DF Priya Practical

The document is a laboratory manual for the Digital Forensics course at L. D. College of Engineering, detailing practical work and objectives for students. It outlines industry-relevant skills, guidelines for faculty and students, safety instructions, and the vision and mission of the institution. Additionally, it includes specific course outcomes and practical experiments related to digital forensics tools and techniques.

Laboratory Manual for

Digital Forensic (3170725)

B.E. Semester 7
Computer Engineering

L. D. College of Engineering
Ahmedabad

Name: MODI PRIYA D.
Enrollment Number: 220283107014


Certificate

This is to certify that Mr./Ms. MODI PRIYA DINESHKUMAR


Enrollment No. 220283107014 of B.E. Semester 7 Computer Engineering of this
Institute (GTU Code: 3170725) has satisfactorily completed the Practical /
Tutorial work for the subject DIGITAL FORENSICS for the academic year
2023-24.

Place:

Date:

Name and Sign of Faculty member

Head of the Department


Preface
With the rapid growth of internet users across the globe, the rate of cybercrime is also increasing.
Nowadays, Internet applications have become an essential part of every discipline, with a variety
of domain-specific applications. The basic objective of offering this course is to make engineering
graduates aware of cybercrimes and their modus operandi so that they can analyze an attack.

By using this lab manual, students can go through the relevant theory and procedure in advance
of the actual performance, which creates interest and gives them a basic idea before they perform
the experiment. This in turn enhances the predetermined outcomes among students. Each
experiment in this manual begins with the competency, relevant skills, course outcomes and
practical outcomes (objectives). Students will also learn the safety measures and precautions
to be taken while performing the practical.

This manual also provides guidelines to faculty members to facilitate student-centric lab
activities through each experiment by arranging and managing the necessary resources, so that
the students follow the procedures with the required safety and precautions to achieve the
outcomes. It also gives an idea of how students will be assessed by providing rubrics.
Industry Relevant Skills
The following industry-relevant competencies are expected to be developed in the student by
undertaking the practical work of this laboratory.
1. Investigation and analysis skills: Develop the ability to investigate and analyze
various digital devices and systems, including computers, mobile devices, and
networks. Learn how to extract and analyze data from these devices and systems to
identify evidence of cybercrime.
2. Evidence handling and preservation skills: How to handle and preserve digital
evidence in a way that is admissible in court. This includes learning about chain of
custody, evidence storage, and documentation.
3. Technical skills: Technical skills related to computer and network security, including
knowledge of operating systems, file systems, and network protocols. Students may
also learn about encryption, steganography, and other techniques used to hide
information.
4. Legal and regulatory knowledge: Relevant laws and regulations related to
cybercrime, such as the IT Act 2000. Students will learn about legal procedures,
courtroom procedures, and other aspects of the legal system.
5. Communication and reporting skills: Students will learn how to communicate
complex technical information to non-technical stakeholders, such as lawyers,
judges, and juries. They will also learn how to write clear and concise reports that
summarize their findings and conclusions.
6. Critical thinking and problem-solving skills: Complex problem-solving scenarios that
require students to think critically and apply their knowledge and skills to real-
world situations.
Guidelines for Faculty members
1. Teacher should provide guidelines along with a demonstration of the practical to the
students, covering all its features.
2. Teacher shall explain the basic concepts/theory related to the experiment to the students
before starting each practical.
3. Involve all the students in the performance of each experiment.
4. Teacher is expected to share the skills and competencies to be developed in the
students and ensure that the respective skills and competencies are developed in the
students after the completion of the experimentation.
5. Teachers should give students the opportunity for hands-on experience after the
demonstration.
6. Teacher may provide additional knowledge and skills to the students that are not
covered in the manual but are expected from the students by the concerned industry.
7. Give practical assignments and assess the performance of students based on the task
assigned, to check whether it is as per the instructions or not.
8. Teacher is expected to refer to the complete curriculum of the course and follow the
guidelines for implementation.
Instructions for Students
1. Students are expected to carefully listen to all the theory classes delivered by the faculty
members and understand the COs, content of the course, teaching and examination scheme,
skill set to be developed etc.
2. Students shall organize the work in the group and make a record of all observations.
3. Students shall develop the maintenance skills expected by industries.
4. Student shall attempt to develop related hands-on skills and build confidence.
5. Student shall develop the habit of evolving more ideas, innovations, skills etc. apart
from those included in the scope of the manual.
6. Student shall refer to technical magazines and data books, and follow real cyber forensic cases.
7. Student should develop the habit of submitting the experimentation work as per the
schedule, and s/he should be well prepared for the same.
Common Safety Instructions
Students are expected to carefully perform each experiment without damaging the lab computer
systems. All the experiments are for learning purposes only and must never be performed anywhere
else without proper authorization.
Vision & Mission of L D College of Engineering, Ahmedabad and Computer Department
Vision:
● To contribute to the sustainable development of the nation through achieving excellence in
technical education and research while facilitating the transformation of students into
responsible citizens and competent professionals.
Mission:
● To impart affordable and quality education in order to meet the needs of industries and achieve
excellence in the teaching-learning process.
● To create a conducive research ambience that drives innovation and nurtures research-oriented
scholars and outstanding professionals.
● To collaborate with other academic & research institutes as well as industries in order to strengthen
education and multidisciplinary research.
● To promote equitable and harmonious growth of students, academicians, staff, society and
industries, thereby becoming a center of excellence in technical education.
● To practise and encourage high standards of professional ethics, transparency and accountability.

PROGRAM-SPECIFIC OUTCOME
● Graduates will be able to explore and propose effective solutions to the problems in the
area of Computer Engineering as per the needs of society and industry.
● Graduates will be able to apply standard practice and strategies to develop quality
software products using modern techniques, programming skills, tools & an open ended
programming environment and work in a team.
● Graduates will manifest the skills of continuous learning in the fast changing field of
Computer Engineering.

PROGRAM EDUCATIONAL OBJECTIVES

● Provide computing solutions of complex problems as per business and societal needs.
● Procure requisite skills to pursue entrepreneurship, research and development, higher
studies and imbibe high degree of professionalism in the fields of computing.
● Embrace life-long learning and remain continuously employable.
● Work and excel in a highly competence supportive, multicultural and professional
environment which is abiding to the legal and ethical responsibilities.

Course outcomes of Digital Forensics


CO-1 Describe Forensic science and Digital Forensic concepts
CO-2 Determine various digital forensic Operandi and motive behind cyber attacks
CO-3 Interpret the cyber pieces of evidence, Digital forensic process model and their legal
perspective.
CO-4 Demonstrate various forensic tools to investigate the cybercrime and to identify the
digital pieces of evidence
CO-5 Analyze the digital evidence used to commit cyber offences.
Index
(Progressive Assessment Sheet)

Columns: Sr. No. | Objective(s) of Experiment | Page No. | Date of performance | Date of submission | Assessment Marks | Sign. of Teacher with date | Remarks

0. 1. Write the Following
   2. Vision & Mission of L D College of Engineering, Ahmedabad and Computer Department
   3. Program Outcome (LDCE)
   4. PSOs and PEOs of Computer Engineering Department (LDCE)
   5. Course outcomes of Digital Forensics
1. Study of packet analyzer tool (Wireshark / NMap / Networkminer)
2. Study of forensic commands of Linux.
3. Make a disk image using an imaging tool.
4. Using hex editor (HxD tool) analyze metadata of a file.
5. Study and perform Microsoft office file metadata analysis.
6. Image metadata analysis.
7. Study of browser forensics - Collect data of history, cache etc. and prepare report.
8. Using Sysinternals tools for Network Tracking and Process Monitoring
9. Recovering and Inspecting deleted files using Autopsy
10. Acquisition of Cell phones and Mobile devices.
11. Study any one digital forensic collection and analysis tool used in analysis of digital evidence (For eg., Coffee tool, Magnet capture tool, Ram capture tool, NFI Defragger, Toolsley, Volatility)
For a crime that occurred in recent time (example: online fraud), prepare a report containing:
● Name of the crime, which year, victim and attacker name
● List of digital devices available for forensics
● List of tools (that can be used for investigation) along with a short description of their utility
Total
Practical-1
AIM: Study of packet analyzer tool.

Wireshark: Packet Analyzer Tool

Wireshark is the world’s foremost and widely used network protocol analyzer. It lets you
see what’s happening on your network at a microscopic level and is the de facto (and often de
jure) standard across many commercial and non-profit enterprises, government agencies, and
educational institutions. Wireshark development thrives thanks to the volunteer contributions
of networking experts around the globe and is the continuation of a project started by Gerald
Combs in 1998.
Wireshark has a rich feature set which includes the following:
● Deep inspection of hundreds of protocols, with more being added all the time
● Live capture and offline analysis
● Standard three-pane packet browser
● Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
● Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
● The most powerful display filters in the industry
● Rich VoIP analysis
● Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000,
Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and
uncompressed), Sniffer® Pro, and NetXray®, and many others
● Capture files compressed with gzip can be decompressed on the fly
● Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring,
Frame Relay, FDDI, and others (depending on your platform)
● Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP,
and WPA/WPA2
● Coloring rules can be applied to the packet list for quick, intuitive analysis
● Output can be exported to XML, PostScript®, CSV, or plain text
Installation Steps:

Step 1: Download and install Wireshark from https://www.wireshark.org/#download by
clicking on the link as shown in the image.

Step 2: After the file is downloaded, double-click on the file to open it.

Step 3: Select Next to start the Setup Wizard.


Step 4: Review the license agreement. If you agree, select I Agree to continue.

Step 5: Select “Next” to accept the default components.


Step 6: Select the shortcuts you would like to have created. Leave the file extensions selected. Select
Next.

Step 7: Choose the install location you prefer and click Next.
Step 8: At the Packet Capture page make sure Install WinPcap 4.1.3 is selected. You need this to capture traffic with
Wireshark. Without it you can still view Wireshark capture files. Click Next.

Step 9: At the USB Capture page you can choose to install USBPcap. Check the box next to Install USBPcap 1.2.0.3 if
you want to capture raw USB traffic as well (such as from a USB to RJ45 Ethernet adapter). Click Install.

The software will begin installing.


Step 10: Eventually the installer will pause at “Execute: “C:\Program Files\Wireshark\WinPcap_4_1_3.exe” and launch
a new installer window for WinPcap. Click Next in this window.

Step 11: Read the license agreement and click I Agree.


Step 12: Make sure the check box is checked next to “Automatically start the WinPcap driver at boot time” unless you
have a good reason for disabling this and click Install.

Step 13: The install will begin and eventually complete. Click Finish.
Capturing Packets using Wireshark:

● This is the first screen of Wireshark that you’ll see when it is opened.
● Click on the network adapter whose traffic you want to see.
● Here, you’ll see all the traffic that is coming to and going from your system.
● You can see information like packet no., time, source IP and destination IP.
● If the source IP is the same as your system’s, then it is a packet going out from our system.
● If the destination IP is the same as your system’s, then it is a packet intended for your system.
● We can also see the protocol used for the transmission of the packet, like TCP, UDP, TLS etc.
● Beside it we can see the length of the packet in bytes and some information about what the
packet contains.
● We can double click on any packet to see more information about it.
● We can right click on any packet and then click on Follow > TCP/UDP Stream to see the whole
stream of information of which that packet is a part.
Here the information in red is the request sent and in blue we can see the response received.

All the information till now is being captured; in order to stop capturing and save it, we can
click on the red icon shown above. Then we can press Ctrl+S to save it so that we can analyse it
later.

It will be saved in a special pcapng file which can later be opened again with the help of
Wireshark. So, in this way we can use Wireshark for detailed analysis of our network.
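The packet-list columns described above (No., Time, Source, Destination, Protocol, Length) all come from the capture file itself. The following Python reader is an added example, not part of the manual or of Wireshark: it parses a classic libpcap capture (one of the formats Wireshark reads and writes; pcapng is a different, block-based layout) and rebuilds those columns. The two frames it reads are constructed inline.

```python
"""Minimal libpcap reader that reproduces Wireshark's packet-list columns
(No., Time, Source, Destination, Protocol, Length).

Added example, not from the lab manual. The capture bytes are constructed
inline: one Ethernet/IPv4/TCP frame and one Ethernet/IPv4/UDP frame in the
classic libpcap format (magic 0xA1B2C3D4, link type 1 = Ethernet).
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_frame(src_ip, dst_ip, proto, payload=b""):
    """Construct an Ethernet + IPv4 frame carrying `payload` (test data only)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    total_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def build_pcap(frames, base_ts=1700000000):
    """Wrap frames in a libpcap global header plus one 16-byte record header each."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, i * 1000, len(frame), len(frame))
        out += frame
    return out


def read_pcap(data):
    """Parse a libpcap byte string into rows like Wireshark's packet list."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    rows, offset, number, first_ts = [], 24, 0, None
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        number += 1
        ts = ts_sec + ts_usec / 1e6
        if first_ts is None:
            first_ts = ts                       # Wireshark's Time column is relative
        src = dst = proto = "?"
        if len(frame) >= 34 and struct.unpack_from("!H", frame, 12)[0] == 0x0800:
            proto_num = frame[23]               # IPv4 header starts at byte 14
            src = socket.inet_ntoa(frame[26:30])
            dst = socket.inet_ntoa(frame[30:34])
            proto = IP_PROTO_NAMES.get(proto_num, str(proto_num))
        rows.append({"no": number, "time": round(ts - first_ts, 6), "source": src,
                     "destination": dst, "protocol": proto, "length": incl_len})
    return rows


# Constructed two-packet capture: an outgoing TCP segment and an incoming UDP datagram.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.10", "93.184.216.34", 6, b"\x00" * 20),
    build_frame("93.184.216.34", "192.168.1.10", 17, b"\x00" * 8),
])

if __name__ == "__main__":
    for row in read_pcap(SAMPLE_PCAP):
        print(row)
```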
References used by the students:

https://www.wireshark.org/docs/

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-2
AIM: Study of forensic commands of Linux.
1. history: Using the history command without options displays the list of commands used
since the start of the terminal session.
● Syntax: $ history
Parameters:
▪ | less: If you wish to view the history one page at a time, pipe it to less. You can then
use the spacebar to view one page at a time or the down arrow to view one line at a time.
▪ | tail: To view just the last ten commands.
▪ n (where n = any number, e.g. 15): To view the last n (15 here) commands.
▪ history with Ctrl+R: This opens a search feature. Just begin typing a command and it will
complete the command with the most recent match. If it is not the one you need, simply type a
few more letters until you find the command you wanted. Once you find it, press the return key
to run it or press the right arrow key to edit it.
● Example:
2. find: The find command in UNIX is a command line utility for walking a file hierarchy. It
can be used to find files and directories and perform subsequent operations on them. It
supports searching by file, folder, name, creation date, modification date, owner, and
permissions.
● Syntax:
$ find [where to start searching from] [expression that determines what to find] [-options] [what to find]
▪ . : the current directory
▪ / : the root directory
Options:
▪ -exec: Other UNIX commands can be executed on the files or folders found.
▪ -name demo: Search for files that are specified by ‘demo’.
▪ -newer file: Search for files that were modified/created after ‘file’.
▪ -print: Display the path name of the files found by using the rest of the criteria.
▪ -empty: Search for empty files and directories.
▪ -user name: Search for files owned by user name or ID ‘name’.
▪ \( expr \): True if ‘expr’ is true; used for grouping criteria combined with OR or AND.
● Example:
3. last: The last command in Linux is used to display the list of all the users logged in and
out since the file /var/log/wtmp was created. One or more usernames can be given as an
argument to display their login (and logout) time and their host-name.

Syntax: $ last [options] [username...] [tty...]

Options:
▪ -[number]: This option is used to specify the number of lines to display.
▪ -R: This option is used to hide the host-name field.
▪ -F: This option is used to display the login and logout time including the dates.
▪ -a: This option is used to display the host-name in the last column.
▪ -d: This option is used to translate the IP address back into its host-name.
▪ -w: This option is used to display full user and domain names.
▪ --help: This option is used to display help regarding all options belonging to the last command.

Example:

4. file: determines file type. file tests each argument in an attempt to classify it. There are three
sets of tests, performed in this order: filesystem tests, magic number tests, and language
tests. The first test that succeeds causes the file type to be printed.

Syntax:
$ file [option] [filename]
▪ $ file [ -bchikLnNprsvz ] [ -f namefile ] [ -F separator ] [ -m magicfiles ] file ...
▪ $ file -C [ -m magicfile ]

Options:
▪ -c, --checking-printout: Cause a checking printout of the parsed form of the magic file. This
is usually used in conjunction with -m to debug a new magic file before installing it.
▪ -C, --compile: Write a magic.mgc output file that contains a pre-parsed version of the magic file.
▪ -f, --files-from namefile: Read the names of the files to be examined from namefile (one per
line) before the argument list. Either namefile or at least one filename argument must be
present; to test the standard input, use ‘‘-’’ as a filename argument.
▪ -F, --separator separator: Use the specified string as the separator between the filename
and the file result returned. Defaults to ‘‘:’’.
▪ -k, --keep-going: Don’t stop at the first match, keep going.
▪ -m, --magic-file list: Specify an alternate list of files containing magic numbers. This can
be a single file, or a colon-separated list of files. If a compiled magic file is found
alongside, it will be used instead. With the -i or --mime option, the program adds ".mime" to
each file name.
▪ -i, --mime: Causes the file command to output MIME type strings rather than the more
traditional human readable ones. Thus it may say ‘‘text/plain; charset=us-ascii’’ rather than
‘‘ASCII text’’.
▪ --help: Print a help message and exit.

Example:

5. lastlog: reports the most recent login of all users or of a given user. It formats and prints the
contents of the last login log /var/log/lastlog file. The login-name, port, and last login time will
be printed. The default (no flags) causes lastlog entries to be printed, sorted by their order in
/etc/passwd.

Syntax: $ lastlog [options]

Example:

6. fsck: check and repair a Linux file system. fsck is used to check and optionally repair one
or more Linux file systems. filesys can be a device name (e.g. /dev/hdc1, /dev/sdb2), a
mount point (e.g. /, /usr, /home), or an ext2 label or UUID specifier (e.g.
UUID=8868abf6-88c5-4a83-98b8-bfc24057f7bd or LABEL=root). Normally, the fsck program will
try to handle filesystems on different physical disk drives in parallel to reduce the total
amount of time needed to check all of the filesystems.

Syntax:
$ fsck <options> <filesystem>
▪ $ fsck [-sAVRTMNP] [-C [fd]] [-t fstype] [filesys...] [--] [fs-specific-options]

Options:
▪ -a: Try to repair filesystem errors automatically. There will be no prompts, so use it with caution.
▪ -A: Check all filesystems listed in /etc/fstab.
▪ -C: Show progress for ext2 and ext3 filesystems.
▪ -f: Force fsck to check a filesystem. The tool checks even when the filesystem appears to be clean.
▪ -l: Lock the device to prevent other programs from using the partition during the scan and repair.
▪ -P: Use to run a scan on multiple filesystems in parallel. It can cause issues, depending on your
setup. Use with caution.
▪ -R: Tell the fsck tool not to check the root filesystem when you use the -A option.
▪ -r: Print device statistics.
▪ -t: Specify which filesystem type(s) to check with fsck.
▪ -y: Try to repair filesystem errors automatically during the check.

Example:

7. stat: display file or file system status. stat is a Linux command line utility that displays
detailed information about a file or a file system. It retrieves information such as file type;
access rights in octal and human-readable form; SELinux security context string; time of file
creation, last data modification time and last access time, both human-readable and in
seconds since the Epoch; and much more.
Syntax: $ stat [options] filenames

Options:
▪ -f, --file-system: display file system status instead of file status
▪ -L, --dereference: follow links
▪ -c, --format=FORMAT: use the specified FORMAT instead of the default; output a newline after
each use of FORMAT
▪ --printf=FORMAT: like --format, but interpret backslash escapes, and do not output a mandatory
trailing newline; if you want a newline, include \n in FORMAT
▪ -t, --terse: print the information in terse form

Example:

8. lsof: It stands for List Of Open Files. This command provides a list of files that are opened.
Basically, it gives the information to find out which files are opened by which process. In one
go it lists out all open files on the output console. It can list not only common regular files but
also a directory, a block special file, a shared library, a character special file, a regular pipe, a
named pipe, an internet socket, a UNIX domain socket, and many others. It can be combined with
the grep command to do advanced searching and listing.

Syntax: $ lsof [option] [username]

Options:
▪ -u: There are several users of a system and each user has different requirements and
accordingly uses files and devices. To find the list of files that are opened by a specific user,
this option is useful.
▪ -c: This option can list out all the files opened by a particular process. -c followed by a
process name finds all the files that are opened by the process named in the command.
▪ -p: Each file is associated with some process ID. There can be many files that are opened by
a particular process. By using lsof -p <process ID>, the files opened by a particular process can
be checked.
▪ -R: There may be many child processes of a process, and this process can also be termed the
parent process. To find out the list of files opened by the parent process ID, the lsof command
is used with the option -R.
▪ -D: It lists out the files which are opened by a particular directory. There are files as well as
directories in a system, so there can be several files opened by a directory as well as by a
regular file.

Example:
References used by the students:

https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-3
AIM: Make a disk image using an imaging tool.

□ Creating a good backup of your computer system involves not only backing up all of your
data, but also backing up all Windows and system files when they are in a working and stable
state. When a hard drive crashes or the Windows operating system becomes corrupt, it would
be preferable to not only be able to load back your data quickly, but also to load back the
entire OS with all of your user settings, bookmarks, installed drivers, installed applications,
and more.

□ A good way to have both things taken care of at once is to create an image of your hard
drive. By creating an image, your entire system state, including the OS and data files, is
captured like a snapshot and can be reloaded at any time. It is the best way to protect your
data and is also the fastest solution.

What Is FTK Imager?

□ FTK Imager is a tool for creating disk images and is absolutely free to use. It was
developed by the AccessData Group. It helps to preview data and to create forensic images.
Step 1: Download and install the FTK imager on your machine.

Step 2: Click and open FTK Imager once it is installed. You should be greeted with the FTK
Imager dashboard.
Now, to create a disk image, click on File > Create Disk Image.

Now you can choose the source based on the drive you have. It can be a physical or a logical
Drive depending on your evidence.

A Physical Drive is the primary storage hardware or the component within a device, which is
used to store, retrieve, and organize data.
A Logical Drive is generally a drive space that is created over a physical hard disk. A logical
drive has its own parameters and functions because it operates independently.
Now choose the source of your drive that you want to create an image copy of.

Add the Destination path of the image that is going to be created. From the forensic
perspective, it should be copied in a separate hard drive and multiple copies of the original
evidence should be created to prevent loss of evidence.

Select the format of the image that you want to create. The different formats for creating the
image are:
1. Raw (dd): It is a bit-by-bit copy of the original evidence which is created without any
additions or deletions. It does not contain any metadata.
2. SMART: It is an image format that was used for Linux which is not popularly used
anymore.
3. E01: It stands for EnCase Evidence File, which is a commonly used format for imaging
and is similar to
4. AFF: It stands for Advanced Forensic Format, which is an open-source format type.
Now, add the details of the image to proceed.

Now finally add the destination of the image file, name the image file and then click on Finish.
Once you have added the destination path, you can now start with the Imaging and also click on
the verify option to generate a hash.

Now let us wait for a few minutes for the image to be created.
After the image is created, a hash result is generated which verifies the MD5 hash, the SHA1
hash, and the presence of any bad sectors.
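The acquisition and verify steps above can be reproduced in code. The Python below is an added example, not FTK Imager's own code: it images a constructed in-memory "device" sector by sector, hashes the data as it is written (MD5 and SHA-1, the same two hashes FTK Imager reports), zero-fills one unreadable sector and records it as bad, then re-hashes the finished image to verify it.

```python
"""Raw (dd-style) imaging of a block device with MD5/SHA-1 computed on the fly
and a bad-sector list, followed by the verify step FTK Imager performs.

Added example, not FTK Imager's own code. FakeDevice is a constructed in-memory
"drive" that fails to read one sector, standing in for an unreadable block; the
imager zero-fills that sector (as dd conv=noerror,sync does) and records it.
"""
import hashlib
import io

SECTOR = 512


class FakeDevice:
    """Constructed block device: `bad` holds sector numbers whose read fails."""

    def __init__(self, data, bad=()):
        self._data = data
        self.bad = set(bad)

    def sector_count(self):
        return (len(self._data) + SECTOR - 1) // SECTOR

    def read_sector(self, index):
        if index in self.bad:
            raise OSError(f"I/O error reading sector {index}")
        return self._data[index * SECTOR:(index + 1) * SECTOR]


def image_device(device, out):
    """Copy every sector of `device` into `out`, hashing exactly what is written.

    Returns the MD5/SHA-1 of the image and the list of unreadable sectors.
    """
    md5, sha1, bad = hashlib.md5(), hashlib.sha1(), []
    for index in range(device.sector_count()):
        try:
            block = device.read_sector(index)
        except OSError:
            bad.append(index)
            block = b"\x00" * SECTOR      # zero-fill so later offsets stay aligned
        out.write(block)
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "bad_sectors": bad}


def verify_image(image_bytes, expected):
    """Re-hash the stored image and compare with the hashes recorded at acquisition."""
    return {
        "md5": hashlib.md5(image_bytes).hexdigest() == expected["md5"],
        "sha1": hashlib.sha1(image_bytes).hexdigest() == expected["sha1"],
    }


def acquire_sample():
    """Image a constructed 4-sector device whose sector 2 is unreadable."""
    data = b"".join(bytes([i]) * SECTOR for i in range(4))   # sector i filled with byte i
    device = FakeDevice(data, bad={2})
    image = io.BytesIO()
    report = image_device(device, image)
    report["image_size"] = len(image.getvalue())
    report["verified"] = verify_image(image.getvalue(), report)
    return report


if __name__ == "__main__":
    print(acquire_sample())
```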
References used by the students:

None

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-4

AIM: Using hex editor analyze metadata of a file.

HxD tool

✔ HxD is a carefully designed and fast hex editor which, in addition to raw disk editing and
modifying of main memory (RAM), handles files of any size.
✔ The easy-to-use interface offers features such as searching and replacing, exporting,
checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of
files, statistics and much more.
✔ Editing works like in a text editor with a focus on a simple and task-oriented operation; as
such, functions were streamlined to hide differences that are purely technical.
✔ For example, drives and memory are presented similar to a file and are shown as a whole, in
contrast to a sector/region-limited view that cuts off data which potentially belongs
together. Drives and memory can be edited the same way as a regular file, including support
for undo. In addition, memory sections define a foldable region and inaccessible sections
are hidden by default.
✔ Furthermore, a lot of effort was put into making operations fast and efficient, instead of
forcing you to use specialized functions for technical reasons or arbitrarily limiting file
sizes. This includes a responsive interface and progress indicators for lengthy
operations.

Features:
● Available as a portable and installable edition
● RAM-Editor

▪ To edit the main memory

▪ Memory sections are tagged with data-folds


● Disk-Editor (Hard disks, floppy disks, ZIP-disks, USB flash drives, CDs, ...)

▪ RAW reading and writing of disks and drives

▪ for Win9x, WinNT and higher


● Instant opening regardless of file-size

▪ Up to 8EB; opening and editing is very fast


● Liberal but safe file sharing with other programs
● Flexible and fast searching/replacing for several data types
▪ Data types: text (including Unicode), hex-values, integers and floats
▪ Search direction: Forward, Backwards, All (starting from the beginning)
● File compare (simple)
● View data in Ansi, DOS, EBCDIC and Macintosh character sets
● Checksum-Generator: Checksum, CRCs, Custom CRC, SHA-1, SHA-512, MD5,
...
● Exporting of data to several formats

▪ Source code (Pascal, C, Java, C#, VB.NET)


▪ Formatted output (plain text, HTML, Richtext, TeX)
▪ Hex files (Intel HEX, Motorola S-record)
● Insertion of byte patterns

Installation Steps:

Step 1: Go to https://mh-nexus.de/en/hxd/, scroll down and click on the download page.
Select the English language and click on the download link to download the zip file.
Step 2: Go to the folder where you have downloaded the zip file, unzip it, run the portable installer
and choose a folder for the config file.

Step 3: Click on the executable and explore the functionalities.


Functionalities:

In HxD we can open any disk, the RAM (main memory) and also files.

In HxD we can easily open any file and do searching, replacing and inserting, and we can also
see the statistics of that file.
Statistics:
Searching:
Replacing:
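The file command from Practical-2 (filesystem test, then magic-number test, then language test) and the hex-editor view of a file header used in this practical come down to the same leading bytes. The following Python is an added example, not the manual's own code: it reimplements that three-stage classification over a handful of constructed sample files (MAGIC is a small, labelled subset of the real magic database) and prints an HxD-style hex dump of a header.

```python
"""Classify a file the way the file command does (filesystem test, then
magic-number test, then language test) and show an HxD-style hex dump of the
header bytes that the magic test looks at.

Added example, not from the lab manual. Sample files are constructed inline in
a temporary directory; MAGIC is a small subset of the real magic database.
"""
import os
import stat
import tempfile

# (offset, signature bytes, description); the first match wins, as in a magic file.
MAGIC = [
    (0, b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (0, b"\xff\xd8\xff", "JPEG image data"),
    (0, b"%PDF-", "PDF document"),
    (0, b"PK\x03\x04", "Zip archive data (also the DOCX/XLSX/PPTX container)"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"MZ", "PE executable (DOS MZ header)"),
    (0, b"GIF8", "GIF image data"),
]


def filesystem_test(path):
    """First stage: answer from the inode alone (directory, symlink, empty file)."""
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        return "directory"
    if stat.S_ISLNK(st.st_mode):
        return "symbolic link to " + os.readlink(path)
    if stat.S_ISREG(st.st_mode) and st.st_size == 0:
        return "empty"
    return None


def magic_test(header):
    """Second stage: compare the leading bytes against known signatures."""
    for offset, sig, desc in MAGIC:
        if header[offset:offset + len(sig)] == sig:
            return desc
    return None


def language_test(header):
    """Third stage (simplified): only printable bytes means text, otherwise data."""
    if b"\x00" in header:
        return "data"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in header)
    return "ASCII text" if printable == len(header) else "data"


def classify(path):
    """Run the three tests in order; the first one that succeeds decides."""
    result = filesystem_test(path)
    if result is not None:
        return result
    with open(path, "rb") as fh:
        header = fh.read(64)
    return magic_test(header) or language_test(header)


def hexdump(data, width=16):
    """Return lines of 'offset  hex bytes  ASCII', the layout a hex editor shows."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:08X}  {hexpart}  {text}")
    return lines


def demo():
    """Write constructed samples, classify each, return {name: description}."""
    samples = {                      # extensions are deliberately ignored by classify()
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "report.docx": b"PK\x03\x04\x14\x00\x00\x00",
        "notes.txt": b"Chain of custody log\nItem 1: laptop\n",
        "empty.bin": b"",
        "picture.txt": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",   # PNG renamed to .txt
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
            results[name] = classify(os.path.join(d, name))
        os.mkdir(os.path.join(d, "evidence"))
        results["evidence"] = classify(os.path.join(d, "evidence"))
    return results


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name}: {kind}")
    for line in hexdump(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00H\x00H"):
        print(line)
```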

References used by the students:

None

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-5
AIM: Study and perform Microsoft office file metadata analysis.

● Microsoft Word is currently the word processing software of choice for most individuals
and companies. Many users are under the mistaken belief that the final version of the
"visible" Word document is the only substantive content contained in the "saved file."

● Beyond the visible document and hidden in Word files is data known as "metadata".
Metadata can include things like revision history, authors, and "track changes" which
reveals the evolution of a document and the various edits that led to the final Word file.

● According to Microsoft, metadata found in Word files can include:

• Your name
• Your initials
• Your company or organization name
• The name of your computer
• The name of the network server or hard disk where you saved the document
• Other file properties and summary information
• Non-visible portions of embedded OLE objects
• Document revisions
• Document versions
• Template information
• Hidden text
• Comments

View Document Properties:

1. Open a Word document.


2. Click the File tab.
3. Click “Info” and then click “Show all Properties” to view the metadata entries for the file.
Use Document Inspector

1. Open a Word document and then click the “File” tab and look under “Info.”
2. Select “Check for Issues” and then click on “Inspect Document” to launch the
Document Inspector.
3. Click the check boxes to select the types of metadata the Document Inspector scans
for and then click “Inspect.” Microsoft Word will display the results of the inspection and
provide an option to remove the metadata.
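Added example (not part of the manual and not Microsoft's code): a .docx file is a ZIP container of XML parts, so the properties Word shows under File > Info can be read directly from docProps/core.xml and docProps/app.xml, and tracked changes (with author and date) from word/document.xml, without opening Word at all. The sample document, its author names, dates and revision number are constructed for the example; the script reads any real .docx path the same way. Legacy binary .doc files use a different (OLE) structure and are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Constructed sample parts of a .docx. Every name, date and revision number
# below is made up for the example.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Quarterly Report</dc:title>
  <dc:creator>analyst01</dc:creator>
  <cp:lastModifiedBy>j.doe</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-09-01T09:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2023-09-14T17:42:00Z</dcterms:modified>
</cp:coreProperties>"""

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <Template>Normal.dotm</Template>
  <TotalTime>95</TotalTime>
  <Company>Example Corp</Company>
</Properties>"""

DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body>
    <w:p><w:r><w:t>Final figures attached.</w:t></w:r></w:p>
    <w:p><w:ins w:id="1" w:author="j.doe" w:date="2023-09-14T17:40:00Z">
      <w:r><w:t>Revised total: 1.2M</w:t></w:r></w:ins></w:p>
    <w:p><w:del w:id="2" w:author="j.doe" w:date="2023-09-14T17:41:00Z">
      <w:r><w:delText>Draft total: 1.1M</w:delText></w:r></w:del></w:p>
  </w:body>
</w:document>"""


def build_sample_docx() -> bytes:
    """Pack the constructed parts into an in-memory .docx (ZIP) container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def _open(docx):
    """Accept either a file path or the raw bytes of a .docx."""
    return zipfile.ZipFile(io.BytesIO(docx) if isinstance(docx, bytes) else docx)


def _local(tag: str) -> str:
    return tag.split("}", 1)[-1]      # drop the '{namespace}' prefix


def read_docx_metadata(docx) -> dict:
    """Collect the document properties Word shows under File > Info
    (docProps/core.xml and docProps/app.xml) into a flat dict."""
    meta = {}
    with _open(docx) as z:
        names = set(z.namelist())
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part in names:
                for el in ET.fromstring(z.read(part)):
                    if el.text and el.text.strip():
                        meta[_local(el.tag)] = el.text.strip()
        # a comments part only exists if someone left comments in the file
        meta["has_comments"] = "word/comments.xml" in names
    return meta


def tracked_changes(docx) -> list:
    """List every tracked insertion/deletion in the body with author and date:
    the evolution of the document that the visible text does not reveal."""
    with _open(docx) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    changes = []
    for el in root.iter():
        if el.tag in (W_NS + "ins", W_NS + "del"):
            text = "".join(t.text or "" for t in el.iter()
                           if t.tag in (W_NS + "t", W_NS + "delText"))
            changes.append({"kind": _local(el.tag), "author": el.get(W_NS + "author"),
                            "date": el.get(W_NS + "date"), "text": text})
    return changes


if __name__ == "__main__":
    sample = build_sample_docx()
    for key, value in read_docx_metadata(sample).items():
        print(f"{key:16} {value}")
    for change in tracked_changes(sample):
        print(change)
```

Note that the deleted text ("Draft total") is still recoverable from the file even though it no longer appears in the visible document, which is exactly why the Document Inspector offers to remove revisions before a file is shared.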
References used by the students:
https://support.microsoft.com/en-us/word

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-6
AIM: Image metadata analysis.

● Image metadata is text information pertaining to an image file that is embedded into the
file or contained in a separate file that is associated with it.

● Image metadata includes details relevant to the image itself as well as information about its
production. Some metadata is generated automatically by the device capturing the image.
Additional metadata may be added manually and edited through dedicated software or general
image editing software such as GIMP or Adobe Photoshop. Metadata can also be added
directly on some digital cameras.

✔ Technical metadata is mostly automatically generated by the camera. It includes camera details
and settings such as aperture, shutter speed, ISO number, focal depth, dots per inch (DPI). Other
automatically generated metadata include the camera brand and model, the date and time when
the image was created and the GPS location where it was created.

✔ Descriptive metadata is mostly added manually through imaging software by the


photographer or someone managing the image. It includes the name of the image creator,
keywords related to the image, captions, titles and comments, among many other possibilities.
Effective descriptive metadata is what makes images more easily searchable.

✔ Administrative metadata is mostly added manually. It includes usage and licensing rights,
restrictions on reuse, contact information for the owner of the image.

● Several standardized formats of metadata exist, including: Information Interchange Model
(IPTC), Extensible Metadata Platform (XMP), Exchangeable Image File (Exif), Dublin Core
Metadata Initiative (DCMI) and Picture Licensing Universal System (PLUS).
Example of image metadata analysis:

Adobe Photoshop is a commercial application that includes an XMP viewer. In Photoshop CS5, it
is under File → File Info. While not as powerful or as complete as Exiv2 and ExifTool, Adobe's
viewer does provide the ability to decode XMP, IPTC, Exif, and other types of metadata in a
graphical interface.

● You can add metadata to any document in Illustrator®, Photoshop® or InDesign by
choosing File > File Info.
● Here, title, description, keywords and copyright information have been inserted.

● You can view the metadata in InDesign by selecting an image and choosing File Info from
the Info panel menu. Or you can use the metadata by choosing Object > Captions
> Caption Setup (as shown).
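Added example, not from the manual and not the code of ExifTool, Exiv2 or Adobe: a minimal Exif reader in Python that walks the JPEG marker chain to the APP1 segment, reads the TIFF-style IFD tables inside it and decodes the Make, Model, date, ISO, aperture and GPS tags, then converts the GPS rationals to decimal degrees. The JPEG it parses is constructed by the script itself (no picture data), with made-up camera and location values; the same parser works on a real photo's bytes, and a real camera writes many more tags than the subset named here.

```python
import struct

# Tag names for the IFDs decoded here (a small subset of the Exif specification)
IFD0_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8769: "ExifIFD",
              0x8825: "GPSIFD", 0x9003: "DateTimeOriginal", 0x8827: "ISOSpeedRatings",
              0x829D: "FNumber"}
GPS_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
             0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED

def _pack(typ, values):
    """Little-endian encoding of one entry's values, used to build the sample."""
    if typ == 2:
        return values                                   # NUL-terminated ASCII bytes
    fmt = {3: "<H", 4: "<L", 5: "<LL"}[typ]
    return b"".join(struct.pack(fmt, *(v if typ == 5 else (v,))) for v in values)

def _ifd_size(entries):
    payloads = [_pack(t, v) for _, t, v in entries]
    return 2 + 12 * len(entries) + 4 + sum(len(p) for p in payloads if len(p) > 4)

def build_ifd(entries, offset):
    """Serialize one IFD at `offset` (relative to the TIFF header). Values longer
    than 4 bytes are stored after the entry table and referenced by offset."""
    entries = sorted(entries, key=lambda e: e[0])
    table, data = struct.pack("<H", len(entries)), b""
    data_start = offset + 2 + 12 * len(entries) + 4
    for tag, typ, values in entries:
        payload = _pack(typ, values)
        if len(payload) <= 4:
            field = payload.ljust(4, b"\0")
        else:
            field = struct.pack("<L", data_start + len(data))
            data += payload
        table += struct.pack("<HHL", tag, typ, len(values)) + field
    return table + struct.pack("<L", 0) + data       # trailing 0: no next IFD

def build_sample_jpeg() -> bytes:
    """Constructed JPEG skeleton (SOI, APP1/Exif, EOI) with no picture data;
    camera, time and GPS values are made up."""
    exif = [(0x9003, 2, b"2023:09:14 17:40:12\0"), (0x8827, 3, [400]), (0x829D, 5, [(28, 10)])]
    gps = [(0x0001, 2, b"N\0"), (0x0002, 5, [(23, 1), (1, 1), (3012, 100)]),
           (0x0003, 2, b"E\0"), (0x0004, 5, [(72, 1), (34, 1), (1500, 100)])]
    ifd0 = [(0x010F, 2, b"ExampleCam\0"), (0x0110, 2, b"X-100\0"),
            (0x0132, 2, b"2023:09:14 17:40:12\0")]
    exif_off = 8 + _ifd_size(ifd0) + 2 * 12      # IFD0 also gets the two pointer entries below
    gps_off = exif_off + _ifd_size(exif)
    ifd0 += [(0x8769, 4, [exif_off]), (0x8825, 4, [gps_off])]
    tiff = (b"II*\0" + struct.pack("<L", 8) + build_ifd(ifd0, 8)
            + build_ifd(exif, exif_off) + build_ifd(gps, gps_off))
    app1 = b"Exif\0\0" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"

def find_exif_segment(jpeg: bytes) -> bytes:
    """Walk the JPEG marker chain and return the TIFF blob inside APP1/Exif."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                   # EOI or start of scan: headers are over
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + seglen]
        pos += 2 + seglen
    raise ValueError("no Exif APP1 segment")

def parse_ifd(tiff: bytes, offset: int, endian: str, names: dict) -> dict:
    out = {}
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHL", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        # values of at most 4 bytes sit inside the entry, larger ones are pointed to
        voff = e + 8 if size <= 4 else struct.unpack(endian + "L", tiff[e + 8:e + 12])[0]
        raw = tiff[voff:voff + size]
        if typ == 2:
            value = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ in (3, 4):
            nums = struct.unpack(endian + ("H" if typ == 3 else "L") * n, raw)
            value = nums[0] if n == 1 else list(nums)
        elif typ == 5:
            nums = struct.unpack(endian + "LL" * n, raw)
            value = [(nums[2 * k], nums[2 * k + 1]) for k in range(n)]
        else:
            value = raw
        out[names.get(tag, f"Tag{tag:04X}")] = value
    return out

def parse_exif(jpeg: bytes) -> dict:
    tiff = find_exif_segment(jpeg)
    endian = "<" if tiff[:2] == b"II" else ">"     # 'II' Intel/little, 'MM' Motorola/big endian
    meta = parse_ifd(tiff, struct.unpack(endian + "L", tiff[4:8])[0], endian, IFD0_NAMES)
    if "ExifIFD" in meta:
        meta["Exif"] = parse_ifd(tiff, meta.pop("ExifIFD"), endian, IFD0_NAMES)
    if "GPSIFD" in meta:
        meta["GPS"] = parse_ifd(tiff, meta.pop("GPSIFD"), endian, GPS_NAMES)
    return meta

def gps_to_decimal(dms, ref: str) -> float:
    """Degrees/minutes/seconds rationals to signed decimal degrees."""
    deg = sum((n / d) / 60 ** i for i, (n, d) in enumerate(dms))
    return -deg if ref in ("S", "W") else deg

if __name__ == "__main__":
    meta = parse_exif(build_sample_jpeg())
    print(meta)
    print("latitude:", gps_to_decimal(meta["GPS"]["GPSLatitude"], meta["GPS"]["GPSLatitudeRef"]))
```

The point for the examiner is that every value above lives in plain, documented structures inside the file; a viewer such as ExifTool or Photoshop's File Info is only a friendlier front end to the same tables, and a file whose Exif block has been stripped or rewritten simply parses to fewer (or different) tags.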
References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-7

AIM: Study of browser forensics - Collect data of history, cache etc. and
prepare report.

o The most widely used applications by the majority of computer users are Web browsers.
A Web browser is an application program for accessing the Internet. Users perform
many activities such as browsing the Internet, downloading files, using social media
applications and accessing e-mail accounts via a web browser. If a user uses the Internet
illegally as a source of information, the evidence related to the browser use would be saved in the
log file of the Web browser. The Web browser's log file can help to collect information about the
criminal. After considering existing research and tools, this paper suggests a new evidence
collection and analysis methodology and tool for the forensic process.

o Google Chrome is one of the most popular of all the browsers available. It runs on
all platforms and has been developed by Google. A few salient features offered by Chrome:

1) Can be integrated with all Google services

2) Password synchronization between various devices

3) Plugins and extensions availability

4) Incognito mode support

Google chrome artifacts

o An artifact is a remnant or trace left behind on the computer which helps to identify the
source of malicious traffic and attacks conducted on the system. A few examples include
cache data, history, downloads etc.

o Chrome stores these artifacts inside specific folders in the operating system. The file location
for every browser is different but the file format remains the same. Following are the
common artifacts stored by Chrome –
1) Navigation History – This reveals navigation history of the user. It can be used to
track whether a user has visited any malicious URL or not.

2) Autocomplete Data – This reveals data that has been used on various forms and search
terms etc. It is used with Navigation History for more insight.

3) Bookmarks
4) Add-ons, Extensions and Plugins

5) Cache – Contains cache data from various websites like Images, JavaScript Files etc.
6) Logins

7) Form Data

8) Favicons

9) Session Data

10) Thumbnails

11) Favorites

12) Sensitive data

Collecting data from history:

See your history

1. On your computer, open Chrome.

2. At the top right, click More.

3. Click History, then History.


Browser cache:

Your web browser stores complete or partial copies of the pages you recently viewed together
with the media (images, audio, and video) in a file on your computer called the cache. The cached
files are temporary files that help the internet pages load quicker. That’s why when you clear your
browser cache, you’ll often see that the sites load slower than usual.

How To View Cached Pages And Files

In order to see cached pages and files, you first need to locate them. You can’t always see them
since the folder where they’re stored may be hidden.

Inside the Cache folder you’ll find files with various extensions and random file names. The
difficulty here is that you won’t know exactly what you’re looking at. Most of the names are
random and there’s no way to tell the format of the file or where it came from.

You can either click on every file to open it or decode the cached files using special software or a
browser extension. One of the best options is to use one of the web browser tools by Nirsoft. For
Google Chrome it’s the ChromeCacheView.
After you download the cache viewer, double-click to open the main window. You’ll find the complete
list of files stored in the cache of your browser.
How To View Cookies In Your Browser

Since cookies are responsible for exposing your private details to the web, in most browsers you
can find them in the Privacy section of the Settings.
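Added example (not from the manual and not Nirsoft's code): Chrome keeps its navigation history and download list in a SQLite database file named History inside the profile folder (on Windows under %LOCALAPPDATA%\Google\Chrome\User Data\Default), so the report this practical asks for can be produced with a few SQL queries. The script below builds a constructed copy of the relevant tables (a subset of Chrome's real columns, with made-up rows), converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to readable UTC times, and writes the history and download reports as CSV. open_history_copy() shows how a real History file should be handled: copied first, because Chrome holds a lock on it, and opened read-only so the evidence is never written to.

```python
import csv
import io
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 UTC (the Windows
# FILETIME epoch), not as Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(ts: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


# Subset of the columns Chrome's History database actually has; enough for the
# report below. The rows inserted by build_sample_history() are constructed.
SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                   typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                     from_visit INTEGER, transition INTEGER);
CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                        received_bytes INTEGER, total_bytes INTEGER, tab_url TEXT);
"""


def build_sample_history() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t0 = datetime_to_webkit(datetime(2023, 9, 14, 17, 40, 0, tzinfo=timezone.utc))
    minute = 60_000_000
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 1, 1, t0, 0),
        (2, "https://example.com/login", "Login", 1, 0, t0 + minute, 0),
        (3, "https://files.example.net/report.xlsx", "", 1, 0, t0 + 2 * minute, 0),
    ])
    # transition & 0xFF is the core type: 1 = address typed by the user, 0 = link clicked
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 1), (2, 2, t0 + minute, 1, 0), (3, 3, t0 + 2 * minute, 2, 0),
    ])
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?)", [
        (1, r"C:\Users\user\Downloads\report.xlsx", t0 + 2 * minute + 1_000_000,
         20480, 20480, "https://example.com/login"),
    ])
    conn.commit()
    return conn


def open_history_copy(history_path: str) -> sqlite3.Connection:
    """Chrome keeps History locked while running, so work on a copy and open it
    read-only; the original evidence file is never written to."""
    fd, copy = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    shutil.copy2(history_path, copy)
    return sqlite3.connect(f"file:{copy}?mode=ro", uri=True)


def history_report(conn) -> list:
    rows = conn.execute("""SELECT v.id, v.visit_time, u.url, u.title, v.transition, v.from_visit
                           FROM visits v JOIN urls u ON u.id = v.url
                           ORDER BY v.visit_time""")
    return [{"visit_id": vid, "time_utc": webkit_to_datetime(t).isoformat(), "url": url,
             "title": title, "typed": (tr & 0xFF) == 1, "from_visit": fv}
            for vid, t, url, title, tr, fv in rows]


def downloads_report(conn) -> list:
    rows = conn.execute("SELECT target_path, start_time, received_bytes, total_bytes, tab_url "
                        "FROM downloads ORDER BY start_time")
    return [{"path": p, "time_utc": webkit_to_datetime(t).isoformat(), "complete": rb == tb,
             "source_tab": tab} for p, t, rb, tb, tab in rows]


def to_csv(rows: list) -> str:
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    conn = build_sample_history()
    print(to_csv(history_report(conn)))
    print(to_csv(downloads_report(conn)))
```

The from_visit column links each visit to the one it came from, which is what lets the report show the chain typed address -> clicked link -> download rather than three unrelated rows; a timestamp that is off by exactly 369 years in a report is the usual sign that someone treated the WebKit value as Unix time.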

References used by the students:

https://www.nirsoft.net/utils/chrome_cache_view.html

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical - 8
Aim: Using Sysinternals tools for Network Tracking and Process
Monitoring
- Check Sysinternals tools
- Monitor Live Processes
- Capture RAM
- Capture TCP/UDP packets
- Monitor Hard Disk
- Monitor Virtual Memory
- Monitor Cache Memory
● Check Sysinternals tools: Windows Sysinternals tools are utilities to manage, diagnose,
troubleshoot, and monitor a Microsoft Windows environment.
The following are the categories of Sysinternals Tools:

1. File and Disk Utilities

2. Networking Utilities

3. Process Utilities

4. Security Utilities

5. System Information Utilities

6. Miscellaneous Utilities

● Monitor Live Processes (Tool: ProcMon)

To Do:

1. Filter (Process Name or PID or Architecture, etc)

2. Process Tree

3. Process Activity Summary

4. Count Occurrences

Output:
● Capture RAM (Tool: RAMCapture)
To Do:
1. Click Capture.
2. Creates a .mem file of the system memory (RAM) utilized.
Output:
● Capture TCP/UDP packets (Tool: TcpView)
To Do:
1. Save to .txt file.
4. Whois

Output:

● Monitor Hard Disk (Tool: DiskMon)

To Do:
1. Save to .log file.
2. Check operations performed on the disk as per time and sectors affected.
Output:
● Monitor Virtual Memory (Tool: VMMap)
To Do:
1. Options – Show Free & Unusable Regions
2. File -> Select Process, e.g. chrome.exe
3. Save to .mmp file.
Output:
● Monitor Cache Memory (Tool: RAMMap)
To Do:
1. Save to .RMP file.
Output:
References used by the student
https://learn.microsoft.com/en-us/sysinternals/

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical – 9
AIM: Recovering and Inspecting deleted files

- Check for Deleted Files


- Recover the Deleted Files
- Analyzing and inspecting the recovered files
Step 1: Start Autopsy from the Desktop.

Step 2: Now click on New Case.

Step 3: Enter the new case information and click on the Next button.

Step 4: Enter the additional information and click on Finish.

Step 5: Now select Source Type as Local Disk, select the local disk from the drop-down list and click on Next.
Step 6: Click on the Next button.

Step 7: Now click on Finish.

Step 8: Now Autopsy window will appear and i

Step 9: All files will appear in the table tab; select any file to see its data.

Step 10: Expand the tree in the left side panel to view the document files.

Step 11: To recover a file, go to the Views node -> Deleted Files node, select any file there,
right-click on it and then select the Extract Files option.

Step 12: By default, the Export folder is chosen to save the recovered file.
Step 13: Now click on Save.
Step 14: Now go to the Export folder to view the recovered file.
Step 15: Click on Generate Report in the Autopsy window, select the desired format and click on Next.
Step 16: The report is now generated, so click on the Close button. We can see the report under the Reports node.

Step 17: Now open the Report folder and open the Excel file.
References used by the students:

None

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical - 10
Aim: Acquisition of Cell phones and Mobile devices.
References used by the students:

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-11
Aim: Study any one digital forensic collection and analysis tool used in

analysis of digital evidence

Forensic Evidence Extractor (COFEE)

● Introduction:
Computer Online Forensic Evidence Extractor (COFEE) is a forensic tool developed by Microsoft designed to assist law enforcement and forensic investigators in gathering digital evidence from computers. It is particularly useful for obtaining critical information from live systems during investigations.
● Purpose

COFEE aims to:

▪ Extract digital evidence quickly and efficiently from suspect computers.
▪ Preserve data integrity while performing forensic analysis.
▪ Facilitate the investigation process for law enforcement agencies.
● Key Features
▪ Live Evidence Collection: Extracts data from running systems without requiring a reboot.
▪ Automated Scripts: Comes with predefined scripts for common forensic tasks such as collecting file metadata, browsing history, and installed software lists.
▪ Data Integrity Verification: Uses hashing algorithms to ensure the integrity of extracted data.
▪ User-Friendly Interface: Simplifies the process for investigators, allowing for easy navigation and execution of forensic tasks.
▪ Customizable: Allows users to create custom scripts to tailor the evidence extraction process according to specific investigation needs.
● Functionality
COFEE operates through a series of modules that perform various tasks, including:
▪ File and Directory Enumeration: Collects information about files and directories present on the system.
▪ Registry Analysis: Extracts information from the Windows registry, including user settings and system configurations.
▪ Network Information: Gathers network-related data such as active connections, IP addresses, and routing information.
▪ Browser History: Retrieves browsing history and cached files from popular web browsers.
● Installation
Requirements
▪ Windows operating system (COFEE is compatible with various versions).
▪ USB drive for portability (optional but recommended).
Installation Steps

1. Download COFEE: Obtain the COFEE toolkit from the official Microsoft website or authorized sources.

2. Extract Files: Unzip the downloaded file to a designated folder on your computer or USB drive.

3. Run the Application: Double-click the COFEE.exe file to launch the tool.
● Usage
Collecting Evidence

1. Connect COFEE: Connect the COFEE toolkit to the suspect computer via USB.

2. Select Modules: Choose the required modules from the COFEE interface based on the evidence needed.

3. Run the Scripts: Execute the predefined or custom scripts to start the extraction process.

4. Review Collected Data: Monitor the output to ensure all necessary data is captured.

● Post-Collection Steps:
▪ Analyze Extracted Data: Use forensic analysis tools to examine the collected evidence.
▪ Document Findings: Maintain detailed documentation of the collection process, including any scripts used and data obtained.
● Best Practices
▪ Conduct Evidence Collection in a Controlled Environment: Avoid any actions that may alter the evidence.
▪ Maintain Chain of Custody: Document all interactions with the evidence to ensure its integrity.
▪ Regularly Update COFEE: Keep the toolkit updated to ensure compatibility with new technologies and systems.
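Added example (not part of the manual and not COFEE's own code): the two practices above, data integrity verification by hashing and a documented chain of custody, come down to hashing every collected file into a manifest at collection time and re-hashing later to prove nothing changed. The Python script below does exactly that with SHA-256 and flags modified, missing and newly added files; the evidence folder and its files are constructed in a temporary directory for the demonstration, and the examiner name is made up.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _relative_paths(evidence_dir: str) -> list:
    paths = []
    for root, _, files in os.walk(evidence_dir):
        for name in files:
            full = os.path.join(root, name)
            paths.append(os.path.relpath(full, evidence_dir).replace(os.sep, "/"))
    return sorted(paths)


def create_manifest(evidence_dir: str, examiner: str) -> dict:
    """Record path, size and SHA-256 of every collected file, plus a digest of
    the list itself, at collection time."""
    files = [{"path": p, "size": os.path.getsize(os.path.join(evidence_dir, p)),
              "sha256": sha256_file(os.path.join(evidence_dir, p))}
             for p in _relative_paths(evidence_dir)]
    listing = json.dumps(files, sort_keys=True).encode()
    return {"examiner": examiner, "created_utc": datetime.now(timezone.utc).isoformat(),
            "files": files, "manifest_sha256": hashlib.sha256(listing).hexdigest()}


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Re-hash the evidence and report (path, status) with status one of
    'ok', 'modified', 'missing' or 'unexpected' (a file absent from the manifest)."""
    expected = {e["path"]: e["sha256"] for e in manifest["files"]}
    listing = json.dumps(manifest["files"], sort_keys=True).encode()
    if hashlib.sha256(listing).hexdigest() != manifest["manifest_sha256"]:
        raise ValueError("manifest file list does not match its recorded digest")
    results = []
    for path, digest in expected.items():
        full = os.path.join(evidence_dir, path)
        if not os.path.isfile(full):
            results.append((path, "missing"))
        elif sha256_file(full) != digest:
            results.append((path, "modified"))
        else:
            results.append((path, "ok"))
    results += [(p, "unexpected") for p in _relative_paths(evidence_dir) if p not in expected]
    return results


def demo():
    """Constructed scenario: collect two files, then alter the folder the way an
    unprotected evidence set might be altered, and verify again."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "logs"))
        with open(os.path.join(d, "logs", "security.log"), "w") as f:
            f.write("constructed log line\n")
        with open(os.path.join(d, "memory.raw"), "wb") as f:
            f.write(b"\x00" * 1024)
        manifest = create_manifest(d, "examiner-01")
        before = verify_manifest(d, manifest)
        with open(os.path.join(d, "memory.raw"), "ab") as f:   # file changed
            f.write(b"\xFF")
        os.remove(os.path.join(d, "logs", "security.log"))     # file removed
        with open(os.path.join(d, "notes.txt"), "w") as f:     # file added afterwards
            f.write("added later")
        after = verify_manifest(d, manifest)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("at collection:", before)
    print("later check:  ", after)
```

The manifest should be stored separately from the evidence (and its own digest noted in the case log), because a manifest that travels with the files it describes can be rewritten together with them.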
● Conclusion:
COFEE serves as an invaluable tool for forensic investigators, providing a means to extract critical digital evidence efficiently. Its ease of use and functionality make it an essential component in modern digital forensic investigations.

References used by the students:

▪ Microsoft Official Documentation for COFEE.
▪ Forensic analysis best practices literature.
▪ Related case studies utilizing COFEE in digital investigations.
Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
Practical-12
Aim: For crime occurred in recent time (example online
fraud).

Prepare a report containing all details.

1. Incident Overview
1.1 Name of the Crime:
Online Fraud - Business Email Compromise (BEC)
1.2 Year of Incident:
2020
1.3 Victim Information
▪ Name: Ubiquiti Networks.
▪ Industry: Technology/Networking.
1.4 Attacker Information
▪ Name: Unknown (identified as a group based in Nigeria)
▪ Method: Compromised email accounts of company executives to initiate fraudulent wire transfers.
2. Digital Devices Available for Forensics
1. Personal Computers/Laptops
▪ Used by executives to access corporate email and initiate financial transactions.
▪ Contained crucial evidence in the form of email logs and document histories.
2. Smartphones
▪ Devices used for mobile access to corporate email and communications.
▪ Possible evidence of phishing messages and suspicious activity.
3. Servers
▪ Email servers that stored logs of communications between the attackers and the victim.
▪ Potentially contained malware or unauthorized access logs.
4. Network Routers
▪ Provided logs of IP addresses and traffic patterns, aiding in tracing the source of the fraudulent emails.
5. External Storage Devices
▪ USB drives or external hard drives may have been used to transfer sensitive data or perform backups.
3. Tools for Investigation

Tool Name | Description
EnCase Forensic | A leading forensic tool for data recovery and analysis. It was used to examine the victim's email logs and recover any deleted communications.
FTK Imager | A disk imaging tool that created forensically sound copies of devices used by the executives. This helped in analyzing file structures and email histories.
Wireshark | Captured and analyzed network traffic, identifying unauthorized communications between the victim and the attackers.
Malwarebytes | Scanned the devices for any malicious software that may have been used to compromise email accounts.
Autopsy | A digital forensics platform used to analyze the hard drives of compromised computers, retrieving evidence of unauthorized access.
Google Workspace Admin Console | An administrative tool that provided logs and insights into user activity within the company's email system, allowing investigators to track the timeline of the attacks.
Social Engineering Analysis | Tools and techniques to analyze phishing techniques used to gain access to executive emails, providing context to the attack.

4. Case Resolution
4.1 Discovery of Fraud
In March 2020, Ubiquiti Networks reported the loss of approximately $46.7 million
due to wire transfers that were authorized based on fraudulent communications. An
investigation revealed that attackers had used phishing tactics to compromise the
email accounts of company executives.
4.2 Investigation Steps
1. Email Log Analysis: Investigators used Google Workspace Admin
Console to review email logs, revealing the timeline of the
phishing emails and unauthorized wire transfers.
2. Network Traffic Monitoring: Wireshark was utilized to analyze
network traffic, confirming that communications originated
from suspicious IP addresses linked to known cybercriminal
activities.
3. Device Forensics: Using EnCase Forensic and Autopsy,
investigators recovered deleted emails and documents,
providing insights into the attackers' tactics.
4. Linking to Attackers: The investigation identified the attackers as a
group operating out of Nigeria, with ties to other BEC scams
targeting various organizations.
4.3 Outcome
▪ The investigation was referred to federal law enforcement agencies, leading to ongoing international cooperation to apprehend the individuals involved. Ubiquiti Networks implemented stronger cybersecurity measures, including multi-factor authentication and employee training on recognizing phishing attempts.
5. Recommendations
▪ Strengthen Email Security: Organizations should implement advanced email filtering and monitoring systems to detect phishing attempts.
▪ Conduct Employee Training: Regular training sessions should educate employees on identifying suspicious communications and reporting them.
▪ Enhance Incident Response Protocols: Develop and maintain an incident response plan to quickly address and mitigate potential cyber threats.

References used by the students:


https://www.salvationdata.com/work-tips/write-a-forensic-report/

Rubric wise marks obtained:

RUBRICS 1 2 3 4 5 TOTAL

MARKS
