
T.Y.B.Sc Computer Science

PRACTICAL LAB MANUAL FOR

CYBER FORENSICS

COMPILED BY :
https://www.profajaypashankar.com

1|Page K.M.AGRAWAL COLLEGE


PRACTICAL 1

Aim: Creating a Forensic Image using FTK Imager/EnCase Imager:

- Creating Forensic Image
- Check Integrity of Data
- Analyze Forensic Image

> Creating Forensic Image

1. Click File, and then Create Disk Image, or click the button on the
tool bar.
[Screenshot: AccessData FTK Imager 3.4.2.6, File menu open with "Create Disk Image..." selected]

2. Select the source evidence type you want to make an image of and
click Next.

[Screenshot: Select Source dialog, "Please Select the Source Evidence Type". Options: Physical Drive, Logical Drive, Image File, Contents of a Folder (logical file-level analysis only; excludes deleted, unallocated, etc.), Fernico Device (multiple CD/DVD)]

3. Select the source evidence file with path.


[Screenshot: Select File dialog, Evidence Source Selection, with the source path entered]


Click Add to add an image destination.

[Screenshot: Create Image dialog showing the Image Source, the Image Destination(s) list with Add, Edit and Remove buttons, and the options "Verify images after they are created", "Precalculate Progress Statistics" and "Create directory listings of all files in the image after they are created"]

[Screenshot: Evidence Item Information dialog with Case Number: 1 and Unique Description: prac1]

4. In the Image Destination Folder field, type the location path where
you want to save the image file, or click Browse to navigate to the desired
location.



Note: If the destination folder you select is on a drive that does not have
sufficient free space to store the entire image file, FTK Imager prompts for
a new destination folder when all available space has been used in the first
location. In the Image Filename field, specify a name for the image file but
do not specify a file extension.

[Screenshot: Select Image Destination dialog. Image Destination Folder: G:; Image Filename (Excluding Extension); Image Fragment Size (MB): 1500 (for Raw, E01, and AFF formats: 0 = do not fragment); Compression (0=None, 1=Fastest, 9=Smallest): 6; Use AD Encryption; Filter by File Owner]

5. After adding the image destination path, click Finish and start the
image processing.

[Screenshot: Creating Image dialog showing the image source, the destination, and Status: Image created successfully, with the Image Summary button]

6. After the images are successfully created, click Image Summary to
view detailed file information, including MD5 and SHA1 checksums.
[Screenshot: Image Summary window. Created by AccessData FTK Imager 3.4.2.6; Case Number: 1, Evidence Number: 1, Unique Description: prac1; computed MD5 and SHA1 checksums for the .ad1 image; acquisition start and finish times (Fri Mar 01 2019); segment list; image verification results]
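The integrity check in step 6 can be repeated outside FTK Imager by recomputing the checksums and comparing them with the recorded ones. The following is an added example, not part of the original manual: it assumes a raw (dd) image, possibly split into segments, and summary text that uses the labels "MD5 checksum:" and "SHA1 checksum:"; it does not parse container formats such as E01 or AD1. The function names and the sample data are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def hash_segments(paths, chunk_size=1 << 20):
    """Hash raw image segments, in the order given, as one continuous stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in paths:
        with open(path, "rb") as fh:
            while chunk := fh.read(chunk_size):   # read in chunks: images are large
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def recorded_hashes(summary_text):
    """Extract the MD5 and SHA1 values recorded in the summary text (assumed labels)."""
    found = {}
    for name, length in (("MD5", 32), ("SHA1", 40)):
        m = re.search(rf"{name} checksum:\s*([0-9a-fA-F]{{{length}}})\b", summary_text)
        if m is None:
            raise ValueError(f"no {name} checksum in summary")
        found[name] = m.group(1).lower()
    return found["MD5"], found["SHA1"]

def verify(paths, summary_text):
    """True only if both recomputed digests equal the recorded ones."""
    return hash_segments(paths) == recorded_hashes(summary_text)

def demo():
    """Constructed sample: two small raw segments and a summary recorded at acquisition."""
    with tempfile.TemporaryDirectory() as tmp:
        seg1, seg2 = Path(tmp, "sample.001"), Path(tmp, "sample.002")
        seg1.write_bytes(b"constructed segment one\n" * 100)
        seg2.write_bytes(b"constructed segment two\n" * 100)
        md5, sha1 = hash_segments([seg1, seg2])
        summary = f"[Computed Hashes]\n MD5 checksum:    {md5}\n SHA1 checksum:   {sha1}\n"
        intact = verify([seg1, seg2], summary)           # untouched image
        reordered = verify([seg2, seg1], summary)        # segments in the wrong order
        seg2.write_bytes(seg2.read_bytes()[:-1] + b"X")  # one byte changed afterwards
        altered = verify([seg1, seg2], summary)
    return intact, reordered, altered

if __name__ == "__main__":
    print(demo())
```

A mismatch on either digest means the file on disk is not the data that was hashed at acquisition time, or that the segments were supplied in the wrong order.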

> Analyze Forensic Image


Click on Add Evidence Item to add evidence from disk, image file or folder.
[Screenshot: AccessData FTK Imager 3.4.2.6, File menu open with "Add Evidence Item..." selected; status bar: "Adds evidence from disk, image file, or folder"]


Now select the source evidence type as image file.
[Screenshot: Select Source dialog with Image File selected as the source evidence type]

Open the created evidence image file.

[Screenshot: Select File dialog, Evidence Source Selection, with the path of the created .ad1 image entered]


Now select Evidence Tree and analyze the image file.
[Screenshot: FTK Imager main window with the .ad1 image opened. The Evidence Tree pane shows the image and its source folder; the File List pane shows Name, Size, Type and Date Modified for the acquired files (including CaesarCipherProgram, MD5Hash and RSA .java/.class files); the hex view of the selected file is shown below]
