How to Create Drive Image for Forensic Purpose using Forensic Replicator

Forensic Replicator is a Windows-based bit-stream forensic imaging tool that creates bit-by-bit raw DD images of hard drives and related media. You can also create images in PFR format to encrypt the image, compress it, or break it up into smaller pieces. Forensic Replicator gives you everything you would expect in a forensic imaging tool.

Features
· Drive-to-drive image option
· Creates bit-stream images of removable media, partitions, or an entire physical hard drive
· Creates images of USB micro drives
· New explore function allows a preview of active FAT files (tree and detail views available)
· Allows reprocessing of image files from raw to split, or adding compression, as a new image file
· Compresses image files on the fly
· Encrypts data (128-bit) for secure storage of evidence
· Splits images into segments for portability
· Generates self-extracting images
· Formats and copies DMF/1.68 MB floppies
· Creates ISO CD-ROM images and allows immediate browsing of the data
· Automates floppy imaging with the convenient Batch Assistant mode

First, download Forensic Replicator from here and install it.


Now click on the File menu and select Create Physical Drive Image.


The Creating Physical Drive Image window appears. Click Next.


Now choose the suspect evidence drive you want to image.


Now browse to the location and enter the name of the physical image file to create. Select the Save in raw format option.
Click Next.


Select the report file format, such as Text File, HTML File or XML File. Select the information to include in the report, i.e. Image information, Time and Date of Acquisition, Export partition structure and Add report header, and click Next.

Now enter the details such as Case No., Evidence No., Company/Agency etc. Click Finish.


Now it will ask for a file name. Enter the file name and select the folder where the report file is to be saved. Click Save.


Now it will create the raw image.
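As an added illustration (not Forensic Replicator's code), the Python below reproduces the core of what the raw-image step does: a bit-stream copy into numbered raw segments, a SHA-256 of the whole stream computed as it is read, a post-write verification of the segments, and a text report carrying the Image information and Time and Date of Acquisition items. The 2500-byte source file is constructed to stand in for a drive.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def image_raw(src_path, dst_prefix, segment_size):
    """Added example, not Forensic Replicator's code: bit-stream copy of src_path
    into raw segments dst_prefix.001, .002, ..., hashed as it is read."""
    start = datetime.now(timezone.utc)
    sha, segments, total = hashlib.sha256(), [], 0
    with open(src_path, "rb") as src:
        while True:
            data = src.read(segment_size)  # demo reads one segment at a time
            if not data:
                break
            name = f"{dst_prefix}.{len(segments) + 1:03d}"
            with open(name, "wb") as seg:
                seg.write(data)
            sha.update(data)
            total += len(data)
            segments.append((os.path.basename(name), len(data)))
    return {"source": src_path, "bytes": total, "sha256": sha.hexdigest(),
            "segments": segments, "start": start.isoformat(),
            "finish": datetime.now(timezone.utc).isoformat()}

def verify_segments(report, dst_dir):
    """Re-hash the written segments in order; True if they match the report."""
    sha = hashlib.sha256()
    for name, _size in report["segments"]:
        with open(os.path.join(dst_dir, name), "rb") as seg:
            sha.update(seg.read())
    return sha.hexdigest() == report["sha256"]

def report_text(report):
    """Text with the 'Image information' and 'Time and Date of Acquisition' items."""
    head = (f"Image information\n  source: {report['source']}\n  bytes: "
            f"{report['bytes']}\n  sha256: {report['sha256']}\nTime and Date of "
            f"Acquisition\n  start: {report['start']}\n  finish: {report['finish']}\n")
    return head + "".join(f"  {n}  {s} bytes\n" for n, s in report["segments"])

def demo():
    """Image a constructed 2500-byte file (standing in for a drive) in 1024-byte segments."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "drive.bin")
    with open(src, "wb") as fh:
        fh.write(bytes(range(256)) * 9 + b"\xff" * 196)  # constructed data
    rep = image_raw(src, os.path.join(d, "evidence.dd"), 1024)
    return rep, verify_segments(rep, d), report_text(rep)
```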

Outlook Forensics Investigation using E-Mail Examiner

Forensically examine hundreds of email formats, including Outlook (PST and OST), Thunderbird, Outlook Express, Windows Mail, and more. Paraben's E-Mail Examiner is one of the most comprehensive forensically sound email examination tools available. E-Mail Examiner allows you to analyze message headers, bodies, and attachments. It doesn't just recover email in the Deleted folders; it also recovers email that was deleted from Deleted Items.

Supported formats:
· Microsoft Outlook (PST)
· Microsoft Outlook Offline Storage (OST)
· America Online (AOL)
· The Bat! (version 3.x and higher)
· Thunderbird
· Outlook Express
· Eudora
· Email file, RFC 833 compliant (EML)
· Windows Mail databases
· Maildir
· Plain text mail
· Support for more than 750 MIME types


First, download E-Mail Examiner from here, install it on the victim PC, open E-Mail Examiner and click the ‘Create a New Case’ option.


The New Case window opens. Click Next to proceed to the next step.


In the next step, enter the case name (DEMO here) and description details, then click Finish to proceed to the next step.


In the next step, enter the investigator name and email details and click Finish to proceed.


It then asks for a file name to save your case in the location you specify. Click Save.


Now select the MS Outlook Image option as the source type; this adds the Outlook image as evidence.


After selecting the Outlook image evidence file, click Open.


Now select both options and click OK to proceed to the next step.


Now you will see that the case Demo has been created, showing the directory hierarchy of the evidence Outlook image. From here you can analyze the message headers, bodies and attachments.
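As an added example (not E-Mail Examiner's code), the Python below does by hand what the header, body and attachment analysis step does for one message in the RFC 822 / EML format listed above: it pulls the headers of interest and the Received chain, the plain-text body, and each attachment's name, type, size and SHA-256. The message is constructed for the example and is not real evidence; PST/OST parsing is outside the standard library and is not shown.

```python
import hashlib
from email import message_from_bytes, policy

# Added example (not E-Mail Examiner code): header, body and attachment triage
# of one message in the RFC 822 / EML format the tool lists. SAMPLE_EML is a
# constructed message, not real evidence.
SAMPLE_EML = b"""Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.com with ESMTP id q1; Mon, 03 Mar 2014 10:15:00 +0000
Received: from [203.0.113.5] by relay.example.net; Mon, 03 Mar 2014 10:14:58 +0000
From: "Accounts" <accounts@example.net>
To: analyst@example.com
Subject: Quarterly report
Date: Mon, 03 Mar 2014 10:14:50 +0000
Message-ID: <q1@example.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached report.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def examine(raw):
    """Headers of interest, the Received chain in header order (last hop first),
    the plain-text body, and name/type/size/SHA-256 of every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {k.lower(): str(msg[k]) for k in
              ("From", "To", "Subject", "Date", "Message-ID")}
    result["received"] = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    body = msg.get_body(preferencelist=("plain",))
    result["body"] = body.get_content() if body is not None else None
    result["attachments"] = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        result["attachments"].append(
            {"filename": part.get_filename(), "content_type": part.get_content_type(),
             "size": len(data), "sha256": sha256_hex(data)})
    return result
```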

How to Preserve Forensic Image File Timestamps

Forensicopy is designed to copy evidence files from one location to another while maintaining the original timestamps (MAC times). It also creates a hash of all the files before and after the copy process and verifies that each file has been copied accurately. An extensive log file is generated during the copy process in order to maintain the chain of custody.

Please note:

Forensicopy is designed to copy evidence files. It is not a substitute for a forensic image. If possible you should always create a full forensic drive image. Only in situations where it is not possible to create a forensic image is a forensic copy with a tool like Forensicopy recommended.

First of all, we copy a file from one location to another with a normal copy; the timestamp changes during the copy.

As you will see below.



When copying a forensic file, the timestamp should remain the same. To do so we use the Forensicopy tool.
In Forensicopy, browse to the file to be copied in the source directory.
Browse to the destination folder where the file will be copied and click Start.


It shows a message on copy completion and asks whether the log file should be exported.


Now we look at the properties of the copied file. Its timestamp has remained the same.


After the log file is created, we open it; it shows the start-copy and finish-copy timestamps, source, and destination of all the files in that folder. The timestamp remains the same.
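An added example (not Forensicopy's code) of the same three steps in Python: copy the file, restore its access and modification times on the copy with os.utime, hash before and after, and append a log record with start and finish times, source and destination. It assumes a local filesystem; creation time is assigned by the target filesystem and is not restored by os.utime.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Added example, not Forensicopy's code: copy an evidence file, carry its
# access/modification timestamps over, hash before and after, and log it.

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def forensic_copy(src, dst, log_path):
    """Copy src to dst, restore atime/mtime on dst with os.utime, verify the
    hash after the copy and append one chain-of-custody record to log_path.
    Creation time is assigned by the target filesystem and is not restored."""
    st = os.stat(src)
    start = datetime.now(timezone.utc).isoformat()
    before = sha256_file(src)
    shutil.copyfile(src, dst)
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the MAC times back
    after = sha256_file(dst)
    rec = {"start": start, "finish": datetime.now(timezone.utc).isoformat(),
           "source": src, "destination": dst, "sha256_before": before,
           "sha256_after": after, "verified": before == after,
           "mtime_preserved": os.stat(dst).st_mtime_ns == st.st_mtime_ns}
    with open(log_path, "a") as log:
        log.write("\t".join(f"{k}={v}" for k, v in rec.items()) + "\n")
    return rec

def demo():
    """Constructed evidence file with a 2011 mtime: a plain copy gets a fresh
    mtime (what the page shows first); forensic_copy keeps the original."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "evidence.doc"), os.path.join(d, "copy.doc")
    with open(src, "wb") as fh:
        fh.write(b"constructed evidence content\n")
    old = 1_300_000_000 * 10**9  # 2011-03-13 UTC, in nanoseconds
    os.utime(src, ns=(old, old))
    plain = os.path.join(d, "plain.doc")
    shutil.copyfile(src, plain)
    rec = forensic_copy(src, dst, os.path.join(d, "forensicopy.log"))
    return rec, os.stat(plain).st_mtime_ns != old, os.stat(dst).st_mtime_ns == old
```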

How to Identify Suspicious Changes to Files or Directories (Disk Drive Signature)

By OSForensics
Creating a signature generates a snapshot of the directory structure of the drive at the point of creation. This information includes data about a file's directory path, file size and file attributes.

How to Create Signature

First of all, download OSForensics from here.


Select the Create Signature option. Click Config.


Now browse to the desired directory from Directory List Management; in my case I am selecting the H: drive, which is the pen drive. Click the Add to List option to include the directory. Click OK.


Now the Start Folder option shows the selected drive, i.e. the H: drive. Click the Start option.


It will ask for the file name; enter the file name and click Save. The signature for the data drive is then created.


Now make some modifications on the data drive and repeat the same steps to create another signature after the modifications.


Now click the Compare Signature option.


Browse to both files, in the Old Signature as well as the New Signature option.


Click the Compare option. It will start the process and then show the files with their modification status as well as their creation and modification dates. We can use the Show option to see only modified or deleted files.


Clicking on a modified file shows the file differences: the old as well as the new signature path, and its creation and modification dates.
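The create-then-compare workflow above, as an added Python example that is not OSForensics' code: a signature is a map of every file's relative path to its size and timestamps, and comparing two signatures yields the new, deleted and modified files with their old and new modification dates. The demo builds a small constructed tree, changes it as the page describes, and compares.

```python
import os
import tempfile
from datetime import datetime, timezone

# Added example (not OSForensics code): a directory signature is a snapshot of
# every file's path, size and timestamps; comparing two snapshots lists new,
# deleted and modified files, as the tool's Compare Signature step does.

def create_signature(root):
    """Map relative path -> (size, mtime_ns, ctime_ns) for every file under root."""
    sig = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            sig[os.path.relpath(full, root)] = (st.st_size, st.st_mtime_ns, st.st_ctime_ns)
    return sig

def compare_signatures(old, new):
    """{'new': [path], 'deleted': [path], 'modified': [(path, old, new)]};
    a file counts as modified when its size or mtime differs."""
    return {
        "new": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted((p, old[p], new[p]) for p in set(old) & set(new)
                           if old[p][:2] != new[p][:2])}

def describe(diff):
    """Lines like the tool's compare view: status, path, size and mtime."""
    def ts(ns):
        return datetime.fromtimestamp(ns / 1e9, timezone.utc).isoformat(timespec="seconds")
    lines = [f"NEW      {p}" for p in diff["new"]]
    lines += [f"DELETED  {p}" for p in diff["deleted"]]
    lines += [f"MODIFIED {p} {o[0]}->{n[0]} bytes, mtime {ts(o[1])} -> {ts(n[1])}"
              for p, o, n in diff["modified"]]
    return lines

def demo():
    """Constructed tree; modify one file, delete one, add one; then compare."""
    root = tempfile.mkdtemp()
    for name, data in (("a.txt", b"one"), ("b.txt", b"two"), ("sub/c.txt", b"three")):
        os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    old = create_signature(root)
    with open(os.path.join(root, "a.txt"), "ab") as fh:
        fh.write(b" edited")                     # modified: size 3 -> 10
    os.remove(os.path.join(root, "b.txt"))       # deleted
    with open(os.path.join(root, "d.txt"), "wb") as fh:
        fh.write(b"four")                        # new
    return compare_signatures(old, create_signature(root))
```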

Forensics Investigation of RAW Image using OS Forensics Tool


OSForensics allows you to identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory and binary data.
It lets you extract forensic evidence from computers quickly with advanced file searching and indexing, and enables this data to be managed effectively.
Features
Discover Forensic Evidence Faster
· Find files faster: search by filename, size and time
· Search within file contents using the Zoom search engine
· Search through email archives from Outlook, Thunderbird, Mozilla and more
· Recover and search deleted files
· Uncover recent activity: website visits, downloads and logins
· Collect detailed system information
· Password recovery from web browsers, decryption of Office documents
· Discover and reveal hidden areas in your hard disk
· Browse Volume Shadow Copies to see past versions of files
Identify Suspicious Files and Activity
· Verify and match files with MD5, SHA-1 and SHA-256 hashes
· Find misnamed files where the contents don't match their extension
· Create and compare drive signatures to identify differences
· Timeline viewer provides a visual representation of system activity over time
· File viewer that can display streams, hex, text, images and metadata
· Email viewer that can display messages directly from the archive
· Registry viewer to allow easy access to Windows registry hive files
· File system browser for Explorer-like navigation of supported file systems on physical drives, volumes and images
· Raw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes and images
· Web browser to browse and capture online content for offline evidence management
· ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may once have been on the system
· SQLite database browser to view and analyze the contents of SQLite database files
· ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications
· Prefetch viewer to identify the time and frequency of applications that have been run on the system, as recorded by the OS's Prefetcher

First, download OSForensics from here and install it on your PC, then open OSForensics and click the Create Case button to create a new forensic case.


Now enter the details such as Case Name, Investigator Name, Default Drive, and Acquisition Type.
To specify the case folder, click Browse and select the location where you want to save your evidence report.



Now it shows the registered case in the tool. To manage this case, click the Add Device option available under Manage Current Case.


Now select the Image File option in the Select Device to Add dialog. Assign the path of the folder where the image file exists and also give a Display Name, which is compulsory. Click the OK button.


Now it shows the details of the image file.


Now, to search for files by file type, click the File Name Search option. Browse to the forensic image file in Start Folder. Use the Preset popup menu to specify the type of file, such as images, audio or video. It will show the file list.


Now, to get the recent activity, which is helpful for seeing the user's latest actions and trends, click the Recent Activity option, select the Scan Drive option and then click Scan.


To find deleted files from the user's system, click Deleted File Search. Select the forensic image file and click Search. It will show all the deleted files in the forensic image file. To see how the other options in this tool work, wait for the article which is coming soon.
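Two of the checks listed in the features above, hash matching and misnamed-file detection, as an added Python example that is not OSForensics' code. It walks a directory (a mounted image in practice), compares each file's MD5/SHA-1/SHA-256 against a known-hash set, and flags files whose leading bytes disagree with their extension. The MAGIC table and the sample files are constructed for the demo, and the 'known' hash is derived from one of them only to show the mechanics.

```python
import hashlib
import os
import tempfile

# Added example (not OSForensics code): hash matching against a known set and
# misnamed-file detection over a directory, e.g. a mounted image.
# Constructed table: extension -> leading bytes the content should start with.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".exe": b"MZ", ".zip": b"PK\x03\x04", ".gif": b"GIF8"}

def hashes(path):
    """MD5, SHA-1 and SHA-256 of a file, computed in one pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}

def scan(root, known):
    """Return (matches, misnamed): files with any digest in `known` (a set of
    lowercase hex digests of any of the three algorithms), and files whose
    extension is in MAGIC but whose content does not start with that magic."""
    matches, misnamed = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashes(full)
            if set(h.values()) & known:
                matches.append((os.path.relpath(full, root), h["sha256"]))
            ext = os.path.splitext(name)[1].lower()
            if ext in MAGIC:
                with open(full, "rb") as fh:
                    head = fh.read(len(MAGIC[ext]))
                if not head.startswith(MAGIC[ext]):
                    misnamed.append((os.path.relpath(full, root), ext, head[:4]))
    return matches, misnamed

def demo():
    """Constructed files: a PDF, an executable stub renamed .pdf, and a text
    file whose SHA-256 we put on the 'known' list to show a match."""
    root = tempfile.mkdtemp()
    files = {"report.pdf": b"%PDF-1.4 demo", "scan.pdf": b"MZ\x90\x00 demo",
             "notes.txt": b"known content\n"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    known = {hashlib.sha256(b"known content\n").hexdigest()}
    return scan(root, known)
```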