Table of Contents
- Basic Computer Skills for Digital Forensics
- Number Systems
- PC Introduction
- Windows Command Line Tutorial
- Linux Command Line Tutorial
- Advanced Linux Command Line Tutorial
- Computer and Digital Forensics (updated on Oct. 2021)
- Introduction to Digital Forensics
- Sleuth Kit Tutorial
- USB Image Acquisition
- Evidence Search – A Pattern Match Game (updated on May 2022)
- Evidence Search – File Metadata
- Data Carving
- Steganography
- Forensic Report Template
- Computer Forensics Case Study
- Investigating NIST Data Leakage (Windows XP)
- Investigating P2P Data Leakage (Windows 10)
- Investigating Illegal Possession of Images (“Networking forensics”)
- Investigating Email Harassment
- Investigating Illegal File Transferring (Memory Forensics)
- Investigating Hacking Case
- Investigating Morris Worm Attack (updated on September 2022)
- Mobile/IoT Forensics Case Study
- Investigating Android 10 (added on 10/24/2021)
- Investigating iPhone iOS 13 (updated on 6/18/2022)
- Investigating Drone (add on 12/07/2021)
- Forensic Intelligence Repository
- Email forensics
- Illegal Possession of Images
A Digital Forensics- Investigation based on Case Study’s from NIST (Lab Exercise)
Basic Computer Skills for Digital Forensics
Topics Covered |
Size of PPTs |
2M |
|
6M |
|
3M |
|
8M |
|
2M |
Computer and Digital Forensics
Topics Covered |
Size of PPTs |
2M |
|
3M |
|
3M |
|
3M |
|
3M |
|
2M |
|
2M |
|
Forensic Report Template |
5M |
Tool Installation
Method 1: Importing customized Kali VM image
The customized Kali VM = Kali (2020.4) + tools used for completing most of the labs listed above (except p2p Data Leakage case)
- Install Virtualbox
- Import the customized Kali 2020.4. Notes: the default harddisk size is 80G.
Method 2: Installing tools using the customized script (the script ONLY is tested on Kali 2020.4)
The following script will install tools needed for completing most of the labs listed above (except p2p Data Leakage case, which has its own script described in PPTs). Please let us know if you need us to add more tools to the script.
- Install Virtualbox
- Install Kali 2020.4. Notes: Suggest You configure the disk size of Kali VM 80G because the size of each leakage cases image is 30G+
- How to run the installation script instructions, or you can simply follow the commands below
wget https://github.com/sajinshivdas/Digital-Forensics-Lab/blob/main/Help/tool-install-zsh.sh
chmod +x tool-install-zsh.sh
./tool-install-zsh.sh
Installed tools. Note that most of the commands for tools can executed globally. Now you can skip most of tool installation steps in PPTs.
Computer Forensics Case Study
Investigating NIST Data Leakage
The case study is to investigate an image involving intellectual property theft. The study include
- A large and complex case study created by NIST. You can access the Scenario, DD/Encase images. You can also find the solutions on their website.
- 14 hands-on labs/topics in digital forensics
Topics Covered
Labs |
Topics Covered |
Size of PPTs |
Lab 0 |
2M |
|
Lab 1 |
3M |
|
Lab 2 |
3M |
|
Lab 3 |
3M |
|
Lab 4 |
3M |
|
Lab 5 |
2M |
|
Lab 6 |
2M |
|
Lab 7 |
5M |
|
Lab 8 |
13M |
|
Lab 9 |
4M |
|
Lab 10 |
6M |
|
Lab 11 |
3M |
|
Lab 12 |
3M |
|
Lab 13 |
2M |
Investigating P2P Data Leakage
The P2P data leakage case study is to help students to apply various forensic techniques to investigate intellectual property theft involving P2P. The study includes
- A large and complex case involving a uTorrent client. The case is similar to NIST data leakage lab. However, it provides a clearer and more detailed timeline.
- Solid evidence with explanations. Each evidence that is associated with each activity is explained along with the timeline.
- 10 hands-on labs/topics in digital forensics
Topics Covered
Labs |
Topics Covered |
Size of PPTs |
Lab 0 |
4M |
|
Lab 1 |
5M |
|
Lab 2 |
15M |
|
Lab 3 |
6M |
|
Lab 4 |
3M |
|
Lab 5 |
9M |
|
Lab 6 |
8M |
|
Lab 7 |
9M |
|
Lab 8 |
11M |
|
Lab 9 |
2M |
|
Lab 10 |
Timeline (Summary) |
13K |
Investigating Illegal Possession of Images
The case study is to investigate the illegal possession of Rhino images. This image was contributed by Dr. Golden G. Richard III, and was originally used in the DFRWS 2005 RODEO CHALLENGE. NIST hosts the USB DD image. A copy of the image is also available in the repository
Topics Covered
Labs |
Topics Covered |
Size of PPTs |
Lab 0 |
3M |
|
Lab 1 |
6M |
|
Lab 2 |
9M |
|
Lab 3 |
4M |
|
Lab 4 |
Rhion Possession Investigation 3: Extract Evidence from FTP Traffic |
3M |
Lab 5 |
Rhion Possession Investigation 4: Extract Evidence from HTTP Traffic |
5M |
Investigating Email Harassment
The case study is to investigate the harassment email sent by a student to a faculty member. The case is hosted by digitalcorpora.org. You can access the senario description and network traffic from their website. The repository only provides lab instructions.
Topics Covered
Labs |
Topics Covered |
Size of PPTs |
Lab 0 |
Investigating Harassment Email using Wireshark |
3M |
Lab 1 |
t-shark Forensic Introduction |
2M |
Lab 2 |
Investigating Harassment Email using t-shark |
2M |
Investigating Illegal File Transferring
The case study is to investigate computer memory for reconstructing a timeline of illegal data transferring. The case includes a scenario of transfer sensitive files from a server to a USB.
Topics Covered
Labs |
Topics Covered |
Size of PPTs |
Lab 0 |
Memory Forensics |
11M |
part 1 |
Understand the Suspect and Accounts |
|
part 2 |
Understand the Suspect’s PC |
|
part 3 |
Network Forensics |
|
part 4 |
Investigate Command History |
|
part 5 |
Investigate Suspect’s USB |
|
part 6 |
Investigate Internet Explorer History |
|
part 7 |
Investigate File Explorer History |
|
part 8 |
Timeline Analysis |
|
Investigating Hacking Case
The case study, including a disk image provided by NIST is to investigate a hacker who intercepts internet traffic within range of Wireless Access Points.
Topics Covered
Labs |
Topics Covered |
Size of PPTs |
Lab 0 |
Hacking Case |
8M |
Investigating Morris Worm Attack
The case study is an investigation of the Morris Worm Attacking. We are using the VM provided by SeedLab. The goal of the lab is to find all evidence related to Morris Worm attacking.
Topics Covered
Labs |
Topics Covered |
Size of PPTs |
Lab 0 |
Morris Worm Attack |
2M |
Lab 0 |
Investigating Morris Worm Attack |
2M |
Investigating Android 10
The image is created by Joshua Hickman and hosted by digitalcorpora.
Labs |
Topics Covered |
Size of PPTs |
Lab 0 |
3M |
|
Lab 1 |
2M |
|
Lab 2 |
4M |
|
Lab 3 |
5M |
|
Lab 4 |
11M |
|
Lab 5.1.1 |
4M |
|
Lab 5.1.2 |
3M |
|
Lab 5.1.3 |
1M |
|
Lab 5.2.1 |
6M |
|
Lab 5.2.2 |
2M |
|
Lab 5.2.3 |
8M |
|
Lab 5.2.4 |
6M |
|
Lab 5.3.1 |
4M |
|
Lab 5.3.2 |
1M |
|
Lab 5.3.3 |
3M |
|
Lab 6 |
5M |
Investigating iPhone iOS 13.4.1
The image is created by Joshua Hickman and hosted by digitalcorpora.
Labs |
Topics Covered |
Size of PPTs |
Lab 0 |
5M |
|
Lab 1 |
5M |
|
Lab 2 |
3M |
|
Lab 3 |
3M |
|
Lab 4 |
2M |
|
Lab 5 |
3M |
|
Lab 6 |
3M |
|
Lab 7 |
2M |
|
Lab 8 |
3M |
|
Lab 9 |
7M |
|
Lab 10 |
5M |
|
Lab 11 |
5M |
|
Lab 12 |
8M |
|
Lab 13 |
12M |
|
Lab 14 |
13M |
|
Lab 14 |
6M |
Investigating Drone DJI
The dataset includes logical files extracted from a DJI controller (mobile device) and a SD card image used by the device. The Drone dataset is created by VTO Labs. The lab covers GPS investigation and cached image retrieval. Note that it is a draft. We will improve the lab later.
Labs |
Topics Covered |
Size of PPTs |
Lab 0 |
13M |
|
Lab 1 |
2M |
|
Lab 2 |
2M |
Tools
- Commands tested
Name |
Command |
Repository |
Installation Method |
Wine |
wine –version |
Custom |
|
Vinetto |
vinetto -h |
Custom |
|
imgclip |
imgclip -h |
apt install |
|
RegRipper |
rip.pl -h |
Customized scirpt |
|
Windows-Prefetch-Parser |
prefetch.py -h |
https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git |
Custom |
python-evtx |
evtx_dump.py -h |
apt install |
|
libesedb-utils |
esedbexport -h |
apt install |
|
libpff |
pffexport -h |
apt install |
|
USN-Record-Carver |
usncarve.py -h |
apt install |
|
USN-Journal-Parser |
usn.py -h |
apt install |
|
time_decode |
time_decode.py -h |
Git clone |
|
analyzeMFT |
analyzeMFT.py -h |
Customized scirpt |
|
libvshadow |
vshadowinfo -h |
Customized scirpt |
|
INDXParse |
INDXParse.py – |
|
Customized scirpt |
carving sqlite .db |
undark -h |
Customized scirpt |
|
stegdetect |
stegdetect -V |
|
Customized scirpt |
stegbreak |
stegbreak -V |
|
Customized scirpt |
stego-toolkit |
jphide |
|
Customized scirpt |
jpsestego-toolkitek |
jpseek |
|
Customized scirpt |
volatility-2 |
vol.py -h |
Customized scirpt |
|
liblnk-utils |
lnkinfo -h |
|
apt install |
JLECmd |
|
https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip |
Git clone |
recentfilecache-parser |
|
|
|
LogFileParser |
|
Git clone |
|
UsnJrnl2Csv |
|
ttps://github.com/jschicht/UsnJrnl2Csv.git |
Git clone |
Other tools installed via apt install python3-pip, leafpad, terminator, sqlite3, tree, xmlstarlet, libhivex-bin, pasco, libhivex-bin, npm, binwalk, foremost, hashdeep, ewf-tools, nautilus