CYBER FORENSICS

VALIA C.L. COLLEGE OF COMMERCE & VALIA L.C. COLLEGE OF ARTS
(Affiliated to University of Mumbai)
D.N. NAGAR, ANDHERI (WEST), MUMBAI 400 053
DEPARTMENT OF INFORMATION TECHNOLOGY

CERTIFICATE

This is to certify that the Journal of "Cyber Forensics" is the bona fide work of Shaikh Sadiya Mohd Saqib, bearing Seat No. 1314179, submitted in partial fulfilment of the requirements for the award of the postgraduate degree of Master of Science in Information Technology from the University of Mumbai.

Internal Guide / External Examiner / Co-ordinator: Sign, Date, Name (Aarti Patkar). College Seal.

INDEX

Practical 1 (A): Recovering Data Using EaseUS Data Recovery Wizard
Practical 1 (B): Performing Hash, Checksum, or HMAC Calculations Using HashCalc
Practical 1 (C): Creating a Disk Image File of a Hard Disk Partition Using the R-Drive Image Tool
Practical 2 (A): Analyzing File System Types Using The Sleuth Kit (TSK)
Practical 2 (B): Analyzing a Raw Image Using Autopsy
Practical 3 (A): Creating a dd Image File
Practical 3 (B): Investigating an NTFS Drive Using DiskExplorer for NTFS
Practical 3 (C): Viewing the Content of a Forensic Image Using the AccessData FTK Imager Tool
Practical 4 (A): Cracking Application Passwords
Practical 4 (B): Detecting Steganography
Practical 5 (A): Collecting Volatile Information from a Host Computer Running Windows Using PsTools, LogonSessions and NetworkOpenedFiles
Practical 5 (B): Discovering and Extracting Hidden Forensic Material on Computers Using OSForensics
Practical 6 (A): Investigating Network Traffic Using Wireshark
Practical 7 (A): Analyzing Domain and IP Address Queries Using the SmartWhois Tool
Practical 8 (A): Performing Static Analysis of a Suspicious File
Practical 8 (B): Performing Dynamic Analysis of a Malicious File to Find the Processes It Starts, Network Operations, File Changes and Other Activities
Practical 9 (A): Recovering Deleted Emails Using the Recover My Email Utility
Practical 10 (A): Analyzing a Forensic Image and Carving Deleted Files Using Autopsy

General Computer Forensics Terminologies

Digital Forensics: The process of collecting, preserving, analyzing, and presenting digital evidence.
Chain of Custody: The documentation that records who handled a piece of evidence, when and why, from acquisition to the courtroom, so that its integrity can be demonstrated.
Evidence: Any digital data that can prove or disprove a fact in a legal investigation.
Bitstream Image: A sector-by-sector copy of a storage medium (e.g., made with dd) that includes unallocated and slack space, not just the files.
Metadata: Data about data (e.g., file creation time, modification time).
Hash Value: A fixed-length digest of data (e.g., MD5, SHA-256); any change to the data changes the digest, so matching hashes taken before and after handling verify integrity.
Volatile Data: Temporary data held in memory (RAM) that is lost when power is turned off.
Non-Volatile Data: Data stored on disk or other permanent storage (e.g., HDD, SSD).

Static & Dynamic Malware Analysis Terminologies

Static Analysis: Analyzing a file without executing it (e.g., with PEStudio or a hex editor).
Dynamic Analysis: Executing the suspicious file in a controlled environment (sandbox/VM) to observe its behavior.
Packer: Software that compresses or obfuscates an executable to hide its true functionality; the real code is unpacked in memory at run time.
Hex Editor: A tool used to view or edit the binary contents of a file.
API Call: A function request made by a program to the OS (e.g., CreateFile, RegOpenKey).
Signature-based Detection: Detection using known malware patterns or hashes.
Heuristic Analysis: A rule-based approach that detects unknown or new threats from their behavior.
Sandbox: An isolated environment where files can be safely executed for observation.

Disk & File System Forensics Terms

Partition: A logical division of a disk, described by a partition table (MBR or GPT); each partition is formatted with a file system such as NTFS or ext4.
File Carving: Recovering files without file-system metadata by identifying their headers and footers in raw data.
Slack Space: Unused space at the end of a disk cluster that may contain remnants of deleted data.
Unallocated Space: Disk space not currently assigned to any file or partition; often searched for deleted files.
Master File Table (MFT): The table that stores metadata about every file on an NTFS file system.
File Allocation Table (FAT): The file system table used by older Windows systems (and still by many USB drives and memory cards).
Disk Image: A forensic copy of a disk (e.g., .img, .dd, .E01). Raw .dd/.img files hold only the data; the E01 (Expert Witness) format also stores case metadata and embedded hashes.

Network Forensics Terms

Packet: The basic unit of data in network communication.
PCAP File: A packet capture file created by tools like Wireshark or tcpdump.
MAC Address: The unique identifier of a network interface card.
IP Address: A numerical label assigned to a device on a network.
Protocol: A set of rules for communication (e.g., TCP, UDP, HTTP, DNS).
Sniffing: Capturing network traffic for analysis.
Session Hijacking: Taking over a user session after intercepting its session tokens.
Port Scanning: Identifying open ports on a system using tools like Nmap.

Memory Forensics Terminologies

RAM Dump: A snapshot of a system's memory contents.
Volatility Framework: A tool for analyzing memory dumps.
Process Injection: A technique used by malware to insert code into another process.
DLL Injection: Injecting a Dynamic Link Library into the address space of another process.
Artifact: A piece of data left by system or user activity (e.g., browser history, recent documents).

Email & Mobile Forensics Terms

PST/OST Files: Microsoft Outlook email storage files.
Header Analysis: Examining an email's headers to trace its origin and the servers it passed through.
IMEI: The unique identifier of a mobile handset.
SIM Card Forensics: Extracting call logs, SMS and contacts from a SIM.
ADB (Android Debug Bridge): A command-line tool for interacting with Android devices.
Logical Extraction: Pulling the visible data (files, databases, contacts) from a mobile device.
Physical Extraction: A bit-by-bit copy of all storage on the device, including deleted data.
Bonus: Useful Abbreviations

IoC: Indicator of Compromise
TTPs: Tactics, Techniques, and Procedures
APT: Advanced Persistent Threat
OSINT: Open-Source Intelligence
DFIR: Digital Forensics and Incident Response

Practical no 01: Computer Forensics Investigation Process

A. Recovering Data Using EaseUS Data Recovery Wizard

Aim: To understand and apply data recovery techniques using EaseUS Data Recovery Wizard, simulating a cyber forensic investigation for deleted or lost data.

1. Preparation Phase

1.1 Download EaseUS: Visit https://www.easeus.com and download the EaseUS Data Recovery Wizard Free/Trial version.
1.2 Install the Software: Follow the installation steps. Do not install on the drive from which you want to recover data: every write to that drive can overwrite the unallocated clusters that still hold the deleted files.
1.3 Create a Test Scenario (Optional): Format a USB drive or delete some files manually to simulate accidental data loss.

2. Investigation Phase (Forensics Process)

2.1 Launch EaseUS: Open the application as Administrator.
2.2 Select the Location to Scan: Choose the drive or partition from which the data was deleted or lost (e.g., USB drive D:). In a real investigation, scan a forensic image or a drive attached through a write blocker rather than the original evidence, so the scan itself cannot alter it.
2.3 Quick Scan Starts Automatically: EaseUS first performs a quick scan to find recently deleted files.
2.4 Deep Scan (Automatic): Begins automatically if the quick scan does not find all files. It takes longer but is more thorough, because it reads the drive sector by sector instead of relying on the file system's records.
2.5 Preview Files: After scanning, EaseUS lists results in folders such as Deleted Files, Lost Files and RAW. You can preview documents, images and videos before recovering them.

(Screenshots: Install the Software; Select the Location to Scan; Quick Scan Starts Automatically; Deep Scan (Automatic); Preview Files.)

B. Performing Hash, Checksum, or HMAC Calculations Using HashCalc

Aim: To demonstrate how to generate cryptographic hash values, checksums, and HMACs for verifying file integrity or validating forensic evidence.

1. Preparation Phase

1.1 Download HashCalc: Download from a trusted source such as https://www.slavasoft.com/hashcalc/
1.2 Install the Software: Follow the on-screen installation instructions. It is a lightweight tool.
1.3 Prepare Files for Hashing: Choose a sample file (e.g., document.txt, image.jpg) for which you will compute the hash.

2. Performing Hash Calculation

2.1 Launch HashCalc: Open the application from the Start Menu.
2.2 Select Data Type: Choose File (Text and Hex String are also available).
2.3 Browse for the File: Click the ... button and locate the file.
2.4 Select Hash Algorithms: Tick the checkboxes for the algorithms you want (e.g., MD5, SHA-1, SHA-256, CRC32). Record SHA-256 alongside MD5 or SHA-1: both of the older algorithms have known collision attacks, so an integrity claim should not rest on them alone. HashCalc also offers an HMAC option that takes a key; tick it when a keyed digest is required.
2.5 Click Calculate: Press Calculate. The hashes are generated within seconds.

3. Validation & Reporting

3.1 File Integrity Check: Later, re-run HashCalc on the same file. If the hash matches the recorded value, file integrity is confirmed.
3.2 Tampering Simulation (Optional): Modify the file (even a single byte) and recalculate; the new hash differs completely, showing that the change is detectable.
3.3 Document Results: Record the algorithm used, the hash values, the file names, the date, and screenshots of the results.

(Screenshots: Launch HashCalc; Select Data Type & Browse for the File; Select Hash Algorithms; Click Calculate.)

C. Creating a Disk Image File of a Hard Disk Partition Using the R-Drive Image Tool

Aim: To safely create a forensic disk image of a hard drive or partition using the R-Drive Image tool, preserving the data for analysis without altering the original.

1. Preparation Phase

1.1 Download R-Drive Image: Visit https://www.drive-image.com/ and install the trial version (it supports full imaging).
1.2 Choose Source Disk or Partition: Select the internal or external hard disk/partition you want to image. Where possible, attach it through a hardware write blocker so the imaging machine cannot write to it.
1.3 Prepare Destination Storage: Have another drive (e.g., D:, E:, or an external HDD) ready with enough free space to hold the image file.
1.4 Name the Case: Create a folder with a case name and date to store the disk image and logs (e.g., Case_001_May25).

2. Creating the Disk Image

2.1 Launch R-Drive Image: Run as Administrator. Choose "Create an Image" from the main menu.
2.2 Select the Source: Choose the disk or partition (e.g., Disk 1 → Partition C:) that needs to be imaged.
2.3 Choose Destination Path: Select the location (e.g., D:\Case_001_May25) and name the image file (e.g., disk1_partitionC.rdr). The .rdr format is specific to R-Drive Image; if the image must later be opened in FTK Imager, Autopsy or The Sleuth Kit, a raw (dd) or E01 image is the more portable choice.
2.4 Image Compression: Select "Normal" or "None". Compression is lossless, but an uncompressed or lightly compressed image is easier to read back, mount and verify with other tools.
2.5 Split Image (Optional): Split the image into parts (e.g., 4 GB each) if the destination drive is FAT32, which cannot store a single file of 4 GiB or larger.
2.6 Create Image: Confirm and click "Proceed". Imaging begins; the time depends on the size of the partition.
2.7 Completion: Wait for the process to complete. Save the logs and confirm that the image file was created. Then compute a hash of the image file (as in Practical 1(B)) and record it in the case folder; any later verification must reproduce that value.

(Screenshots: Launch R-Drive Image; Select the Source; Choose Destination Path; Image Compression; Create Image; Completion.)

Practical no 2: Understanding Hard Disks and File Systems

A. Analyzing File System Types Using The Sleuth Kit (TSK)

Aim: To analyze and identify the file system types on a disk image using The Sleuth Kit (TSK), and to understand the structure and layout of different file systems (e.g., FAT, NTFS, ext).

1. Install The Sleuth Kit
Windows: download from https://www.sleuthkit.org/sleuthkit/download.php

2. Get a Sample Disk Image
• Use freely available images from https://digitalcorpora.org
• Or create your own .dd file using tools like dd or FTK Imager

3. Use TSK to Analyze File System Types
Step 1: Confirm that the image file exists in the working directory, and record its hash before analysis.
Step 2: Run mmls on the image (mmls image.dd) to print its partition table; the Start column gives the first sector of each partition.
Step 3: Take the Start value of the partition (e.g., 63 or 2048) and pass it to fsstat as the sector offset (fsstat -o 2048 image.dd) to print the file system type and layout.
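The following is an added example covering Practical 1(B) and 1(C) together; it is not code from the journal, HashCalc or R-Drive Image. It does in a few functions what the two GUI tools do: digest_file computes MD5, SHA-1, SHA-256 and CRC32 in one pass, hmac_file produces a keyed HMAC, image_source copies a source bit for bit into optionally split parts (the FAT32 workaround of step 2.5) while hashing the bytes as they are read, and verify_image re-hashes the stored parts against the acquisition hash. The "partition" it images is a constructed byte pattern written to a temporary file, and run_demo, write_temp and the part naming are this example's own choices; on Linux the same code works on a block device opened read-only behind a write blocker.

```python
"""Hashing, HMAC and verified imaging (added example; not the journal's code).

Stands in for Practical 1(B) (HashCalc) and 1(C) (R-Drive Image). The
source "partition" is a constructed byte pattern in a temp file, not a
real device.
"""
import hashlib
import hmac
import os
import tempfile
import zlib

CHUNK = 1 << 20  # stream 1 MiB at a time; evidence files exceed RAM


def digest_file(path, algos=("md5", "sha1", "sha256")):
    """One pass over the file, feeding every selected hash plus CRC32."""
    hashers = {a: hashlib.new(a) for a in algos}
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            crc = zlib.crc32(block, crc)
    out = {a: h.hexdigest() for a, h in hashers.items()}
    out["crc32"] = f"{crc:08x}"
    return out


def hmac_file(path, key, algo="sha256"):
    """Keyed digest: a matching tag proves integrity and knowledge of key."""
    mac = hmac.new(key, digestmod=algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            mac.update(block)
    return mac.hexdigest()


def image_source(src, dest_dir, split_bytes=None):
    """Bit-for-bit copy of src into dest_dir, hashing the bytes as read.

    split_bytes splits the image into parts (step 2.5: FAT32 cannot hold
    a file of 4 GiB or more). Returns (part paths, sha256 of the source).
    """
    h, parts = hashlib.sha256(), []
    with open(src, "rb") as fh_in:
        while True:
            part = os.path.join(dest_dir, f"image.{len(parts):03d}")
            written = 0
            with open(part, "wb") as fh_out:
                while split_bytes is None or written < split_bytes:
                    want = CHUNK if split_bytes is None else min(CHUNK, split_bytes - written)
                    block = fh_in.read(want)
                    if not block:
                        break
                    h.update(block)
                    fh_out.write(block)
                    written += len(block)
            if written == 0 and parts:  # source ended exactly on a part boundary
                os.remove(part)
                return parts, h.hexdigest()
            parts.append(part)
            if split_bytes is None or written < split_bytes:
                return parts, h.hexdigest()


def verify_image(parts, expected_sha256):
    """Re-hash the stored image (all parts, in order) and compare it with
    the acquisition hash; a mismatch means the copy is not the evidence."""
    h = hashlib.sha256()
    for part in parts:
        with open(part, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                h.update(block)
    return hmac.compare_digest(h.hexdigest(), expected_sha256)


def write_temp(data):
    """Demo helper: materialise constructed bytes as a file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def run_demo():
    """Image a constructed 2.5 MiB 'partition' into 1 MiB parts, verify it,
    then flip one byte in a part to show the verification failing."""
    src = write_temp(bytes(range(256)) * (2560 * 4))  # constructed 2.5 MiB pattern
    dest = tempfile.mkdtemp()
    parts, acq_hash = image_source(src, dest, split_bytes=1 << 20)
    result = {
        "parts": len(parts),
        "source_hashes": digest_file(src),
        "acquisition_sha256": acq_hash,
        "verified": verify_image(parts, acq_hash),
    }
    with open(parts[1], "r+b") as fh:  # tamper: invert one byte of part 2
        fh.seek(4096)
        original = fh.read(1)
        fh.seek(4096)
        fh.write(bytes([original[0] ^ 0xFF]))
    result["verified_after_tamper"] = verify_image(parts, acq_hash)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The acquisition hash is computed from the bytes as they leave the source, not from the image file afterwards, so it documents what was read; verify_image then proves the stored parts reproduce exactly those bytes, which is the check a case log needs before analysis starts.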
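To show what the Start value in Practical 2(A) is and why fsstat needs it, here is an added example that is not part of the journal or of The Sleuth Kit. It re-implements by hand the two steps mmls and fsstat perform: parse_mbr reads the four MBR entries and returns each partition's type byte, start sector and length (the columns mmls prints), and identify_fs reads the sectors at that start and classifies the file system from its on-disk magic (NTFS OEM ID, FAT type string, ext superblock magic 0xEF53). The disk image is constructed in memory by build_sample_image with three partitions starting at sectors 63, 2048 and 4096; survey, MBR_TYPES and the function names are this example's own.

```python
"""File-system identification from a partition table: added example for
Practical 2(A); this is not The Sleuth Kit's code. It does by hand what
mmls (print the partition table) and fsstat (read the file-system header
at a partition's start sector) do, on a disk image constructed in memory.
"""
import struct

SECTOR = 512
MBR_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def parse_mbr(image):
    """Return [(slot, type_byte, start_lba, length)] for each used MBR entry,
    the same columns mmls prints (Start is the value fsstat -o needs)."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR disk")
    entries = []
    for slot in range(4):
        e = image[446 + 16 * slot: 446 + 16 * (slot + 1)]
        ptype = e[4]
        start, length = struct.unpack_from("<II", e, 8)
        if ptype != 0 and length != 0:
            entries.append((slot, ptype, start, length))
    return entries


def identify_fs(image, start_sector):
    """Classify the file system at start_sector from its on-disk magic.
    The MBR type byte is only a hint; the signature is what the data says."""
    off = start_sector * SECTOR
    boot = image[off: off + SECTOR]
    if len(boot) < SECTOR:
        return "unknown"  # start lies outside the image
    if boot[3:11] == b"NTFS    ":  # OEM ID in the NTFS boot sector
        return "NTFS"
    if boot[82:90] == b"FAT32   ":  # FAT32 file-system type string
        return "FAT32"
    if boot[54:62] in (b"FAT12   ", b"FAT16   "):
        return "FAT12/16"
    # ext2/3/4 keep their superblock 1024 bytes in; magic 0xEF53 at offset 56
    sb = image[off + 1024: off + 2048]
    if len(sb) >= 58 and struct.unpack_from("<H", sb, 56)[0] == 0xEF53:
        return "ext2/3/4"
    return "unknown"


def survey(image):
    """mmls-style table with the fsstat-style identification added."""
    rows = []
    for slot, ptype, start, length in parse_mbr(image):
        rows.append({
            "slot": slot,
            "type_hint": MBR_TYPES.get(ptype, f"0x{ptype:02x}"),
            "start": start,
            "end": start + length - 1,
            "length": length,
            "fs": identify_fs(image, start),
        })
    return rows


def build_sample_image():
    """Constructed disk: three partitions whose first sectors carry the
    NTFS, FAT32 and ext4 signatures; every other byte is zero."""
    layout = [(0x07, 63, 1000), (0x0B, 2048, 1000), (0x83, 4096, 1000)]
    img = bytearray((4096 + 1000) * SECTOR)
    for slot, (ptype, start, length) in enumerate(layout):
        # status, CHS start (unused), type, CHS end (unused), LBA start, length
        struct.pack_into("<B3sB3sII", img, 446 + 16 * slot,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", start, length)
    img[510:512] = b"\x55\xaa"
    off = 63 * SECTOR
    img[off + 3: off + 11] = b"NTFS    "
    off = 2048 * SECTOR
    img[off + 82: off + 90] = b"FAT32   "
    struct.pack_into("<H", img, 4096 * SECTOR + 1024 + 56, 0xEF53)
    return bytes(img)


if __name__ == "__main__":
    for row in survey(build_sample_image()):
        print("{slot:>2}  {start:>8}  {end:>8}  {length:>8}  {type_hint:<12}  {fs}".format(**row))
```

Running fsstat on the whole image without -o would read sector 0, the MBR, and find no file system; the same happens here if identify_fs is called with start_sector 0. That is why the Start column from mmls has to be carried into fsstat, and why the type byte in the partition table is checked against the signature instead of being trusted on its own.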