Awesome
Digital Forensics Lab & Shared Cyber Forensic Intelligence Repository
<img src="https://upload.wikimedia.org/wikipedia/commons/3/3c/BJA_Logo.png" width="150"> <img src="https://www.nist.gov/sites/default/files/images/2017/06/16/dsh-st.jpg" width="150"><img src="https://www.nsf.gov/news/mmg/media/images/bitmaplogo_nolayers_f_e50fcd0b-607b-4271-a808-914d9c2f65dc.png" width="110">
Features of Repository
- Interactive Digital Forensics Labs: Tailored for students and faculty engagement
- Linux-Centric Lab Environment: Utilizes Kali Linux exclusively for all labs
- Visual Learning Support: Each lab includes PowerPoint presentations, associated files, and instructional screenshots
- Holistic Coverage: Encompasses a wide array of topics within the field of digital forensics
- Open Source Tools: All tools utilized are freely available and open-source
- Ongoing Updates: Supported by grants from the DOJ, DHS, and NSF, the team is committed to regularly updating the repository
- Forensic Intelligence Integration: Two structured forensic intelligence datasets in JSON format derived from real case studies
For feedback or to express your usage of the course materials, please reach out via email at wxu at ubalt dot edu. Your collaboration is sincerely valued
Please cite our paper:
W. Xu, L. Deng, and D. Xu, "Towards Designing Shared Digital Forensics Instructional Materials," in <em>Proceeding of the 46st Annual International Computer Software and Applications Conference (COMPSAC 2022),</em> pp. 117-122, July 2022. (Video Presentation)
or in BibTeX
@inproceedings{xu2022forensics,
title={Towards Designing Shared Digital Forensics Instructional Materials},
author={Xu, Weifeng and Deng, Lin, and Xu, Dianxiang},
booktitle={46st Annual International Computer Software and Applications Conference (COMPSAC 2022)},
volume={1},
pages={117--122},
year={2022},
organization={IEEE}
}
Table of Contents (new release Oct 15, 2024: Eufy investigations)
-
Basic Computer Skills for Digital Forensics
- Number Systems (add Python code for data conversion 1/2023)
- PC Introduction
- Windows Command Line Tutorial
- Linux Command Line Tutorial
- Advanced Linux Command Line Tutorial
-
Basic Networking Skills for Digital Forensics (added 3/17/2023. Use Paython Scapy and netfilterqueue libraries.)
-
Computer and Digital Forensics (updated on Oct. 2021)
-
Computer Forensics Case Study
- Investigating NIST Data Leakage (Windows XP)
- Investigating P2P Data Leakage (Windows 10)
- Investigating Illegal Possession of Images ("Networking forensics")
- Investigating Email Harassment (updated on Feb 2023)
- Investigating Illegal File Transferring (Memory Forensics)
- Investigating Hacking Case
- Investigating Morris Worm Attack (updated on Jan 2023, POSTER)
-
Mobile/IoT Forensics Case Study
- Investigating Eufy Doorbell (added on 10/15/2024)
- Investigating Echo Show 8 (added on 12/25/2023)
- Investigating Android 10 (added on 10/24/2021)
- Investigating iPhone iOS 13 (updated on 6/18/2022)
- Investigating Drone (add on 12/07/2021)
-
Forensic Intelligence Repository
-
AI for Forensics
Tool Installation
Method 1: Importing customized Kali VM image
The customized Kali VM = Kali (2021.4) + tools used for completing most of the labs listed above (except p2p Data Leakage case)
- Install Virtualbox
- Import the customized Kali 2021.4. Notes: the default harddisk size is 80G.
Method 2: Installing tools using the customized script (the script ONLY is tested on Kali 2021.4)
The following script will install tools needed for completing most of the labs listed above (except p2p Data Leakage case, which has its own script described in PPTs). Please let us know if you need us to add more tools to the script.
-
Install Virtualbox
-
Install Kali 2021.4. Notes: Suggest You configure the disk size of Kali VM 80G because the size of each leakage cases image is 30G+
-
Run a tool installation script instructions, or you can simply follow the commands below
wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
chmod +x tool-install-zsh.sh
./tool-install-zsh.sh
- Installed tools. Note that most of the commands for tools can executed globally. Now you can skip most of tool installation steps in PPTs.
Method 3: Using a Docker container based on Ubuntu 22.04 LTS (added in 09/23, may need more testing, report any issues please)
- The host machine of the Docker container is Ubuntu 22.04 LTS.
- The container is built on top of Ubuntu 22.04 LTS as well.
- All tools are pre-install on the Ubuntu container.
- You can follow the tuturial Docker for Digital Forensic Investgiation
Investigating NIST Data Leakage
The case study is to investigate an image involving intellectual property theft. The study include
- A large and complex case study created by NIST. You can access the Scenario, DD/Encase images. You can also find the solutions on their website.
- 14 hands-on labs/topics in digital forensics
Topics Covered
Labs | Topics Covered (Command Line) | Python Version |
---|---|---|
Lab 0 | Environment Setting Up | |
Lab 1 | Windows Registry | |
Lab 2 | Windows Event and XML | Python version |
Lab 3 | Web History and SQL | Python version |
Lab 4 | Email Investigation | Python version |
Lab 5 | File Change History and USN Journal | |
Lab 6 | Network Evidence and shellbag | |
Lab 7 | Network Drive and Cloud | |
Lab 8 | Master File Table ($MFT) and Log File ($logFile) Analysis | |
Lab 9 | Windows Search History | |
Lab 10 | Windows Volume Shadow Copy Analysis/SQL database carving | |
Lab 11 | Recycle Bin and Anti-Forensics | |
Lab 12 | Data Carving | |
Lab 13 | Crack Windows Passwords |
Investigating P2P Data Leakage
The P2P data leakage case study is to help students to apply various forensic techniques to investigate intellectual property theft involving P2P. The study includes
- A large and complex case involving a uTorrent client. The case is similar to NIST data leakage lab. However, it provides a clearer and more detailed timeline.
- Solid evidence with explanations. Each evidence that is associated with each activity is explained along with the timeline.
- 10 hands-on labs/topics in digital forensics
Topics Covered
Labs | Topics Covered | Size of PPTs |
---|---|---|
Lab 0 | Lab Environment Setting Up | 4M |
Lab 1 | Disk Image and Partitions | 5M |
Lab 2 | Windows Registry and File Directory | 15M |
Lab 3 | MFT Timeline | 6M |
Lab 4 | USN Journal Timeline | 3M |
Lab 5 | uTorrent Log File | 9M |
Lab 6 | File Signature | 8M |
Lab 7 | Emails | 9M |
Lab 8 | Web History | 11M |
Lab 9 | Website Analysis | 2M |
Lab 10 | Timeline (Summary) | 13K |
Investigating Illegal Possession of Images
The case study is to investigate the illegal possession of Rhino images. This image was contributed by Dr. Golden G. Richard III, and was originally used in the DFRWS 2005 RODEO CHALLENGE. NIST hosts the USB DD image. A copy of the image is also available in the repository.
Topics Covered
Investigating Email Harassment
The case study is to investigate the harassment email sent by a student to a faculty member. The case is hosted by digitalcorpora.org. You can access the senario description and network traffic from their website. The repository only provides lab instructions.
Topics Covered
Labs | Topics Covered | Size of PPTs |
---|---|---|
Lab 0 | Investigating Harassment Email using Wireshark | 3M |
Lab 1 | t-shark Forensic Introduction | 7M |
Lab 2 | Investigating Harassment Email using t-shark | 2M |
Investigating Illegal File Transferring
The case study aims to examine computer memory to reconstruct a timeline of unauthorized data transfers. The scenario involves the illicit transfer of sensitive files from a server to a USB device.
Topics Covered
Labs | Topics Covered | Size of PPTs |
---|---|---|
Lab 0 | Memory Forensics | 11M |
part 1 | Understand the Suspect and Accounts | |
part 2 | Understand the Suspect’s PC | |
part 3 | Network Forensics | |
part 4 | Investigate Command History | |
part 5 | Investigate Suspect’s USB | |
part 6 | Investigate Internet Explorer History | |
part 7 | Investigate File Explorer History | |
part 8 | Timeline Analysis |
Investigating Hacking Case
The case study, including a disk image provided by NIST is to investigate a hacker who intercepts internet traffic within range of Wireless Access Points.
Topics Covered
Labs | Topics Covered | Size of PPTs |
---|---|---|
Lab 0 | Hacking Case | 8M |
Investigating Morris Worm Attack
The case study is an investigation of the Morris Worm Attacking. We are using the VM provided by SeedLab. The goal of the lab is to find all evidence related to Morris Worm attacking.
Topics Covered
Labs | Topics Covered | Size of PPTs |
---|---|---|
Lab 0 | Morris Worm Attack | 7M |
Lab 1 | Investigating Morris Worm Attack | 2M |
Investigating Eufy Doorbell
This case study examines the forensic analysis of a Eufy doorbell and HomeBase system using advanced extraction techniques, including the chip-off method. The process starts with disassembly, chip-off, image acquisition, and concludes with analysis. Key directories, such as those containing camera footage, SQLite databases, and various logs, are analyzed to extract evidence. This approach helps reconstruct timelines, identify evidence of user interactions and system activity, and provides valuable insights for security investigations. Note that this study focuses on HomeBase 2, but the latest version is HomeBase 3.
eMMC Images
Topics Covered
Investigating Echo Show 8
The case study outlines the use of the chip-off technique to extract evidence from an Amazon Echo Show device. Different types of evidence are produced and inserted into the Echo Show 8 (2nd generation). The investigative process includes the utilization of a reverse engineering approach to retrieve the implanted evidence from the embedded MultiMediaCard (eMMC) of the Echo Show device.
eMMC Images
Topics Covered
Labs | Topics Covered | Lab Data |
---|---|---|
Lab 0 | Echo Show Introduction | |
Lab 1 | Echo Show Evidence Planting | |
Lab 2 | Device Teardown and eMMC Chip-off | |
Lab 3 | Image Acquisition and Mounting | |
Lab 4.1.1 | Specifications: Device and OS Info | link |
Lab 4.1.2 | Specifications: User info | link |
Lab 4.1.3 | Specifications: Network Connectivity Info | link |
Lab 4.2.1 | Web Activity | link |
Lab 4.2.2 | Phone Communication | link |
Lab 4.3.1 | Multimedia: Photos and related Data | link |
Lab 4.3.2 | Multimedia: Videos and related Data | link |
Lab 4.3.3 | Multimedia: Audio and related Data | link |
Investigating Android 10
The image is created by Joshua Hickman and hosted by digitalcorpora.
Labs | Topics Covered | Size of PPTs |
---|---|---|
Lab 0 | Intro Pixel 3 | 3M |
Lab 1 | Pixel 3 Image | 2M |
Lab 2 | Pixel 3 Device | 4M |
Lab 3 | Pixel 3 System Setting | 5M |
Lab 4 | Overview: App Life Cycle | 11M |
Lab 5.1.1 | AOSP App Investigations: Messaging | 4M |
Lab 5.1.2 | AOSP App Investigations: Contacts | 3M |
Lab 5.1.3 | AOSP App Investigations: Calendar | 1M |
Lab 5.2.1 | GMS App Investigations: Messaging | 6M |
Lab 5.2.2 | GMS App Investigations: Dialer | 2M |
Lab 5.2.3 | GMS App Investigations: Maps | 8M |
Lab 5.2.4 | GMS App Investigations: Photos | 6M |
Lab 5.3.1 | Third-Party App Investigations: Kik | 4M |
Lab 5.3.2 | Third-Party App Investigations: textnow | 1M |
Lab 5.3.3 | Third-Party App Investigations: whatapp | 3M |
Lab 6 | Pixel 3 Rooting | 5M |
Investigating iPhone iOS 13.4.1
The image is created by Joshua Hickman and hosted by digitalcorpora.
Labs | Topics Covered | Size of PPTs |
---|---|---|
Lab 0 | Intro Intro iPhone iOS 13 | 5M |
Lab 1 | iOS 13.4.1 Image | 5M |
Lab 2 | iPhone Device investigation | 3M |
Lab 3 | iOS System Settings | 3M |
Lab 4 | Overview of App Life Cycle | 2M |
Lab 5 | Messages Investigations | 3M |
Lab 6 | Contacts Investigations | 3M |
Lab 7 | Calender Investigations | 2M |
Lab 8 | Safari Investigations | 3M |
Lab 9 | Photo Investigations | 7M |
Lab 10 | KnowledgeC Investigations | 5M |
Lab 11 | Health_ Investigations | 5M |
Lab 12 | Location Investigations | 8M |
Lab 13 | Cellebrite Investigations | 12M |
Lab 14 | Magnet Axiom Investigations | 13M |
Lab 14 | Jailbreak Investigations | 6M |
Investigating Drone DJI
The dataset includes logical files extracted from a DJI controller (mobile device) and an SD card image used by the device. The Drone dataset is created by VTO Labs. The lab covers GPS investigation and cached image retrieval. Note that it is a draft. We will improve the lab later.
Labs | Topics Covered | Size of PPTs |
---|---|---|
Lab 0 | DJI Mavic Air Mobile | 13M |
Lab 1 | DJI Mavic Air MicroSD Raw | 2M |
Lab 2 | DJI Mavic Air MicroSD Encase Format | 2M |
Political Insight Analysis Leveraging LLMs
The case study demonstrates how to Leverage Large Language Models to gain political insight based on an email dataset. The dataset we have used in the case study is a set of leaked emails obtained from Hillary Clinton's private email server.
The background of the leaked emails is a significant chapter in recent U.S. political history, involving questions of transparency, security, and the handling of sensitive information. During Hillary's tenure as U.S. Secretary of State from 2009 to 2013, Hillary Clinton used a private email server for her official communications instead of the official State Department email system. She stated that this was done for convenience, allowing her to use a single device for both personal and official emails.
The leaked email dataset from Hillary Clinton's private email server is a comprehensive collection of communications covering her entire tenure as Secretary of State from 2009 to 2013. It includes approximately 30,000 emails with a wide range of topics from official diplomatic communications to personal correspondences. The release and subsequent analysis of these emails have played a crucial role in political debates, legal inquiries, and public discussions about transparency and security in government communications.
Our dataset: a set of email summaries. Each email summary is a summarization of an email generated by Gemini from an original email in the original leaked email dataset. We are only interested in emails containing the keyword "israel".
Our results: Code in Jupyter Notebook.
Here are some political insights based on the leaked email summaries obtained from Hillary Clinton's private email server that are related to Israel: <img src="/AI4Forensics/CKIM2024/HillaryEmails/political_insight_2024-05-31_10-29-52.jpg">
Tools
Name | Command | Repository | Installation Method |
---|---|---|---|
Wine | wine --version | https://source.winehq.org/git/wine.git/ | Custom |
Vinetto | vinetto -h | https://github.com/AtesComp/Vinetto | Custom |
imgclip | imgclip -h | https://github.com/Arthelon/imgclip | apt install |
RegRipper | rip.pl -h | https://github.com/keydet89/RegRipper3.0 | Customized scirpt |
Windows-Prefetch-Parser | prefetch.py -h | https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git | Custom |
python-evtx | evtx_dump.py -h | https://github.com/williballenthin/python-evtx | apt install |
libesedb-utils | esedbexport -h | https://github.com/libyal/libesedb | apt install |
libpff | pffexport -h | https://github.com/libyal/libpff | apt install |
USN-Record-Carver | usncarve.py -h | https://github.com/PoorBillionaire/USN-Record-Carver | apt install |
USN-Journal-Parser | usn.py -h | https://github.com/PoorBillionaire/USN-Journal-Parser | apt install |
time_decode | time_decode.py -h | https://github.com/digitalsleuth/time_decode | Git clone |
analyzeMFT | analyzeMFT.py -h | https://github.com/dkovar/analyzeMFT | Customized scirpt |
libvshadow | vshadowinfo -h | https://github.com/libyal/libvshadow | Customized scirpt |
INDXParse | INDXParse.py - | Customized scirpt | |
carving sqlite .db | undark -h | https://github.com/inflex/undark.git | Customized scirpt |
stegdetect | stegdetect -V | Customized scirpt | |
stegbreak | stegbreak -V | Customized scirpt | |
stego-toolkit | jphide | Customized scirpt | |
jpsestego-toolkitek | jpseek | Customized scirpt | |
volatility-2 | vol.py -h | https://github.com/volatilityfoundation/volatility.git | Customized scirpt |
liblnk-utils | lnkinfo -h | apt install | |
JLECmd | https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip | Git clone | |
recentfilecache-parser | https://github.com/prolsen/recentfilecache-parser | ||
LogFileParser | https://github.com/jschicht/LogFileParser.git | Git clone | |
UsnJrnl2Csv | ttps://github.com/jschicht/UsnJrnl2Csv.git | Git clone |
- Other tools installed via apt install python3-pip, leafpad, terminator, sqlite3, tree, xmlstarlet, libhivex-bin, pasco, libhivex-bin, npm, binwalk, foremost, hashdeep, ewf-tools, nautilus
Contribution
- PIs of the project
- Dr. Frank Xu (Email: fxu at ubalt dot edu)
- Dr. Debra L. Stanley
- Dr. Lin Deng; Twoson University
- Students:
- Eric Xu: University of Maryland (LLM for Digital Forensics)
- Sarfraz Shaikh: University of Baltimore (Echo Show, Eufy Doorbell)
- Danny Ferreira (iPhone)
- Harleen Kaur (Partial of Android)
- Malcolm Hayward (P2P Leakage)
- Richard (Max) Wheeless (Hacking case)
- Chimezie Onwuegbuchulem (Docker for Digital Forensics)
- Etinosa Osawe (AI for Forensics - Identifying IPs with a Fine-tuned Language Model)