
Cybercrime Laboratory Manual


I. Course Content

A. How to Install Incident Response tools on your laptop or computer
• Magnet Ram Capture
• FTK imager
• Exif Tool
• Dumpit
• EDD
• Hash Generator
• Autopsy
B. Laboratory activity on Capturing the RAM using Magnet RAM Capture
C. Laboratory Activity on Imaging the RAM using FTK Imager
D. Laboratory Activity on Imaging the RAM using Dumpit
E. Laboratory Activity to check for encryption using EDD
F. Laboratory Activity on Imaging the computer hard drive/USB Flash drive using FTK Imager
G. Laboratory Activity on generating the hash value using Hash Generator
H. Laboratory Activity on Analyzing an image dump (recover and view deleted files) using FTK imager
I. Laboratory Activity on examining/producing Metadata of Photo, video, or Images using the Exif tool
J. Laboratory activity to check for file extension mismatch using autopsy and examining/producing metadata of photo, video, and document files.
K. Practical exercises on how to conduct cybercrime incident response

II. Course Outcomes:

At the end of the course the student will be able to:
1. Apply Dumpit, Magnet Ram Capture, FTK imager, and autopsy on memory forensics
2. Understand the importance of forensic imaging
3. Learn how to use these forensic tool kits in imaging the RAM and hard drive and producing a hash value
4. Perform file carving and examination of metadata
5. Perform forensic imaging on RAM and hard drive
6. Learn how to execute cybercrime incident response

Cybercrime Incident Response

What is a digital device?

A physical unit of equipment that contains a computer or microcontroller.

What is digital evidence?

Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, among other places.

Types of Digital Evidence

1. Web-based - refers to something that is relating to or done using the Web.
2. Computer Generated digital evidence.
• File Transfer Protocol (FTP) log - An FTP log is a record of all activities and transactions that occur during file transfers using the File Transfer Protocol (FTP). These logs are essential for monitoring, troubleshooting, and ensuring the security of file transfers. The File Transfer Protocol (FTP for short) is a set of rules that tell computers how to transfer files between different systems online. FTP can be used within an internal network of computers, or online between different web servers.
• Internet Service Provider (ISP) - any company that provides Internet access to consumers and businesses. The Internet is provided through a variety of channels, including cable, DSL, fiber optics, dial-up, and wireless, with most ISPs offering all options. Most large telecommunication companies, such as mobile and cable companies, are ISPs.
• Registry Files (Computer) - a text file with a .reg file extension. It is used to update the Windows Registry by adding, editing, or removing keys and values. This part of Windows stores much of the information and settings for software programs, hardware devices, user preferences, and operating system configurations.
• GPS records (location) - GPS is a network of satellites and receiving devices used to determine the location of something on Earth.

Live forensic – Examination of a powered-on/live computer's entire running system.
• It is a forensic activity performed on a running system.
• Some data is only stored in memory and never saved to files on the storage devices, so it must be captured from memory while the system is live.
• Both ephemeral and persistent data are present in memory.
- Also known as Volatile Data Collection, it is the process where data is collected from a system in real time while the system is still running. It can capture data such as running processes, network connections, logged-on users and memory that would otherwise be lost if the system is shut down.

Dead box forensic - A forensic technique where practitioners capture an entire image of a system and analyze the contents offline.

What is a Forensic Image?

The golden rule of investigation applies also to digital forensics: "Never touch, change, or alter anything until it has been documented, identified, measured, and photographed."

After acquiring a hard drive, forensic imaging is frequently required to validate the integrity of the image against the original media. Law enforcement authorities usually perform this for court presentation; after the creation of a forensic image its integrity can be checked to verify that it has not been tampered with.

One of the most critical steps involved in a digital forensic investigation is forensic imaging, which is the process of making an archival or backup copy of the entire hard drive. The storage file is the one that contains all the necessary information to boot the operating system. However, this imaged disk needs to be applied to the hard drive to work.

Thus, Forensic Imaging is the processes and tools used in copying electronic media such as a hard-disk drive for conducting investigations and gathering evidence that will be presented in a court of law.

This copy not only includes files that are visible to the operating system but every bit of data: every sector, partition, file, folder, master boot record, deleted file, and unallocated space. The image is an identical copy of all the drive structures and contents.

"Cardinal Rule of Digital Investigation"

The original data must never be touched. The standard rule is that a forensically sound copy of the original must be made and the examination and analysis of data be performed on the forensic copy.

Image types

Two types of images can be created:
▪ physical image or;
▪ logical image.

Physical Image
A physical image is a complete image of all the contents of a storage device, a so-called bitstream copy. A bitstream copy involves the copy of all areas of a storage device.
▪ It includes the unallocated space of the storage device.
▪ Data recovery can be performed on this copy image.

Logical Image

A logical image is a file system-level image.
▪ It is created when unable to create a physical image (e.g. device limitations) or;
▪ when only a certain folder is to be imaged (e.g. a user's mailbox, or a user directory on a server).
▪ Creating a logical image is the best technique to capture the data in a folder.
▪ A logical image does not capture any unallocated data.

Imaging formats

The most common options offered by tools are:

Raw (DD)

The RAW image format is basically a bit-for-bit copy of the RAW data of either the disk or the volume stored in a single or multiple files.
▪ No metadata is stored in the image files.
▪ Most tools create a separate text file containing all the details regarding the image file, including the used hardware/software, source and destination details and hash values.

Advantage of RAW Image Format
▪ The files only contain unmodified source data.
▪ This means almost every tool supports raw images.

Disadvantage of the RAW image format
▪ The lack of any metadata.
▪ Without the text file there is no way to determine the source of the
▪ It also lacks any form of compression, making the images as large as the source drive, even if only a few GBs have been used.

E01 (Encase Evidence File)
▪ Most used imaging format.
▪ Comprises a physical bitstream copy stored in a single or multiple files enriched with metadata. This metadata includes:
✓ Case information,
✓ Examiner name,
✓ notes,
✓ checksums and;
✓ an MD5 hash.
▪ It also offers compression and password protection.

Advantages of this file format:
✓ compression,
✓ password protection and
✓ per file checksum.

Disadvantage of this file format:
✓ it's an undocumented closed format.

SMART
▪ Mainly used by the SMART tool for Linux.
▪ The image is stored in a single or multiple segment files, each with metadata.
▪ The image format is not commonly used anymore.

AFF (Advanced Forensics Format)
▪ An open format for the storage of forensic images.
▪ Its goal is to offer a disk imaging format that is not tied to proprietary software.
▪ This image format is not used anymore.

Essential for a Forensic Image

1. In cybercrime, additional evidence may be discovered other than what is available through an operating system, in the form of incriminating data that has been deleted to prevent discovery. Unless the data is deleted securely and overwritten, it can often be recovered with forensic or file recovery software.
2. One of the advantages includes the prevention of the loss of critical files.
3. When you suspect a custodian of deleting or altering files. A complete forensic image will, to a certain extent, allow you to recover deleted files. It can also potentially be used to identify files that have been renamed or hidden.
4. When you expect that the scope of your investigation could increase later. If you aren't sure about the scope of your project, ALWAYS OVER COLLECT. It's better to have too much data than not enough, and you can't get much more data than a forensic image.
5. When you expect that you or someone in your organization may need to certify or testify to the forensic soundness of the collection. In most cases, this need will never arise, but it will almost certainly come into play in any criminal or potential criminal proceedings.
6. The imaging of random-access memory (RAM) can be enabled by using live imaging. Live imaging can bypass most encryption.

Forensic imaging tools for Incident Response

Autopsy/the Sleuth Kit (Disk analysis)

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools.
• It is used by law enforcement, military, and corporate examiners to investigate suspected computers.
• It can be used to recover photos from a camera's memory card.

It is computer software that makes it simple to deploy many of the open-source programs and plugins used in The Sleuth Kit. The graphical user interface displays the results from the forensic search of the underlying volume, making it easier for investigators to flag pertinent sections of data.

The Sleuth Kit is a group of command-line tools and a C library that permits the analysis of disk images and the recovery of files from them. It is used behind the scenes in Autopsy and many other open-source and commercial forensics tools.

Features

• Multi-User Cases: Collaborate with fellow examiners on large cases.
• Timeline Analysis: Displays system events in a graphical interface to help identify activity.
• Keyword Search: Text extraction and index search modules enable you to find files that mention specific terms and find regular expression patterns.
• Web Artifacts: Extracts web activity from common browsers to help identify user activity.
• Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
• LNK File Analysis: Identifies shortcuts and accessed documents.
• Email Analysis: Parses MBOX format messages, such as Thunderbird.
• EXIF: Extracts geolocation and camera information from JPEG files.
• Media Playback and Thumbnail viewer.
• Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2.
• Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages.
• File Type Detection based on signatures and extension mismatch detection.
• Interesting Files Module will flag files and folders based on name and path.
• Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.

Dumpit

DumpIt is a convenient memory tool from Comae Technologies that provides a convenient way of obtaining a memory image of a Windows system even if the person in front of the affected computer isn't technical. Simply double-click the DumpIt executable and allow the tool to run. DumpIt will then take the snapshot of the host's physical memory and save it to the folder where the DumpIt executable was located.

Once a snapshot has been captured, many important facts can be ascertained by the investigator, such as:
• Processes running
• Executable files that are running
• Open ports, IP addresses, and other networking information
• Users that are logged into the system, and from where
• Files that are open and by whom

All this information can help the investigator to seek out system anomalies, and by being able to capture the volatile information inside the system's memory, they are able to create a permanent record of the system's state as it was.

EDD

Data encryption translates data into another form, or code, so that only people with access to a secret decryption key or password can read it.
• Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext.
• Encryption is one of the most popular and effective data security methods used by organizations.
• The purpose of data encryption is to protect digital data confidentiality as it is stored on computer systems and transmitted using the internet or other computer networks.

Encrypted Disk Detector (EDD) is a free command-line tool that checks the local physical drives on a system for encrypted volumes created by:
• TrueCrypt,
• PGP,
• Bitlocker,
• and other full disk encryption products.

It is used to quickly and non-intrusively check for encrypted volumes on a live system during incident response. Once a volume is found to be encrypted, it allows the investigator to decide whether to perform a live acquisition and avoid losing evidence from pulling the plug.

Exiftool (image)

ExifTool is a free and open-source software program for reading, writing, and manipulating image, audio, video, and PDF metadata.

FTK imager (Image creation)

FTK Imager is an imaging and data preview tool used to acquire data evidence forensically by creating copies of data without alteration to the original evidence.

The advantage of analyzing an image (rather than a live drive) is that it allows the investigator to prove that they have not made any modifications to the drive that could affect the forensic results.

MAGNET RAM Capture
MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a suspect's computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.

Evidence that can be found in RAM includes:
• processes and programs running on the system,
• network connections, evidence of malware intrusion,
• registry hives,
• usernames and passwords,
• decrypted files and keys,
• and evidence of activity not typically stored on the local hard disk.

Volatility (Memory forensics)

Important forensic information can be stored in RAM, and this volatile memory must be collected quickly and carefully to be forensically valid and useful.

Volatility is the most well-known and popular tool for the analysis of volatile memory. It is an open-source memory forensics framework for incident response and malware analysis.

Metadata, what is it?

Metadata is data or information about data.
• Metadata helps us understand the structure, nature, and context of the data.
• Metadata facilitates easy search and retrieval of data.
• Metadata helps keep a check on the quality and reliability of data.
• Metadata is the key to unlocking the value of your data.

Metadata summarizes basic information about data, which can make it easier to find, use and reuse particular instances of data.

Examples:
• author,
• date created,
• date modified and file size

In addition to document files, metadata is used for:
• computer files
• images
• relational databases
• spreadsheets
• videos
• audio files

Hash Value

A hash value refers to the result of a calculation (hash algorithm) that can be performed on a string of text, an electronic file, or entire hard drive contents. It is also called a checksum, hash code, or hash.

Hash values are used to recognize and filter out duplicate files (i.e. email, attachments, and loose files) from an Electronically Stored Information (ESI) collection, or to verify that a forensic image or clone was captured successfully.

Significance of Hashing in Data Forensic:

Hashing is a primary tool in digital forensic investigations in which hash values are used to check the integrity of any data file; in digital forensics, it is used to check the reliability of evidence disk data.

When the image of a disk is created in digital forensics for analysis, it is important that the image is an exact replica of the evidence disk. The hash value generated during imaging should match when that image of the evidence disk is extracted for final detailed analysis. In digital forensics a hash value is generated for the whole disk data, not only for single or multiple files, with the help of clever design.
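The image-verification check described above, as an added example (not code from the manual): the acquisition hash of a source is compared with the verification hash of its image, and the data is read in chunks so a whole disk image need not fit in memory. The sample strings are the manual's own; the function names and the chunk size are assumptions.

```python
import hashlib

# Constructed sample "evidence": the manual's sample string stands in for a
# disk or file. In practice the source device and the image file are hashed.
ORIGINAL = b"Sam is eating apple"
MODIFIED = b"Sam is eating apples"   # the same data with one character appended

CHUNK_SIZE = 1024 * 1024  # assumed: hash 1 MiB at a time so large images stream through

# MD5 and SHA1 are what the manual describes; both have known collisions, so
# practitioners usually record a SHA-256 alongside them (add "sha256" here).
DEFAULT_ALGORITHMS = ("md5", "sha1")


def hash_bytes(data: bytes, algorithms=DEFAULT_ALGORITHMS) -> dict:
    """Return {algorithm: hex digest} for an in-memory byte string, fed in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), CHUNK_SIZE):
        block = data[offset:offset + CHUNK_SIZE]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, algorithms=DEFAULT_ALGORITHMS) -> dict:
    """Return {algorithm: hex digest} for a file on disk (e.g. a raw .dd image)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK_SIZE)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_digests: dict, image_digests: dict) -> dict:
    """Compare acquisition hashes with verification hashes, algorithm by algorithm.

    Returns {algorithm: True/False}; every value must be True before the image
    can be treated as a bit-for-bit copy of the source.
    """
    return {name: source_digests[name] == image_digests.get(name)
            for name in source_digests}


def image_is_exact(source_digests: dict, image_digests: dict) -> bool:
    """True only if every recorded algorithm agrees."""
    return all(verify_image(source_digests, image_digests).values())


if __name__ == "__main__":
    source = hash_bytes(ORIGINAL)
    copy = hash_bytes(bytes(ORIGINAL))      # an exact copy hashes identically
    tampered = hash_bytes(MODIFIED)         # one extra byte changes every digest
    print("source   :", source)
    print("copy ok  :", image_is_exact(source, copy))
    print("tampered :", image_is_exact(source, tampered))
```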
Hashing algorithms such as MD5 and SHA1 are used by digital forensic professionals to generate hash values of the original files used in an investigation:
• To ensure that the information isn't altered during the investigation, since various tools and techniques are involved in data analysis and evidence collection that can affect the data's integrity.
• Electronic documents are shared with legal professionals and other parties during investigation, and it is important to ensure that everyone has identical copies of the files.

How do Hash Values help in Verifying Data in Digital Forensics?

Take a sample string, apply the MD5 function and obtain its hash value:
• String Input: Sam is eating apple
• Hash Value: 387f51d0ccbab6be677275c9933c250e

Modification of the string by just one character:
• String Input: Sam is eating apples
• Hash Value: c77426fb082c588cfe5583f7eee73309

You can see that appending just one character to the input string changes the entire hash value. This demonstrates the security quotient of hash functions.

Hash Function

The algorithm used in hashing is called the hash function. The value returned by this function is called a message digest or hash value. The following are some characteristics of hash functions:
• Hash functions are one-way functions, which means that you cannot reverse a hashing process to extract the original data from a hash value.
• The size of the hash value is always fixed and is independent of the size of the input data.
• Two different input files cannot produce the same hash value.

MD5 and SHA1 Hashing

MD5 and SHA1 are the two most popular hashing algorithms used by digital forensics professionals today. They are used in digital forensic tools to calculate and analyze, to verify that a data set has not been altered or manipulated due to the application of various evidence collection and analysis tools and procedures.

MD5 is primarily used to authenticate files. It is easier to use the MD5 hash to check a copy of a file against an original than to check bit by bit to see if the two copies match.

The use of MD5 and SHA1 hash algorithms is a standard practice in digital forensics. These algorithms allow investigators to preserve digital evidence from the moment they acquire it till the time it's produced in court.

Windows File System

File systems represent how data is stored on a storage device. They are pieces of software that help an OS organize data and use space more efficiently. In computing, the file system controls how data is stored and retrieved. It is the method and data structure that an operating system uses to keep track of files on a disk or partition.

The file system separates the data we put in the computer into pieces and gives each piece a name, so the data is easily isolated and identified. Without a file system, the information saved in a storage medium would be one large body of data with no way to tell where the information begins and ends.

When a movie or a video game is saved on a storage device, the computer knows where the file is. File systems keep everything tidy and minimize loss of storage space by logically organizing data.

Thus, the File system:
• Provides a vast amount of digital evidence or artifacts.
• A forensic investigator can expect more Windows OS to be examined in connection with cybercrime.
File systems are simply how data is organized and retrieved on a computer drive, and each piece of data is called a file. Different operating systems use different file systems. Microsoft Windows simply uses two types of file system, FAT and NTFS, while Macs require internal storage devices to be formatted in Mac OS Extended File System or HFS+.

File Allocation Table (FAT)

- a file system developed for personal computers in 1977 for use on floppy disks.
- is the simplest file system type. It consists of a boot sector, a file allocation table, and plain storage space to store files and folders.
- it was adapted for use on hard disks and other devices.
- Three major variants: FAT12, FAT16, and FAT32. This is due to the increase in disk drive capacity.
- But no longer the default file system for Microsoft Windows computers. However, it is the default for removable media such as floppy disks, super-floppies, memory and flash memory cards, or USB flash drives.

FAT files are commonly found on:
• floppy disks
• flash and other solid-state memory cards and modules (including USB flash drives), as well as many portable and embedded devices.
• FAT is the standard file system for digital cameras per the DCF specification.

One of the simplest file systems and available in Microsoft systems.

The disk or volume is broken up into clusters of a specific size.

Sector – is the smallest physical storage unit on a drive and is composed of 512 bytes.

Clusters – smallest unit of the file system which can be used in saving data. It is composed of 4 sectors with 2048 bytes.

Partitioned drive - a section of the hard drive that is divided.
Unpartitioned space - a section of the hard drive that has not been divided.
Unallocated space - any physical space on a hard drive that doesn't belong to a partition is unallocated.
Allocated space - the area on a hard drive where files already reside.
Slack space - the leftover storage that exists on a computer's hard disk drive when a computer file does not need all the space it has been allocated by the operating system.

New Technology File System (NTFS)

In 1993 Microsoft developed NTFS to overcome the limitations of FAT32. For example, FAT32 only supports a maximum file size of 32GB, and NTFS supports a max file size of 16 EB (exabytes).
- NTFS is the default type for file systems over 32GB. This file system supports many file properties, including encryption and access control.
- The primary file system used in Microsoft's Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, Windows 2000, and Windows NT operating systems.

Benefits of NTFS over FAT32:
1. NTFS can keep track of changes made to a file. In the event of a sudden power outage or file corruption, NTFS prevents data loss.
2. NTFS also supports encryption and read-only permissions for files. So, you can encrypt your files with a password or set them to read-only status to prevent any changes.

Extended File Allocation Table (exFAT)

In 2006 Microsoft introduced the Extended File Allocation Table (exFAT). It was intended to replace FAT32 for high-capacity flash drives and SD cards.
- exFAT does away with the file size limitations of FAT32 while maintaining excellent OS compatibility.
- It supports a max file size of 16EB; unlike FAT32, a transfer of a 4GB file or larger will not run into an error.
- Because it supports a limitless max file capacity and is compatible with a wide range of operating systems, exFAT is the default file system for SDXC cards that you use in cameras.
- All SDXC cards come formatted with exFAT.

File Carving strength

The origin of file carving is the idea that nothing is deleted on a computer until that memory has been written over or wiped. File carving is often referred to as memory reallocation. This means that even if a file is deleted on your computer, file carving can be used to reconstruct that file until that memory is reallocated to save other data.

It is a process used in computer forensics to extract data from a disk drive or other storage media without the assistance of the file system that created the file.

It is a method that recovers files in unallocated space without any file information and is used to recover data and execute a digital forensic investigation.
• File carving is called "carving," a generic term for extracting structured data out of raw data, based on format-specific characteristics present in the structured data.
• It is a forensics technique that recovers files based merely on file structure and content and without any matching file system metadata.
• File carving is most often used to recover files from the unallocated space in a drive.

Unallocated space refers to the area of the drive which no longer holds any file information as indicated by the file system structures like the file table. In the case of damaged or missing file system structures, this may involve the whole drive.
- Many filesystems do not zero out the data when they delete it.
- Instead, they remove the knowledge of where it is.

File carving is the process of reconstructing files by scanning the raw bytes of the disk and reassembling them. This is usually done by examining the header (the first few bytes) and footer (the last few bytes) of a file.
• File carving is a great method for recovering files and fragments of files when directory entries are corrupt or missing.
• This is used by forensics experts in criminal cases for recovering evidence. In cases related to child pornography, for instance, law enforcement agents are often able to recover more images from the suspect's hard disks by using carving techniques.

Thus, File Carving is a process to recover or reconstruct deleted or formatted files on the computer. It is the process of searching for a file in a data stream and carving out deleted files.

This process is very important in Digital Forensics, as the forensics expert has to investigate all the system files and also has to check for any deleted or formatted files for further investigation.

The most common file carving techniques are:
A. Header-footer or header-"maximum file size" carving: recover files based on known headers and footers or a maximum file size.
• JPEG: "\xFF\xD8" header and "\xFF\xD9" footer
• GIF: "\x47\x49\x46\x38\x37\x61" header and "\x00\x3B" footer
• If the file format has no footer, the maximum file size is used in the carving program.
B. File structure-based carving
• This technique uses the internal layout of a file.
• Elements are header, footer, identifier strings, and size information.
C. Content-based carving
• Content structure is loose (MBOX, HTML, XML)
• Content characteristics
• Character count
• Text/language recognition
• White and black listing of data
• Statistical attributes (Chi^2)
• Information entropy

Data recovery tools play an important role in most forensic investigations because smart malicious users will always try to delete evidence of their unlawful acts.
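Technique A above (header-footer carving with the maximum-file-size fallback) as an added example; this is not code from the manual or from any of the carving tools listed below. It uses the JPEG and GIF headers and footers the manual gives and runs over a constructed byte buffer standing in for unallocated space; the maximum sizes and the function names are assumptions.

```python
# Carving rules: type -> (header, footer, max_size). Headers and footers follow the
# manual (JPEG FF D8 ... FF D9, GIF "GIF87a" ... 00 3B); the third JPEG byte FF and
# the GIF89a variant are added for precision. max_size values are assumed and are
# the fallback when a format has no footer or the footer is never found.
CARVE_RULES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9", 2 * 1024 * 1024),
    "gif87a": (b"GIF87a", b"\x00\x3B", 1024 * 1024),
    "gif89a": (b"GIF89a", b"\x00\x3B", 1024 * 1024),
}


def carve(stream: bytes, rules=CARVE_RULES) -> list:
    """Header-footer carving with a maximum-file-size fallback over a raw byte stream.

    Finds the earliest known header, then looks for that type's footer within
    max_size bytes. With a footer the object is header..footer; without one,
    max_size bytes (or whatever remains) are taken and the object is flagged
    incomplete. Scanning resumes after each carved object. Returns a list of dicts.
    """
    carved = []
    pos = 0
    while pos < len(stream):
        best = None  # (offset, type) of the earliest header at or after pos
        for ftype, (header, _footer, _max) in rules.items():
            idx = stream.find(header, pos)
            if idx != -1 and (best is None or idx < best[0]):
                best = (idx, ftype)
        if best is None:
            break
        start, ftype = best
        header, footer, max_size = rules[ftype]
        limit = min(start + max_size, len(stream))
        # First footer after the header, not beyond limit. Caveat: a JPEG with an
        # embedded thumbnail contains an inner FF D9, so this technique can stop
        # early; structure-based carving (technique B) is needed for that case.
        footer_at = stream.find(footer, start + len(header), limit)
        if footer_at != -1:
            end, complete = footer_at + len(footer), True
        else:
            end, complete = limit, False
        carved.append({"type": ftype, "offset": start, "complete": complete,
                       "data": stream[start:end]})
        pos = end
    return carved


def summarize(results: list) -> list:
    """Reduce carve() output to (type, offset, size, complete) tuples for reporting."""
    return [(r["type"], r["offset"], len(r["data"]), r["complete"]) for r in results]


# Constructed "unallocated space": filler bytes with two JPEG-like objects and a
# GIF-like object dropped in, plus a JPEG header at the end whose footer is lost.
JPEG_A = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01" + b"A" * 40 + b"\xFF\xD9"
GIF_A = b"GIF87a" + b"G" * 30 + b"\x00\x3B"
JPEG_B = b"\xFF\xD8\xFF\xE1\x00\x12Exif\x00\x00" + b"B" * 25 + b"\xFF\xD9"
TRUNCATED = b"\xFF\xD8\xFF\xDB" + b"T" * 10
FILLER = b"\x00" * 64
UNALLOCATED = FILLER + JPEG_A + FILLER + GIF_A + b"\x7F" * 17 + JPEG_B + FILLER + TRUNCATED

if __name__ == "__main__":
    for entry in summarize(carve(UNALLOCATED)):
        print("type=%s offset=%d size=%d complete=%s" % entry)
```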

Tools widely used for file carving:

1. Scalpel
2. FTK
3. Encase
4. Foremost
5. PhotoRec
6. Revit
7. TestDisk
8. Magic Rescue
9. F-Engrave

File Structure

For us to fully understand what file carving is all about, let us also know what a file structure is. It describes how a file is laid out, in particular the presence of a file header and a file footer.
• File header – the first few bytes that mark the beginning of a file.
- A file header is a block of data seen at the start of a file that defines how information is stored in it. Part of the header information is a sequence of bytes or numbers that specifies the file's type.
• File footer/trailer – the last few bytes that mark the end of a file.

File Signature

• A file signature is data used to identify or verify the content of a file. Also known as magic numbers or Magic Bytes. The file signature also shows what type of file it is. Example: JPG, PDF, Word document.

A file signature is a unique identification number seen at the beginning of a file. This number identifies the type of file, giving information about the data contained within the actual file. This information can be used to determine what type of file is being read when the file extension or user error has misidentified the file as an incorrect type. The file signature also can contain information that ensures the original data that was stored in the file is still intact and has not been modified. The combination of these elements allows a file signature to serve as an important form of verification, especially against computer viruses.

The benefits of digital forensics from file signatures

File signatures help investigators speed up the search for digital evidence. Suppose several files without extensions in their names were found on the suspect computer. Forensic investigators would have to open them one by one to see if they're possibly connected to the crime. However, if the investigator
is familiar with file headers and file signatures, especially if they know the types of files they're looking for, they can collate candidate files by header. If they're searching for videos, for instance, they can collate all files with the following headers for deeper scrutiny later on:

Application | Signature | File Type
Windows Media Player | 00 00 00 14 66 74 79 70 | 3GPP multimedia files
Windows Media Player | 00 00 00 20 66 74 79 70 | 3GPP2 multimedia files
VLC Media Player | 00 00 00 18 66 74 79 70 | MPEG-4 video files
VLC Media Player | 52 49 46 46 | 4X movie video
Windows Media Player | 30 26 B2 75 8E 66 CF 11 | Windows Media Audio/Video File

File Magic Numbers

Magic numbers are the first bits of a file that uniquely identify the type of file. This makes programming easier because complicated file structures need not be searched to identify the file type.

For example, a JPEG file starts with ff d8 ffe0 0010 4a46 4946 0001 0101 0047 (......JFIF.....G). ffd8 shows that it's a JPEG file, and ffe0 identifies a JFIF type structure. There is an ASCII encoding of "JFIF" which comes after a length code, but that is not necessary to identify the file. The first 4 bytes do that uniquely.

Sample file signature Table

Sample common files and their file signature

Hex signature | ISO 8859-1 | Offset | File extension | Description
FF D8 FF E0 | ÿØÿà | 0 | jpg | JPEG raw or in the JFIF or Exif file format
00 00 00 0C 6A 50 20 20 0D 0A 87 0A | ␀␀␀␌jP␠␠␍␊‡␊ | 0 | jp2, j2k, jpf, jpm, jpg2, j2c, jpc, jpx, mj2 | JPEG 2000 format
FF 4F FF 51 | ÿOÿQ | 0 | jp2, j2k, jpf, jpm, jpg2, j2c, jpc, jpx, mj2 | JPEG 2000 format
38 42 50 53 | 8BPS | 0 | psd | Photoshop Document file, Adobe Photoshop's native file format
52 49 46 46 ?? ?? ?? ?? 41 56 49 20 | RIFF????AVI␠ | 0 | avi | Audio Video Interleave video format
FF FB / FF F3 / FF F2 | ÿû / ÿó / ÿò | 0 | mp3 | MPEG-1 Layer 3 file without an ID3 tag or with an ID3v1 tag (which is appended at the end of the file)
49 44 33 | ID3 | 0 | mp3 | MP3 file with an ID3v2 container
FF D8 FF E1 ?? ?? 45 78 69 66 00 00 | ÿØÿá??Exif␀␀ | | |
66 74 79 70 69 73 6F 6D | ftypisom | 4 | mp4 | ISO Base Media file (MPEG-4)
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀ | 11 | PDB | PalmPilot Database/Document File
89 50 4E 47 0D 0A 1A 0A | ‰PNG.... | | | PNG portable Network Graphics file
25 50 44 46 | %PDF | | PDF | Adobe Portable Document Format and Forms Document file
FF D8 FF DB | ÿØÿÛ | 0 | jpg | JPEG raw or in the JFIF or Exif file format
FF D8 FF E0 00 10 4A 46 49 46 00 01 | ÿØÿà␀␐JFIF␀␁ | | |
FF D8 FF EE | ÿØÿî | | |

Laboratory Activity No. 1:

How to Install the following forensic tool kits on your computer
• Magnet Ram Capture
• Access data FTK imager
• Exif Tool
• DUMPIT
• EDD
• Hash Generator
• Autopsy

Materials needed:
• Magnet Ram Capture Free Software
• Access data FTK imager free software
• Exif Tool free software
• DUMPIT free software
• EDD free software
• Hash Generator free software
• Autopsy free software
• Laptop or Desktop Computer
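The signature lookup and extension-mismatch check that Autopsy's File Type Detection feature performs (and that laboratory activity J exercises) can be reproduced from the sample file signature table above. This added example is not the manual's or Autopsy's code: it encodes the table's signatures in Python, including the "??" wildcard bytes and the non-zero offsets, and runs them over constructed sample files; the file names and contents are constructed, and the "jpeg" alias is an addition to the table.

```python
# Signature table taken from the manual's sample file signature table. Each entry is
# (offset, pattern, extensions, description); None in a pattern is a wildcard byte
# (written "??" in the table). The "jpeg" alias is an addition beyond the table.
JPEG_DESC = "JPEG raw or in the JFIF or Exif file format"
SIGNATURES = [
    (0, [0xFF, 0xD8, 0xFF, 0xE0], ("jpg", "jpeg"), JPEG_DESC),
    (0, [0xFF, 0xD8, 0xFF, 0xE1], ("jpg", "jpeg"), JPEG_DESC),
    (0, [0xFF, 0xD8, 0xFF, 0xDB], ("jpg", "jpeg"), JPEG_DESC),
    (0, [0xFF, 0xD8, 0xFF, 0xEE], ("jpg", "jpeg"), JPEG_DESC),
    (0, [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A], ("png",), "PNG portable Network Graphics file"),
    (0, [0x25, 0x50, 0x44, 0x46], ("pdf",), "Adobe Portable Document Format"),
    (0, [0x38, 0x42, 0x50, 0x53], ("psd",), "Photoshop Document file"),
    (0, [0x52, 0x49, 0x46, 0x46, None, None, None, None, 0x41, 0x56, 0x49, 0x20],
     ("avi",), "Audio Video Interleave video format"),
    (0, [0x49, 0x44, 0x33], ("mp3",), "MP3 file with an ID3v2 container"),
    (0, [0xFF, 0xFB], ("mp3",), "MPEG-1 Layer 3 file without an ID3 tag"),
    (4, [0x66, 0x74, 0x79, 0x70, 0x69, 0x73, 0x6F, 0x6D], ("mp4",), "ISO Base Media file (MPEG-4)"),
    (11, [0x00] * 24, ("pdb",), "PalmPilot Database/Document File"),  # 24 zero bytes at offset 11
]


def identify(data: bytes):
    """Return (extensions, description) of the first signature that matches, else None."""
    for offset, pattern, exts, desc in SIGNATURES:
        window = data[offset:offset + len(pattern)]
        if len(window) < len(pattern):
            continue  # file too short to hold this signature at this offset
        if all(p is None or p == b for p, b in zip(pattern, window)):
            return exts, desc
    return None


def extension_mismatch(filename: str, data: bytes) -> dict:
    """Compare the extension a file name claims with what the content signature says.

    verdict is 'match', 'mismatch', or 'unknown' (no signature in the table matched,
    which is the case for plain text and for any type not listed).
    """
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = identify(data)
    if found is None:
        verdict = "unknown"
    elif claimed in found[0]:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"file": filename, "claimed": claimed,
            "detected": found[1] if found else None, "verdict": verdict}


def scan(files: dict) -> list:
    """Run the mismatch check over a {name: bytes} mapping, as a directory scan would."""
    return [extension_mismatch(name, data) for name, data in files.items()]


# Constructed sample files: only the leading bytes matter for signature detection.
SAMPLE_FILES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.4\n% constructed sample",
    "clip.mp4": b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00",
    "movie.avi": b"RIFF\x10\x00\x00\x00AVI LIST",
    "invoice.pdf": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # a PNG renamed to .pdf
    "notes.txt": b"just some plain text",
}

if __name__ == "__main__":
    for result in scan(SAMPLE_FILES):
        print(result)
```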

12
Learning Outcomes:

At the end of the lesson the student will be able to:

1. Recognize different incident response tools
2. Illustrate the use of Magnet RAM, FTK imager, EDD, DUMPIT, autopsy, and Exif tool.
3. Learn how to install Magnet RAM, FTK imager, EDD, DUMPIT, autopsy, Exif tool

How to install magnet RAM capture

Direction:

1) Download Magnet RAM version 120
2) Install on your laptop or Desktop, click Run as Administrator
3) Click install and wait for the installation to finish. Create a shortcut on the desktop/laptop
4) Once installed, screenshot your computer display screen, showing the magnet RAM Application.

How to submit

1) Copy the screenshot in the MS word Document, encircle the Magnet Ram Application shortcut
2) Double click the Magnet RAM Application shortcut to open
3) Once open, screenshot the Magnet RAM Application, paste the screenshot in MS Word
4) Make a printed copy and submit it to your instructor as a laboratory activity

How to install Access Data FTK Imager

1) Download Access Data FTK imager Application
2) Install on your laptop or Desktop, click Run as Administrator
3) Click install and wait for the installation to finish. Create a shortcut on the desktop/laptop
4) Once installed, screenshot your computer display screen, showing the Access data FTK imager Application.

How to submit

1) Copy the screenshot in the MS word Document, encircle the Access data FTK imager Application
2) Double click the Access data FTK imager Application shortcut to open
3) Once open, screenshot the Access data FTK imager Application
4) Make a printed copy and submit it to your instructor as a laboratory activity

How to install Autopsy Free Software

1) Download autopsy Free software
2) Install on your laptop or Desktop, click Run as Administrator
3) Click install and wait for the installation to finish. Create a shortcut on the desktop/laptop
4) Once installed, screenshot your computer display screen, showing the autopsy shortcut Application.

How to submit

1) Copy the screenshot in the MS word Document, encircle the Autopsy Application shortcut
2) Double click the Autopsy Application shortcut to open
3) Once open, screenshot the Autopsy Application, copy and paste it in the MS word Document
4) Make a printed copy and submit it to your instructor as a laboratory activity.

How to install the Exif tool .exe

1) Download the Windows Executable from the Exif Tool home page
2) Extract "Exif tool(-k).exe" from the ".zip" file, and place it on your Desktop.
3) (Double-click on "ExifTool-12.33.zip" to open the archive, then drag "Exif tool(-k).exe" to your Desktop.)
4) Double-click on "Exif tool(-k).exe" to read the application documentation, or drag-and-drop files and folders onto it to run the Exif tool on the selected files
5) Once installed, screenshot your computer display screen, showing the Exif tool exe Application.

How to submit

1) Copy the screenshot in the MS word Document, encircle the Exif tool Application shortcut
2) Double-click on "Exif tool(-k).exe" to read the application documentation
3) Once open, screenshot the Exif tool Application
4) Make a printed copy and submit it to your instructor as a laboratory activity

Laboratory Activity No. 2

Capturing the RAM using Magnet RAM Capture

Materials Needed:

• Magnet RAM software v.12.0
• Laptop/Desktop Computer

Learning Outcomes:

At the end of the lesson the student will be able to:

1. Execute Magnet RAM to capture memory
2. Illustrate the use of Magnet RAM for RAM imaging
3. Perform RAM Capture using Magnet RAM

Direction:

1) To open, double click Magnet Ram Capture, then click Yes.
2) Click Browse, then select where to save the file / the IR folder
3) Click Start and wait for the capture to finish

How to submit

1) Screenshot the step-by-step process of capturing the RAM
2) Copy and paste the screenshot into the MS word Document
3) Make a printed copy and submit it to your instructor as a laboratory activity
Laboratory Activity No. 3

Capturing the RAM using FTK Imager

Materials Needed:

• Access Data FTK Imager
• Laptop/Desktop Computer

Learning Outcomes:

At the end of the lesson the student will be able to:

1. Execute FTK imager to capture Memory
2. Illustrate the use of FTK imager for RAM imaging
3. Perform RAM Capture using FTK imager

Direction:

1) To open, click Access data FTK Imager
2) Click on File > Capture Memory.
3) Choose the destination path and the destination file name, and click on Capture Memory.
4) Wait for a few minutes till the RAM is captured.
How to submit

1) Screenshot the step-by-step process of capturing the RAM
2) Copy and paste the screenshot into the MS word Document
3) Make a printed copy and submit it to your instructor as a laboratory activity

Laboratory Activity No. 4

Imaging the RAM using Dumpit

Materials Needed:

• DUMPIT exe. software
• Laptop/Desktop Computer

Learning Outcomes:

At the end of the lesson the student will be able to:

1. Apply Dumpit to capture the Memory of the computer
2. Illustrate the use of Dumpit for RAM imaging
3. Perform RAM Capture using Dumpit

Direction:

1) To open, double click Dumpit.exe, then click Yes
2) Once the program is running, to capture memory type the letter Y to proceed, or N to cancel
3) Wait for the memory capture to be generated
How to submit

1) Screenshot the step-by-step process of capturing the RAM using Dumpit
2) Copy and paste the screenshot into the MS word Document
3) Make a printed copy and submit it to your instructor as a laboratory activity

Laboratory Activity No. 5

Check for encryption using the Encrypted Disk Detector (EDD)

Materials needed:

• EDD free software
• Laptop/desktop computer

Learning Outcomes:

At the end of the lesson the student will be able to:

1. Recognize the use of EDD to check for any encrypted files in the computer.
2. Illustrate how EDD functions
3. Apply EDD to check for encrypted files

Direction:

1. To open the program, click EDD Free software
2. If there are no encrypted files, the text will appear in red; if there is encryption, the text will appear in yellow
How To Submit

1) Screenshot the process of detecting encryption using EDD
2) Copy and paste the screenshot into the MS word Document
3) Make a printed copy and submit it to your instructor as a laboratory activity.

Laboratory Activity No. 6

Imaging the computer hard drive/ USB flash drive using FTK Imager

Materials needed:

• Access Data FTK imager free software
• Laptop/desktop computer

Learning Outcomes:

At the end of the lesson the student will be able to:

1. Recognize the use of FTK imager in imaging a computer hard drive / USB flash drive.
2. Illustrate how FTK imager works in forensic imaging
3. Apply FTK imager in making a forensic copy of the hard drive/USB flash drive.

Direction:

Creating a Forensic Image

Step 1. Click on File > Create Disk Image.

Step 2. Choose the source based on the drive. It can be physical or logical. Then, click next.

Step 3. Choose the source drive that you want to create an image copy of. Then, click finish.
Step 4. Add the destination path of the image that is going to be created.

Step 5. Select the format of the image that you want to create. Then, click next.

Step 6. Now, add the details of the image to proceed.

Step 7. Finally, add the destination of the image file, name the image file and then click on Finish.

Step 8. Add the destination path, and also click on the verify option to generate a hash. Click start.

Step 9. Wait for a few minutes for the image to be created.

Step 10. After the image is created, a hash result is generated which verifies the MD5 hash, the SHA1 hash, and the presence of any bad sectors.
How to submit

1) Screenshot the step-by-step process of creating a forensic image of a hard drive
2) Copy and paste the screenshot into the MS word Document
3) Make a printed copy and submit it to your instructor as a laboratory activity.

Laboratory Activity No. 7

Generating the hash value using the hash Generator

Materials needed:

• Hash Generator software
• Laptop/desktop computer

Learning Outcomes:

At the end of the lesson the student will be able to:

1. Recognize the use of Hash generator to check the genuineness of computer files
2. Illustrate how to check for a hash value of computer files

Direction:

1. To open the program, click Hash Generator Software
2. Select the hash Input Type (File / Text)
3. Select the file location by clicking the folder icon
4. Once a file is selected, click Generate Hash and wait for the result

How to submit

1) Screenshot the step-by-step process of generating the hash
2) Copy and paste the screenshot into the MS word Document
3) Make a printed copy and submit it to your instructor as a laboratory activity.

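Step 10 of Activity 6 and the Hash Generator of Activity 7 rest on the same operation: compute the MD5 and SHA1 of the evidence file and compare them with the values recorded at acquisition. The following added example (written for this manual, not code from FTK Imager or the Hash Generator) does that in Python, reading the file in chunks so a large image never has to sit in memory; the byte string standing in for an image is constructed.

```python
import hashlib
import io

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so a multi-GB image never sits in memory


def hash_stream(stream):
    """Hash a binary stream in a single pass; returns the two digests
    FTK Imager reports in its verification result (MD5 and SHA1)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}


def hash_file(path):
    """Hash an image file on disk (for example the image produced in Activity 6)."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data):
    """Hash an in-memory byte string (used here for the constructed sample)."""
    return hash_stream(io.BytesIO(data))


def verify_hashes(computed, recorded):
    """Compare freshly computed digests with those recorded at acquisition.
    The comparison ignores letter case because tools print hex in either case.
    One True/False per algorithm; any False means the copy is not bit-for-bit
    identical to what was acquired."""
    return {name: computed.get(name) == value.strip().lower()
            for name, value in recorded.items()}


if __name__ == "__main__":
    # Constructed sample standing in for a disk image; 'recorded' plays the role
    # of the hash values written down when the image was first created.
    acquired = b"abc"
    recorded = hash_bytes(acquired)
    print(verify_hashes(hash_bytes(acquired), recorded))  # {'MD5': True, 'SHA1': True}
    tampered = b"abd"  # a single changed byte
    print(verify_hashes(hash_bytes(tampered), recorded))  # {'MD5': False, 'SHA1': False}
```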
Laboratory Activity No. 8

Analyzing image dump (recover and view deleted file) using FTK imager

Materials needed:

• Access Data FTK imager
• Laptop/desktop computer

Learning Outcomes:

At the end of the lesson the student will be able to:

1. Perform analysis of an image dump
2. Explain the procedure of analyzing an image dump

Direction:

Analyzing Image Dump

To start with the analysis:

Step 1. Click on File > Add Evidence Item.

Step 2. Select the source of the dump file that you have already created. Select the image file option, and click on Next.

Step 3. Choose the path of the image dump that you have captured by clicking on Browse. Then, click finish.
Step 4. Once the image dump is attached to the analysis part, you will see an evidence tree that has the contents of the files of the image dump.

Step 5. To analyze other things, remove this evidence item by right-clicking on the case and clicking on Remove Evidence Item

How to submit

1) Screenshot the step-by-step process of analyzing the image dump
2) Copy and paste the screenshot into the MS word Document, including the recovered file
3) Write a narrative description of the file
4) Make a printed copy and submit it to your instructor as a laboratory activity.

Laboratory Activity No. 9

Examining/ producing Metadata of Photo, video, or Images using the Exif tool

Materials needed:

• Exif Tool.exe software
• Laptop/desktop computer
• Soft copy of a photo/Video

Learning Outcomes:

At the end of the lesson the student will be able to:
1. Analyze the metadata of video, photo, or document
2. Explain the procedure of analyzing image dump

Direction:

1. Open Command Prompt
2. Type cd, a space, then C:\exiftool, and press Enter
3. Drag and drop the file/picture, then bring the cursor after the word Exif tool
4. Then, type Exif tool and a space, and press Enter
5. Wait for the generated result

How to submit

1) Screenshot the step-by-step process of producing Metadata
2) Copy and paste the screenshot into the MS word Document.
3) Write a narrative report of the produced metadata
4) Make a printed copy and submit it to your instructor as a laboratory activity.

Laboratory Activity No. 10

Check for file extension mismatch using autopsy and examine/produce metadata of a file.

Materials needed:

• Autopsy 4.193 software
• Laptop/desktop computer

Learning Outcomes:

At the end of the lesson the student will be able to:

1. Analyze the metadata of video, photo, or document
2. Explain the procedure of analyzing image dump

Direction:

1. To open, click the Autopsy application, then click New Case
2. Enter the case Name, then click Browse and select where to save the file
3. Click Next
4. Type the Case Number and other optional information, then click Finish to generate the data source
5. Select host, type the hostname and click Next
6. Click Data Source Type, then click Next
7. Click Browse, select the file, click Open, click Next
8.
9. Click Select All and then Deselect All, click Extension Mismatch Detector, then click Next
10. Click Finish, then open the autopsy case
11. Click the data source and look for yellow entries, which mark an extension mismatch
12. To look for metadata, click File Metadata

How to submit

1) Screenshot the step-by-step process of analyzing file extension mismatch and producing Metadata
2) Copy and paste the screenshot into the MS word Document.
3) Write a narrative description of file extension mismatch (if any) and the produced metadata.
4) Make a printed copy and submit it to your instructor as a laboratory activity.

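The check behind Autopsy's Extension Mismatch Detector (steps 9 and 11 above) is the magic-number comparison described in the File Magic Numbers section: read the first bytes of a file and compare them with a signature table, then see whether the file name's extension agrees. The following added example, written for this manual and not code from Autopsy or any of the other tools, implements that check in Python over the signatures listed in the manual's table; the sample file headers are constructed.

```python
from pathlib import Path

def hx(text):
    """Parse "FF D8 ?? 45" into a byte pattern; None marks a '??' wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

# Signature table taken from the manual's magic-number table: (offset, pattern, extensions).
SIGNATURES = [
    (0, hx("FF D8 FF DB"), {"jpg", "jpeg"}),
    (0, hx("FF D8 FF E0 00 10 4A 46 49 46 00 01"), {"jpg", "jpeg"}),   # JFIF
    (0, hx("FF D8 FF EE"), {"jpg", "jpeg"}),
    (0, hx("FF D8 FF E1 ?? ?? 45 78 69 66 00 00"), {"jpg", "jpeg"}),   # Exif
    (0, hx("89 50 4E 47 0D 0A 1A 0A"), {"png"}),
    (0, hx("25 50 44 46"), {"pdf"}),
    (0, hx("49 44 33"), {"mp3"}),                                       # ID3v2 container
    (0, hx("FF FB"), {"mp3"}), (0, hx("FF F3"), {"mp3"}), (0, hx("FF F2"), {"mp3"}),
    (0, hx("52 49 46 46 ?? ?? ?? ?? 41 56 49 20"), {"avi"}),            # RIFF????AVI
    (4, hx("66 74 79 70 69 73 6F 6D"), {"mp4"}),                        # ftypisom at offset 4
    (0, hx("38 42 50 53"), {"psd"}),
    (0, hx("FF 4F FF 51"), {"jp2", "j2c", "jpc", "jpx", "mj2"}),
    (11, [0] * 24, {"pdb"}),                                             # 24 zero bytes at offset 11
]

def matches(data, offset, pattern):
    """True if data carries pattern at offset; None in the pattern matches any byte."""
    if len(data) < offset + len(pattern):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def identify(data):
    """Return the set of extensions whose signature is present in the file header."""
    found = set()
    for offset, pattern, exts in SIGNATURES:
        if matches(data, offset, pattern):
            found |= exts
    return found

def extension_mismatch(filename, data):
    """What Autopsy's Extension Mismatch Detector flags: the header identifies a known
    type but the file name carries a different extension. Unknown headers give False."""
    ext = Path(filename).suffix.lower().lstrip(".")
    found = identify(data)
    return bool(found) and ext not in found

if __name__ == "__main__":
    # Constructed sample: a PNG header saved under a .jpg name.
    png_header = bytes.fromhex("89504e470d0a1a0a0000000d49484452")
    print(identify(png_header), extension_mismatch("holiday.jpg", png_header))  # {'png'} True
```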
Laboratory Activity No. 11

Simulation exercises on how to conduct cybercrime incident response

Materials needed:

• Magnet RAM Free Software
• EDD free Software
• Access Data FTK imager
• Laptop/desktop computer

Learning Outcomes:

At the end of the lesson the student will be able to:

1. Perform cybercrime incident response
2. Explain the procedure for conducting cybercrime incident response

Direction:

1. A case scenario will be provided to the group as a basis for applying for a cyber warrant.
2. A mock cybercrime scene will be set.
3. The class will be divided into three groups
4. Each group will only have 45 minutes to conduct a cybercrime scene investigation (incident response)