How to identify suspicious changes to files or directories (Disk Drive Signature)

By OSForensics
Creating a signature generates a snapshot of the directory structure of the drive at the point of creation. This information includes data about a file's directory path, file size and file attributes.

How to Create Signature

First of all, download OSForensics from here.


Select the Create Signature option and click on Config.


Now browse to the desired directory in Directory List Management; in my case I am selecting the H: drive, which is the pen drive. Click on the Add to List option to include the directory, then click OK.


Now the Start Folder option will show the selected drive, i.e. the H: drive. Click on Start.


It will ask for a file name; enter one and click on Save. The signature for the data drive will now be created.


Now make some modifications on the data drive and repeat the same steps to create a second signature after the modifications.


Now click on the Compare Signature option.


Browse to both signature files, the first in the Old Signature field and the second in the New Signature field.


Click on Compare. It will start the process and then show the files with their modification status as well as their creation and modification dates. We can use the Show option to list only modified or deleted files.


By clicking on a modified file, it will show the file differences: the old and new signature paths together with the creation and modification dates.
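To make the idea behind the signature workflow above concrete, here is an added Python example (written for this page, not OSForensics code) that records the same kind of snapshot (path, size, attributes and modification time) and diffs two snapshots into added, deleted and modified files. The tree it walks and the changes it makes are constructed inside a temporary directory so the script runs offline; the attribute set and the JSON file format are assumptions of this example, not OSForensics' signature format.

```python
import json
import os
import stat
import tempfile
from datetime import datetime, timezone


def create_signature(root):
    """Walk `root` and record, for every file, its size, permission bits and
    last-modified time, keyed by path relative to `root`.  Relative keys let
    two snapshots compare even when the drive letter or mount point differs."""
    signature = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            signature[rel] = {
                "size": st.st_size,
                "mode": stat.filemode(st.st_mode),
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            }
    return signature


def save_signature(signature, path):
    """Persist a snapshot as JSON (the 'old' or 'new' signature file)."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(signature, f, indent=2, sort_keys=True)


def load_signature(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare_signatures(old, new):
    """Classify every path as added, deleted or modified.  A file counts as
    modified when any recorded attribute (size, mode, mtime) differs."""
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def describe_change(old, new, path):
    """Old-versus-new detail for one modified path, like the per-file view in
    the comparison tool: {attribute: (old_value, new_value)}."""
    return {k: (old[path][k], new[path][k])
            for k in old[path] if old[path][k] != new[path][k]}


def demo():
    """Constructed walk-through: snapshot a small tree, tamper with it,
    snapshot again, round-trip both snapshots through JSON and diff them."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "report.txt"), "wb") as f:
            f.write(b"original report\n")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"notes\n")
        save_signature(create_signature(root), os.path.join(store, "old.json"))

        # Simulated suspicious activity: one file edited, one deleted, one added.
        with open(os.path.join(root, "docs", "report.txt"), "ab") as f:
            f.write(b"tampered line\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ")
        save_signature(create_signature(root), os.path.join(store, "new.json"))

        old = load_signature(os.path.join(store, "old.json"))
        new = load_signature(os.path.join(store, "new.json"))
        diff = compare_signatures(old, new)
        detail = describe_change(old, new, "docs/report.txt")
        return diff, detail


if __name__ == "__main__":
    changes, detail = demo()
    print(json.dumps(changes, indent=2))
    print("docs/report.txt:", detail)
```

A snapshot like this only proves that something changed between two points in time; it records metadata, not content, so a file rewritten to the same size with its timestamp restored would not be flagged. Adding a content hash per file (at the cost of reading every file) closes that gap, and the signature files themselves must be stored somewhere the examined drive cannot reach.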

Forensics Investigation of RAW Image using OS Forensics Tool


OS Forensics allows you to identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory and binary data.
It lets you extract forensic evidence from computers quickly with advanced file searching and indexing and enables this data to be managed effectively.
Features
·         Discover Forensic Evidence Faster
·         Find files faster, search by filename, size and time
·         Search within file contents using the Zoom search engine
·         Search through email archives from Outlook, ThunderBird, Mozilla and more
·         Recover and search deleted files
·         Uncover recent activity of website visits, downloads and logins
·         Collect detailed system information
·         Password recovery from web browsers, decryption of office documents
·         Discover and reveal hidden areas in your hard disk
·         Browse Volume Shadow copies to see past versions of files
·         Identify Suspicious Files and Activity
·         Verify and match files with MD5, SHA-1 and SHA-256 hashes
·         Find misnamed files where the contents don't match their extension
·         Create and compare drive signatures to identify differences
·         Timeline viewer provides a visual representation of system activity over time
·         File viewer that can display streams, hex, text, images and meta data
·         Email viewer that can display messages directly from the archive
·         Registry viewer to allow easy access to Windows registry hive files
·         File system browser for explorer-like navigation of supported file systems on physical drives, volumes and images
·         Raw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes and images
·         Web browser to browse and capture online content for offline evidence management
·         ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been in the system
·         SQLite database browser to view and analyze the contents of SQLite database files
·         ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications
·         Prefetch viewer to identify the time and frequency of applications that have been running on the system, and thus recorded by the O/S's Prefetcher
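One of the checks listed above, finding misnamed files whose contents don't match their extension, is simple enough to show in code. The following is an added Python example written for this page, not OSForensics' own implementation: it compares each file's leading bytes against a small constructed table of well-known format signatures and reports mismatches. The signature table, the extension aliases and the sample files are all constructed for the example; OSForensics uses its own, far larger, signature database.

```python
import os
import tempfile

# Constructed lookup of a few well-known file signatures ("magic numbers").
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "exe",
}

# Extensions that legitimately share a container or format with another entry.
ALIASES = {
    "jpeg": "jpg", "jpe": "jpg",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "apk": "zip",
    "dll": "exe", "sys": "exe", "scr": "exe", "ocx": "exe",
}

HEADER_LEN = max(len(m) for m in MAGIC)


def detect_type(header):
    """Return the format implied by the leading bytes, longest signature first."""
    for magic, kind in sorted(MAGIC.items(), key=lambda kv: -len(kv[0])):
        if header.startswith(magic):
            return kind
    return None


def check_name(filename, header):
    """Compare the claimed extension with the detected content type.
    Returns (verdict, detected): verdict is 'match', 'mismatch' or 'unknown'."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = ALIASES.get(ext, ext)
    detected = detect_type(header)
    if detected is None:
        return ("unknown", None)
    return ("match" if detected == ext else "mismatch", detected)


def scan_tree(root):
    """Walk a directory (for example a mounted image) and list files whose
    content does not match their extension, as (relative path, detected type)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    header = f.read(HEADER_LEN)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            verdict, detected = check_name(name, header)
            if verdict == "mismatch":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, detected))
    return sorted(findings)


def demo():
    """Constructed samples: a genuine JPEG, an executable renamed to .jpg,
    an Office document (a ZIP container) and an unrecognised text blob."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "invoice.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
        "budget.xlsx": b"PK\x03\x04\x14\x00",
        "readme.txt": b"plain text, no magic",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, kind in demo():
        print(f"{rel_path}: extension does not match content ({kind})")
```

Files with no recognised signature are reported as unknown rather than as mismatches, which keeps the output focused; a very short signature such as the two-byte "MZ" can occasionally match plain text, so a hit is a lead for the examiner to confirm, not a verdict.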

First download OSForensics from here and install it on your PC, then open OSForensics and click on the Create Case button to create a new forensic case.



Now enter the details such as Case Name, Investigator Name, Default Drive and Acquisition Type.
To specify the case folder, click on Browse and select the location where you want to save your evidence report.



Now it will show the registered case in the tool. To manage this case, click on the Add Device option available under Manage Current Case.


Now select the Image File option under Select Device to Add. Assign the path of the folder where the image file exists and also give a Display Name, which is compulsory. Click on the OK button.


Now it will show us the details of the Image File.


Now, to search for files by file type, click on the File Name Search option. Browse to the forensic image file in Start Folder. Use the Preset popup menu to specify the type of file, such as images, audio or video. It will show the file list.


Now, to get the recent activity, which helps to see the latest trends and activities of the user, click on the Recent Activity option, select the Scan Drive option and then click on Scan.


To find deleted files from the user's system, click on Deleted File Search. Select the forensic image file and click on Search. It will show all the deleted files in the forensic image file. To see the working of the other options in this tool, wait for the article which is coming soon.

How to Create and Convert RAW Image in Encase and AFF Format

Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats:
·         DD/RAW (Linux “Disk Dump”)
·         AFF (Advanced Forensic Format)
·         E01 (Encase®)

Program Functions
Forensic Imager provides three separate functions:

·         Acquire: The acquire option is used to take a forensic image (an exact copy) of the target media into an image file on the investigator's workstation;
·         Convert: The convert option is used to copy an existing image file from one image format to another, e.g. DD to E01;
·         Hash or verify: The hash or verify option is used to calculate a hash value (MD5, SHA1 or SHA256) for a device or an existing image file.

It also includes the option to SHA256 sector-hash a device, so that known sectors can be located within an image file (e.g. a single sector of a JPEG file left in unallocated clusters can be identified by its sector hash).
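The hash/verify function and the sector-hash idea described above can be illustrated in a few dozen lines. The following is an added Python example written for this page, not Forensic Imager code: it computes whole-image MD5/SHA1/SHA256 hashes (streaming for real files), re-verifies an image file against previously recorded hashes, builds a SHA-256 index of every non-zero sector and then looks up the sectors of a known file in that index. The 512-byte sector size, the zero-padding of the known file's last sector and the nine-sector "image" are constructed assumptions of the example.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size for this example


def hash_bytes(data, algorithms=("md5", "sha1", "sha256")):
    """Whole-image hashes for an in-memory image."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Streaming version for real image files, which rarely fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_file(path, expected):
    """Verification step: recompute the hashes of an image file and compare
    them with those recorded at acquisition time, per algorithm."""
    actual = hash_file(path, tuple(expected))
    return {name: actual[name] == expected[name] for name in expected}


def sector_hashes(image, sector=SECTOR):
    """Map SHA-256(sector contents) -> list of sector numbers where it occurs.
    All-zero sectors are skipped: they occur everywhere and identify nothing."""
    index = {}
    for offset in range(0, len(image), sector):
        chunk = image[offset:offset + sector]
        if chunk.count(0) == len(chunk):
            continue
        index.setdefault(hashlib.sha256(chunk).hexdigest(), []).append(offset // sector)
    return index


def find_known_sectors(image, known_file, sector=SECTOR):
    """Locate the sectors of a known file inside an image, allocated or not.
    The known file is zero-padded to a sector boundary, which is how the tail
    of a file is usually written (an assumption: slack content varies by
    file system).  Returns {known-file sector index: [image sector numbers]}."""
    padded = known_file + b"\x00" * (-len(known_file) % sector)
    index = sector_hashes(image, sector)
    hits = {}
    for k in range(0, len(padded), sector):
        digest = hashlib.sha256(padded[k:k + sector]).hexdigest()
        if digest in index:
            hits[k // sector] = index[digest]
    return hits


def demo():
    """Constructed nine-sector 'image' with a JPEG-like file at sectors 4-5,
    written to a temporary file so the streaming verify path is exercised."""
    known = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 3        # 772-byte fake JPEG
    filler = bytes((i * 7 + 3) % 256 for i in range(SECTOR))    # unrelated data
    padded = known + b"\x00" * (-len(known) % SECTOR)
    image = filler * 4 + padded + bytes(SECTOR) + filler[::-1] * 2
    hits = find_known_sectors(image, known)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.dd")
        with open(path, "wb") as f:
            f.write(image)
        verified = verify_file(path, hash_bytes(image))
    return hits, verified


if __name__ == "__main__":
    found, ok = demo()
    print("known-file sectors located in image:", found)
    print("image verifies against recorded hashes:", ok)
```

Recording all three hashes at acquisition and re-checking them before analysis is what makes the image defensible; of the three, SHA-256 is the one to rely on, since MD5 and SHA-1 collisions can be produced deliberately. Sector hashing on a real image is I/O bound, so in practice the index is built once and stored rather than rebuilt for every lookup.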


First download Forensic Imager from here and install it on your PC, then open Forensic Imager and click on the Acquire option.


It will show all drives. Select the drive whose image is to be created. Click on Next.


Now select the image type from the drop-down menu, select the output filename in the Folder option where you want to save your evidence image, and fill in details such as Case Name, Evidence Number and Examiner. Then click on Start.


Now it will show the acquisition progress. After it completes, a raw image will be created in the specified folder.


Now we will proceed to convert the RAW file into EnCase format.

Open Forensic Imager again, click on Add Image and select the image which is to be converted. Then click on Next.


Now select the image type from the drop-down menu, choosing the format you want to convert to, and select the output file in the Folder option where you want to save your raw image in EnCase format. Click on Start.


Now it will show the conversion progress, and after it completes an EnCase-formatted file will be created in the specified folder.

How to mount Forensics image as a Drive using P2 eXplorer Pro

P2 eXplorer Pro is a specialized component of P2C that allows you to virtually mount forensic images such as raw DD, E01 and even virtual machine images as local drive letters. It is free with any purchase of P2C.

P2 eXplorer Pro can mount the following image formats: Encase (E01), Forensic Replicator (PFR), SafeBack 1, 2, & 3, SMART, FTK DD & E01, Raw DD, WinImage, Paraben's Forensic Containers (P2S), vmWare, VirtualPC, & VirtualBox (VDI).


First of all, we click on the My Computer option, which shows us all physical drives and removable storage drives.


First download P2 eXplorer from here and install it on your PC, then open P2 eXplorer and click on the Mount Storage button.


Now load the evidence disk image by clicking on the Browse option.

To learn how to create a disk image, read this article.


Now it will show the mounted Image.


Now click on My Computer. It will show you the Mounted Image as a Drive.

How to Convert Encase, FTK, DD, RAW, VMWare and other image file as Windows Drive

Mount Image Pro mounts EnCase, FTK, DD, RAW, SMART, SafeBack, ISO, VMWare and other image files as a drive letter (or physical drive) on your computer.

Features of Mount Image Pro

It enables the mounting of forensic images including:
·         EnCase .E01, EX01, .L01, .LX01
·         AccessData .AD1
·         DD and RAW images (Unix/Linux)
·         Forensic File Format .AFF
·         NUIX .MFS01
·         ProDiscover
·         Safeback v2
·         SMART
·         XWays .CTR
And other common image formats including:
·         Apple DMG
·         ISO (CD and DVD images)
·         Microsoft VHD
·         VMWare
These image files are mounted as a drive letter under the Windows file system.

IMPORTANT: When dealing with forensic evidence files ensure that you have a Verified and Secured Master copy.


First of all, we click on the My Computer option, which shows us all physical drives and removable storage drives.


First download Mount Image Pro from here and install it on your PC, then open Mount Image Pro and click on the Mount button.


It will open the selection window. To add an image file to the selection window, click the Add Image option and add the evidence raw image.


Now load the Evidence Disk Image.

To learn how to create a disk image, read this article.

After selecting the evidence image, click on Open.


Now the evidence image is selected; click on Mount Disk.


The Options window will open now. Click on OK.


Now it will show the mounted image.


Now click on My Computer. It will show you the Mounted Image as a Drive.

Note: This tool can also be used to mount a VMware image as a drive.