Lab Manual For Cyber Forensic Tools
EXPERIMENT – 1
INTRODUCTION TO HEX EDITOR 18.5
REFERENCE: https://en.wikipedia.org/wiki/Hex_editor
A hex editor (or binary file editor or byte editor) is a type of computer program that allows for manipulation of the fundamental binary data that constitutes a computer file. The name 'hex' comes from 'hexadecimal': a standard numerical format for representing binary data. A typical computer file occupies multiple areas on the platter(s) of a disk drive, whose contents are combined to form the file. Hex editors that are designed to parse and edit sector data from the physical segments of floppy or hard disks are sometimes called sector editors or disk editors.
DETAILS
1. With a hex editor, a user can see or edit the raw and exact contents of a file, as opposed to the interpretation of the same content that other, higher level application software may associate with the file format.
2. Hex editors may be used to correct data corrupted by system or application program problems where it may not be worthwhile to write a special program to make the corrections.
3. In most hex editor applications, the data of the computer file is represented as hexadecimal values grouped in 4 groups of 4 bytes (or two groups of 8 bytes), followed by one group of 16 printable ASCII characters which correspond to each pair of hex digits (each byte).
HISTORY
Since the invention of computers and their different uses, a variety of file formats has been created. For some, it was convenient to be able to access the data as a series of raw digits. A program called SUPERZAP was available for IBM OS/360 systems which could edit raw disk records and also understood the format of executable files. Hexadecimal and also octal are common because these digits allow one to see which bits in a byte are set. Today, decimal instead of hexadecimal representation is becoming a popular second option due to the more familiar number base and additional helper tools, such as template systems and data inspectors, that reduce the benefits of the hexadecimal numerical format.
TEMPLATE SYSTEM
Some hex editors offer a template system that can present the sequence of bytes of a binary file in a structured way, covering part or all of the desired file format. Usually the GUI for a template is a separate tool window next to the main hex editor. Some cheat engine systems consist only of such a template GUI.
Typically, a template is represented as a list of labelled text boxes, such that individual values of a file can be easily edited in the appropriate format (e.g., as string, colour, or decimal number). Without template support, it is necessary to find the right offset in a file where the value that is to be changed is stored. Templates can be stored as files, thereby exchanged by users, and are often shared publicly over the manufacturer's website. Most if not all hex editors define their own template file format; there is no trend to support a standard or even compatibility between the various formats out in the wild.
SCRIPTING SYSTEMS
Advanced hex editors have scripting systems that let the user create macro-like functionality as a sequence of user interface commands for automating common tasks. This can be used for providing scripts that automatically patch files (e.g., game cheating, modding, or product fixes provided by the community) or to write more complex/intelligent templates.
Scripting languages vary widely, from product-specific languages resembling MS-DOS batch files to systems that support fully-fledged scripting languages such as Lua or Python.
EXPERIMENT – 2
INTRODUCTION TO ENCASE FORENSICS 4.20
REFERENCE: https://en.wikipedia.org/wiki/EnCase
EnCase is the shared technology within a suite of digital investigations products by Guidance Software. The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. The company also offers EnCase training and certification.
Data recovered by EnCase has been used in various court systems, such as in the cases of the BTK Killer and the murder of Danielle van Dam.
EnCase technology is available within a number of products, currently including: EnCase Forensic, EnCase Cybersecurity, EnCase eDiscovery, and EnCase Portable. Guidance Software also runs training courses and certification.
FEATURES
EnCase contains tools for several areas of the digital forensic process: acquisition, analysis and reporting. The software also includes a scripting facility called EnScript with various APIs for interacting with evidence.
Expert Witness File Format
EnCase contains functionality to create forensic images of suspect media. Images are stored in the proprietary Expert Witness File format; the compressible file format is prefixed with case data information and consists of a bit-by-bit (i.e. exact) copy of the media interspersed with CRC hashes for every 64K of data. The file format also appends an MD5 hash of the entire drive as a footer.
Mobile forensics
As of EnCase V7, mobile phone analysis is possible with the addition of some add-ons available from Guidance Software.
EXPERIMENT – 3
INSTALLATION OF HEX EDITOR AND ENCASE FORENSICS
A: INSTALLATION OF HEX EDITOR 18.5
REFERENCE: http://winhex.software.informer.com/18.5/
1. Click on the “DOWNLOAD” button.
2. A .zip file is downloaded with the name “winHex.zip”.
3. Unzip the file.
4. Click on the WinHex.exe file and run it.
Figure 1: Locate WinHex.exe
5. WinHex is opened.
Figure 2: WinHex opened
6. Drag and drop files into the hex editor for comparison.
Figure 3: A file inside the Hex Editor
B: INSTALLATION OF ENCASE 4.20
1. Search for EnCase 4.20 and download it.
2. Click on the “EnCase_Forensic_4.20.rar_downloader.exe” file.
EXPERIMENT – 4
COMPARISON OF FILES USING HEX EDITOR 18.5 AND FC COMMAND
A: USING HEX EDITOR 18.5
We broadly examined the headers and footers of different types of computer files present in an operating system. The first offsets of a file hold its header and the last offsets hold its footer.
1. Microsoft Word 2007
2. Microsoft PowerPoint 2007
3. MP3 File
4. MP4 File
5. JPEG File
6. PNG File
7. Object File
8. ICO File
9. Executable File
10. Microsoft Word 2013 File (.docx)
B: USING COMMAND PROMPT (FC COMMAND)
The file compare (fc) command takes the following forms:
1. Input: fc /B <filename1.extension> <filename2.extension>
Output: The comparison of filename1 and filename2 (the two inputs) is displayed in the same window.
Figure 1: Command for binary comparison of two files
Figure 2: Comparison result
2. Input: fc /B <filename1.extension> <filename2.extension> > <filename.extension>
Output: The comparison result is redirected into the file named filename instead of being shown in the window.
Figure 3: Comparison result is stored in text file
Figure 4: Result in text file
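The following Python script is an added example (not part of the lab manual) that puts parts A and B together: it identifies a file from the header and footer bytes seen at the first and last offsets in the hex editor, then reports byte-level differences in the same offset/byte/byte layout that fc /B prints. The signature table is constructed from well-known magic numbers and the sample buffers are constructed inline.

```python
"""Added example: header/footer signature check plus an fc /B style byte comparison."""
from typing import List, Optional, Tuple

# Constructed table of well-known magic numbers: (label, offset, header, trailer or None).
# Office 2007+ documents (.docx/.pptx) are ZIP containers, so they start with the ZIP local header.
SIGNATURES: List[Tuple[str, int, bytes, Optional[bytes]]] = [
    ("PNG image",                   0, b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("JPEG image",                  0, b"\xff\xd8\xff",      b"\xff\xd9"),
    ("Office 2007+ document (ZIP)", 0, b"PK\x03\x04",        None),
    ("MP3 with ID3v2 tag",          0, b"ID3",               None),
    ("MP4 (ISO BMFF 'ftyp' box)",   4, b"ftyp",              None),
    ("ICO icon",                    0, b"\x00\x00\x01\x00",  None),
    ("Windows executable (MZ)",     0, b"MZ",                None),
    ("ELF object/executable",       0, b"\x7fELF",           None),
]


def identify(data: bytes) -> Optional[str]:
    """Match the header at its offset; if the type has a known trailer, check the end of the data too."""
    for label, offset, header, trailer in SIGNATURES:
        if data[offset:offset + len(header)] != header:
            continue
        if trailer is not None and not data.endswith(trailer):
            return f"{label} (header only; trailer missing or file truncated)"
        return label
    return None


def identify_file(path: str, window: int = 16) -> Optional[str]:
    """Read only the first and last `window` bytes so large evidence files need not be loaded whole."""
    with open(path, "rb") as fh:
        head = fh.read(window)
        fh.seek(0, 2)
        size = fh.tell()
        if size <= 2 * window:
            fh.seek(0)
            return identify(fh.read())
        fh.seek(size - window)
        tail = fh.read(window)
    # The header sits at the start and the trailer at the end of this stitched buffer.
    return identify(head + tail)


def fc_binary(first: bytes, second: bytes) -> List[str]:
    """Report differences the way fc /B prints them: 8-hex-digit offset, then the byte from each file."""
    lines: List[str] = []
    for offset, (x, y) in enumerate(zip(first, second)):
        if x != y:
            lines.append(f"{offset:08X}: {x:02X} {y:02X}")
    if len(first) != len(second):
        longer = "first" if len(first) > len(second) else "second"
        lines.append(f"FC: {longer} file is longer than the other")
    if not lines:
        lines.append("FC: no differences encountered")
    return lines


if __name__ == "__main__":
    # Constructed sample buffers standing in for files dropped into the hex editor.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"IEND\xaeB`\x82"
    exe = b"MZ\x90\x00" + b"\x00" * 12
    print(identify(png), "|", identify(exe), "|", identify(png[:12]))
    for line in fc_binary(b"MZ\x90\x00", b"MZ\x90\x01"):
        print(line)
```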
EXPERIMENT – 5
IMAGING USING ENCASE FORENSICS 4.20
Step 1: Initialize the software in Enterprise mode.
Step 2: Click on New to create a new case and fill in the labels.
Click on Finish.
Step 3: View the case by clicking on Case 1 <Case Name>.
Step 4: Click on Add Device in the menu bar to add devices to your case.
Step 5: To examine your pen drive, click on the last option.
The last drive is the pen drive attached to the system; marking it will show its contents within the window.
Step 6: The pen drive opens as follows.
EXPERIMENT – 6
IMAGING USING FTK IMAGER 3.2.0.0
REFERENCE: https://support.accessdata.com/
FTK Imager is a data preview and imaging tool used to acquire data (evidence) in a forensically sound manner by creating copies of data without making changes to the original evidence.
CREATING IMAGE
1. Click File > Create Disk Image.
2. Select the source evidence type.
Figure 1: selecting source type
3. Click Next.
4. Select the drive or browse to the source of the image you want and then click Finish.
5. In the Create Image dialog, click Add.
Figure 2: Adding image source
6. Select the type of image you want to create.
Figure 3: Type of image to be created
7. Click Next.
8. Specify the evidence item information.
Figure 4: Evidence details
9. Click next and select the path of the location where you want to save the data.
Figure 5: Selecting image destination
10. Click finish and then click on start.
Figure 6: Image creation is in progress
11. After the image is created successfully, the Drive/Image Verify Results dialog box shows detailed image information.
Figure 7: Image detailed information
12. Click close and go to image summary.
Figure 8: Image summary
13. Click OK to close the image summary.
14. Click Close to exit back to Imager.
15. Add the image you created to view it.
Figure 9: Save the image you created
16. Choose image file since that’s what you have just created.
Figure 10: Select the type of image you have created
17. Click next and select the path.
Figure 11: Enter evidence source to view the result
18. View the image.
Figure 12: Image view
Figure 13: List of files recovered
Figure 14: Export files to take backup
EXPERIMENT – 7
EXTRACTING BROWSER ARTIFACTS
ChromeHistoryView: ChromeHistoryView is a small utility that reads the history data file of the Google Chrome web browser and displays the list of all web pages visited in recent days. For each visited web page, the following information is displayed: URL, Title, Visit Date/Time, Number of Visits, number of times that the user typed this address (Typed Count), Referrer, and Visit ID.
Figure 1: Chromehistoryview
ChromeCacheView: ChromeCacheView is a small utility that reads the cache folder of the Google Chrome web browser and displays the list of all files currently stored in the cache.
For each cache file, the following information is displayed: URL, Content type, File size, Last accessed time, Expiration time, Server name, Server response, and more. You can easily select one or more items from the cache list and then extract the files to another folder, or copy the URL list to the clipboard.
Figure 2: Chromecacheview
IEHistoryView: This utility reads all information from the history file on your computer, and displays the list of all URLs that you have visited in the last few days. It also allows you to select one or more URL addresses, and then remove them from the history file or save them into text, HTML or XML file.
Figure 3: IEHistoryView
IECacheView: IECacheView is a small utility that reads the cache folder of Internet Explorer, and displays the list of all files currently stored in the cache. For each cache file, the following information is displayed: Filename, Content Type, URL, Last Accessed Time, Last Modified Time, Expiration Time, Number of Hits, File Size, Folder Name, and full path of the cache filename.
Figure 4: IECacheView
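The fields ChromeHistoryView reports come from Chrome's SQLite History database (the urls and visits tables), whose timestamps are microseconds since 1601-01-01 UTC rather than Unix time. The Python script below is an added example, not part of the lab manual or of the tools it describes: it builds a constructed History-like database in memory with a subset of the real columns, converts the timestamps, and resolves each visit's referrer through the from_visit column.

```python
"""Added example: read ChromeHistoryView-style fields from a Chrome History-like SQLite database."""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Chrome stores times as microseconds since 1601-01-01 UTC (the Windows FILETIME epoch), not Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt: datetime) -> int:
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for Chrome's History file: a subset of the real urls/visits columns."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER);
    """)
    t0 = datetime_to_webkit(datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc))
    minute = 60 * 1_000_000
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 2, 1, t0 + 2 * minute),
        (2, "https://example.com/login", "Login", 1, 0, t0 + minute),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, t0, 0),                # typed directly: from_visit 0 means no referrer
        (2, 2, t0 + minute, 1),       # reached by following a link from visit 1
        (3, 1, t0 + 2 * minute, 2),   # back to the start page from the login page
    ])
    con.commit()
    return con


def list_visits(con: sqlite3.Connection) -> List[Dict[str, object]]:
    """One row per visit with the fields ChromeHistoryView shows; referrer resolved via from_visit."""
    rows = con.execute("""
        SELECT v.id, u.url, u.title, v.visit_time, u.visit_count, u.typed_count,
               (SELECT u2.url FROM visits v2 JOIN urls u2 ON u2.id = v2.url
                 WHERE v2.id = v.from_visit) AS referrer
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    return [{"visit_id": r[0], "url": r[1], "title": r[2],
             "visited": webkit_to_datetime(r[3]).isoformat(),
             "visit_count": r[4], "typed_count": r[5], "referrer": r[6]} for r in rows]


def open_history(path: str) -> sqlite3.Connection:
    """Open a copied History file read-only; work on a copy, never the live file of a running profile."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for row in list_visits(build_sample_history()):
        print(row)
```

To run it against real evidence, pass a copy of the profile's History file to open_history() and hand the connection to list_visits().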
EXPERIMENT – 8
FILE CARVING USING TESTDISK AND PHOTOREC
A: USING TEST DISK
REFERENCE: http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step
Download TestDisk and extract the files from the archive including sub directories.
1. Log Creation
Choose Create to instruct TestDisk to create a log file containing technical information and messages, unless you have a reason to append data to an existing log or you are executing TestDisk from read-only media and must create the log elsewhere.
Figure 1: Create log
2. Disk selection
All hard drives should be detected and listed with the correct size by TestDisk.
Use up/down arrow keys to select your hard drive with the lost partition/s. Press Enter to Proceed.
Figure 2: List of disks
3. Partition table type selection
Select the partition table type. Usually the default value is the correct one, as TestDisk auto-detects the partition table type. Press Enter to proceed.
Figure 3: Selecting partition table
4. Current partition table status
Use the default menu "Analyse" to check your current partition structure and search for lost partitions.
Confirm at Analyse with Enter to proceed.
Figure 4: Current partition table status
Now, your current partition structure is listed. Examine your current partition structure for missing partitions and errors.
Figure 5: Checking for missing partitions
5. Quick search for partitions
During the Quick Search, TestDisk has found two partitions, including the missing logical partition labelled Partition 3.
Figure 6: Quick search
6. Deeper search
Deeper Search will also look for the FAT32 backup boot sector, the NTFS backup boot superblock and the ext2/ext3 backup superblock to detect more partitions.
Figure 7: Deeper search
7. Highlight the first partition Partition 2 and press p to list its data.
Figure 8: List of data in a partition
B: USING PHOTOREC
REFERENCE: http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step
1. Disk Selection
Available media are listed. Use up/down arrow keys to select the disk that holds the lost files. Press enter to proceed.
Figure 1: Disk selection
2. Source partition selection
Choose Search after selecting the partition that holds the lost files to start the recovery, Options to modify the options, or File Opt to modify the list of file types recovered by PhotoRec.
Figure 2 : Source partition selection
3. PhotoRec options
Figure 3: Photorec options
4. Selection of files to recover
Figure 4: Selection of file
5. File system type
Once a partition has been selected and validated with Search, PhotoRec needs to know how the data blocks are allocated. Unless it is an ext2/ext3/ext4 file system, choose Other.
Figure 5: File system type
6. Carve the partition or unallocated space only
PhotoRec can search for files in the whole partition (useful if the file system is corrupted) or in the unallocated space only (available for ext2/ext3/ext4, FAT12/FAT16/FAT32 and NTFS). With the latter option only deleted files are recovered.
Figure 6: Carve the partition
7. Select where the recovered files are to be written
Figure 7: Choose the directory where the recovered files should be written.
8. Recovery in progress
Figure 8: Recovery in progress
9. Recovery is completed
Figure 9: Recovery completed
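PhotoRec recovers files by scanning the partition or unallocated space for known headers and walking to each file's end, independently of the file system. The Python script below is an added example (not the lab manual's nor PhotoRec's code) of that technique on a constructed raw image: PNG files are carved by following their chunk structure to the IEND chunk, JPEG files by searching for the end-of-image marker, and a header with no usable trailer is treated as a false positive.

```python
"""Added example: a minimal header/footer carver in the spirit of PhotoRec's signature search."""
import os
import struct
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker followed by the first segment marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def png_end(data: bytes, start: int) -> Optional[int]:
    """Walk PNG chunks (4-byte length, 4-byte type, data, 4-byte CRC) until IEND.
    Returns the offset just past IEND, or None if the chunk chain runs off the buffer."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if pos > len(data):
            return None
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end(data: bytes, start: int) -> Optional[int]:
    """JPEG has no top-level length field, so the carve stops at the first end-of-image marker."""
    end = data.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end < 0 else end + len(JPEG_EOI)


def carve(image: bytes) -> List[Tuple[str, int, bytes]]:
    """Scan a raw byte blob and return (extension, offset, contents) for every complete file found."""
    found: List[Tuple[str, int, bytes]] = []
    pos = 0
    while pos < len(image):
        if image.startswith(PNG_SIG, pos):
            kind, end = "png", png_end(image, pos)
        elif image.startswith(JPEG_SOI, pos):
            kind, end = "jpg", jpeg_end(image, pos)
        else:
            pos += 1
            continue
        if end is None:          # header without a usable trailer: skip it as a false positive
            pos += 1
            continue
        found.append((kind, pos, image[pos:end]))
        pos = end                # resume scanning after the carved file
    return found


def write_carved(found: List[Tuple[str, int, bytes]], outdir: str) -> List[str]:
    """Write each carved file as f<offset>.<ext> into outdir; returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths: List[str] = []
    for kind, offset, blob in found:
        path = os.path.join(outdir, f"f{offset:08x}.{kind}")
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


def sample_image() -> bytes:
    """Constructed 'unallocated space': filler bytes around a minimal PNG and a minimal JPEG."""
    ihdr = struct.pack(">I", 13) + b"IHDR" + b"\x00" * 13 + b"\x00" * 4   # CRC not validated here
    iend = struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82"
    png = PNG_SIG + ihdr + iend                      # 45 bytes
    jpg = JPEG_SOI + b"\xe0" + b"\x00" * 10 + JPEG_EOI   # 16 bytes
    return b"\x00" * 7 + png + b"XYZ" + jpg + b"\x00" * 5


if __name__ == "__main__":
    for kind, offset, blob in carve(sample_image()):
        print(f"{kind} at offset {offset}: {len(blob)} bytes")
```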
EXPERIMENT – 9
MICROSOFT SYSINTERNALS
REFERENCE: https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
The Sysinternals web site was created in 1996 by Mark Russinovich to host his advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.
1. MICROSOFT SYSINTERNALS- NETWORKING UTILITIES
Link: https://technet.microsoft.com/en-us/sysinternals -> Networking Utilities
Introduction to the networking utilities
S.No. Utility: Description
1. PsFile: See what files are opened remotely.
2. PsPing: Measures network performance.
3. ShareEnum: Scan file shares on your network and view their security settings to close security holes.
4. PsTools: The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
5. TCPView: Active socket command-line viewer.
Table 1: Networking Utilities and their description
Detailed Description:
1. PsFile
The "net file" command shows you a list of the files that other computers have opened on the system on which you execute the command; however, it truncates long path names and doesn't let you see that information for remote systems. PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it also allows you to close opened files either by name or by a file identifier.
Figure 1: PsFile
2. PsPing
PsPing implements ping functionality, TCP ping, and latency and bandwidth measurement.
Figure 2: PsPing
3. ShareEnum
An aspect of Windows NT/2000/XP network security that's often overlooked is file shares. A common security flaw occurs when users define file shares with lax security, allowing unauthorized users to see sensitive files. There are no built-in tools to list shares viewable on a network and their security settings, but ShareEnum fills the void and allows you to lock down file shares in your network.
Figure 3: ShareEnum
Figure 4: Security Information of IP Domains
Figure 5: Security Information of All Domains
4. PsTools
The Windows NT and Windows 2000 Resource Kits come with a number of command-line tools that help you administer your Windows NT/2K systems.
Figure 6: Process Information Lister
5. TCPView
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.
2. MICROSOFT SYSINTERNALS - PROCESS UTILITIES
Link: https://technet.microsoft.com/en-us/sysinternals -> Process Utilities
Introduction to the process utilities
S.No. Utility: Description
1. Autoruns: See what programs are configured to start up automatically when your system boots and you log in. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
2. Process Explorer: Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
3. Process Monitor: Monitor file system, Registry, process, thread and DLL activity in real-time...
4. VMMap: See a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Identify the sources of process memory usage and the memory cost of application features...
5. PortMon: Monitor serial and parallel port activity with this advanced monitoring tool. It knows about all standard serial and parallel IOCTLs and even shows you a portion of the data being sent and received. Version 3.x has powerful new UI enhancements and advanced filtering capabilities.
Table 1: Utilities and their description
Detailed Description:
1. Autoruns
This utility, which has the most comprehensive knowledge of auto-starting locations of any Startup monitor, shows you what programs are configured to run during system boot up or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your Startup folder, Run, Run Once, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.
Figure 1: Autoruns
2. Process Explorer
Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
Figure 2: Process Explorer
3. Process Monitor
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
Figure 3: Process Monitor
Figure 4: Process Monitor
4. VMMap
VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. VMMap also shows summary information and a detailed process memory map.
Figure 5: VMMap
Figure 6: VMMap
5. PortMon
Portmon is a utility that monitors and displays all serial and parallel port activity on a system.
Figure 7: PortMon
3. MICROSOFT SYSINTERNALS - SECURITY UTILITIES
Link: https://technet.microsoft.com/en-us/sysinternals -> Security Utilities
Introduction to the security utilities
S.No. Utility: Description
1. AccessEnum: This simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. Use it to find holes in your permissions.
2. Autologon: Bypass the password screen during logon.
3. Process Explorer: Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
4. Autoruns: See what programs are configured to start up automatically when your system boots and you log in. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
5. SDelete: Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program.
Table 1: Utilities and their description
Detailed Description:
1. AccessEnum
While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult.
Figure 1: AccessEnum
2. Autologon
Autologon enables you to easily configure Windows’ built-in Autologon mechanism. Instead of waiting for a user to enter their name and password, Windows uses the credentials you enter with Autologon, which are encrypted in the Registry, to log on the specified user automatically.
Figure 2: Autologon
Figure 3: Autologon
3. Process Explorer
Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
Figure 4: Process Explorer
Figure 5: Process Explorer
4. Autoruns
Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
Figure 6: Autoruns
5. SDelete
SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk. SDelete accepts wild card characters as part of the directory or file specified.
Figure 7: SDelete Command
4. MICROSOFT SYSINTERNALS - SYSTEM INFORMATION UTILITIES
Link: https://technet.microsoft.com/en-us/sysinternals/ -> System Information Utilities
Brief introduction:
S.No. Utility: Description
1. Autoruns: See what programs are configured to start up automatically when your system boots and you log in. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
2. ClockRes: View the resolution of the system clock, which is also the maximum timer resolution.
3. Coreinfo: Coreinfo is a command-line utility that shows you the mapping between logical processors and the physical processor, NUMA node, and socket on which they reside, as well as the caches assigned to each logical processor.
4. Handle: This handy command-line utility will show you what files are open by which processes, and much more.
5. LiveKd: Use Microsoft kernel debuggers to examine a live system.
6. LoadOrder: See the order in which devices are loaded on your WinNT/2K system.
7. LogonSessions: List the active logon sessions on a system.
8. PendMoves: Enumerate the list of file rename and delete commands that will be executed at the next boot.
9. Process Explorer: Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
10. Process Monitor: Monitor file system, Registry, process, thread and DLL activity in real-time.
11. ProcFeatures: This applet reports processor and Windows support for Physical Address Extensions and No Execute buffer overflow protection.
12. PsInfo: Obtain information about a system.
13. PsLoggedOn: Show users logged on to a system.
14. PsTools: The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
15. RAMMap: An advanced physical memory usage analysis utility that presents usage information in different ways on its several different tabs.
16. WinObj: The ultimate Object Manager namespace viewer is here.
Table 1: List of System Information Utilities
Five of these utilities are described in detail:
1. Load Order
This applet shows you the order that a Windows NT or Windows 2000 system loads device drivers.
Figure 1: Load Order
2. Process Explorer
The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
Figure 2: Process Explorer
3. Process Monitor
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
Figure 3: Process Monitor
4. WinObj
WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space.
Figure 4: WinObj
5. RAMMap
RAMMap is an advanced physical memory usage analysis utility for Windows Vista and higher. It presents usage information in different ways on its several different tabs.
Figure 5: RAMMap
5. MICROSOFT SYSINTERNALS - MISCELLANEOUS UTILITIES
Link: https://technet.microsoft.com/en-us/sysinternals -> Miscellaneous Utilities
S.No. Utility: Description
1. ZoomIt v4.5: Presentation utility for zooming and drawing on the screen.
2. Desktops: This new utility enables you to create up to four virtual desktops and to use a tray interface or hotkeys to preview what's on each desktop and easily switch between them.
3. BgInfo: This fully-configurable program automatically generates desktop backgrounds that include important information about the system including IP addresses, computer name, network adapters, and more.
4. Registry Usage: View the registry space usage for the specified registry key.
Table 1: Utilities and their description
Detailed Description:
1. ZoomIt
ZoomIt is a screen zoom and annotation tool for technical presentations that include application demonstrations. ZoomIt runs unobtrusively in the tray and activates with customizable hotkeys to zoom in on an area of the screen, move around while zoomed, and draw on the zoomed image. The first time you run ZoomIt it presents a configuration dialog that describes ZoomIt's behaviour, lets you specify alternate hotkeys for zooming and for entering drawing mode without zooming, and customize the drawing pen colour and size. I use the draw-without-zoom option to annotate the screen at its native resolution, for example. ZoomIt also includes a break timer feature that remains active even when you tab away from the timer window and allows you to return to the timer window by clicking on the ZoomIt tray icon.
Figure 1: ZoomIt
2. Desktops
Desktops allows you to organize your applications on up to four virtual desktops. Read email on one, browse the web on the second, and do work in your productivity software on the third, without the clutter of the windows you're not using.
Figure 2: Desktop
Figure 3: Four desktops
3. BgInfo
BgInfo automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more. You can edit any field as well as the font and background colours, and can place it in your Startup folder so that it runs on every boot, or even configure it to display as the background for the logon screen.
Figure 4: BgInfo
Figure 5: Initial Configuration
4. Registry Usage
Ru (Registry Usage) reports the registry space usage for the registry key you specify. By default it recurses sub-keys to show the total size of a key and its sub-keys.
Figure 7: RU options
6. MICROSOFT SYSINTERNALS - FILE AND DISK UTILITIES
Link: https://technet.microsoft.com/en-us/sysinternals -> File and Disk Utilities
1. AccessEnum: This simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. Use it to find holes in your permissions.
2. CacheSet: CacheSet is a program that allows you to control the Cache Manager's working set size using functions provided by NT. It's compatible with all versions of NT.
3. PsTools: The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
Introduction:
AccessEnum
While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult.
Figure 1: Access Enum
CacheSet
CacheSet is an applet that allows you to manipulate the working-set parameters of the system file cache. Unlike CacheMan, CacheSet runs on all versions of NT and will work without modifications on new Service Pack releases.
Figure 2: Cache set
PsTools
The Windows NT and Windows 2000 Resource Kits come with a number of command-line tools that help you administer your Windows NT/2K systems. What sets the PsTools apart is that they all allow you to manage remote systems as well as the local one.
PsLogList
Figure 3: PsLog List
PsService
Figure 4: PsService