
Enrollment No. : 181230107036 [DIGITAL FORENSICS (3170725)]

PRACTICAL : 1
Aim: To study the overview of Digital Forensics.

Introduction:

Digital forensics, or digital forensic science, is the branch of forensic science focused on the recovery and investigation of material found in digital devices, typically in relation to cybercrime. It is concerned with the identification, preservation, examination and analysis of digital evidence using scientifically accepted and validated processes, so that the evidence can be used both in and outside a court of law.

Purpose:

The most common purpose of digital forensics is to support or refute a hypothesis in a criminal or civil court:

• Criminal cases: these involve the alleged breaking of laws, and are handled by law enforcement agencies and their digital forensic examiners.

• Civil cases: these involve the protection of the rights and property of individuals, or contractual disputes between commercial entities, where a form of digital forensics called electronic discovery (also known as eDiscovery) may be involved.

Tools used in Digital Forensics:

There are several tools used for digital forensics. Here are a few popular and widely used digital forensics tools:

• The Sleuth Kit:
The Sleuth Kit concentrates on the hard drive, which is not the only place where artefacts and forensic data are stored on a machine: critical forensic information is also held in RAM, so analysts should collect artefacts from this volatile memory first, while they are still available, for them to be forensically useful and valid. The tool can show a detailed listing of deleted and hidden files. It also supports different kinds of partition tables, for example Sun, Mac, BSD, DOS, etc. Its only drawback is that it is command-line driven, so you need to remember all the commands.

SSAIET, Computer Department, Navsari Page 1

• Autopsy:
Autopsy is open-source digital forensic software used heavily for hard drive investigations. Corporate investigators and government agencies use it to conduct digital investigations, and the military and law enforcement agencies leverage it as well. It is available for both Linux and Windows, and comes pre-installed in Kali Linux. Autopsy can examine various file systems, for example FAT, Ext2/Ext3, NTFS, etc.

• ProDiscover Basic:
Like Autopsy, ProDiscover Basic has a GUI (graphical user interface), and it is also a free digital forensic tool. It makes replicas (images) of the hard disk without modifying any data. It also allows you to preview and search suspect files, reading the entire drive byte by byte without altering any data or metadata. As soon as the image is ready, a user can analyse the evidence in detail.

• SANS SIFT:
The SANS SIFT (Investigative Forensic Toolkit) is an Ubuntu-based live CD. It covers all the tools required to carry out an in-depth incident response investigation or forensic examination. It supports analysis of the Advanced Forensic Format (AFF), RAW (dd) and Expert Witness Format (E01) evidence formats. SIFT also incorporates tools such as log2timeline, which helps generate a timeline from system logs; Rifiuti, for examining the Recycle Bin; Scalpel, for file carving; etc.

• Volatility:
For the analysis of volatile memory, Volatility is the most well-known tool. Like the Sleuth Kit, Volatility is open-source, free, and supports third-party plugins. The Volatility Foundation conducts a yearly contest to develop the most innovative and useful extension to the framework.

PRACTICAL : 2
Aim: How to recover deleted files or data from storage devices using forensic tools.

Introduction: In this practical we will recover a deleted file using digital forensic tools, namely AccessData FTK and RecoverMyFiles.

Steps to recover a file:

1. Delete the file:
Delete the demo file which you are planning to recover.

2. Create an image:
• The first step in recovering the file is creating a bit-by-bit image of the whole hard disk. There are multiple tools that can help us perform this task, but for this practical we will be using the AccessData Forensic Toolkit (AccessData FTK).


• From the File menu select Create Image. Once you have done that, it will ask for various details such as a case number, evidence number, examiner name, etc. This software was designed for law enforcement, so all evidence needs to be categorized and labelled.

• Once done, it will ask for the location of the physical drive you want to image, a destination directory and a name for the image file. When you are done with all these administrative tasks, FTK Imager will begin the process of creating a forensically sound bit-by-bit image of your drive.

3. Recover the deleted file:
• Once you have created the image, you need to start the file recovery process. There are a lot of tools available for recovery, but we will be using the simplest of them, RecoverMyFiles. Select the Start Recovery icon in the upper left corner. It will ask you to select either Recover Files or Recover a Drive. Select Recover a Drive. It will then search for and display all your drives, as in the screenshot below. Since we are using a forensic image, select the Add Image button on the right. You will need to provide the path to the image file created with FTK.

• Once you have selected the image file, start the automatic file recovery.

• After that, select the File Type tab above the Explorer window to categorize the recovered files by type. As you can see, numerous file types are recovered from this hard disk. You will see your demo file within the list.


Now we have successfully recovered our file.
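The recovery step works because the file's bytes are still on the disk after its directory entry is removed, and the tool finds them by their signatures. As an added example (not part of the original practical, and not RecoverMyFiles' or FTK's own code), the Python script below shows that underlying header/footer carving idea on a constructed in-memory "disk image" containing a deleted JPEG and PNG, and hashes the image before and after to show that the analysis is read-only. The image bytes, payloads and signature table are constructed for the example.

```python
import hashlib

# Constructed sample "disk image": a JPEG and a PNG whose directory entries
# are gone, but whose bytes still sit in unallocated space. The payload
# bytes are made up for this example and are not real image data.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_FOOTER = b"IEND\xaeB`\x82"

# file type -> (header signature, footer signature), Scalpel-style table
SIGNATURES = {
    "jpg": (JPEG_HEADER, JPEG_FOOTER),
    "png": (PNG_HEADER, PNG_FOOTER),
}


def build_sample_image() -> bytes:
    fake_jpeg = JPEG_HEADER + b"\xe0" + b"JFIF-demo-payload" + JPEG_FOOTER
    fake_png = PNG_HEADER + b"png-demo-payload" + PNG_FOOTER
    return b"\x00" * 512 + fake_jpeg + b"\x00" * 100 + fake_png + b"\x00" * 64


def sha256_hex(data: bytes) -> str:
    """Hash used to prove the image was not altered by the analysis."""
    return hashlib.sha256(data).hexdigest()


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Header/footer carving: for every known header, take the bytes up to
    the next matching footer as one recovered file. Works on the raw bytes
    only, so it does not depend on the (deleted) file system metadata."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header))
            if end == -1 or end - start > max_size:
                # no plausible footer: skip this header and keep scanning
                pos = start + 1
                continue
            end += len(footer)
            found.append({
                "type": ftype,
                "offset": start,
                "size": end - start,
                "sha256": sha256_hex(image[start:end]),
                "data": image[start:end],
            })
            pos = end
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    image = build_sample_image()
    print("image sha256 before:", sha256_hex(image))
    for f in carve(image):
        print(f"{f['type']} at offset {f['offset']}, size {f['size']}, sha256 {f['sha256'][:16]}...")
    print("image sha256 after: ", sha256_hex(image))
```

Each carved file is hashed on its own so it can be documented in the case report, and the unchanged image hash is what makes the step forensically sound; real carvers add per-type size limits and structure checks, which this example only sketches with max_size.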


PRACTICAL : 3
Aim : To study the steps for hiding and extracting a text file behind an image file / audio file using the Command Prompt.
Procedure :
To Hide The File :
Step 1 : Compress the text file into a .rar file.

Step 2 : In the Command Prompt type the command “copy /b imagename.jpg + filename.rar finalnameofimage.jpg”

Step 3 : Press Enter and you have successfully hidden the text file behind the image file.


To Retrieve The File :
Step 1 : To view the file, right click it and select Open with > Notepad.

Step 2 : At the bottom of the text you will see your content along with the text file name. Since my file was empty, only the file name is visible.

The file has been retrieved successfully.
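The copy /b trick works because image viewers stop at the JPEG end-of-image (EOI) marker and ignore whatever follows it, which is also why Notepad shows the archive at the bottom. As an added example (not part of the original practical), the Python script below does the examiner's side of this: it walks the JPEG marker structure to find the true end of the image, reports any trailing bytes, and recognises the RAR signature. The minimal JPEG is constructed for the example and is not a real picture.

```python
import struct

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
RAR_SIGNATURE = b"Rar!\x1a\x07"  # magic bytes at the start of RAR archives


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, APP0 (JFIF), SOS, a few bytes of
    entropy-coded data with one stuffed 0xFF00, then EOI. Not a real picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments to the offset just past the EOI marker,
    i.e. the true end of the image. Anything after it is not picture data."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF and pos + 4 < len(data):
            pos += 1                  # 0xFF fill bytes before a marker are allowed
        marker = data[pos + 1]
        if marker == 0xD9:            # EOI without any scan data
            return pos + 2
        if marker == 0xDA:            # SOS: entropy-coded data follows; inside it
            end = data.find(JPEG_EOI, pos + 2)  # 0xFF is always stuffed as FF00 or
            if end == -1:                       # FFD0-D7, so the first FFD9 is EOI
                raise ValueError("no EOI marker after SOS")
            return end + 2
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len            # length field counts itself, not the marker
    raise ValueError("truncated JPEG")


def find_appended_payload(data: bytes):
    """Return None for a clean JPEG, or a record describing bytes appended
    after EOI (what `copy /b image.jpg + file.rar out.jpg` produces)."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    if not trailer:
        return None
    kind = "rar" if trailer.startswith(RAR_SIGNATURE) else "unknown"
    return {"offset": end, "size": len(trailer), "kind": kind, "data": trailer}


if __name__ == "__main__":
    stego = build_sample_jpeg() + RAR_SIGNATURE + b"\x00constructed-archive-bytes"
    hit = find_appended_payload(stego)
    print(f"{hit['size']} extra bytes after EOI at offset {hit['offset']} ({hit['kind']})")
```

Checking for data after EOI is a cheap triage step to run over every image in a case; the returned trailer bytes can be written out and hashed as a separate exhibit.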


PRACTICAL : 4
Aim : How to extract Exchangeable Image File Format (EXIF) data from image files using the Exifreader software.
Procedure :
Step 1 : Download the EXIF reader from the link https://exif-reader.en.softonic.com/ and install it on your PC. Open it.

Step 2 : Click on Open and select the image you want the data about.


You will see all the information related to the image.
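What the EXIF reader displays comes from an APP1 segment near the start of the JPEG that contains a small TIFF structure: a byte-order mark, an offset to the first image file directory (IFD0), and 12-byte directory entries of tag, type, count and value (or an offset to the value when it is longer than 4 bytes). As an added example (not part of the original practical, and not the Exifreader software's code), the Python script below builds a JPEG with constructed camera metadata and then parses it back out the way such a reader does. The camera make, model and timestamp values are made up.

```python
import struct

TAG_NAMES = {
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x0132: "DateTime",
}
ASCII = 2  # TIFF field type for NUL-terminated ASCII strings


def build_tiff(entries: dict) -> bytes:
    """Build a little-endian TIFF block with one IFD holding ASCII tags.
    Values of 4 bytes or fewer are stored inline in the entry; longer ones
    are stored after the IFD and referenced by offset (TIFF/EXIF rules)."""
    ifd_size = 2 + 12 * len(entries) + 4      # count + entries + next-IFD link
    data_offset = 8 + ifd_size                 # the TIFF header is 8 bytes
    ifd = struct.pack("<H", len(entries))
    blob = b""
    for tag, text in sorted(entries.items()):
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:
            value = raw.ljust(4, b"\x00")
        else:
            value = struct.pack("<I", data_offset + len(blob))
            blob += raw
        ifd += struct.pack("<HHI", tag, ASCII, len(raw)) + value
    ifd += struct.pack("<I", 0)                # no IFD1 (thumbnail) in this sample
    return b"II*\x00" + struct.pack("<I", 8) + ifd + blob


def build_sample_jpeg() -> bytes:
    """Constructed JPEG (SOI, APP1 Exif, EOI) with made-up camera metadata."""
    tiff = build_tiff({
        0x010F: "Canon",
        0x0110: "EOS-demo",
        0x0131: "v1",
        0x0132: "2021:03:14 10:20:30",
    })
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def find_exif_block(jpeg: bytes) -> bytes:
    """Return the TIFF block inside the APP1 'Exif' segment, or b'' if none."""
    if not jpeg.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI or start of scan: no more metadata
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + seg_len
    return b""


def parse_exif(tiff: bytes) -> dict:
    """Decode the ASCII tags of IFD0, honouring the declared byte order."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        return {}
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        entry = ifd0 + 2 + 12 * i
        tag, ftype, n = struct.unpack(order + "HHI", tiff[entry:entry + 8])
        if ftype != ASCII:
            continue                           # this example decodes ASCII tags only
        if n <= 4:
            raw = tiff[entry + 8:entry + 8 + n]
        else:
            value_offset = struct.unpack(order + "I", tiff[entry + 8:entry + 12])[0]
            raw = tiff[value_offset:value_offset + n]
        tags[TAG_NAMES.get(tag, f"0x{tag:04X}")] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def extract_exif(jpeg: bytes) -> dict:
    return parse_exif(find_exif_block(jpeg))
```

The same parser reads big-endian ("MM") files because the byte order is taken from the header rather than assumed; the EXIF sub-IFD, GPS IFD and numeric types are left out here, but follow the same entry layout.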


PRACTICAL : 6
Aim : How to collect email evidence from a victim PC.
Procedure :
To collect the evidence we must first set up the DumpIt tool.

Press “y” to continue. Once done it will start processing, and finally a success message will appear.


The output file will be in the same location as the DumpIt .exe file.

To view this file, download Bulk Extractor Viewer. Make sure your system has Java installed, otherwise the program won’t run.
Once done, click on Generate Report.
Select the file and the output directory.


The output will be as follows:

Hence we have successfully obtained the evidence.
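Bulk Extractor does not parse the memory dump as a file system; it scans the raw bytes for patterns such as e-mail addresses and reports each hit with its byte offset, plus a histogram of how often each address occurs. As an added example (not part of the original practical, and not bulk_extractor's own code), the Python script below does the same over a constructed byte string standing in for a DumpIt output, including the UTF-16LE form in which Windows programs often hold strings in memory. The dump contents and addresses are made up.

```python
import re
from collections import Counter

# ASCII e-mail addresses, and the same pattern as Windows-style UTF-16LE
# (every character followed by a NUL byte), which is common in memory.
EMAIL_ASCII = re.compile(rb"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}")
EMAIL_UTF16 = re.compile(
    rb"(?:[A-Za-z0-9._%+-]\x00){1,64}@\x00(?:[A-Za-z0-9.-]\x00){1,255}\.\x00(?:[A-Za-z]\x00){2,}"
)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump: padding, a mail header
    fragment, code-like bytes, a UTF-16LE string and a false positive."""
    return b"".join([
        b"\x00" * 64,
        b"From: alice@example.com\r\nTo: bob@example.org\r\n",
        b"\x90" * 32,
        "mailto:bob@example.org".encode("utf-16-le"),
        b"\xff" * 16,
        b"noise@@bad",
        b"\x00" * 32,
    ])


def scan_emails(dump: bytes, context: int = 16) -> list:
    """Find e-mail addresses with their byte offset and surrounding bytes,
    the way bulk_extractor's email scanner reports them."""
    hits = []
    for regex, encoding in ((EMAIL_ASCII, "ascii"), (EMAIL_UTF16, "utf-16-le")):
        for m in regex.finditer(dump):
            hits.append({
                "offset": m.start(),
                "email": m.group().decode(encoding),
                "encoding": encoding,
                "context": dump[max(0, m.start() - context):m.end() + context],
            })
    return sorted(hits, key=lambda h: h["offset"])


def email_histogram(hits: list) -> Counter:
    """Occurrences per address (the idea behind email_histogram.txt)."""
    return Counter(h["email"].lower() for h in hits)


if __name__ == "__main__":
    found = scan_emails(build_sample_dump())
    for h in found:
        print(f"offset {h['offset']:>8}  {h['encoding']:<9}  {h['email']}")
    print(email_histogram(found).most_common())
```

The offset is what lets an examiner go back to the dump with a hex viewer and read the surrounding bytes (here kept in the context field), which is usually needed to tell a real message from an address embedded in a program's own resources.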


PRACTICAL : 7
Aim : How to extract browser artefacts.
Introduction :
These artefacts are files stored inside specific folders in the operating system. Each browser stores its files in a different place from other browsers and they all have different names, but they all store (most of the time) the same type of data (artefacts).

Finding the artefacts :
The browser artefacts on a computer are usually stored in AppData on one’s PC.
Open the path “C:\Users\XXX\AppData\Local”; inside this folder we find our data.

Once inside, we can find all our records.
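The records found under AppData\Local are mostly SQLite databases; Chromium-based browsers keep visited URLs in the urls table of the History file, with timestamps stored as microseconds since 1601-01-01 UTC rather than the Unix epoch. As an added example (not part of the original practical), the Python script below builds an in-memory copy of the relevant columns with constructed rows, and lists them most-recent-first with the timestamps converted correctly. The URLs, titles and visit times are made up; the table layout follows Chromium's urls table but is a constructed subset.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores times as microseconds since 1601-01-01 UTC (the WebKit /
# Windows FILETIME epoch). Treating the value as Unix time shifts every
# timestamp by 369 years, so the conversion must use this epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds: int):
    """0 means 'never visited' in Chromium's urls table; return None for it."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    # Constructed stand-in for the History file, which on a live machine is
    # C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\History
    # (copy it out first: the running browser keeps it locked).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, "
        "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)"
    )
    rows = [
        (1, "https://example.com/login", "Login", 3, 1,
         datetime_to_webkit(datetime(2021, 3, 14, 10, 20, 30, tzinfo=timezone.utc)), 0),
        (2, "https://example.org/docs", "Docs", 1, 0,
         datetime_to_webkit(datetime(2021, 3, 13, 9, 0, 0, tzinfo=timezone.utc)), 0),
        (3, "https://example.net/never", "Never visited", 0, 0, 0, 1),
    ]
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def list_history(conn: sqlite3.Connection) -> list:
    """Most recent first, with timestamps converted to ISO 8601 UTC."""
    cur = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time DESC"
    )
    result = []
    for url, title, visits, last in cur:
        when = webkit_to_datetime(last)
        result.append({
            "url": url,
            "title": title,
            "visits": visits,
            "last_visit": when.isoformat() if when else None,
        })
    return result


if __name__ == "__main__":
    for row in list_history(build_sample_history()):
        print(row["last_visit"], row["visits"], row["url"], "-", row["title"])
```

Reporting the times in UTC and converting to local time only when writing up avoids the classic mistake of mixing the machine's time zone into the timeline.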


PRACTICAL : 8
Aim : How to view the last activity of your PC.
Introduction : What is activity on a PC?
The Activity by Computer report shows the total time spent on the PC in applications and on websites. ... This way, you can see what document was opened, what site URLs were visited and so forth.
How to view :
To view activity on your PC, in the Start menu type in Event.

Open it and you will see all the logs and information regarding the activities on your PC.


PRACTICAL : 9
Aim : Find the last connected USB device on your system (USB forensics).
USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used.
For each USB device, extended information is displayed: device name/description, device type, serial number (for mass storage devices), the date/time that the device was added, VendorID, ProductID, and more.
USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, and disable and enable USB devices.
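USBDeview reads this information from the registry, where Windows records every mass storage device ever plugged in under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR: one key per vendor/product/revision and, beneath it, one key per device instance whose name is the device's serial number. As an added example (not part of the original practical, and not USBDeview's code), the Python script below parses a .reg export of that key, as produced by the reg export command, into device records, and flags instance ids that Windows generated itself because the device reported no serial. The export text, serial numbers and names are constructed for the example.

```python
import re

# Instance keys look like ...\USBSTOR\<Disk&Ven_x&Prod_y&Rev_z>\<serial&n>
USBSTOR_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\([^\\\]]+)\\([^\]]+)\]$"
)
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed .reg export (format as written by `reg export`); the serial
# numbers and device names are made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\0123456789ABCDEF&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""


def parse_device_id(device_id: str) -> dict:
    """'Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00' -> type/vendor/product/revision."""
    fields = {"type": None, "vendor": None, "product": None, "revision": None}
    names = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
    for part in device_id.split("&"):
        prefix, _, value = part.partition("_")
        if prefix in names:
            fields[names[prefix]] = value.replace("_", " ")
        elif fields["type"] is None:
            fields["type"] = part
    return fields


def parse_usbstor(reg_text: str) -> list:
    devices = []
    current = None
    for raw_line in reg_text.splitlines():
        line = raw_line.strip()
        m = USBSTOR_KEY.match(line)
        if m:
            device_id, instance = m.group(1), m.group(2)
            current = parse_device_id(device_id)
            current["serial"] = instance
            # Windows makes up the instance id ('&' as second character) when
            # the device reports no unique serial; such an id cannot tell one
            # physical stick from another of the same model.
            current["windows_generated_serial"] = len(instance) > 1 and instance[1] == "&"
            current["friendly_name"] = None
            devices.append(current)
            continue
        if not line or line.startswith("["):
            current = None            # a non-instance key, or the end of a block
            continue
        v = REG_VALUE.match(line)
        if v and current is not None and v.group(1) == "FriendlyName":
            current["friendly_name"] = v.group(2)
    return devices


if __name__ == "__main__":
    for d in parse_usbstor(SAMPLE_REG):
        flag = " (serial generated by Windows)" if d["windows_generated_serial"] else ""
        print(f"{d['vendor']} {d['product']} rev {d['revision']} serial {d['serial']}{flag}")
```

A .reg export carries no key timestamps, so the "added" and "last plug/unplug" times that USBDeview shows have to come from the registry hive itself (key last-write times) or from the setupapi log; the export is enough to inventory which devices were ever connected.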


PRACTICAL : 11
Aim : Comparison of two files for a forensic investigation using the Compare It! software.
Introduction :
Compare It! is software that displays two files side by side, with the differing sections coloured to simplify analysis. You can move changes between the files with a single mouse click or keystroke, and of course you can edit the files directly in the comparison window. It can also produce a coloured printout of the differences report, exactly as it appears on screen.

Select the two files you want to compare. Open the files and you will see the differences between them side by side.
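When comparing a file from the examined system with a known-good copy, the usual order is to hash both first (equal hashes settle the question without a diff) and only then produce a line-level difference report for the write-up. As an added example (not part of the original practical, and not the Compare It! software's code), the Python script below does both with the standard library's difflib, on two constructed versions of a small configuration file.

```python
import difflib
import hashlib

# Constructed sample: a configuration file as originally deployed and the
# copy found on the examined machine.
ORIGINAL_TEXT = """[Settings]
AllowRemote=0
AdminUser=alice
LogLevel=info
"""
EXAMINED_TEXT = """[Settings]
AllowRemote=1
AdminUser=alice
LogLevel=none
"""


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compare_files(name_a: str, text_a: str, name_b: str, text_b: str) -> dict:
    """Hash first (identical hashes end the question), then produce a unified
    diff and the list of changed lines for the report."""
    hash_a, hash_b = sha256_text(text_a), sha256_text(text_b)
    diff = list(difflib.unified_diff(
        text_a.splitlines(), text_b.splitlines(),
        fromfile=name_a, tofile=name_b, lineterm="",
    ))
    # skip the two '---'/'+++' header lines; keep removed/added lines only
    changed = [line for line in diff[2:] if line[:1] in ("+", "-")]
    similarity = difflib.SequenceMatcher(None, text_a, text_b).ratio()
    return {
        "identical": hash_a == hash_b,
        "sha256_a": hash_a,
        "sha256_b": hash_b,
        "similarity": round(similarity, 3),
        "diff": diff,
        "changed_lines": changed,
    }


if __name__ == "__main__":
    report = compare_files("config.ini (original)", ORIGINAL_TEXT,
                           "config.ini (examined)", EXAMINED_TEXT)
    print("identical:", report["identical"], "similarity:", report["similarity"])
    print("\n".join(report["diff"]))
```

The unified diff is the textual equivalent of the side-by-side view; recording both hashes alongside it lets someone else verify later that the report was made from exactly those two files.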


PRACTICAL : 12
Aim : Live forensics case investigation using Autopsy.

Select New Case and fill in the details.

Once done:


Select the file you want to analyse.

The details regarding the file are provided as below.


This can also be found in the folder.
