The setup used here is a Windows 7 Professional edition with the tools listed in the corresponding lab directory installed. In my case this operating system runs inside a VirtualBox virtual machine. You can follow the same process, or use any other version of the Windows operating system.
There are also certain trial virtual machines available which can be used for a maximum of 90 days, and depending on the version they can be renewed for another term too.
There is also a slew of software and web applications required to complete the labs. The links to each of those are given below. As specified above, some of these are trial versions and thus have their own trial durations, so check them before installing the tools.
- An online hashing web application
- Microsoft’s Log Parser tool
- Microsoft Event Viewer
- Event Log Explorer
- Strings utility
- 7-Zip
- WinHex hexadecimal editor
- Streams utility
- Disk Explorer
- Windows Disk Management Tool
- TestDisk
- PhotoRec
- EaseUS
- Active UnDelete
- Disk Drill
- Windows Registry Editor
- Microsoft Diskpart
- HxD Hex Editor
- Hex Workshop
- BitLocker
- Autopsy
- DCode
Here we deal with the concept of hashing text and files of different formats using various hashing algorithms and their properties, the qualifications and qualities of a good hash function, and what makes a hash function have collisions. We also demonstrate a hash collision of the MD5 hashing algorithm.
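As an added example (not part of the lab's own material), the script below hashes text and files with the three algorithms the lab uses, checks a copied file against its in-memory hash, measures the avalanche effect between two near-identical inputs, and shows why digest length matters by finding a collision on a truncated 20-bit digest with a birthday search. It does not reproduce the MD5 collision pair the lab demonstrates; the truncated-digest search is only an illustration of the collision concept. All inputs are constructed.

```python
import hashlib
import os
import tempfile

# Algorithms used in the lab; all three are available in Python's hashlib.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Hex digests of an in-memory value (text or a small file) per algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path: str, algorithms=ALGORITHMS, chunk_size: int = 1 << 20) -> dict:
    """Hash a file of any size by streaming it in chunks, so a multi-gigabyte
    forensic image never has to be loaded into memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_temp_copy(data: bytes) -> dict:
    """Write `data` to a temporary file and hash it through hash_file(); the
    result must equal hash_bytes(data), which is the check an examiner makes
    when verifying a copied evidence file against its recorded hash."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        return hash_file(tmp.name)
    finally:
        os.unlink(tmp.name)


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests.  A good hash flips
    about half of its output bits when a single input bit changes (avalanche)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def find_truncated_collision(bits: int = 20):
    """Birthday search for two distinct inputs whose SHA-256 digests agree in
    their first `bits` bits.  A 20-bit digest collides after roughly 2**10
    tries; the full 256-bit digest would need about 2**128 tries, which is why
    digest length (together with a collision-resistant design) matters.
    Returns (input_a, input_b, shared_prefix_hex)."""
    seen = {}
    counter = 0
    while True:
        data = b"lab-%d" % counter          # constructed inputs lab-0, lab-1, ...
        prefix = int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)
        if prefix in seen:
            return seen[prefix], data, format(prefix, "x")
        seen[prefix] = data
        counter += 1


if __name__ == "__main__":
    print(hash_bytes(b"abc"))
    a = hash_bytes(b"abc")["sha256"]
    b = hash_bytes(b"abd")["sha256"]
    print("bits changed by a one-character edit:", bit_difference(a, b), "of 256")
    print("file hash matches in-memory hash:", hash_temp_copy(b"abc") == hash_bytes(b"abc"))
    print("20-bit collision:", find_truncated_collision(20))
```

The chunked `hash_file` is the form to use on disk images: the online hashing web application in the tool list is fine for short text, but evidence files should be hashed locally and the digest recorded before any other tool touches them.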
In this experiment, we analysed directories on the hard disk using Microsoft’s Log Parser tool, performing tasks such as finding the 10 largest or smallest files in a directory.
In this exercise, we use the same tool to find events such as logon and logoff, and an attempt to query for the existence of a user account with a blank password.
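The two Log Parser tasks above, reimplemented as an added Python example (this is not Log Parser itself and not code from the lab): a directory walk that returns the N largest or smallest files, and a filter over an exported Windows Security log that keeps only logon (4624), logoff (4634) and failed-logon (4625) events and counts failures per account. The CSV export and the directory tree are constructed inline; the column names of the export are an assumption, since real exports vary by tool.

```python
import csv
import io
import os
import tempfile
from collections import Counter

# Windows Security log event IDs for session events (well-known values).
LOGON, LOGOFF, FAILED_LOGON = 4624, 4634, 4625

# Constructed CSV export of a Security log (column names assumed for this example).
SAMPLE_EXPORT = """TimeGenerated,EventID,Account,LogonType
2013-03-01 08:02:11,4624,alice,2
2013-03-01 08:40:05,4625,guest,3
2013-03-01 08:40:09,4625,guest,3
2013-03-01 08:40:14,4625,guest,3
2013-03-01 09:15:30,4634,alice,2
2013-03-01 09:20:00,4672,alice,
2013-03-01 12:00:00,4624,bob,10
"""


def largest_files(root: str, n: int = 10, smallest: bool = False):
    """Walk a directory tree and return the n largest (or smallest) files as
    (path, size) pairs, the same question the lab answers with Log Parser."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, os.path.getsize(path)))
            except OSError:
                continue  # unreadable or vanished between listing and stat: skip
    entries.sort(key=lambda e: e[1], reverse=not smallest)
    return entries[:n]


def session_events(csv_text: str):
    """Keep only logon/logoff/failed-logon rows, as
    (time, kind, account, logon type) tuples in log order."""
    kinds = {LOGON: "logon", LOGOFF: "logoff", FAILED_LOGON: "failed logon"}
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["EventID"])
        if event_id in kinds:
            rows.append((row["TimeGenerated"], kinds[event_id],
                         row["Account"], row["LogonType"]))
    return rows


def failed_logons_by_account(csv_text: str) -> Counter:
    """A burst of 4625 events against one account is the first thing to look at."""
    return Counter(acct for _, kind, acct, _ in session_events(csv_text)
                   if kind == "failed logon")


def build_sample_tree() -> str:
    """Create a temporary directory with files of known sizes (constructed)."""
    root = tempfile.mkdtemp()
    for name, size in (("big.bin", 3000), ("mid.txt", 200), ("sub/small.log", 10)):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("largest:", largest_files(root, 2))
    print("smallest:", largest_files(root, 1, smallest=True))
    for event in session_events(SAMPLE_EXPORT):
        print(event)
    print("failed logons:", failed_logons_by_account(SAMPLE_EXPORT))
```

Logon type 2 is an interactive console logon, 3 a network logon and 10 a remote interactive (RDP) logon, so the type column tells you how each session was established, not just who opened it.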
In this exercise, we analyse the properties of Word (DOCX) files: viewing them under different circumstances, using different tools, and examining their date encodings.
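An added example (not from the lab) of the "view it under different circumstances" idea: a DOCX is a ZIP package, so the same file can be listed as an archive and its `docProps/core.xml` read for the creator, last editor and the W3CDTF-encoded created/modified dates. The sample package is built in memory and is deliberately inconsistent (modified earlier than created) so the anomaly check has something to report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# XML namespaces used by docProps/core.xml inside an OOXML (DOCX) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml: note that 'modified' is earlier than 'created'.
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>alice</dc:creator>
  <cp:lastModifiedBy>bob</cp:lastModifiedBy>
  <cp:revision>3</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2013-02-01T10:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2013-01-15T09:30:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Minimal DOCX-shaped ZIP (constructed, not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()


def list_members(docx_bytes: bytes):
    """Open the document as the archive it really is."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.namelist()


def parse_w3cdtf(value: str) -> datetime:
    """Core properties store dates as W3CDTF, e.g. 2013-02-01T10:00:00Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def read_core_properties(docx_bytes: bytes) -> dict:
    """Pull the authorship and timestamp fields out of docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {
        "creator": root.findtext("dc:creator", namespaces=NS),
        "lastModifiedBy": root.findtext("cp:lastModifiedBy", namespaces=NS),
        "revision": root.findtext("cp:revision", namespaces=NS),
        "created": parse_w3cdtf(root.findtext("dcterms:created", namespaces=NS)),
        "modified": parse_w3cdtf(root.findtext("dcterms:modified", namespaces=NS)),
    }


def timeline_anomalies(props: dict):
    """Report timestamps that contradict each other; that points at a wrong
    system clock or edited metadata and is a cue to compare against the NTFS
    timestamps of the file itself."""
    issues = []
    if props["modified"] < props["created"]:
        issues.append("modified %s is earlier than created %s"
                      % (props["modified"].isoformat(), props["created"].isoformat()))
    return issues


if __name__ == "__main__":
    doc = build_sample_docx()
    print(list_members(doc))
    props = read_core_properties(doc)
    print(props)
    print(timeline_anomalies(props))
```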
In this exercise, we have seen how command-line tools and shell commands are run, a few examples of how powerful they are, and how such commands can be grouped together and executed at once as scripts using batch files.
In this exercise, we analyse the various file extensions and formats available and in popular use.
In this exercise, we analyse file formats, namely how they are identified by the file management system and thus by the operating system.
We have also dealt with hidden (alternate) data streams in the NTFS file system, and have discussed ways to track them down and open them.
In this exercise, we analyse forensic images of drives formatted as FAT, GPT or NTFS.
In this exercise, we deal with recovering and restoring files from deleted partitions of a hard disk drive, and from partitions which are invisible in standard disk management tools or appear as unallocated regions, for reasons ranging from corruption to a suspect hiding confidential data in such regions.
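An added example covering both the drive-image exercise and the hidden-partition exercise above (this is my own illustration, not code from the lab or from TestDisk): it parses the four MBR partition entries of a disk image, lists the sector ranges no partition claims, and then scans every sector for NTFS or FAT32 boot-sector signatures regardless of what the partition table says. A boot sector found in unallocated space is the trace of a deleted or hidden volume that Disk Management will never show. The image is constructed in memory: one visible NTFS partition, one partition with the "hidden NTFS" type code, and one volume whose table entry has been wiped. A GPT disk shows up here only as a single protective 0xEE entry; its real table lives at LBA 1 and is not parsed.

```python
import struct

SECTOR = 512
# MBR partition type codes relevant to these labs (well-known values).
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended", 0x06: "FAT16",
    0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
    0x0F: "Extended (LBA)", 0x17: "Hidden NTFS", 0x1B: "Hidden FAT32",
    0xEE: "GPT protective",
}
# One 16-byte entry: status, CHS start (3, skipped), type, CHS end (3, skipped),
# start LBA (u32 LE), sector count (u32 LE).
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector0: bytes):
    """Return the non-empty partition entries found at offset 0x1BE."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector0, 0x1BE + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot (or a deleted entry that was zeroed)
        parts.append({"index": i, "bootable": status == 0x80, "type_code": ptype,
                      "type": PARTITION_TYPES.get(ptype, "unknown 0x%02x" % ptype),
                      "start_lba": lba, "sectors": count, "end_lba": lba + count - 1})
    return parts


def unallocated_regions(parts, total_sectors: int):
    """(start, end) sector ranges covered by no partition.  The small gap after
    the MBR is normal alignment padding; large gaps deserve a closer look."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["end_lba"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def scan_for_boot_sectors(image: bytes):
    """Signature scan independent of the partition table: NTFS carries its OEM
    ID at offset 3, FAT32 at offset 0x52, both end with 0x55AA."""
    hits = []
    for lba in range(1, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != b"\x55\xAA":
            continue
        if s[3:11] == b"NTFS    ":
            hits.append((lba, "NTFS"))
        elif s[0x52:0x5A] == b"FAT32   ":
            hits.append((lba, "FAT32"))
    return hits


def orphaned_boot_sectors(image: bytes):
    """Boot sectors lying outside every listed partition.  (A hit inside a
    partition may just be the NTFS backup boot sector, so those are ignored.)"""
    covered = [(p["start_lba"], p["end_lba"]) for p in parse_mbr(image[:SECTOR])]
    return [(lba, fs) for lba, fs in scan_for_boot_sectors(image)
            if not any(lo <= lba <= hi for lo, hi in covered)]


def make_ntfs_boot_sector() -> bytes:
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xEB\x52\x90"   # jump instruction found at the start of an NTFS boot sector
    sector[3:11] = b"NTFS    "
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def build_sample_image(total_sectors: int = 64) -> bytes:
    """Constructed 64-sector image: visible NTFS (4-23), hidden NTFS (30-39),
    and a third NTFS volume at sector 48 whose table entry has been wiped."""
    image = bytearray(total_sectors * SECTOR)
    for i, entry in enumerate([(0x80, 0x07, 4, 20), (0x00, 0x17, 30, 10)]):
        struct.pack_into(ENTRY_FMT, image, 0x1BE + 16 * i, *entry)
    image[510:512] = b"\x55\xAA"
    boot = make_ntfs_boot_sector()
    for lba in (4, 30, 48):
        image[lba * SECTOR:(lba + 1) * SECTOR] = boot
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    parts = parse_mbr(img[:SECTOR])
    for p in parts:
        print(p)
    print("unallocated:", unallocated_regions(parts, len(img) // SECTOR))
    print("boot sectors:", scan_for_boot_sectors(img))
    print("orphaned:", orphaned_boot_sectors(img))
```

This is the same reasoning TestDisk applies when it offers to "recover" a partition: it does not trust the table, it looks for volume headers and checks whether the table agrees.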
11. File Carving
In this exercise, we use file and data carving to recover hidden files from within other files, or to recover files from partitions or disk images which are invisible in standard disk management tools or appear as unallocated regions, for reasons ranging from corruption to a suspect hiding confidential data in such regions.
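One added example serves both the file-format identification exercise and this carving exercise (it is my illustration, not the lab's code or PhotoRec's): the same table of header and footer signatures is used first to identify a file by its magic bytes and flag a mismatched extension, then to carve files out of a raw byte stream that has no file-system metadata pointing at them. The "disk image" is constructed in memory from a JPEG-shaped blob, a PNG-shaped blob and a real (if tiny) OOXML-style ZIP, separated by filler bytes that contain no signature.

```python
import io
import struct
import zipfile

# (name, canonical extension, header magic, footer); footer is None when the
# format carries its length in its structure instead of a trailer.
SIGNATURES = [
    ("JPEG", "jpg", b"\xFF\xD8\xFF", b"\xFF\xD9"),
    ("PNG", "png", b"\x89PNG\r\n\x1a\n", b"IEND\xAEB`\x82"),   # IEND chunk + its fixed CRC
    ("GIF", "gif", b"GIF8", b"\x00\x3B"),                      # block terminator + trailer
    ("PDF", "pdf", b"%PDF-", b"%%EOF"),
    ("ZIP/OOXML", "zip", b"PK\x03\x04", b"PK\x05\x06"),        # end-of-central-directory record
    ("Windows PE", "exe", b"MZ", None),
]
# Extensions that are really ZIP containers (DOCX/XLSX/PPTX are OOXML packages).
ZIP_ALIASES = {"zip", "docx", "xlsx", "pptx", "jar", "apk"}


def identify(data: bytes) -> str:
    """Identify a file by its leading magic bytes rather than by its name."""
    for name, _, header, _ in SIGNATURES:
        if data.startswith(header):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a format the header contradicts
    (an image renamed to .txt is the simplest way to hide a file)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for _, canonical, header, _ in SIGNATURES:
        if data.startswith(header):
            return ext not in ZIP_ALIASES if canonical == "zip" else ext != canonical
    return False  # unknown content: nothing to compare against


def carve(image: bytes):
    """Header/footer carving: for each known header take the bytes up to the
    next footer.  Returns (offset, name, bytes) sorted by offset.  Known limit:
    a JPEG with an embedded EXIF thumbnail stops at the thumbnail's FFD9 and
    comes out truncated; structure-aware carvers handle that case."""
    found = []
    for name, _, header, footer in SIGNATURES:
        if footer is None:
            continue  # PE length comes from its own headers; not carved here
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end == -1:
                break
            if name == "ZIP/OOXML":
                if end + 22 > len(image):
                    break
                # EOCD record is 22 bytes plus a comment whose length sits at +20.
                end += 22 + struct.unpack_from("<H", image, end + 20)[0]
            else:
                end += len(footer)
            found.append((pos, name, image[pos:end]))
            pos = image.find(header, end)
    found.sort(key=lambda hit: hit[0])
    return found


def zip_members(data: bytes):
    """Prove a carved ZIP is intact by listing it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_image() -> bytes:
    """Constructed image: three files buried in signature-free filler."""
    filler = bytes(range(0x30, 0x40)) * 4       # "0123456789:;<=>?" repeated
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xFF\xD9"
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x02" * 30 + b"IEND\xAEB`\x82"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    return filler + jpeg + filler + png + filler + buf.getvalue() + filler


if __name__ == "__main__":
    for offset, name, blob in carve(build_sample_image()):
        print(offset, name, len(blob), "bytes ->", identify(blob))
```

Carving by signature is what lets PhotoRec recover pictures from a drive whose file table is gone; the trade-off is that it knows nothing about file names, paths or timestamps, which is why identification by magic bytes matters so much once the files are out.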
In this exercise, we analyse the various keys in the Windows Registry, namely how this internal data store can be used to explore the various scenarios that arise during a forensic investigation.
In this exercise, we analyse possible methods for hiding data, and also discuss how such hidden data can be identified and even retrieved. We have also shown these with appropriate evidence of execution.
- Microsoft Diskpart
- Windows Disk Management Tool
- HxD Hex Editor
- Hex Workshop
- Encryption / Decryption Web Tools
- BitLocker
14. Email forensics
In this exercise, we analyse email headers, which provide useful information for forensic analysis. This is a booming field of digital forensics, as we rely heavily on email and similar forms of communication.
Listed below are a few online web applications which can be used to analyse email headers.
- https://dnschecker.org/email-header-analyzer.php
- https://toolbox.googleapps.com/apps/messageheader/analyzeheader
- https://mailheader.org/
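What those web analyzers do with a pasted header block, as an added offline example (my code, not any of the listed services): the `Received` headers are read bottom-up to rebuild the hop-by-hop route with timestamps and the first relay's IP, and the envelope sender, `Reply-To` and `Authentication-Results` are compared against `From`. The header block is constructed; all hosts use example domains and IPs from the documentation ranges, so nothing here refers to a real message.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed header block (not a real message).  The most recent Received
# header is at the top, because each relay prepends its own.
SAMPLE_HEADERS = """Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby inbox.example.com with ESMTP id abc123;
\tFri, 01 Mar 2013 09:15:30 +0000
Received: from relay.example.net (relay.example.net [198.51.100.20])
\tby mx.example.org with ESMTP;
\tFri, 01 Mar 2013 09:15:12 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.example.net with SMTP;
\tFri, 01 Mar 2013 09:14:50 +0000
From: "Accounts Team" <accounts@bank.example.com>
Reply-To: <someone@mailer.example.net>
To: alice@example.com
Subject: Statement attached
Date: Fri, 01 Mar 2013 09:14:40 +0000
Message-ID: <20130301091440.1234@relay.example.net>
Authentication-Results: inbox.example.com; spf=fail smtp.mailfrom=mailer.example.net

"""


def received_chain(raw: str):
    """Received hops in transit order (oldest first).  Only the hop written by
    your own server is trustworthy; anything below it could have been forged
    by the sender, so treat the earliest hops as claims, not facts."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())                  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", hdr)
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        m_by = re.search(r"\bby\s+(\S+)", hdr)
        date = hdr.rsplit(";", 1)[-1].strip() if ";" in hdr else None
        hops.append({"from": m_from.group(1) if m_from else None,
                     "ip": m_ip.group(1) if m_ip else None,
                     "by": m_by.group(1) if m_by else None,
                     "date": parsedate_to_datetime(date) if date else None})
    return hops


def origin_ip(raw: str):
    """IP in the earliest hop: the best available hint of where the message
    entered the mail system (subject to the forgery caveat above)."""
    hops = received_chain(raw)
    return hops[0]["ip"] if hops else None


def sender_indicators(raw: str) -> dict:
    """Consistency checks between the visible From and the envelope/reply
    addresses, plus the SPF verdict recorded by the receiving server."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    spf = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))

    def domain(addr: str) -> str:
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    return {
        "from": from_addr,
        "return_path_domain_differs": domain(return_path) != domain(from_addr),
        "reply_to_domain_differs": bool(reply_to) and domain(reply_to) != domain(from_addr),
        "spf": spf.group(1) if spf else None,
    }


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(hop)
    print("origin:", origin_ip(SAMPLE_HEADERS))
    print(sender_indicators(SAMPLE_HEADERS))
```

Timestamps going backwards between consecutive hops, a `From` domain that matches neither `Return-Path` nor `Reply-To`, and a failed SPF result are the three things to check first; the online tools above present exactly these fields, just with nicer formatting.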
15. Applications
In this exercise, we revisit the previous topics to get a better grasp of the concepts.