Forensic Technology
FACULTY OF ENGINEERING
Windows Forensic Image Case Study
MAY 2024
Presented by:
Anthony Debbas
Jamal El Jari
Mohamad Taleb
Submitted to:
Dr. Elie Nassr
Introduction
Objectives
Image Acquisition
Analysis of Evidence
Conclusion
• The primary objective of this project is to demonstrate proficiency in conducting forensic analysis on a
Windows system image. Through a systematic approach, we aim to extract, analyze, and interpret various
artifacts present within the system, shedding light on user activities, system events, and potential security
incidents.
FTK Imager
FTK Imager, a free tool, preserves the integrity of digital evidence by analyzing
drive images without modifying their original state. It supports all operating
systems, recovers deleted files, parses XFS files, and generates file hashes for
data integrity checks. Therefore, it is a crucial tool for forensic investigations.
Wireshark
Wireshark is the world’s most-used network protocol analysis tool, trusted by
governments, corporations, and academic institutions worldwide. It provides
microscopic-level visibility into network activity by capturing and analyzing network
traffic. With a user-friendly interface available on multiple operating systems,
Wireshark aids in detecting and investigating malicious activity. It supports various
data sources and allows exporting of output in multiple formats.
Autopsy
Autopsy is a modular and user-friendly digital forensics platform used by investigators to
assess computer and phone data. It offers timeline analysis, hash filtering, keyword search, web
artifact extraction, file recovery, and rapid identification of indicators of compromise.
Background jobs run in parallel, providing quick results for targeted keywords. Autopsy also
allows for creating a centralized repository and is an open-source solution. It is currently
available for Windows only.
FTK Imager is a powerful forensic imaging tool used to acquire disk images and perform various
forensic tasks. Here are the steps to create an image using FTK Imager:
Step 1: Choose Source Drive: In the "Select Source" window, choose the drive or device you want to create an image of. This could be a physical disk, a partition, or a logical drive.
Step 2: Choose Destination: Next, you'll need to specify the destination where you want to save the image file. Click on the "Add" button to select the destination folder and provide a name for the image file.
Step 6: Start Imaging: Once you've configured the settings, click on the "Start" button to begin the imaging process. FTK Imager will start creating the disk image.
Step 7: Monitor Progress: You can monitor the progress of the imaging process in the FTK Imager interface. Depending on the size of the disk and the options you've selected, this process may take some time.
In this section, we'll display a list of all the software that has been downloaded and installed on this machine.
Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE
EXIF (Exchangeable Image File Format) metadata in Windows 7 refers to the additional information
embedded within image files captured by digital cameras or created by image editing software.
Recycle Bin
Registry Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
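The BitBucket key above only records Recycle Bin settings; on Windows Vista and later the per-deletion metadata (original path, size, deletion time) lives in $Recycle.Bin\<SID>\$I... files on the acquired volume. The parser below is an added example, not the project's own code: it decodes one $I record (version 1 as used by Windows 7, and version 2 as used by Windows 10), and the sample records and helper names are constructed for this illustration.

```python
"""Decode Windows Recycle Bin $I metadata records (illustrative helper, not the project's code)."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_i_record(data: bytes) -> dict:
    """Return version, original size, deletion time and original path of one $I file."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista/7/8: fixed 520-byte UTF-16LE path field (260 chars), NUL padded.
        path = data[24:544].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # Windows 10+: 4-byte character count (including NUL) followed by the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_i_record(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Construct a synthetic $I record so the parser can be exercised offline."""
    ft = int((deleted - _EPOCH_1601).total_seconds()) * 10_000_000
    header = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return header + path.encode("utf-16-le").ljust(520, b"\x00")
    body = (path + "\x00").encode("utf-16-le")
    return header + struct.pack("<I", len(path) + 1) + body


# Constructed sample: a file deleted on 1 May 2024 12:00 UTC, in both on-disk layouts.
DELETED = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_V1 = build_i_record(1, r"C:\Users\investigator\Documents\notes.txt", 4096, DELETED)
SAMPLE_V2 = build_i_record(2, r"C:\Users\investigator\Documents\notes.txt", 4096, DELETED)

if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        print(parse_i_record(rec))
```

On a real image, feed the bytes of each $I file extracted from $Recycle.Bin\<SID>\ to parse_i_record; the matching $R file holds the deleted content itself.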
This key contains information about USB controllers and hubs on the system. Each subkey represents a USB
controller or hub and may contain information about attached devices.
Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Web browsers like Internet Explorer, Google Chrome, Mozilla Firefox, etc., may store cookies, passwords, and
other account-related information in their respective locations within the registry. These locations may vary
depending on the browser and its version.
User account information, including user profiles, login credentials, and account settings, is stored in the
Windows Registry at the following path.
Registry Path: SAM\Domains\Account\Users\Names
In summary, this Windows forensic project has provided valuable insights into the intricate world of digital
investigations within the Windows environment. Through meticulous analysis and examination of digital
artifacts, we've uncovered a wealth of evidence crucial for understanding past events and behaviors on the
system.