CSE300 DiF Lab1 SPR 2024


College of Engineering
Cybersecurity Engineering Program
Spring Semester AY2023-2024

Course Name: Introduction to Digital Forensics
Course Code: CSE 300
Assessment: Lab 1 (Group Assignment, maximum 2 students in each group)
Marks: 10 Marks
Submission Deadline: Sunday 22 March 2024, 11:59 pm

Lab 1 (Group Task)


1. This lab consists of 7 tasks related to different digital forensics tools and online investigations. All
the tasks are flexible enough to let students work on a situation and/or data of their choice.
2. For submission, generate a report with the details of the steps performed in each task, following the
detailed description given for that task.
3. Students may use any tutorial, video or AI tool such as ChatGPT to identify an interesting situation
or use case for demonstrating the selected tool. List all references and cite them in the text at the
appropriate places.
4. The text similarity score of the report must be less than 15%.

Task 1: Working with Hex Workshop Editor:

Hex Workshop is a hex editor commonly used by digital forensics examiners to analyze and investigate
files at the byte level. The tool can be downloaded from http://www.hexworkshop.com/ .

Students are required to demonstrate the following tasks with this tool, using files of their choice.
Highlight the important findings in the screenshots and paste the pictures in the report.

1. Analyzing the file header and footer: Use Hex Workshop to inspect the first and last bytes of a
binary file. Most formats begin with a fixed signature (magic number), for example FF D8 FF for
JPEG, 89 50 4E 47 0D 0A 1A 0A for PNG, 25 50 44 46 (%PDF) for PDF and 4D 5A (MZ) for Windows
executables, and several also end with a fixed footer (FF D9 for JPEG, IEND followed by its CRC for
PNG). Compare the signature with the file extension: a mismatch, a missing footer, or data after the
footer is a finding worth reporting.

2. Examining file contents: Use Hex Workshop to examine the contents of a binary file at the byte
level; this can reveal embedded strings, metadata, the signatures of files embedded in or appended
to the file, or other hidden data.
3. Searching for specific data: Use the search function in Hex Workshop to look for specific strings
or byte patterns within a binary file, which is useful for locating malicious code or hidden data.
Record the offset of every hit.

4. Comparing binary files: Use the file compare feature in Hex Workshop to compare two binary files
and list the offsets at which they differ, for example an original file and a suspected modified copy.
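As an added example (not part of the lab sheet and not Hex Workshop code), the following Python script performs the same four checks from the command line, so the findings highlighted in the Hex Workshop screenshots can be cross-checked: it identifies a file by its header, verifies the footer and reports any bytes appended after it, lists every offset of a byte pattern, and lists the offsets at which two files differ. The signature table covers only a handful of formats, and the JPEG-like sample bytes are constructed inline.

```python
"""Byte-level checks that mirror a hex-editor workflow: signature, footer,
pattern search and file comparison. Added example, not part of the lab sheet."""
import sys

# Minimal signature table: (header bytes, footer bytes or None). Real tools
# carry hundreds of entries; these are enough to show the method.
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
    "pdf":  (b"%PDF-", b"%%EOF"),
    "zip":  (b"PK\x03\x04", None),
    "exe":  (b"MZ", None),
}


def identify(data: bytes) -> dict:
    """Match the header, then check the footer and count bytes after it.

    trailing > 0 means something follows the format's end marker (PDF writers
    commonly leave one newline there; a large value is worth a closer look).
    """
    for name, (header, footer) in SIGNATURES.items():
        if not data.startswith(header):
            continue
        if footer is None:
            return {"format": name, "footer_found": None, "trailing": None}
        end = data.rfind(footer)
        if end == -1:
            return {"format": name, "footer_found": False, "trailing": None}
        return {"format": name, "footer_found": True,
                "trailing": len(data) - (end + len(footer))}
    return {"format": None, "footer_found": None, "trailing": None}


def find_all(data: bytes, pattern: bytes) -> list:
    """Every offset (overlapping matches included) at which pattern occurs."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def compare(a: bytes, b: bytes) -> list:
    """Offsets at which two byte strings differ; extra bytes in the longer one
    count as differences, so a pure append shows up at the tail."""
    n = max(len(a), len(b))
    return [i for i in range(n)
            if i >= len(a) or i >= len(b) or a[i] != b[i]]


def hexdump(data: bytes, start: int = 0, width: int = 16) -> str:
    """Hex-editor style dump: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexs = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{start + off:08X}  {hexs:<{width * 3}} {text}")
    return "\n".join(lines)


# Constructed sample: a minimal JPEG-like file, a copy with a payload appended
# after the FF D9 end marker, and a copy with the footer cut off.
ORIGINAL = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01" + bytes(range(0x20, 0x60)) + b"\xFF\xD9"
APPENDED = ORIGINAL + b"hidden after EOI"
TRUNCATED = ORIGINAL[:-2]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # analyze real files: script.py FILE [FILE2]
        data = open(sys.argv[1], "rb").read()
        print(identify(data))
        print(hexdump(data[:64]))
        if len(sys.argv) > 2:
            print("differs at", compare(data, open(sys.argv[2], "rb").read())[:20])
    else:
        for label, blob in (("original", ORIGINAL), ("appended", APPENDED), ("truncated", TRUNCATED)):
            print(label, identify(blob))
        print("JFIF at", find_all(APPENDED, b"JFIF"))
        print("original vs appended differ from offset", compare(ORIGINAL, APPENDED)[0])
        print(hexdump(APPENDED[-32:], start=len(APPENDED) - 32))
```

Run it without arguments to see the three constructed cases, or pass one or two real files; the `trailing` count is the quickest way to notice data hidden behind a valid-looking image.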

Task 2: Reading / Writing Data from / to Slack Space

Slack space (file slack) is the unused space between the end of a file's data and the end of the last
cluster allocated to that file. Because the file system allocates whole clusters, a file whose size is
not a multiple of the cluster size always leaves some. The operating system does not show these bytes
as part of the file, so they can hold remnants of earlier files or data deliberately hidden there.
Specialized tools such as The Sleuth Kit, Autopsy and Slacker can be used to read from or write to
slack space.

Students are required to use any tool of their choice to write some data into the slack space of a file
and then show the data present in the slack space. For each read and write operation, paste the
screenshots while highlighting the important parts. Record the cluster size of the volume and the
logical size of the file in the report, since together they determine how much slack the file has.
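To make the arithmetic behind this task concrete, here is an added Python example (not from the lab sheet or from any of the tools named above) that builds a small raw image in memory, places a file in it, writes a payload into that file's slack and reads it back. The cluster size, the file placement and the payload are all constructed; on a real volume the same offsets come from the file system's cluster size and the file's cluster run, and the read or write goes to the raw device or an image file.

```python
"""Slack-space read/write on a constructed in-memory disk image.
Added example, not part of the lab sheet."""

CLUSTER = 4096  # bytes per cluster; a typical NTFS default, assumed here


def slack_layout(file_size: int, cluster_size: int = CLUSTER) -> dict:
    """Clusters allocated to a file of the given size and the slack that leaves."""
    if file_size < 0 or cluster_size <= 0:
        raise ValueError("file_size must be >= 0 and cluster_size > 0")
    clusters = -(-file_size // cluster_size)      # ceiling division
    allocated = clusters * cluster_size
    return {"clusters": clusters, "allocated": allocated,
            "slack": allocated - file_size}


def slack_range(file_offset: int, file_size: int, cluster_size: int = CLUSTER) -> tuple:
    """[start, end) byte range of the slack after a file stored contiguously
    from file_offset (a single cluster run)."""
    lay = slack_layout(file_size, cluster_size)
    return file_offset + file_size, file_offset + lay["allocated"]


def write_slack(image: bytearray, file_offset: int, file_size: int,
                payload: bytes, cluster_size: int = CLUSTER) -> int:
    """Hide payload in the slack after a file; returns the offset it went to.
    Refuses to spill into the next cluster, which would corrupt another file."""
    start, end = slack_range(file_offset, file_size, cluster_size)
    if len(payload) > end - start:
        raise ValueError(f"payload {len(payload)} B exceeds slack {end - start} B")
    image[start:start + len(payload)] = payload
    return start


def read_slack(image: bytes, file_offset: int, file_size: int,
               cluster_size: int = CLUSTER) -> bytes:
    """Raw slack bytes after a file, with trailing zero padding stripped."""
    start, end = slack_range(file_offset, file_size, cluster_size)
    return bytes(image[start:end]).rstrip(b"\x00")


def read_file(image: bytes, file_offset: int, file_size: int) -> bytes:
    """What a normal file read returns: the logical size only, never the slack."""
    return bytes(image[file_offset:file_offset + file_size])


def demo() -> dict:
    # Constructed image: 8 zeroed clusters. A 5000-byte file starts at cluster 2,
    # so it occupies clusters 2-3 and leaves 8192 - 5000 = 3192 bytes of slack
    # at the end of cluster 3.
    image = bytearray(8 * CLUSTER)
    file_offset, file_data = 2 * CLUSTER, b"A" * 5000
    image[file_offset:file_offset + len(file_data)] = file_data

    payload = b"meet at the usual place, 23:00"   # constructed hidden message
    where = write_slack(image, file_offset, len(file_data), payload)
    return {
        "slack_bytes": slack_layout(len(file_data))["slack"],
        "payload_offset": where,
        "file_read": read_file(image, file_offset, len(file_data)),
        "slack_read": read_slack(image, file_offset, len(file_data)),
    }


if __name__ == "__main__":
    r = demo()
    print(f"slack available: {r['slack_bytes']} bytes")
    print(f"payload written at image offset 0x{r['payload_offset']:X}")
    print("normal file read sees the payload:", r["slack_read"] in r["file_read"])
    print("slack read returns:", r["slack_read"])
```

The point to note in the report is the last two lines: the normal read returns only the 5000 logical bytes, so the payload is invisible to the operating system, while a read of the allocated range exposes it.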

Task 3: Recovering Deleted Files from the Hard Disks

When a file is deleted in Windows, the file's data is not immediately removed from the hard disk.
Instead, the file system marks the clusters occupied by the file as available for reuse (on NTFS the
MFT record is flagged as no longer in use; on FAT the first byte of the directory entry is set to E5h).
This means that the file's data is still present on the disk until those clusters are overwritten by
new data, which is why a deleted file can often be recovered but a partly overwritten one comes back
corrupted.

Many tools can recover deleted data from hard disks in Windows, such as Recuva, EaseUS Data
Recovery Wizard, MiniTool Power Data Recovery, Disk Drill and Stellar Data Recovery. Students can use
any of these or another tool of their choice to demonstrate recovery of data in this task.

To demonstrate this task, delete some data from the hard disk (a mix of text files, images, audio,
video, etc.). After deletion, write some other data to the same disk so that part of the deleted data
may be overwritten. Ensure that the data is also deleted from the Recycle Bin. Then use a specialized
tool to recover the deleted data, saving the recovered files to a different drive so that the recovery
itself does not overwrite what is left. Analyze whether any data is lost or corrupted after recovery,
for example by comparing hashes or file sizes with the originals and by opening the recovered files.

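
Recovery tools fall into two families: those that use the file system's leftover metadata (the unused MFT record or directory entry that still points at the clusters) and carvers that scan raw space for file signatures regardless of metadata. The Python example below is added here (it is not from the lab sheet or from any of the listed tools) and implements the second approach for JPEG on a constructed raw image. It also reports which carved files are intact and which were partly overwritten, which is the loss/corruption analysis the task asks for. The image, the two JPEG-like files, the overwrite and the 1 MiB size cap are all constructed or assumed.

```python
"""Signature-based carving of deleted JPEGs from a constructed raw image,
with an intact/corrupted verdict per file. Added example, not from the lab sheet."""
from dataclasses import dataclass

JPEG_HEADER = b"\xFF\xD8\xFF"   # SOI marker plus the FF of the next marker
JPEG_FOOTER = b"\xFF\xD9"       # EOI marker
MAX_FILE = 1 << 20              # assumed cap: stop looking for a footer after 1 MiB


@dataclass
class Carved:
    offset: int      # where the header was found in the image
    data: bytes      # recovered bytes
    intact: bool     # True only if a footer was found before the next header


def carve_jpeg(image: bytes, max_file: int = MAX_FILE) -> list:
    """Scan the whole image (allocated or not) for JPEG headers and cut each
    file out up to its footer. A header with no footer before the next header
    (or before max_file) is a file whose tail was overwritten: it is returned
    truncated and marked not intact rather than silently dropped.
    Caveat: EXIF thumbnails embed a nested JPEG; this simple carver would split
    such a file at the inner header, which real carvers handle with nesting."""
    found, pos = [], image.find(JPEG_HEADER)
    while pos != -1:
        limit = min(len(image), pos + max_file)
        next_hdr = image.find(JPEG_HEADER, pos + len(JPEG_HEADER), limit)
        footer = image.find(JPEG_FOOTER, pos + len(JPEG_HEADER), limit)
        if footer != -1 and (next_hdr == -1 or footer < next_hdr):
            end = footer + len(JPEG_FOOTER)
            found.append(Carved(pos, image[pos:end], True))
        else:
            # Footer missing, or it belongs to a later file: keep the fragment up
            # to the next header (or the cap) so the examiner can still inspect it.
            end = next_hdr if next_hdr != -1 else limit
            found.append(Carved(pos, image[pos:end].rstrip(b"\x00"), False))
        pos = image.find(JPEG_HEADER, end)
    return found


def recovery_report(carved: list, originals: list) -> list:
    """(offset, share of original bytes recovered, intact) per carved file.
    The originals are known here because we built the image; in a real case you
    would compare hashes against a known-good copy or simply open the file."""
    rows = []
    for c in carved:
        orig = next((o for o in originals if c.data.startswith(o[:16])), None)
        if orig is None:
            rows.append((hex(c.offset), "no matching original", c.intact))
            continue
        same = sum(1 for a, b in zip(c.data, orig) if a == b)
        rows.append((hex(c.offset), f"{100 * same // len(orig)}% of original bytes", c.intact))
    return rows


def build_image() -> tuple:
    """Constructed 64 KiB image holding two JPEG-like files whose directory
    entries are gone (there is no file system here, only raw clusters)."""
    photo1 = JPEG_HEADER + b"\xE0\x00\x10JFIF\x00" + bytes(range(0x20, 0x7F)) * 8 + JPEG_FOOTER
    photo2 = JPEG_HEADER + b"\xE1\x00\x08Exif\x00\x00" + b"\x11\x22\x33" * 400 + JPEG_FOOTER
    image = bytearray(64 * 1024)
    image[0x1000:0x1000 + len(photo1)] = photo1
    image[0x3000:0x3000 + len(photo2)] = photo2
    # New data written after deletion reuses the last 100 bytes of photo2's
    # clusters, destroying its tail including the FF D9 footer.
    new_data = b"quarterly-report.txt: all figures final\n" * 8
    at = 0x3000 + len(photo2) - 100
    image[at:at + len(new_data)] = new_data
    return bytes(image), photo1, photo2


if __name__ == "__main__":
    image, photo1, photo2 = build_image()
    carved = carve_jpeg(image)
    for row in recovery_report(carved, [photo1, photo2]):
        print(*row)
```

Run against a real image, the same scan (with the signatures of the other file types you deleted) finds files that no longer have a directory entry; the `intact` flag and the byte-share column are what the report's corruption analysis should be based on.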
Task 4: Working with Windows Registry

Registry Editor (regedit.exe) is a built-in tool that allows forensic examiners to access and analyze
the Windows Registry on a live Windows computer. The Registry stores a wealth of information about
users, programs and hardware; by examining it, forensic examiners can identify potential evidence of
digital crimes and reconstruct system activity. Note that regedit shows the live registry of the
machine it runs on; on evidence media the same data comes from the hive files (SAM, SYSTEM,
SOFTWARE and SECURITY under %SystemRoot%\System32\config, and NTUSER.DAT in each user profile).

For this task, students are required to perform the following in the Windows Registry:

1. Identify user activity: The Windows Registry stores information about user activity on a system,
including logons, shutdowns (the ShutdownTime value under HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Control\Windows), opened files and executed programs. Useful keys under
HKEY_CURRENT_USER include Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs,
...\Explorer\RunMRU and ...\Explorer\UserAssist (program run counts and last-run times, with the
value names ROT13 encoded). Examine this information and identify patterns of user activity that
may be relevant to an investigation.
2. Identify system configuration: The Windows Registry stores information about the hardware and
software configuration of a system, for example the computer name and time zone under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, installed software under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and previously
connected USB storage devices under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR.
Examine this information and identify changes that may be relevant to an investigation.
3. Examine online user activity: Try to recover websites and URLs visited by the user, for example
from HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. (Modern browsers keep
their history in their own profile databases rather than in the Registry.)
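
UserAssist is a good illustration of why regedit alone is not enough: the value names are ROT13 encoded and the data is binary, so the run count and last-run time have to be decoded. The Python example below is added here (it is not part of the lab sheet) and decodes UserAssist entries; the parsing functions run on any system against the constructed sample bytes, and read_live() reads the real keys with the standard winreg module when run on Windows. The 72-byte value layout (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at 60) is the Windows 7 and later format; the program path and counters in the sample are constructed.

```python
"""Decode UserAssist (program execution) and TypedURLs evidence from the
Windows Registry. Added example, not part of the lab sheet."""
import codecs
import struct
import sys
from datetime import datetime, timedelta, timezone

USERASSIST_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
TYPED_URLS_KEY = r"Software\Microsoft\Internet Explorer\TypedURLs"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC; 0 means unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of the above (used only to build the constructed sample)."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def decode_userassist(name: str, value: bytes) -> dict:
    """Value name is ROT13. Windows 7+ data is 72 bytes: session id at 0,
    run count at 4, focus count at 8, focus time in ms at 12, last-run
    FILETIME at 60. Shorter (Windows XP style) values get the name only."""
    entry = {"program": codecs.decode(name, "rot13")}
    if len(value) >= 68:
        entry["run_count"], entry["focus_count"], entry["focus_ms"] = \
            struct.unpack_from("<III", value, 4)
        entry["last_run"] = filetime_to_datetime(struct.unpack_from("<Q", value, 60)[0])
    return entry


def read_live() -> dict:
    """Read the current user's UserAssist and TypedURLs on a live Windows box.
    On evidence media, load the user's NTUSER.DAT hive instead."""
    import winreg  # standard library, Windows only
    programs, urls = [], []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, USERASSIST_KEY) as ua:
        for i in range(winreg.QueryInfoKey(ua)[0]):             # one subkey per GUID
            with winreg.OpenKey(ua, winreg.EnumKey(ua, i) + r"\Count") as count:
                for j in range(winreg.QueryInfoKey(count)[1]):  # values under Count
                    name, data, _ = winreg.EnumValue(count, j)
                    programs.append(decode_userassist(name, data))
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, TYPED_URLS_KEY) as k:
            for j in range(winreg.QueryInfoKey(k)[1]):
                urls.append(winreg.EnumValue(k, j)[1])
    except OSError:
        pass  # key is absent when Internet Explorer was never used
    return {"programs": programs, "typed_urls": urls}


# Constructed sample entry, shaped like what EnumValue returns: a ROT13 path
# and a 72-byte value with made-up counters and a made-up last-run time.
SAMPLE_NAME = codecs.encode(r"C:\Tools\cmd.exe", "rot13")
SAMPLE_LAST_RUN = datetime(2024, 3, 10, 9, 15, 30, tzinfo=timezone.utc)
SAMPLE_VALUE = (struct.pack("<IIII", 0, 7, 3, 45000)   # session, runs, focus, focus ms
                + b"\x00" * 44                          # ten floats and padding, unused here
                + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))
                + b"\x00" * 4)                          # trailing bytes

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_VALUE))
    if sys.platform == "win32":
        live = read_live()
        for e in sorted(live["programs"], key=lambda e: e.get("last_run") or FILETIME_EPOCH):
            print(e)
        print(live["typed_urls"])
```

On Windows the script lists every program the current user has launched through Explorer with its run count and last-run time, which is the "executed programs" evidence the first sub-task asks for; the same decoding applies to values exported from a suspect's NTUSER.DAT.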

Task 5: Windows Event Viewer

Windows Event Viewer is a valuable tool for forensic examiners, providing a wealth of information about
system activity that can be used to identify potential evidence of digital crimes or security breaches.
By using Event Viewer to examine the Application, Security and System logs (and the Applications and
Services logs), forensic examiners can reconstruct what happened on a system. Logs can also be saved
as .evtx, XML or CSV for offline analysis.

For the demonstration of this tool, highlight the following:

1. Identifying potential security breaches: Use Event Viewer to examine the Security and System logs
for signs of a breach, such as failed logon attempts (Event ID 4625, especially many in a short time
from one source address), a new user account (4720), a new service installed (7045), the audit log
being cleared (1102) or an unexpected system shutdown (6008). Filter the log by Event ID and time
range to find these events, then investigate them further.

2. Tracking user activity: Event Viewer logs a wide range of user activities, including logons (4624,
whose logon type distinguishes interactive, network and remote desktop access), logoffs (4634) and
changes to system settings. Forensic examiners use these logs to build a timeline of user activity,
which is valuable for identifying suspicious behavior.
3. Analyzing system performance: Event Viewer can also be used to analyze system problems, such as
application crashes (Application log, Event ID 1000) or slow system response. Forensic examiners use
this information to identify issues with the system configuration or application settings that may be
relevant to an investigation.
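
Reading individual events in the Event Viewer window is fine for a screenshot, but the breach indicators above are patterns across many events, so they are easier to show by exporting the log and running a small script over it. The Python example below is added here (not part of the lab sheet) and runs detection logic over Security events saved as XML (Event Viewer's Save All Events As, or `wevtutil qe Security /f:xml`): it flags source addresses with a burst of failed logons, reports a successful logon from a flagged address, and builds a timeline. The events embedded in it are constructed.

```python
"""Detection logic over Windows Security events saved as XML. Added example,
not part of the lab sheet; the events at the bottom are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_events(xml_text: str) -> list:
    """Flatten each <Event> into a dict: id, time (UTC) and the named EventData fields."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{{{NS['e']}}}Event"):
        system = ev.find("e:System", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        rec = {"id": int(system.find("e:EventID", NS).text),
               "time": datetime.fromisoformat(stamp.replace("Z", "+00:00"))}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def failed_logon_bursts(events: list, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Source addresses with at least `threshold` failed logons (4625) inside
    some sliding `window`; returns {ip: count in the densest window}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_ip[e.get("IpAddress", "-")].append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():           # times are already sorted
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def success_after_burst(events: list, bursts: dict) -> list:
    """Successful logons (4624) from a flagged address: a guess that worked,
    and the first thing to chase in the timeline."""
    return [e for e in events if e["id"] == 4624 and e.get("IpAddress") in bursts]


NOTEWORTHY = {4720: "user account created", 4732: "member added to local group",
              1102: "audit log cleared", 4624: "logon", 4634: "logoff", 4625: "failed logon"}


def timeline(events: list) -> list:
    """(time, event id, description, account) rows for the report."""
    return [(e["time"].isoformat(), e["id"], NOTEWORTHY.get(e["id"], "other"),
             e.get("TargetUserName", "-")) for e in events]


def _ev(eid, t, **data):
    """Build one constructed <Event> in the shape Event Viewer exports."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{t}"/></System><EventData>{fields}</EventData></Event>')


# Constructed log: six failed logons in 30 s from one address, then a success
# from it, a new account, a logoff, the audit log cleared, and one stray failure.
SAMPLE_XML = "<Events>" + "".join([
    *[_ev(4625, f"2024-03-10T09:00:{s:02d}.000Z", TargetUserName="administrator",
          IpAddress="203.0.113.7", LogonType="3") for s in (1, 4, 9, 15, 22, 30)],
    _ev(4624, "2024-03-10T09:01:02.000Z", TargetUserName="administrator", IpAddress="203.0.113.7", LogonType="3"),
    _ev(4720, "2024-03-10T09:02:10.000Z", TargetUserName="svc_backup", SubjectUserName="administrator"),
    _ev(4634, "2024-03-10T09:05:00.000Z", TargetUserName="administrator"),
    _ev(1102, "2024-03-10T09:06:00.000Z", SubjectUserName="administrator"),
    _ev(4625, "2024-03-10T09:30:00.000Z", TargetUserName="bob", IpAddress="10.0.0.5", LogonType="2"),
]) + "</Events>"

if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    bursts = failed_logon_bursts(evs)
    print("brute-force sources:", bursts)
    for e in success_after_burst(evs, bursts):
        print("SUCCESS after burst:", e["time"], e["TargetUserName"], e["IpAddress"])
    for row in timeline(evs):
        print(*row)
```

Replace SAMPLE_XML with the contents of a saved log to run the same checks on real data; the single failure from 10.0.0.5 stays below the threshold, which is the difference between a typo and an attack that the report should point out.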

Tasks: Online Undercover Investigations


An undercover investigation is the process of acquiring information without the individual or suspect
knowing the true identity of the investigator. Prior to any interaction with a suspect, an investigator
performs reconnaissance on the individual. This background search involves building a profile of the
suspect. As more of our personal data, attitudes, communications and general behaviors are captured
through the Internet, online reconnaissance has become extremely important.

To get ready for an online undercover investigation, the digital forensics expert has to follow the
steps given in the chapter. This lab lets students go through all of those recommended phases to gain
hands-on experience.

Task 6: Getting Ready for an Undercover Investigation

Follow the book and slides for chapter 5 (Online Investigations) to perform the following steps. Some
of the recommended websites are listed here as well; however, students are required to search for
further useful websites for the given tasks.

1. Generate a fake identity using any of the websites discussed in the lecture that is safe to use on
the internet (www.fakenamegenerator.com).
2. Create a fake online persona (sock puppet), including a profile photo that does not belong to a
real person (www.thispersondoesnotexist.com).
3. Create an email account with that fake identity so that it looks like a real account, using the data
generated for the fake identity (www.protonmail.com).
4. Obfuscate your email information with the recommended websites (www.abine.com).
5. Try SMS verification through the recommended websites as well (www.textnow.com).

Task 7: Group Members Work Together to Practice Online Monitoring of a Suspect and Collect
Online Evidence

For this task, the students are required to talk to each other using different online social media
tools as guided below. Record the date, time and a hash of every captured file so the evidence can be
shown to be unchanged later.
1. Communicate using WhatsApp, Skype and Facebook online and collect evidence through the
following actions:
a. Screen capture (use the keyboard Print Screen key).
b. Video capture (use the tools recommended in the lecture slides and book, e.g.
SaveVid.org, Rebal Player, wmrecorder.com).
c. For the collection of evidence from instant messengers, practice the following:
i. Skype
1. Skype text messages are saved by default; the bad news is that the Skype files are
not easily readable.
2. Skype files can be recognized by their .dbb file extension.
3. SkypeLogView is a freeware application that can read Skype log files.
ii. Google Hangouts
1. Google Hangouts evidence can be located in the Hangouts.json file (exported through
Google Takeout),
2. the contents of which can then be viewed using a JSON viewer or converter.
3. JSONBuddy is one tool that a forensics investigator might consider
using.
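
Viewing Hangouts.json in a JSON tool works, but a conversation of any length is easier to put in a report as a time-ordered table. The Python script below is an added example (not from the lab sheet or the book) that does that: it loads the Takeout export, maps the numeric sender ids to display names and writes every message with a UTC timestamp as CSV. The layout it assumes (a top-level "conversations" list, each entry holding "conversation" metadata with "participant_data" and a list of "events" whose "timestamp" is microseconds since the Unix epoch) is the one seen in Google Takeout exports; check it against your own file, since Google has changed the format over the years. The embedded sample is constructed.

```python
"""Turn a Google Takeout Hangouts.json export into a time-ordered message list.
Added example; the file layout is assumed from Takeout exports, the sample is constructed."""
import csv
import json
import sys
from datetime import datetime, timezone


def _names(conv: dict) -> dict:
    """gaia_id -> display name, from the conversation's participant list."""
    people = conv["conversation"]["conversation"]["participant_data"]
    return {p["id"]["gaia_id"]: p.get("fallback_name") or p["id"]["gaia_id"] for p in people}


def _text(event: dict) -> str:
    """Flatten message segments; attachments (photos, links) are noted, not fetched."""
    content = event.get("chat_message", {}).get("message_content", {})
    parts = []
    for seg in content.get("segment", []):
        parts.append("\n" if seg.get("type") == "LINE_BREAK" else seg.get("text", ""))
    for _ in content.get("attachment", []):
        parts.append("[attachment]")
    return "".join(parts)


def extract_messages(takeout: dict) -> list:
    """One dict per chat message, oldest first: conversation id, UTC time, sender, text."""
    rows = []
    for conv in takeout.get("conversations", []):
        conv_id = conv["conversation"]["conversation_id"]["id"]
        names = _names(conv)
        for ev in conv.get("events", []):
            if "chat_message" not in ev:
                continue  # membership changes, calls etc. are skipped here
            micros = int(ev["timestamp"])  # microseconds since the Unix epoch
            gaia = ev["sender_id"]["gaia_id"]
            rows.append({
                "conversation": conv_id,
                "time": datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc),
                "sender": names.get(gaia, gaia),
                "text": _text(ev),
            })
    return sorted(rows, key=lambda r: r["time"])


def write_csv(rows: list, out) -> None:
    """CSV with one message per line, ready to paste into the report."""
    w = csv.writer(out)
    w.writerow(["conversation", "time_utc", "sender", "text"])
    for r in rows:
        w.writerow([r["conversation"], r["time"].isoformat(), r["sender"], r["text"]])


# Constructed export: one two-person conversation with two messages (listed
# out of order, as exports can be) and one non-message event.
SAMPLE = {"conversations": [{
    "conversation": {
        "conversation_id": {"id": "UgxConstructed001"},
        "conversation": {"type": "STICKY_ONE_TO_ONE", "participant_data": [
            {"id": {"gaia_id": "1001", "chat_id": "1001"}, "fallback_name": "Alice"},
            {"id": {"gaia_id": "1002", "chat_id": "1002"}, "fallback_name": "Bob"}]}},
    "events": [
        {"sender_id": {"gaia_id": "1002", "chat_id": "1002"}, "timestamp": "1520000060000000",
         "event_type": "REGULAR_CHAT_MESSAGE",
         "chat_message": {"message_content": {"segment": [{"type": "TEXT", "text": "got it,"},
                                                          {"type": "LINE_BREAK"},
                                                          {"type": "TEXT", "text": "see you there"}]}}},
        {"sender_id": {"gaia_id": "1001", "chat_id": "1001"}, "timestamp": "1520000000000000",
         "event_type": "REGULAR_CHAT_MESSAGE",
         "chat_message": {"message_content": {"segment": [{"type": "TEXT", "text": "meet at 23:00"}],
                                              "attachment": [{"id": "photo"}]}}},
        {"sender_id": {"gaia_id": "1001", "chat_id": "1001"}, "timestamp": "1520000120000000",
         "event_type": "ADD_USER"}]}]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE
    write_csv(extract_messages(data), sys.stdout)
```

Run it as `python hangouts_timeline.py Hangouts.json > chat.csv` on the real export; without an argument it processes the constructed sample. Timestamps are kept in UTC deliberately, so that they can be aligned with other evidence without guessing the sender's time zone.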
