SMT. SUSHILADEVI DESHMUKH COLLEGE OF ARTS, SCIENCE AND COMMERCE, Airoli, Sector-4, Navi Mumbai-400 708
Date:
CERTIFICATE
This is to certify that Mr. Amitkumar Virendrakumar Mishra, seat no. 21 of TYBSC CS Semester V, has completed the practical work in the subject of "Cyber Forensics" during the academic year 2024-25 under the guidance of Asst. Prof. Minakshi Umate, as the partial requirement for the fulfilment of the curriculum of the Degree of Bachelor of Computer Science, University of Mumbai.
Signature of Internal Guide Signature of HOD
Signature of External Principal
College Seal
Cyber Forensic 2024-25
INDEX
Sr.No. Topic Date Sign
1 Creating a Forensic Image using FTK Imager/Encase Imager:
- Creating Forensic Image
- Check Integrity of Data
- Analyze Forensic Image
2 Data Acquisition
3 Analyze the memory dump of a running computer system. Extract volatile data, such as open processes, network connections, and registry information.
4 Capturing and analyzing network packets using Wireshark (Fundamentals):
- Identify the live network
- Capture Packets
- Analyze the captured packets
5 Using Sysinternals tools for Network Tracking and Process Monitoring:
- Check Sysinternals tools
- Monitor Live Processes
- Capture RAM
- Capture TCP/UDP packets
- Monitor Hard Disk
- Monitor Virtual Memory
- Monitor Cache Memory
6 Recovering and Inspecting deleted files
7 Steganography detection
8 Email detection
9 Web Browser Forensics
Practical 1
Name : Amitkumar Virendrakumar Mishra Roll No: 21 Class: TYCS
AIM: Creating a Forensic Image using FTK Imager.
- Creating Forensic Image
- Check Integrity of Data
- Analyze Forensic Image
Creating Forensic Images
FTK Imager allows you to write an image file to a single destination or to simultaneously write multiple image files to multiple destinations.
To create a forensic image:
Click File, and then Create Disk Image, or click the button on the tool bar.
Select the source you want to make an image of and click Next.
If you select Logical Drive and choose a floppy or CD as the source, you can check the Automate multiple removable media box to create groups of images. Imager automatically increments the case number with each image; if something interrupts the process, you can assign the case number manually.
Select the drive or browse to the source of the image you want, and then click Finish.
In the Create Image dialog, click Add.
You can compare the stored hashes of your image content by checking the Verify images after they are created box. If a file doesn't have a hash, this option will generate one.
You can list the entire contents of your images with path, creation dates, whether files were deleted, and other metadata. The list is saved in tab-separated value format.
Select the type of image you want to create, and then click Next.
Note: If you are creating an image of a CD or DVD, this step is skipped because all
CD/DVD images are created in the IsoBuster CUE format.
In the Image Destination Folder field, type the location path where you want to save the image file, or click Browse to navigate to the desired location.
Note: If the destination folder you select is on a drive that does not have sufficient free space to
store the entire image file, FTK Imager prompts for a new destination folder when all available
space has been used in the first location.
In the Image Filename field, specify a name for the image file but do not specify a file extension.
In the Image Fragment Size field, specify the maximum size in MB for each fragment of the
image file. The s01 format is limited by design to sizes between 1 MB and 2047 MB (2 GB).
Compressed block pointers are 31-bit numbers (the high bit is a compressed flag), which limits
the size of any one segment to two gigabytes.
Tip: If you want to transfer the image file to CD, accept the default fragment size of 650 MB.
Click Finish. You return to the Create Image dialog.
To add another image destination (i.e., a different saved location or image file type), click Add and repeat steps 5–10. To make changes to an image destination, select the destination you want to change and click Edit. To delete an image destination, select the destination and click Remove.
Click Start to begin the imaging process. A progress dialog appears that shows the following:
The source that is being imaged
The location where the image is being saved
The status of the imaging process
A graphical progress bar
The amount of data in MB that has been copied and the total amount to be copied
Elapsed time after the imaging process began
Estimated time left until the process is complete
After the images are successfully created, click Image Summary to view detailed file
information, including MD5 and SHA1 checksums.
Note: This option is available only if you created an image file of a physical or logical drive.
When finished, click Close.
Note that the image file (*.001) as well as the image summary file from above (*.txt) have been saved onto the 'Drive'. The .001 extension may be left as is, or can be changed to .dd. The .001 extension is used because the file to be imaged is often very large and must be split into multiple chunks; in that case you would have *.001, *.002, etc.
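The MD5 and SHA1 values in the image summary are what "Check Integrity of Data" rests on: recomputing them later over the .001/.002/... segments, read in order, shows whether the image was altered. The following added example (written for this page, not part of the practical or of FTK Imager) does that in Python; the "MD5 checksum:" / "SHA1 checksum:" line layout it parses is an assumption about the summary .txt format, and the three-segment image built in demo() is constructed on the fly.

```python
import hashlib
import os
import re
import tempfile

def image_segments(first_segment):
    """Ordered list of segment files for a split raw image. FTK Imager names
    raw segments image.001, image.002, ... so walk the numeric suffix upward
    until a segment is missing. A single .dd file is returned on its own."""
    base, ext = os.path.splitext(first_segment)
    if not re.fullmatch(r"\.\d{3}", ext):
        return [first_segment]
    segments, index = [], int(ext[1:])
    while os.path.exists(f"{base}.{index:03d}"):
        segments.append(f"{base}.{index:03d}")
        index += 1
    return segments

def hash_image(first_segment, chunk_size=1 << 20):
    """MD5 and SHA1 of the logical image, i.e. all segments read in order."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for segment in image_segments(first_segment):
        with open(segment, "rb") as fh:
            for block in iter(lambda: fh.read(chunk_size), b""):
                md5.update(block)
                sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def parse_summary(summary_text):
    """Pull the checksums out of the image summary .txt. The line layout
    assumed here ("MD5 checksum: <hex>", "SHA1 checksum: <hex>") is an
    approximation of FTK Imager's summary, not its exact format."""
    found = {}
    for algo in ("MD5", "SHA1"):
        m = re.search(rf"{algo} checksum:\s*([0-9a-fA-F]+)", summary_text)
        if m:
            found[algo] = m.group(1).lower()
    return found

def verify_image(first_segment, summary_text):
    """(md5_ok, sha1_ok): recomputed hashes compared with the summary."""
    md5, sha1 = hash_image(first_segment)
    expected = parse_summary(summary_text)
    return md5 == expected.get("MD5"), sha1 == expected.get("SHA1")

def demo():
    """Constructed check: write a three-segment image and a summary holding
    its true hashes, verify, then flip one byte in .002 and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        data = bytes(range(256)) * 40            # 10240 bytes of fake disk
        for i, off in enumerate(range(0, len(data), 4096), start=1):
            with open(os.path.join(tmp, f"evidence.{i:03d}"), "wb") as fh:
                fh.write(data[off:off + 4096])
        first = os.path.join(tmp, "evidence.001")
        summary = (f"MD5 checksum: {hashlib.md5(data).hexdigest()}\n"
                   f"SHA1 checksum: {hashlib.sha1(data).hexdigest()}\n")
        intact = verify_image(first, summary)
        with open(os.path.join(tmp, "evidence.002"), "r+b") as fh:
            fh.seek(10)
            fh.write(b"\xff")                    # tamper a single byte
        tampered = verify_image(first, summary)
    return intact, tampered
```

demo() returns ((True, True), (False, False)): the untouched image verifies and the one-byte change is caught by both hashes.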
Analyze Forensic Image:
Click on Add Evidence Item to add evidence from disk, image file or folder.
Now select the source evidence type as Physical Drive, Logical Drive or Image File. We selected Image File and clicked Next.
Select the source path and click Finish.
Now select the Evidence Tree and analyze the virtual disk as a physical disk.
To add a virtual drive image, select the image and click Open, then select the source path and click Finish.
Similarly, to add a raw image, select Add Evidence Item again, choose Image File and click Open.
Click Finish.
The raw image will now be added as a physical drive for analysis.
CONCLUSION:- We successfully created a forensic image, checked the integrity of that image and analyzed the image using FTK Toolkit.
Practical 2
Data Acquisition
We are using Autopsy to solve the case study (image file).
Start Autopsy and Select “Create New Case”.
Enter Case Information.
Enter Case Number and Examiner & click Finish.
The case is created and displayed.
Add Data Source details. Select the data source type as Disk Image. Browse to and select the 'WinXp3.iso' file as the image file, then click Next.
Click Next.
Data Source will be added. Click Finish.
You can see the data source added to our case.
To generate reports, click Generate Report & select a report module. We selected HTML.
Select which data to report on; we selected All Results.
The report will be generated.
The generated report can be displayed as follows:
CONCLUSION:- We successfully analyzed the forensic image file using Autopsy.
Practical 3
Analyze the memory dump of a running computer system.
Extract volatile data, such as open processes, network connections, and registry information.
Practical:
Open Processes
Go to Sysinternals Suite > ProcMon, click it and select Open As Administrator.
Network Connections
Go to Sysinternals Suite > TCPView.
Registry Information
Click the Search Bar on the Taskbar, type Regedit and click Registry Editor.
View the desired registry keys to be analyzed.
Practical 4
Aim :- Capturing and analyzing network packets using Wireshark (Fundamentals):
- Identify the live network
- Capture Packets
- Analyze the captured packets
Step 1:-
Start Wireshark and double-click Local Area Connection.
Step 2:-
To know the meanings of the colours, go to View > Colouring Rules.
Step 3:-
To analyse a captured packet, select any packet and choose Apply as Filter > Selected.
Step 4:- Now here are some filter commands:-
Source Packets :- Displays packets coming from a specific IP address. E.g. ip.src == 104.102.246.37
Destination Packets :- Displays packets having a specific IP address as destination. E.g. ip.dst == 225.0.0.252
http Packets :- Displays packets using the HTTP protocol. E.g. http
TCP Packets :- Displays packets using the TCP protocol.
http.request Packets :- Displays packets that are HTTP requests. E.g. http.request.method==POST
TCP and UDP Packets :- To capture TCP & UDP packets on the same port. E.g. for port 80: tcp.port == 80 || udp.port == 80
Packets Containing Keyword :- Displays packets which contain a keyword. E.g. for Google: tcp contains google
http.response Packets :-
It displays packets having number o
AIM: Analyze the packets provided in the lab and solve the questions using Wireshark.
What web server software is used by www.snopes.com?
Analysis – The domain name can be found from the Host header, so we add a Host header column, which shows all the domain names. Select any HTTP request, expand Hypertext Transfer Protocol, right-click the Host header and choose Apply as Column.
Now we can see our host www.snopes.com in the Host column.
Right-click the selected packet and then select Follow TCP Stream.
Now we can see the web server name in the Server header: it is Microsoft IIS 5.0.
About what cell phone problem is the client concerned?
Analysis – The client is talking about a cell phone, so we search for the keyword cell across all packets. We use a regular expression for the search: apply the filter frame matches "(?i)cell".
After applying the filter, we check every HTTP request. In the first HTTP request the keyword cell is in the URL, and it was about a cell phone charging issue.
According to Zillow, what instrument will Ryan learn to play?
Analysis – As in the last challenge, we apply a regular expression filter for the Zillow keyword: frame matches "(?i)zillow".
After applying the filter, we found only one packet with the Zillow keyword.
Select the packet, expand the Hypertext Transfer Protocol tab, right-click it, go to Protocol Preferences and check Allow subdissector to reassemble TCP streams.
Now go to File > Export Objects > HTTP. It will save all objects from the capture.
Click Save All.
After saving all files in a directory, we found an SWF file named Zillow. After opening the Flash file, we saw that Zillow was trying to learn the saxophone.
How many web servers are running Apache?
Analysis – The web server name can be retrieved from the HTTP response header, so we apply the filter http.response and see all HTTP response packets.
Now we set the Server header as a column: select any response packet, right-click the Server header and select Apply as Column.
Now we can see the Server column, where all the server names are shown.
Now we have to check how many Apache packets there are; we can't count every packet manually, so we apply another filter: http.server contains "Apache".
After applying the filter, go to Statistics > Endpoints.
It will show all connections.
Check Limit to display filter; it will then show only the Apache connections. 22 connections are shown, but we exclude 192.168.1.71 because it is the client's IP, not a server IP, so there are actually 21 Apache servers.
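The four questions above all come down to applying a display filter and then reading a column or the Endpoints window. The following added example (written for this page; the packet records are constructed, not taken from the lab capture) reproduces that logic in Python: a `contains` filter, a case-insensitive `matches` filter, and the Endpoints-minus-client count from the last question.

```python
import re

# Constructed packet records modelled on the Wireshark fields used in this
# practical (ip.src, ip.dst, http.host, http.server). Not real capture data.
CLIENT_IP = "192.168.1.71"
PACKETS = [
    {"ip.src": CLIENT_IP, "ip.dst": "10.0.0.1", "http.host": "www.snopes.com"},
    {"ip.src": "10.0.0.1", "ip.dst": CLIENT_IP, "http.server": "Microsoft-IIS/5.0"},
    {"ip.src": CLIENT_IP, "ip.dst": "10.0.0.2", "http.host": "example.net"},
    {"ip.src": "10.0.0.2", "ip.dst": CLIENT_IP, "http.server": "Apache/2.2.3 (CentOS)"},
    {"ip.src": "10.0.0.2", "ip.dst": CLIENT_IP, "http.server": "Apache/2.2.3 (CentOS)"},
    {"ip.src": "10.0.0.3", "ip.dst": CLIENT_IP, "http.server": "Apache"},
    {"ip.src": "10.0.0.4", "ip.dst": CLIENT_IP, "http.server": "nginx/1.18.0"},
]

def field_contains(packets, field, needle):
    """`<field> contains "<needle>"`: a case-sensitive substring test on
    packets that carry the field (a packet without the field never matches)."""
    return [p for p in packets if needle in p.get(field, "")]

def frame_matches(packets, pattern):
    """`frame matches "(?i)<pattern>"` over the textual fields of a record:
    the (?i) flag used in the practical makes the regular expression
    case-insensitive, so "cell" also finds "Cell" and "CELL"."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [p for p in packets if any(rx.search(str(v)) for v in p.values())]

def endpoints(packets):
    """What Statistics > Endpoints lists with 'Limit to display filter' on:
    every IP that is source or destination of a packet passing the filter."""
    return {p["ip.src"] for p in packets} | {p["ip.dst"] for p in packets}

def server_software_for_host(packets, host):
    """Question 1: the Server header of a response coming back from the
    address that the request carrying this Host header was sent to."""
    server_ips = {p["ip.dst"] for p in packets if p.get("http.host") == host}
    for p in packets:
        if p["ip.src"] in server_ips and "http.server" in p:
            return p["http.server"]
    return None

def count_apache_servers(packets, client_ip):
    """Question 4: endpoints of `http.server contains "Apache"` minus the
    client address, which shows up in every response as the destination."""
    apache = field_contains(packets, "http.server", "Apache")
    return len(endpoints(apache) - {client_ip})
```

On the constructed records the count is 2 (10.0.0.2 and 10.0.0.3), which is the same subtraction that turns 22 endpoints into 21 servers in the lab capture.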
CONCLUSION:- We successfully captured and analyzed network packets using Wireshark.
Practical 5
Using Sysinternals tools for Network Tracking and Process Monitoring:
Check Sysinternals tools
=>
Windows Sysinternals tools are utilities to manage, diagnose, troubleshoot, and monitor a Microsoft
Windows environment.
The following are the categories of Sysinternals Tools:
File and Disk Utilities
Networking Utilities
Process Utilities
Security Utilities
System Information Utilities
Miscellaneous Utilities
Monitor Live Processes (Tool: ProcMon)
=>
To Do:
Filter (Process Name or PID or Architecture, etc)
Process Tree
Process Activity Summary
Count Occurrences
Output (ProcMon capture; the screenshot did not extract cleanly, so only the recoverable columns and rows are kept):
Time | Process Name | PID | Operation | Path | Result | Detail
11:09 | chrome.exe | 5236 | CreateFile | C:\Users\...\AppData\Local\Google... | SUCCESS | Desired Access: Read Data/List Directory, Synchronize; Disposition: Open; Options: Directory, Synchronous IO Non-Alert; Attri...
11:09 | chrome.exe | 5236 | QueryDirectory | C:\Users\...\AppData\Local\Google... | SUCCESS | Filter: ...
11:09 | chrome.exe | 5236 | QueryDirectory | C:\Users\...\AppData\Local\Google... | SUCCESS | 0: ..., 1: 000119.ldb, 2: 000140.ldb, 3: 000195.ldb, 4: 000199.log, 5: ...tmp, 6: ...
11:09 | chrome.exe | 5236 | QueryDirectory | C:\Users\...\AppData\Local\Google... | NO MORE FILES |
11:09 | chrome.exe | 5236 | CloseFile | C:\Users\...\AppData\Local\Google... | SUCCESS |
11:09 | chrome.exe | 5236 | CreateFile | C:\Users\...\AppData\Local\Google... | SUCCESS | Desired Access: Read Data/List Directory, Synchronize; Disposition: Open; Options: Directory, Synchronous IO Non-Alert; Attri...
11:09 | chrome.exe | 5236 | QueryDirectory | C:\Users\...\AppData\Local\Google... | SUCCESS |
11:09 | chrome.exe | 5236 | QueryDirectory | C:\Users\...\AppData\Local\Google... | NO MORE FILES |
Count Values Occurrences (dialog output)
Capture RAM (Tool: RAMCapture)
=>
To Do:
Click Capture
Creates a .mem file of the system memory (RAM) utilized.
Capture TCP/UDP packets (Tool: TcpView)
=>
To Do:
Save to .txt file.
Whois
Monitor Hard Disk (Tool: DiskMon)
=>
To Do:
Save to .log file.
Check operations performed in the disk as per time and sectors affected.
Output:
Monitor Virtual Memory (Tool: VMMap)
=>
To Do:
Options – Show Free & Unusable Regions
File-> Select Process e.g. chrome.exe
Save to .mmp file.
Output:
Monitor Cache Memory (Tool: RAMMap)
=>
To Do:
Save to .RMP file.
Output:
CONCLUSION:- We successfully used Sysinternals tools for Network Tracking and Process Monitoring.
Practical 6
Aim :- Recovering And Inspecting Deleted Files Using Access Data FTK.
Step 1:-
Create any demo text file and save it.
Step 2:-
Open Access Data FTK. It will look as below :-
Step 3:-
Click on Evidence Tree, select Logical Drive & click Next.
Step 4:-
Select Source Drive.
Step 5:-
Go to the path where you have stored the file. The file will be displayed in the file list.
Step 6:-
Now go to the folder again and delete the saved file.
Step 7:-
Open Access Data FTK and walk through the path where you have stored the file. The file will be displayed with a cross mark.
Step 8:-
To restore the file, right-click on it and select the Export File option.
Step 9:-
Select the path where the file is to be exported.
Step 10:-
The file will be restored.
CONCLUSION:- We successfully recovered and analyzed deleted data using FTK.
Practical 7
Aim: Steganography Detection
Detect hidden information or files within digital images using steganography analysis tools.
Extract and examine the hidden content.
Create a folder to keep the image and message file, and store the txt file and the image in it:
Open SteganPEG, give a password and browse to the path of the image.
First we are going to add some files to the captured image.
Save the stegged image.
Open the saved image with the assigned password and view the image with the hidden files.
Now we are going to do the stegging process using the Command Prompt and view the image using WinRAR.
Make a zip file of the text file.
Go to the Command Prompt and type the syntax:
:\Users\ROYAL\Desktop\New Folder>copy/b stegprac.jpg + stegpractxt.rar
Then create a shortcut for WinRAR on the desktop.
Then open the image using the shortcut:
Right-click the image > Open with > Choose another app.
Select Choose another app > Choose an app on your PC.
Then select the desktop shortcut created for WinRAR and choose Just Once.
View the extracted file.
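The copy /b step above produces a JPEG with an archive glued on after its End-Of-Image marker, and that trailer is exactly what an examiner looks for when checking an image for appended data. The following added example (written for this page, not part of the practical or of SteganPEG/WinRAR) walks the JPEG marker structure to find where the image really ends and reports any trailing bytes, naming a RAR or ZIP signature when one is present; the sample JPEG bytes in build_sample() are constructed, not a real photo.

```python
import struct

# Real magic values an appended archive leaves after the image data.
ARCHIVE_SIGNATURES = {
    b"Rar!\x1a\x07\x00": "RAR (v4)",
    b"Rar!\x1a\x07\x01\x00": "RAR (v5)",
    b"PK\x03\x04": "ZIP",
}

def jpeg_end_offset(data):
    """Offset just past the EOI marker (FF D9) that ends the JPEG, found by
    walking the marker segments rather than searching the whole file, so an
    FF D9 inside appended data cannot be mistaken for it. None if not JPEG."""
    if data[:2] != b"\xff\xd8":                       # SOI
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                            # EOI
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn / TEM: no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                            # SOS: scan data follows
            # Inside scan data every 0xFF is stuffed (FF 00) or an RSTn
            # marker, so the first FF D9 after it is the genuine EOI.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] == 0xD9:
                    return pos + 2
                pos += 1
            return None
    return None

def trailing_data(data):
    """(trailing bytes, label): label names the archive type recognised at
    the start of the trailer, 'unknown' for other trailing data, None if clean."""
    end = jpeg_end_offset(data)
    if end is None or end >= len(data):
        return b"", None
    tail = data[end:]
    for signature, name in ARCHIVE_SIGNATURES.items():
        if tail.startswith(signature):
            return tail, name
    return tail, "unknown"

def build_sample(appended=b""):
    """Constructed minimal JPEG (SOI, APP0, SOS with a few scan bytes that
    include a stuffed FF 00, EOI) followed by whatever copy /b appended."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + appended
```

A clean sample yields (b"", None); the same sample with a RAR archive appended yields the archive bytes and "RAR (v4)", which is the file a viewer such as WinRAR would open.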
Practical 8
Email Forensics
You first require a .pst file on your computer as evidence.
A .pst file is a backup of your Microsoft Outlook account mails.
To perform recovery of deleted mails from a .pst file, FTK (Forensic Toolkit) is required.
Install Access Data FTK and open it.
Enter details.
Enter the forensic examiner's information.
Refine Case: select Email Emphasis & click Next.
Click Add Evidence and select the evidence file type.
Select the evidence file.
The selected file will be displayed in Access Data FTK.
Click on Email Messages to see the emails. Deleted emails are shown with red cross symbols.
Right-click on a deleted mail and select Launch Associated Program.
Or, to export a deleted mail as an individual file, right-click and select Export File.
Select the path for the file to be exported.
Select any program to view the file; we selected WordPad.
CONCLUSION:- We successfully did Email Forensics using FTK.
Practical 9
Aim:- Examine browser history and session cache files using Browser History Examiner.
You need the .NET Framework and administrative access to the PC.
Open Browser History Examiner.
Go to File --> Capture History, select the Capture history from this computer option and click Next.
Select User Profile, Browser & Data. Also choose a destination for the results and click the Capture button.
A popup will appear asking to load the captured history, as below:-
The history will be loaded in the Browser History Examiner window with different types of data such as cache files, bookmarks, searches, etc.
The following window will appear:
Searches:-
Bookmarks:-
Session Tabs:-
To generate a report of the browser history, go to File → Report. You can choose both the operations, as a PDF file or as an HTML file.
The report will be shown as:-
Browser History using MyActivity
CONCLUSION:- We successfully examined Browser History Session Cache files using
Browser History Examiner.