
DIGITAL FORENSICS LAB FAT

Name: Trinav Rattan


Reg. No.: 19BCE0493

Course Title: Digital Forensics


Course Code: CSE4004
Slot: L5 + L6
Class Number: VL2021220502610
Semester: Winter Semester 2021 – 2022
Date: 25th April 2022
Time: 11:40 to 13:20
Faculty: Prof. Jayakumar Sadhasivam
1. What is the MD5 for this evidence file?

MD5 of the evidence file: 7193a0dbafbc5b70dd47edf6b661a54d


2. On what date was it acquired?

It was created on 2007-07-25 00:26:10 IST

And modified on 2008-03-10 13:41:27 IST

3. What was the operating system used to acquire this image?

Details of the system that acquired the image:


Operating system: Windows_NT
Source Name: System
4. List the user account names and last accessed date.
5. Find the hash of the image and all the files extracted
6. What is the hex code of the image file which does not open correctly?
7. Check if there are any emails, pictures, and office documents.

8. What is the size of the allocated and unallocated drive?


9. Include the screenshot of the autopsy report.

Generating the report:


1. Find the hostname, IP address, and MAC address for the sender and receiver.
MAC address and IP address:
2. If a packet is highlighted in black and red color, what does it mean for the packet?

If Wireshark detects potential problems with a packet, it colors that packet with red text on a black field. This coloring might
indicate a real problem, but then again it might not.

3. Check the emails, attachments, chat ports

Emails:
Ports:
Attachments: Edit → Find Packet

4. What is the filter command for listing all outgoing HTTP traffic?

Command: http
5. Establish a timeline and explain what is happening in the .pcap file.

To capture a PCAP file you need a packet sniffer, which captures packets and presents them in a form
that is easy to read. When using a PCAP sniffer, the first thing to do is identify which interface you
want to sniff on; on a Linux device this could be eth0 or wlan0.
Timelines of some of the packets:

Using the following tools to analyse the header file:


1. What is the Email ID of the Sender and Receiver?
Sender email: therealdonaldtrump@whitehouse.gov
Receiver email: smartprof@unomaha.edu

2. What is the IP address of the Sender, Receiver, and Server of the email?

Sender IP address: 137.48.187.123


Receiver IP address: 137.48.187.123
Server IP address: 42.111.10.36

3. What is the Reply-to address? Is it different from the sender?

The Reply-to address is Robin Gandhi smartprof@unomaha.edu


No, it is from the same sender.

4. What country did the email originate from?


Country: United States

State: Nebraska

City: Omaha (Central Omaha)

Zip Code: 68182

5. What is the Date and Time of the email?


Date and Time: Wed, 12 Jul 2017 17:49:14 -0500

6. What is the DKIM Signature of the email?

DKIM: none

7. What is the Message-ID of the email?


Message-ID: 20170712224914.958031E5EE0@loki.ist.unomaha.edu

8. What is the spam score and status of the email?

Spam Score: 1.1


SpamAssassin prediction: No Spam = Good!
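A small header parser, added here as an example (it is not part of this report), that pulls out the fields asked for in questions 1 to 8 from a raw header block. The sample header is constructed to mirror the values reported above; the layout of its Received lines and the relay host mx.example.invalid are assumptions.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header mirroring the values reported above; the hop
# layout of the Received lines and the relay host name are assumptions.
RAW_HEADER = """\
Received: from loki.ist.unomaha.edu (loki.ist.unomaha.edu [137.48.187.123])
    by mx.example.invalid ([42.111.10.36]) with ESMTP
    for <smartprof@unomaha.edu>; Wed, 12 Jul 2017 17:49:15 -0500 (CDT)
Received: from [137.48.187.123] (unknown [137.48.187.123])
    by loki.ist.unomaha.edu (Postfix) with ESMTP id 958031E5EE0
    for <smartprof@unomaha.edu>; Wed, 12 Jul 2017 17:49:14 -0500 (CDT)
From: therealdonaldtrump@whitehouse.gov
To: smartprof@unomaha.edu
Reply-To: Robin Gandhi <smartprof@unomaha.edu>
Date: Wed, 12 Jul 2017 17:49:14 -0500
Message-ID: <20170712224914.958031E5EE0@loki.ist.unomaha.edu>
X-Spam-Status: No, score=1.1 required=5.0

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def analyse_header(raw: str) -> dict:
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # Each relay prepends its own Received line, so the LAST one is the first
    # hop; its first IP is the best evidence for where the mail was injected.
    hops = [IPV4.findall(h) for h in reversed(msg.get_all("Received", []))]
    origin_ip = next((ips[0] for ips in hops if ips), None)
    status = msg.get("X-Spam-Status", "")
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", status)
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "reply_to_differs": bool(reply_to) and reply_to != from_addr,
        "origin_ip": origin_ip,
        "hop_ips": hops,
        # Date in UTC, comparable with the timestamp prefix of the Message-ID.
        "date_utc": parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc).isoformat(),
        "message_id": msg.get("Message-ID", "").strip("<>"),
        "dkim_present": msg.get("DKIM-Signature") is not None,
        "spam_status": status.split(",")[0].strip() or None,
        "spam_score": float(score.group(1)) if score else None,
    }
```

On the sample, the Date normalised to UTC (22:49:14) matches the 20170712224914 prefix of the Message-ID, a quick consistency check between two independent header fields; the originating IP and country come from the earliest Received line, not from the From header, which any sender can set freely.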
