IMPLEMENTATION TO GATHER INFORMATION FROM ANY PC’S CONNECTED

TO THE LAN USING WHOIS, PORT SCANNERS, ANGRY IP SCANNER

WHOIS:

Whois is a widely used Internet record listing that contains the details of who owns a domain
name and how to get in touch with them. The contact details can be for either the domain’s
registrar or the web hosting company providing space or storage for that specific website.

Syntax: whois [-v] domainname [whois.server]

Example: whois google.com

To get the full list of valid commands and parameters we may use the command whois --help
Whois can also be used to get the information about specific IP Addresses. In that case we issue
the command as whois <ip address>

Similarly, whois can be used to find out the information about the registered domain by issuing
the command whois <domain name>
NMAP:

Nmap, short for Network Mapper, is a free and open source tool used for vulnerability checking,
port scanning and, of course, network mapping. Uses of nmap are:

1. Find security issues – It warns users against external attackers. Nmap scans the server
and finds out the path that hackers might use to attack their server.
2. Identify open ports– port scanning of target hosts is very easy with the help of Nmap.
3. Detect Vulnerabilities – To detect security vulnerabilities in the network, Nmap is the
best choice.
4. Host discovery – Live hosts in the network can be discovered using Nmap.
5. OS Version Detection – Operating system and version detection are also possible through
this network mapper.
6. Provide crucial information – Nmap also provides additional information such as
devices types, reverse DNS (Domain Name System) names, MAC addresses, and IP
addresses of all active hosts.

There are many advantages that set nmap apart from the other Network scanning tool. To start
with, it is open source and available free of cost. The other advantages are listed below:

1. It can be used for auditing the Network system as it can detect the new servers.
2. It can search subdomain and Domain Name system queries
3. With the help of the Nmap scripting engine (NSE), interaction can be made with the
target host.
4. It can determine the nature of the service that the host is performing, like whether the
host is a mail service or a web server or so on.

Nmap comes preinstalled in Kali Linux. But to use it on windows we have to install it.

NMAP COMMANDS

To scan the entire IP range use the command nmap <IP range>

For example, if we were to scam a range of IP addresses we may do nmap 162.16.121.125-135

To scan a specific port or entire port range we may sue the command nmap -p <numeric value>
<IP>. Performing port scans will provide you with details about port services and states. And not
just that Nmap also provides options to scan popular ports and discover open ports for example:

To run a Host detection scan or Ping scan we may use the command nmap -sP <IP>. A host
detection scan returns which hosts are running in your network. This command only provides the
IP address and MAC address of available hosts but provides no information about ports.

An example of this scan can be seen in the below picture:

To scan the fixed number of most popular ports we use the command nmap –top-ports
<numeric value> <IP address>. Here the top ports option provides us the top 15 commonly
open ports by default. For example:

To detect the services and their versions running on the open ports we use the command nmap –
sV <IP>
We can also combine multiple options to get more informative results like:

 A SYN scan with OS detection(in the picture, -sS stands for SYN scan and –O stands for
OS detection)

 An aggressive scan with service version detection(in the picture, -A stands for aggressive
scan)
NOTE: Aggressive scan is not recommended for doing reconnaissance for legitimate
websites or domains since it sends a lot of requests to the target which may seem like a DoS
attack to network administrators.

ZENMAP

Zenmap is the official Nmap Security Scanner GUI. It is a multiplatform (Linux, Windows, Mac
OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners
to use while providing advanced features for experienced Nmap users. Zenmap is not meant to
replace Nmap, but to make it more useful. Here are some of the features of this program:

 Interactive and graphical results viewing – Zenmap can display Nmap’s normal
output, but you can also arrange its display to show all ports on a host or all hosts running
a particular service. It summarizes details about a single host or a com scan in a
convenient display. You can even use Zenmap to draw a topology map of discovered
networks.
 Comparison – you can use Zenmap to graphically show the differences between two
scans. This can help you to track new hosts or services appearing on their networks, or
existing ones going down.
 Repeatability – you can use Zenmap’s command profiles to run the same scan more than
once.
  Ease of use – Zenmap is easy to use and is especially useful for people without much
experience in Linux shell.

Zenmap, just like nmap, comes preinstalled in Kali Linux.

After running zenmap, we should see this type of GUI:

To run your first scan with ZENMAP and visualize the scan output follow these steps in order:

1. Target: here is where you put your target IP or IP range, e.g., 192.168.130.129 as a
single target or 192.168.130.120-140 as a multi-target.
2. Profile: this field presents us with a drop-down menu where we can select pre-
customized NMAP commands for various scans such as Quick scan, Regular scan,
intense scan, etc.
3. Scan: triggers the scanning process for the target IP(s). Depending on the type of scan
you use or how many targets, the scanning process might take a while though it is usually
fast.
4. Command: This field is showing you the NMAP command for the scan you performed
above. You can further add NMAP command flags/options in this field to find additional
details on a target machine- if needed. The below capture shows the NMAP command
and flags used for the Intense scan.
5. Host/Services: This section will list the hosts and services discovered during a ZENMAP
scanning session.
 Click on the Hosts button to list all the “alive” discovered hosts. In the capture below
I ran a ZENMAP scan for a range of IPs [192.168.130.120-140] in my network and
discovered three hosts that are alive.

 Click on Services button to list the services discovered as seen in below.

  The Nmap Output tab shows the output for all operations performed during a scan.
This is basically the output you would receive when running an NMAP command in a
Terminal

The Ports / Hosts show the list of open ports and services discovered during a ZENMAP
scanning session. If you scan multiple targets, you can browse through the hosts’ section and
check which ports and services were discovered on the selected target.

The Topology tab is a very cool ZENMAP feature that provides you a visual map of all the
targets discovered during a scan and how they are interconnected. This is probably one of the
features that make ZENMAP such a powerful tool. You can zoom in and out [mouse wheel],
rearrange the nodes [click a node], get target details [right-click a node], and choose layouts,
save the graphic on your local machine – to say the least.
The Hosts Details tab provides an “ergonomic” alternative to the Nmap Output tab. Here the
information is structured in a visual way to help you understand better the scanning results.

To save your Topology as an image on your disk, simply click on the Save Graphics button, give
it a name, choose a location and click Save.

The Scans tab provides a list of all the ZENMAP scans [NMAP commands] you performed
during a session. Here you can Append, Remove or Cancel an ongoing scan – if needed. Please
note that once you close ZENMAP, the Scans list will be cleared.

NETCAT

Netcat functions as a back-end tool that allows for port scan and port listening. In addition, you
can actually transfer files directly through Netcat or use it as a backdoor into other networked
systems.

Netcat or NC is a utility tool that uses TCP and UDP connections to read and write in a network.
It can be used for both attacking and security. It helps us to debug the network along with
investing it. It runs on all operating systems.

Netcat comes preinstalled on Kali Linux.

To start, we may use the command nc –h to see all the options. This command will print a list of
all of the available commands you can use in Netcat. It will come in handy if you run into any
errors while writing a script or are unsure of how to proceed.
To run a basic port scan we may us the command nc -z -v <IP/Domain>. This will run a basic
port scan of the specified website or server. Netcat will return verbose results with lists of ports
and statuses. Keep in mind that you can use an IP address in place of the site domain.

ANGRY IP SCANNER

Angry IP scanner is a very fast IP address and port scanner. It can scan IP addresses in any range
as well as any their ports. It is cross-platform and lightweight. Not requiring any installations, it
can be freely copied and used anywhere. Angry IP scanner simply pings each IP address to check
if it’s alive, then optionally it is resolving its hostname, determines the MAC address, scans
ports, etc. The amount of gathered data about each host can be extended with plug-ins.

It supports Linux, Windows, MAc OSX and other platforms. It has designed to be fast and
simple to use. It has been used by Network administrators on almost all organizations.

Features

o Lightweight and cross-platform.

 o Scans ip addresses in any range.
o Doesn’t require any installation
o Check for ip address if it is alive.
o Resolves hostnames, determines ip addresses and scans ports.
o Multi-threaded support to speed up scanning process.

Download and Install For Windows:

Angry IP Scanner is provided as 32-bit and 64-bit installers for Windows operating systems. 64-
bit is more popular than the 32-bit version.

https://angryip.org/download/#windows

We can download the 64-bit Angry IP Scanner from the following link and start the Angry IP
Scanner file named ipscan-win64-3.5.5.exe.

https://github.com/angryip/ipscan/releases/download/3.5.5/ipscan-win64-3.5.5.exe

After installation the GUI should look something like this:

We can start a simple scan by specifying the IP range values like Start IP address and End IP
address which are 192.168.0.0 and 192.168.0.255 in this example. Change the display type to
‘Display: Alive only’. Then we will click to the ‘Start’ button where the scan will start.
After the scan is completed we will see the following screen where Scan statistics are provided.
Following general information is provided.

o ‘Total time’ about the scan which is “3.81”seconds example.

o ‘IP Range’ is the scanned IP address range.
o ‘Hosts Scanned’ is the total number of addresses in the scan IP address range.
o ‘Hosts alive’ is the total number of hosts that are up or alive which is 10 in this example.

We can also see that scan results are listed in the main windows. Live or up systems are colored
as blue and down IP addresses are colored as red.

o Ping is the transmission time takes to ping to IP address. If the IP address is not live it
will be shown as N/A.
o Hostname is the hostname of the given IP address.
o Ports are the ports that are listening for connection and open.

In a default scan information like Ping, Hostname and Ports are provided. If we want to get more
information like Mac Address etc. we need to use Fetchers. To open the Fetchers menu, go to
Tools then Fetchers.

We can see Selected fetchers on the left side of the panel and Available fetchers on the right side
of the panel and can be selected accordingly. Some fetchers are:

o Filtered Ports are used to print blocked ports.

o Web detect is for web servers
o HTTP Sender
o Comments
 o NetBIOS Info
o MAC Address
o MAC Vendor
o Packet Loss

We can specify the ports we want to scan. We will open the Ports tab from the Tools-
>Preferences->Ports menu. We will put the ports we want to scan by delimiting with comma. For
example:
Scan results are listed in the main panel. We can get more information about the specific IP
address by double click on it. In this example, we will double click on the line 192.168.0.102
which will open the IP Address Details windows like below:
 CYBER SECURITY LAB (CFS)
LAB NO. 3 – Man In The Middle(MiTM) using Ettercap and
Wireshark
What is MITM attack?
A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a
conversation between a user and an application—either to eavesdrop or to impersonate one of the
parties, making it appear as if a normal exchange of information is underway.
The goal of an attack is to steal personal information, such as login credentials, account details and
credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-
commerce sites and other websites where logging in is required.

Information obtained during an attack could be used for many purposes, including identity theft,
unapproved fund transfers or an illicit password change.

ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution
Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address
with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC
address is connected to an authentic IP address, the attacker will begin receiving any data that is
intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify or even
stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the
Address Resolution Protocol.

ARP Spoofing Attacks

The effects of ARP spoofing attacks can have serious implications for enterprises. In their most basic
application, ARP spoofing attacks are used to steal sensitive information. Beyond this, ARP spoofing
attacks are often used to facilitate other attacks such as:

 Denial-of-service attacks: DoS attacks often leverage ARP spoofing to link multiple IP
addresses with a single target’s MAC address. As a result, traffic that is intended for many
 CYBER SECURITY LAB (CFS)
LAB NO. 3 – Man In The Middle(MiTM) using Ettercap and
Wireshark
different IP addresses will be redirected to the target’s MAC address, overloading the target
with traffic.

 Session hijacking: Session hijacking attacks can use ARP spoofing to steal session IDs,
granting attackers access to private systems and data.

 Man-in-the-middle attacks: MITM attacks can rely on ARP spoofing to intercept and modify
traffic between victims.

For futher information visit the sites: https://www.fortinet.com/resources/cyberglossary/man-in-the-

middle-attack

https://www.veracode.com/security/arp-spoofing/

Requirements:

Attacker Machine: Kali Linux

Victim Machine: Windows

Tools: Ettercap & Wireshark

What is Wireshark?

Wireshark is a widely used, open source network analyzer that can capture and display real-time
details of network traffic. It is particularly useful for troubleshooting network issues, analyzing
network protocols and ensuring network security.

Networks must be monitored to ensure smooth operations and security. Popular with academic
institutions, government agencies, corporations and nonprofits, Wireshark is one such tool that can
offer an in-depth view into network activities, diagnose network performance issues or
identify potential security threats.

For futher information visit the site: https://www.techtarget.com/whatis/definition/Wireshark

Ettercap was developed by Albert Ornaghi and Marco Valleri. It basically a suite of tools to simplify
MiTM attacks. It can be used either from the command line (CLI) or the graphical user interface
(GUI). In this lesson, we will use the GUI.

Ettercap enables us to place ourselves in the middle between two machines and then;

 infect the traffic with malware

 delete traffic

 sniff passwords

 provide fake certificates for HTTPS

 DNS spoof
 CYBER SECURITY LAB (CFS)
LAB NO. 3 – Man In The Middle(MiTM) using Ettercap and
Wireshark
For futher information visit the site: https://www.hackers-arise.com/post/2017/08/28/mitm-
attack-with-ettercap

First go on the start button of the victim machine and open poweshell type ipconfig command to
know the IP address and default gateway. As you can see from the below picture now you know the
IP address and default gateway of the device.

Next we have to check the ARP cache by typing arp -a in the command prompt. From the cache you
can see the IP and MAC address associated to gateway.
 CYBER SECURITY LAB (CFS)
LAB NO. 3 – Man In The Middle(MiTM) using Ettercap and
Wireshark
Now go to the Kali linux and open terminal and type ifconfig command to know the IP address of the
attacker machine as we do earlier on victim machine. 192.168.1.2 is the IP address of Kali linux.

Go to the kali menu drag down to sniffing and spoofing then select Ettercap type the root password
and click authenticate to start the console.
 CYBER SECURITY LAB (CFS)
LAB NO. 3 – Man In The Middle(MiTM) using Ettercap and
Wireshark

Firstly we have to setup our primary interface eth0 is the default so leave it as it is hit the tick button
and Ettercap will start up. So now let’s find out the target which are connected to our network. Go
on to search button for hosts it will show all the active hosts in the network.

It will find 2hosts to see the list of the host click on the host list option(as the above picture)
 CYBER SECURITY LAB (CFS)
LAB NO. 3 – Man In The Middle(MiTM) using Ettercap and
Wireshark
The first IP address is the victim machine and the another one is Router, after that select the victim
computer as target 1 but to work this attack properly we have to trick the Router to send back the
traffic to the attacker not to the real sender.

After that select the attack in this case man in the middle select the globe option on the console as
shown in the below figure from there select the ARP poisioning option.
 CYBER SECURITY LAB (CFS)
LAB NO. 3 – Man In The Middle(MiTM) using Ettercap and
Wireshark

Once selected see on the bottom if the attack is started or not,while that’s running open wireshark
for capturing some traffic select the interface by double click on it.

Now go to victim machine terminal again type arp -a after hitting enter the MAC address of default
gateway changed to the attacker machine’s address as shown below.
 CYBER SECURITY LAB (CFS)
LAB NO. 3 – Man In The Middle(MiTM) using Ettercap and
Wireshark

Open the web browser in the windows and type vulnweb.com click enter you will redirect to the
website select the acuart link and go to the signup page.

For sign up the default username and password will be test & test hit enter.
 CYBER SECURITY LAB (CFS)
LAB NO. 3 – Man In The Middle(MiTM) using Ettercap and
Wireshark

Finally go back to the kali machine see the packets that are captured by wireshark and from that you
can see the login credentials that are entered by the user. Also Ettercap filters the credentials which
are entered by the user.
 CYBER SECURITY LAB (CFS)
LAB – 4 Memory Dump Analysis: Using LiME for Acquisition
Memory dump analysis is a crucial aspect of digital forensics, offering a snapshot of a system's
volatile memory at a specific point in time. This can uncover critical evidence such as running
processes, open network connections, and in-memory malware execution that disk analysis might
miss.

Memory acquisition also known as a memory dump, is the process of dumping volatile memory
(RAM) from a specific to non-volatile storage (disk) for the purpose of analysis.

A memory dump could contain valuable forensics data about the state of the system before, during
and after the compromise.

The forensic data that can be used to identify the cause of an incident and other key details about
the tools and techniques used by the attacker or adversary, ultimately giving you a clearer picture of
what transpired on the system.

What is LiME?

A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-
based devices, such as Android. This makes LiME unique as it is the first tool that allows for full
memory captures on Android devices. It also minimizes its interaction between user and kernel space
processes during acquisition, which allows it to produce memory captures that are more forensically
sound than those of other tools designed for Linux memory acquisition.

Why is Memory Dump Analysis Important?

Memory dump analysis is vital in digital forensics for several reasons:

Uncovering Hidden Data: RAM contains transient data not stored on disk, such as encryption keys
and in-memory malware.

Understanding System State: Memory dumps provide a snapot of active processes, open files, and
network connections.

Detecting Malicious Activity: Analysis can reveal the presence and behavior of malware that
operates primarily in memory.

Installing and Setting Up LiME

Open the Ubuntu machine and setup the LiME . LiME is work on Linux and any linux dependencies To
use LiME, you'll need to build it from source. Follow these steps to install and set up LiME:

Clone the LiME Repository: To clone into LiME Repository, you can use git clone:

git clone https://github.com/504ensicsLabs/LiME.git

 CYBER SECURITY LAB (CFS)
LAB – 4 Memory Dump Analysis: Using LiME for Acquisition

Open the terminal and type git clone <repository_name> and hit enter….

Ensure you have the Linux kernel headers and build tools installed.

To install build essentials, you can use: sudo apt-get install make gcc build-essential -y

Now, navigate into src subdirectory under Lime directory:

 CYBER SECURITY LAB (CFS)
LAB – 4 Memory Dump Analysis: Using LiME for Acquisition
cd LiME/src

Now in the src we can see all the c files required here and we have to make a file for that type make
but before that we have to look at the current distribution release version. For that type , cat
/etc/*release

So the version is Ubuntu 24.04 LTS and the kernal version in this case 6.11.0
Compile the LiME Module: Now, use make to compile the LiME module: Let’s try perform the
building in the src just type make in the src directory

As you see we shouldn’t get any errors here and we successfully compile the LiME module (LiME
kernel object) and renamed it based on the version of the Linux kernel running on the system.
 CYBER SECURITY LAB (CFS)
LAB – 4 Memory Dump Analysis: Using LiME for Acquisition
After that if we perform lsmod so firstly we have to know lsmod command is essentially shows the
status of the modules within the Linux kernel

So type lsmod | grep lime

But any changes will not happen on the terminal now follow the below steps…

Load the Module:

Use insmod to load the module into the kernel. Specify the path and format for the memory dump

sudo insmod lime.ko "path=/path/to/dump.mem format=raw"

specify the path and set the format into raw or you can set into lime format too but in this case just
set into raw format for extracting information from the dump file using tools like Volatility.
 CYBER SECURITY LAB (CFS)
LAB – 4 Memory Dump Analysis: Using LiME for Acquisition

The actual mem file will be approximately of 5 gigabyte, If we navigate to the root of the C drive or
by going to path directory, we will see a .mem file. Type ls -la for all to find all the lsit of files in the
system. As you can see the .mem file which consists of 5 gigabytes size
 CYBER SECURITY LAB (CFS)
LAB – 4 Memory Dump Analysis: Using LiME for Acquisition
The command du -sh * is used in Unix-like operating systems to display the total disk space used by
each file and directory within the current directory in a human-readable format. Therefore, when
you run du -sh * in a directory, you will get a list where each line shows:

1. The total disk space used by a specific file or directory (including the space used by all files
and subdirectories within a directory).

2. The name of that file or directory. (as shown in the above image)
 IMPLEMENTATION OF CYBER FORENSICS TOOLS FOR DISK
IMAGING, DATA ACQUISITION, DATA EXTRACTION AND DATA
ANALYSIS AND RECOVERY

We can do Disk Imaging by these following two ways-

 By using the software FTK Imager

 And using dd command in Linux

Disk Imaging using the Software FTK Imager

To create a forensic image with FTK imager, we will need the following:
1. FTK Imager from Access Data, which can be downloaded using the
following link: FTK Imager from Access Data
2. A Hard Drive that you would like to create an image of.

Method:

Step 1: Download and install the FTK imager on your machine.

Installation of FTK Imager
Go to your browser and search for “Download FTK imager”
Go to the link https://www.exterro.com/ftk-imager
Click on Download FTK@IMAGER
Fill up the form and submit. The download will automatically begin.
The installation is pretty simple. Just click next after next to install. You may change
the installation directory if you want.
The GUI of FTK imager will be something like this:

Step 2: Click and open the FTK Imager, once it is installed. You should be greeted
with the FTK Imager dashboard.
Step 3: In the menu navigation bar, you need to click on the File tab which will give
you a drop-down, like given in the image below, just click on the first one that
says, Add Evidence Item.
Step 4: After that, there will be a pop-up window that will ask you to Select the
Source of the Evidence. If you have connected a physical hard drive to the
laptop/computer you are using to make the forensic image, then you will select
the Physical Drive here. Click Next. Now, Select the Physical Drive that you would
like to use. Please make sure that you are selecting the right drive, or you will waste
your time exporting a forensic image of your own OS drive.

Step 5: Source Drive Selection: Based on our selection of physical drive, we then
have a choice of the current physical drives we can see, so we select the drive
corresponding to the flash drive.
Step 6: Create Image: Here is where you can specify where the image will be
created. We also always choose Verify images after they are created as a way to run a
hash value check on the image file. You can also create directory listings of all files
in the image after they are created, but be prepared that this will be a huge listing for a
typical hard drive with hundreds of thousands of entries.

Step 7: Select Image Type: This indicates the type of image file that will be created –
Raw is a bit-by-bit uncompressed copy of the original, while the other three
alternatives are designed for use with a specific forensics program. We typically use
Raw or E01, which is an EnCase forensic image file format. In this example, we’re
using Raw.
Step 8: Evidence Item Information: This is where you can enter key information
about the evidence item you are about to create to aid in documenting the item. This
information will be saved as part of the image summary information once the image is
complete.

Step9: Select Image Destination: We’ll browse to a folder that I’ve created
called “FTKImage” on the C: drive and give the image a file name. Image Fragment
Size indicates the size of each fragment when you want to break a larger image file
into multiple parts. Compression indicates the level of compression of the image file,
from 0 (no compression) to 9 (maximum compression – and a slower image creation
process). For Raw uncompressed images, compression is always 0. Use AD
Encryption indicates whether to encrypt the image – we don’t typically select that,
instead choosing to put an image on an encrypted drive (when encryption is
desired). Click Finish to begin the image process and a dialog will be displayed
throughout the image creation process. Because it is a bit-by-bit image of the device,
it will take the same amount of time regardless of how many files are currently stored
on the device.
Step 10:Drive/Image Verify Results: When the image is complete, this popup
window will appear to show the name of the image file, the sector count, computed
(before image creation) and reported (after image creation) MD5 and SHA1 hash
values with a confirmation that they match and a list of bad sectors (if any). The hash
verification is a key check to ensure a valid image and the hash values should be the
same regardless which image type you create.

Disk Imaging using the dd Command in LINUX:

Whenever it comes to wiping, backing up, or restoring Linux files, you have few tools.
Although there is one alternative that still works, regardless of the Linux distribution
you’re using, and that is the DD command. Creating an image of a partition or cloning
a complete hard disk drive are simply the acts of making a copy of the whole disk or
partition, and it is very simple with the dd command. The DD command is good for
cloning disks, backups, and restoration, among other things. In this guide, we will see
how to make a disk image using the DD command. Make sure you have the Ubuntu
Linux system installed.

DD circumvents this by making an identical replica of the whole hard drive or

partitions. So if you recover this backup, your machine will be restored to its original
state. You’ll regain access to your folders, games, browser history, and sometimes
even device settings. We’ll want another drive with more capacity than the one we’re
cloning to replicate your drive. There would most probably be a big hard drive for this
purpose.

Installation of LSSCSI Utility

Open the command-line terminal of the Ubuntu 20.04 Linux system. Make sure to
have the “lsscsi” utility installed on your system. If it is not installed, try to install it
using the below “apt” command followed by the keyword “install” and “lsscsi”. It
will take not more than 5 minutes to get installed, and you are good to go.

After installing the “lsscsi” utility, now it’s time to use it for listing all the storage
devices of our Linux system. To list the storage drives and DVD’s execute the below
command. You can see we have one disk drive and one CD/DVD device in our
system.

Check Disk Information

Firstly, we have to find out some information regarding the disk drive “/dev/sda”.
And for this reason, we have to use the “fdisk” instruction in our command-shell with
sudo privileges as below.
It will navigate to its command theme. Type “p” to check the information of disks as
shown below. You can see it shows the total memory of the “/dev/sda” drive, its
sectors, and bytes. It is showing the disk type as DOS. On the other hand, the last
three lines of the snapshot show the partitions of the /dev/sda drive and their further
information.

Create a Clone Disk Image

Now you have almost every piece of information regarding the “/dev/sda”
drive. Press “q” to exit the commanding theme. Now, you are ready to make a disk
image using the DD command. So, make yourself clear that the DD command always
needs “sudo” privileges to execute. As we already know from the above image, the
“/dev/sda” has three partitions, and we will make an image of one of them. So, we
choose “sda1” for making its clone. You have to execute the below “DD” command
followed by the “if” path and “of” path. The “if” path is of the input disk drive, which
is meant to be cloned and the “of” path is for the output device disk, where it would
be copied as an image. So, from this, you can understand that “sda1.img” is the
cloned file for disk and sda1 is the actual drive. We have specified the bytes per
second to be copied from one location to another. We assigned it a value of 1000. The
command is as follows:

The output shows the number of records inputted and outputted from two locations,
e.g., source and destination. It also shows the number of bytes with time seconds,
copied into a destination in MB’s. This means that the clone has been effectively done.
Let’s check the destination image file to see if all the data from the source drive has
been cloned into it properly or not. Use the below list command along with the path of
an image file of the drive as:

The output shows the rights assigned to this image file, its size, and location. You can
say that it has similar rights and size as the original disk drive has.

To see some more information regarding the disk image file, you have to try the
below “fdisk” command followed by the flag “-l” as below.

The output shows the exact same information regarding this image file as we have
seen for the original disk drive before creating this image file. It shows the size of the
image drive, its total number of bytes, and total sectors.

Restore the Drive from Clone Image

Now, if you want to restore your original disk drive along with all the data it has, you
have to use the DD command again to do so. While using the DD command, there is a
little change in it. You have to swipe the input and output paths this time. This means
you have to place the image disk file path into the “if” path, and in the “of” output
path, you have to mention the location where you want to restore the image file data.
Here is the command to restore the drive data from the image file:

The output shows the transfer of backup files into their actual destination. You can
see the input and output number of total records and some further information
regarding the numbers of bytes transferred the total size of the disk image, and the
time taken to transfer it.

Conclusion

Indeed, the method discussed before is the easiest and simplest way to clone a disk
into an image file and restore the backup to get all the files and folders back.
Data Analysis and Recovery using Autopsy

The Sleuth Kit is a library and a collection of command-line tools used to investigate
disk images. Autopsy is the GUI program for TSK. The results of the forensic search
carried over the images are displayed here. These results help the investigator to
locate relevant sections of data in their investigation. It is used by law enforcement,
military, and corporate examiners to investigate the actions taken place on the
evidence computer; however, it can be used to recover deleted data from digital
devices too.

1. Getting Started
Open Autopsy and create a new case.

Click on Finish after completing both the steps.

2. Add a data source.
Select the appropriate data source type.

 Disk Image or VM file: Includes images that are an exact copy of a hard
drive or media card, or a virtual machine image.
  Local Disk: Includes Hard disk, Pendrive, memory card, etc.
 Logical Files: Includes local folders or files.
 Unallocated Space Image File: Includes files that do not contain a file
system but need to run through ingest.
The data source used here is a disk image. Add the data source destination.

Configure ingest modules.

The ingest modules determine factors for which the data in the data source is to be
analyzed. Here is a brief overview of each of them.

 Recent Activity: Discover the recent operations performed on the disk, for
example, the files that were last viewed.
 Hash Lookup: Identify files using hash values.
 File Type Identification: Identify files based on their internal signatures
rather than just file .extensions.
  Extension Mismatch Detector: Identify files whose extensions are tampered
with/changed possibly to hide evidence.
 Embedded File Extractor: It extracts embedded files such as .zip, .rar, etc.
and uses the derived file for analysis. Another example could be a PNG image
saved inside a doc to make it appear as a document and thus hide crucial
information.
 EXIF (Exchangeable Image File Format) Parser: It is used to retrieve
metadata about the files, for example, date of creation, geolocation, etc.
 Keyword Search: Search for a particular keyword/pattern in the data source.
 Email Parser: If the disk holds any form of email database, for example,
pst/ost files of outlook then information from these files can be extracted using
an email parser.
 Encryption Detection: Detects and identifies encrypted / password-protected
files.
 Interesting File Identifier: Let’s set custom rules regarding the filtering of
data. Examiner is notified when results pertaining to these rules are found.
 Correlation Engine: Allows saving properties in and then retrieved from the
central repository. It helps in displaying correlated properties.
 PhotoRec Carver: Recover files, photos, etc. from the unallocated space.
 Virtual Machine Extractor: Extract and analyze any Virtual machine found
on the data source.
 Data Source Integrity: Calculates the hash values and stores them in the
database in case they aren’t already present. Otherwise, it will verify the hash
values associated with the database.
 Plaso: Extract timestamp for various types of files.
 Android Analyzer: Analyze SQLite and other files retrieved from an Android
device.

Select all that will serve the purpose of your investigation and click Next. Once the
data source is added, click Finish. It will take some buffer time to extract and analyze
the data depending upon the size of the Data Source.

3. Exploring the data source:

The Data Source information: Here the basic metadata is shown. A detailed analysis is
displayed in the bottom section. These details can be extracted in the form of Hex
values, Results, File Metadata, etc.

The disk image is then broken down based upon its volume partitions.

Each volume can be browsed for its contents, results for which are displayed in the
section at the bottom. For example, the content shown below belongs to Data Sources
-> Mantooth.E01 -> MSOCache-> [Parent Folder].
Views (Determines the factor of file classification)

 File Type: Here the files are categorized based upon their type. The
classification can be done either on the basis of file .extension or MIME type.
While both of these provide a hint about how to deal with a file, file
extensions are commonly used by the OS to decide what program shall be
used to open a file and MIME types are used by the browser to decide about
how to present the data (or by the server on how to interpret the data received).
Files displayed here also include the deleted files.

 Deleted Files: Here information about the files that were specifically deleted
can be found. These deleted files can be recovered as well: Right-click on the
file to be recovered -> click on Extract File(s). -> Save the file in an
appropriate destination.

 MB Size Files: Here files are classified based upon their size. The range starts
from 50MB. This enables the examiner to determine exclusively large files.

Note: It is usually advised to not scan or extract any suspected files/ disks such as
payload files, etc. in the main system, rather scan them in safe environments such as a
virtual machine, and then extract the data, as they hold the possibility of being corrupt
and may infect the examiner’s system with viruses.

Results:

All the extracted data is viewed in Views/ Data Source. In Results, we get the
information about this data.

Extracted Content: Each Extracted Content displayed below can be further explored.
The following briefly explains each of them.

 EXIF Metadata: It contains all the .jpg images that have EXIF Metadata
associated with them, this Metadata can be analyzed further.
 Encryption Detection: It detects files that are password protected/ encrypted.
 Extension Mismatch Detection: As explained above, it Identifies the files
whose extensions do not match their MIME types and thus they may be
suspicious.
 Installed Programs: It gives details about the software used by the user. This
information is extracted with the help of the Software Registry hive.
 Operating System Information: It gives information about the OS with the
help of the Windows Registry hive and the Software Registry hive.
 Operating System User Account: It lists information about all the user
accounts, for example, accounts belonging to the device are extracted from the
Software Hive and the accounts associated with the Internet Explorer using
index.data files.
 Recent documents: Lists all the documents that were accessed nearby the
time the disk image was captured.
 Recycle Bin: Files that are temporarily stored on the system before being
permanently deleted are visible here.
 Remote Drive: Shows information about all the remote drives accessed using
the system.
 Shell bags: A shell bag is a set of registry keys that stores details about a
folder being viewed, such as its position, icon, and size. All the Shell bags
from the system can be viewed here.
 USB Device attached: All the information about the external devices attached
to the system is displayed here. This data is extracted from Windows Registry
which is actually a maintained database about all the activities taking place on
the system.
 Web Cookies: Cookies saves the user information from the sites and thus
provide a lot of information about the user’s online activities.
 Web History: All the details about the browser history is shown here.
 Web Searches: Details about the web searches made are displayed here.
 Keyword Hits: Here specific keywords can be looked for in the image of the
disk. Multiple data sources can be selected for the lookup. The search can be
restricted to exact match, Substring match and Regular expression, for
example, emails/ IP Addresses, etc.

 HashSet Hits: Here the search can be made using hash values.
 E-mail Messages: Here all the outlook.pst files can be explored.

 Interesting Items: As discussed before, these are the file results based upon
the custom rules set by the examiner.
 Accounts: Here all the details regarding the accounts present on the disk are
shown. This disk has the following EMAIL accounts.

 Reports: Reports about the entire analysis of the data source can be generated
and exported in many formats.
Additional Features:

 Add a Data Source: Each case can hold multiple Data Sources.
 Images/Videos: Images/ Videos in the data source can be viewed in Gallery
View. The information here is displayed in the form of attribute-value pairs.

 Communications: All the communications made using the source device are
displayed here. This device had communications only in the form of emails.
  Geolocation: This window displays the artifacts that have longitude and
latitude attributes as waypoints on a map. Here the data source has no
waypoints.
 Timeline: Information about when the computer was used or what events took
place before or after a given event can be found, this greatly helps in
investigating events near about a particular time.

Almost all the basic features and how actually Autopsy works have been discussed in
this article. However, it is always recommended to go through different sample data
sources to explore even more.