SARDAR VALLABHBHAI PATEL INSTITUTE OF TECHNOLOGY
SUB NAME:DIGITAL FORENSICS SUBJECT CODE:3170725
PRACTICAL-6
→ Memory Acquisition for Forensic Analysis using Magnet Ram Capture
Magnet RAM Capturer is a specialized forensic tool designed to capture volatile memory
(RAM) from a computer system. This is crucial for digital forensics investigations as RAM
often contains sensitive and time-sensitive data that can be easily lost or altered if not acquired
promptly.
1. Preparation and Setup:
• Physical Access: Gain physical access to the device whose memory needs to be
acquired.
• Network Isolation: Disconnect the device from the network to prevent data tampering.
• Connect Capturer: Connect the Magnet RAM Capturer to the device's USB port.
• Configure Settings: Configure the capturer's settings according to the specific device
and operating system.
2. Acquisition Process:
• Initiate Capture: Start the memory acquisition process using the Magnet RAM
Capturer's software interface.
• Memory Dump: The tool will create a complete snapshot of the device's RAM,
capturing all active processes, data, and system information.
• Verification: The software will typically verify the integrity of the captured memory
image using checksums or other validation methods to ensure data accuracy.
3. Image Preservation:
• Secure Storage: Save the captured memory image to a secure location, such as a write-
protected external drive or a network-attached storage (NAS) device.
• Hashing: Calculate a hash value (e.g., SHA-256) of the memory image to ensure its
integrity and prevent tampering.
• Documentation: Document the acquisition process, including the date, time, location,
and any relevant details.
4. Analysis and Investigation:
• Forensic Analysis: Use specialized forensic tools to analyze the captured memory
image and extract relevant evidence.
• Data Recovery: If necessary, attempt to recover deleted or overwritten data from the
memory image.
• Correlation with Other Evidence: Correlate the findings from the memory analysis
with other evidence collected from the device or the crime scene.
Here are some steps for using Magnet RAM Capture:
1. Run the software on the device being analyzed. Investigators often store the software
on a removable drive.
2. Open the application and click Browse.
3. Choose a location to save the memory capture.
4. Click Save.
5. Click the Start button to begin the capture.
6. The capture will save as a dump file in the location you chose.
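Step 3 above (hash the image and document the acquisition) in runnable form, as an added example that is not part of this practical or of Magnet RAM Capture: it streams SHA-256 over a dump, writes a sidecar hash and a JSON acquisition record, and re-verifies the image later. The examiner and location strings are hypothetical and the dump is a constructed stand-in.

```python
# Added example (not from the practical): stream-hash a RAM image, write a
# sidecar hash and an acquisition record, then re-verify the image later.
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # dumps are gigabytes: hash in 1 MiB chunks, never read whole

def sha256_file(path: str) -> str:
    """SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record_acquisition(image_path: str, examiner: str, location: str) -> dict:
    """Hash the image, write <image>.sha256 and <image>.acquisition.json beside
    it, and return the acquisition record (who, when, where, size, hash)."""
    digest = sha256_file(image_path)
    with open(image_path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")  # sha256sum layout
    record = {"image": os.path.basename(image_path),
              "size_bytes": os.path.getsize(image_path), "sha256": digest,
              "acquired_utc": datetime.now(timezone.utc).isoformat(),
              "examiner": examiner, "location": location}
    with open(image_path + ".acquisition.json", "w") as f:
        json.dump(record, f, indent=2)
    return record

def verify_image(image_path: str) -> bool:
    """Re-hash the image and compare with the digest recorded at acquisition."""
    with open(image_path + ".sha256") as f:
        expected = f.read().split()[0]
    return sha256_file(image_path) == expected

def demo() -> dict:
    """Constructed sample: a tiny stand-in dump, verified, then altered by one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "memdump.raw")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + os.urandom(1024))  # fake RAM content
        record = record_acquisition(image, "examiner-1 (hypothetical)", "lab PC-3 (hypothetical)")
        verified = verify_image(image)
        with open(image, "r+b") as f:  # simulate a post-acquisition modification
            f.write(b"\xff")
        empty = os.path.join(tmp, "empty.raw")
        open(empty, "wb").close()
        return {"sha256": record["sha256"], "verified": verified,
                "verified_after_change": verify_image(image),
                "empty_sha256": sha256_file(empty)}
```

The sidecar uses the two-space layout of sha256sum, so `sha256sum -c memdump.raw.sha256` on another machine gives the same verdict as verify_image.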
PRACTICAL-7
→ Browser Forensics using Browser History Examiner Tool.
Browser History Examiner is a powerful forensic tool designed to extract and analyze browsing
history data from various web browsers. It can be used to investigate online activities, identify
visited websites, track user behavior, and uncover potential evidence in digital forensics
investigations.
Steps Involved in Using Browser History Examiner:
1. Acquire the Device: Obtain physical access to the device containing the browser history
data. This could be a computer, laptop, tablet, or smartphone.
2. Isolate the Device: Disconnect the device from the network to prevent data tampering
or deletion. If possible, use a write-blocker to prevent any changes to the device's
storage.
3. Launch Browser History Examiner: Install and launch the Browser History Examiner
tool on a separate system. Ensure that the tool is compatible with the operating system
and browser version of the device being examined.
4. Select the Data Source: Choose the appropriate data source based on the device and
browser type. This might involve connecting the device directly or accessing a disk
image created from the device.
5. Extract Browsing History: The tool will scan the selected data source and extract
relevant browsing history data, including:
o Visited URLs
o Download history
o Search history
o Form data
o Cookies
o Cache
6. Analyze the Extracted Data: Use the tool's filtering and search capabilities to analyze
the extracted data and identify relevant information. You can search for specific
keywords, time ranges, or website domains.
7. Identify Patterns and Anomalies: Look for unusual patterns or anomalies in the
browsing history, such as frequent visits to suspicious websites or unusual search
queries.
8. Correlate with Other Evidence: Compare the browsing history data with other digital
evidence collected from the device or the crime scene to identify connections and
patterns.
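An added example (not from the practical or from Browser History Examiner) of the filtering in steps 6 and 7 applied to constructed exported history rows: visit counts per domain, search terms pulled from the query string, a time-range filter, and a simple anomaly flag for frequent and late-night visits. The domains, timestamps and the search-parameter table are assumptions.

```python
# Added example (not from the practical): the filtering of steps 6 and 7 applied
# to constructed exported history rows (local timestamp, URL).
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse, parse_qs

SAMPLE_HISTORY = [  # constructed rows, not real browsing data
    ("2024-03-02 09:12:00", "https://www.google.com/search?q=how+to+recover+deleted+files"),
    ("2024-03-02 09:13:20", "https://example-forum.test/thread/123"),
    ("2024-03-02 23:41:05", "http://paste-site.test/raw/abc"),
    ("2024-03-03 00:02:17", "http://paste-site.test/raw/def"),
    ("2024-03-03 00:05:50", "http://paste-site.test/raw/ghi"),
    ("2024-03-03 10:30:00", "https://www.bing.com/search?q=weather+ahmedabad"),
]
# Query-string parameter carrying the search terms for each engine (assumed table)
SEARCH_PARAMS = {"www.google.com": "q", "www.bing.com": "q", "duckduckgo.com": "q"}
FMT = "%Y-%m-%d %H:%M:%S"

def parse_history(rows) -> list:
    """Turn (timestamp, url) strings into (datetime, ParseResult) pairs."""
    return [(datetime.strptime(ts, FMT), urlparse(url)) for ts, url in rows]

def domain_counts(rows) -> Counter:
    """Visits per host (step 6: filter by website domain)."""
    return Counter(p.hostname for _, p in parse_history(rows))

def search_queries(rows) -> list:
    """(time, engine, query) for visits to the search engines in SEARCH_PARAMS."""
    found = []
    for ts, p in parse_history(rows):
        param = SEARCH_PARAMS.get(p.hostname)
        for q in (parse_qs(p.query).get(param, []) if param else []):
            found.append((ts.strftime(FMT), p.hostname, q))
    return found

def in_time_range(rows, start: str, end: str) -> list:
    """Visits whose timestamp falls within [start, end] (step 6: time range)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [(ts.strftime(FMT), p.geturl()) for ts, p in parse_history(rows) if lo <= ts <= hi]

def flag_anomalies(rows, min_visits: int = 3, night=(22, 6)) -> dict:
    """Step 7: hosts visited at least min_visits times, visits between 22:00
    and 06:00 machine-local time, and every search term found."""
    counts = domain_counts(rows)
    nightly = [(ts.strftime(FMT), p.hostname) for ts, p in parse_history(rows)
               if ts.hour >= night[0] or ts.hour < night[1]]
    return {"frequent_domains": [d for d, n in counts.most_common() if n >= min_visits],
            "night_visits": nightly, "searches": search_queries(rows)}
```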
PRACTICAL-8
→ Digital Forensics Investigation using Autopsy Tool.
Autopsy is an open source digital forensics tool. It is an efficient tool for hard drive investigation, with features such as multi-user cases, timeline analysis, registry analysis, keyword search, email analysis, media playback, EXIF analysis, malicious file detection and much more.
PRACTICAL-9
→ Forensics Analysis using Windows Powershell.
PowerShell is a powerful tool for performing Windows forensic analysis. Here are some
useful PowerShell commands for forensic investigations:
1) Get-ChildItem
This command enumerates all files and directories on a specified drive or path. It can help
you identify suspicious files or analyze the file system.
Get-ChildItem -Path C:\ -Recurse
2) Get-EventLog
This command allows you to retrieve events from the event logs on a system. You can use it
to identify anomalies or investigate security incidents.
Get-EventLog -LogName System
3) Get-ItemProperty
This command retrieves the properties of a file, including its creation time, last access time, and last write time.
Get-ItemProperty -Path C:\Windows\System32\[Link]
4) Get-Process
This command allows you to view running processes on a system, which can help identify
suspicious or malicious processes.
Get-Process
5) Get-Service
This command lets you view the services installed on a system, including their current status
and startup type.
Get-Service
6) Get-UserProfile
This command is often listed as a way to view the user profiles on a system, including their SID, path, and last use time. No built-in cmdlet of that name ships with Windows PowerShell, so the same information is read from the Win32_UserProfile CIM class:
Get-CimInstance -ClassName Win32_UserProfile | Select-Object SID, LocalPath, LastUseTime
7) Get-WinEvent
This command allows you to retrieve events from the event logs on a system using more
advanced filtering options than Get-EventLog.
Get-WinEvent -FilterHashtable @{Logname="System";ID=6005}
These commands can be used individually or combined in scripts to automate forensic tasks and analyze Windows systems more efficiently.
1. Incident response scripts
Use scripts like DFIR Script, CollectWindowsEvents, and CollectWindowsSecurityEvents to respond to cyber attacks.
2. Network activity
Use PowerShell to retrieve network activity, which can be a first step in triaging a machine.
3. MemProcFS-Analyzer
Use MemProcFS-Analyzer to perform automated forensic analysis.
PRACTICAL-10
→ Windows Event Log Analysis
Windows event log analysis is the process of reviewing a computer's event logs to identify potential threats, errors, and other issues.
Here are some tools for Windows event log analysis:
• EventLog Analyzer: A log management tool that can collect, analyze, and archive
event logs from multiple sources
• Event log monitoring tools: Can help system engineers avoid the manual process of
going through event logs
• Eventlogxp: Offers filtering options to refine events at various stages of loading
Event logs record information about a computer's system, applications, providers, services,
and more. This information can include:
event type, user data, date and time, source, username, computer, and level.
To export event viewer logs, you can:
1. Open Event Viewer by running [Link]
2. Locate the log to be exported
3. Select the logs to export
4. Right-click on them and select Save All Events As
PRACTICAL-11
(BEYOND SYLLABUS)
→ PDF File Forensic Analysis using PDF-Parser Tool.
This tool will parse a PDF document to identify the fundamental elements used in the
analyzed file. It will not render a PDF document.
→ PDFiD
This tool is not a PDF parser, but it will scan a file to look for certain PDF keywords,
allowing you to identify PDF documents that contain (for example) JavaScript or execute an
action when opened. PDFiD will also handle name obfuscation.
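An added example, not pdfid's own code, of what such a keyword scan does: it undoes #xx name obfuscation (so /J#61vaScript is still recognised as /JavaScript) and counts the structural tokens the way pdfid reports them. The keyword list is a subset of pdfid's and the sample PDF is constructed.

```python
# Added example, not pdfid's own code: a minimal pdfid-style keyword scan that
# undoes #xx name obfuscation and counts structural tokens, on a constructed PDF.
import re

PDF_KEYWORDS = ["/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
                "/AcroForm", "/ObjStm", "/Encrypt", "/RichMedia", "/XFA"]
STRUCT_TOKENS = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref"]
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*")  # a PDF name token: '/' plus regular chars

def normalize_name(raw: bytes) -> str:
    """Resolve #xx escapes so b'/J#61vaScript' compares equal to '/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def scan_pdf_bytes(data: bytes) -> dict:
    """Count keywords (after de-obfuscation) and structural tokens like pdfid does."""
    counts = {k: 0 for k in PDF_KEYWORDS}
    obfuscated = {k: 0 for k in PDF_KEYWORDS}  # hits that needed #xx decoding
    for m in NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name in counts:
            counts[name] += 1
            if b"#" in m.group(0):
                obfuscated[name] += 1
    # whole-word matches, so 'endobj' is not also counted as 'obj'
    structure = {t.decode(): len(re.findall(rb"(?<![A-Za-z])" + t + rb"(?![A-Za-z])", data))
                 for t in STRUCT_TOKENS}
    hdr = re.match(rb"%PDF-\d\.\d", data)
    return {"header": hdr.group(0).decode() if hdr else "", "keywords": counts,
            "obfuscated": obfuscated, "structure": structure}

def triage_notes(report: dict) -> list:
    """Plain-language reasons the file deserves a closer look."""
    kw, notes = report["keywords"], []
    if kw["/JS"] or kw["/JavaScript"]:
        notes.append("contains JavaScript")
    if kw["/OpenAction"] or kw["/AA"]:
        notes.append("runs an action automatically (on open or on an event)")
    if any(report["obfuscated"].values()):
        notes.append("uses #xx name obfuscation to hide a keyword")
    if report["structure"]["obj"] != report["structure"]["endobj"]:
        notes.append("obj/endobj counts differ (malformed or truncated file)")
    return notes

# Constructed sample: a one-page PDF whose open action points at an obfuscated JavaScript action
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
              b"3 0 obj\n<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>\nendobj\n"
              b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")
```

For a real file, pass `open(path, "rb").read()` to scan_pdf_bytes; keywords inside compressed object streams are not visible to this scan, which is the same limit pdfid has without its decoding options.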
PRACTICAL-12
(BEYOND SYLLABUS)
→ Windows Registry Forensics
The Windows Registry holds information about recently accessed files and considerable information about user activities, besides configuration information. Hence, this article serves the purpose of giving you an in-depth understanding of the Registry and the wealth of information it holds. To most administrators and forensic analysts today, the registry probably looks like the entrance to a dark.
The system was largely managed by several files, specifically [Link], [Link], [Link] (on Windows) and [Link]. When an administrator or forensic examiner opens [Link], they see a tree-like structure with five root folders, or "hives":
• HKEY_CLASSES_ROOT − contains configuration information relating to which application is used to open various files on the system.
• HKEY_CURRENT_USER − the loaded user profile for the currently logged-on user.
• HKEY_LOCAL_MACHINE − contains a vast amount of configuration information for the system, including hardware and software settings.
• HKEY_USERS − contains all the actively loaded user profiles for that system.
• HKEY_CURRENT_CONFIG − contains the hardware profile the system uses at startup.
Registry Forensics
Suppose your computer lies in the hands of a malicious person without your consent. How can you then determine what exactly they did to your computer? You can track their activity by inspecting the registry as follows:
1. Recent User list
(HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Explorer\RunMRU)
With the information provided by the RunMRU key, an examiner can gain a better understanding of the user they are investigating and the applications being used. In the above figure, you can see the user has opened cmd, Notepad, MSPaint, etc.
2. USB Connection
(HKEY_LOCAL_MACHINE\SYSTEM\controlset001\Enum\USBSTOR)
This key stores the product and device ID values of any USB devices that have ever been connected to the system.
3. Software Running − (HKEY_CURRENT_USER\Software\)
This information is quite informative for the forensic examiner, as it can show that the attacker used a VPN such as CyberGhost to stay anonymous.
4. Applications Used −
(HKEY_CURRENT_USER\SOFTWARE\Microsoft\Currentversion\Search\RecentApps)
Navigating to the said key gives the list of applications last accessed by the user.
5. Internet Explorer information
(HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs)
Internet Explorer is the native web browser of the Windows operating system. Like many applications, it uses the Registry extensively to store its data. From the said key, we can obtain the URLs the user typed into the address bar.
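An added example (not from the article) that turns the RunMRU values of item 1 into the order the commands were used. It assumes the key's usual layout: one single-letter value per command, each ending in \1, and an MRUList string listing those letters most recent first; the sample values are constructed.

```python
# Added example (not from the article): decode the RunMRU key into the order the
# Run-box commands were used, most recent first; on Windows it can read the live key.
import sys

RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed sample of the key's values as regedit would list them: each
# single-letter value holds one command with a trailing "\1", and MRUList
# is a string of those letters, most recently used first.
SAMPLE_RUNMRU = {"a": "cmd\\1", "b": "notepad\\1", "c": "mspaint\\1", "MRUList": "cba"}

def _command(raw: str) -> str:
    """Strip the '\\1' suffix Windows appends to each RunMRU entry."""
    return raw[:-2] if raw.endswith("\\1") else raw

def runmru_commands(values: dict) -> list:
    """Run-box commands ordered by MRUList (most recent first). Letters that
    exist as values but are missing from MRUList are appended alphabetically,
    so a partially cleared list still yields every stored command."""
    order = [c for c in values.get("MRUList", "") if c in values]
    leftovers = sorted(k for k in values if len(k) == 1 and k not in order)
    return [_command(values[k]) for k in order + leftovers]

def read_live_runmru() -> dict:
    """Read HKCU RunMRU on a Windows box (returns {} on other platforms)."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values

if __name__ == "__main__":
    live = read_live_runmru()
    for cmd in runmru_commands(live or SAMPLE_RUNMRU):
        print(cmd)
```

On a seized disk rather than a live system, the same decoding applies to the values exported from the user's NTUSER.DAT hive.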