DIGITAL FORENSICS
DIGITAL ASSIGNMENT 1
Name: Arya Dubey
Registration Number: 20BCE0908
Faculty: Dr. Deepika J
Course Name & code : Digital Forensics & CSE4004
1. Study exercise on various Forensic tools (Min. 15) with Tool Name, Purpose,
Supportive OS, Category, Type, Logo and Source for documentation, downloads, etc.
1. Ghiro
Tool Name: Ghiro
Purpose: Open-source digital image forensics tool for analyzing images and their
metadata. The forensic analysis is fully automated, and report data can be searched or
aggregated from different perspectives. Ghiro is designed to assist an analyst and their
team in processing a massive number of images, so it can become an essential tool in a
forensic lab. It makes use of various techniques such as error level analysis, GPS
localisation, hash digest generation, and perceptual hashing.
Supportive OS: Windows, macOS, Linux
Category: Image Forensics
Type: Open Source
Logo:
Source: https://github.com/ghirensics/
2. Autopsy
Tool Name: Autopsy
Purpose: Autopsy® is a digital forensics platform and graphical interface to The
Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military,
and corporate examiners to investigate what happened on a computer. You can even
use it to recover photos from your camera's memory card. Autopsy analyzes major file
systems (NTFS, FAT, ExFAT, HFS+, Ext2/Ext3/Ext4, YAFFS2) by hashing all files,
unpacking standard archives (ZIP, JAR etc.), extracting any EXIF values and putting
keywords in an index. Some file types like standard email formats or contact files are
also parsed and cataloged.
Supportive OS: Windows, macOS, Linux
Category: Disk Forensics
Type: Open Source
Logo:
Source: https://www.sleuthkit.org/autopsy/
3. RegRipper
Tool Name: RegRipper
Purpose: Windows Registry data extraction and analysis tool for forensic
examination. RegRipper's CLI tool can be used to surgically extract, translate, and
display information (both data and metadata) from Registry-formatted files via
plugins in the form of Perl scripts. It allows the analyst to select a hive file to parse
and a plugin or a profile, which is a list of plugins to run against the given hive. The
results go to STDOUT and can be redirected to a file that the analyst designates.
Supportive OS: Windows
Category: Registry Analysis
Type: Open Source
Logo:
Source: https://www.regripper.net/
4. The Sleuth Kit (TSK)
Tool Name: The Sleuth Kit (TSK)
Purpose: The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-
based utilities for extracting data from disk drives and other storage so as to facilitate
the forensic analysis of computer systems.
Supportive OS: Windows, macOS, Linux
Category: Disk Forensics
Type: Open Source
Logo:
Source: https://www.sleuthkit.org/
5. EnCase
Tool Name: EnCase
Purpose: EnCase is traditionally used in forensics to recover evidence from seized
hard drives. It allows the investigator to conduct in-depth analysis of user files to
collect evidence such as documents, pictures, internet history and Windows Registry
information.
Supportive OS: Windows
Category: Disk Forensics
Type: Commercial
Logo:
Source: https://www.guidancesoftware.com/encase-forensic
6. Forensic Toolkit (FTK)
Tool Name: Forensic Toolkit (FTK)
Purpose: Digital investigation software for analyzing and recovering digital evidence.
It scans a hard drive looking for various information. It can, for example, potentially
locate deleted emails and scan a disk for text strings to use them as a password
dictionary to crack encryption.
Supportive OS: Windows
Category: Disk Forensics
Type: Commercial
Logo:
Source: https://accessdata.com/products-services/forensic-toolkit-ftk
7. Volatility
Tool Name: Volatility
Purpose: Memory forensics framework for analysing volatile memory (RAM)
captures. Volatility can be used during an investigation to link artifacts from the
device, network, file system, and registry to ascertain the list of all running processes,
active and closed network connections, running Windows command prompts,
screenshots, and clipboard contents that ran within the timeframe of the incident.
Supportive OS: Windows, Linux
Category: Memory Forensics
Type: Open Source
Logo:
Source: https://www.volatilityfoundation.org/
8. Wireshark
Tool Name: Wireshark
Purpose: Network protocol analyser for examining data from a live network or
capture files. It is used for education, analysis, software development,
communication protocol development and also for troubleshooting networks that
have performance issues. Cybersecurity professionals often use Wireshark to trace
connections, view the contents of suspect network transactions and identify bursts of
network traffic.
Supportive OS: Windows, macOS, Linux
Category: Network Forensics
Type: Open Source
Logo:
Source: https://www.wireshark.org/
9. OSForensics
Tool Name: OSForensics
Purpose: Digital investigation tool to search for and analyze evidence across various
devices. OSForensics allows you to use Hash Sets to quickly identify known safe files
(such as operating system and program files) or known suspected files (such as
viruses, trojans, hacker scripts) to reduce the need for further time-consuming
analysis.
Supportive OS: Windows
Category: General Forensics
Type: Commercial
Logo:
Source: https://www.osforensics.com/
10. Cellebrite UFED
Tool Name: Cellebrite UFED (Universal Forensic Extraction Device)
Purpose: Mobile forensics tool for data extraction and analysis from mobile devices.
Cellebrite is the leader in digital intelligence and investigative analytics, partnering
with public and private organizations to transform how they collect, review, analyze
and manage data in investigations to protect and save lives, accelerate justice, and
ensure data security.
Supportive OS: Windows
Category: Mobile Device Forensics
Type: Commercial
Logo:
Source: https://www.cellebrite.com/en/home/
11. X-Ways Forensics
Tool Name: X-Ways Forensics
Purpose: Advanced computer forensics software for data recovery and analysis.
X-Ways Forensics produces exact sector-wise copies of most media types, either to
other disks (clones, mirrors) or to image files, using physical or logical disk access.
This is very important for forensic examiners because it allows them to work on a
forensically sound duplicate.
Supportive OS: Windows
Category: Disk Forensics
Type: Commercial
Logo:
Source: https://www.x-ways.net/forensics/
12. Digital Forensics Framework (DFF)
Tool Name: Digital Forensics Framework (DFF)
Purpose: Open-source digital forensics framework for various forensic analysis tasks.
It is used by professionals and non-experts to collect, preserve and reveal digital
evidence without compromising systems and data.
Supportive OS: Windows, macOS, Linux
Category: General Forensics
Type: Open Source
Logo:
Source: https://dff.readthedocs.io/en/latest/
13. PALADIN Toolbox
Tool Name: PALADIN Toolbox
Purpose: Linux distribution designed for digital forensics and incident response
tasks.
PALADIN is a complete solution for triage, imaging, examination and reporting,
containing a collection of over a hundred open source forensic applications found
within its Forensic Tools directory. It has combined and simplified multiple forensic
tasks into one easy-to-use GUI (graphical user interface) that requires minimal
training and does not require users to use the command line.
Supportive OS: Linux
Category: Live Forensics
Type: Open Source
Logo:
Source: https://www.sumuri.com/software/paladin/
14. CAINE (Computer Aided INvestigative Environment)
Tool Name: CAINE (Computer Aided INvestigative Environment)
Purpose: Linux distribution focused on digital forensics, providing a complete set of
tools for investigation. CAINE provides software tools that support database,
memory, forensic and network analysis. File system image analysis of NTFS,
FAT/ExFAT, Ext2, Ext3, HFS and ISO 9660 is possible via command line and
through the graphic desktop. Examination of Linux, Microsoft Windows and some
Unix platforms is built-in.
Supportive OS: Linux
Category: General Forensics
Type: Open Source
Logo:
Source: https://www.caine-live.net/
15. Magnet RAM Capture
Tool Name: Magnet RAM Capture
Purpose: A memory acquisition tool that captures the live memory of a computer for
subsequent analysis in digital forensics investigations. Magnet RAM Capture allows
investigators to create memory images of live systems, which can then be analyzed to
gather insights into running processes, network connections, open files, and other
critical system information. This tool is particularly useful for volatile evidence
collection during incident response and digital investigations.
Supportive OS: Windows
Category: Memory Forensics
Type: Commercial
Logo:
Source: https://www.magnetforensics.com/magnet-ram-capture/
2. Computer Forensics Lab
Viewing Files of Various Formats Using the File Viewer Tool
File Viewer
You can view over 150 different file types with File Viewer Lite. Simply drag and drop
a file onto File Viewer Lite to display the native view of the file.
Play Multimedia Files
File Viewer Lite supports a large number of audio and video formats. If you have a
song or movie file that Windows Media Player does not recognize, chances are you can
open it with File Viewer Lite.
View File Information
Use the Info panel to view information about each file, such as the file type, file size,
and location. The Info panel also displays hidden metadata stored in the file. You can
export the file information to a text file by selecting File -> Export File Info.
Copy File Data
You can copy text and image data from files opened with File Viewer Lite. The data is
stored in the Windows clipboard so you can paste it into another application.
Four Different Types of Views
File Viewer Lite allows you to view file contents in Native View, Text View, Hex View,
and Icon View
1. Native View
Native view displays the standard view for supported file formats.
2. Text View
Text view displays the textual data of both text and binary files.
3. Hex View
Hex view displays the hexadecimal representation of the file contents.
4. Icon View
Icon view displays multiple sizes of the document icon.
Creating a Disk Image File of a Hard Disk Partition using R-Drive
Install R-Drive Image: Download and install R-Drive Image from the official website.
Launch R-Drive Image: Open the R-Drive Image application.
Choose Destination:
Select where you want to save the disk image. This could be an external hard drive,
network location, or another storage device.
Configure Image Options:
Set the image file name and specify additional options such as compression level and
splitting the image into smaller files if needed.
Verify Options:
Review the selected source, destination, and image options to make sure everything
is configured correctly.
Click the "Start" or "Create Image" button to initiate the imaging process.
Monitor Progress: R-Drive Image will display a progress bar indicating the status of
the imaging process. You can monitor the progress in real time.
Complete the Imaging Process: Once the imaging process is complete, you'll receive a
notification indicating success.
3. Computer Forensics Investigation Process
Recovering Data Using the EaseUS Tool, Recover My Files Tool, Recuva,
Tenorshare
RECUVA
Recuva accommodates both newcomers and experienced professionals, facilitating
an efficient recovery process. One of its key features is the ability to selectively
recover files, allowing users to specify the types of files they intend to retrieve.
Alternatively, users can opt for a comprehensive recovery of all file types. Recuva
offers two scanning modes: Quick Scan and Deep Scan. The Quick Scan option
swiftly identifies recently deleted files, while the Deep Scan mode meticulously
searches for more intricate and potentially fragmented files. Recuva addresses data
security with its "Secure Overwrite" feature, which enables the permanent deletion of
sensitive files by overwriting them with random data. Moreover, the software offers a
preview function, enabling users to view images and text files before initiating the
recovery process, enhancing accuracy and reducing unnecessary recovery
attempts. Efficient file management is another highlight of Recuva. The software
includes filtering and sorting options that allow users to sift through search results
based on various parameters, such as file name, size, modification date, or file path.
This assists in streamlining the selection of desired files for recovery.
2. Perform recovery of deleted files in a specific drive
File recovered: tile.png
Before Recovery:
File deleted from C drive:
File deleted from recycle bin:
File is not there in D Drive:
After recovery:
VirusTotal: tool to Identify any one malicious link / URL Link1:
Performing Hash, Checksum, or HMAC Calculations
Using the HashCalc Tool
Generating MD5 Hashes Using MD5 Calculator
BEFORE:
Hash obtained:
AFTER:
HASH OBTAINED:
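The before/after hash comparison in this section, together with the hex view described under File Viewer, as an added example that is not part of the assignment and does not use HashCalc or File Viewer itself: the sample bytes are a constructed PNG file header standing in for the recovered tile.png, and the HMAC key is a placeholder.

```python
import hashlib
import hmac

# Constructed sample: PNG signature followed by the IHDR chunk length and type.
# It stands in for the recovered tile.png; it is not data from the lab.
SAMPLE_FILE = bytes.fromhex("89504e470d0a1a0a0000000d49484452")
# Placeholder key for the HMAC; a real one would be kept by the examiner.
HMAC_KEY = b"examiner-placeholder-key"


def hex_view(data: bytes, width: int = 16) -> list[str]:
    """Render bytes the way a hex viewer does: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3}} |{ascii_part}|")
    return lines


def digests(data: bytes) -> dict[str, str]:
    """MD5 and SHA-256 of the contents, as reported by HashCalc / MD5 Calculator."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def keyed_hmac(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the contents; only a holder of the key can recompute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_integrity(before: dict[str, str], after_data: bytes) -> dict[str, bool]:
    """Compare digests recorded BEFORE recovery with those recomputed AFTER."""
    after = digests(after_data)
    return {name: hmac.compare_digest(before[name], after[name]) for name in before}


if __name__ == "__main__":
    print("\n".join(hex_view(SAMPLE_FILE)))
    before = digests(SAMPLE_FILE)              # recorded before deletion/recovery
    print("BEFORE:", before)
    print("HMAC  :", keyed_hmac(SAMPLE_FILE, HMAC_KEY))
    print("AFTER (intact)  :", verify_integrity(before, SAMPLE_FILE))
    print("AFTER (modified):", verify_integrity(before, SAMPLE_FILE + b"\x00"))
```

A mismatch in any digest after recovery means the recovered file is not the same bytes that were hashed before, so it should not be treated as an exact copy of the original.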