Ccidf Half Manual

The document outlines multiple experiments focusing on network security and forensic analysis using various tools. Experiment 2 involves installing and configuring firewalls to enhance network security, while Experiment 11 discusses using NetworkMiner for file type detection from network traffic. Additionally, Experiment 8 details the use of Process Monitor for registry analysis and boot time logging, and Experiment 6 covers browser history analysis using Foxton Forensics tools.

Uploaded by boggulakishtaiah

Experiment 2: Installing a Firewall on a Network

1. Objective

The objective of this experiment is to:

● Understand the role of a firewall in network security.
● Learn how to install and configure a firewall to protect a network from unauthorized access.
● Analyze firewall logs for potential cyber threats.

2. Prerequisites

● Basic knowledge of networking concepts (IP addresses, ports, protocols).
● A working computer with administrative privileges.
● Access to a firewall software/hardware solution (e.g., pfSense, Windows Firewall, iptables, Cisco ASA).
● A virtual or physical lab network setup (optional for advanced testing).

3. Equipment and Software Required

● Firewall Software:
o pfSense (Open-source firewall)
o Windows Defender Firewall (Built-in for Windows)
o iptables (Linux-based firewall)
o Cisco ASA (Enterprise-grade firewall, if available)
● Network Devices:
o Router/Switch (for lab setup)
o Two or more computers (attacker and victim machines for
testing)
● Virtualization Software (Optional):
o VMware / VirtualBox (for virtual lab setup)

4. Theory

A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks (e.g., the internet).

Types of Firewalls:

1. Packet-Filtering Firewall – Examines packets and allows/blocks them based on IP/port rules.
2. Stateful Inspection Firewall – Tracks active connections and makes decisions based on context.
3. Proxy Firewall – Acts as an intermediary between users and the internet.
4. Next-Generation Firewall (NGFW) – Includes deep packet inspection (DPI), intrusion prevention (IPS), and application awareness.

5. Procedure

Part A: Installing and Configuring a Firewall

Option 1: Installing pfSense (Open-Source Firewall)

1. Download and Install pfSense:
o Download the ISO from https://www.pfsense.org/download/.
o Install it on a dedicated machine or a virtual machine (VMware/VirtualBox).
2. Initial Setup:
o Boot into pfSense and follow the installation wizard.
o Assign network interfaces (WAN for external, LAN for internal).
o Set up a static IP or DHCP as required.
3. Basic Firewall Rules:
o Access the web interface (https://[LAN_IP]).
o Navigate to Firewall > Rules.
o Create rules to:
▪ Block incoming ICMP (ping) requests.
▪ Allow HTTP/HTTPS traffic.
▪ Deny traffic from specific IP ranges.

Option 2: Configuring Windows Defender Firewall

1. Open Windows Defender Firewall:
o Go to Control Panel > System and Security > Windows Defender Firewall.
2. Enable/Disable Firewall:
o Click Turn Windows Defender Firewall on or off.
o Enable for both private and public networks.
3. Add Inbound/Outbound Rules:
o Go to Advanced Settings > Inbound Rules.
o Click New Rule and block/allow specific ports (e.g., block port 22 for SSH).

Part B: Testing Firewall Security

1. Perform a Port Scan (Using Nmap or Zenmap):
o From an external machine, run:
nmap -sS <Target_IP>
o Check if blocked ports (e.g., 22, 3389) are filtered.
2. Attempt Unauthorized Access:
o Try accessing a blocked service (e.g., SSH, RDP).
o Verify that the firewall denies the connection.
3. Analyze Firewall Logs:
o In pfSense: Status > System Logs > Firewall.
o In Windows: Event Viewer > Windows Logs > Security.
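The last step of Part B, reading the firewall log, is where the test cases of the Observations and Results table are actually confirmed, and it is also where a scan like the one run in step 1 leaves its trace. The following is an added example, not part of this manual and not code from pfSense or iptables: a Python script that parses log lines in the key=value layout an iptables LOG rule writes to the kernel log, confirms that ICMP and port 22 were dropped, and flags any source whose dropped packets touch many distinct ports. The sample lines, the "FW-DROP:" log prefix, the hosts and the ports are all constructed. pfSense writes its filter log in a different (CSV-like) layout, so the parser would need adapting for that.

```python
"""Summarise dropped packets from firewall log lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample: a LOG rule with prefix "FW-DROP:" fired for these
# packets; the last line is an unrelated syslog entry the parser must skip.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:01:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Mar  3 10:01:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Mar  3 10:01:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=445
Mar  3 10:01:06 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=3389
Mar  3 10:01:06 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=8080
Mar  3 10:02:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=22
Mar  3 10:02:11 fw sshd[812]: Accepted publickey for admin from 192.0.2.20
"""

_PREFIX = re.compile(r"FW-DROP:\s+(.*)$")


def parse_line(line):
    """Return the key=value fields of one FW-DROP line, or None for any other line."""
    m = _PREFIX.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group(1).split():
        key, sep, value = token.partition("=")
        if sep:                      # "OUT=" becomes OUT -> "" (no output interface)
            fields[key] = value
    fields["timestamp"] = line[:15]  # syslog "Mon dd hh:mm:ss" prefix
    return fields


def parse_log(text):
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def drops_per_source(events):
    """How many packets were dropped from each source address."""
    return Counter(e["SRC"] for e in events)


def distinct_ports_per_source(events):
    """Set of TCP/UDP destination ports each source was dropped on."""
    ports = defaultdict(set)
    for e in events:
        if e.get("PROTO") in ("TCP", "UDP") and "DPT" in e:
            ports[e["SRC"]].add(int(e["DPT"]))
    return ports


def suspected_scanners(events, min_ports=5):
    """Sources whose drops touch at least min_ports distinct ports: a probe pattern
    worth following up, as opposed to a single mistyped connection attempt."""
    return sorted(src for src, p in distinct_ports_per_source(events).items()
                  if len(p) >= min_ports)


def verify_expected_blocks(events):
    """Map the lab's test cases onto the log: were ICMP and SSH (22) actually dropped?"""
    return {
        "icmp_dropped": any(e.get("PROTO") == "ICMP" for e in events),
        "ssh_dropped": any(e.get("PROTO") == "TCP" and e.get("DPT") == "22" for e in events),
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("drops per source:", dict(drops_per_source(evts)))
    print("suspected scanners:", suspected_scanners(evts))
    print("test cases:", verify_expected_blocks(evts))
```

The threshold in suspected_scanners is deliberately a parameter: on a busy WAN interface a handful of stray drops from one host is normal background noise, so tune it against a day of your own logs before treating the output as an alert.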

6. Observations and Results

Test Case              | Expected Result | Observed Result
-----------------------|-----------------|----------------
Ping Request (ICMP)    | Blocked         |
HTTP Traffic (Port 80) | Allowed         |
SSH Access (Port 22)   | Blocked         |

7. Precautions

● Ensure a backup before modifying firewall rules.
● Do not lock yourself out by blocking all administrative access.
● Test rules in a controlled lab environment before applying them in production.

8. Conclusion

This experiment demonstrated the installation and configuration of a firewall to enhance network security. By analyzing firewall logs and testing rule effectiveness, we learned how firewalls mitigate cyber threats.

Experiment 11:
Aim: File type detection using NetworkMiner.

Tools: NetworkMiner.

NetworkMiner is a popular network forensic analysis tool used for analyzing network traffic and extracting information from captured packets. It is primarily designed to assist in the analysis of PCAP files, which contain recorded network traffic data.

Key features and capabilities of NetworkMiner:

1. Packet Capture: NetworkMiner can capture network traffic in real time or analyze existing PCAP files. It supports various capture methods like network interface sniffing, pcap files, or even log files.
2. Network Traffic Analysis: It parses captured packets and displays detailed information about each packet, such as source and destination IP addresses, ports, protocols, and packet content. This analysis helps identify the network protocols in use and detect any anomalies or suspicious activities.
3. File Extraction: NetworkMiner has the ability to extract files transferred over the network. It can reconstruct and save various file types, including images, documents, audio, video, and other data files. This feature is especially useful in digital forensics investigations.
4. Metadata Extraction: It can extract metadata from network traffic, including information like URLs, email addresses, hostnames, user agents, and more. This can be helpful in understanding communication patterns and identifying potential threats or malicious activities.
5. DNS Analysis: NetworkMiner provides DNS analysis capabilities, allowing you to view DNS queries and responses. It can also perform reverse DNS lookups to map IP addresses to hostnames.
6. Geolocation: The tool can determine the geographical location of IP addresses and display them on a world map, providing insights into the geographical distribution of network traffic.
7. Protocol Identification: NetworkMiner can automatically identify protocols used

Procedure:

Step-by-step procedure for detecting file types using NetworkMiner:

1. Download and Install NetworkMiner: Visit the official NetworkMiner website (www.netresec.com/?page=NetworkMiner) and download the latest version of the tool. Follow the installation instructions provided to install NetworkMiner on your computer.
2. Capture or Open PCAP File: Launch NetworkMiner and either capture network traffic in real time using a network interface or open an existing PCAP file containing captured network traffic. To open a PCAP file, click on "File" in the menu bar and select "Open PCAP."
3. Analyze Network Traffic: Once the network traffic is loaded, NetworkMiner will automatically start analyzing the packets. It will display various details about the packets, including source and destination IP addresses, protocols, ports, and more.
4. Locate Files of Interest: Look for packets that indicate file transfers or downloads. These packets may contain file-related information such as filenames, MIME types, or content types. You can typically find this information in the "Info" or "Protocol" column of the packet list.
5. Extract Files: To extract files from the captured network traffic, select the packets that correspond to the desired file transfer or download. Right-click on the selected packets and choose "Export Selected Objects." NetworkMiner will prompt you to specify a destination folder to save the extracted files.
6. Identify File Types: Once the files are extracted, you can determine their types by examining their file extensions or by using additional tools like the file command-line utility or file signature analysis. The file extensions can often give you a good indication of the file types (e.g., .pdf for PDF files, .jpg for JPEG images, etc.).
7. Analyze Extracted Files: Open and examine the extracted files using appropriate software or tools relevant to their file types. For example, open image files with an image viewer, documents with the respective applications (e.g., Microsoft Word for .docx files), etc. This step allows you to further investigate the content and metadata of the extracted files.

By following these steps, you can use NetworkMiner to detect and extract different file types from captured network traffic, aiding in network forensic analysis and investigation.
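Step 6 names file signature analysis as the cross-check on extensions, and that check matters most in a forensic context: a file served as invoice.pdf whose first bytes are an executable header is exactly what an extension-only look would miss. The following is an added example, not code from this manual or from NetworkMiner: a Python script that reads the leading bytes of every file in an export folder, matches them against a small table of well-known magic numbers, and reports files whose extension disagrees with their signature. It creates a constructed folder of sample files (names and contents invented) so it runs offline; point scan_export_folder at the folder NetworkMiner exported to on a real case.

```python
"""Identify extracted files by their magic bytes, not their extension (added example)."""
import os
import tempfile
from pathlib import Path

# (signature, type label); every signature here sits at offset 0
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),        # docx/xlsx/pptx/jar are ZIP containers too
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),                # Windows PE executables, DLLs, drivers
]

# Extensions that legitimately carry each signature; labels absent here are not checked
EXPECTED_EXTENSIONS = {
    "pdf": {".pdf"}, "jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "gif": {".gif"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"}, "rar": {".rar"},
    "gzip": {".gz", ".tgz"}, "exe": {".exe", ".dll", ".sys", ".scr"},
}


def identify_bytes(head):
    """Type label for the leading bytes of a file, or 'unknown'."""
    for sig, label in SIGNATURES:
        if head.startswith(sig):
            return label
    return "unknown"


def identify_file(path):
    with open(path, "rb") as fh:
        return identify_bytes(fh.read(16))   # 16 bytes cover every signature above


def extension_mismatch(path, label):
    """True when the file carries a known signature but an extension that does not fit it."""
    expected = EXPECTED_EXTENSIONS.get(label)
    return expected is not None and Path(path).suffix.lower() not in expected


def scan_export_folder(folder):
    """(name, detected type, mismatch?) for every regular file in the folder."""
    results = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            label = identify_file(path)
            results.append((name, label, extension_mismatch(path, label)))
    return results


def build_sample_folder():
    """Constructed stand-in for a NetworkMiner export folder (contents are invented)."""
    folder = tempfile.mkdtemp(prefix="networkminer_export_")
    samples = {
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
        "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00",   # PE header behind a .pdf name
        "notes.txt": b"meeting notes, nothing binary here\n",
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return folder


if __name__ == "__main__":
    for name, label, mismatch in scan_export_folder(build_sample_folder()):
        flag = "  <-- extension does not match signature" if mismatch else ""
        print(f"{name:14} {label}{flag}")
```

The table is deliberately short; for anything beyond a classroom export, run the file utility or a libmagic binding alongside it, since many formats (plain text, scripts, some Office variants) have no fixed leading bytes and will show up here as "unknown".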

Experiment 8:
Aim: To perform registry analysis and boot time logging using the Process Monitor tool.

Tool: Process Monitor.
Procmon, short for Process Monitor, is a powerful Windows utility developed by Microsoft Sysinternals. It allows users to monitor and capture real-time file system, registry, and process/thread activity. Here are some key points about Procmon. Procmon captures a vast array of file system activity, including file opens, closes, reads, writes, and deletions. This functionality covers roughly 80% of the typical monitoring needs, as file system operations are central to many system processes and applications. Procmon also monitors registry operations, such as key and value creations, deletions, and modifications. While not as frequently accessed as the file system, the registry remains critical for system configuration and application settings, covering about 15% of monitoring requirements. Procmon tracks process and thread creations and terminations, along with associated activities like module loading and unloading. This aspect, though less common, is vital for understanding system behaviour and diagnosing issues, addressing the remaining 5% of monitoring needs:

1. Real-Time Monitoring: Procmon captures events as they occur in real time, providing a live feed of system activity.
2. File System Activity: It logs all file system activity, including file open/close operations, reads/writes, and file creation/deletion.
3. Registry Activity: Procmon monitors registry operations, such as key and value creation, deletion, modification, and registry key access.
4. Process and Thread Activity: It tracks process and thread creations and terminations, along with their associated activities.
5. Filtering and Highlighting: Users can apply filters to focus on specific types of activity or processes. Additionally, highlighting can be used to visually differentiate between different types of events.
6. Comprehensive Logging: Procmon logs a wide range of system events, providing detailed information such as process ID, operation type, result, and timestamp.
7. Exporting Data: Captured data can be exported in various formats, including CSV, XML, and TXT, for further analysis or sharing.
8. Troubleshooting Tool: Procmon is commonly used for troubleshooting application compatibility issues, diagnosing system performance problems, and investigating malware activity.
9. User-Friendly Interface: Despite its powerful capabilities, Procmon features a relatively user-friendly interface, making it accessible to both novice and experienced users.
10. Integration with Other Sysinternals Utilities: Procmon can be used in conjunction with other Sysinternals utilities, such as Process Explorer and Autoruns, to provide comprehensive system monitoring and troubleshooting capabilities.

Overall, Procmon is an invaluable tool for system administrators, software developers, and power users alike, offering deep insight into system activity and facilitating the diagnosis and resolution of a wide range of system-related issues.
Steps to perform registry analysis and get boot time logging using the Process Monitor tool.
Here's a step-by-step guide to using Procmon:
1. Download and Install Procmon:
- Visit the Microsoft Sysinternals website to download the latest version of Procmon.
- Once downloaded, run the installer and follow the on-screen instructions to install Procmon on your system.
2. Launch Procmon:
- After installation, launch Procmon from the Start menu or by double-clicking the executable file.
3. Start Capturing Events:
- Upon launching Procmon, it immediately starts capturing events by default.
- You can pause capturing by clicking on the magnifying glass icon in the toolbar or by pressing Ctrl+E. Click again or press Ctrl+E to resume capturing.
4. Configure Filters (Optional):
- To filter captured events, click on the filter icon (funnel) in the toolbar or press Ctrl+L to open the Filter dialog.
- Here you can set filters based on process name, operation, result, path, and more to focus on specific types of events.
- Click "Add" to add a filter condition and "OK" to apply the filters.
5. Customize Columns (Optional):
- You can customize the columns displayed in the event list to include additional information by right-clicking on any column header and selecting "Select Columns."
- Choose the columns you want to display and click "OK" to apply the changes.
6. Interact with Captured Events:
- As events are captured, they are displayed in the main Procmon window.
- You can sort events by clicking on the column headers.
- Double-clicking on an event opens a detailed Properties window, providing additional information about the selected event.
7. Save Captured Data (Optional):
- To save the captured data, go to File > Save or press Ctrl+S.
- Choose the desired format (e.g., CSV, XML) and specify the file name and location to save the data.
8. Stop Capturing Events:
- When you're finished monitoring, you can stop capturing events by clicking on the magnifying glass icon in the toolbar or by pressing Ctrl+E.
9. Exit Procmon:
- To exit Procmon, go to File > Exit or simply close the Procmon window.
By following these steps, you can effectively use Procmon to monitor and analyze system activity on your Windows system.
Once you have saved the Process Monitor log file, you can open it in a text editor or a spreadsheet program to view the details of the registry changes that occurred during the boot process. This information can be helpful for troubleshooting problems with your computer's startup process.
By analyzing the Process Monitor log file, you can gain valuable insights into the behavior of your computer's startup process. This information can be helpful for troubleshooting problems and improving the performance of your computer.
Process Monitor is a powerful tool that can be used for a variety of purposes, including registry analysis and boot time logging. By following the steps above, you can learn how to use Process Monitor to troubleshoot problems with your computer's startup process and improve its performance.

Output:-

Experiment 6:
Aim: To perform browser history analysis and extract downloaded content, history, saved logins, searches, websites visited, etc. using the Foxton Forensics tools and the LastActivityView tool from NirSoft.

Tools used: Browser History Viewer and Browser History Capturer are free tools developed by Foxton Forensics that allow the extraction of various types of information from web browsers. They can be used to extract data from the Firefox, Chrome, and Edge browsers, including browsing history, downloads, saved logins, cookies, and more. The Browser History Capturer tool captures the browser data and keeps it in one folder on the desktop; the Browser History Viewer tool is then used to view all the data captured by Browser History Capturer. LastActivityView is from NirSoft; you can download it as well, and both have a similar kind of operation.

Procedure: Here are the steps on how to perform browser history analysis and extract downloaded content, history, saved logins, searches, websites visited, etc. using Browser History Viewer:

Download Browser History Capturer and Browser History Viewer from the download page of www.foxtonforensics.com by giving your email id. You will get a download link in your inbox.

1. Open Browser History Capturer. You will get a screen like the one in Fig. 1.
2. Tick the options shown in Fig. 2 (admin, chrome, history). Create one folder on the desktop (C: drive) of your system and name it xyz. I have created JYO in the Destination text box; you can create your own name, like xyz, and use it in the Destination text box. Once you have entered the destination path of the created folder, click on the Capture button. It will take some time. All details of the browser will be in the capture folder for further forensics.
3. Now your xyz folder on the desktop contains all the browser data.
4. Click on the second tool, Browser History Viewer, now. You will get a window like the one in Fig. 3. Select the radio button (Load history) as shown and enter the folder path you gave in the previous tool. You can also set dates. Click on the Load button after you have given the details as in the screen and wait for some time.
5. In Browser History Viewer, you will see a list of all the websites that the user has visited.
6. You can filter the list of websites by date, time, or keyword.
7. To view more information about a website, click on the website name.
8. You will see a list of all the information that the browser has stored about the website, including the website address, the date and time that the website was visited, the number of times the website was visited, and the amount of time that was spent on the website.
9. You can also view the downloaded content, history, saved logins, searches, and websites visited for a specific website.
10. To do this, click on the "Downloaded Content" tab, the "History" tab, the "Saved Logins" tab, the "Searches" tab, or the "Websites Visited" tab.
11. You will see a list of all the information that the browser has stored for the selected website as follows.
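Browser History Viewer does its work by reading the browser's own databases; knowing what sits underneath the GUI helps when the tool is unavailable or when a result needs to be verified by hand. The following is an added example, not code from this manual or from the Foxton tools: Python that queries a Chrome/Edge History SQLite database's urls and visits tables, converts their WebKit timestamps (microseconds since 1601-01-01 UTC, not Unix time) to readable dates, and provides the date-window and keyword filtering of steps 6 to 8. It builds a constructed in-memory copy of the two tables with a subset of the real columns, so the URLs and times are invented; on a real system, query a copy of the profile's History file rather than the live one, which the running browser keeps locked and which you want left untouched as evidence.

```python
"""Query a Chrome/Edge History database and decode its timestamps (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores history times as microseconds since the WebKit epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(micros):
    return WEBKIT_EPOCH + timedelta(microseconds=micros)


def datetime_to_webkit(dt):
    """Inverse conversion; dt must be timezone-aware."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed in-memory stand-in for a History file: the 'urls' and 'visits'
    tables with a subset of Chrome's real columns, filled with invented rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
    """)
    t = lambda *a: datetime_to_webkit(datetime(*a, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.org/", "Example Domain", 3, 1, t(2024, 3, 1, 9, 30), 0),
        (2, "https://www.netresec.com/?page=NetworkMiner", "NetworkMiner", 1, 0, t(2024, 3, 1, 10, 5), 0),
        (3, "https://intranet.example/login", "Sign in", 2, 2, t(2024, 2, 28, 17, 45), 0),
    ])
    # transition is kept only for schema shape; 0 is a placeholder, not a real value
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, t(2024, 2, 27, 8, 0), 0),
        (2, 3, t(2024, 2, 28, 17, 40), 0),
        (3, 3, t(2024, 2, 28, 17, 45), 0),
        (4, 1, t(2024, 3, 1, 9, 0), 0),
        (5, 1, t(2024, 3, 1, 9, 30), 0),
        (6, 2, t(2024, 3, 1, 10, 5), 0),
    ])
    return conn


def history_report(conn, since=None, until=None):
    """Websites visited, most recent first, with visit counts; optional UTC window."""
    lo = datetime_to_webkit(since) if since else 0
    hi = datetime_to_webkit(until) if until else 2 ** 62
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE last_visit_time BETWEEN ? AND ? ORDER BY last_visit_time DESC", (lo, hi))
    return [(url, title, count, webkit_to_datetime(ts).isoformat())
            for url, title, count, ts in rows]


def search_history(conn, keyword):
    """URLs whose address or title contains the keyword (case-insensitive)."""
    pattern = f"%{keyword.lower()}%"
    rows = conn.execute("SELECT url FROM urls WHERE lower(url) LIKE ? OR lower(title) LIKE ?",
                        (pattern, pattern))
    return [r[0] for r in rows]


def visits_for(conn, url):
    """Every recorded visit time for one URL, oldest first."""
    rows = conn.execute(
        "SELECT v.visit_time FROM visits v JOIN urls u ON v.url = u.id "
        "WHERE u.url = ? ORDER BY v.visit_time", (url,))
    return [webkit_to_datetime(r[0]).isoformat() for r in rows]


if __name__ == "__main__":
    db = build_sample_history()
    for row in history_report(db):
        print(row)
    print(visits_for(db, "https://example.org/"))
```

To run the same queries on real evidence, replace build_sample_history() with sqlite3.connect("file:/path/to/copy/of/History?mode=ro", uri=True); Firefox keeps its history in places.sqlite with a different schema and Unix microsecond timestamps, so it needs its own queries.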

Experiment 10:
Aim: Perform data analysis of the history of opened files and folders, and view folder actions, using LastActivityView.

About the tool:
LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the machine. Events include running .exe files, any open/save dialog boxes, opening a file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more.
You can easily export this information into a csv/tab-delimited/xml/html file or copy it to the clipboard and then paste it into Excel or other software.
Procedure:
Step 1: Download and Install LastActivityView
1. Go to the [LastActivityView download page](https://www.nirsoft.net/utils/computer_activity_view.html).
2. Download the LastActivityView utility.
3. Run the installer and follow the prompts to install the tool on your computer.
Step 2: Run LastActivityView
1. Locate the LastActivityView executable in your installed directory.
2. Double-click the executable to run the tool.
Step 3: Scan for Activity
1. Once the tool is running, it will automatically scan your computer for various types of activity logs.
2. This process may take a few seconds to complete.
Step 4: View Activity Log
1. After the scan is complete, the tool will display a list of all the activity logs it found.
2. You can view the details of each log entry by selecting it and clicking on the "Details" button.
Step 5: Export or Copy Activity Log
1. To save the activity log for later reference, you can export it to a file in various formats (CSV, tab-delimited, XML, HTML).
- To export, select the entries you want to save and press `Ctrl+S` to save them in the desired format.
- Alternatively, you can copy the selected entries to the clipboard (`Ctrl+C`) and then paste them into a spreadsheet or other software.
Step 6: Optional: Delete Activity Log Entries
1. If you want to delete specific activity log entries, you can do so manually.
2. However, be aware that deleting certain entries may cause problems with the normal functioning of your Windows operating system.
Step 7: Manage Language
1. If you need to change the language of LastActivityView, you can download the appropriate language zip file.
2. Extract the `lastactivityview_lng.ini` file from the zip and place it in the same folder where you installed LastActivityView.

Experiment 7:
Aim: Mobile forensic analysis using DroidKit to extract call logs, contacts and SMS.
Tool: DroidKit (open source). DroidKit emerges as a comprehensive toolkit designed to empower Android users with the tools and functionalities they need to manage, recover, and optimize their devices effectively. From data recovery to system repair, device unlocking to battery optimization, DroidKit encompasses a diverse array of features aimed at addressing various user needs and challenges. By offering a seamless user experience, an intuitive interface, and a robust functionality suite, DroidKit stands out as a versatile solution tailored to cater to the evolving demands of Android users worldwide. Whether preserving precious memories, restoring device functionality, or enhancing security and performance, DroidKit remains a reliable companion for Android device management, reaffirming its position as a go-to toolkit for optimizing the Android user experience.
Procedure: DroidKit is a comprehensive mobile forensic tool developed by imyfone. It provides various features and capabilities for Android device data extraction, analysis, and recovery. Here's a general overview of the mobile forensics process using DroidKit:
1. Install DroidKit: Download and install DroidKit on your computer. Ensure that you have the necessary system requirements and permissions to run the software.
2. Connect Android Device: Connect the Android device you want to perform forensics on to your computer using a USB cable. Make sure USB debugging is enabled on the device. DroidKit should recognize the connected device.
3. Device Recognition and Unlock: DroidKit will identify and recognize the connected Android device. If the device is locked with a passcode or pattern, DroidKit provides options to bypass the lock screen using methods like ADB or root access (if available and applicable).
4. Data Extraction: DroidKit offers various extraction methods to acquire data from the Android device. It can perform full backups, selective backups of specific data categories (e.g., contacts, messages, call logs, photos, etc.), and even deep scans for deleted data.
5. Data Analysis: Once the data extraction is complete, DroidKit provides an interface to analyze the extracted data. It allows you to view and explore different types of data, such as messages, contacts, call logs, photos, videos, app data, and more. You can examine the content, metadata, timestamps, and other relevant information.
6. Recover Deleted Data: If you're specifically interested in recovering deleted data, DroidKit offers tools and techniques to scan for and recover deleted files, messages, contacts, or other types of data. It can help in reconstructing deleted content and metadata for further analysis.
7. Report Generation: DroidKit enables you to generate comprehensive reports based on the analyzed data. These reports can include details of extracted data, recovered files, timestamps, locations, and other relevant information. Reports can be exported in various formats like PDF, HTML, or CSV for further documentation and presentation.
It's important to note that mobile forensics requires proper authorization and adherence to legal and ethical guidelines. Always ensure that you have the necessary permissions and legal basis to perform forensic analysis on mobile devices.
Output:
