Digital and Mobile Forensics Laboratory - Experiment 1

Uploaded by Arsath Ahamed

CCS343 - Digital and Mobile Forensics

Laboratory Experiments

1. Installation of Sleuth Kit on Linux. List all data blocks. Analyze allocated as well as unallocated blocks of a disk image.

2. Data extraction from call logs using Sleuth Kit.

3. Data extraction from SMS and contacts using Sleuth Kit.

4. Install Mobile Verification Toolkit or MVT and decrypt encrypted iOS backups.

5. Process and parse records from the iOS system.

6. Extract installed applications from Android devices.

7. Extract diagnostic information from Android devices through the adb protocol.

8. Generate a unified chronological timeline of extracted records.

P. Amal Prasad, CSE, UCE BIT Campus


Experiment 1

Installation of Sleuth Kit on Linux. List all data blocks. Analyze allocated as well as unallocated blocks of a disk image.

Procedure & Commands:

Pre-requisites:
1.1 Sleuth Kit
1.2 Disk image file (raw (.dd) format recommended)

We need a disk image file on which to perform the experiment, i.e. we are going to use the disk image to analyse the disk and the contents inside it to gather information about it.

● Use a pendrive (physical disk) to create a disk image, so that we have an image of a physical disk.
● Using the image of a partition of the computer's own disk may result in a logical disk image, which may not help us with the experiment. (Commands like mmls may not produce proper output for us to understand.)
● So, we are going to investigate a pendrive (a physical disk) using its disk image.

Create a disk image:

a) Insert a pendrive. (A pendrive of 4GB/8GB is preferred, as the disk image creation time depends on the size of the pendrive.)

b) Use the command lsblk to list all the disk blocks and to find the block name of the pendrive.

Here, sdb is the block of my pendrive.



c) Now run the command:
$ sudo dd if=/dev/sdb of=diskimage.dd bs=4M
(- Replace /dev/sdb with your pendrive's block name (it could be the same in most cases).
- diskimage.dd is the image file that will be created.)

This will create the disk image for the pendrive. (This may take a while.)
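The script below is an added example and not part of the lab manual: it wraps the dd step above in a function and adds the check an imaging procedure needs before analysis starts, hashing both the source and the image and keeping the hash in a file beside the image. It uses the manual's names /dev/sdb and diskimage.dd; when run without arguments it images a constructed 8 MiB temporary file that stands in for the pendrive, so it can be exercised without hardware. Imaging a real device needs root, as the manual's sudo shows.

```shell
#!/bin/sh
# Added example, not from the lab manual: image a device with dd the way the
# manual does, then show the copy is faithful by hashing source and image and
# keeping the hash beside the image. /dev/sdb and diskimage.dd are the manual's
# names; the 8 MiB temporary file in the demo at the bottom is a CONSTRUCTED
# stand-in for a pendrive.

# Print the SHA-256 of a file (GNU coreutils first, BSD/macOS fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_image SOURCE IMAGE -> exit status 0 when both hash identically
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# image_and_verify SOURCE IMAGE
# Copies SOURCE to IMAGE, writes IMAGE.sha256 for the case record, and
# returns 0 only if the image hashes identically to the source.
image_and_verify() {
    src="$1"; out="$2"
    # conv=noerror,sync keeps copying past an unreadable sector (zero-filling
    # it) instead of aborting, so every later block keeps its original offset.
    # The final partial block is padded to bs, which is why the source must be
    # a whole number of 4M blocks for the two hashes to agree.
    dd if="$src" of="$out" bs=4M conv=noerror,sync || return 1
    printf '%s  %s\n' "$(sha256_of "$out")" "$out" > "$out.sha256"
    verify_image "$src" "$out"
}

# With a real pendrive:   sudo sh this_script.sh /dev/sdb diskimage.dd
# Without arguments, run the demo against a constructed 8 MiB file.
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2" && echo "verified: $(cat "$2.sha256")"
else
    src=$(mktemp); img=$(mktemp)
    dd if=/dev/urandom of="$src" bs=1M count=8 2>/dev/null
    if image_and_verify "$src" "$img"; then
        echo "image matches source: $(cat "$img.sha256")"
    else
        echo "MISMATCH between $src and $img"
    fi
    rm -f "$src" "$img" "$img.sha256"
fi
```

Because conv=sync pads the last partial block, a device whose size is not a multiple of 4 MiB produces an image slightly larger than the device and the hashes will not agree; in that case either choose a block size that divides the device size or hash only the first device-length bytes of the image. The IMAGE.sha256 file is what a later reader compares against to show the image was not altered between imaging and analysis.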

Now, we are ready to proceed with our experiment.

1. Get image information - img_stat

2. List all data blocks (allocated and unallocated) - mmls

Here, Start and End denote the offsets.

For example, the Empty partition starts from offset 64 and ends at 7660227. The next partition starts from 7660228.



3. Analyzing an allocated partition - fsstat and fls
We are going to analyze the partition named "Empty". You can choose any partition.
● File system information of the partition

● Looking into the file system (files and directories inside it)

Here, 64 denotes the start of the partition "Empty".

● Looking into a directory inside the partition.
I am going to look inside the directory named "manjaro". We have to mention the inode of the directory for that, which is 6.

Here, x86_64 is a directory which is present inside the "manjaro" folder.

● Expand all the directories inside the partition.

All the directories, their subdirectories and the files inside the partition are shown.



4. Analyzing an unallocated partition
Perform the same operations for an unallocated partition.

Here, I have used the offset starting point 7668420, which is that of an unallocated partition.

(Refer to the output of the mmls command above.)
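Steps 2 to 4 all hinge on reading the Start column of mmls correctly: mmls reports its offsets in sectors, and that same sector number is what fsstat, fls and blkls take after -o. The script below is an added example, not part of the lab manual: it parses mmls output and emits the command line for each entry, sending allocated partitions to the file-system tools and unallocated ranges to blkls, which dumps raw blocks since no file system lives there. The mmls listing embedded in it is constructed to match the offsets quoted in the manual (Empty partition at 64..7660227, next partition from 7660228, unallocated space from 7668420); diskimage.dd is the manual's image name.

```shell
#!/bin/sh
# Added example, not part of the lab manual: turn an mmls listing into the
# per-entry Sleuth Kit commands for steps 3 (allocated) and 4 (unallocated).

IMAGE="diskimage.dd"   # the manual's image name

# CONSTRUCTED mmls listing that matches the offsets quoted in the manual.
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000063   0000000064   Unallocated
002:  000:000   0000000064   0007660227   0007660164   Empty (0x00)
003:  000:001   0007660228   0007668419   0000008192   EFI System Partition (0xef)
004:  -------   0007668420   0015122431   0007454012   Unallocated
EOF
}

# Reads mmls output on stdin and prints one line per data-bearing entry:
#   <allocated|unallocated> <start_sector> <end_sector> <byte_offset> <command>
# The byte offset (start * sector size) is what you need when cross-checking
# a partition boundary with dd or a hex dump instead of a Sleuth Kit tool.
mmls_to_commands() {
    img="$1"
    awk -v img="$img" '
        BEGIN { sector = 512 }
        /^Units are in/ { sub(/-byte.*/, "", $4); sector = $4 + 0 }
        /^[0-9]+:/ {
            if ($2 == "Meta") next                 # the partition table itself, no data blocks
            start = $3 + 0; last = $4 + 0          # "+ 0" strips the zero padding
            desc = $6; for (i = 7; i <= NF; i++) desc = desc " " $i
            byte_off = start * sector
            if (desc == "Unallocated")
                printf "unallocated %d %d %.0f blkls -o %d %s\n", start, last, byte_off, start, img
            else
                printf "allocated %d %d %.0f fsstat -o %d %s ; fls -r -o %d %s\n", start, last, byte_off, start, img, start, img
        }'
}

if [ "$#" -eq 1 ]; then
    mmls "$1" | mmls_to_commands "$1"        # real image: sh this_script.sh diskimage.dd
else
    sample_mmls | mmls_to_commands "$IMAGE"  # no argument: use the constructed listing
fi
```

The Meta entry is skipped because it describes the partition table rather than blocks holding data, and the two Unallocated ranges (the gap before the first partition and the tail after the last one) are exactly where deleted or hidden content that no file system claims would sit, which is why they get blkls rather than fsstat.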

5. Recover the files in the image file.

This will recover all the files in the disk image to your computer.

Here, test_recover is just the name of the folder in which the recovered files will be stored. You can give any name.

Check for the recovered files using the ls command.

Thus, we have all the files in the disk recovered.

*******
