data signatures.

Recovery Methods:

1. Hex Editors: View raw bytes in unallocated space.

2. File Carving: Detect file headers/footers to reconstruct deleted files.

3. Forensic Software: Autopsy, FTK, Sleuth Kit, X-Ways can analyze unallocated clusters.

● Unallocated space may contain recoverable evidence from deleted or hidden files.

Exam Line Summary:

Unallocated space is the part of a storage device not assigned to current files. It may contain
remnants of deleted or hidden files, making it an important area for forensic recovery and
analysis.
Slack Space – Theory
Definition:

● Slack space is the unused space in a disk cluster that exists between the end of a file and
the end of the cluster allocated to it.

● It occurs because files rarely fill an entire cluster completely.

Types of Slack Space:

1. File Slack – Space between the end of the file and the end of the cluster.

2. RAM Slack – Portion of file slack that may contain data left from RAM content when the OS
writes to disk.

Importance in Forensics:

● Slack space can contain residual data from previously deleted files.

● Investigators can recover hidden or residual evidence from slack space using forensic tools.

● Often used to detect data hiding or malware.

Slack Space Diagram

● Each cluster may have partial file data + leftover slack.

● Forensic tools scan this area to recover hidden data.

Exam Line Summary:

Slack space is the leftover unused space in a disk cluster after a file ends. It may contain
remnants of deleted files or other data, making it important for forensic investigations.
 Master File Table (MFT) – Theory
Definition:

● The Master File Table (MFT) is a special system file in NTFS that stores information about
every file and directory on the volume.
● Acts as the index or database of all files on an NTFS disk.

Contents of MFT:

Each MFT entry contains:

1. File Name – Name of the file or directory.

2. File Size – Size of the file.

3. Timestamps – Creation, modification, and access times.

4. File Attributes – Read-only, hidden, system file flags.

5. Data Pointers – Location of file data clusters.

6. Security Information – Permissions (ACLs).

Importance in Forensics:

● MFT allows investigators to reconstruct deleted files.

● Even if file data is deleted, metadata in MFT may remain, providing timestamps and file
structure.

● Useful for analyzing file system activity, slack space, and hidden files.

Every file/directory has a separate MFT entry.

● Small files may be stored entirely in the MFT (resident files).

Exam Line Summary:

The Master File Table (MFT) in NTFS stores metadata for all files and directories. It helps
forensic analysts recover deleted files, analyze file activity, and access timestamps and
attributes.

Deleted Files – Theory

 Definition:

● Deleted files are files that a user has removed from a storage device, but their data may still
exist on the disk until overwritten.

● Deletion usually removes the file entry from the file system table (FAT, MFT) but does not
erase the actual data.

Types of Deletion:

1. Soft Deletion:
○ File entry removed from directory, but data remains in unallocated space.

○ Can often be recovered using forensic tools.

2. Hard Deletion / Wiping:

○ File data is overwritten with zeros or random data.

○ Recovery is very difficult.

Recovery of Deleted Files:

● Hex Editors: Inspect raw disk sectors for file signatures.

● File Carving: Identify file headers/footers to reconstruct files.

● Forensic Tools:

○ Autopsy, FTK, X-Ways, Sleuth Kit can recover deleted files from FAT, NTFS, or unallocated
space.

● Important Considerations:

○ Time since deletion (older files may be overwritten).

○ File system type (FAT vs NTFS).

○ Slack space may contain parts of deleted files.

● File metadata is gone from directory table.

● Data remains in unallocated or slack space until overwritten.

 Exam Line Summary:
Deleted files are removed from the file system directory but may remain in unallocated or slack
space. Forensic tools and file carving techniques allow investigators to recover these files for
evidence.