SANTOKU Linux- Overview of Mobile Forensics Operating System

Santoku is dedicated to mobile forensics, analysis, and security, and packaged in an easy to use, Open Source platform.

First Download Santoku ISO image from here

After having started the Santoku boot loader, you will see a screen with several boot options. Now click on Install – start the installer directly then press Enter

You will see this screen, then click on Continue

Click Continue here as well

Select first option – Erase disk and install Santoku, then click on Install Now

Now you will see a Map which shows your location, and then click on Continue

You will see the form, please fill all the fields like Name, Password etc and then click Continue

You will get a Pop up on your computer screen says Installation Complete, please restart your Computer. Click on Restart Now

Once the computer is ready to use it will ask you for the login details. Please enter your password to login.

Now you are on the Home screen of SANTOKU, click on bottom left of your computer screen. You will get couple of options, please select SANTOKU and click on Development Tools; here you can find all available development tools in SANTOKU.

Click on Device Forensics, here you can find all available Device Forensics tools in SANTOKU

Click on Penetration Testing, here you can find all available Penetration Testing tools in SANTOKU.

Click on Reverse Engineering, here you can find all available Reverse Engineering tools in SANTOKU.

Click on Wireless Analyzers, here you can find all available Wireless Analyzers tools in SANTOKU.

How to Recover Deleted from RAW Image using FTK Imager and Recover My File

How to create Disk Image read this article

 http://www.hackingarticles.in/how-to-create-copy-of-suspects-evidence-using-ftk-imager/

After installing the program, run it. In the window that shall appear, click on the option “File” and “Image Mounting.

Now select the image file to mount image to drive.

In the window “Mount Image to Drive”, choose the forensic image that shall be mounted and select

The Drive letter and click on mount option

Now it will show the mounted image as G:  Drive in your system.

Now, download Recover my file from here after installing, run the program. In the window let´s choose the option “Recover files” and click on next.

 In the next window l choose the option “In a specific location” and indicate the mounted drive  through FTK Imager. Now click on “Next”.

Now select search for deleted files option and click on start.

Now it will show all the deleted files, which are recovered and now select your desired deleted file and save in your pc.

Forensics Analysis of Pagefile, hibersys File

In forensic investigation, Memory dump, pagefile and hiberfil files can provide us a lot of data. Memory dump is the file which contains the   information about the cause of the system crash.

From Forensics wiki

Pagefile.sys: Microsoft Windows uses a paging file, called pagefile.sys, to store frames of memory that do not current fit into physical memory. Although Windows supports up to 16 paging files, in practice normally only one is used.

Hiberfil.sys: hiberfil file stores the data when Microsoft windows computer system is on Hibernate mode.

These files are very useful for digital investigation because these files are not stored in physical Hard Disk.

First of all download Access Data FTK Imager from here so to capture the memory dump, click on capture memory option.

A new window will pop up. Click on browse button to select destination path. Select the option Include Pagefile & click on Capture Memory.

After completion of process, two files will be carved in the specified folder.

To Extract the Hiberfil  file, click on add all attached devices

 Now click on the directory where windows are installed.  Select Root Folder and click on hiberfil.sys file.

Now right click on Hiberfil file & click on Export files.

Select the folder

After process completion, it will show the message about exported file

Now to analyze the Live RAM image file, we will use Belkasoft Evidence Center.

Now open Belkasoft Evidence Center.  Click on New Option. Click ok.

Enter all the details as well as root folder. 

Now select the option Live RAM Image.

Now select the specified path to mount an image file. In File Name option select All Files (*) It will show the files.  Select Pagefile .sys.

Now select the option Analyze Data Source click on Next.

 To select the supported data types to curve, Click on Select All option and click on Finish.

To analyze visited URL. Click on Chrome Live Ram

Similarly Click on Opera Live Ram.

Click on Found Pictures to see the images.

Same method use for hibersys file

Step by Step Tutorial of FTK Imager

FTK® Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as Access Data® Forensic Toolkit® (FTK) is warranted. FTK Imager can also create perfect copies (forensic images) of computer data without making changes to the original evidence. With FTK Imager, you can:

·         Create forensic images of local hard drives, floppy diskettes, Zip disks, CDs, and DVDs, entire folders, or  individual files from various places within the media.

·         Preview files and folders on local hard drives, network drives, floppy diskettes, Zip disks, CDs, and DVDs

·         Preview the contents of forensic images stored on the local machine or on a network drive

·         Mount an image for a read-only view that leverages Windows Explorer to see the content of the image exactly as the user saw it on the original drive

·         Export files and folders from forensic images.

·         See and recover files that have been deleted from the Recycle Bin, but have not yet been overwritten on  the drive.

·         Create hashes of files using either of the two hash functions available in FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1)

First Download FTK Imager From here and install in your pc.

ADD Evidence Item

Click on Add Evidence Item to add evidence from disk, image file or folder.

Now select the source evidence type as physical drive, logical drive or image file. We have selected image file and click on next.

Select virtual drive image & click on open option.

Select the source path and click on finish.

Now select Evidence Tree and analyze the virtual disk as physical disk.

Similarly to add raw image select again add evidence item and click on image file and click on open option.

Click on finish.

Now raw image will be added as physical drive to analyze.

Mounting an Image as a Local Drive

To mount an image file, click on Image Mounting option.

Select virtual drive image.

Select Mount Type, Drive Letter and Mount Method and click on mount option.

Now it will show the virtual drive.

Now select the image file to mount image to drive.

Capture Memory

Click on button “Capture Memory” how the picture below:

On the next window choice the directory to storage the extracted files, and click on the button “Capture Memory”

Wait for the process finish.

A memory dump file will be created on the source directory.

Create RAW Image

Now open the FTK Imager and Click on Create Disk Image

Now a “Select source” box will open and choose “Physical Drive” click NEXT  

Now choose the drive of the Suspect Evidence you want to make image.

After choosing the Drive Click on finish to Start Creating Image of Suspect Evidence

(Note: choose option “Verify images after they are created”)

Now in Select Image Type Choose “Raw (dd)” and click on NEXT

Now In” Evidence Item Information” Fill the Following attributes, as you can see some random information given can be random as per the Suspects Evidence. Click NEXT

Now choose the location of the image you want to create and Name the Image Filename. And click on FINISH

Now in final Step Click START button to start Creating Image.

Successfully the Suspects Evidence Image Is Created .Now you can audit the Suspects evidence from the image Created from FTK Image.