
PRESIDENCY UNIVERSITY

Itgalapura, Rajankunte, Yelahanka, Bengaluru 560064


SCHOOL OF COMPUTER SCIENCE ENGINEERING &
INFORMATION SCIENCE
CSE 2037 – CYBER FORENSICS

LABORATORY RECORD BOOK

Name :
Roll No :
Section :
Branch :
Semester :

ACADEMIC YEAR 2023-24


BONAFIDE CERTIFICATE

This is to certify that Mr. / Ms.


bearing the Roll number of semester – V
and “Section-5CCS-01” has satisfactorily completed the course
“CSE 2037 – CYBER FORENSICS” prescribed for B. Tech
programme by the PRESIDENCY UNIVERSITY during the
academic year 2023-24.

DATE: FACULTY IN-CHARGE


(Mr. J JOHN BENNET)
INDEX

EX. NO    DATE    EXPERIMENT NAME    SIGNATURE

1    STUDY OF COMPUTER FORENSICS AND DIFFERENT TOOLS USED FOR FORENSIC INVESTIGATION
2    LIVE FORENSICS CASE INVESTIGATION USING AUTOPSY
3    HOW TO RECOVER DELETED FILES USING FORENSICS TOOLS
4    FIND LAST CONNECTED USB ON YOUR SYSTEM (USB FORENSICS)
5    HOW TO VIEW LAST ACTIVITY OF YOUR PC
6    HOW TO EXTRACT BROWSER ARTIFACTS
7    COMPARISON OF TWO FILES FOR FORENSICS INVESTIGATION BY COMPARE IT SOFTWARE
8    HOW TO COLLECT EMAIL EVIDENCE IN VICTIM PC
9    STUDY THE STEPS FOR HIDING AND EXTRACTING ANY TEXT FILE BEHIND AN IMAGE FILE/AUDIO FILE USING COMMAND PROMPT
10   HOW TO EXTRACT EXCHANGEABLE IMAGE FILE FORMAT (EXIF) DATA FROM IMAGE FILES USING EXIFREADER SOFTWARE

EX. NO: 1 INTRODUCTION TO COMPUTER FORENSICS AND BASIC FORENSIC INVESTIGATION TOOLS

Aim:
Introduction to Computer Forensics and Basic Forensic Investigation Tools
Objective:
The objective of this lab experiment is to introduce students to the field of computer forensics
and familiarize them with some commonly used tools for conducting forensic investigations. By the
end of the experiment, participants should be able to understand the principles of computer forensics
and apply basic forensic tools for evidence collection and analysis.
Materials:
1. A computer with a suitable operating system (Windows or Linux) for forensic analysis.
2. A storage device (USB drive or external hard disk) containing sample evidence files.
3. Access to various computer forensic tools, such as Autopsy, FTK Imager, and Volatility.
Procedure:
Part 1: Introduction to Computer Forensics
1. Begin the lab by providing a brief introduction to the field of computer forensics. Explain
its importance in legal investigations, cybersecurity incidents, and data recovery
scenarios.
2. Discuss the core principles of computer forensics, including the need for accurate and
reliable evidence collection, preservation, and analysis while maintaining the integrity of
the original data.
Part 2: Understanding the Forensic Investigation Process
1. Explain the steps involved in a typical forensic investigation:
a. Identification and isolation of the evidence.
b. Preservation of the evidence to avoid contamination.
c. Examination and analysis of the evidence.
d. Documentation and reporting of findings.
2. Discuss the legal and ethical considerations in computer forensics, such as obtaining
proper authorization and maintaining chain of custody.
Part 3: Basic Forensic Investigation Tools
1. Introduce the participants to some commonly used forensic investigation tools:
a. Autopsy: An open-source digital forensics platform that aids in analyzing and
visualizing evidence in a user-friendly interface.
b. FTK Imager: A popular tool for creating forensic images and analyzing disk
images.

c. Volatility: A memory analysis tool used to examine volatile memory dumps for
signs of malicious activity.
2. Demonstrate how to install and set up the selected tools on the lab computers.
Part 4: Practical Forensic Investigation
1. Divide the participants into groups and provide each group with a storage device
containing sample evidence files.
2. Instruct each group to perform the following tasks using the forensic investigation tools
they have learned about:
a. Use Autopsy or FTK Imager to create a forensic image of the storage device.
b. Examine the evidence files using Autopsy to identify potential evidence of
interest.
c. Use Volatility to analyze memory dumps of the operating system (provided by
the instructor) and look for any suspicious processes or network connections.
3. Encourage participants to document their findings and prepare a brief report on their
observations.
Output:

Conclusion:
Gather the participants back together and discuss the results of their investigations. Review
the importance of following proper forensic procedures and maintaining the integrity of the evidence.
Emphasize the significance of computer forensics in various scenarios, including law enforcement
investigations, corporate cybersecurity incidents, and data recovery efforts. Finally, encourage further
exploration and study of computer forensics to enhance their knowledge and skills in this crucial field.

EX. NO: 2 LIVE FORENSICS INVESTIGATION USING AUTOPSY

Aim:
Live Forensics Investigation using Autopsy
Objective:
The objective of this lab experiment is to provide participants with hands-on experience in
conducting a live forensics investigation using Autopsy, a powerful open-source digital forensics
tool. By the end of the experiment, participants will be able to navigate Autopsy's features, perform
live analysis, and identify potential evidence of suspicious activities on a live system.
Materials:
1. Computer with Autopsy installed
2. Sample evidence files or a simulated scenario with suspicious activities
Procedure:
1. Introduction to Live Forensics and Autopsy:
Begin the lab by explaining the significance of live forensics in real-time incident
response scenarios. Highlight the benefits and challenges of conducting live analysis as
opposed to post-mortem analysis. Introduce Autopsy as a versatile tool for live forensics
investigations and showcase its features.
2. Setting up Autopsy and Booting the Target System:
Instruct participants to set up Autopsy on their investigator's computer and boot the
target system, whether it's a virtual machine or a physical machine, for live analysis.
3. Initiating Live Analysis and Initial Triage:
Guide participants on how to initiate the live analysis in Autopsy and establish a
connection to the target system. Instruct them to perform an initial triage to identify potential
areas of interest on the live system.
4. Acquiring Volatile Data and Analysis:
Instruct each group to begin acquiring volatile data from the live system using
Autopsy's live acquisition feature. Participants should analyze the acquired data, paying
attention to running processes, network connections, and browser history to identify any
suspicious activities or potential evidence.
5. Documenting and Preparing a Detailed Report:
Emphasize the importance of documenting every step taken during the live forensics
investigation to maintain a proper chain of custody and ensure the integrity of the evidence.
Instruct participants to prepare a detailed report summarizing their investigation, including
their findings, analysis, and conclusions.

Output:

Conclusion:
Gather the participants together to discuss their experiences and findings during the live
forensics investigation using Autopsy. Encourage them to reflect on the challenges faced and the
lessons learned. Highlight the significance of live forensics in real-world scenarios, where timely
response is crucial. Remind participants to adhere to ethical considerations and legal requirements
when handling sensitive data during forensic investigations. Finally, inspire them to further explore
the field of digital forensics and develop their skills as digital investigators.

EX. NO: 3 DELETED FILE RECOVERY USING FTK IMAGER

Aim:
Deleted File Recovery using FTK Imager
Objective:
The objective of this lab experiment is to familiarize participants with the process of
recovering deleted files using FTK Imager, a popular digital forensics tool. Participants will learn
how to acquire an image of the storage device, conduct deleted file recovery, and preserve the
integrity of the evidence.
Materials:

1. A computer with FTK Imager installed.

2. A storage device (USB drive or external hard disk) containing sample data with
intentionally deleted files.
Procedure:
1. Introduction:
a. Start the lab by providing an overview of deleted file recovery in digital forensics and
its importance in investigations and data recovery.
b. Introduce FTK Imager and explain its features, focusing on deleted file recovery
capabilities.
2. Setting up the Lab Environment:
a. Instruct participants to install and set up FTK Imager on their investigator's computer.
b. Connect the storage device containing the sample data with intentionally deleted files
to the investigator's computer.
3. Acquiring an Image of the Storage Device:
a. Guide participants on how to create a forensic image of the storage device using FTK
Imager.
b. Instruct them to choose the appropriate acquisition options to ensure a verified and
exact copy of the original data is preserved.
4. Initiating FTK Imager and Opening the Forensic Image:
a. Demonstrate how to open FTK Imager on the investigator's computer.
b. Show participants how to navigate to the location of the acquired forensic image
and open it.

5. Conducting Deleted File Recovery:
a. Instruct participants on how to search for deleted files within the file system using
FTK Imager.
b. Guide them on using filters or specific search terms to narrow down the results to
deleted files.
6. Recovering Deleted Files:
a. Show participants how to select the deleted files they want to recover from the
search results.
b. Instruct them to specify a destination folder for the recovered files, ensuring it is
different from the original forensic image.
7. Verification and Review:
a. Allow participants to review the recovered files to ensure they have been restored
successfully.
b. Verify that the recovered files match the expected contents and correspond to the
deleted data.
8. Documentation and Reporting:
a. Emphasize the importance of documenting every step of the deleted file recovery
process, including date, time, and actions taken.
b. Instruct participants to prepare a report summarizing their experience, challenges
faced, and lessons learned during the deleted file recovery using FTK Imager.
Output:

Conclusion:
Gather the participants back together to discuss their experiences in recovering deleted files
using FTK Imager. Reinforce the significance of deleted file recovery in digital forensics
investigations and data recovery scenarios. Encourage further exploration of FTK Imager's
capabilities and ethical considerations when handling recovered files. Remind participants of the
criticality of maintaining the integrity of the original data during forensic analysis.

EX. NO: 4 USB FORENSICS: FINDING THE LAST CONNECTED USB ON YOUR SYSTEM USING USBDEVIEW

Aim:
USB Forensics: Finding the Last Connected USB on Your System using USBDeview
Objective:
The aim of this lab experiment is to introduce participants to USB forensics and demonstrate
how to find the details of the last connected USB device on their computer system using USBDeview.
Participants will learn how to use USBDeview, a specialized USB forensics tool, to examine and
extract information about the most recent USB device connection on their system.
Materials:

1. A computer with a compatible operating system (Windows).

2. USBDeview software (freely available from NirSoft).

3. Sample USB devices for connecting and disconnecting during the experiment.
Procedure:
1. Introduction to USB Forensics and USBDeview:
a. Provide an overview of USB forensics, explaining its importance in digital
investigations and incident response.
b. Introduce USBDeview as a specialized tool for USB forensics, designed to analyze
and display detailed information about connected USB devices.
2. Setting up the Lab Environment:
a. Instruct participants to install USBDeview on their investigator's computer.
b. Ensure that the computer has administrative privileges to access USB device
information.
3. Connecting and Disconnecting Sample USB Devices:
a. Instruct participants to connect and disconnect sample USB devices (e.g., USB
drives) to their computer during the experiment.
b. These actions will create a history of USB device connections for analysis.
4. Launching USBDeview and Analyzing USB Device History:
a. Demonstrate how to open USBDeview on the investigator's computer.
b. Instruct participants to refresh the list to display the most up-to-date USB device
information.
5. Identifying the Last Connected USB Device:
a. Guide participants on how to sort the USB device list based on the "Last
Plug/Unplug Date" column.

b. Show them how to identify the most recent USB device connection by locating the
device with the latest timestamp.
6. Extracting USB Device Information:
a. Instruct participants to select the last connected USB device entry.
b. Demonstrate how to extract detailed information, such as device name, serial
number, vendor ID, product ID, and connection timestamp.
7. Documentation and Reporting:
a. Emphasize the importance of documenting the steps taken during the investigation,
including the date and time of USB device connections.
b. Instruct participants to prepare a comprehensive report summarizing their findings,
including details of the last connected USB device.
Output:

Conclusion:
Gather the participants back together to discuss their experiences and findings in using
USBDeview for USB forensics. Reinforce the significance of USB forensics in digital investigations
and cybersecurity incident response. Encourage participants to further explore USBDeview's
capabilities and other digital forensics tools to enhance their skills in analyzing USB device
connections and conducting comprehensive forensic examinations. Remind them of the ethical
considerations and legal implications when conducting digital forensics investigations.

EX. NO: 5 VIEWING LAST ACTIVITY OF YOUR PC USING LASTACTIVITYVIEW

Aim:
Viewing Last Activity of Your PC using LastActivityView
Objective:
The aim of this lab experiment is to demonstrate how to use LastActivityView, a system utility,
to view the last activity of a computer. Participants will learn how to analyze and interpret the
information provided by LastActivityView to understand the recent events and actions performed on
their PC.
Materials:
1. A computer running a Windows operating system.
2. LastActivityView software (freely available from NirSoft).
Procedure:
1. Introduction to Last Activity and LastActivityView:
a. Provide an overview of last activity on a computer, which includes events such as
application launches, system shutdowns, user logins, etc.
b. Introduce LastActivityView as a tool designed to retrieve and display detailed
information about the recent activities on a Windows PC.
2. Setting up the Lab Environment:
a. Instruct participants to download and install LastActivityView on their computer.
b. Ensure that participants have administrative privileges to access system activity
information.
3. Launching LastActivityView and Retrieving Activity History:
a. Demonstrate how to open LastActivityView on the participant's computer.
b. Instruct them to allow the tool to scan the system and retrieve the recent activity
history.
4. Analyzing Last Activity Information:
a. Guide participants on how to explore the retrieved data in LastActivityView.
b. Explain the various categories of activities, such as application events, system
events, network activity, and user logins.
5. Identifying the Last Activity on the PC:
a. Show participants how to sort the activity list based on timestamps to identify the
most recent event.
b. Instruct them to focus on the latest event to understand the last activity performed
on the PC.
6. Understanding Activity Details:
a. Assist participants in interpreting the details of the last activity, including the event
description, date, time, and associated process or user.
7. Documentation and Reporting:
a. Emphasize the importance of documenting the last activity findings, including date,
time, event description, and any notable observations.
b. Instruct participants to prepare a report summarizing their last activity analysis
using LastActivityView.
Output:

Conclusion:
Gather the participants back together to discuss their experiences and findings in using
LastActivityView to view the last activity of their PC. Reinforce the significance of last activity
analysis in digital investigations and system monitoring. Encourage participants to further explore
LastActivityView's capabilities and other system utility tools to enhance their skills in analyzing
computer activity.

EX. NO: 6 EXTRACTING BROWSER ARTIFACTS USING CHROME HISTORY VIEW

Aim: Extracting Browser Artifacts using Chrome History View

Objective:
The aim of this lab experiment is to demonstrate how to use Chrome History View, a forensic
tool, to extract browser artifacts from Google Chrome. Participants will learn how to analyze and
interpret the information from Chrome's browsing history, downloads, and cookies to gain insights
into a user's web browsing activities.
Materials:
1. A computer with Google Chrome browser installed.
2. Chrome History View software (freely available from NirSoft).
Procedure:
1. Introduction to Browser Artifacts and Chrome History View:
a. Provide an overview of browser artifacts, which include browsing history,
downloads, cookies, and other browsing-related data.
b. Introduce Chrome History View as a specialized tool designed to extract and
display browsing artifacts from Google Chrome.
2. Setting up the Lab Environment:
a. Instruct participants to download and install Chrome History View on their
computer.
b. Ensure that Google Chrome is the default browser and has browsing history and
download records.
3. Launching Chrome History View and Loading Chrome Data:
a. Demonstrate how to open Chrome History View on the participant's computer.
b. Instruct them to load the Chrome data by clicking on the "Load History from
Chrome" button.
4. Extracting Browsing History:
a. Guide participants on how to navigate to the "Browsing History" tab in Chrome
History View.
b. Show them how to view the list of visited websites, including URLs, visit times,
and visit durations.
5. Analyzing Downloads and File Metadata:
a. Instruct participants to switch to the "Downloads History" tab in Chrome History
View.
b. Demonstrate how to access the list of downloaded files, including file URLs and
file sizes.
6. Examining Cookies and Web Sessions:
a. Guide participants on how to explore the "Cookies History" tab in Chrome History
View.
b. Show them how to interpret information about cookies, their domains, creation
times, and expiration times.
7. Identifying Patterns and User Activity:
a. Assist participants in identifying patterns or significant browsing activities based
on the extracted browser artifacts.
b. Explain how browsing history, downloads, and cookies can be valuable in digital
investigations and user behavior analysis.
8. Documentation and Reporting:
a. Emphasize the importance of documenting the findings, including notable URLs,
downloaded files, and any observed patterns.
b. Instruct participants to prepare a comprehensive report summarizing their analysis
using Chrome History View.
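
Chrome keeps its browsing history in a SQLite file named History, with visit times stored as microseconds since 1601-01-01 UTC. The added example below (not part of the original lab record and not Chrome History View's own code) runs the browsing-history extraction and a per-host count from steps 4 and 7 with Python's sqlite3 module; the sample database is constructed in memory with only the urls and visits columns the query uses, and the host names are placeholders.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds):
    """Convert a Chrome timestamp to a timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(moment):
    """Inverse conversion; integer division keeps full microsecond precision."""
    return (moment - WEBKIT_EPOCH) // timedelta(microseconds=1)


def open_history_copy(path):
    """Open a working copy of the History file read-only, never the live profile file."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def load_visits(conn):
    """Return one record per visit, oldest first, with times in UTC."""
    rows = conn.execute(
        "SELECT v.visit_time, v.visit_duration, u.url, u.title "
        "FROM visits AS v JOIN urls AS u ON u.id = v.url "
        "ORDER BY v.visit_time")
    return [{"visited_utc": webkit_to_utc(when).isoformat(),
             "duration_s": (duration or 0) / 1_000_000,
             "url": url, "title": title}
            for when, duration, url, title in rows]


def visits_per_host(visits):
    """Count visits per host name to show where browsing was concentrated."""
    return Counter(urlsplit(v["url"]).hostname for v in visits)


def build_sample_history():
    """Constructed in-memory database; only the columns used above are created."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, visit_duration INTEGER);
    """)
    t0 = utc_to_webkit(datetime(2023, 9, 1, 10, 0, 0, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://mail.example.com/inbox", "Inbox"),
        (2, "https://files.example.net/report.pdf", "report.pdf")])
    conn.executemany(
        "INSERT INTO visits (url, visit_time, visit_duration) VALUES (?, ?, ?)", [
            (1, t0, 90_000_000),
            (2, t0 + 120_000_000, 5_500_000),
            (1, t0 + 600_000_000, 30_000_000)])
    return conn


if __name__ == "__main__":
    sample = load_visits(build_sample_history())
    for visit in sample:
        print(visit)
    print(visits_per_host(sample).most_common())
```

Working from a copy of the History file keeps the original evidence unmodified and avoids the lock Chrome holds on the file while it is running.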

Output:

Conclusion:
Gather the participants back together to discuss their experiences and findings in using
Chrome History View to extract browser artifacts. Reinforce the significance of browser artifact
analysis in digital forensics and cybersecurity investigations. Encourage participants to further
explore Chrome History View's capabilities and other forensic tools to enhance their skills in
analyzing web browsing activities. Remind them of the ethical considerations and legal requirements
when handling and analyzing browser artifacts.
EX. NO: 7 COMPARISON OF TWO FILES FOR FORENSICS INVESTIGATION USING COMPARE IT SOFTWARE

Aim: Comparison of Two Files for Forensics Investigation using Compare IT Software

Objective:
The aim of this lab experiment is to demonstrate how to use Compare IT, a file comparison
software, for digital forensics investigation. Participants will learn how to compare two files to
identify differences and similarities, aiding in the examination of potential evidence during forensic
analysis.
Materials:
1. A computer with Compare IT software installed.
2. Two sample files with known differences and similarities for comparison.
Procedure:
1. Introduction to File Comparison in Forensics:
a. Provide an overview of file comparison in digital forensics and its significance in
identifying potential evidence.
b. Explain how comparing files can help investigators detect changes, data
manipulations, or similarities between different versions of files.
2. Setting up the Lab Environment:
a. Instruct participants to install Compare IT software on their investigator's computer.
b. Ensure that the two sample files with known differences and similarities are
available for comparison.
3. Launching Compare IT and Loading Files:
a. Demonstrate how to open Compare IT on the participant's computer.
b. Instruct them to load the two sample files to be compared using the "Open" or "Drag
and Drop" features.
4. Performing File Comparison:
a. Guide participants on how to navigate through Compare IT's interface and options.
b. Show them how to initiate the file comparison process and analyze the results.
5. Identifying Differences and Similarities:
a. Instruct participants to focus on the sections of the compared files where differences
are highlighted.
b. Demonstrate how to identify similarities and common content between the two
files.

6. Analyzing Metadata and Hex View:
a. Show participants how to access metadata information about the compared files
(e.g., file size, dates).
b. Instruct them on how to use the hex view feature to analyze the binary content of
the files.
7. Interpreting Results for Forensics Investigation:
a. Assist participants in interpreting the results of the file comparison, particularly in
the context of forensic investigation.
b. Explain how file comparisons can help identify tampering, data manipulation, or
file version discrepancies.
8. Documentation and Reporting:
a. Emphasize the importance of documenting the file comparison process, including
the files compared, date, and time.
b. Instruct participants to prepare a report summarizing their findings from the file
comparison using Compare IT.
Output:

Conclusion:
Gather the participants back together to discuss their experiences and findings in using
Compare IT for file comparison in digital forensics investigation. Reinforce the significance of file
comparison in detecting alterations or similarities in potential evidence. Encourage participants to
further explore Compare IT's capabilities and other forensic tools to enhance their skills in digital
forensics analysis. Remind them of the ethical considerations and legal requirements when handling
and analyzing digital evidence.
EX. NO: 8 MEMORY ACQUISITION AND EMAIL EVIDENCE COLLECTION USING DUMPIT TOOL

Aim:
Memory Acquisition and Email Evidence Collection using DumpIt Tool
Objective:
The objective of this lab experiment is to demonstrate the technical process of using DumpIt,
a memory acquisition tool, to collect email evidence from a victim's PC. Participants will learn how
to acquire the volatile memory of a running system and extract potential email artifacts, which can be
valuable in digital forensics investigations involving email-related incidents.
Materials:
1. A victim's computer or a virtual machine with an operating system.
2. DumpIt tool (freely available memory acquisition tool).
Procedure:
1. Introduction to Memory Acquisition and Email Evidence:
a. Explain the importance of memory acquisition in digital forensics and its role in
capturing volatile data from a live system.
b. Emphasize the significance of email evidence in cybercrime investigations, data
breaches, and unauthorized access cases.
2. Setting up the Lab Environment:
a. Instruct participants to download the DumpIt tool and copy it to a removable media.
b. Prepare the victim's computer or virtual machine, ensuring it is running and
accessible for memory acquisition.
3. Running DumpIt for Memory Acquisition:
a. Instruct participants to insert the removable media containing DumpIt into the
victim's computer or virtual machine.
b. Guide them on running DumpIt from the command prompt or command-line
interface, specifying the destination for the memory dump file.
c. Participants should initiate the memory acquisition process by executing DumpIt to
capture the RAM.
4. Extracting Email Artifacts from Memory Dump:
a. Instruct participants to access the memory dump file obtained by DumpIt.
b. Introduce forensic tools like Volatility and guide them on how to analyze the
memory dump for email artifacts.
c. Demonstrate how to use Volatility plugins to identify email addresses, subject lines,
message bodies, and attachments.
5. Identifying Email Data:
a. Participants should search for email artifacts within the memory dump using
Volatility.
b. Assist them in interpreting the extracted email data to recognize potential evidence
for the investigation.
6. Documenting and Preservation:
a. Emphasize the importance of documenting the memory acquisition process,
including the date, time, and location of the memory dump.
b. Instruct participants to ensure the integrity and preservation of the memory dump
file for further analysis, if required.
7. Analyzing Email Evidence for Forensics Investigation:
a. Assist participants in interpreting the email artifacts and identifying any relevant
information for the investigation.
b. Explain the significance of email evidence in digital forensics and how it can
contribute to building a strong case.
8. Documentation and Reporting:
a. Participants should prepare a comprehensive report summarizing their email
evidence collection using DumpIt and the findings from the memory dump analysis.
b. The report should include details about the memory acquisition process, identified
email artifacts, and any insights gained from the investigation.
Output:

Conclusion:
Gather the participants back together to discuss their experiences and findings in using
DumpIt to collect email evidence from a victim's PC. Reinforce the significance of memory
acquisition in digital forensics and its role in gathering valuable evidence. Encourage participants to
further explore memory forensics techniques and other forensic tools to enhance their skills in
acquiring and analyzing volatile data. Remind them of the ethical considerations and legal
requirements when handling digital evidence from a live system.

EX. NO: 9 HIDING AND EXTRACTING TEXT FILE BEHIND AN IMAGE/AUDIO FILE USING COMMAND PROMPT

Aim:
Hiding and Extracting Text File behind an Image/Audio File using Command Prompt
Objective:
The aim of this lab experiment is to study the process of hiding and extracting a text file
behind an image or audio file using the Command Prompt. Participants will learn how to merge a
text file into an image or audio file to create a steganographic container, and then extract the hidden
text file from the container using basic Command Prompt commands.
Materials:
1. A computer with Command Prompt or Terminal access.
2. An image file (e.g., .jpg, .png) or an audio file (e.g., .wav, .mp3) to use as the container.
3. A text file to hide inside the container.
Procedure:
Here's the technical process of hiding and extracting a text file behind an image or audio file
using Command Prompt:
1. Preparation:
a. Place the image or audio file (container) and the text file (payload) in the same
directory or location on your computer.
2. Hiding the Text File inside the Container (Image/Audio):
• On Windows:
a. Open Command Prompt by typing "cmd" in the search bar and pressing Enter.
b. Use the "cd" command to navigate to the directory where the files are located.
c. To hide the text file inside the image or audio file, use the "copy /b" command as
follows:
```
copy /b container.jpg + payload.txt output.jpg
```
Replace "container.jpg" with the name of your image or audio file, and "payload.txt" with the
name of your text file. The output will be saved as "output.jpg."
• On Linux/Mac:
a. Open Terminal by searching for "Terminal" in the applications or using the shortcut
(Ctrl+Alt+T).
b. Use the "cd" command to navigate to the directory where the files are located.

c. To hide the text file inside the image or audio file, use the "cat" command as follows:
```
cat container.jpg payload.txt > output.jpg
```
Replace "container.jpg" with the name of your image or audio file, and "payload.txt" with the
name of your text file. The output will be saved as "output.jpg."
• Verification:
a. Check the size and content of the new "output.jpg" file to verify that the text file has
been successfully hidden inside the container. It should be larger than the original
image or audio file.
3. Extracting the Hidden Text File:
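• On Windows:
a. Open Command Prompt and navigate to the directory where the "output.jpg" file is
located.
b. To extract the hidden text file from the container, copy out the bytes that follow the
original container, calling PowerShell from Command Prompt as follows:
```
powershell -Command "$b=[IO.File]::ReadAllBytes('output.jpg'); $n=(Get-Item 'container.jpg').Length; [IO.File]::WriteAllBytes('extracted.txt', [byte[]]($b[$n..($b.Length-1)]))"
```
The hidden text file will be extracted and saved as "extracted.txt."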
• On Linux/Mac:
a. Open Terminal and navigate to the directory where the "output.jpg" file is located.
b. To extract the hidden text file from the container, use the "tail" command to copy the
bytes that follow the original container, as follows:
```
tail -c +$(( $(wc -c < container.jpg) + 1 )) output.jpg > extracted.txt
```
The hidden text file will be extracted and saved as "extracted.txt."
4. Verification and Decryption:
a. Open the "extracted.txt" file to verify that it matches the original text file used for
hiding. The extracted text file should contain the same content as the original payload
file.
5. Understanding the Limitations and Security Implications:
a. Basic steganography techniques like this have limitations, such as low capacity and
vulnerability to detection.

b. For sensitive information, use stronger encryption and more advanced
steganographic tools to ensure security.
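
Because "copy /b" and "cat" only place the payload after the image's last byte, an examiner can find it by locating where the JPEG really ends. The added example below (not part of the original lab record) walks the JPEG segment structure to the end-of-image marker and reports any bytes stored after it; the sample bytes are constructed rather than taken from a real photo, and only JPEG containers are handled.

```python
import hashlib
import struct

EOI, SOS = 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0-RST7 carry no length field


def skip_scan(data, pos):
    """Skip entropy-coded scan data; return the offset of the next real marker."""
    while True:
        pos = data.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(data):
            raise ValueError("scan data ends without a marker")
        nxt = data[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed 0xFF byte or restart marker
            pos += 2
        elif nxt == 0xFF:                        # fill byte
            pos += 1
        else:
            return pos


def jpeg_end_offset(data):
    """Walk the segment structure and return the offset just past the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
        elif marker == EOI:
            return pos + 2
        elif marker in NO_LENGTH:
            pos += 2
        else:
            if pos + 4 > len(data):
                raise ValueError("truncated segment header")
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + length                    # length counts its own two bytes
            if marker == SOS:
                pos = skip_scan(data, pos)
    raise ValueError("no EOI marker found")


def find_appended_data(data):
    """Return (end_of_image_offset, bytes stored after the image)."""
    end = jpeg_end_offset(data)
    return end, data[end:]


def describe(data):
    """Summary for case notes: where the image ends and what follows it."""
    end, extra = find_appended_data(data)
    return {"image_bytes": end, "trailing_bytes": len(extra),
            "trailing_sha256": hashlib.sha256(extra).hexdigest() if extra else None}


# Constructed sample, not a real photo: a minimal segment layout whose APP1
# segment embeds a thumbnail that carries its own FF D9 marker.
THUMBNAIL = b"\xff\xd8THUMB\xff\xd9"
APP1 = b"\xff\xe1" + struct.pack(">H", 2 + len(THUMBNAIL)) + THUMBNAIL
SCAN = b"\xff\xda" + struct.pack(">H", 3) + b"\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
CONTAINER = b"\xff\xd8" + APP1 + SCAN + b"\xff\xd9"
PAYLOAD = b"meet at 9pm\n"
STEGO = CONTAINER + PAYLOAD              # what "copy /b" or "cat" produces

if __name__ == "__main__":
    print(describe(STEGO))
    print("naive search for the first FF D9 ends at", STEGO.find(b"\xff\xd9") + 2)
```

Searching for the first FF D9 stops inside the embedded thumbnail, which is why the segment lengths are followed instead. Trailing bytes are a lead to examine rather than proof of hiding, since some cameras and phones write their own data after the end-of-image marker.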

Output:

Conclusion:
Gather the participants back together to discuss their experiences and findings in hiding and
extracting text files behind image or audio files using Command Prompt. Reinforce the significance
of steganography in data concealment and its applications in digital security. Encourage participants
to further explore advanced steganographic techniques and encryption methods to enhance their
knowledge of secure data hiding.
EX. NO: 10 EXTRACTING EXCHANGEABLE IMAGE FILE FORMAT (EXIF) DATA FROM IMAGE FILES USING EXIFREADER SOFTWARE

Aim:
Extracting Exchangeable Image File Format (EXIF) Data from Image Files using Exifreader
Software
Objective:
The objective of this lab experiment is to demonstrate the technical process of using
Exifreader, a specialized software, to extract Exchangeable Image File Format (EXIF) data from
image files. Participants will learn how to view and interpret the metadata stored in digital images,
including camera settings, date, time, and GPS coordinates, which can be valuable in digital forensics
investigations and photography analysis.
Materials:

1. A computer with Exifreader software installed.

2. Sample image files with EXIF data for analysis.


Procedure:
1. Introduction to EXIF Data:
a. Explain that EXIF data is embedded in digital images and contains valuable
information about the image's creation.
b. Detail how EXIF data includes camera settings, exposure, aperture, ISO, focal
length, date, time, and GPS coordinates (if available).
2. Setting up the Lab Environment:
a. Instruct participants to download and install Exifreader software on their
investigator's computer.
b. Provide them with sample image files (JPEG format) that have EXIF data
embedded for analysis.
3. Launching Exifreader and Loading Image Files:
a. Demonstrate how to open Exifreader on the participant's computer.
b. Instruct them to load the sample image files into Exifreader to view their EXIF data.
4. Viewing and Analyzing EXIF Data:
a. Guide participants on navigating and exploring the EXIF data within Exifreader.
b. Show them how to interpret the camera settings, such as shutter speed, aperture,
ISO, and focal length, from the EXIF data.

5. Extracting GPS Coordinates:
a. Instruct participants on identifying GPS coordinates, if available, in the EXIF data.
b. Demonstrate how to convert the GPS coordinates (latitude and longitude) into a
readable location using mapping services like Google Maps.
6. Understanding Timestamps:
a. Explain the significance of timestamps in EXIF data, including the date and time
the photo was taken.
b. In digital forensics, timestamps can be essential in establishing the timeline of
events.
7. Documentation and Reporting:
a. Emphasize the importance of documenting the EXIF data extracted from the sample
image files.
b. Instruct participants to prepare a comprehensive report summarizing their findings,
including camera settings, timestamps, GPS coordinates, and any other relevant
information.
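
Steps 5 and 6 in code, as an added example that is not part of the original lab record and not Exifreader's own code: a minimal reader for the TIFF-structured EXIF block in a JPEG's APP1 segment that returns the capture timestamp and converts the GPS degrees/minutes/seconds rationals into signed decimal degrees for a map query. The sample image bytes and coordinates are constructed, and only the tag types needed here are decoded.

```python
import struct
from datetime import datetime

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}       # BYTE, ASCII, SHORT, LONG, RATIONAL
EXIF_IFD, GPS_IFD = 0x8769, 0x8825                # pointer tags in IFD0
DATETIME_ORIGINAL, OFFSET_TIME_ORIGINAL = 0x9003, 0x9011

def exif_block(jpeg):
    """Return the TIFF-structured EXIF block from a JPEG's APP1 segment, or None."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + length]
        pos += 2 + length
    return None

def read_ifd(tiff, offset, bo):
    """Decode one image file directory into {tag: value}; bo is '<' or '>'."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    tags = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(bo + "HHI", tiff, entry)
        size = TYPE_SIZE.get(typ, 0) * n
        if size == 0:
            continue                              # type not handled in this example
        # Values of up to 4 bytes sit in the entry itself, larger ones at an offset.
        pos = entry + 8 if size <= 4 else struct.unpack_from(bo + "I", tiff, entry + 8)[0]
        raw = tiff[pos:pos + size]
        if len(raw) < size:
            continue                              # offset points outside the block
        if typ == 2:
            tags[tag] = raw.split(b"\0")[0].decode("ascii", "replace")
        elif typ == 5:
            nums = struct.unpack(bo + "II" * n, raw)
            tags[tag] = [(nums[j], nums[j + 1]) for j in range(0, 2 * n, 2)]
        else:
            vals = struct.unpack(bo + {1: "B", 3: "H", 4: "I"}[typ] * n, raw)
            tags[tag] = vals[0] if n == 1 else list(vals)
    return tags

def parse_exif(tiff):
    """Return the (Exif sub-IFD, GPS IFD) tag dictionaries."""
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if bo is None or struct.unpack_from(bo + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF-structured EXIF block")
    ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    exif = read_ifd(tiff, ifd0[EXIF_IFD], bo) if EXIF_IFD in ifd0 else {}
    gps = read_ifd(tiff, ifd0[GPS_IFD], bo) if GPS_IFD in ifd0 else {}
    return exif, gps

def to_decimal(dms, ref):
    """Degrees/minutes/seconds rationals plus N/S/E/W reference to signed degrees."""
    if len(dms) != 3 or any(den == 0 for _, den in dms):
        return None                               # zero denominators mean "no value"
    deg, minute, sec = (num / den for num, den in dms)
    value = deg + minute / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def summarize(tiff):
    """Collect the timeline and geolocation fields an examiner would report."""
    exif, gps = parse_exif(tiff)
    out = {"taken": None, "utc_offset": exif.get(OFFSET_TIME_ORIGINAL),
           "lat": None, "lon": None, "map_url": None}
    if DATETIME_ORIGINAL in exif:
        out["taken"] = datetime.strptime(exif[DATETIME_ORIGINAL], "%Y:%m:%d %H:%M:%S")
    if all(tag in gps for tag in (1, 2, 3, 4)):   # LatRef, Lat, LonRef, Lon
        lat, lon = to_decimal(gps[2], gps[1]), to_decimal(gps[4], gps[3])
        if lat is not None and lon is not None:
            out.update(lat=lat, lon=lon, map_url="https://www.google.com/maps/search/"
                       f"?api=1&query={lat:.6f},{lon:.6f}")
    return out

def build_sample_jpeg():
    """Constructed little-endian EXIF inside a minimal JPEG wrapper (not a real photo)."""
    def entry(tag, typ, n, value):                # value: offset (int) or 4 inline bytes
        packed = struct.pack("<I", value) if isinstance(value, int) else value
        return struct.pack("<HHI", tag, typ, n) + packed
    def ifd(entries):
        return struct.pack("<H", len(entries)) + b"".join(entries) + b"\0\0\0\0"
    when = b"2023:09:01 10:15:30\0"
    lat = struct.pack("<6I", 13, 1, 10, 1, 4812, 100)      # 13 deg 10' 48.12"
    lon = struct.pack("<6I", 77, 1, 38, 1, 600, 100)       # 77 deg 38' 6.00"
    # Layout: header 0-8, IFD0 8-38, Exif IFD 38-56, GPS IFD 56-110, data from 110.
    ifd0 = ifd([entry(EXIF_IFD, 4, 1, 38), entry(GPS_IFD, 4, 1, 56)])
    exif = ifd([entry(DATETIME_ORIGINAL, 2, 20, 110)])
    gps = ifd([entry(1, 2, 2, b"N\0\0\0"), entry(2, 5, 3, 130),
               entry(3, 2, 2, b"E\0\0\0"), entry(4, 5, 3, 154)])
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + exif + gps + when + lat + lon
    app1 = b"\xff\xe1" + struct.pack(">H", 8 + len(tiff)) + b"Exif\0\0" + tiff
    return b"\xff\xd8" + app1 + b"\xff\xd9"

if __name__ == "__main__":
    print(summarize(exif_block(build_sample_jpeg())))
```

DateTimeOriginal carries no time zone, so unless OffsetTimeOriginal is present the value should be recorded as camera-local time when it is placed on a timeline.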
Output:

Conclusion:
Gather the participants back together to discuss their experiences and findings in using
Exifreader to extract EXIF data from image files. Reinforce the significance of EXIF data in digital
investigations and its applications in photography analysis and geolocation. Encourage participants
to further explore advanced EXIF analysis techniques and other digital forensics tools to enhance
their skills in extracting and analyzing metadata from digital images. Remind them of the ethical
considerations and privacy aspects when handling images and their associated metadata.