Project Report On

Implementation of Forensics tool to identify

digital evidence

Cyber Forensics - Laboratory

[Course Code: CAP 797]

Lovely Professional University

Phagwara, Punjab (India)

Submitted By
Anish Raj, Alaukik Deep, Vivek Kumar
12110401, 12111271, 12107030

Submitted To
Dr Yasir Afaq
Asst. Professor, SCA
 Content

Activity 1: Introduction ................................................................................. 5

1.1. What is Cyber Forensics ................................................................ 5
1.2. Why is cyber forensics important .................................................... 7
1.3. How it works ................................................................................... 7

Activity 2 Tools used in Cyber Forensics .................................................... 9

1.4. Kali Linux........................................................................................ 9
1.5. FTK Imager .................................................................................... 9
1.6. Wireshark ..................................................................................... 10
1.7. Autopsy ........................................................................................ 11

Activity 3 Implementation of dcfldd, dc3dd ................................................ 12

1.8. Process Panel .............................................................................. 12
1.9. Output .......................................................................................... 13
1.10. Statistics ....................................................................................... 14
1.11. Visualization ................................................................................. 14
1.12. Interpretation of results ................................................................. 15

Activity 4 Analysis of Data ......................................................................... 18

1.13. FTK Imager .................................................................................. 18
1.14. Output .......................................................................................... 19
 Activity 1: Introduction

Cybercrime is a growing concern in today's world, and it is critical to have

effective mechanisms in place to investigate and prosecute those responsible.
Digital forensic analysis is a crucial tool in investigating cybercrime. The purpose
of this project is to implement a forensic tool that can identify digital evidence.
Therefore, Cyber Forensics play a major role in cyber investigation.

What is Cyber Forensics?

Cyber forensics, referred to as digital forensics or computer forensics, is the use

of investigation and analytical techniques to collect and preserve electronic
evidence for the purpose of looking into and prosecuting cybercrime or other forms
of digital occurrences. In cyber forensics, digital evidence from computer systems,
networks, storage devices, and other electronic devices is gathered, preserved,
examined, analyzed, and presented in order to find digital traces of crimes or other
illegal activity.
 Based on their findings, investigators can potentially be obliged
to offer expert testimony in court. Cyber forensics is used to look into a variety of
digital incidents, including online fraud, data breaches, and theft of intellectual
property and computers. It is an essential tool for organizations, enterprises, and
law enforcement to guarantee the security of their digital assets and defend against
online attacks.

Why is Cyber Forensics important?

Cyber forensics is important in cyber investigation for several reasons:

➢ Digital Evidence: In today's world, most crimes leave digital traces. Cyber
forensics helps to extract and analyze digital evidence from devices such as
computers, smartphones, and other electronic devices. This digital evidence
can be used to establish the identity of suspects, their location at the time of
the crime, and their motives.

➢ Admissible in court: The digital evidence collected through cyber forensics

is admissible in court as evidence. Cyber forensic experts follow proper
chain-of-custody procedures to ensure that the evidence is not tampered
with, which makes it more reliable and acceptable in court.

➢ Identify the source of the attack: Cyber forensics can help to identify the
source of an attack or a breach. This information can be used to prevent
similar attacks in the future and to take appropriate action against the
perpetrators.

➢ Incident Response: Cyber forensics can be used as a tool for incident

response, to identify the scope and extent of a breach or an attack. It can
help organizations to identify the systems and data that have been
compromised and to take appropriate action to contain the damage.

➢ Security Improvement: Cyber forensics can help organizations to improve

their security posture by identifying vulnerabilities and gaps in their security
systems. It can also help to identify areas for improvement in policies and
procedures.
Overall, cyber forensics plays a critical role in cyber investigation, as it helps to
identify the perpetrators, establish the facts of the case, and provide evidence that
can be used in court.

How it works?
Cyber forensics works in cyber investigation through a well-defined process that
involves the following steps:

1. Identification: The first step in cyber forensic investigation is to identify the

scope of the investigation, the devices or systems that need to be analyzed,
and the type of digital evidence that needs to be collected.

2. Preservation: Once the scope has been identified, the next step is to
preserve the digital evidence. This involves taking steps to prevent any
further damage to the system or device, such as shutting down the device,
disconnecting it from the network, or isolating it from other devices.

3. Collection: The next step is to collect the digital evidence. This involves
using specialized tools and techniques to extract data from the device or
system. The data is collected in a forensically sound manner, to ensure that
it is admissible in court.

4. Analysis: After the data has been collected, the next step is to analyze it.
This involves using specialized software to search for patterns and
anomalies in the data. The goal of the analysis is to identify any relevant
information that can help to establish the facts of the case.

5. Reporting: The final step in cyber forensic investigation is to report the

findings. The report should include a summary of the investigation, a
description of the digital evidence that was collected, the results of the
analysis, and any conclusions that can be drawn from the data.

Overall, cyber forensic investigation is a complex process that requires specialized

skills and knowledge. It is important to follow a well-defined process to ensure that
the evidence is collected and analyzed in a forensically sound manner, and that
the results are admissible in court.

Activity 2: Tools used in Cyber Forensics

1. Kali Linux

For advanced penetration testing, digital forensics, and

security auditing, there is a Linux distribution called
Kali. It has pre-installed tools for many different
categories, including data collection, vulnerability
analysis, web applications, password attacks, wireless
attacks, and more. By adding or removing tools and
packages, Kali Linux can be modified to meet unique
needs.

Without the requirement for installation on the computer, Kali Linux can be run
immediately from a USB drive or DVD, enabling users to test the software without
modifying their current operating system. Additionally, it contains built-in security
features including automated upgrades, full disc encryption, and secure defaults
for network services.
In general, Kali Linux is a well-liked and frequently used tool for security experts
and researchers, but it should only be used by qualified experts who have a solid
grasp of computer security principles and procedures.

2. FTK Imager

FTK Imager is a powerful and widely used tool for digital forensics investigations.
It allows the examiner to create forensic images of hard drives, logical drives, and
 other storage media. This report will focus on the analysis of data
using FTK Imager, and the output that can be obtained from this
tool.

FTK Imager is a free tool that is used to create forensic images of

hard drives and other digital storage devices. It allows investigators to create a bit-
for-bit copy of the digital device and analyze it without altering the original data.
FTK Imager is also useful in the investigation of cyber crimes such as hacking,
malware, and cyber espionage.

3. Wireshark

Wireshark: Wireshark is a network protocol analyzer that is used

to capture and analyze network traffic. It is an important tool in
the investigation of cybercrimes such as hacking and data theft.
Wireshark allows investigators to capture and analyze network
traffic in real-time and can also be used to analyze previously
captured network traffic.

4 Autopsy

Autopsy is a widely used digital forensics platform that is commonly used in cyber
forensics investigations. It is an open-source tool that provides a user-friendly
interface for analyzing and investigating digital evidence. Autopsy offers a wide
range of features and capabilities that allow investigators to analyze and
investigate digital evidence in detail.

It is used by cyber forensics investigators to conduct in-depth analysis of digital

evidence in order to identify and preserve evidence related to cybercrimes.
Autopsy provides a range of features that allow investigators to analyze a variety
of digital media, including hard drives, memory cards, and other storage devices
 Activity 3: Implementation of DCFLDD and DC3DD

DCFLDD and DC3DD

dcfldd and dc3dd are two open-source command-line tools used for copying and
imaging data. They are enhanced versions of the classic dd command and
provide features such as on-the-fly hashing, progress bars, and error handling.
The main difference between the two tools is that dc3dd includes additional
features such as pattern writing and verification, support for simultaneous
imaging of multiple disks, and an extended set of hash algorithms.

Process: The basic process of using dcfldd or dc3dd involves several process
from updating the kali linux to specifying the input and output files of devices and
then running the command. The tools will read data from the input file or device
and write it to the output file or device. During this process, the tools can also
perform hashing, verify the data, and display progress information.

Fig. 1: Update Kali Linux

Fig.2: Install dc3dd & dcfldd

Fig.3: Listing all the available parameters in dc3dd tool
 Fig.4- list information about all the available hard drives

Output

The output of dcfldd and dc3dd is the copied or imaged data that is written to the
output file or device. The output can also include log files that contain information
about the copying process, such as the number of bytes copied and any errors
encountered.

Fig. 5: To create a hash and bit by but copy of hard drive

Statistics:

Both tools provide statistics about the copying process, such as the number of
bytes copied, the transfer rate, and the estimated time remaining. The tools can
also display progress bars that show the percentage of the copy process that is
completed.

Fig. 6: Creating a split image of 50M size using DCFLDD tool

Fig.7: Using ls command to split output files in numerical format

Visualization:
Both tools can display progress bars that show the percentage of the copy process
that is completed. In addition, dc3dd can display a graphical representation of the
data being copied, which can be helpful for detecting patterns or anomalies in the
data.
 Fig. 8: For avoiding the integrity of data

Fig. 9 Visualization f hash files generated using dcfldd tool

Interpretation of Result

The result of using dcfldd or dc3dd is a copy or image of the input data. The output
can be compared to the input to ensure that the copy was successful and that no
data was lost or corrupted during the process. The hashing feature of both tools
can be used to verify the integrity of the copied data by comparing the hash of the
input to the hash of the output.
The log files produced by the tools can also be used to identify any errors or issues
that occurred during the copying process. Overall, the result of using dcfldd or
dc3dd is a reliable copy or image of the input data that can be used for forensic
analysis, data recovery, or other purposes.
Now that we have successfully created bitstream copies of the evidence, let's look
at verifying the integrity of the forensic acquisitions using hash verification

Fig. 10- Creation of log files to identify errors

Fig. 11- Verifying integrity of the forensic acquisitions using hash verification
Then, We will be analyzing acquired forensic images using various tools. However,
the image can also be copied or directly cloned to another device if the investigator
wishes. Example, we could clone the forensic image acquired previously onto a
new drive recognized like sda/sdb.

Activity 4: Analysis of Data

FTK Imager

FTK Imager is a powerful and widely used tool for digital forensics investigations.
It allows the examiner to create forensic images of hard drives, logical drives, and
other storage media. This report will focus on the analysis of data using FTK
Imager, and the output that can be obtained from this tool.

FTK Imager is a tool used for forensic imaging and data analysis.
It can be used to acquire and analyze data from various sources,
such as hard drives, memory, and mobile devices. FTK Imager is
a user-friendly tool that provides a wide range of features for
forensic investigators.

Once the forensic image has been created using FTK Imager, the examiner can
begin the analysis process. FTK Imager provides a number of tools and features
that allow the examiner to analyze the data in great detail.

Some of the features that can be used for data analysis in FTK Imager include:

1. File Type Identification: FTK Imager can be used to identify the file types that
are present in the forensic image. This can be useful in determining the type
of data that has been stored on the device.
2. Keyword Search: FTK Imager allows the examiner to search for specific
keywords or phrases within the forensic image. This can be useful in
identifying important information that may be relevant to the investigation.

3. Hash Value Verification: FTK Imager can be used to verify the hash value of
files within the forensic image. This can help to ensure that the data has not
been tampered with.

4. Timeline Analysis: FTK Imager provides a timeline analysis feature that allows
the examiner to view the activity on the device over a specific period of time.
This can be useful in identifying patterns of behavior or activity that may be
relevant to the investigation.

Output of FTK Imager

The output of FTK Imager will depend on the type of analysis that is conducted.
Some of the possible outputs include:

Fig. 12- Selection of evidence to analyze the data.

Fig. 13- Browse the source path of evidence

Fig. 14- Give the information of evidence

Fig. 12- Visualize the data in hex format
 Fig. 13- Visualize the data in text format

Fig. 14- Visualize the data in visual format

 Conclusion:

Digital forensics is a critical tool in investigating cybercrime. Implementing a

forensic tool that can identify digital evidence is essential to ensure that those
responsible for cybercrime are prosecuted. The project aims to develop an
understanding of digital forensics and to implement a forensic tool that can identify
digital evidence. The expected outcomes of the project are a clear understanding
of digital forensics, identification of a suitable forensic tool, successful
implementation of the selected tool, and effective identification of digital evidence
using the implemented tool.