CF Journal

Uploaded by sameermane7777

INDEX

Sr. No.  Name of Practical  Date  Signature

1. Creating a Forensic Image using FTK Imager/Encase Imager:
   a) Creating Forensic Image
   b) Check Integrity of Data
   c) Analyze Forensic Image
2. Data Acquisition:
   a) Perform data acquisition using:
      i) USB Write Blocker + Encase Imager
      ii) SATA Write Blocker + Encase Imager
      iii) Falcon Imaging Device
3. Forensics Case Study:
   a) Solve the case study (image file) provided in lab using Encase Investigator or Autopsy
4. Capturing and analyzing network packets using Wireshark (Fundamentals):
   a) Identification of the live network
   b) Capture packets
   c) Analyze the captured packets
5. Analyze the packets provided in lab and solve the questions using Wireshark:
   a) What web server software is used by www.snopes.com?
   b) About what cell phone problem is the client concerned?
   c) According to Zillow, what instrument will Ryan learn to play?
   d) How many web servers are running Apache?
   e) What hosts (IP addresses) think that jokes are more entertaining when they are explained?
6. Using Sysinternals tools for Network Tracking and Process Monitoring:
   a) Check Sysinternals tools
   b) Monitor live processes
   c) Capture RAM
   d) Capture TCP/UDP packets
   e) Monitor hard disk
   f) Monitor virtual memory
   g) Monitor cache memory
7. Recovering and Inspecting deleted files:
   a) Check for deleted files
   b) Recover the deleted files
   c) Analyzing and inspecting the recovered files. Perform this using the recovery option in ENCASE and also perform it manually through the command line
8. Acquisition of Cell phones and Mobile devices
9. Email Forensics:
   a) Mail service providers
   b) Email protocols
   c) Recovering emails
   d) Analyzing email header
10. Web Browser Forensics:
   a) Web browser working
   b) Forensics activities on browser
   c) Cache / Cookies analysis
   d) Last Internet activity
PRACTICAL 1

Aim : Creating a Forensic Image using FTK Imager/Encase Imager :

- Creating Forensic Image
- Check Integrity of Data
- Analyze Forensic Image

Creating Forensic Image

1. Click File, and then Create Disk Image, or click the button on the
tool bar.

2. Select the source evidence type you want to make an image of and
click Next.

3. Select the source evidence (for example the physical drive, logical drive or an existing image file) and enter its path.

Click Add to add an image destination.

4. In the Image Destination Folder field, type the location path where
you want to save the image file, or click Browse to find to the
desired location.

Note: If the destination folder you select is on a drive that does not have sufficient free space to store the entire image, FTK Imager prompts for a new destination folder once all available space in the first location has been used. In the Image Filename field, specify a name for the image file but do not specify a file extension; FTK Imager adds the extension for the chosen image format.

5. After adding the image destination path click on finish and start the
image processing.

6. After the image has been created successfully, click Image Summary to view detailed file information, including the MD5 and SHA1 hashes of the acquired data.

Check Integrity of Data: these hashes are the integrity check. If "Verify images after they are created" was ticked in the Create Image dialog, FTK Imager re-reads the finished image and reports the verification hash next to the acquisition hash; the two must match. Record the hashes in the case notes, because any later recomputation of the hash over the image must produce the same values, otherwise the evidence has been altered.
Analyze Forensic Image:
Click Add Evidence Item to add evidence from a physical drive, logical drive, image file or folder.

Select the source evidence type as Image File.

Open the evidence image file created above.

In the Evidence Tree, expand the image to browse its partitions, file systems and files, and analyze their contents in the viewer pane.
PRACTICAL 2

Aim: Data Acquisition:


- Perform data acquisition using:
- USB Write Blocker + FTK Imager

Steps (the acquisition below was performed with ProDiscover Basic, with the source drive connected through the write blocker so that nothing is written back to it):

Step 1: Open ProDiscover Basic and start a new case.

Step 2: The created project appears in the left pane. Select Add > Capture & Add Image.

Step 3: Fill in the details as shown below and click OK.

Step 4: Capturing of the image starts.

Step 5: Open the image created: go to Add > Image in the left pane.

Step 6: Click on any file and type a comment.

Step 7: The cluster view is opened from Cluster View in the left pane.

Step 8: The gallery view can also be opened by right-clicking.

Step 9: Keyword search: click Search in the left pane and enter the file name to be searched for in the captured image.

Step 10: Output of the keyword search.

Step 11: Click View > Report.
PRACTICAL 3

AIM :- Forensics Case Study : Solve the case study (image file) provided in lab using Encase Investigator or Autopsy.

Step 1 : Open Autopsy

Step 2 : Click on new case

Step 3 : Enter the details regarding the case and click on the Next button.

Step 4 : Enter further details and click on the Next button.

Step 5 : Now select the type of data source to add; in our case Disk Image or VM File. Click on Next.

Step 6 : Now select the image file and click on the Next button.

Step 7 : Click Select All so that all ingest modules run on the data source, then click Next.

Step 8 : Now click on Finish.

Step 9 : The Autopsy window appears and Autopsy analyses the disk image that we selected.

Step 10 : All image files appear in the Table tab. Select any file to see its data.

Step 11 : Expand the tree in the left panel to view the document files.

Step 12 : To recover files, go to Views > Deleted Files in the tree, select any file, right-click it and select Extract File(s).

Step 13 : Select the path where you want to save the extracted file and click Save.

Step 14 : Now click on OK.

Step 15 : Now go to C:\autopsy\case_prac00124\Export to see the recovered file.

Step 16 : Click Generate Report in the Autopsy window, select the Excel format and click Next.

Step 17 : A progress window appears.

Step 18 : The report is generated; click Close. The report is listed under the Reports node.

Step 19 : Click on the report to open it.
PRACTICAL 4

AIM : Capturing and analyzing network packets using Wireshark (Fundamentals) :

- Identification of the live network
- Capture Packets
- Analyze the captured packets

Capturing Packets

To capture traffic on your wireless network, select your wireless interface in the interface list.

You can configure advanced features by clicking Capture > Options, but this is not necessary for now.

As soon as you double-click your network interface's name (or select it and press Start), the capture begins and packets are listed in real time. Wireshark captures all packets going in and out of the system on that interface.

Promiscuous mode makes the adapter pass up frames addressed to other hosts on the segment, not only the frames sent or received by your own network adapter. Promiscuous mode is enabled by default. To check that it is enabled, go to Capture > Options and confirm that the checkbox "Enable promiscuous mode on all interfaces" at the bottom of the window is ticked. Note that on a switched network you will still only see broadcast traffic and traffic to or from your own host unless a mirror (SPAN) port or a tap feeds the capture interface, and on Wi-Fi, seeing other stations' frames additionally requires monitor mode.

The red square Stop button at the top left of the window stops the capture.

Color Coding
Different packets are highlighted in different colors. This is Wireshark's way of helping you identify traffic types at a glance. The default colors include:

Light purple for TCP traffic

Light blue for UDP traffic

Black for packets with problems, for example TCP segments that are out of order or retransmitted.

To view the color coding rules click View > Coloring Rules. These rules can be customized and modified to fit your needs.
Analyze the captured Packets:

First, click on a packet to select it. The packet details pane below shows its protocol layers; expand them to view all fields.

Filters can also be created from here: right-click any field in the details pane and choose Apply as Filter > Selected to build a display filter on that field's value.

Display filter commands:

1. Display packets to or from a specific IP address
   ip.addr == 192.0.2.1

2. Display packets coming from a specific source IP address
   ip.src == 192.168.1.3

3. Display packets sent to a specific destination IP address
   ip.dst == 192.168.1.1

4. Display packets that the HTTP dissector recognises
   http

5. Display only HTTP requests
   http.request

6. Display packets using the TCP protocol
   tcp

7. Display HTTP responses with status 200, i.e. requests the server answered successfully
   http.response.code == 200

8. Display packets with port number 80 as source or destination port
   tcp.port == 80 || udp.port == 80

9. Display TCP packets whose payload contains the keyword facebook
   tcp contains "facebook"
PRACTICAL 5

Aim :- Analyze the packets provided in lab and solve the questions using
Wireshark :
- What web server software is used by www.snopes.com?
- About what cell phone problem is the client concerned?
- According to Zillow, what instrument will Ryan learn to play?
- How many web servers are running Apache?

1. What web server software is used by www.snopes.com?

Analysis: The domain name can be found in the HTTP Host header, so we add a Host column in which every requested domain name is visible. Select any HTTP request, expand Hypertext Transfer Protocol, right-click the Host header and choose Apply as Column.

Now we can see our host www.snopes.com in the Host column.

Right-click the selected packet and choose Follow > TCP Stream.

The web server name is in the Server header of the response: Microsoft-IIS/5.0, i.e. Microsoft IIS 5.0.
2. About what cell phone problem is the client concerned?

Analysis: The client is talking about a cell phone, so we search all packets for the keyword "cell". A case-insensitive regular expression does this; apply the display filter
frame matches "(?i)cell"

After applying the filter we check each HTTP request. In the first HTTP request the keyword "cell" appears in the URL, and the page is about a cell phone charging issue.
3. According to Zillow, what instrument will Ryan learn to play?

Analysis: As in the last question, apply a case-insensitive regular expression filter, this time for the keyword Zillow:
frame matches "(?i)zillow"

After applying the filter, we find only one packet with the Zillow keyword.

Select the packet, expand the Hypertext Transfer Protocol tab, right-click it, go to Protocol Preferences and check "Allow subdissector to reassemble TCP streams", so that the full HTTP body is reassembled before it is dissected and exported.

Now go to File > Export Objects > HTTP. This lists all objects (files) transferred over HTTP in the capture.

Click Save All.

Among the saved files we find an .swf (Flash) file with "Zillow" in its name. Opening the Flash file shows that Ryan is going to learn the saxophone.
4. How many web servers are running Apache?

Analysis: The web server software is reported in the HTTP Server response header, so we apply the filter http.response to see all HTTP response packets.

Now add the Server header as a column: select any response packet, expand Hypertext Transfer Protocol, right-click the Server header and choose Apply as Column.

The Server column now shows the server software for every response.

We cannot count the Apache responses by hand, so we narrow the filter to
http.server contains "Apache"

With the filter applied, go to Statistics > Endpoints. This shows all endpoints in the capture.

Tick "Limit to display filter" so that only endpoints involved in the filtered Apache responses are shown. There are 22 endpoints, but we exclude 192.168.1.71 because it is the client's IP address, not a server, which leaves 21 Apache servers. Note that Endpoints counts distinct IP addresses, not distinct servers: several virtual hosts on one address count once, and one site served from several addresses counts several times.
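The display filters of Practical 4 and the Apache count above can be reproduced without Wireshark. The following added example (written for this journal, not from Wireshark or the lab capture) builds a small pcap file in memory from constructed Ethernet/IPv4/TCP frames, parses it back, and implements the equivalents of ip.addr, tcp.port, tcp contains and http.server, ending with the same endpoint count minus the client that the Endpoints window gives. The client address 192.168.1.71 is the one from the exercise; the server addresses and HTTP responses are constructed.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1
CLIENT = "192.168.1.71"


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP + payload. Checksums stay zero: this is a test fixture
    for the parser, not a frame meant for a real network."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, then a 16-byte record
    header (ts_sec, ts_usec, incl_len, orig_len) in front of every frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


def parse_pcap(data):
    """Return {src, dst, sport, dport, payload} for every IPv4/TCP frame in the pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type")
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 6:
            continue                                  # not TCP
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        packets.append({"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
                        "sport": sport, "dport": dport,
                        "payload": frame[tcp_off + data_off: 14 + total_len]})
    return packets


def ip_addr(pkt, address):          # ip.addr == address
    return address in (pkt["src"], pkt["dst"])


def tcp_port(pkt, port):            # tcp.port == port
    return port in (pkt["sport"], pkt["dport"])


def tcp_contains(pkt, needle):      # tcp contains "needle"
    return needle in pkt["payload"]


def http_server(pkt):
    """Value of the Server header if the payload is an HTTP response, else None (http.server)."""
    p = pkt["payload"]
    if not p.startswith(b"HTTP/"):
        return None
    for line in p.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def count_apache_servers(packets, client_ip):
    """Statistics > Endpoints limited to http.server contains "Apache": both ends of every
    matching packet are endpoints, so the client must be removed before counting servers."""
    endpoints = set()
    for pkt in packets:
        srv = http_server(pkt)
        if srv and "Apache" in srv:
            endpoints.update((pkt["src"], pkt["dst"]))
    endpoints.discard(client_ip)
    return len(endpoints)


def http_response(server, body):
    return (b"HTTP/1.1 200 OK\r\nServer: " + server + b"\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)


def sample_capture():
    """Constructed capture: one request and four responses from three servers."""
    return build_pcap([
        build_tcp_packet(CLIENT, "203.0.113.10", 51000, 80, b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
        build_tcp_packet("203.0.113.10", CLIENT, 80, 51000, http_response(b"Apache/2.2.3 (CentOS)", b"<p>facebook</p>")),
        build_tcp_packet("203.0.113.20", CLIENT, 80, 51001, http_response(b"Apache", b"ok")),
        build_tcp_packet("203.0.113.20", CLIENT, 80, 51002, http_response(b"Apache", b"ok again")),
        build_tcp_packet("203.0.113.30", CLIENT, 80, 51003, http_response(b"Microsoft-IIS/5.0", b"iis")),
    ])
```

Running count_apache_servers on the sample with the client address gives 2 (two Apache endpoints after the client is removed); passing a wrong client address gives 3, which is exactly the over-count the exercise avoids by excluding 192.168.1.71.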

CONCLUSION: We have successfully analyzed the packets provided and solved the questions using Wireshark.
PRACTICAL 6

Aim :- Using Sysinternals tools for Network Tracking and Process Monitoring :

- Check Sysinternals tools
- Monitor Live Processes
- Capture RAM
- Capture TCP/UDP packets
- Monitor Hard Disk
- Monitor Virtual Memory
- Monitor Cache Memory

Check Sysinternals tools : Windows Sysinternals tools are utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.
The following are the categories of Sysinternals tools:
1. File and Disk Utilities
2. Networking Utilities
3. Process Utilities
4. Security Utilities
5. System Information Utilities
6. Miscellaneous Utilities

Monitor Live Processes : (Tool: Process Monitor, ProcMon)

To Do:
1. Filter (by Process Name, PID, Architecture, etc.)
2. Process Tree
3. Process Activity Summary
4. Count Occurrences

Output:

Capture RAM (Tool: RAM Capture; note that this is a separate free memory-imaging tool, not part of the Sysinternals suite)

To Do:
1. Click Capture.
2. A .mem file containing the contents of physical memory (RAM) is created. Hash the .mem file immediately and record the hash, as with a disk image.

Output:

Capture TCP/UDP packets (Tool: TcpView) :

TcpView does not capture packets. It lists the live TCP and UDP endpoints (local and remote address, port, connection state and owning process), which is enough to see which process is talking to which remote host.

To Do:
1. Save the endpoint list to a .txt file.
2. Whois on a remote address.

Output:

Monitor Hard Disk (Tool: DiskMon) :
To Do:
1. Save to a .log file.
2. Check the operations performed on the disk by time and the sectors affected.

Output :

Monitor Virtual Memory (Tool: VMMap) :
To Do:
1. Options > Show Free and Unusable Regions
2. File > Select Process, e.g. chrome.exe
3. Save to a .mmp file.

Output :

Monitor Cache Memory (Tool: RAMMap)
RAMMap shows how physical memory is in use, including the standby list that holds cached file pages.

To Do:
1. Save to a .RMP file.

Output:
PRACTICAL 7

AIM : - Recovering and Inspecting deleted files

- Check for Deleted Files
- Recover the Deleted Files
- Analyzing and Inspecting the recovered files

Step 1: Start Autopsy from the Desktop.

Step 2: Click on New Case.

Step 3: Enter the new case information and click on the Next button.

Step 4: Enter the additional information and click on Finish.

Step 5: Select Local Disk as the source type, select the local disk from the drop-down list and click on Next. (Adding a live local disk is acceptable for this exercise; on real evidence the disk is first imaged through a write blocker, as in Practical 2, and the image is added instead.)

Step 6: Click on the Next button.

Step 7: Click on Finish.

Step 8: The Autopsy window appears and Autopsy analyzes the disk that we selected.

Step 9: All files appear in the Table tab; select any file to see its data.

Step 10: Expand the tree in the left panel to view the document files.

Step 11: To recover a file, go to Views > Deleted Files in the tree, select the file, right-click it and select Extract File(s).

Step 12: By default the case Export folder is chosen to save the recovered file.

Step 13: Click on OK.

Step 14: Go to the Export folder to view the recovered file.

Step 15: Click Generate Report in the Autopsy window, select the Excel format and click Next.

Step 16: The report is generated; click Close. The report appears under the Reports node.

Step 17: Open the Reports folder and open the Excel file.
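Autopsy finds deleted files through the leftover directory entries in the file system. When those entries are gone too, the manual alternative mentioned in the index is file carving: scanning the raw bytes for known file headers and footers. The following added example (written for this journal, not from Autopsy or the lab image) carves JPEG and PNG files out of a block of raw bytes. The "unallocated space" it scans is constructed in the code: filler bytes, one complete JPEG, one complete PNG, and a JPEG whose tail has been overwritten, which carving correctly skips.

```python
import struct
import zlib

# (type, header, footer). JPEG starts FF D8 FF and ends FF D9; PNG starts with its
# 8-byte signature and ends with the IEND chunk plus its fixed CRC AE 42 60 82.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan raw bytes for header signatures and cut each file out up to its footer.

    Returns [(type, offset, data)] sorted by offset. Carving ignores the file system, so it
    finds files whose directory entries are gone, but it only recovers contiguous files and
    cannot restore the original file name or timestamps. A header with no footer within
    max_size bytes is treated as a partially overwritten file and skipped."""
    found = []
    for kind, header, footer in signatures:
        start = image.find(header)
        while start != -1:
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end != -1:
                end += len(footer)
                found.append((kind, start, image[start:end]))
                start = image.find(header, end)        # skip headers embedded in this file
            else:
                start = image.find(header, start + 1)  # truncated file: move on
    return sorted(found, key=lambda item: item[1])


def make_png(idat_payload):
    """Minimal structurally valid PNG: signature, IHDR (1x1 grayscale), one IDAT, IEND."""
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", crc)
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat_payload) + chunk(b"IEND", b""))


# Constructed sample files (not real photographs): a tiny JPEG-shaped blob and a PNG.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"
PNG_BYTES = make_png(b"\x78\x9c\x63\x60\x00\x00\x00\x02\x00\x01")


def sample_image():
    """Constructed unallocated space: filler, JPEG, filler, PNG, filler, a JPEG with no footer."""
    truncated = b"\xff\xd8\xff\xe0" + b"\x11" * 30      # tail overwritten, FF D9 is gone
    return (b"\x00" * 512 + JPEG_BYTES + b"\xaa" * 300 + PNG_BYTES
            + b"\x00" * 128 + truncated + b"\x00" * 256)


def carve_to_files(image, outdir):
    """Write each carved file as <outdir>/<offset>.<type>, the usual carver naming scheme."""
    import os
    names = []
    for kind, offset, data in carve(image):
        name = os.path.join(outdir, "%08x.%s" % (offset, kind))
        with open(name, "wb") as f:
            f.write(data)
        names.append(name)
    return names


if __name__ == "__main__":
    for kind, offset, data in carve(sample_image()):
        print(kind, "at offset", offset, "size", len(data))
```

The same approach applies to a real image by reading the .dd file (or the unallocated blocks exported from Autopsy) into memory in slices; for a complete carver the signature table is extended with document and archive formats, and files without a reliable footer (for example ZIP, which needs its central directory parsed) get a per-format size rule instead of a footer search.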
PRACTICAL 8

Aim :- Acquisition of Cell phones and Mobile devices .

PRACTICAL 9

Aim :- Email Forensics

- Mail Service Providers
- Email protocols
- Recovering emails
- Analyzing email header

FTK can filter or find files specific to e-mail clients and servers. You can configure these filters when you enter search parameters.

Because of Jim's responses to a poor performance review, the CEO of Superior Bicycles, Martha Dax, suspects he might have obtained sensitive information about the company's business model that he is leaking to a competitor. Martha asked her CIO to have an IT employee copy the Outlook .pst file from Jim Shu's old computer to a USB drive.

To process this investigation, we need to examine the Jim_shu's.pst file, locate the message, and export it for further analysis of its header to see how Jim might have received it.

Recovering Email
Start AccessData FTK and click Start a new case, then click OK.
Click Next until you reach the Refine Case - Default dialog box.
Click the Email Emphasis button, and then click Next.

Click Next until you reach the Add Evidence to Case dialog box, and then click the Add Evidence button.
In the Add Evidence to Case dialog box, click the Individual File option button, and then click Continue.

In the Select File dialog box, navigate to your work folder, click the Jim_shu's.pst file, and then click Open.

When the Add Evidence to Case dialog box opens, click Next. In the Case Summary dialog box, click Finish.
When FTK finishes processing the file, in the main FTK window, click the E-mail Messages button, and then click the Full Path column header to sort the records.

For email recovery follow these steps:
Click the E-Mail tab. In the tree view, click to expand all folders, and then click the Deleted Items folder.

Select any message, say Message0001, right-click it and select Launch Detached Viewer; the details of the deleted message are shown.

For analyzing the header follow these steps:
Click the E-Mail tab. In the tree view, click to expand all folders, and then click the Inbox folder.
In the File List pane at the upper right, click Message0003; as shown in the pane at the bottom, it is from Sam and is addressed to Jim_shu@comcast.net.

Right-click Message0003 in the File List pane and click Export File. In the Export Files dialog box, click OK.

FTK saves exported files in HTML format with no extension.

Right-click the Message0003 file and click Rename. Type Message0003.html and press Enter.

Double-click Message0003.html to view it in a Web browser. In the header, read the Received lines from the bottom up: the lowest one was added by the first mail server that accepted the message and names the host that submitted it, and each line above it is a later hop. The From line is set freely by the sender and proves nothing on its own.
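The header analysis above is done by eye in the browser. The following added example (written for this journal, not from FTK or the lab .pst) does the same with the Python standard library's email parser: it reads the Received lines in reverse order to reconstruct the delivery path, extracts the IP address of the host that first handed the message to a mail server, and summarises the sender fields. The message it parses is constructed here; the host names and addresses in it are not from Message0003.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample message. Received lines are in header order: newest hop first.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.7])
\tby mail.comcast.invalid with ESMTP id abc123
\tfor <Jim_shu@comcast.net>; Tue, 05 Mar 2024 10:02:11 +0000
Received: from webmail.example.net (unknown [203.0.113.45])
\tby mx1.example.net with ESMTPA id xyz789;
\tTue, 05 Mar 2024 10:01:58 +0000
From: Sam <sam@example.net>
To: Jim_shu@comcast.net
Subject: Re: bicycle designs
Message-ID: <20240305100158.xyz789@example.net>
Date: Tue, 05 Mar 2024 10:01:55 +0000

Jim, the files are attached.
"""

# "from HELO-name (reverse-dns [ip]) ... by receiving-host"; the parenthesised part is
# what the receiving server observed and is more trustworthy than the HELO name.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def parse_received(header_value):
    """Split one Received header into its from-host, observed IP, by-host and timestamp."""
    body, _, stamp = header_value.rpartition(";")
    m = RECEIVED_RE.search(" ".join(body.split()))    # unfold the header first
    if not m:
        return None
    when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
    return {"from": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip"),
            "by": m.group("by"), "time": when}


def trace_path(raw_message):
    """Delivery path in chronological order. Each MTA prepends its Received header, so the
    last one in the header block is the first hop."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return [h for h in hops if h]


def originating_ip(raw_message):
    """IP of the host that submitted the message to the first relay that recorded it."""
    hops = trace_path(raw_message)
    return hops[0]["ip"] if hops else None


def header_summary(raw_message):
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    return {"from_display": name, "from_addr": addr, "to": msg.get("To"),
            "subject": msg.get("Subject"), "message_id": msg.get("Message-ID"),
            "hops": len(trace_path(raw_message)), "origin_ip": originating_ip(raw_message)}


if __name__ == "__main__":
    for hop in trace_path(SAMPLE):
        print(hop["time"], hop["from"], hop["ip"], "->", hop["by"])
    print(header_summary(SAMPLE))
```

Only the Received lines added by servers you trust can be relied on; a sender can prepend forged Received lines of their own below the genuine ones, so the "originating" IP is the one recorded by the first trusted relay, and anything beneath that line is claimed, not observed.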
PRACTICAL 10

Aim: Web Browser Forensics .

- Web Browser working
- Forensics activities on browser
- Cache / Cookies analysis
- Last Internet activity

Steps:
1. Open Browser History Examiner.

2. Click File > Capture History.

3. Select the folder to capture from and click Next.

4. Enter the destination folder in which to store the captured data.

5. The history is being extracted.

6. The data has been retrieved and the categories of browser artifacts appear in the left panel.

7. In the left panel click Bookmarks.

8. In the left panel click Cached Files.

9. In the left panel click Cached Images.

10. In the left panel click Cookies.

11. To create a report, click File > Report and save the report as a PDF or HTML page.
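Browser History Examiner reads the browser's own databases. The following added example (written for this journal, not from the tool) shows what it does for the "last Internet activity" item on a Chromium-based browser: the History file is an SQLite database whose urls and visits tables store times as microseconds since 1601-01-01 UTC, so the timestamps must be converted before they can be lined up with other evidence. The database here is built in memory with constructed rows; on a real case the same queries run against a copy of the History file from the user's profile.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_OFFSET_S = 11644473600      # seconds from 1601-01-01 to 1970-01-01


def webkit_to_datetime(us):
    """Chromium stores times as microseconds since 1601-01-01 UTC (a Windows FILETIME / 10)."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)   # exact integer division


def build_sample_history():
    """In-memory database with the two tables Chromium's History file keeps visits in
    (columns reduced to the ones used here). All rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    t0 = datetime_to_webkit(datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc))
    minute = 60 * 10**6
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://www.example.org/", "Example", 2, t0 + 40 * minute),
        (2, "https://mail.example.net/inbox", "Inbox", 1, t0 + 5 * minute),
        (3, "https://www.example.org/files", "Files", 1, t0 + 41 * minute),
    ])
    db.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0),
        (2, 2, t0 + 5 * minute, 0, 0),
        (3, 1, t0 + 40 * minute, 0, 0),
        (4, 3, t0 + 41 * minute, 3, 0),     # reached from visit 3 (from_visit)
    ])
    return db


def last_activity(db, n=5):
    """The n most recent visits, newest first: the profile's last Internet activity."""
    rows = db.execute("""
        SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time DESC LIMIT ?""", (n,)).fetchall()
    return [(webkit_to_datetime(t), url, title) for t, url, title in rows]


def activity_between(db, start, end):
    """Visits inside a UTC window, for tying browsing to other timeline evidence."""
    rows = db.execute("""
        SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url
        WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time""",
        (datetime_to_webkit(start), datetime_to_webkit(end))).fetchall()
    return [(webkit_to_datetime(t), url) for t, url in rows]


if __name__ == "__main__":
    for when, url, title in last_activity(build_sample_history()):
        print(when.isoformat(), url, title)
```

Two practical points follow from the code: visit_count and last_visit_time in urls are summaries, while visits holds one row per visit, so the timeline must come from visits; and the epoch conversion is the same one needed for Windows FILETIME values elsewhere in the case, so timestamps from the browser and from the file system can be compared directly once both are in UTC.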
