
Practical No. 1 (A)

Aim: Perform live data acquisition using PSTools and ListDLLs.

Theory:

PSTools:

PsTools is a command-line tool package from Windows Sysinternals that contains PsExec, PsList,
PsService, PsLoggedOn and several more tools (they are not built into Windows). PsTools lets
you manage local and remote systems.

Step 1: Create folder in C:\ drive with your name, Download and extract PSTools.

Step 2: Use the following commands to acquire live (volatile) data, running them before anything
that might change the state of the system:

PsLoggedOn

PsList

PsInfo

Step 3: PsLoggedOn

PsLoggedOn is an applet that displays both the locally logged on users and users logged on via
resources for either the local computer, or a remote one. If you specify a user name instead of a
computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the
user is currently logged on.

Go to your created folder in C:\ -> PSTools -> open cmd there and run PsLoggedon.exe

Step 4: PsList

PsList shows process status: it lists information about the processes running in memory
(process name, PID, priority, thread and handle counts, CPU time and elapsed time).

Step 5: PsInfo

PsInfo is a command-line tool that gathers key information about the local or remote Windows
NT/2000 system, including the type of installation, kernel build, registered organization and
owner, number of processors and their type, amount of physical memory, the install date of the
system, and if it’s a trial version, the expiration date.

Step 6: ListDLLs

ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all DLLs
loaded into all processes, into a specific process, or to list the processes that have a particular
DLL loaded. ListDLLs can also display full version information for DLLs, including their digital
signature, and can be used to scan processes for unsigned DLLs.

Download and extract ListDLLs in PSTools folder

Step 7: The command listdlls > test.txt redirects the output into a text file. Keep such output
files: they are the record of what was observed on the live system.

Step 8: All the commands can be run at once with a batch file.

To create the .bat file: open Notepad -> enter all the commands -> save the file with the .bat
extension in the PSTools folder on the C:\ drive.

Running the batch file:

Step 9: Saving the file in notepad.

Conclusion: Hence, we successfully performed live data acquisition using PsTools and ListDLLs.

Practical No. 1 (B)

Aim: Perform integrity verification and validation using MD5.

Theory:

MD5:

MD5 (Message-Digest algorithm 5) is a well-known cryptographic hash function with a 128-bit
hash value. MD5 is widely used in security-related applications and is frequently used to
check the integrity of files. Note that MD5 is no longer collision resistant: two different
files can be constructed that share the same MD5 hash, so it reliably detects accidental
corruption but not a deliberate substitution by an attacker. In practice, record a SHA-256
hash alongside the MD5.

WinMD5: WinMD5 is a lightweight and portable software application that calculates the MD5
hash of a file. It comes in handy when downloading large files, since you can verify that the
download matches the hash the publisher lists before trusting it.

Step 1: Install and open WinMD5.

Step 2: Select a file by browsing and note down the hash key.

Step 3: Close and again open the file to check integrity.

Step 4: Click on Verify to check whether the file has been altered or not.

Step 5: Open the same file and make the changes in it.

Step 6: Open the file again in WinMD5 to check integrity.

MD5SUM:

md5sum is a computer program that calculates and verifies 128-bit MD5 hashes, as described
in RFC 1321. The MD5 hash functions as a compact digital fingerprint of a file. As with all such
hashing algorithms, there is theoretically an unlimited number of files that will have any given
MD5 hash.

Step 1: Download and install MD5SUM

Step 2: Open cmd -> give the path to the file -> generate the hash value for a single file as
below.

Step 3: Give a folder path ending in "\" to generate hash values for every file in that folder,
and append the output to a text file so the hashes can be compared later:

E:\CF>md5sums C:\Yogesh\PSTools\ >> yogesh.txt
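
The following is an added example, not part of this practical and not Sysinternals code. It does what the batch file of Practical 1(A) does (runs each live-acquisition tool in turn and saves its output) and at the same time records the MD5 and SHA-256 of every output file in a manifest, so the md5sums check of Practical 1(B) can be repeated later to prove the collected output has not changed. The tool names and the -accepteula switch are assumptions about the PsTools copy in the PSTools folder on the C: drive; any command on PATH works the same way. The self-test uses a Python one-liner instead of PsTools so it runs on any system.

```python
"""Live-acquisition runner with an integrity manifest (added example).
Runs a list of (name, argv) commands in order, stores each output as <name>.txt
and writes manifest.json with MD5 and SHA-256 of every output; verify() re-hashes
the outputs later and reports which ones no longer match."""
import hashlib
import json
import subprocess
import sys
import time
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha256")):
    """Stream the file once through several hash objects; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(commands, outdir, timeout=120):
    """Run each (name, argv), save stdout+stderr as <name>.txt in outdir and
    write manifest.json with hashes, return codes and timings."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {"started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "items": []}
    for name, argv in commands:
        target = outdir / f"{name}.txt"
        started = time.time()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            data, rc = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing tool or a hang must not abort the rest of the collection.
            data, rc = f"ERROR: {exc}".encode(), None
        target.write_bytes(data)
        manifest["items"].append({"name": name, "argv": argv, "file": target.name,
                                  "returncode": rc,
                                  "seconds": round(time.time() - started, 3),
                                  **hash_file(target)})
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir):
    """Re-hash every file named in manifest.json; returns the names whose
    content no longer matches the manifest (or that are missing)."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    altered = []
    for item in manifest["items"]:
        path = outdir / item["file"]
        if not path.exists():
            altered.append(item["name"])
            continue
        now = hash_file(path)
        if now["md5"] != item["md5"] or now["sha256"] != item["sha256"]:
            altered.append(item["name"])
    return altered


# The page's batch file, most volatile data first (assumed tool names / switch).
PSTOOLS_COMMANDS = [
    ("psloggedon", ["PsLoggedon.exe", "-accepteula"]),
    ("pslist", ["pslist.exe", "-accepteula"]),
    ("psinfo", ["PsInfo.exe", "-accepteula"]),
    ("listdlls", ["Listdlls.exe", "-accepteula"]),
]

if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "acquisition"
    acquire(PSTOOLS_COMMANDS, out)
    print("altered since acquisition:", verify(out))
```

Run it from the PSTools folder as python acquire.py C:\evidence\host1; re-running verify() on that folder at any later time gives an empty list only if none of the outputs were touched. A failed or missing tool is recorded in the manifest (returncode None) rather than stopping the collection, which matters when the volatile data of the remaining tools is the point.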

Conclusion: Hence, we successfully performed integrity verification and validation using MD5.

Practical No. 2

Aim: Perform live data acquisition using remote system

Theory:

Netcat is a useful tool for transferring the contents of files and other computer information
from one computer to another. It does not create a file on the suspect computer and has very
minimal impact on memory, so it is a good tool to use during live analysis. Netcat is already
installed on most Linux machines, so you should not have to install it; to use it on a Windows
machine, download the portable version from the website. Note that Netcat sends everything in
cleartext with no authentication, so use it only on an isolated analysis network and hash the
received output on the collection system.

Step 1: Download and extract netcat in your system.

Step 2: Determine open ports

Step 3: Create the batch file on terminal 2 (the suspect system).

Step 4: Listening

The first terminal (the collection system) is set to listening mode on port 5355, the same port
that terminal 2 will connect to.

The output of the .bat file is stored in the newly created .txt file on terminal 1.

Step 5: Run the batch file on terminal 2 and redirect its output to terminal 1.

The batch file is run on terminal 2 and its output is piped into netcat, which sends it to the
specified IP address (terminal 1), where it is stored in the text file.

Step 6: Output of batch file on terminal 1
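
The exchange above, as an added example written in plain Python sockets rather than netcat (it is not part of the practical): the listener plays the role of nc -l -p 5355 > output.txt on terminal 1, and the sender plays run.bat | nc <ip> 5355 on terminal 2. Both ends hash the bytes they handle, so the examiner can show that the copy on the collection host is identical to what left the suspect machine; netcat alone gives no such proof and sends everything in cleartext. Port 5355 is the page's; the self-test uses localhost and an ephemeral port.

```python
"""Netcat-style transfer of live-acquisition output with hashes on both ends
(added example). start_listener() accepts one connection and writes everything
received to a file; send_stream() / send_command_output() connect and stream
bytes or a command's stdout to it."""
import hashlib
import socket
import subprocess
import threading

CHUNK = 65536


def start_listener(dest_path, host="0.0.0.0", port=5355, timeout=60):
    """Accept one connection in a background thread and write everything received
    to dest_path. Returns (thread, bound_port, result); result["sha256"] is set
    once the sender closes its side."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(timeout)
    bound_port = srv.getsockname()[1]
    result = {"bytes": 0, "sha256": None, "peer": None}

    def run():
        try:
            conn, peer = srv.accept()
        finally:
            srv.close()                      # one transfer per listener, like nc -l
        result["peer"] = peer
        digest = hashlib.sha256()
        with conn, open(dest_path, "wb") as out:
            conn.settimeout(timeout)
            while True:
                chunk = conn.recv(CHUNK)
                if not chunk:                # sender shut down its write side: EOF
                    break
                out.write(chunk)
                digest.update(chunk)
                result["bytes"] += len(chunk)
        result["sha256"] = digest.hexdigest()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return thread, bound_port, result


def send_stream(host, port, chunks, timeout=60):
    """Connect to the listener and stream an iterable of byte chunks; returns the
    SHA-256 of what was sent, to compare with the listener's result["sha256"]."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port), timeout=timeout) as s:
        for chunk in chunks:
            s.sendall(chunk)
            digest.update(chunk)
        s.shutdown(socket.SHUT_WR)           # signal EOF so the listener finishes
    return digest.hexdigest()


def send_command_output(host, port, argv):
    """The `command | nc host port` pattern: run argv and stream its stdout."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE)
    try:
        return send_stream(host, port, iter(lambda: proc.stdout.read(CHUNK), b""))
    finally:
        proc.stdout.close()
        proc.wait()
```

On the collection host call start_listener("output.txt") and keep the returned result; on the suspect host call send_command_output("<collector ip>", 5355, ["run.bat"]) and note the digest it returns. The two SHA-256 values must be equal; write both into the case notes.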

Conclusion: Thus we have successfully used Netcat to save the output of a batch file on a
different system.

Practical No. 3 (A)

Aim: Creating forensics images by live data acquisition using FTK Imager.

Tool Used : AccessData FTK Imager

Theory:

Forensic Toolkit, or FTK

• FTK is a computer forensics suite made by AccessData. It scans a hard drive or a RAM
capture looking for various information.

• It can, for example, locate deleted emails and scan a disk for text strings to use them as
a password dictionary to crack encryption.

FTK Imager

• The toolkit also includes a standalone disk imaging program called FTK Imager. The
FTK Imager is a simple but concise tool.

• It saves an image of a hard disk in one file or in segments that may be later on
reconstructed.

• It calculates MD5 hash values and confirms the integrity of the data before
closing the files.

• The result is an image file(s) that can be saved in several formats, including DD
raw.

Step 1: Run FTK Imager.exe to start the tool.

Step 2: From the File menu, select Capture Memory to perform live data acquisition.

Step 3: Give the path and filename and click on Capture Memory. The file is stored with a .mem
extension.

Step 4: Memory capture starts. It captures the contents of physical RAM. Do this before any
other acquisition step: RAM is the most volatile evidence, and every tool run afterwards
(including FTK Imager itself) overwrites some of it.

Step 5: After successfully memory capture, you can use that file for future investigation.

Conclusion: Hence, we successfully performed live data acquisition using FTK Imager.

Practical No. 3 (B)

Aim: Creating forensics images by static data acquisition using FTK Imager.

Tool Used : AccessData FTK Imager

Theory:

Forensic Toolkit (FTK) and FTK Imager: see the Theory section of Practical No. 3 (A).

Step 1: Run FTK Imager.exe to start the tool.

Step 2: From the File menu, select Create a Disk Image.

A) Imaging a logical drive

Step 3: Choose the type and Drive.

Step 4: Click Add... to add the image destination. Check Verify images after they are created
so FTK Imager will calculate MD5 and SHA1 hashes of the acquired image.

Step 5: Select the image type.

The type you choose will usually depend on what tools you plan to use on the image. The dd
format will work with more open source tools, but you might want SMART or E01 if you will
primarily be working with ASR Expert Witness or EnCase, respectively.

Step 6: Enter the evidence item information.

Step 7: Select the Image Destination folder and file name. You can also set the maximum
fragment size of image split files. Click Finish to complete the wizard.

Step 8: Click Start to begin the acquisition

Step 9: A progress window will appear.

Step 10: Once the acquisition is complete, click Image Summary for detailed information,
including the verification result (the stored and recomputed MD5/SHA1 hashes must match).

B) Imaging (converting) an existing image file

Step 1: Run FTK Imager.exe to start the tool.

Step 2: From the File menu, select Create a Disk Image.

Step 3: Choose the type and source path.

Step 4: Click Add... to add the image destination. Check Verify images after they are created so
FTK Imager will calculate MD5 and SHA1 hashes of the acquired image.

Step 5: Select the image type.

The type you choose will usually depend on what tools you plan to use on the image. The dd
format will work with more open source tools, but you might want SMART or E01 if you will
primarily be working with ASR Expert Witness or EnCase, respectively.

Step 6: Enter the evidence item information.

Step 7: Select the Image Destination folder and file name. You can also set the maximum
fragment size of image split files. Click Finish to complete the wizard.

Step 8: Click Start to begin the acquisition

Step 9: A progress window will appear.

Step 10: Once the acquisition is complete, click on image summary for detail information with
verification result.
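
The verification step above, as an added example (not FTK Imager code) for the case where the raw (dd) image was written in segments because a maximum fragment size was set: the MD5/SHA1 that FTK's image summary records is the hash of the whole image, i.e. of all segments concatenated in order, not the hash of any one segment file. The three-digit suffix convention (image.001, image.002, ...) is an assumption; FTK's own image.001.txt log file, which sits beside the segments, must be skipped. The self-test builds a tiny image from constructed bytes.

```python
"""Verify a split raw image against the hashes in FTK Imager's summary (added example).
find_segments() collects image.NNN files in numeric order, hash_segments() hashes
them as one byte stream, verify_image() compares with the expected digests."""
import hashlib
import re
from pathlib import Path

SEGMENT_SUFFIX = re.compile(r"^\.(\d{3})$")          # assumed naming: <stem>.001, .002, ...


def find_segments(first_segment):
    """Given image.001, return every image.NNN in the same folder, in numeric order."""
    first = Path(first_segment)
    if not SEGMENT_SUFFIX.match(first.name[-4:]):
        return [first]                                   # single, unsplit image
    stem = first.name[:-4]
    segs = [p for p in first.parent.iterdir()
            # image.001.txt (FTK's log) fails the suffix match and is skipped
            if p.name[:len(stem)] == stem and SEGMENT_SUFFIX.match(p.name[len(stem):])]
    return sorted(segs, key=lambda p: int(p.name[-3:]))


def hash_segments(segments, algorithms=("md5", "sha1")):
    """Hash the segments as one continuous stream; returns (size, {alg: hexdigest})."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    size = 0
    for seg in segments:
        with open(seg, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                size += len(chunk)
                for h in hashers.values():
                    h.update(chunk)
    return size, {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(first_segment, expected):
    """expected: {'md5': ..., 'sha1': ...} copied from FTK's image summary.
    Returns (ok, report); report lists the segments, total size and any mismatch."""
    segs = find_segments(first_segment)
    size, actual = hash_segments(segs, tuple(expected))
    mismatches = {a: {"expected": expected[a].lower(), "actual": actual[a]}
                  for a in expected if expected[a].lower() != actual[a]}
    report = {"segments": [s.name for s in segs], "bytes": size,
              "actual": actual, "mismatches": mismatches}
    return not mismatches, report
```

A mismatch after a good acquisition usually means a segment is missing or was copied out of order, so the report lists the segments it actually hashed; compare that list with the segment count in FTK's log before suspecting tampering.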

Conclusion: Hence, we successfully performed static data acquisition of an image file and of a
logical drive using FTK Imager.

Practical No. 4

Aim: Perform data analysis using sleuth kit.

Tool Used: Autopsy 4.0.0

Theory:

Sleuth Kit

• Sleuth Kit is a C library and collection of command line file and volume system forensic
analysis tools.

• The file system tools allow you to examine file systems of a suspect computer in a non-
intrusive fashion.

• Because the tools do not rely on the operating system to process the file systems, deleted
and hidden content is shown. It runs on Windows and Unix platforms.

• http://www.sleuthkit.org/

Autopsy

• Autopsy is an open source forensics tool that can be compared to FTK or EnCase and is
able to assist investigators when working on cases.

• The Autopsy is a graphical interface to the command line digital investigation tools in
The Sleuth Kit. Together, they allow you to investigate the file system and volumes of a
computer.

• http://www.sleuthkit.org/autopsy/

Step 1: Upon starting Autopsy, a window will open with three selections to make: create a new
case, open existing case, or to open a recent case.

Step 2: Select the “Create New Case” option and be directed to a new window that will have
information to fill in. Fill in appropriate information and click Next.

Step 3: Next window will allow the investigator to fill in the case number and examiner name.
This is for the purpose of creating better documentation and logging. After the information is
filled in select the finish button to continue.

Step 4: The next step in the investigation is to add an image file to the case.
The image file can be in a wide variety of formats, including img, dd, 001, aa and e01.
Use the browse button to find the image to work with and select Add.
Options to choose the time zone the image came from, and to ignore orphan files in FAT file
systems, can be selected according to the investigator's preference and the situation.
Since we have an image file we choose the "Image File" option, then browse to and load
"Precious.img" and click Next.

Step 5: Click on Next.

Step 6: Click on Next and wait for process to be finished.

Step 7: You can explore the data from left pane expand data source, view etc.

Step 8: Click on keyword list and select all check boxes to configure list.

Step 9: Check for directory listing this will show all files, deleted files etc.

Step 10: To make keyword search click on Keyword Search and type the keyword to search,
select the radio buttons for options and press Enter. This will result in all the occurrences of
keyword.

Step 11: Select any file you want to analyze, and you can see details related to that file
in below tabs.

Step 12: You can also extract file just by right clicking the file and select the option
Extract File. Browse the location to save that file and save with appropriate extension.

Step 13: Now browse to the location where you saved the file and open it with suitable
application and you can now view the file details.
This extraction is useful in conditions where you need to show the proof or print it to present
legally.

Step 14: In the left pane, you can select Recent Documents under Results to see the recently
accessed files and documents by the suspect, with the date and time of access.

Step 15: Go to Deleted Files under Views in the left pane to check for files deleted by the
suspect. Autopsy lists deleted files whose directory entries still exist; their content can be
extracted only as long as the disk space they occupied has not been reused. Once it has been
overwritten, the content is gone, and carving tools can at best recover fragments.

Step 16: To generate reports, click on Generate Report Option. It gives you a wizard to generate
report.
Select the type you want to save results and click Next.

Step 17: Select All Results and click Finish.

Step 18: The report generation is completed and results are stored in link specified. Click Close.

Step 19: Browse through path and open index.html file.
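
The keyword search of Step 10, as an added example (not Sleuth Kit or Autopsy code) run directly over the image file: it scans the image as raw bytes, so allocated files, deleted files and slack space are all covered; it matches both ASCII and UTF-16LE (how Windows stores much of its text); it keeps an overlap between chunks so a hit that straddles a chunk boundary is not missed; and it reports byte offsets plus the sector number, assuming 512-byte sectors. The image in the self-test is constructed.

```python
"""Raw keyword search over a disk image (added example)."""
import re


def compile_terms(keywords, ignore_case=True):
    """Build (keyword, encoding, pattern) triples for each search term."""
    flags = re.IGNORECASE if ignore_case else 0
    terms = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            try:
                raw = kw.encode(enc)
            except UnicodeEncodeError:
                continue                      # non-ASCII term: UTF-16 form only
            terms.append((kw, enc, re.compile(re.escape(raw), flags)))
    return terms


def search_image(path, keywords, chunk_size=1 << 20, sector=512, context=16):
    """Return hits sorted by offset: {keyword, encoding, offset, sector, context}."""
    terms = compile_terms(keywords)
    if not terms:
        return []
    longest = max(len(kw.encode("utf-16-le")) for kw in keywords)
    hits, seen = [], set()
    with open(path, "rb") as fh:
        consumed = 0               # bytes of the image read so far
        tail = b""                 # last (longest-1) bytes of the previous buffer
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            buf = tail + data
            buf_base = consumed - len(tail)      # image offset of buf[0]
            for kw, enc, pat in terms:
                for m in pat.finditer(buf):
                    off = buf_base + m.start()
                    if (off, enc) in seen:       # already found in the overlap
                        continue
                    seen.add((off, enc))
                    hits.append({"keyword": kw, "encoding": enc, "offset": off,
                                 "sector": off // sector,
                                 "context": buf[max(0, m.start() - context):
                                                m.end() + context]})
            consumed += len(data)
            tail = buf[-(longest - 1):] if longest > 1 else b""
    return sorted(hits, key=lambda h: h["offset"])
```

Offsets are what you take back into Autopsy or to an fls/istat lookup to find which file (or which unallocated region) the hit belongs to; the hit alone does not tell you whether the text was in a live file, a deleted file or slack.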

Conclusion: Hence, we successfully performed data analysis using Sleuth Kit.

Practical No. 5

Aim: Perform forensics disk analysis using AccessDataFTK.

Tool Used: AccessData Forensic ToolKit

Theory:

Forensic Toolkit® (FTK®)

• Recognized around the World as the Standard Digital Forensic Investigation Solution.

• FTK is a court-cited digital investigations platform built for speed, stability and ease of
use.

• Furthermore, because of its architecture, FTK can be setup for distributed processing and
incorporate web-based case management and collaborative analysis.

• Following are the various features available in the latest release : -

1. Visualize Big Data, Find the Relevant Evidence Faster


FTK’s database-driven, enterprise-class architecture allows you to handle massive data
sets, as it provides stability and processing speeds not possible with other tools.

2. Automated Malware Triage and Analysis


Available as an option to FTK, Cerberus is one tool in your malware arsenal and helps
you identify potentially malicious files.

3. AccessData’s Decryption Solutions are the Key to Crack it!


AccessData has developed other industry-leading solutions to assist in password
recovery. These solutions are used in many different environments to provide specific,
password-cracking related functions.

4. Rainbow (Hash) Tables


Rainbow tables are pre-computed tables of password hashes that trade disk space for cracking
time: instead of hashing every candidate password during the attack, the hashes are computed
once in advance and looked up.

5. Portable Office Rainbow Tables (PORT)


This takes far less space than the Hash Tables, but also takes somewhat more time and
costs a small percentage in accuracy.

Step 1: On startup, the AccessData FTK Startup Wizard gives you 4 options. Select Start a new
case, since we will examine a new case, and click OK.

Step 2: Fill details as per the case and click Next.

Step 3: In the Case Information dialog box, enter your investigator information, and then click
Next.

Step 4: The next window provides the log options. FTK automatically generates log files; select
the events for which you want logs to be generated. Here we select all the log options.

Step 5: These are the various processes which can be performed on evidence. Select all and click
next.

Step 6: The Refine Case window lets you exclude data that is not relevant, to save processing
time. For this practical select Include All Items and click Next.

Step 7: Depending on previously chosen option, few more Refine options are included. Simply
click Next.

Step 8: Here comes the Wizard where you can add your evidence. Click on Add Evidence.

Step 9: Choose the evidence type according to what you want to analyze. We select Acquired
Image of Drive and click Continue.

Step 10: Browse the location where the image is stored. Select and click Open.

Step 11: Give details about the acquired Image and click Ok.

Step 12: The details about the provided evidence is displayed. Click Next.

Step 13: The setup summary is provided. Review and click Finish.

Step 14: After processing is finished the results are shown as below.

• The statistics for each category are automatically listed. Click the category button to open
its associated file list.

Sr. No. Category Description

a) Actual Files: Filters out parsed files and lists only actual files in the case. An actual
file is one that existed on the original hard drive as a file: documents, zip files,
executables, logs, etc. For example, a file extracted from a Zip archive is filtered out.

b) All Items: All items in the case. This includes files as well as embedded items such as
e-mail attachments, files within Zip archives, and so forth.

c) Checked Items: All items that are checked in any of the FTK windows.

d) Evidence Item: A physical drive, a logical drive or partition, or drive space not included
in any partitioned virtual drive.

e) File Item: Individual items added to the case such as text files, documents, graphics, OLE
items, drive images, and so forth.

Total File Items

Total items in the case which is not necessarily the number of files in the case because multiple
items can be parsed out of one file.
For example, a Zip archive can contain many items. Total File Items is the total items in the case
unless Filtered is selected.

Sr. No. Category Description

a) Unchecked Items: All items that are left unchecked.

b) Unfiltered: A filter that overrides normal filters. This filter is specific to the Overview
window.

c) File Status: File Status covers a number of file categories that can alert you to problem
files or help you narrow down a search. The statistics for each category are automatically
listed. Click the category button to open the file list associated with it.

d) KFF Alert Files: Files identified by the HashKeeper website as contraband or illicit files.

e) KFF Ignorable: Files identified by the HashKeeper and NIST databases as common, known files
such as program files.

f) OLE Subitems: Items or pieces of information that are embedded in a file, such as text,
graphics, or an entire file. This includes file summary information (also known as metadata)
included in documents, spreadsheets, and presentations.
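
The KFF Alert / KFF Ignorable classification described above, as an added example (not FTK's KFF code): every file under a root is hashed and put in one of three buckets, "alert" if its hash is in a set of known contraband hashes, "ignorable" if it is in a set of known-good hashes (NSRL / HashKeeper style), otherwise "unknown" and worth an examiner's time. Alert takes precedence over ignorable, and both MD5 and SHA-1 are checked because published hash sets use either. The hash sets in the self-test are constructed; real ones come from NSRL RDS or a vendor.

```python
"""Known File Filter style triage (added example)."""
import hashlib
from pathlib import Path


def file_digests(path):
    """MD5 and SHA-1 of a file, computed in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def load_hashset(text):
    """Parse a hash list: one MD5 (32 hex) or SHA-1 (40 hex) per line, '#' comments allowed."""
    hashes = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if token and len(token) in (32, 40) and all(c in "0123456789abcdef" for c in token):
            hashes.add(token)
    return hashes


def kff_triage(root, alert, ignorable):
    """Classify every file under root into alert / ignorable / unknown."""
    buckets = {"alert": [], "ignorable": [], "unknown": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        md5, sha1 = file_digests(path)
        entry = {"path": str(path.relative_to(root)), "md5": md5, "sha1": sha1}
        if md5 in alert or sha1 in alert:          # alert wins over ignorable
            buckets["alert"].append(entry)
        elif md5 in ignorable or sha1 in ignorable:
            buckets["ignorable"].append(entry)
        else:
            buckets["unknown"].append(entry)
    return buckets
```

The "unknown" bucket is the working set: a large "ignorable" bucket is exactly what makes KFF worth running, since it removes operating-system and application files from the examiner's view without anyone looking at them.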

File Category

File Category itemizes the files by function, for example, a word processing document, graphics,
e-mail, executable (program file), or folder.
The statistics for each category are automatically listed. Click the category button to open
the file list associated with it.

Sr. No. Category Description

a) Archives: Archive files include e-mail archive files, Zip, Stuffit, Thumbs.db thumbnail
graphics, and other archive formats.

b) Databases: Includes databases from Access, Quicken, Microsoft Money, QuickBooks, and others.

c) Documents: Includes most word processing, HTML, WML, HDML, or text files.

d) E-mail Message: Includes e-mail messages from Outlook, Outlook Express, AOL, Netscape,
Yahoo, Earthlink, Eudora, Hotmail, and MSN.

e) Executables: Includes executables from Win32 executables and DLLs, OS/2, Windows VxD,
Windows NT, JavaScript, and other executable formats.

f) Folders: Folders or directories that are located in the evidence.

g) Graphics: Includes the standard graphic formats like .tif, .gif, .jpeg, and .bmp.

h) Multimedia: Includes the multimedia formats such as MP3, Flash, QuickTime, WAV, and MIDI.

i) Other Known Type: A miscellaneous category that includes audio files, help files,
dictionaries, clipboard files, link files, etc.

j) Slack/Free Space: Fragments of files that have not been completely overwritten.

k) Spreadsheets: Includes spreadsheets from Lotus, Microsoft Excel, Quattro Pro, and others.

l) Unknown Type: File types that FTK cannot identify.

Explore Window

The Explore window displays all the contents of the case files and drives.

• The Explore window contains the following:

a) Tree view: Lists the directory structure of each evidence item, similar to the way one would
view a directory structure in Windows Explorer. An evidence item is a physical drive, a logical
drive or partition, or drive space not included in any partitioned virtual drive. The List All
Descendants option on the Tree View toolbar displays all the currently selected folder's files
in the File List.

b) Viewer: Displays the contents of the currently selected file. The Viewer toolbar allows
you to choose different view formats.

c) File List: Displays information about a file, such as filename, file path, and file type.

Graphics Window

• Beneath each thumbnail image is a button that can be clicked red or green. Flagging a
graphic red or green is only relevant to the case report.

• When creating a report, you can choose to include all of the graphics in the case or only those
graphics that are flagged green.

• To automatically mark all the thumbnails green, click the green button in the Tree View
toolbar. Conversely, click the red button in the Tree View toolbar to automatically mark all
the thumbnails red.

• In the Graphics window, only graphic files appear in the File List. This simplifies the process
of working with graphics.

• You can view the image in Hex format also

E-mail Window

The E-mail window displays e-mail mailboxes, including Web e-mail, and their associated
messages and attachments. The display is a coded HTML format.

View e-mail in different viewers

Search Window
Through the Search window, you can conduct an indexed search or a live search. An indexed
search is fast. A live search is more flexible.
Indexed Search
The following table describes the interface options.

Interface Option Description

Add: Adds the search term to Search Items. You can add multiple terms to one search.

Count: The number of times the indexed word is found in the case.

Cumulative Operator: This operator is specific to multi-term searches. FTK looks for items:
  And: that contain all the search terms listed in the search list.
  Or: that contain any of the search terms listed in the search list.

Edit Item: Allows you to edit the currently selected search term.

Files: The number of files the search term is found in.

Hits: The number of times the search term is found in the case.

Import: Imports search terms from text files.

Indexed Words: This column displays the index. When a search term is entered in the search
field, this column scrolls to display the term in the index.

Options: Options that allow you to broaden or narrow the search.

Remove All: Removes all search terms from the search list.

Remove Item: Removes the currently selected search term from the search list.

Search Items: Lists the search terms.

Search Term field: The field in which you enter the term you want to search for.

View Cumulative Results: Initiates a multi-term search.

View Item Results: Initiates a single-term search.

• You can add search items by typing words in search terms and click add to add in search
items.

Live Search

Interface Option Description

Add Adds the search term to the search list. You can add multiple terms
to one search.

ASCII Searches any text in the same single-byte character set that your
Windows version natively uses.

Case Sensitive Searches for the term exactly as it is typed in the Search Term field.

Delete Item Deletes the currently selected search term from the search list.

Edit Item Allows you to edit the currently selected search term.

• In a live search tab type name in the search box and click add and then click search.

Bookmark Window
The following table describes the interface options specific to the Bookmark window.

Interface Option Description

Bookmark Comment: Displays comments included with a bookmark.

Bookmark Name: Displays the name given to a bookmark when it was created.

Bookmarked Files: Number of bookmarked files.

Clear Changes: Resets the Include in Report and Export Files settings in the current bookmark.

Export Files: If checked, the files included in the bookmark are exported when a report is
generated.

File Path: Displays the paths of bookmarked files.

Filename: Displays the bookmarked files' filenames.

Include in Report: If checked, includes the bookmark and its files in case reports.

• On the Bookmark window, you can view all the items you have bookmarked as important
items in the case.

Viewing File Properties

To view a file’s properties:


1. Highlight a file in the File List.
2. Select Tools, and then File Properties.

• The File Properties menu is organized into five information windows:
  • General
  • File Source
  • File Content
  • Case-specific
  • E-mail (appears only when viewing file properties for e-mail messages and attachments)
• Click on the corresponding tab to access each window. Each window contains the following
file information:

Using the Case Log
To view the case log: Select Tools, and then View Case Log.

Generate the Report

Go to File and click on Report Wizard.

Fill the details and click next till Report Location Window and click finish.

After clicking on finish report will generate and open in browser.

Conclusion: Hence, we successfully performed forensic disk analysis using AccessData FTK.

Practical No. 6

Aim: Perform data hiding technique using steganography.


Tool Used: S-Tools

Theory:

• S-Tools is a steganography tool that hides data inside 24-bit bitmap (BMP) images by
replacing the least significant bits of the image's colour values; the change is invisible to
the eye.

• A steganography software tool allows a user to embed hidden data inside a carrier file,
such as an image or video, and later extract that data.

• The stego image keeps the original size and still opens as a normal picture, so casual
inspection shows nothing. The carrier is modified, however, and a comparison with the original
image, or statistical analysis of the least significant bits, can reveal that.

• Because the payload is encrypted before it is embedded, the hidden bits look like random
noise: nothing in the stego file identifies what was hidden or which passphrase was used.

• Steganography tools aim to ensure robustness against modern forensic methods, such as
statistical steganalysis. Such robustness may be achieved by a balanced mix of:

  • a stream-based cryptography process
  • a data whitening process
  • an encoding process.

• If the data is detected, cryptography also helps to minimize the resulting damage, since
the data is not exposed, only the fact that a secret was transmitted.

• The sender may be forced to decrypt the data once it is discovered, but deniable
encryption can be leveraged to make the decrypted data appear benign.

• Strong steganography software relies on a multi-layered architecture with a deep,
documented obfuscation process.

Step 1: Open the S-Tools.

Step 2: Drag and drop .bmp image in S-tools.

Step 3: Create a text file and write some data and drag this file over the image. It will then ask
for passphrase and encryption algorithm to hide the file. After entering passphrase click on OK.

Step 4: Right click on image and save as .bmp format.

Step 5: To reveal the hidden file, drag and drop the stego image (the saved .bmp) into the
tool. Right-click on the image and click on the Reveal option.

Step 6: Enter the passphrase and select the same encryption algorithm as previous and you can
see the revealed text file.

Step 7: Right click the file and select save as option to extract the file.

Step 8: Browse to the location and save the file.

Here you can see the extracted file.
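
The hide-and-reveal procedure above, as an added example (not S-Tools' code or file format): least-significant-bit steganography in a 24-bit BMP, the technique S-Tools uses. A 4-byte length header and the payload are written into the LSB of successive colour bytes. The payload is encrypted first with a keyed stream built from SHA-256 in counter mode, which is an assumption made so that only the standard library is needed; the block ciphers S-Tools offers are not reproduced. lsb_ones_ratio() shows why LSB embedding is detectable by statistical steganalysis even though the picture looks unchanged. The carrier in the self-test is constructed.

```python
"""LSB steganography in a 24-bit BMP (added example)."""
import hashlib
import struct


def make_bmp(width, height, pixels):
    """Minimal uncompressed 24-bit BMP; pixels is width*height*3 bytes of BGR, bottom row first."""
    row = width * 3
    padding = (4 - row % 4) % 4
    body = b"".join(pixels[r * row:(r + 1) * row] + b"\x00" * padding for r in range(height))
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(body), 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body),
                              2835, 2835, 0, 0)
    return file_header + info_header + body


def keystream(passphrase, length):
    """Keyed byte stream: SHA-256(key || counter) blocks, key = SHA-256(passphrase)."""
    key = hashlib.sha256(passphrase.encode()).digest()
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def _pixel_offset(bmp):
    return struct.unpack_from("<I", bmp, 10)[0]        # bfOffBits: where pixel data starts


def embed(bmp, payload, passphrase):
    """Hide payload in the LSBs of the pixel bytes; returns the stego BMP."""
    start = _pixel_offset(bmp)
    cipher = bytes(p ^ k for p, k in zip(payload, keystream(passphrase, len(payload))))
    data = struct.pack("<I", len(cipher)) + cipher
    capacity = (len(bmp) - start) // 8                  # one bit per colour byte
    if len(data) > capacity:
        raise ValueError(f"payload of {len(data)} bytes exceeds capacity of {capacity}")
    out = bytearray(bmp)
    for i, byte in enumerate(data):
        for bit in range(8):                            # MSB of each byte first
            pos = start + i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _read_lsb_bytes(bmp, start, first_byte, count):
    out = bytearray()
    for i in range(first_byte, first_byte + count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (bmp[start + i * 8 + bit] & 1)
        out.append(value)
    return bytes(out)


def reveal(bmp, passphrase):
    """Recover the payload. A wrong passphrase yields garbage of the right length,
    since only the payload, not the length header, is encrypted."""
    start = _pixel_offset(bmp)
    length = struct.unpack("<I", _read_lsb_bytes(bmp, start, 0, 4))[0]
    if length > (len(bmp) - start) // 8 - 4:
        raise ValueError("no embedded payload (length header is implausible)")
    cipher = _read_lsb_bytes(bmp, start, 4, length)
    return bytes(c ^ k for c, k in zip(cipher, keystream(passphrase, length)))


def lsb_ones_ratio(bmp):
    """Fraction of pixel bytes whose LSB is 1: a flat carrier gives 0, encrypted
    payload bits push the used region towards 0.5, which steganalysis looks for."""
    start = _pixel_offset(bmp)
    pixel = bmp[start:]
    return sum(b & 1 for b in pixel) / len(pixel)
```

Two things a practitioner should take from it: the stego file has exactly the same size and header as the carrier (only the lowest bit of some colour bytes differs), and the LSB statistics of the carrier change in a way that tools can measure, which is why S-Tools' output is detectable even though a viewer shows nothing.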

Conclusion: Hence, we successfully performed data hiding using steganography.

Practical No. 7

Aim: Study and implementation of e-mail forensics using AccessDataFTK.

Tool Used: AccessDataFTK.

Theory:

Forensic Toolkit® (FTK®): see the Theory section of Practical No. 5.

• FTK can filter or find files specific to e-mail clients and servers. You can configure these
filters when you enter search parameters. In this practical, we will learn how to use FTK to
recover e-mails from an Outlook .pst file.

• To recover e-mail from Outlook and Outlook Express, AccessData integrated dtSearch
(www.dtsearch.com) into FTK 1.x. dtSearch builds a B*-tree index of all text data in a
drive, an image file, or a group of files.

• One unique feature is its capability to read .pst and .dbx files and index all text
information, including attached files.

E-mail Window

• The E-mail window displays e-mail mailboxes, including Web e-mail, and their
associated messages and attachments. The display is a coded HTML format.

Step 1: When the AccessData FTK Startup dialog box opens, click Start a new case, and then
click OK.

Step 2: Fill details as per the case and click Next.

Step 3: In the Case Information dialog box, enter your investigator information, and then click
Next.

Step 4: Click Next until you reach the Refine Case - Default dialog box. Click the Email
Emphasis button, and then click Next.

Step 5: Click Next until you reach the Add Evidence to Case dialog box, and then click the Add
Evidence button.

Step 6: In the Add Evidence to Case dialog box, click the Individual File option button, and then
click Continue.

Step 7: Select the Jim_Shu’s.pst and click on open.

Step 8: In the Evidence Information dialog box, click OK.

Step 9: When the Add Evidence to Case dialog box opens, click Next. In the Case summary
dialog box, click Finish.

Step 10: When FTK finishes processing the file, in the main FTK window, click the E-mail
Messages button, and then click the Full Path column header to sort the records.

Step 11: Click the E-Mail tab. In the tree view, click to expand all folders, and then click the
Inbox folder. If necessary, to view all messages, click the List all descendants check box.

Step 12: Right-click Message0010 in the File List pane and click Export File. In the Export Files
dialog box, click OK. Click OK again in the Export Files message box.

Step 13: To view the exported Message0010 file, go to your work folder.

Conclusion: Hence, we successfully performed e-mail forensics on Jim_Shu's.pst using AccessData
FTK.

Practical No. 8

Aim: Generating forensics report using sleuth kit.

Tool Used: Autopsy.

Theory:

Autopsy: see the Theory section of Practical No. 4.

Why Reporting is important?

• Documentation is an ongoing process throughout the examination. It is important to
accurately record the steps taken during the digital evidence examination.

• The examiner is responsible for completely and accurately reporting his or her findings
and the results of the analysis of the digital evidence examination.

Whether you are doing a forensic report that simply states facts coming from testing, or an expert
report that expresses expert opinion

Step 1: To generate reports, click on Generate Report Option which opens up Generate Report
Wizard Select the type you want to save results and click Next.

Step 2: Select All Results and click Finish.

Step 3: The report generation is completed and results are stored in link specified. Click Close.

Step 4: Browse through path given and open index.html file.

Step 5: The reports are generated in html file.

Step 6: To generate the report in Excel format, follow the same steps, select the option Results
– Excel and click Next.

Step 7: Browse to the path given and open the Excel file.

Step 8: Go through various pages to see the report.

Conclusion: Hence, we successfully generated forensic reports as HTML and Excel files using
The Sleuth Kit.

Practical No. 9

Aim: Generating forensics report using AccessDataFTK.

Tool Used: AccessDataFTK.

Theory:

Forensic Toolkit® (FTK®)

• Recognized around the World as the Standard Digital Forensic Investigation Solution.

FTK is a court-cited digital investigations platform built for speed, stability and ease of use.

Why is reporting important?

• Documentation is an ongoing process throughout the examination. It is important to
accurately record the steps taken during the digital evidence examination.

• The examiner is responsible for completely and accurately reporting his or her findings
and the results of the analysis of the digital evidence examination.

• With the report on hand the investigator will have an idea of what to expect as well as a
list of programs that are installed on the machine.

• This can help investigators gather all the evidence they need to perform a complete
investigation.

Whether you are doing a forensic report that simply states facts coming from testing, or an expert
report that expresses expert opinion.

Step 1: Go to File and click on Report Wizard.

Step 2: Fill in the details and click Next until you reach the Report Location window.

Step 3: Click Yes and the report will be displayed in the browser.

Conclusion: Hence, we successfully generated a forensic report using AccessDataFTK.

Practical No. 10

Aim: Analysis of network traffic and password cracking using Wireshark.

Tool Used: Wireshark.

Theory:

Wireshark

• Wireshark is a free and open source packet analyzer. It is used for network
troubleshooting, analysis, software and communications protocol development, and
education.

• Originally named Ethereal, the project was renamed Wireshark in May 2006 due to
trademark issues.

• Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement
its user interface, and using pcap to capture packets.

• It runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and
Microsoft Windows.

There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other
programs distributed with it such as TShark, are free software, released under the terms of the
GNU General Public License.

Step 1: Upon starting, the Wireshark window opens with a list of the available network interfaces. Click on
the appropriate connection.

Step 2: Wireshark will capture all packets as below.

Step 2: You can filter the packets by typing an expression in the display filter bar, for example to show only:

• HTTP packets

• TCP packets

Step 3: Form data can be sent with one of two HTTP methods, POST or GET; we will filter on the
POST method for password cracking.

Enter the following in the display filter bar: http.request.method == "POST"

Step 4: Now look for the POST packet from the IP address you are interested in.

When you have found the POST packet, select it by clicking on it and expand the HTML Form URL
Encoded section in the packet details pane at the bottom of the window.

The expanded HTML Form URL Encoded section lists the submitted form fields, including the password,
which was transmitted in cleartext.
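The same check the lab performs by hand in Wireshark (filter on POST, then read the HTML Form URL Encoded fields), written here as an added detection script that flags credentials sent over unencrypted HTTP; it is not part of the lab manual or of Wireshark. The HTTP requests it scans are constructed samples, and the set of credential field names is an assumption.

```python
from urllib.parse import parse_qs

# Form field names treated as credentials (an assumption for this example).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass"}

def parse_http_request(raw):
    """Split a reassembled HTTP/1.x request into method, path, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def find_cleartext_credentials(requests):
    """Report POST requests whose URL-encoded body carries a credential field.

    Same selection as the lab's Wireshark filter http.request.method == "POST",
    but only field names and the destination are recorded, never the values."""
    findings = []
    for raw in requests:
        req = parse_http_request(raw)
        if req["method"] != "POST":
            continue
        ctype = req["headers"].get("content-type", "")
        if "application/x-www-form-urlencoded" not in ctype:
            continue
        fields = parse_qs(req["body"], keep_blank_values=True)
        exposed = sorted(f for f in fields if f.lower() in CREDENTIAL_FIELDS)
        if exposed:
            findings.append({"host": req["headers"].get("host", "?"),
                             "path": req["path"], "fields": exposed})
    return findings

# Constructed sample: two requests as Wireshark would reassemble them from a capture.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "POST /login.php HTTP/1.1\r\nHost: intranet.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
    "username=alice&password=s3cret",
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_REQUESTS):
        print(f"credential field(s) {f['fields']} sent in cleartext to {f['host']}{f['path']}")
```

A hit means the login form is served over plain HTTP; the fix is to move it to HTTPS, which is also why the lab's filter shows nothing for TLS-protected sites.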

Conclusion: Hence, we successfully analyzed network traffic and performed password cracking
using Wireshark.

Practical No. 11

Aim: Perform a password cracking technique using Cain and Abel.

Tool Used: Cain and Abel.

Theory:

Cain and Abel

• Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy
recovery of various kinds of passwords by sniffing the network, cracking encrypted
passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP
conversations, decoding scrambled passwords, recovering wireless network keys,
revealing password boxes, uncovering cached passwords and analyzing routing
protocols.

• Cain & Abel has been developed in the hope that it will be useful for network
administrators, teachers, security consultants/professionals, forensic staff, security
software vendors, professional penetration testers and everyone else who plans to use it for
ethical reasons.

• The latest version is faster and contains a lot of new features like APR (Arp Poison
Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks.

• The sniffer in this version can also analyze encrypted protocols such as SSH-1 and
HTTPS, and contains filters to capture credentials from a wide range of authentication
mechanisms.

• The new version also ships routing protocol authentication monitors and route
extractors, dictionary and brute-force crackers for all common hashing algorithms and for
several specific authentication schemes, password/hash calculators, cryptanalysis attacks,
password decoders and some not so common utilities related to network and system
security.

Step 1: First make sure your firewall is disabled, then open the Cain & Abel software.

Step 2: Click on Start Sniffer and Start APR to start sniffing packets on the network. These are the
icons in the left corner of the window.

Step 3: Sniffing details from the network

a) Click on the Sniffer tab and then click on the '+' icon.

Select 'All hosts in my subnet' and select 'All tests'.

Step 4: Resolving host names

a) Right-click on an IP address and click on the Resolve Host Name option. This will give you a list
of resolved host names.

Step 5: Cracking passwords

a) Click on the Cracker tab, then click the "+" icon in the window.

In the next wizard, simply click Next with the defaults selected. This will give

Right-click on the username and select the type of attack to be performed.

Select Predefined and click on Start.
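The APR (Arp Poison Routing) feature started in Step 2 works by answering ARP requests with forged replies, so on the defender's side it shows up as IP-to-MAC bindings that change, or one MAC answering for several IPs. The following added script (not part of the lab manual or of Cain & Abel) flags those two patterns in a constructed list of ARP replies; all addresses in it are made up.

```python
from collections import defaultdict

def detect_arp_poisoning(replies):
    """Flag ARP reply patterns typical of ARP poison routing.

    replies: (timestamp, sender_ip, sender_mac) tuples as a sniffer records
    ARP "is-at" replies. Two heuristics are applied:
      1. mac-change: an IP is now announced with a different MAC than before
      2. mac-claims-multiple-ips: one MAC answers for several IPs, which is
         what a host impersonating the gateway and its victims looks like
    Mitigations are static ARP entries for the gateway or Dynamic ARP
    Inspection on the switch; this function only detects.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "mac-change", ip, f"{prev} -> {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((ts, "mac-claims-multiple-ips", mac, sorted(mac_to_ips[mac])))
    return alerts

# Constructed sample: ARP replies seen on a small LAN before and after APR
# is started on the host 192.168.1.50. All addresses are made up.
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:bb:cc:00:00:01"),  # real gateway
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),  # victim workstation
    ("10:00:03", "192.168.1.50", "aa:bb:cc:00:00:50"),  # host that will run APR
    ("10:00:09", "192.168.1.1",  "aa:bb:cc:00:00:50"),  # gateway now "is-at" .50's MAC
    ("10:00:09", "192.168.1.20", "aa:bb:cc:00:00:50"),  # victim now "is-at" .50's MAC
]

if __name__ == "__main__":
    for ts, kind, subject, detail in detect_arp_poisoning(SAMPLE_REPLIES):
        print(f"{ts} {kind}: {subject} {detail}")
```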

Conclusion: Hence, we successfully performed a password cracking technique using Cain and Abel.
