Digital Forensics Lab & Shared Cyber Forensic Intelligence Repository

<img src="https://upload.wikimedia.org/wikipedia/commons/3/3c/BJA_Logo.png" width="150"> <img src="https://www.nist.gov/sites/default/files/images/2017/06/16/dsh-st.jpg" width="150"><img src="https://www.nsf.gov/news/mmg/media/images/bitmaplogo_nolayers_f_e50fcd0b-607b-4271-a808-914d9c2f65dc.png" width="110">

Features of Repository

For feedback, or to let us know that you are using the course materials, please reach out via email at wxu at ubalt dot edu. Your collaboration is sincerely valued.


Please cite our paper:

W. Xu, L. Deng, and D. Xu, "Towards Designing Shared Digital Forensics Instructional Materials," in <em>Proceedings of the 46th Annual International Computer Software and Applications Conference (COMPSAC 2022),</em> pp. 117-122, July 2022. (Video Presentation)

or in BibTeX

```bibtex
@inproceedings{xu2022forensics,
 title={Towards Designing Shared Digital Forensics Instructional Materials},
 author={Xu, Weifeng and Deng, Lin and Xu, Dianxiang},
 booktitle={46th Annual International Computer Software and Applications Conference (COMPSAC 2022)},
 volume={1},
 pages={117--122},
 year={2022},
 organization={IEEE}
}
```


Table of Contents (new release Oct 15, 2024: Eufy investigations)

Tool Installation

Method 1: Importing customized Kali VM image

The customized Kali VM = Kali (2021.4) + the tools used for completing most of the labs listed below (except the P2P Data Leakage case).

Method 2: Installing tools using the customized script (the script has only been tested on Kali 2021.4)

The following script installs the tools needed for completing most of the labs listed below (except the P2P Data Leakage case, which has its own script described in its PPTs). Please let us know if you need us to add more tools to the script.

```bash
wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
chmod +x tool-install-zsh.sh
./tool-install-zsh.sh
```

Method 3: Using a Docker container based on Ubuntu 22.04 LTS (added 09/23; it may need more testing, so please report any issues)


Investigating NIST Data Leakage

The case study investigates a disk image involving intellectual property theft. The study includes:

Topics Covered

| Labs | Topics Covered (Command Line) | Python Version |
|---|---|---|
| Lab 0 | Environment Setting Up | |
| Lab 1 | Windows Registry | |
| Lab 2 | Windows Event and XML | Python version |
| Lab 3 | Web History and SQL | Python version |
| Lab 4 | Email Investigation | Python version |
| Lab 5 | File Change History and USN Journal | |
| Lab 6 | Network Evidence and Shellbag | |
| Lab 7 | Network Drive and Cloud | |
| Lab 8 | Master File Table ($MFT) and Log File ($LogFile) Analysis | |
| Lab 9 | Windows Search History | |
| Lab 10 | Windows Volume Shadow Copy Analysis / SQL Database Carving | |
| Lab 11 | Recycle Bin and Anti-Forensics | |
| Lab 12 | Data Carving | |
| Lab 13 | Crack Windows Passwords | |

Investigating P2P Data Leakage

The P2P data leakage case study helps students apply various forensic techniques to investigate intellectual property theft involving P2P file sharing. The study includes:

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Lab Environment Setting Up | 4M |
| Lab 1 | Disk Image and Partitions | 5M |
| Lab 2 | Windows Registry and File Directory | 15M |
| Lab 3 | MFT Timeline | 6M |
| Lab 4 | USN Journal Timeline | 3M |
| Lab 5 | uTorrent Log File | 9M |
| Lab 6 | File Signature | 8M |
| Lab 7 | Emails | 9M |
| Lab 8 | Web History | 11M |
| Lab 9 | Website Analysis | 2M |
| Lab 10 | Timeline (Summary) | 13K |

Investigating Illegal Possession of Images

The case study investigates the illegal possession of rhino images. The image was contributed by Dr. Golden G. Richard III and was originally used in the DFRWS 2005 Rodeo Challenge. NIST hosts the USB DD image; a copy of the image is also available in this repository.

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 1 | Review HTTP Analysis using Wireshark (text) | 3M |
| Lab 2 | Rhino Possession Investigation 1: File Recovering | 9M |
| Lab 3 | Rhino Possession Investigation 2: Steganography | 4M |
| Lab 4 | Rhino Possession Investigation 3: Extract Evidence from FTP Traffic | 3M |
| Lab 5 | Rhino Possession Investigation 4: Extract Evidence from HTTP Traffic | 5M |

Investigating Email Harassment

The case study investigates a harassment email sent by a student to a faculty member. The case is hosted by digitalcorpora.org; you can access the scenario description and the network traffic from their website. This repository only provides the lab instructions.

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Investigating Harassment Email using Wireshark | 3M |
| Lab 1 | tshark Forensic Introduction | 7M |
| Lab 2 | Investigating Harassment Email using tshark | 2M |

Investigating Illegal File Transferring

The case study examines a memory image to reconstruct a timeline of unauthorized data transfers. The scenario involves the illicit transfer of sensitive files from a server to a USB device.

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Memory Forensics | 11M |
| Part 1 | Understand the Suspect and Accounts | |
| Part 2 | Understand the Suspect's PC | |
| Part 3 | Network Forensics | |
| Part 4 | Investigate Command History | |
| Part 5 | Investigate the Suspect's USB | |
| Part 6 | Investigate Internet Explorer History | |
| Part 7 | Investigate File Explorer History | |
| Part 8 | Timeline Analysis | |

Investigating Hacking Case

The case study, based on a disk image provided by NIST, investigates a hacker who intercepts internet traffic within range of wireless access points.

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Hacking Case | 8M |

Investigating Morris Worm Attack

The case study is an investigation of the Morris Worm attack. We use the VM provided by SeedLab. The goal of the lab is to find all evidence related to the Morris Worm attack.

Topics Covered

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Morris Worm Attack | 7M |
| Lab 1 | Investigating Morris Worm Attack | 2M |

Investigating Eufy Doorbell

This case study covers the forensic analysis of a Eufy doorbell and HomeBase system using advanced extraction techniques, including the chip-off method. The process starts with disassembly and chip-off, proceeds to image acquisition, and concludes with analysis. Key directories, such as those containing camera footage, SQLite databases, and various logs, are analyzed to extract evidence. This approach helps reconstruct timelines, identify evidence of user interactions and system activity, and provides valuable insights for security investigations. Note that this study focuses on HomeBase 2, while the latest version is HomeBase 3.

eMMC Images

Topics Covered

| Labs | Topics Covered |
|---|---|
| Lab 0 | Doorbell Introduction |
| Lab 1 | Doorbell Scenario Simulation |
| Lab 2 | Doorbell Teardown and Chip-off Image Acquisition |
| Lab 3 | Doorbell Image Analysis and Mounting |
| Lab 4 | Doorbell Evidence Extraction |
| Lab 5 | Doorbell P2P Communication Log |
| Lab 6 | Doorbell Daily (Sec) Log |
| Lab 7 | Doorbell: Analysing the Camera Directory |
| Lab 8 | Doorbell: Analysing the SQLite Directory |

Investigating Echo Show 8

The case study outlines the use of the chip-off technique to extract evidence from an Amazon Echo Show device. Different types of evidence are produced and planted on an Echo Show 8 (2nd generation). The investigative process then uses a reverse engineering approach to retrieve the planted evidence from the device's embedded MultiMediaCard (eMMC).

eMMC Images

Topics Covered

| Labs | Topics Covered | Lab Data |
|---|---|---|
| Lab 0 | Echo Show Introduction | |
| Lab 1 | Echo Show Evidence Planting | |
| Lab 2 | Device Teardown and eMMC Chip-off | |
| Lab 3 | Image Acquisition and Mounting | |
| Lab 4.1.1 | Specifications: Device and OS Info | link |
| Lab 4.1.2 | Specifications: User Info | link |
| Lab 4.1.3 | Specifications: Network Connectivity Info | link |
| Lab 4.2.1 | Web Activity | link |
| Lab 4.2.2 | Phone Communication | link |
| Lab 4.3.1 | Multimedia: Photos and Related Data | link |
| Lab 4.3.2 | Multimedia: Videos and Related Data | link |
| Lab 4.3.3 | Multimedia: Audio and Related Data | link |

Investigating Android 10

The image was created by Joshua Hickman and is hosted by digitalcorpora.

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Intro Pixel 3 | 3M |
| Lab 1 | Pixel 3 Image | 2M |
| Lab 2 | Pixel 3 Device | 4M |
| Lab 3 | Pixel 3 System Setting | 5M |
| Lab 4 | Overview: App Life Cycle | 11M |
| Lab 5.1.1 | AOSP App Investigations: Messaging | 4M |
| Lab 5.1.2 | AOSP App Investigations: Contacts | 3M |
| Lab 5.1.3 | AOSP App Investigations: Calendar | 1M |
| Lab 5.2.1 | GMS App Investigations: Messaging | 6M |
| Lab 5.2.2 | GMS App Investigations: Dialer | 2M |
| Lab 5.2.3 | GMS App Investigations: Maps | 8M |
| Lab 5.2.4 | GMS App Investigations: Photos | 6M |
| Lab 5.3.1 | Third-Party App Investigations: Kik | 4M |
| Lab 5.3.2 | Third-Party App Investigations: TextNow | 1M |
| Lab 5.3.3 | Third-Party App Investigations: WhatsApp | 3M |
| Lab 6 | Pixel 3 Rooting | 5M |

Investigating iPhone iOS 13.4.1

The image was created by Joshua Hickman and is hosted by digitalcorpora.

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | Intro iPhone iOS 13 | 5M |
| Lab 1 | iOS 13.4.1 Image | 5M |
| Lab 2 | iPhone Device Investigation | 3M |
| Lab 3 | iOS System Settings | 3M |
| Lab 4 | Overview of App Life Cycle | 2M |
| Lab 5 | Messages Investigations | 3M |
| Lab 6 | Contacts Investigations | 3M |
| Lab 7 | Calendar Investigations | 2M |
| Lab 8 | Safari Investigations | 3M |
| Lab 9 | Photo Investigations | 7M |
| Lab 10 | KnowledgeC Investigations | 5M |
| Lab 11 | Health Investigations | 5M |
| Lab 12 | Location Investigations | 8M |
| Lab 13 | Cellebrite Investigations | 12M |
| Lab 14 | Magnet Axiom Investigations | 13M |
| Lab 14 | Jailbreak Investigations | 6M |

Investigating Drone DJI

The dataset includes logical files extracted from a DJI controller (a mobile device) and an image of the SD card used by the drone. The drone dataset was created by VTO Labs. The lab covers GPS investigation and cached image retrieval. Note that this lab is a draft; we will improve it later.

| Labs | Topics Covered | Size of PPTs |
|---|---|---|
| Lab 0 | DJI Mavic Air Mobile | 13M |
| Lab 1 | DJI Mavic Air MicroSD Raw | 2M |
| Lab 2 | DJI Mavic Air MicroSD EnCase Format | 2M |

Political Insight Analysis Leveraging LLMs

The case study demonstrates how to leverage large language models to gain political insight from an email dataset. The dataset used in the case study is a set of leaked emails obtained from Hillary Clinton's private email server.

The background of the leaked emails is a significant chapter in recent U.S. political history, involving questions of transparency, security, and the handling of sensitive information. During her tenure as U.S. Secretary of State from 2009 to 2013, Hillary Clinton used a private email server for her official communications instead of the official State Department email system. She stated that this was done for convenience, allowing her to use a single device for both personal and official emails.

The leaked email dataset from Hillary Clinton's private email server is a comprehensive collection of communications covering her entire tenure as Secretary of State from 2009 to 2013. It includes approximately 30,000 emails with a wide range of topics from official diplomatic communications to personal correspondences. The release and subsequent analysis of these emails have played a crucial role in political debates, legal inquiries, and public discussions about transparency and security in government communications.

Our dataset: a set of email summaries. Each summary was generated by Gemini from an original email in the leaked email dataset. We are only interested in emails containing the keyword "israel".

Our results: Code in Jupyter Notebook.

Here are some political insights related to Israel, based on the leaked email summaries obtained from Hillary Clinton's private email server: <img src="/AI4Forensics/CKIM2024/HillaryEmails/political_insight_2024-05-31_10-29-52.jpg">


Tools

| Name | Command | Repository | Installation Method |
|---|---|---|---|
| Wine | wine --version | https://source.winehq.org/git/wine.git/ | Custom |
| Vinetto | vinetto -h | https://github.com/AtesComp/Vinetto | Custom |
| imgclip | imgclip -h | https://github.com/Arthelon/imgclip | apt install |
| RegRipper | rip.pl -h | https://github.com/keydet89/RegRipper3.0 | Customized script |
| Windows-Prefetch-Parser | prefetch.py -h | https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git | Custom |
| python-evtx | evtx_dump.py -h | https://github.com/williballenthin/python-evtx | apt install |
| libesedb-utils | esedbexport -h | https://github.com/libyal/libesedb | apt install |
| libpff | pffexport -h | https://github.com/libyal/libpff | apt install |
| USN-Record-Carver | usncarve.py -h | https://github.com/PoorBillionaire/USN-Record-Carver | apt install |
| USN-Journal-Parser | usn.py -h | https://github.com/PoorBillionaire/USN-Journal-Parser | apt install |
| time_decode | time_decode.py -h | https://github.com/digitalsleuth/time_decode | Git clone |
| analyzeMFT | analyzeMFT.py -h | https://github.com/dkovar/analyzeMFT | Customized script |
| libvshadow | vshadowinfo -h | https://github.com/libyal/libvshadow | Customized script |
| INDXParse | INDXParse.py - | | Customized script |
| carving sqlite .db | undark -h | https://github.com/inflex/undark.git | Customized script |
| stegdetect | stegdetect -V | | Customized script |
| stegbreak | stegbreak -V | | Customized script |
| stego-toolkit | jphide | | Customized script |
| stego-toolkit | jpseek | | Customized script |
| volatility-2 | vol.py -h | https://github.com/volatilityfoundation/volatility.git | Customized script |
| liblnk-utils | lnkinfo -h | | apt install |
| JLECmd | | https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip | Git clone |
| recentfilecache-parser | | https://github.com/prolsen/recentfilecache-parser | |
| LogFileParser | | https://github.com/jschicht/LogFileParser.git | Git clone |
| UsnJrnl2Csv | | https://github.com/jschicht/UsnJrnl2Csv.git | Git clone |

Contribution


Star History
