How to Mount RAW Image and ISO Image as a Drive using OSFMount

OSFMount allows you to mount local disk image files (bit-for-bit copies of a disk partition) in Windows with a drive letter. You can then analyze the disk image file with PassMark OSForensics™ by using the mounted volume's drive letter.


First, open My Computer. It shows all physical drives and removable storage drives.


Download OSFMount and install it on your PC, then open OSFMount and click on the Mount new button.


Now load the evidence disk image by clicking on the Browse option.


Now it will show the mounted Image.


Now click on My Computer. It will show you the Mounted Image as a Drive.

Forensics Investigation of Facebook, Skype, and Browsers in RAW Image using IEF (Internet Evidence Finder)

Internet Evidence Finder is designed to find Internet-related data or files on a hard drive as part of a digital forensics investigation. The breadth of that purpose contrasts with the simplicity of the tool's design.

Features
·         Browser Activity
·         Instant Messaging
·         Chat Apps
·         Social Networking
·         P2P File Sharing
·         Web Search
·         Search Toolbar
·         Media Files
·         Webmail
·         Cloud Drive Mapping

Download and install IEF, then open the tool. Click on Images first.


Select the image file to load & click on open option.


It will show the image file. Click on Next.



Click on ok.


Now it will show the location and search type. Click on Next.


Select the items which are to be investigated. Click on Next.



Click on Browse to select the destination folder. Assign the case name, case no. and examiner's name. Click on Find Evidence.


Now it will show us the processing status.


After processing completes, the IEF report is shown. Now click on Facebook URLs. It will show all the Facebook URLs with date and time.


By clicking on Google Analytics URLs, it will show the details of URLs with page title and host name.


Now click on Google search. It will show the URLs with the original search query.


By selecting Skype Chat Message, it will show the Message and identifier.


Now select the Facebook Chat option. It will show the Facebook chat messages.


Selecting Facebook status update will show the updated status.


Clicking on any one of the browser activity options, such as Opera/360 Safe Browser, will show the Opera history.


Selecting IE InPrivate/Recovery URLs will show the IE history.

How to Create Drive Image for Forensic Purpose using Forensic Replicator

Forensic Replicator is a bit-stream forensic image creation tool. Forensic Replicator is a Windows based tool that creates bit-by-bit raw DD images of hard drives and related media. You can also create images in PFR format to encrypt the image, compress it, or break it up into smaller pieces. Forensic Replicator gives you everything you would expect in a forensic imaging tool. 

Features
·         Drive to Drive image option
·         Creates bit-stream images of removable media, partitions, or an entire physical hard drive
·         Creates images of USB micro drives
·         New explore function allows for preview of active FAT files--tree and detail view available
·         Allows for reprocessing of image files from Raw to Split or add compression as a new image file
·         Compresses image files on the fly
·         Encrypts data for secure storage of evidence (128-bit)
·         Splits images into segments for portability
·         Generates self-extracting images
·         Formats and copies DMF/1.68 MB floppy
·         Creates ISO CD-ROM images and allows immediate browsing of data
·         Automates floppy imaging with convenient Batch Assistant mode

Download and install Forensic Replicator.


Now click on the File option and select Create Physical Drive Image.


It will show creating physical drive image window. Click on next.


Now choose the suspect evidence drive you want to image.


Now browse to the location and enter the name of the physical image file to create. Select the Save in raw format option. Click on Next.


Select the report file format, such as Text File, HTML File or XML File. Select the information to include in the report, i.e. Image information, Time and Date of Acquisition, Export Partition structure and Add report header, and click on Next.

Now enter the details such as Case No., Evidence No., Company/Agency etc. Click on Finish.


Now it will ask for a file name. Enter the file name and select the folder where the report file is to be saved. Click on Save.


Now it will create the raw image.
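What a bit-stream raw acquisition with the "split into segments" option amounts to, as an added Python sketch (not Forensic Replicator's code, and not the PFR format). The function names, the `.001` segment naming, the chunk size and the use of SHA-256 to check the result are assumptions of this example; the "drive" is a constructed temp file.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size in bytes (assumed value)

def acquire_raw(source, dest_prefix, segment_size=None):
    """Copy source byte-for-byte into numbered raw segments; return (paths, sha256)."""
    digest = hashlib.sha256()
    segments, out, written = [], None, 0
    with open(source, "rb") as src:
        while True:
            want = min(CHUNK, segment_size - written) if segment_size else CHUNK
            block = src.read(want)
            if not block:
                break
            if out is None:  # open the next segment only when there is data for it
                segments.append(f"{dest_prefix}.{len(segments) + 1:03d}")
                out = open(segments[-1], "wb")
            out.write(block)
            digest.update(block)
            written += len(block)
            if segment_size and written == segment_size:
                out.close()
                out, written = None, 0
    if out:
        out.close()
    return segments, digest.hexdigest()

def image_sha256(segments):
    """Hash the segments in order, as if they were one continuous raw image."""
    digest = hashlib.sha256()
    for path in segments:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                digest.update(block)
    return digest.hexdigest()

def demo():
    # Constructed stand-in for a drive: 2.5 MiB of patterned bytes in a temp file.
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect_drive.bin")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 10240)
        segs, acquired = acquire_raw(src, os.path.join(tmp, "image.dd"), CHUNK)
        sizes = [os.path.getsize(p) for p in segs]
        return sizes, acquired == image_sha256(segs) == image_sha256([src])
```

Recording the acquisition hash in the case report lets the segments be re-verified later, before the image is mounted or analyzed.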

Outlook Forensics Investigation using E-Mail Examiner

Forensically examine hundreds of email formats including Outlook (PST and OST), Thunderbird, Outlook Express, Windows mail, and more. Paraben's Email Examiner is one of the most comprehensive forensically sound email examination tools available. Email Examiner allows you to analyze message headers, bodies, and attachments. Email Examiner doesn't just recover email in the deleted folders; it recovers email deleted from deleted items.

·         Microsoft Outlook (PST)
·         Microsoft Outlook Offline Storage (OST)
·         America On-line (AOL)
·         The Bat! (version 3.x and higher)
·         Thunderbird
·         Outlook Express
·         Eudora
·         Email file - RFC 833 Compliant (EML)
·         Windows mail databases
·         Maildir
·         Plain Text mail
·         Support for more than 750 MIME Types


Download E-Mail Examiner, install it on the victim PC and open it. Click on the ‘Create a New Case’ option.


The New Case window will open. Click on Next to proceed to the next step.


In the next step, enter the case name as DEMO along with the description details, and click on Finish to proceed to the next step.


In the next step, enter the investigator name and email details, and click on Finish to proceed to the next step.


Then it will ask for the file name to save your case in your specified location. Click on save option.


Now select the MS Outlook Image option from Source type, which will add the Outlook image evidence.


After selecting the evidence Outlook image, click on Open.


Now select both options and click on OK to proceed to the next step.


Now you will see that the case DEMO has been created, showing the directory hierarchy of the evidence Outlook image. You can now analyze the message headers, bodies and attachments.

How to Preserve Forensics Image file Timestamp

Forensicopy is designed to copy evidence files from one location to another while maintaining the original timestamps (MAC times). It also creates a hash of all the files before and after the copy process and verifies that each file has been copied accurately. An extensive log file is generated during the copy process in order to maintain the chain of custody.

Please note:

Forensicopy is designed to copy evidence files. It’s not a substitute for a forensic image. If possible, you should always create a full forensic drive image. Only in situations where it’s not possible to create a forensic image is it recommended to make a forensic copy with a tool like Forensicopy.

First, we copy a file from one location to another in the ordinary way. The timestamp of the copy changes.



When copying a forensic file, the timestamp should remain the same. To achieve this, we use the Forensicopy tool.
In Forensicopy, browse to the file which is to be copied in the source directory.
Browse to the folder where the file will be copied and click on Start.


It will show the message for copy completion and ask for log file to be exported.


Now we will see the properties of the copied file. Its timestamp will remain the same.


After the log file is created, open it. It shows the start-copy and finish-copy timestamps, the source and the destination for all the files in that folder. The timestamps of the files remain the same.
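The same idea as an added Python sketch (not Forensicopy's code): hash before the copy, copy, hash after, restore the timestamps and return a log record. The function names, record fields and use of SHA-256 are assumptions of this example, and the evidence file is constructed. `os.utime` restores only the accessed and modified times.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1024 * 1024), b""):
            digest.update(block)
    return digest.hexdigest()

def forensic_copy(src, dst_dir):
    """Copy src into dst_dir, keep its timestamps, return one log record."""
    before = os.stat(src)                      # capture times before reading
    src_hash = sha256_file(src)                # hash before the copy
    started = datetime.now(timezone.utc).isoformat()
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copyfile(src, dst)                  # data only: dst gets fresh times
    dst_hash = sha256_file(dst)                # hash after the copy
    # Restore accessed/modified times last, so hashing dst cannot disturb them.
    # os.utime cannot set the Windows creation time; that needs a platform API.
    os.utime(dst, ns=(before.st_atime_ns, before.st_mtime_ns))
    return {
        "source": src, "destination": dst,
        "start_copy": started,
        "finish_copy": datetime.now(timezone.utc).isoformat(),
        "sha256_before": src_hash, "sha256_after": dst_hash,
        "hash_verified": src_hash == dst_hash,
        "mtime_preserved": os.stat(dst).st_mtime_ns == before.st_mtime_ns,
    }

def demo():
    # Constructed sample evidence file, back-dated to 2015-01-01 00:00:00 UTC.
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.pst")
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence " * 1000)
        os.utime(src, (1420070400, 1420070400))
        case_dir = os.path.join(tmp, "case")
        os.mkdir(case_dir)
        plain = shutil.copyfile(src, os.path.join(tmp, "plain_copy.pst"))
        record = forensic_copy(src, case_dir)
        plain_kept = os.stat(plain).st_mtime_ns == os.stat(src).st_mtime_ns
        return record, plain_kept
```

In `demo()`, the plain copy gets a new modified time, while the record from `forensic_copy` reports both a matching hash and a preserved modified time.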