Digital and Mobile Forensics Laboratory - Experiment 1

Uploaded by Arsath Ahamed

CCS343 - Digital and Mobile Forensics

Laboratory Experiments

1. Installation of Sleuth Kit on Linux. List all data blocks. Analyze allocated as well as unallocated blocks of a disk image.

2. Data extraction from call logs using Sleuth Kit.

3. Data extraction from SMS and contacts using Sleuth Kit.

4. Install Mobile Verification Toolkit or MVT and decrypt encrypted iOS backups.

5. Process and parse records from the iOS system.

6. Extract installed applications from Android devices.

7. Extract diagnostic information from Android devices through the adb protocol.

8. Generate a unified chronological timeline of extracted records.

P. Amal Prasad, CSE, UCE BIT Campus


Experiment 1

Installation of Sleuth Kit on Linux. List all data blocks. Analyze allocated as well as unallocated blocks of a disk image.

Procedure & Commands:

Pre-Requisites:
1.1 Sleuthkit
1.2 Disk Image File (Raw file (.dd) format recommended)

We need a disk image file on which we are going to perform our experiment, i.e. we are going to use the disk image to analyse the disk and the contents inside to gather information about it.

● Use a pendrive (physical disk) to create a disk image so that we have an image of a physical disk.
● Using the image of a partition of the disk in the computer itself may result in creation of a logical disk image which may not help us with the experiment. (Commands like mmls may not produce proper output for us to understand.)
● So, we are going to investigate a pendrive (a physical disk) using its disk image.

Create a disk image:


a) Insert a pendrive. (A pendrive of 4GB/8GB is preferred as the disk image creation time depends on the size of the pendrive)

b) Use the command lsblk to list all the disk blocks and to know the block name of the pendrive.

Here, sdb is the block of my pendrive.


c) Now run the command:
$ sudo dd if=/dev/sdb of=diskimage.dd bs=4M
(- Replace /dev/sdb with your pendrive's block name. It could be the same in most of the cases.
- diskimage.dd is the image file that will be created.)

This will create the disk image for the pendrive. (This may take a while.)
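The imaging step above, as an added example that is not part of the lab manual: a bash script that runs the same dd copy and then checks the image against the source by length and SHA-256 hash, writing the hash beside the image so it can be re-checked later. The function names (sha256_of, verify_image, image_and_verify) are this example's own; it assumes GNU coreutils (dd, sha256sum, wc) and, for a real pendrive, that it is run with enough privileges to read the block device. The stand-alone demo at the end uses a constructed 1 MB file in place of a device so it runs without hardware or root.

```bash
#!/bin/bash
# Added example (not from the lab manual): image a source with the manual's dd
# invocation, then show the copy is faithful by comparing length and SHA-256.
# Assumes GNU coreutils (dd, sha256sum, wc). Function names are this example's own.

# SHA-256 hex digest of a file or block device.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 only if source and image have the same length and the same hash.
# (This reads the source a second time; for a large device that is the cost
# of the check.)
verify_image() {
    src="$1"
    img="$2"
    src_len=$(wc -c < "$src" | tr -d ' ')
    img_len=$(wc -c < "$img" | tr -d ' ')
    if [ "$src_len" -ne "$img_len" ]; then
        echo "length mismatch: source $src_len bytes, image $img_len bytes" >&2
        return 1
    fi
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source $src_hash, image $img_hash" >&2
        return 1
    fi
    echo "verified: $img_hash"
}

# Copy source to image exactly as step c) does (bs=4M), verify the copy, and
# record the image hash in <image>.sha256.
image_and_verify() {
    src="$1"
    img="$2"
    dd if="$src" of="$img" bs=4M 2>/dev/null || return 1
    verify_image "$src" "$img" || return 1
    sha256sum "$img" > "$img.sha256"
}

# Stand-alone demo on a constructed 1 MB "device" file (not a real pendrive).
demo=$(mktemp -d)
head -c 1048576 /dev/urandom > "$demo/fake_device.bin"
image_and_verify "$demo/fake_device.bin" "$demo/diskimage.dd" && cat "$demo/diskimage.dd.sha256"
rm -rf "$demo"
```

Run it as image_and_verify /dev/sdb diskimage.dd (with sudo) to image the pendrive. Note that dd as written stops at the first unreadable sector; if an image has to be taken with conv=noerror,sync, the bad sectors are zero-filled and the image hash will no longer match the source hash, so in that case the hash of the image itself is what gets recorded and re-checked.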

Now, we are ready to proceed with our experiment.

1. Get image information - img_stat

2. List all data blocks (Allocated and Unallocated) - mmls

Here, Start and End denote the offsets.

For example, the Empty partition starts from the offset 64 and ends at 7660227. The next partition starts from 7660228.


3. Analyzing an allocated partition - fsstat and fls
We are going to analyze the partition named "Empty". You can choose any partition.
● File system information of the partition

● Looking into the file system (files and directories inside it)

Here, 64 denotes the starting offset of the partition "Empty".


● Looking into a directory inside the partition.
I am going to look inside the directory named "manjaro". We have to mention the inode of the directory for that, which is 6.

Here, x86_64 is a directory which is present inside the "manjaro" folder.

● Expand all the directories inside the partition.

All the directories and their subdirectories and files inside the partition are shown.


4. Analyzing an unallocated partition
Perform the same operations for an unallocated partition.

Here, I have used the offset starting point 7668420, which is of an unallocated partition.

(Refer to the output of the mmls command above.)

5. Recover the files in the image file.

This will recover all the files in the disk image to your computer.

Here, test_recover is just the name of the folder in which the recovered files will be stored. You can give any name.

Check for the recovered files using the ls command.

Thus, we have all the files in the disk recovered.
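Steps 2 to 5 above all turn on reading the mmls table correctly and passing each entry's Start value to the analysis tools with -o. The following is an added example, written for this page and not taken from the lab manual, that parses an mmls table, separates allocated partitions from unallocated extents, converts sector offsets to bytes, and prints the Sleuth Kit command line for each entry. The mmls text is constructed: the offsets 64, 7660227, 7660228 and 7668420 are the ones quoted in this experiment, laid out on a 4GB-sized device, while the partition types and the final extent are invented for the sample. The manual does not name the tool behind step 5; tsk_recover is the Sleuth Kit utility for that job, and the -a flag is included because without it tsk_recover only recovers unallocated (deleted) files. For the unallocated extents, which contain no file system for fsstat or fls to read, the example emits mmcat to dump the raw sectors instead. The function names (mmls_partitions, sector_bytes, tsk_commands) are this example's own.

```bash
#!/bin/bash
# Added example (not from the lab manual): turn an mmls table into per-entry
# sector offsets and the Sleuth Kit commands for steps 2-5. Function names are
# this example's own.

# Constructed mmls output. Offsets 64, 7660227, 7660228 and 7668420 are the
# ones quoted in the experiment; partition types and the last extent are made up.
SAMPLE_MMLS=$(cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000063   0000000064   Unallocated
002:  000:000   0000000064   0007660227   0007660164   Linux (0x83)
003:  000:001   0007660228   0007668419   0000008192   Linux (0x83)
004:  -------   0007668420   0007831551   0000163132   Unallocated
EOF
)

# Read mmls output on stdin and print one line per table entry:
#   index start end length kind description
# kind is meta, alloc or unalloc. Leading zeros are dropped so the numbers can
# be passed straight to -o.
mmls_partitions() {
    awk '$1 ~ /^[0-9]+:$/ {
        idx = $1; sub(/:/, "", idx)
        kind = ($2 == "Meta") ? "meta" : (($6 == "Unallocated") ? "unalloc" : "alloc")
        desc = $6
        for (i = 7; i <= NF; i++) desc = desc " " $i
        printf "%d %d %d %d %s %s\n", idx, $3, $4, $5, kind, desc
    }'
}

# mmls offsets are sector counts ("Units are in 512-byte sectors"); convert to
# a byte offset, e.g. for a mount -o offset=... or a hex viewer.
sector_bytes() {
    echo $(( $1 * ${2:-512} ))
}

# Read mmls output on stdin and print the commands for each extent of IMAGE:
# fsstat / fls -r / tsk_recover -a at the partition's sector offset for
# allocated partitions; mmcat to dump unallocated extents for later carving.
tsk_commands() {
    img="$1"
    mmls_partitions | while read -r idx start end len kind desc; do
        case "$kind" in
            alloc)
                echo "# entry $idx: sectors $start-$end ($desc)"
                echo "fsstat -o $start $img"
                echo "fls -r -o $start $img"
                echo "tsk_recover -a -o $start $img recovered_$idx"
                ;;
            unalloc)
                echo "# entry $idx: sectors $start-$end, no file system ($desc)"
                echo "mmcat $img $idx > unalloc_${idx}_${start}.raw"
                ;;
        esac
    done
}

# Stand-alone demo on the constructed table.
printf '%s\n' "$SAMPLE_MMLS" | mmls_partitions
printf '%s\n' "$SAMPLE_MMLS" | tsk_commands diskimage.dd
```

To use it on a real image, pipe the real table in: mmls diskimage.dd | tsk_commands diskimage.dd. The directory listing in step 3 is the same fls call with the directory's inode appended (fls -o 64 diskimage.dd 6). Running fsstat at the offset 7668420 of an unallocated extent, as step 4 does, will report that no file system can be found there, which is why the example dumps such extents with mmcat rather than trying to walk them.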

*******
