Practical - 1: Aim Objective Requirements 1

The document outlines practical exercises for a Cyber Security course, focusing on network reconnaissance tools like WHOIS, Nmap, and Angry IP Scanner, as well as firewall configurations using iptables. It details the steps for gathering information from devices on a LAN and implementing security measures through firewalls. Additionally, it introduces steganography, explaining its purpose and types, including text and image steganography.

Uploaded by

Divyaraj Gohil

FACULTY OF ENGINEERING AND TECHNOLOGY


Subject Name: - CYBER SECURITY
Subject Code: - 203105327
B. Tech. 3rd year 6th Semester

PRACTICAL - 1

Aim: Implementation to gather information from any PCs connected to the LAN using who.is,
port scanners, network scanning, Angry IP Scanner, etc.
Objective: To learn how to gather information about networks by using different network
reconnaissance tools.
Requirements: Laptop, who.is, Nmap, Angry IP Scanner
1. Who.is
whois searches for an object in a WHOIS database. WHOIS is a query and response protocol that is
widely used for querying databases that store the registered users of an Internet resource, such as
a domain name or an IP address block, but it is also used for a wider range of other information. Most
modern versions of whois try to guess the right server to ask for the specified object. If no guess
can be made, whois will connect to whois.networksolutions.com for NIC handles or
whois.arin.net for IPv4 addresses and network names.
To use the WHO.IS lookup tool, enter the domain name whose information you'd like to view
into the search field on the WHOIS main page. You can retrieve key data about a domain in this
way, including availability, domain owner lookup, and creation and expiration details. If you own
multiple domains, it can be helpful to download exportable lists from the tool to
analyze large amounts of domain data.
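The query/response protocol and the "guess the right server" behaviour described above, as an added Python example that is not part of the original practical: a raw RFC 3912 client plus a parser that follows the registrar referral. The sample reply and the .test names are constructed; whois.iana.org is a real public server and is only contacted by lookup(), which needs network access.

```python
import socket

# Constructed sample reply in the "Key: value" layout registries use; NOT real
# registry output. Names under .test are reserved placeholders.
SAMPLE_WHOIS_REPLY = """\
Domain Name: EXAMPLE-LAB.TEST
Registrar WHOIS Server: whois.registrar-placeholder.test
Registrar: Placeholder Registrar, Inc.
Creation Date: 2019-03-04T10:00:00Z
Registry Expiry Date: 2026-03-04T10:00:00Z
Name Server: NS1.EXAMPLE-LAB.TEST
Name Server: NS2.EXAMPLE-LAB.TEST
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """One raw RFC 3912 exchange: TCP port 43, object name + CRLF, read to EOF.
    Needs network access, so the offline checks do not call it."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Map 'Key: value' lines to a dict with lower-cased keys. A key that repeats
    (Name Server) collects a list; banners, comments and '>>>' notices are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((">>>", "%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def referral_server(fields: dict):
    """A thin registry answer names the registrar server holding the full record;
    following it is the 'pick the right server' step the text mentions."""
    return fields.get("registrar whois server")


def lookup(domain: str, server: str = "whois.iana.org") -> dict:
    """Query the starting server and follow one referral if the reply names a
    more specific server. IANA's reply uses a 'whois:' line for the TLD server."""
    fields = parse_whois(whois_query(server, domain))
    nxt = referral_server(fields) or fields.get("whois")
    if nxt and nxt != server:
        fields = parse_whois(whois_query(nxt, domain))
    return fields
```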

Step 1: Search for who.is in a web browser

Step 2: Open the who.is tool and enter the domain name or IP address of the device whose
information you want to gather

Enrollment No:210303105178 Page.no 1

Downloaded by Divyraj Gohil (divyraj1302gohil@gmail.com)



✓ Observation:
The information about the searched domain name or IP address is displayed.

2. Port Scanners:
Nmap is convenient during penetration testing of networked systems. Nmap
provides the network details and also helps to determine the security flaws present in the system.
Nmap is platform-independent and runs on popular operating systems such as
Linux, Windows and Mac.
✓ Advantages of Nmap:
Nmap has a lot of advantages that make it different from other network scanning tools. Nmap is
open-source and free to use.
Some other advantages are listed below.
o It is used for auditing network systems, as it can detect new servers.
o It can search for subdomains and Domain Name System (DNS) information.
o With the help of the Nmap Scripting Engine (NSE), interaction can be made with the target
host.
o It determines the nature of the service on the host, for example whether the host is a mail
server or a web server.
✓ Port scanning using Nmap:
✓ Implementation:


Step 1: Install Nmap on Windows

Step 2: Open Nmap

Step 3: Open a command prompt and run ipconfig to see the local network address

Step 4: Paste the IP address into the Target field, select a scan type and press the Scan button


Nmap Output:

Step 5: Open Command Prompt as administrator. To see the open ports, run:


3. Angry IP Scanner
✓ Implementation:

Once installed, open the application by searching for it in the Start Menu. As you can see, the
home screen of the application is pretty simple and straightforward. By default, Angry IP scanner
will enter your local IP address range and your computer name as the hostname.


The good thing about Angry IP Scanner is that it lets you scan IP addresses in three different
ways: the range you specify, a random IP address, or a list of IP addresses from a text
file. You can easily select the scan mode from the drop-down menu next to the IP address field.

As you can see from the above image, the Angry IP Scanner will only include default fetchers
like Ping, Hostname, and Ports. However, you can add more fetchers to get and see more
information about an IP address. To do that, select “Tools > Fetchers.”


In this window, you will see all the current fetchers on the left pane and all the available fetchers
in the right pane. To add a fetcher, select the fetcher on the right pane and then click on the
button that looks like “Less than” sign. In my case, I’ve added new fetchers like MAC address,
NetBIOS info, filtered ports, and Web detectors.

Once you are done configuring the Angry IP Scanner, you can continue to scan. To start off, set
the scan mode to “IP Range,” enter the IP address range in the “IP address” fields and then click
on the button “Start.” For instance, I’ve entered an IP range that is known to have live devices
connected to it.


Depending on the number of addresses in the range, it may take some time to complete. Once
completed, the application will show you a summary of the scan. The summary includes the
number of hosts that are alive and the number of hosts that have open ports. Just click on the
button “Close” to continue.

Once you close the summary window, you will see the list of all the IP addresses. You can also
see additional details in different “fetcher” columns. In case you are wondering, here’s what the
colored dots next to each IP address mean.
Red: The IP address is inactive, dead or there is no device connected to this IP address.
Blue: The IP address is either active or busy and not responding to the requests sent by Angry IP
Scanner. This usually will be your own IP Address.
Green: The IP address is active, and the device connected to it is responding to the requests
made by Angry IP Scanner. There may also be open ports.

Apart from copying the details of an IP address, you can also perform a range of different
activities on the entries. You can open an IP address in the web browser, open an FTP connection, run a
traceroute, etc. For instance, if you want to traceroute an IP address, simply right-click on the target
IP address. After that, select the option Open and click on Traceroute.

Once you are done scanning an IP address or the IP address range, you can save the scan results.
To do that, select the option Scan from the menu bar.


PRACTICAL - 2

AIM: Experiments with open source firewall/proxy packages like iptables, squid, etc.
iptables
✓ Simply put, iptables is a firewall program for Linux. It monitors traffic to and from
your server using tables. These tables contain sets of rules, called chains, that filter
incoming and outgoing data packets.
✓ When a packet matches a rule, it is given a target, which can be another chain or one of
these special values:
✓ ACCEPT – allows the packet to pass through.
✓ DROP – does not let the packet pass through.
✓ RETURN – stops the packet from traversing the current chain and sends it back to the
previous chain.
Types of tables in iptables:

How to Install and Use Iptables Linux Firewall


✓ Installing of Iptables
✓ sudo apt-get update
✓ sudo apt-get install iptables
✓ Check the status of your current iptables configuration by running
✓ sudo iptables -L


Commands:
✓ iptables -A INPUT -s <your ip> -j DROP
✓ iptables -A INPUT -s <your ip> -j ACCEPT
✓ To stop http websites:
✓ iptables -A OUTPUT -p tcp -o eth0 -s <your ip address> --dport 80 -j DROP
✓ To stop https websites, use the same rule with --dport 443 instead of 80.

Follow the instructions to create a firewall rule that prevents communication
between two systems via ping.
STEP 1
Check your IP address on both operating systems (Kali Linux and Windows)
using the commands shown in the pictures below.


Attempt to ping each device from the other to verify whether they are responsive.

Create an iptables rule to stop communication between both
devices, as shown in the picture.


Now try to ping from both devices and check whether it works.

If you want to resume the communication, you have to write another rule
to ACCEPT the communication between both devices. Before you add the
ACCEPT rule, you have to remove the previous DROP rule: iptables stops at the
first matching rule, so an ACCEPT appended after the DROP would never be reached.
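The "remove the DROP rule before adding ACCEPT" step, as an added Python helper that is not part of the original practical: it parses `iptables -S` output and produces the exact `iptables -D` command for every stale DROP rule on a host, so nothing is left in front of the new ACCEPT. The dump and the 192.168.56.x addresses are constructed; `current_dump()` needs root and is only there for live use.

```python
import shlex
import subprocess
from dataclasses import dataclass

# Constructed `iptables -S` output (not captured from a real host): the default
# policies plus the rules this practical adds. Addresses are lab placeholders.
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.56.101/32 -p icmp -j DROP
-A OUTPUT -s 192.168.56.102/32 -o eth0 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 192.168.56.102/32 -o eth0 -p tcp -m tcp --dport 443 -j DROP
"""


@dataclass(frozen=True)
class Rule:
    chain: str
    spec: tuple    # match options exactly as iptables prints them
    target: str

    def delete_cmd(self) -> list:
        # `-D <chain> <spec> -j <target>` removes the first rule with this exact spec.
        return ["iptables", "-D", self.chain, *self.spec, "-j", self.target]


def parse_rules(dump: str) -> list:
    """Parse the `-A` lines of `iptables -S`; policy (`-P`) lines are skipped."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or tok[0] != "-A":
            continue
        j = tok.index("-j")
        rules.append(Rule(chain=tok[1], spec=tuple(tok[2:j]), target=tok[j + 1]))
    return rules


def _matches_host(rule: Rule, host: str) -> bool:
    # iptables normalises a bare IPv4 address to /32 in -S output.
    want = {host, f"{host}/32"}
    return any(a == "-s" and b in want for a, b in zip(rule.spec, rule.spec[1:]))


def stale_drops(dump: str, host: str, chain=None) -> list:
    """Every DROP rule for `host` (optionally in one chain). Each of these would
    shadow an ACCEPT appended later, because the first matching rule wins."""
    return [r for r in parse_rules(dump)
            if r.target == "DROP" and _matches_host(r, host)
            and (chain is None or r.chain == chain)]


def unblock_plan(dump: str, host: str) -> list:
    """Delete commands, one per stale DROP, in the order an admin would run them."""
    return [r.delete_cmd() for r in stale_drops(dump, host)]


def current_dump() -> str:
    """Live snapshot of the filter table; needs root, not used offline."""
    return subprocess.run(["iptables", "-S"], check=True,
                          capture_output=True, text=True).stdout
```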


To remove the rule from iptables, see the picture.

To stop https requests in our browser by IP address:


To resume https requests in the browser with an ACCEPT rule:


PRACTICAL - 3

AIM: Implementation of Steganography.


SCOPE:
Encompasses the detection of concealed messages and data within various media
files, emphasizing the application of steganographic methods for security and
forensic purposes.
REQUIREMENTS:
The requirements are Hardware and Devices, Steg software, S-Tools, sample image,
Documentation Templates etc.
THEORY:
Steganography:
✓ The root “steganos” is Greek for “hidden” or “covered,” and the root “graph”
is Greek for “to write.” Steganography is the practice of hiding a secret
message inside of (or even on top of) something that is not secret.
✓ Examples of steganography involve embedding a secret piece of text inside
of a picture. Or hiding a secret message or script inside of a Word or Excel
document. The purpose of steganography is to conceal and deceive. It is a
form of covert communication and can involve the use of any medium to hide
messages.
✓ It’s not a form of cryptography, because it doesn’t involve scrambling data or
using a key. Instead, it is a form of data hiding and can be executed in clever
ways.
Types of Steganography
❖ 1.TEXT STEGANOGRAPHY
Text steganography conceals a secret message inside a piece of
text. The simplest version of text steganography might use the first letter in
each sentence to form the hidden message. Other text steganography
techniques might include adding meaningful typos or encoding information
through punctuation.
❖ 2.IMAGE STEGANOGRAPHY
In image steganography, secret information is encoded within a
digital image. This technique relies on the fact that small changes in image
color or noise are very difficult to detect with the human eye. For example, one
image can be concealed within another by using the least significant bits of
each pixel in the image to represent the hidden image instead.
❖ 3.VIDEO STEGANOGRAPHY
Video steganography is a more sophisticated version of image
steganography that can encode entire videos. Because digital videos are
represented as a sequence of consecutive images, each video frame can
encode a separate image, hiding a coherent video in plain sight.
❖ 4.AUDIO STEGANOGRAPHY
Audio files, like images and videos, can be used to conceal
information. One simple form of audio steganography is “backmasking,” in
which secret messages are played backwards on a track (requiring the
listener to play the entire track backwards). More sophisticated techniques
might involve the least significant bits of each byte in the audio file, similar
to image steganography.
❖ 5.NETWORK STEGANOGRAPHY
Last but not least, network steganography is a clever digital
steganography technique that hides information inside network traffic. For
example, data can be concealed within the TCP/IP headers or payloads of
network packets. The sender can even impart information based on the time
between sending different packets.
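Image steganography as described in item 2 above (the least significant bit of each sample carrying one bit of the payload), as an added Python example that is not from the original practical or from S-Tools: it embeds and reveals a text payload in a raw 24-bit pixel buffer, with a length header so the reveal knows where to stop, and shows that no sample moves by more than 1. The cover buffer is constructed, and unlike S-Tools nothing is password-encrypted here.

```python
# Constructed cover: 32x32 pixels, three 8-bit samples each, a synthetic ramp
# rather than a real photo. In a BMP these bytes follow the file/DIB headers.
WIDTH, HEIGHT = 32, 32
COVER = bytes((x * 7 + y * 3) % 256
              for y in range(HEIGHT) for x in range(WIDTH) for _ in range(3))

LENGTH_BITS = 32   # payload is prefixed with its byte length so reveal() knows where to stop


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(cover: bytes) -> int:
    """One bit per sample, minus the length header."""
    return (len(cover) - LENGTH_BITS) // 8


def embed(cover: bytes, secret: bytes) -> bytes:
    """Write the length header and the secret into the LSB of consecutive samples.
    Each sample changes by at most 1, which is what keeps the change invisible."""
    if len(secret) > capacity_bytes(cover):
        raise ValueError(f"cover holds {capacity_bytes(cover)} bytes, secret is {len(secret)}")
    payload = len(secret).to_bytes(LENGTH_BITS // 8, "big") + secret
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def _read_bits(buf: bytes, start: int, count: int) -> int:
    value = 0
    for i in range(start, start + count):
        value = (value << 1) | (buf[i] & 1)
    return value


def reveal(stego: bytes) -> bytes:
    """Inverse of embed(). An image that carries no payload in this format
    usually yields a length that overruns the buffer; that is reported
    instead of returning garbage."""
    length = _read_bits(stego, 0, LENGTH_BITS)
    if LENGTH_BITS + length * 8 > len(stego):
        raise ValueError("length header does not fit the buffer: no payload in this format")
    return _read_bits(stego, LENGTH_BITS, length * 8).to_bytes(length, "big")


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference: 1 for pure LSB embedding, 0 if nothing changed."""
    return max(abs(a - b) for a, b in zip(cover, stego))
```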
➢ Download S-Tools:


Extract the zip file into a folder.

EXAMINATION:
Step 1: Write a secret message in .txt format (Ex: evidence a.txt).

Step 2: Open S-Tools

Step 3: Drag the original-zebras.bmp file and drop it into S-Tools


Step 4: Using S-Tools, drag and drop the secret message file on top of the image file.

Step 5: Now encrypt the stego file. Create a new password for the encryption and click the
“OK” button.


Step 6: Generate a new stego image. To save the stego file, right-click on the image and select the
“Save as...” option.

Step 7: Specify the destination to save the stego image and click on the “Save” button; save the
file with the .BMP extension.

Step 8: Now, to extract the concealed information from the stego image, run S-Tools and
then drag and drop the suspected file into it. Right-click on the image and select the “Reveal” option
from the drop-down menu.


Step 9: The “Revealed Archive” window displays the secret message file name.

Step 10: Now right-click on the file name and select the “Save as…” option to save it to
a location. Then check the extracted file.


PRACTICAL – 4

AIM: Implementation of a MITM attack using Wireshark / network sniffers.

Wireshark or Ettercap

We'll need a client machine as well, whose network traffic we will
spoof and sniff to get cleartext submissions of passwords from certain
vulnerable websites.
Ettercap is a GUI-based tool built into Kali, so there is no need to download and
install anything; let's get started doing a MiTM attack with Ettercap.

Step #1:
Start ettercap
Let's view the help file for ettercap by typing: kali > ettercap -h

As you can see, ettercap has a significant help file for running it from a
command line, but the only thing we need from here is the switch to
run it in graphical mode. In the bottom line of the screenshot (not
the bottom line of the actual help file, as I have truncated it in the
interest of space), you can see the -G switch. Adding this after the
command ettercap will launch the ettercap GUI: kali > ettercap -G


➔ The first step in launching our MiTM attack is to start sniffing. Go to the
pull-down menu that says "Sniff" and click on "Sniffing at startup".


When we click "OK", ettercap starts sniffing and loads its plugins.
Our next step is to find the hosts on the network. Click on the "Hosts"
tab and you will see a menu that includes "Scan for Hosts". Click on
it and ettercap will begin scanning the network for hosts.

➔ Now, select one of the hosts that will be the target of this attack in the
window by clicking on it and then click on "Add to Target 1" at the
bottom of the window. When you do so, ettercap will add that host as
the first target in our MITM attack, as seen in the screenshot below.
Next, select the second host in this attack and then click "Add to Target
2".


➔ Select it and it will open a pop-up window like the one below. Select "Sniff remote
connections".
When we press OK, ettercap will begin ARP poisoning and you will see
ettercap respond in its main window with the message below.

Now we have successfully placed ourselves between the two target
systems and all their traffic must flow through us. This is where the fun
begins, as we can now delete, manipulate, impersonate and view all their
traffic.
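The ARP poisoning that puts the attacker between the two targets also leaves a trace on the wire, so here is the defender's side as an added Python example that is not part of the original practical: a detector over ARP reply records of the kind Wireshark displays (time, sender IP, sender MAC). The capture records and the MAC/IP values are constructed.

```python
from collections import defaultdict

# Constructed ARP reply records, NOT a real capture: (seconds, sender IP, sender MAC).
# .1 is the gateway. From t=5.0 a second MAC starts answering for .1 and .102,
# which is what poisoning of two targets looks like from a third host.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.56.1",   "08:00:27:aa:aa:01"),
    (0.5, "192.168.56.101", "08:00:27:bb:bb:02"),
    (1.0, "192.168.56.102", "08:00:27:cc:cc:03"),
    (5.0, "192.168.56.1",   "08:00:27:dd:dd:04"),
    (5.1, "192.168.56.102", "08:00:27:dd:dd:04"),
    (5.2, "192.168.56.1",   "08:00:27:dd:dd:04"),
]


def detect_arp_spoofing(replies, known=None):
    """Return (time, kind, subject, detail) alerts for three poisoning signs:
    - static-mismatch: sender MAC differs from a trusted IP->MAC table `known`
    - mac-changed: an IP's sender MAC changes during the capture
    - one-mac-many-ips: one MAC claims several IPs (both MITM targets at once)
    A router holding several addresses can legitimately trigger the third sign,
    so read it together with the other two or with the `known` table."""
    seen = {}                       # ip -> last sender MAC
    ips_per_mac = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if known and ip in known and known[ip].lower() != mac:
            alerts.append((t, "static-mismatch", ip, mac))
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append((t, "mac-changed", ip, f"{prev} -> {mac}"))
        seen[ip] = mac
        before = len(ips_per_mac[mac])
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1 and len(ips_per_mac[mac]) > before:
            alerts.append((t, "one-mac-many-ips", mac, sorted(ips_per_mac[mac])))
    return alerts


def suspect_macs(alerts):
    """MACs named by any alert, i.e. the interfaces to locate on the switch."""
    macs = set()
    for _, kind, subject, detail in alerts:
        if kind == "one-mac-many-ips":
            macs.add(subject)
        elif kind == "static-mismatch":
            macs.add(detail)
        elif kind == "mac-changed":
            macs.add(detail.split(" -> ")[1])
    return sorted(macs)
```

Wireshark flags the same condition on its own; the display filter `arp.duplicate-address-detected` lists the replies involved.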

WIRESHARK:-
The basic setup is complete and the victim's network traffic will now pass through the
attacker machine. To listen to these packets, we will use Wireshark.
• Open a new terminal and type wireshark. Go to the interface which
is capturing all the data flow (here eth0) and start the capture.
• Filter the packets according to what you are looking for. For the
purpose of this demo, the user is logging into a vulnerable website,
DVWA, which uses HTTP instead of the secure version HTTPS. Filter
on the http protocol and search for the required data.


PRACTICAL – 5
Aim: Implementation of Windows security using firewalls and other tools.
Tools: Windows Defender Firewall
Description:
Windows Firewall is a security feature that helps to protect your device
by filtering network traffic that enters and exits your device. This traffic
can be filtered based on several criteria, including source and destination
IP address, IP protocol, or source and destination port number. Windows
Firewall can be configured to block or allow network traffic based on the
services and applications that are installed on your device. This allows
you to restrict network traffic to only those application and services that
are explicitly allowed to communicate on the network.
The default behavior of Windows Firewall is to:
• block all incoming traffic, unless solicited or matching a rule
• allow all outgoing traffic, unless matching a rule
Firewall rules

Firewall rules identify allowed or blocked network traffic, and the conditions
for this to happen. The rules offer an extensive selection of conditions to
identify traffic, including:
• Application, service or program name
• Source and destination IP addresses
• Dynamic values, like default gateway, DHCP servers, DNS servers,
etc.

How to block a program

➔ Step 1: Open Windows Defender Firewall


➔ Step 2: Select Advanced Settings

➔ Step 3: Select Outbound Rules

➔ Step 4: Select New Rule

➔ Step 5: Select Program and click the Next button


➔ Step 6: Give the path of the program you want to block

➔ Step 7: Select the Block the connection option


Select all 3 profile boxes (Domain, Private, Public) and click the Next button

➔ Step 8: Give a name to your created rule and click the Finish button


➔ You can see that the rule is created

Now go to the Chrome browser and try to open a website to confirm that the program is blocked.


PRACTICAL -6

AIM: Implementation to identify web vulnerabilities using the OWASP project

Tools: OWASP ZAP Proxy (Windows and Kali)

Description:

Introducing ZAP:
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the
umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for
testing web applications and is both flexible and extensible. At its core, ZAP is what is known as a
“man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it
can intercept and inspect messages sent between browser and web application, modify the contents if
needed, and then forward those packets on to the destination. It can be used as a stand-alone
application, and as a daemon process.

If there is another network proxy already in use, as in many corporate environments, ZAP can
be configured to connect to that proxy.

ZAP provides functionality for a range of skill levels – from developers, to testers new to security
testing, to security testing specialists. ZAP has versions for each major OS and Docker, so you are not tied
to a single OS. Additional functionality is freely available from a variety of add-ons in the ZAP
Marketplace,

accessible from within the ZAP client. Because ZAP is open-source, the source code can be
examined to see exactly how the functionality is implemented. Anyone can volunteer to work on ZAP,
fix bugs, add features, create pull requests to pull fixes into the project, and author add-ons to support
specialized situations.

Install and Configure ZAP:

ZAP has installers for Windows, Linux, and Mac OS/X. There are also Docker images available on the
download site listed below.

Install ZAP: The first thing to do is install ZAP on the system you intend to perform pentesting on.

Download the appropriate installer from ZAP’s download location at https://www.zaproxy.org/download/ and
execute the installer.
Note that ZAP requires Java 8+ in order to run. The Mac OS/X installer includes an appropriate version of
Java, but you must install Java 8+ separately for the Windows, Linux, and Cross-Platform versions. The Docker
versions do not require you to install Java.
Once the installation is complete, launch ZAP and read the license terms. Click Agree if you accept the
terms, and ZAP will finish installing, then ZAP will automatically start.
Persisting a Session: When you first start ZAP, you will be asked if you want to persist the ZAP
session. By default, ZAP sessions are always recorded to disk in a HSQLDB database with a default
name and location.
If you do not persist the session, those files are deleted when you exit ZAP.
If you choose to persist a session, the session information will be saved in the local database so you can
access it later, and you will be able to provide custom names and locations for saving the files.

For now, select No, I do not want to persist this session at this moment in time, then click Start.
The ZAP sessions will not be persisted for now.

ZAP Desktop UI:
The ZAP Desktop UI is composed of the following elements:
1. Menu Bar – Provides access to many of the automated and manual tools.
2. Toolbar – Includes buttons which provide easy access to most commonly used features.
3. Tree Window – Displays the Sites tree and the Scripts tree.
4. Workspace Window – Displays requests, responses, and scripts and allows you to edit them.
5. Information Window – Displays details of the automated and manual tools.
6. Footer – Displays a summary of the alerts found and the status of the main automated tools.

Running an Automated Scan

The easiest way to start using ZAP is via the Quick Start tab. Quick Start is a ZAP
add-on that is included automatically when you install ZAP.

To run a Quick Start Automated Scan:

1. Start ZAP and click the Quick Start tab of the Workspace Window.
2. Click the large Automated Scan button.
3. In the URL to attack text box, enter the full URL of the web application you want
to attack.
4. Click the Attack button.


• ZAP will proceed to crawl the web application with its spider and passively scan
each page it finds. Then ZAP will use the active scanner to attack all of the
discovered pages, functionality, and parameters.
• ZAP provides 2 spiders for crawling web applications, you can use either or both
of them from this screen.
• The traditional ZAP spider which discovers links by examining the HTML in
responses from the web application. This spider is fast, but it is not always
effective when exploring an AJAX web application that generates links using
JavaScript.
• For AJAX applications, ZAP’s AJAX spider is likely to be more effective.
This spider explores the web application by invoking browsers which then
follow the links that have been generated. The AJAX spider is slower than
the traditional spider and requires additional configuration for use in a
“headless” environment.
• ZAP will passively scan all of the requests and responses proxied through it.
So far ZAP has only carried out passive scans of your web application. Passive
scanning does not change responses in any way and is considered safe.
Scanning is also performed in a background thread to not slow down
exploration.
• Passive scanning is good at finding some vulnerabilities and as a way to get a feel
for the basic security state of a web application and locate where more investigation
may be warranted. Active scanning, however, attempts to find other vulnerabilities by
using known attacks against the selected targets.
• Active scanning is a real attack on those targets and can put the targets at
risk, so do not use active scanning against targets you do not have
permission to test.


See Explored Pages


To examine a tree view of the explored pages, click the Sites tab in the Tree
Window. You can expand the nodes to see the individual URLs accessed.
View Alerts and Alert Details
The left-hand side of the Footer contains a count of the Alerts found during
your test, broken out into risk categories. These risk categories are:

To view the alerts created during your test:


1. Click the Alerts tab in the Information Window.
2. Click each alert displayed in that window to display the URL and the vulnerability
detected in the right side of the Information Window.
3. In the Workspace Windows, click the Response tab to see the contents of the header
and body of the response. The part of the response that generated the alert will be
highlighted.
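The alert counts and details described above, as an added example that is not part of the lab sheet or of ZAP: a small Python script that tallies a ZAP JSON report export by risk category and lists each finding's URL and parameter. SAMPLE_REPORT is constructed to mirror the shape of ZAP's JSON report (site -> alerts -> instances); the plugin IDs, alert names and URLs in it are assumptions.

```python
"""Tally the alerts in a ZAP JSON report by risk category and list the findings.

Added example for this lab sheet, not code from ZAP. SAMPLE_REPORT is
constructed by hand in the shape of ZAP's JSON report (site -> alerts ->
instances); the plugin IDs, alert names and URLs in it are assumptions.
"""
import json
from collections import Counter

# ZAP's numeric riskcode values and the risk category each one denotes.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3, "Unknown": 4}

# Constructed sample report (not real scan output).
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "http://bank.example",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
             "instances": [{"uri": "http://bank.example/search?q=x",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
             "instances": [{"uri": "http://bank.example/", "method": "GET"},
                           {"uri": "http://bank.example/login", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
             "instances": [{"uri": "http://bank.example/", "method": "GET"}]},
            {"pluginid": "10027", "alert": "Information Disclosure - Suspicious Comments",
             "riskcode": "0", "confidence": "1", "riskdesc": "Informational (Low)",
             "instances": [{"uri": "http://bank.example/app.js", "method": "GET"}]},
        ],
    }],
})


def summarize_alerts(report_json):
    """Parse a ZAP JSON report string.

    Returns {"by_risk": Counter, "findings": [dict]}. by_risk counts distinct
    alert types per category, which is what the ZAP footer shows; findings
    keeps one row per instance so each URL can be looked up in the Sites tree.
    """
    report = json.loads(report_json)
    by_risk = Counter()
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = RISK_NAMES.get(str(alert.get("riskcode")), "Unknown")
            by_risk[risk] += 1
            for inst in alert.get("instances", []):
                findings.append({
                    "site": site.get("@name"),
                    "risk": risk,
                    "alert": alert.get("alert"),
                    "uri": inst.get("uri"),
                    "param": inst.get("param", ""),
                })
    # Most severe first (stable sort keeps ZAP's own order within a category).
    findings.sort(key=lambda f: RISK_ORDER[f["risk"]])
    return {"by_risk": by_risk, "findings": findings}


def format_report(summary):
    """Render the summary as the text block a lab report would paste in."""
    lines = ["Risk summary (distinct alert types):"]
    for name in ("High", "Medium", "Low", "Informational"):
        lines.append(f"  {name:<14}{summary['by_risk'].get(name, 0)}")
    lines.append("Findings:")
    for f in summary["findings"]:
        param = f" param={f['param']}" if f["param"] else ""
        lines.append(f"  [{f['risk']}] {f['alert']} -> {f['uri']}{param}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_alerts(SAMPLE_REPORT)))
```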

Here are the outputs for a sample bank website; follow the images below step by step.

CHECK THE OUTPUT OF THE DASHBOARD IN THE IMAGE BELOW


CLICK ON THE ALERT OPTION TO CHECK VULNERABILITIES IN THE IMAGE BELOW

SELECT ANY LINK AND CHECK THE DESCRIPTION OF THAT VULNERABILITY

PRACTICAL - 7
Aim: Implementation of IT audit, malware analysis and vulnerability assessment,
and generation of the report.
Objective: To know how to find vulnerabilities by using NESSUS
Requirements: Laptop, Kali Linux, Nessus package in Kali
Malware analysis

NESSUS:

Nessus, developed by Tenable Inc, is a widely-used open-source vulnerability scanner. It offers a
paid subscription, Nessus Professional, as well as a free version, Nessus Essentials, which is
limited to 16 IP addresses per scanner.

Nessus provides a range of services, including vulnerability assessments, network scans, web
scans, asset discovery, and more, to aid security professionals, penetration testers, and other
cybersecurity enthusiasts in proactively identifying and mitigating vulnerabilities in their
networks.

How to install Nessus on Kali

Unlike many security tools, Nessus does not come preinstalled on Kali Linux, but it is very easy to
download and install. Follow these steps to install Nessus on your Kali:

1. Download the Nessus package for Debian from the Nessus website, making sure the Platform is set to Linux-Debian-amd64.

2. When the download has finished, open your Linux terminal and change to the directory you downloaded the Nessus file to.

3. Install Nessus using this command:

4. Start the Nessus service with this command:

5. In your browser, go to https://kali:8834/. A certificate warning page will be shown.

6. Click Advanced, then click Accept Risk and Continue.
7. Choose the Nessus product you prefer. If you want the free version of Nessus, click Register Nessus
Essentials.

8. Enter your name and email address to receive an activation code by email. Paste the activation code
into the space provided and choose a username and password.

You can use a temporary email address for this; examples of online temporary email services are shown below.

9. Allow Nessus to download the necessary plugins.

10. Click New Scan to begin scanning for vulnerabilities.

11. Click Advanced Scan.

12. Give the scan a name (e.g. test, windows scan, etc.).

13. Enter the IP address of the Windows machine you want to scan for vulnerabilities in the
Targets box, as shown below.

14. Enter the credentials of the Windows machine (username and password) if you know them (OPTIONAL).

NOTE: Supplying credentials lets Nessus log in and scan deeper into the system (an authenticated scan).
15. Scroll down and save the scan.

16. Click Launch.

17. Wait some time for the output.

18. ON THE RIGHT SIDE, CLICK REPORT TO GENERATE THE FULL VULNERABILITY REPORT FOR YOUR SYSTEM
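The report step above is where a practitioner wants the findings in a form that can be compared from one scan to the next; as an added example (not code from Nessus or the lab sheet), this script summarizes a .nessus export by host and severity, highest first, with the suggested fix beside each item. The XML is a constructed sample in the shape of a real export; the host, plugin names and PLACEHOLDER plugin IDs are assumptions.

```python
"""Summarize a Nessus .nessus export (NessusClientData_v2 XML) into a short report.

Added example for this lab sheet, not code from Nessus. SAMPLE_NESSUS is
constructed by hand in the shape of a real export; pass the text of a file
exported from Nessus (Export -> Nessus) to summarize_nessus() instead. The
host, plugin names and the PLACEHOLDER plugin IDs are assumptions.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Values of the severity attribute on <ReportItem>.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export (not real scan output).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="windows scan">
  <ReportHost name="192.0.2.10">
   <HostProperties>
    <tag name="host-ip">192.0.2.10</tag>
    <tag name="operating-system">Windows 10 (constructed)</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
               pluginID="PLACEHOLDER-1" pluginName="SMB signing not required">
    <risk_factor>Medium</risk_factor>
    <solution>Enforce message signing in the host's configuration.</solution>
   </ReportItem>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="4"
               pluginID="PLACEHOLDER-2" pluginName="Outdated RDP service (constructed)">
    <risk_factor>Critical</risk_factor>
    <cvss_base_score>9.8</cvss_base_score>
    <solution>Apply the vendor patch.</solution>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="PLACEHOLDER-3" pluginName="OS identification">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def summarize_nessus(xml_text, min_severity=1):
    """Return {host_ip: {"os": str, "counts": Counter, "findings": [dict]}}.

    Items below min_severity are dropped, so by default the informational
    plugins (severity 0) stay out of the report and only real fixes remain.
    """
    # ElementTree is fine for exports you produced yourself; parse files from
    # untrusted sources with defusedxml instead.
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        entry = {"os": props.get("operating-system", "unknown"),
                 "counts": Counter(), "findings": []}
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            entry["counts"][SEVERITY[sev]] += 1
            entry["findings"].append({
                "severity": sev,
                "label": SEVERITY[sev],
                "plugin": item.get("pluginName"),
                "port": f"{item.get('port')}/{item.get('protocol')}",
                "cvss": item.findtext("cvss_base_score") or "n/a",
                "solution": (item.findtext("solution") or "").strip(),
            })
        # Highest severity first, as the Nessus UI orders them.
        entry["findings"].sort(key=lambda f: -f["severity"])
        hosts[props.get("host-ip", host.get("name"))] = entry
    return hosts


def format_report(hosts):
    """Render the per-host summary as plain text for the lab report."""
    lines = []
    for ip, e in hosts.items():
        lines.append(f"Host {ip} ({e['os']})")
        for label in ("Critical", "High", "Medium", "Low"):
            if e["counts"][label]:
                lines.append(f"  {label}: {e['counts'][label]}")
        for f in e["findings"]:
            lines.append(f"  [{f['label']}] {f['plugin']} on {f['port']} (CVSS {f['cvss']})")
            if f["solution"]:
                lines.append(f"      fix: {f['solution']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_nessus(SAMPLE_NESSUS)))
```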

PRACTICAL-8
RAM dumps

A memory dump is the process of taking the entire contents of RAM and writing it to a
storage drive as a memory dump file (*.RAW format).

Volatile memory, or RAM, is used to store data currently used by a running process, whether
it is a user application or a system service. This type of memory is much quicker than a
regular hard drive, but unlike files permanently stored on a drive (unless deleted), data in
RAM may disappear instantly. At the same time, it may store data crucial for your case,
including passwords in raw form without encryption or encoding, decrypted data otherwise
kept encrypted on a drive, decryption keys for various services, apps and WDE (whole disk
encryption), remote session data, chats in social networks, malware code, cryptocurrency
transactions, and various system information such as loaded registry branches (hives), and so on.
This is why it is undisputed that capturing RAM contents must be one of the first steps in
seizing a running computer or laptop.

There are various tools that can be used for a memory dump. Some of them are:
1. Autopsy
2. DumpIt

Procedure

Creating a RAM dump using DumpIt

1. Download the DumpIt tool from the toolwar website


2. Open DumpIt.exe

Autopsy performs operations on disk images, which can be created using tools like FTK
Imager. Here an already created image is used. You may download Autopsy from here and
the disk image used in this article from here.
1. Getting Started
Open Autopsy and create a new case.

Click on Finish after completing both the steps.
2. Add a data source.
Select the appropriate data source type

• Disk Image or VM file: Includes images that are an exact copy of a hard drive
or media card, or a virtual machine image.
• Local Disk: Includes hard disk, pen drive, memory card, etc.
• Logical Files: Includes local folders or files.
• Unallocated Space Image File: Includes files that do not contain a file system
but need to be run through ingest.
The data source used here is a disk image. Add the data source destination.

Configure ingest modules.

The ingest modules determine the factors for which the data in the data source is to be
analyzed. Here is a brief overview of each of them.
• Recent Activity: Discover the recent operations performed on the disk, for
example, the files that were last viewed.
• Hash Lookup: Identify files using hash values.
• File Type Identification: Identify files based on their internal signatures rather
than just file extensions.
• Extension Mismatch Detector: Identify files whose extensions are tampered
with/changed, possibly to hide evidence.
• Embedded File Extractor: Extracts embedded files such as .zip, .rar, etc.
and uses the derived files for analysis. Another example could be a PNG image saved
inside a doc to make it appear as a document and thus hide crucial information.
• EXIF (Exchangeable Image File Format) Parser: Used to retrieve metadata
about image files, for example, date of creation, geolocation, etc.
• Keyword Search: Search for a particular keyword/pattern in the data source.
• Email Parser: If the disk holds any form of email database, for example, pst/ost
files of Outlook, then information from these files can be extracted using the email
parser.
• Encryption Detection: Detects and identifies encrypted / password-protected files.
• Interesting File Identifier: Lets you set custom rules for filtering the
data. The examiner is notified when results matching these rules are found.
• Correlation Engine: Allows properties to be saved in, and later retrieved from, the
central repository. It helps in displaying correlated properties.
• PhotoRec Carver: Recover files, photos, etc. from the unallocated space.
• Virtual Machine Extractor: Extract and analyze any Virtual machine found on the
data source.
• Data Source Integrity: Calculates the hash values and stores them in the database
in case they aren’t already present. Otherwise, it will verify the hash values
associated with the database.
• Plaso: Extract timestamp for various types of files.
• Android Analyzer: Analyze SQLite and other files retrieved from an Android
device.

Select all that will serve the purpose of your investigation and click Next. Once the data source
is added, click Finish. It will take some time to extract and analyze the data, depending
upon the size of the data source.
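What the File Type Identification and Extension Mismatch Detector ingest modules do, as an added example that is not Autopsy's own code: each file's first bytes are checked against a small signature table and the detected format is compared with the file's extension, so a renamed executable or archive is flagged while unknown content is left alone. The signature table and the sample files, written to a temporary directory, are constructed for the example.

```python
"""File type identification by signature and extension mismatch detection.

Added example for this lab sheet, not Autopsy's own code: it re-creates in
miniature what the File Type Identification and Extension Mismatch Detector
ingest modules do. The signature table covers a few common formats, and the
sample files are constructed in a temporary directory.
"""
import os
import tempfile

# Magic bytes at offset 0 and the extensions each format normally carries.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"\xff\xd8\xff", "image/jpeg", {"jpg", "jpeg"}),
    (b"GIF87a", "image/gif", {"gif"}),
    (b"GIF89a", "image/gif", {"gif"}),
    (b"%PDF-", "application/pdf", {"pdf"}),
    (b"PK\x03\x04", "application/zip", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"MZ", "application/x-dosexec", {"exe", "dll", "sys", "scr"}),
    (b"\x7fELF", "application/x-elf", {"elf", "so", ""}),
]


def identify(header):
    """Return (mime, allowed_extensions) for the first matching signature, else None."""
    for magic, mime, exts in SIGNATURES:
        if header.startswith(magic):
            return mime, exts
    return None


def check_file(path):
    """Classify one file by content and flag a mismatch with its extension.

    A mismatch means the signature is known and the extension is not one the
    format normally uses, e.g. a PE executable renamed to invoice.pdf.
    Unknown content is never flagged: no signature, no evidence.
    """
    with open(path, "rb") as fh:
        header = fh.read(16)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    result = {"path": path, "name": os.path.basename(path), "ext": ext,
              "mime": "unknown", "mismatch": False}
    ident = identify(header)
    if ident is not None:
        result["mime"], exts = ident
        result["mismatch"] = ext not in exts
    return result


def scan_tree(root):
    """Walk a directory like an ingest module and return only the mismatches."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            r = check_file(os.path.join(dirpath, name))
            if r["mismatch"]:
                hits.append(r)
    return hits


# Constructed sample "data source"; a few header bytes are enough for the check.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,            # genuine JPEG header
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",                # genuine PDF header
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,   # PE renamed to .pdf
    "photo.png": b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 8,     # ZIP renamed to .png
    "notes.txt": b"just text, no known signature\n",
}


def build_sample_tree():
    """Write the constructed files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="ingest_demo_")
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(f"MISMATCH {hit['name']}: content is {hit['mime']} but extension is .{hit['ext']}")
```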

3. Exploring the data source:


The Data Source information: Here the basic metadata is shown. A detailed analysis is displayed in the
bottom section. These details can be viewed as Hex values, Results, File Metadata, etc.

The disk image is then broken down based upon its volume partitions.
Each volume can be browsed for its contents, results for which are displayed in the
section at the bottom. For example, the content shown below belongs to Data Sources ->
Mantooth.E01 -> MSOCache -> [Parent Folder].

Views (Determines the factor of file classification)


• File Type: Here the files are categorized based upon their type. The classification
can be done either on the basis of file extension or MIME type. While both of these
provide a hint about how to deal with a file, file extensions are commonly used
by the OS to decide what program shall be used to open a file, and MIME types are
used by the browser to decide how to present the data (or by the server on how
to interpret the data received). Files displayed here also include the deleted files.
• Deleted Files: Here information about the files that were specifically deleted can be
found. These deleted files can be recovered as well: Right-click on the file to be
recovered -> click on Extract File(s). -> Save the file in an appropriate destination.

• MB Size Files: Here files are classified based upon their size. The range starts from
50MB. This enables the examiner to pick out exclusively large files.
Note: It is usually advised not to scan or extract any suspected files/disks, such as
payload files, on the main system, but rather to scan them in a safe environment such as a virtual
machine and then extract the data, as they may be corrupt and may
infect the examiner's system with viruses.
Results:
All the extracted data is viewed in Views/ Data Source. In Results, we get the
information about this data.
• Extracted Content: Each Extracted Content displayed below can be further
explored. The following briefly explains each of them.

• EXIF Metadata: It contains all the .jpg images that have EXIF Metadata associated
with them, this Metadata can be analyzed further.
• Encryption Detection: It detects files that are password protected/ encrypted.
• Extension Mismatch Detection: As explained above, it Identifies the files whose
extensions do not match their MIME types and thus they may be suspicious.
• Installed Programs: It gives details about the software used by the user. This
information is extracted with the help of the Software Registry hive.
• Operating System Information: It gives information about the OS with the help of
the Windows Registry hive and the Software Registry hive.
• Operating System User Account: It lists information about all the user accounts,
for example, accounts belonging to the device are extracted from the Software Hive
and the accounts associated with the Internet Explorer using index.data files.
• Recent documents: Lists all the documents that were accessed nearby the time the
disk image was captured.
• Recycle Bin: Files that are temporarily stored on the system before being
permanently deleted are visible here.
• Remote Drive: Shows information about all the remote drives accessed using the
system.
• Shell bags: A shell bag is a set of registry keys that stores details about a
folder being viewed, such as its position, icon, and size. All the shell bags from the
system can be viewed here.
• USB Device attached: All the information about the external devices attached
to the system is displayed here. This data is extracted from the Windows Registry, which
is actually a maintained database about all the activities taking place on the system.
• Web Cookies: Cookies save user information from the sites and thus provide a
lot of information about the user's online activities.
• Web History: All the details about the browser history is shown here.
• Web Searches: Details about the web searches made are displayed here.
• Keyword Hits: Here specific keywords can be looked for in the image of the disk.
Multiple data sources can be selected for the lookup. The search can be restricted to
Exact match, Substring match and Regular expression, for example, emails/ IP
Addresses, etc.
• HashSet Hits: Here the search can be made using hash values.
• E-mail Messages: Here all the outlook.pst files can be explored
• Interesting Items: As discussed before, these are the file results based upon
the custom rules set by the examiner.
• Accounts: Here all the details regarding the accounts present on the disk are
shown. This disk has the following EMAIL accounts.

Reports: Reports about the entire analysis of the data source can be generated and exported in
many formats.

Additional Features:

• Add a Data Source: Each case can hold multiple Data Sources.
• Images/Videos: Images/videos in the data source can be viewed in Gallery
View. The information here is displayed in the form of attribute-value pairs.
• Communications: All the communications made using the source device are
displayed here. This device had communications only in the form of emails.

• Geolocation: This window displays the artifacts that have longitude and latitude
attributes as waypoints on a map. Here the data source has no waypoints.
• Timeline: Information about when the computer was used or what events took place
before or after a given event can be found here; this greatly helps in investigating events
around a particular time.

Almost all the basic features and how Autopsy actually works have been discussed in this
article. However, it is always recommended to go through different sample data sources to
explore even more.

PRACTICAL 9
Aim:
1. Update APT: sudo apt update
2. Install docker: sudo apt install docker.io

1. Search github on your web browser.

Next, download the MobSF Docker image from
https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/ with the
following command: docker pull opensecurity/mobile-security-framework-mobsf:latest

Once you issue the command, you will notice the following output on your console:

Once done, you will see the message "Listening at: http://0.0.0.0:8000". This is the
URL from which MobSF can be accessed.

Our MobSF framework is ready for us to conduct static analysis for APK files.

For our testing, we take Facebook Lite’s APK file.

You will also notice a brief overview of the application you have reviewed. You can also generate the report for it.

PRACTICAL-10
AIM: Implementation of Cyber Forensics for Disk Imaging, Data acquisition, Data
extraction and Data Analysis and recovery.

1. FTK Imager (Data acquisition and Disk Imaging)

SCOPE:
The scope of practical acquisition of digital evidence can encompass a wide range of methods and
devices. Common areas are: hard drives, USB, mobile devices, network forensics, live systems,
etc.
REQUIREMENTS:
The requirements are hardware and devices, FTK Imager software, forensic workstations, sample
data, documentation templates, etc.
THEORY: Data Acquisition:
 The gathering and recovery of sensitive data during a digital forensic investigation is known as data
acquisition; it involves collecting and preserving electronic evidence from various sources.
 Digital forensic analysts need to know how to access, recover, and restore that data as well as how to
protect it for future management. This involves producing a forensic image from digital devices and
other computer technologies.
 The data acquisition process involves several steps: identification, preservation,
collection, verification, documentation.

Disk Imaging:
Disk imaging, also known as forensic imaging or disk cloning, is a crucial process in digital forensics for
cybersecurity. It involves creating a bit-for-bit copy or snapshot of an entire storage device, such as a
hard drive, solid-state drive (SSD), or any other media, to preserve its contents for analysis and
investigation. The purpose of disk imaging is to obtain an exact replica of the original storage device,
including not only the visible files and folders but also the hidden and deleted data.

Types of Disk Imaging:


 Logical Imaging: Logical imaging, also known as file-level imaging or logical acquisition, involves
creating an image or snapshot of the logical structure of a storage device, such as a file system or a
partition. This type of imaging captures the files and directories stored on the disk, along with their
metadata and attributes, without including unallocated space or low-level disk structures.

 Physical Imaging: Physical imaging, also known as bit-for-bit imaging or sector-level imaging, is a
comprehensive process that involves creating an exact copy of the entire storage device, including all
sectors, regardless of whether they are allocated or unallocated. This type of imaging captures not only
the visible files and folders but also the hidden data, deleted files, slack space, and all other data present
on the disk.
➢ Forensic Significance of Imaging: Forensic imaging prevents the loss of original data. These
imaging tools and techniques are the only way to ensure that electronic data can be successfully
admitted as evidence in a court or legal proceeding.

EXAMINATION:
Step 1: Open the FTK Imager software.

Step 3:
After clicking Create Disk Image -> select the source evidence type, e.g. Logical Drive, then click Next.

Step 4: Now select the source drive path and then press the Finish button.

Step 5: Choose the destination image type (Raw (dd)) -> Next.

Step 6: Now fill in the Evidence Item Information form.

Step 7: After filling in the information -> select the image destination, enter the image filename and image
fragment size, then click the Finish button.

Step 8: After all of the above, tick the checkbox "Verify images after they are created" -> Start.

Step 9: Progress for creating image.

Step 10: Verifying the source drive/image.

Step 11: Verify the result for the source drive/image from the hash values.
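The verification step above, as an added example that is not FTK Imager's code: the script recomputes MD5 and SHA-1 over a raw (dd) image, walking the .001/.002 fragments in order when the image was written with a fragment size (an assumption about FTK Imager's naming of split raw images), and compares both digests with the recorded values, so the image can be re-verified later without the tool. The image is a constructed sample in a temporary directory, and a one-byte tamper shows the check failing.

```python
"""Verify a raw (dd) image, possibly split into fragments, against recorded hashes.

Added example for this lab sheet, not FTK Imager's code. It assumes split raw
images are named <base>.001, <base>.002, ... and that the recorded MD5/SHA-1
cover the whole image as one stream. The sample image is constructed here.
"""
import hashlib
import os
import tempfile


def fragment_paths(base):
    """Ordered fragment list <base>.001, .002, ... or [<base>] if the image is unsplit."""
    parts = []
    n = 1
    while os.path.exists(f"{base}.{n:03d}"):
        parts.append(f"{base}.{n:03d}")
        n += 1
    if parts:
        return parts
    if os.path.exists(base):
        return [base]
    raise FileNotFoundError(base)


def hash_image(base, chunk_size=1 << 20):
    """Stream every fragment, in order, through MD5 and SHA-1 as one logical image."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = 0
    for path in fragment_paths(base):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
                total += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "bytes": total}


def verify_image(base, expected_md5, expected_sha1):
    """Return (ok, digests). Both digests must match; a single flipped bit fails it.

    Two independent hashes are checked because MD5 alone is collision-prone;
    the combination is what the acquisition log records.
    """
    got = hash_image(base)
    ok = got["md5"] == expected_md5.lower() and got["sha1"] == expected_sha1.lower()
    return ok, got


def build_sample_image(fragment_size=4096, fragments=3):
    """Write a constructed 'disk' split into fragments; return (base, md5, sha1)."""
    data = bytes(range(256)) * (fragment_size * fragments // 256)
    base = os.path.join(tempfile.mkdtemp(prefix="img_"), "evidence.dd")
    for i in range(fragments):
        with open(f"{base}.{i + 1:03d}", "wb") as fh:
            fh.write(data[i * fragment_size:(i + 1) * fragment_size])
    return base, hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def tamper(base):
    """Flip one bit in the last fragment to show the verification catching a change."""
    path = fragment_paths(base)[-1]
    with open(path, "r+b") as fh:
        first = fh.read(1)
        fh.seek(0)
        fh.write(bytes([first[0] ^ 0x01]))


if __name__ == "__main__":
    base, md5, sha1 = build_sample_image()
    print("fresh image :", verify_image(base, md5, sha1)[0])   # True
    tamper(base)
    print("after tamper:", verify_image(base, md5, sha1)[0])   # False
```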

OBSERVATION:

2. Autopsy (Data Extraction, Data Analysis and Data Recovery)
• Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital
forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what
happened on a computer. You can even use it to recover photos from your camera's memory card.
• Basically, Autopsy is a free open-source tool that supports a wide range of other digital forensics
modules and tools. The tool is largely maintained by Basis Technology Corp. with the assistance of
programmers from the community. Autopsy is computer software that makes it simpler to deploy
many of the open-source programs and plugins used in The Sleuth Kit.
Features of Autopsy
• Timeline Analysis: Displays system events in a graphical interface to help identify activity.
• Keyword Search: Text extraction and index search modules enable you to find files that
mention specific terms and find regular expression patterns.
• Web Artifacts: Extracts web activity from common browsers to help identify user activity.
• Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
• Email Analysis: Parses MBOX format messages, such as Thunderbird.
• EXIF: Extracts geolocation and camera information from JPEG files.
• Robust File System Analysis: Support for common file systems, including NTFS,
FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2.
• Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages.
• File Type Detection based on signatures and extension mismatch detection. The Interesting Files Module
will flag files and folders based on name and path.
• Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.
• Multi-User Cases: Collaborate with fellow examiners on large cases.
• LNK File Analysis: Identifies shortcuts and accessed documents.
EXAMINATION:
Step 1: Download and run the Autopsy installer, then open the tool.

Step 2: Create a case file – Open Autopsy and click New Case > enter a case name and choose a directory.

Step 4: Select data source – now the Add Data Source window pops up > select Logical disk
from the drop-down list > choose the targeted drive image.

Step 5: Click next to proceed.


Step 6: Wait for the analysis to complete, and the data will be displayed in different categories.

OBSERVATION:
Data Restoration – Open the folder containing the files, right-click the file to restore and select Export. Choose a location to
export the data and confirm.
