Cicf Module-1

The document discusses how to use Autopsy, a digital forensics platform, to analyze disk images. It covers how to set up a case, add data sources, configure ingest modules, explore the data through different views, and analyze extracted content like files, metadata, and artifacts.

Uploaded by Aditi Sharma
CYBER CRIME INVESTIGATION AND CYBER FORENSICS LAB

MODULE 1

AUTOPSY

Data Analysis and Recovery using Autopsy

The Sleuth Kit (TSK) is a library and a collection of command-line tools used to investigate disk
images. Autopsy is the GUI program for TSK. The results of the forensic search carried out over
the images are displayed there, and they help the investigator locate the relevant sections of data
in an investigation. Autopsy is used by law enforcement, military, and corporate examiners to
investigate the actions that took place on the evidence computer; it can also be used to recover
deleted data from digital devices.

1. Getting Started
Open Autopsy and create a new case.

Click on Finish after completing both the steps.


2. Add a data source.
Select the appropriate data source type.

DR. SUDIPTA KR GHOSAL, LECTURER, DEPT. OF CFS, BEHALA GOVERNMENT POLYTECHNIC
• Disk Image or VM file: Includes images that are an exact copy of a hard drive or
  media card, or a virtual machine image.
• Local Disk: Includes a hard disk, pen drive, memory card, etc.
• Logical Files: Includes local folders or files.
• Unallocated Space Image File: Includes files that do not contain a file system but
  still need to be run through ingest.
The data source used here is a disk image. Add the location of the data source.

Configure ingest modules.

The ingest modules determine what the data in the data source is analyzed for. Here is a brief
overview of each of them.

• Recent Activity: Discovers the recent operations performed on the disk, for example the
  files that were last viewed.
• Hash Lookup: Identifies files using hash values.
• File Type Identification: Identifies files based on their internal signatures rather than just
  their file extensions.
• Extension Mismatch Detector: Identifies files whose extensions have been tampered
  with or changed, possibly to hide evidence.
• Embedded File Extractor: Extracts embedded files such as .zip, .rar, etc. and uses the
  derived files for analysis. Another example is a PNG image saved inside a .doc to make it
  appear as a document and thus hide crucial information.
• EXIF (Exchangeable Image File Format) Parser: Retrieves metadata about image
  files, for example date of creation, geolocation, etc.
• Keyword Search: Searches for a particular keyword or pattern in the data source.
• Email Parser: If the disk holds any form of email database, for example the .pst/.ost files of
  Outlook, the information in these files can be extracted using the email parser.
• Encryption Detection: Detects and identifies encrypted or password-protected files.
• Interesting File Identifier: Lets the examiner set custom rules for filtering the data. The
  examiner is notified when results matching these rules are found.
• Correlation Engine: Allows properties to be saved in, and later retrieved from, the central
  repository. It helps in displaying correlated properties.
• PhotoRec Carver: Recovers files, photos, etc. from unallocated space.
• Virtual Machine Extractor: Extracts and analyzes any virtual machine found in the data
  source.
• Data Source Integrity: Calculates the hash values and stores them in the database in
  case they aren't already present. Otherwise, it verifies the data source against the hash
  values already stored in the database.

• Plaso: Extracts timestamps from various types of files.
• Android Analyzer: Analyzes SQLite and other files retrieved from an Android device.

Select all that will serve the purpose of your investigation and click Next. Once the data source is
added, click Finish. It will take some time to extract and analyze the data, depending upon the
size of the data source.
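As an added illustration (not part of the lab manual or of Autopsy's own code) of what the File Type Identification and Extension Mismatch Detector modules do, the Python script below classifies files by their leading magic bytes and flags names whose extension promises a different type. The signature table, the extension rules and the sample file contents are all constructed for this example; Autopsy itself relies on the much larger Apache Tika signature database.

```python
import os

# Constructed subset of magic-byte signatures (leading bytes -> MIME type).
# Autopsy uses the Apache Tika database for this; the subset here is an assumption for the demo.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-dosexec"),
]

# Which detected types are acceptable for a given extension. Office Open XML
# files (.docx) are ZIP containers, so a ZIP signature under .docx is not a mismatch.
EXT_TO_MIME = {
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
    ".gif": {"image/gif"},
    ".pdf": {"application/pdf"},
    ".zip": {"application/zip"},
    ".docx": {"application/zip"},
    ".exe": {"application/x-dosexec"},
    ".txt": {"text/plain"},
}

# Bytes we accept in a plain-text file: printable ASCII plus tab, LF, CR.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def identify(data: bytes) -> str:
    """File Type Identification: classify by leading bytes, never by the file name."""
    for signature, mime in SIGNATURES:
        if data.startswith(signature):
            return mime
    sample = data[:512]
    if sample and all(b in TEXT_BYTES for b in sample):
        return "text/plain"
    return "application/octet-stream"


def extension_mismatch(name: str, data: bytes):
    """Extension Mismatch Detector: return (detected, expected) when the extension
    promises one type and the content is another; None otherwise.
    Extensions we have no rule for are skipped rather than flagged."""
    ext = os.path.splitext(name)[1].lower()
    expected = EXT_TO_MIME.get(ext)
    if expected is None:
        return None
    detected = identify(data)
    if detected in expected:
        return None
    return detected, sorted(expected)


def scan(files: dict) -> dict:
    """Run the detector over {name: content} and return only the mismatches."""
    findings = {}
    for name, data in files.items():
        result = extension_mismatch(name, data)
        if result is not None:
            findings[name] = result
    return findings


# Constructed sample "data source": file names paired with their leading bytes.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "holiday.jpg": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",   # PNG bytes under a .jpg name
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",              # PE executable under a .txt name
    "minutes.docx": b"PK\x03\x04\x14\x00\x06\x00",           # ZIP container: legitimate for .docx
    "readme.txt": b"Plain text, nothing to see.\n",
    "unknown.bin": b"\x00\x01\x02\x03",                       # no rule for .bin: not flagged
}

if __name__ == "__main__":
    for name, (detected, expected) in scan(SAMPLE_FILES).items():
        print(f"{name}: content is {detected}, extension implies {expected}")
```

Note the .docx entry: Office Open XML documents are ZIP containers, so a ZIP signature under that extension is expected, and a detector that does not know this floods the examiner with false positives. Extensions without a rule are skipped for the same reason.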

3. Exploring the data source:

The Data Source information: Here the basic metadata is shown. A detailed analysis is displayed
in the bottom section. These details can be viewed as Hex values, Results, File
Metadata, etc.

The disk image is then broken down based upon its volume partitions.

Each volume can be browsed for its contents, results for which are displayed in the section at the
bottom. For example, the content shown below belongs to Data Sources -> Mantooth.E01 ->
MSOCache-> [Parent Folder].

Views (determine the basis on which files are classified)

• File Type: Here the files are categorized based upon their type. The classification can be
  done either on the basis of file extension or of MIME type. While both of these provide a
  hint about how to deal with a file, file extensions are commonly used by the OS to decide
  what program shall be used to open a file, and MIME types are used by the browser to
  decide how to present the data (or by the server to decide how to interpret the data
  received). The files displayed here also include deleted files.

• Deleted Files: Here information about the files that were specifically deleted can be
  found. These deleted files can be recovered as well: right-click on the file to be
  recovered -> click on Extract File(s) -> save the file to an appropriate destination.

• MB Size Files: Here files are classified based upon their size. The range starts from
  50 MB. This enables the examiner to pick out large files specifically.

Note: It is usually advised not to scan or extract any suspected files or disks, such as payload
files, on the main system, but rather to scan them in a safe environment such as a virtual machine
and then extract the data, as they may be corrupt and may infect the examiner's system with
viruses.

Results:

All the extracted data is viewed under Views / Data Source. Under Results, we get the information
about this data.

Extracted Content: Each Extracted Content category displayed below can be further explored. The
following briefly explains each of them.

• EXIF Metadata: Contains all the .jpg images that have EXIF metadata associated with
  them; this metadata can be analyzed further.
• Encryption Detection: Lists the files that are password-protected or encrypted.
• Extension Mismatch Detection: As explained above, it identifies the files whose
  extensions do not match their MIME types and thus may be suspicious.
• Installed Programs: Gives details about the software used by the user. This
  information is extracted with the help of the Software registry hive.
• Operating System Information: Gives information about the OS with the help of the
  Windows Registry hive and the Software registry hive.
• Operating System User Account: Lists information about all the user accounts; for
  example, accounts belonging to the device are extracted from the Software hive and the
  accounts associated with Internet Explorer from its index.dat files.
• Recent Documents: Lists all the documents that were accessed close to the time the disk
  image was captured.
• Recycle Bin: Files that are temporarily stored on the system before being permanently
  deleted are visible here.
• Remote Drive: Shows information about all the remote drives accessed from the system.
• Shell Bags: A shell bag is a set of registry keys that stores details about a folder being
  viewed, such as its position, icon, and size. All the shell bags from the system can be
  viewed here.
• USB Device Attached: All the information about the external devices attached to the
  system is displayed here. This data is extracted from the Windows Registry, which is in
  effect a maintained database of the activities taking place on the system.
• Web Cookies: Cookies save user information from the sites visited and thus provide a lot of
  information about the user's online activities.

• Web History: All the details about the browser history are shown here.
• Web Searches: Details about the web searches made are displayed here.
• Keyword Hits: Here specific keywords can be looked for in the disk image.
  Multiple data sources can be selected for the lookup. The search can be restricted to exact
  match, substring match or regular expression, for example for emails, IP addresses, etc.

• HashSet Hits: Here the search can be made using hash values.
• E-mail Messages: Here all the Outlook .pst files can be explored.

• Interesting Items: As discussed before, these are the file results based upon the custom
  rules set by the examiner.
• Accounts: Here all the details regarding the accounts present on the disk are shown. This
  disk has the following EMAIL accounts.

• Reports: Reports about the entire analysis of the data source can be generated and
  exported in many formats.

Additional Features:

• Add a Data Source: Each case can hold multiple data sources.
• Images/Videos: Images and videos in the data source can be viewed in Gallery View. The
  information here is displayed in the form of attribute-value pairs.

• Communications: All the communications made using the source device are displayed
  here. This device had communications only in the form of emails.

• Geolocation: This window displays the artifacts that have longitude and latitude
  attributes as waypoints on a map. Here the data source has no waypoints.
• Timeline: Information about when the computer was used, or what events took place
  before or after a given event, can be found here; this greatly helps in investigating events
  around a particular time.

Almost all the basic features, and how Autopsy actually works, have been discussed in this article.
However, it is always recommended to go through different sample data sources to explore even
more.

HEX EDITOR
A hex editor is a special type of editor that can open any type of file and display its contents,
byte by byte.

Most of the time when you open a file, you are seeing the program’s interpretation of that file’s
contents. Even plaintext files contain invisible characters that denote the beginning of the file,
where lines should break, the end of the file, and more.

You can see these invisible characters (and regular characters, too) with a hex editor, where they
appear as hexadecimal values.

Usage:

• Get rid of invisible data: Hex editors can help you get rid of watermarks or other data
  that is hidden within a file.
• Reverse-engineer old or unknown files: Programs and games often use their own file
  types that an in-program engine decompiles and uses. However, if the original program is
  not available you won't be able to open the file unless you have a hex editor.
  Since hex editors show you the raw data of a file, not the interpretation of that data, hex
  editors can open absolutely any type of file, allowing you to dig around and find out what
  it really is.
• Fix corrupted files: You can view the file's bytes and diagnose the issues with a hex
  editor.
• Fun stuff: Hex editors are a favorite tool of game modding communities, and there are
  some uses for a hex editor that are a little more fun:
    o Breaking GIFs
    o Modding games
    o Modifying game save files

HEXVIEWER IN NOTEPAD++
Installing Hex Viewer in Notepad++

• Open Notepad++ and go to Plugins.

• Navigate to Plugins Admin…

• Search for the Hex keyword

• Select HEX-Editor

• Click on Install

Using Hex Editor to Fix a Corrupted Image file:

• Open Notepad++ and import the corrupted PNG file (simply by drag and drop)
After opening the file it will look like this:

• Navigate to Plugins, then HEX-Editor, and click on View in HEX

• Similarly open another PNG file (which is not corrupted)
• Right-click on the file name and select Move to Other View

• Select the corrupted PNG file


• Navigate to Plugins, then HEX-Editor, and click on Compare HEX
The orange part is the difference between the files.

• Now change only the header part of the file by overwriting its bytes to match the
  non-corrupted file

• Close the non-corrupted file


• Select the corrupted file and navigate to Plugins, then HEX-Editor, and click on View in
  HEX
The view will change to this:

• Save the file

• Open the file to check the image
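The same repair can be checked programmatically. The Python script below is an added example, not part of the lab manual: it builds a small known-good PNG in memory (playing the role of the non-corrupted file above), zeroes the 8-byte header to simulate the corruption, reports what is wrong by validating the signature and each chunk's CRC-32, and then overwrites only the header, exactly as the Notepad++ procedure does. All inputs are constructed inside the script.

```python
import struct
import zlib

# The fixed 8-byte signature every valid PNG file starts with.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(chunk_type + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + chunk_type + body + struct.pack(">I", crc)


def make_minimal_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed 'known-good' PNG (8-bit RGB, all black) used as the reference file."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + b"\x00\x00\x00" * width          # filter byte + RGB pixels
    idat = zlib.compress(row * height)
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def diagnose(data: bytes) -> list:
    """Report what is wrong: bad signature, chunk CRC mismatches, or truncation.
    This is the programmatic version of eyeballing the orange bytes in Compare HEX."""
    problems = []
    if data[:8] != PNG_SIGNATURE:
        problems.append("signature")
    pos, seen_iend = 8, False
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            break                                     # chunk runs past end of file
        chunk_type = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(chunk_type + body) & 0xFFFFFFFF != stored_crc:
            problems.append("crc:" + chunk_type.decode("latin-1"))
        pos += 12 + length
        if chunk_type == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        problems.append("truncated")                  # no intact IEND reached
    return problems


def repair_signature(data: bytes) -> bytes:
    """Overwrite only the first 8 bytes with the correct signature, exactly as the
    hex-editor procedure does; everything after the header is left untouched."""
    return PNG_SIGNATURE + data[8:]


if __name__ == "__main__":
    good = make_minimal_png()
    corrupted = b"\x00" * 8 + good[8:]                # constructed: header zeroed out
    print("before:", diagnose(corrupted))
    fixed = repair_signature(corrupted)
    print("after: ", diagnose(fixed), "identical to reference:", fixed == good)
```

The CRC check is the part a hex editor does not give you: if diagnose() still reports crc: entries after the header has been replaced, the damage extends into the chunk data and overwriting the header alone will not bring the image back.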

METADATA AND EXIF DATA ANALYSIS


Metadata is a set of data that describes and gives information about other data. For example,
author, date created, date modified and file size are examples of very basic document file
metadata.

Using the file command to extract basic metadata

The file command determines the file type: file tests each argument in an attempt to classify it.
There are three sets of tests, performed in this order: file system tests, magic tests, and language
tests. The first test that succeeds causes the file type to be printed.

[kali@kali ~]$ file <Filename>

Using the strings command to extract metadata

The strings command prints the sequences of printable characters in files. For each file given,
strings prints the printable character sequences that are at least 4 characters long (or the number
given with the -n option) and are followed by an unprintable character. strings is mainly
useful for determining the contents of non-text files.

[kali@kali ~]$ strings <Filename>

ExifTool is a free and open source software program which is used to read, write and update the
metadata of various types of files such as PDF, audio, video and image files.

It is platform independent, and is available as a Perl library as well as a command-line application.


Metadata can be described as information about the data such as file size, date created, file type,
etc.

ExifTool is very easy to use and gives a lot of information about the data.

Installing ExifTool

It is quite easy to install ExifTool on a Linux machine. It can be installed by typing the following
command in the terminal:

ubuntu@ubuntu:~$ sudo apt-get install libimage-exiftool-perl

1. Extracting the Entire Metadata of a File


We can get the entire metadata of a file by using the following command in the terminal:

ubuntu@ubuntu:~$ exiftool <file_name>

When we type the above command, we get all the information about the file as shown below.

2. Extracting Common Metadata
We can extract the most common metadata of a file by using the -common option along
with the exiftool command. Type the following command in the terminal to display the common
metadata of a file.

ubuntu@ubuntu:~$ exiftool -common <file_name>

It will give us general information about the file as shown in the following image.

3. Verbose Mode of ExifTool

Verbose mode of ExifTool gives us more details about the file compared to normal mode.
We can enter verbose mode by using the -v option along with ExifTool. The syntax of
verbose mode is as follows:

ubuntu@ubuntu:~$ exiftool -v <file_name>
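To show what an EXIF parser (the Autopsy ingest module above, or exiftool) actually reads, here is an added Python example that is not part of the lab manual and does not use ExifTool itself: it locates the APP1/Exif segment of a JPEG, walks the TIFF IFD0 directory and returns its ASCII tags. Because no real photograph can be embedded here, the script also constructs a minimal JPEG carrying an Exif segment of its own; the camera make, model, date and software in SAMPLE_TAGS are made-up values.

```python
import struct

# Tag numbers from the TIFF/EXIF specification for the IFD0 tags handled here.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "ModifyDate", 0x0131: "Software"}
ASCII = 2  # EXIF data-type code for NUL-terminated ASCII strings


def build_exif_jpeg(tags: dict) -> bytes:
    """Constructed test input: a JPEG skeleton (SOI, APP1/Exif segment, EOI) whose
    IFD0 carries the given {tag_id: text} entries in little-endian byte order."""
    entries, extra = b"", b""
    data_start = 8 + 2 + 12 * len(tags) + 4          # first byte after the IFD
    for tag, text in tags.items():
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:                           # short values are stored inline
            field = value.ljust(4, b"\x00")
        else:                                         # longer ones via an offset
            field = struct.pack("<I", data_start + len(extra))
            extra += value
        entries += struct.pack("<HHI", tag, ASCII, len(value)) + field
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(tags))
            + entries + struct.pack("<I", 0) + extra)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_tiff_ifd0(tiff: bytes) -> dict:
    """Walk IFD0 of a TIFF structure and return its ASCII tags by name."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]        # byte-order mark
    magic, ifd_offset = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("not a TIFF header")
    (count,) = struct.unpack(order + "H", tiff[ifd_offset:ifd_offset + 2])
    found = {}
    for i in range(count):
        entry = ifd_offset + 2 + 12 * i
        tag, type_code, num = struct.unpack(order + "HHI", tiff[entry:entry + 8])
        if type_code != ASCII:
            continue                                   # only ASCII tags in this example
        if num <= 4:
            raw = tiff[entry + 8:entry + 8 + num]
        else:
            (offset,) = struct.unpack(order + "I", tiff[entry + 8:entry + 12])
            raw = tiff[offset:offset + num]
        name = TAG_NAMES.get(tag, f"0x{tag:04X}")
        found[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def extract_exif(jpeg: bytes) -> dict:
    """Scan JPEG segments for APP1/Exif and return its IFD0 ASCII tags ({} if none)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + length]      # length counts its own 2 bytes
        if marker == 0xFFE1 and payload[:6] == b"Exif\x00\x00":
            return parse_tiff_ifd0(payload[6:])
        if marker == 0xFFDA:                          # SOS: image data follows, stop
            break
        pos += 2 + length
    return {}


# Constructed sample values; they describe no real photograph.
SAMPLE_TAGS = {0x010F: "HTC", 0x0110: "HTC One",
               0x0132: "2023:06:01 14:22:09", 0x0131: "GIMP 2.10"}

if __name__ == "__main__":
    for name, value in extract_exif(build_exif_jpeg(SAMPLE_TAGS)).items():
        print(f"{name:<12}: {value}")
```

Only ASCII-typed IFD0 tags are decoded. A full parser would also follow the ExifIFD and GPS sub-IFD pointers, where DateTimeOriginal and the geolocation mentioned in the ingest-module list live, and would handle the other TIFF value types.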

HASHING
Cryptography uses hashing to confirm that a file is unchanged.

In Linux, you're likely to interact with one of two hashing methods:

• MD5
• SHA256

Hashing a file and comparing with a duplicate

• Open a text editor and create a file named original.txt with a line of text that reads:
  Original information.

[kali@kali ~]$ vim original.txt


[kali@kali ~]$ cat original.txt
Original information.
[kali@kali ~]$

• Next, run the file through a hash algorithm. Use MD5 for now. The command is
  md5sum.

[kali@kali ~]$ md5sum original.txt


80bffb4ca7cc62662d951326714a71be original.txt
[kali@kali ~]$

Notice the resulting checksum value. This value is large enough that it's difficult to work
with. Store that value for future use by redirecting it into a file:

[kali@kali ~]$ md5sum original.txt > hashes.txt


[kali@kali ~]$ cat hashes.txt
80bffb4ca7cc62662d951326714a71be original.txt
[kali@kali ~]$

• Copy that file to the /tmp directory with the name duplicate.txt. Copy the file by using the
  following command:

[kali@kali ~]$ cp original.txt /tmp/duplicate.txt


[kali@kali ~]$

• Run the following command to create a checksum of the copied file:

[kali@kali ~]$ md5sum /tmp/duplicate.txt


80bffb4ca7cc62662d951326714a71be /tmp/duplicate.txt
[kali@kali ~]$
• Append the hash result to our hashes.txt file and then compare the two (be very careful to
  use the >> append redirect operator here, because > would overwrite the hash value of the
  original.txt file).
Run the following command:

[kali@kali ~]$ md5sum /tmp/duplicate.txt >> hashes.txt


[kali@kali ~]$ cat hashes.txt
80bffb4ca7cc62662d951326714a71be original.txt
80bffb4ca7cc62662d951326714a71be /tmp/duplicate.txt
[kali@kali ~]$

The two hash results are identical, so the file did not change during the copy process.

• Next, simulate a change. Type the following command to change the /tmp/duplicate.txt
  file contents, and then rerun the md5sum command with the >> append operator:

[kali@kali ~]$ hostname >> /tmp/duplicate.txt


[kali@kali ~]$ md5sum /tmp/duplicate.txt >> hashes.txt
[kali@kali ~]$

• Prove that the duplicate.txt file is no longer identical to the original.txt file:

[kali@kali ~]$ cat hashes.txt

80bffb4ca7cc62662d951326714a71be original.txt
80bffb4ca7cc62662d951326714a71be /tmp/duplicate.txt
1f59bbdc4e80240e0159f09ecfe3954d /tmp/duplicate.txt
[kali@kali ~]$

In the above example, we manually compare the hash values by displaying them with cat.
Use the --check option to have md5sum do the comparison for us.

[kali@kali ~]$ md5sum --check hashes.txt


original.txt: OK
/tmp/duplicate.txt: FAILED
/tmp/duplicate.txt: OK
md5sum: WARNING: 1 computed checksum did NOT match
[kali@kali ~]$

We can repeat the above steps substituting sha256sum for the md5sum command to see how the
process works using the SHA algorithm. The sha256sum command also includes a --check
checksum option that compares the resulting hashes and displays a message for whether the files
differ.
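The md5sum / sha256sum workflow above, replayed as an added Python example (not part of the lab manual): digest_file() streams a file through the chosen algorithm, append_to_manifest() writes the same "digest  path" lines that md5sum path >> hashes.txt produces, and check_manifest() reproduces --check. run_walkthrough() performs the whole sequence in a temporary directory; the appended line "kali" stands in for the hostname output and is a constructed value.

```python
import hashlib
import os
import shutil
import tempfile


def digest_file(path: str, algo: str = "md5") -> str:
    """Stream the file through the chosen hash (md5 or sha256) and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def append_to_manifest(manifest: str, path: str, algo: str = "md5") -> None:
    """Equivalent of `md5sum path >> hashes.txt`: one 'digest  path' line is appended
    (two spaces, the coreutils text-mode format); the manifest is never truncated."""
    with open(manifest, "a") as m:
        m.write(f"{digest_file(path, algo)}  {path}\n")


def check_manifest(manifest: str, algo: str = "md5") -> list:
    """Equivalent of `md5sum --check hashes.txt`: recompute every listed file and
    return [(path, 'OK' | 'FAILED'), ...] in manifest order."""
    results = []
    with open(manifest) as m:
        for line in m:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, path = line.split("  ", 1)
            status = "OK" if digest_file(path, algo) == expected else "FAILED"
            results.append((path, status))
    return results


def run_walkthrough(algo: str = "md5") -> list:
    """Replay the lab steps in a temporary directory and return the --check results."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "original.txt")
    duplicate = os.path.join(work, "duplicate.txt")
    manifest = os.path.join(work, "hashes.txt")
    with open(original, "w") as f:
        f.write("Original information.\n")
    shutil.copy(original, duplicate)                  # cp original.txt duplicate.txt
    append_to_manifest(manifest, original, algo)      # md5sum original.txt > hashes.txt
    append_to_manifest(manifest, duplicate, algo)     # md5sum duplicate.txt >> hashes.txt
    with open(duplicate, "a") as f:
        f.write("kali\n")                             # constructed stand-in for `hostname >> duplicate.txt`
    append_to_manifest(manifest, duplicate, algo)     # record the post-change hash too
    results = check_manifest(manifest, algo)
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        print(algo)
        for path, status in run_walkthrough(algo):
            print(f"  {os.path.basename(path)}: {status}")
```

Because run_walkthrough() records the duplicate's hash both before and after the change, the check reports FAILED for the stale line and OK for the fresh one, exactly as in the transcript above. The parser handles the coreutils text-mode format (two spaces); binary-mode lines (" *path") are not handled here.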

RECOVERY OF DELETED FILES (USING TESTDISK)


TestDisk is powerful free data recovery software. It was primarily designed to help recover lost
partitions and/or make non-booting disks bootable again when these symptoms are caused by
faulty software: certain types of viruses or human error (such as accidentally deleting a Partition
Table).

Download TestDisk

TestDisk does not need to be installed. Simply download the file from this link and extract it to
use it.

Link: https://www.cgsecurity.org/Download_and_donate.php/testdisk-7.2-WIP.win.zip

Using TestDisk to recover deleted files from dummy USB

• Open testdisk_win.exe
• Select Create and press Enter. It will take some time to load.

• Select the USB device, which here is the SanDisk Cruzer Blade, then select Proceed
  and press Enter

• Select the partition table type. If you are unsure, just keep the default selected and
  press Enter

• Select Advanced and press Enter

• Select the partition (in our case we have only one partition, but there can be multiple
  partitions). Next, select Undelete to see the deleted files and press Enter

• Press “a” to select all files and “C” to copy the selected files to the location where you
  want to save them.

After pressing “a”:

After pressing “C”:

  Navigate to your destination folder by pressing the Left and Right keys on your
  keyboard to move back and forth.
  After reaching the destination folder, press “C” to select the destination and save the files
  there.
• Exit TestDisk by pressing “q” multiple times
