Module 4 & 5

List and explain different types of computer forensic tools.

There are various types of computer forensic tools available to assist in digital investigations.
Here are some of the commonly used types:
1. Imaging and Data Acquisition Tools: These tools are used to create a forensic image of the
suspect drive or storage media. Some examples include FTK Imager, EnCase, and DD.
2. Analysis Tools: These tools are used to analyze the acquired data and extract evidence.
Some examples include Autopsy, Encase, and X-Ways Forensics.
3. File Carving Tools: These tools are used to extract individual files from the forensic image.
Some examples include Scalpel and Foremost.
4. Registry Analysis Tools: These tools are used to analyze the Windows registry to extract
evidence. Some examples include Registry Viewer and Registry Recon.
5. Network Forensic Tools: These tools are used to analyze network traffic and detect any
suspicious activities. Some examples include Wireshark and tcpdump.
6. Steganography Detection Tools: These tools are used to detect hidden data within files.
Some examples include Stegdetect and Gargoyle.
7. Password Recovery Tools: These tools are used to recover passwords and encryption keys.
Some examples include ElcomSoft and Cain & Abel.
It is important to note that the use of these tools should be in compliance with legal and
ethical standards, and in a manner that preserves the integrity of the evidence being analyzed.

Forensic Duplicates as Admissible Evidence?

Forensic duplicates are admissible as evidence in legal proceedings as long as they meet
certain criteria. These criteria ensure that the integrity of the evidence has been maintained
throughout the forensic process. The criteria include:
1. Authentication: The forensic duplicate must be verified as an exact copy of the original
evidence.
2. Chain of Custody: The forensic duplicate must have a documented chain of custody that
shows who had control of the evidence and what was done with it at every step.
3. Verification of Tools and Techniques: The forensic tools and techniques used to create the
duplicate must be verified as reliable and accurate.
4. Preservation of Metadata: The forensic duplicate must preserve all metadata associated
with the original evidence, including creation and modification dates, file size, and other
relevant information.
5. Admissibility Standards: The forensic duplicate must meet the admissibility standards of
the jurisdiction in which the legal proceedings are taking place.
If the forensic duplicate meets these criteria, it can be considered admissible evidence in legal
proceedings. However, it is important to note that the admissibility of evidence is ultimately
up to the judge overseeing the case, who may have additional requirements or standards that
must be met.
Express forensic duplication techniques.
Forensic duplication techniques are used in digital forensics to create an exact copy of digital
evidence for analysis without altering the original data. Some common techniques of forensic
duplication include:
1. Bit-stream Imaging: This is a method of creating a bit-by-bit copy of the original storage
device, including unallocated space and deleted files.
2. Live Duplication: This technique involves copying active data on a running system to a
separate storage device or destination, without shutting down the system.
3. Logical Duplication: This technique involves copying only the relevant data files,
directories, or partitions of a storage device to a separate storage device or destination.
4. Remote Duplication: This technique involves remotely copying data from a system or
storage device over a network to a separate storage device or destination.
5. Targeted Duplication: This technique involves copying only specific files or data that are
relevant to the investigation.
Tools commonly used for forensic duplication include dd, FTK Imager, and EnCase Imager.

Express the differences between static acquisition and live acquisition?

Discuss the 6 standard procedures for network forensics?
The six standard procedures for network forensics are:
1. Identification: This involves identifying the network devices and systems that are relevant
to the investigation.
2. Preservation: This involves preserving the state of the network devices and systems to
prevent further loss of evidence. This may involve disconnecting the device from the
network or isolating the device.
3. Collection: This involves collecting the relevant data from the network devices and
systems. This may involve capturing network traffic, collecting system logs, or collecting
data from network devices.
4. Examination: This involves examining the collected data to identify relevant information
that is related to the investigation.
5. Analysis: This involves analyzing the data that has been collected and examined to identify
patterns, anomalies, or other indicators of suspicious activity.
6. Presentation: This involves presenting the findings of the investigation in a clear and
concise manner that is suitable for the intended audience, such as law enforcement or
legal professionals.
These procedures are designed to ensure that the investigation is conducted in a thorough
and systematic manner, and that all relevant evidence is identified, collected, and preserved
in a manner that is admissible in court if necessary.

Figure out the Network forensics tools? List any 5 network forensics tools.
Network forensics tools are designed to capture and analyze network traffic for investigating
security incidents, identifying network vulnerabilities, and monitoring network activity. Here
are five popular network forensics tools:
1. Tcpdump: Tcpdump is a command-line network packet analyzer that captures and displays
packets from a network interface. It can be used to capture and analyze network traffic in
real-time and to store packets for later analysis.
2. Wireshark: Wireshark is a popular GUI-based network packet analyzer that can capture
and analyze network traffic in real-time. It supports hundreds of protocols and has
advanced features for filtering, searching, and exporting captured data.
3. Network Miner: Network Miner is a network forensic analysis tool that can capture and
analyze network traffic, extract files, and analyze metadata. It can identify operating
systems, services, and devices on a network, and can be used for incident response and
threat hunting.
4. Splunk: Splunk is a powerful log management and security information and event
management (SIEM) tool that can be used for network forensics. It can ingest, store, and
analyze log data from network devices and other sources, and can be used to detect
anomalies, investigate security incidents, and generate reports.
5. Snort: Snort is a popular open-source network intrusion detection system (IDS) that can
be used for network forensics. It can detect and alert on network-based attacks and
anomalies and can generate logs and alerts that can be used for forensic analysis.
Each of these tools has different features and capabilities and can be used in different ways
depending on the specific needs of a network forensic investigation.
Illustrate Investigating Registry Files.
Registry files contain important information related to the configuration settings, user
accounts, and installed applications on a Windows operating system. Investigating registry
files can provide valuable insights during a digital forensics’ investigation. Here are the steps
to investigate registry files:
1. Identify the registry hives: Registry hives are files that store the configuration settings for
a particular part of the Windows operating system. The main hives are located in the
C:\Windows\System32\Config folder. The main hives are named SAM, SYSTEM,
SOFTWARE, SECURITY, and DEFAULT.
2. Acquire the registry hives: In order to investigate the registry hives, they must first be
acquired using a forensic imaging tool. This ensures that the original registry hives are not
modified during the investigation.
3. Analyze the registry hives: Once the registry hives are acquired, they can be analyzed using
a registry analysis tool such as Registry Viewer or Registry Explorer. These tools allow
investigators to search for specific registry keys, values, and data.
4. Examine specific registry keys: Investigators should examine specific registry keys that are
commonly used by attackers to persist on a system, such as the Run key, which contains a
list of programs that are executed when the system starts up.
5. Look for evidence of malicious activity: Investigators should look for evidence of malicious
activity in the registry hives. This could include the presence of suspicious registry keys or
values, such as those associated with malware or remote access tools.
6. Document findings: Finally, investigators should document their findings in a report that
summarizes the evidence found in the registry hives and any conclusions that can be
drawn from the evidence.
Overall, investigating registry files can provide valuable information during a digital forensics’
investigation, and should be a standard part of the investigative process.

Demonstrate the basic investigative steps for formal Examination of windows systems.
The following are the basic investigative steps for the formal examination of Windows systems:
1. Identification: Identify the system(s) to be examined and gather all available
documentation about the system(s), including network diagrams, system specifications,
and system logs.
2. Collection: Collect all relevant data from the system(s) to be examined, including files,
directories, registry keys, and system logs.
3. Preservation: Preserve the collected data in a secure manner to prevent any alterations,
modification, or destruction of the data.
4. Analysis: Analyze the preserved data using forensic tools and techniques to identify any
evidence of unauthorized access, malware, or other security breaches.
5. Reporting: Document all findings in a detailed report, including the methods used, the
data analyzed, and the conclusions drawn.
6. Presentation: Present the report to the appropriate stakeholders, such as management,
legal counsel, or law enforcement, as required.
It is important to follow a systematic and structured approach to ensure the integrity and
admissibility of the collected evidence. Additionally, all steps should be thoroughly
documented and carefully documented to ensure that the findings can be presented
accurately and effectively in a court of law, if necessary.

Demonstrate the basic investigative steps for formal Examination of Linux systems.
The basic investigative steps for formal examination of Linux systems are as follows:
1. Identification: Identify the system and collect information about the operating system,
hardware, and software installed on the system.
2. Data Acquisition: Acquire data from the system using forensically sound methods, such as
creating a forensic image of the hard drive or using a write blocker to prevent changes to
the data.
3. Data Recovery: Recover data that may have been deleted or hidden on the system using
specialized forensic tools and techniques.
4. Analysis: Analyze the acquired data to identify any potential evidence related to the
investigation. This may include searching for specific files, analyzing network traffic, and
examining system logs.
5. Reporting: Document the findings of the investigation in a report that outlines the
methodology used, the evidence collected, and the conclusions reached. This report may
be used in legal proceedings or to guide further investigation.
It is important to note that these steps should be performed in a forensically sound manner
to ensure that the integrity of the evidence is preserved and that any findings can be relied
upon in legal proceedings.

Explore Data Carving.

Data carving is a technique used in computer forensics to recover files and folders from
storage media that has been damaged or deleted, or from fragmented files that have been
partially overwritten. It involves the systematic search and extraction of file fragments from
unallocated clusters, slack space, or other parts of a storage device.

Data carving can be done using a variety of tools that can read and analyze file system
structures and data patterns. These tools typically search for file signatures, or magic
numbers, that identify the type of file being recovered. For example, a JPEG file typically starts
with the signature "FF D8 FF E0" and ends with "FF D9", while a PDF file starts with "%PDF"
and ends with "%%EOF".

Advantages: Disadvantages:
• Recovery of deleted files • Incomplete recovery
• File integrity • False positives
• Flexibility • Time-consuming

Overall, data carving is a powerful technique that can be used to recover important files and
folders from damaged or corrupted storage media and is an essential tool in the field of
computer forensics.