/digital-forensics-lab

Free hands-on digital forensics labs for students and faculty

Primary LanguageRoff

Digital Forensics Lab & Shared Cyber Forensic Intelligence Repository

Features of Repository

===================

  • Hands-on Digital Forensics Labs: designed for Students and Faculty
  • Linux-based lab: All labs are purely based on Kali Linux
  • Instructional screenshots: Each lab has PPTs, the associated files, and instructional screenshots
  • Comprehensive: Cover many topics in digital forensics
  • Free: All tools are open source
  • Updated: The project is funded by DOJ, DHS, and NSF. The tmeam will keep updating the repostory
  • Two formalized forensic intelligence in JSON files based-on case studies
  • Kindly send me an email at wxu at ubalt dot edu if you utilize the course materials or find this repository useful. Your cooperation is greatly appreciated.

Please cite our paper:

W. Xu, L. Deng, and D. Xu, "Towards Designing Shared Digital Forensics Instructional Materials," in Proceeding of the 46st Annual International Computer Software and Applications Conference (COMPSAC 2022), pp. 117-122, July 2022. (Video Presentation)

or in BibTeX

@inproceedings{xu2022forensics,
 title={Towards Designing Shared Digital Forensics Instructional Materials},
 author={Xu, Weifeng and Deng, Lin, and Xu, Dianxiang},
 booktitle={46st Annual International Computer Software and Applications Conference (COMPSAC 2022)},
 volume={1},
 pages={117--122},
 year={2022},
 organization={IEEE}
}


Table of Contents (Newly Added: 1. AI for Forensics - Identifying IPs with a Fine-tuned Language Model, 2. Docker for Digital Forensics, 09/2023, 3. Add Python version to NIST Dataleakage Case, 10/2023)

Tool Installation

Method 1: Importing customized Kali VM image

The customized Kali VM = Kali (2021.4) + tools used for completing most of the labs listed above (except p2p Data Leakage case)

Method 2: Installing tools using the customized script (the script ONLY is tested on Kali 2021.4)

The following script will install tools needed for completing most of the labs listed above (except p2p Data Leakage case, which has its own script described in PPTs). Please let us know if you need us to add more tools to the script.

  • Install Virtualbox

  • Install Kali 2021.4. Notes: Suggest You configure the disk size of Kali VM 80G because the size of each leakage cases image is 30G+

  • Run a tool installation script instructions, or you can simply follow the commands below

wget  https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
chmod +x tool-install-zsh.sh
./tool-install-zsh.sh
  • Installed tools. Note that most of the commands for tools can executed globally. Now you can skip most of tool installation steps in PPTs.

Method 3: Using a Docker container based on Ubuntu 22.04 LTS (added in 09/23, may need more testing, report any issues please)

  • The host machine of the Docker container is Ubuntu 22.04 LTS.
  • The container is built on top of Ubuntu 22.04 LTS as well.
  • All tools are pre-install on the Ubuntu container.
  • You can follow the tuturial Docker for Digital Forensic Investgiation

Investigating NIST Data Leakage

==============

The case study is to investigate an image involving intellectual property theft. The study include

  • A large and complex case study created by NIST. You can access the Scenario, DD/Encase images. You can also find the solutions on their website.
  • 14 hands-on labs/topics in digital forensics

Topics Covered

Labs Topics Covered (Command Line) Python Version
Lab 0 Environment Setting Up
Lab 1 Windows Registry
Lab 2 Windows Event and XML Python version
Lab 3 Web History and SQL Python version
Lab 4 Email Investigation Python version
Lab 5 File Change History and USN Journal
Lab 6 Network Evidence and shellbag
Lab 7 Network Drive and Cloud
Lab 8 Master File Table ($MFT) and Log File ($logFile) Analysis
Lab 9 Windows Search History
Lab 10 Windows Volume Shadow Copy Analysis/SQL database carving
Lab 11 Recycle Bin and Anti-Forensics
Lab 12 Data Carving
Lab 13 Crack Windows Passwords

Investigating P2P Data Leakage

==============

The P2P data leakage case study is to help students to apply various forensic techniques to investigate intellectual property theft involving P2P. The study includes

  • A large and complex case involving a uTorrent client. The case is similar to NIST data leakage lab. However, it provides a clearer and more detailed timeline.
  • Solid evidence with explanations. Each evidence that is associated with each activity is explained along with the timeline.
  • 10 hands-on labs/topics in digital forensics

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Lab Environment Setting Up 4M
Lab 1 Disk Image and Partitions 5M
Lab 2 Windows Registry and File Directory 15M
Lab 3 MFT Timeline 6M
Lab 4 USN Journal Timeline 3M
Lab 5 uTorrent Log File 9M
Lab 6 File Signature 8M
Lab 7 Emails 9M
Lab 8 Web History 11M
Lab 9 Website Analysis 2M
Lab 10 Timeline (Summary) 13K

Investigating Illegal Possession of Images

=====================

The case study is to investigate the illegal possession of Rhino images. This image was contributed by Dr. Golden G. Richard III, and was originally used in the DFRWS 2005 RODEO CHALLENGE. NIST hosts the USB DD image. A copy of the image is also available in the repository.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 1 Review HTTP Analysis using Wireshark (text) 3M
Lab 2 Rhion Possession Investigation 1: File recovering 9M
Lab 3 Rhion Possession Investigation 2: Steganography 4M
Lab 4 Rhion Possession Investigation 3: Extract Evidence from FTP Traffic 3M
Lab 5 Rhion Possession Investigation 4: Extract Evidence from HTTP Traffic 5M

Investigating Email Harassment

=========

The case study is to investigate the harassment email sent by a student to a faculty member. The case is hosted by digitalcorpora.org. You can access the senario description and network traffic from their website. The repository only provides lab instructions.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Investigating Harassment Email using Wireshark 3M
Lab 1 t-shark Forensic Introduction 7M
Lab 2 Investigating Harassment Email using t-shark 2M

Investigating Illegal File Transferring

=========

The case study is to investigate computer memory for reconstructing a timeline of illegal data transferring. The case includes a scenario of transfer sensitive files from a server to a USB.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Memory Forensics 11M
part 1 Understand the Suspect and Accounts
part 2 Understand the Suspect’s PC
part 3 Network Forensics
part 4 Investigate Command History
part 5 Investigate Suspect’s USB
part 6 Investigate Internet Explorer History
part 7 Investigate File Explorer History
part 8 Timeline Analysis

Investigating Hacking Case

=========

The case study, including a disk image provided by NIST is to investigate a hacker who intercepts internet traffic within range of Wireless Access Points.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Hacking Case 8M

Investigating Morris Worm Attack

=========

The case study is an investigation of the Morris Worm Attacking. We are using the VM provided by SeedLab. The goal of the lab is to find all evidence related to Morris Worm attacking.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Morris Worm Attack 7M
Lab 0 Investigating Morris Worm Attack 2M

Investigating Android 10

The image is created by Joshua Hickman and hosted by digitalcorpora.

=========

Labs Topics Covered Size of PPTs
Lab 0 Intro Pixel 3 3M
Lab 1 Pixel 3 Image 2M
Lab 2 Pixel 3 Device 4M
Lab 3 Pixel 3 System Setting 5M
Lab 4 Overview: App Life Cycle 11M
Lab 5.1.1 AOSP App Investigations: Messaging 4M
Lab 5.1.2 AOSP App Investigations: Contacts 3M
Lab 5.1.3 AOSP App Investigations: Calendar 1M
Lab 5.2.1 GMS App Investigations: Messaging 6M
Lab 5.2.2 GMS App Investigations: Dialer 2M
Lab 5.2.3 GMS App Investigations: Maps 8M
Lab 5.2.4 GMS App Investigations: Photos 6M
Lab 5.3.1 Third-Party App Investigations: Kik 4M
Lab 5.3.2 Third-Party App Investigations: textnow 1M
Lab 5.3.3 Third-Party App Investigations: whatapp 3M
Lab 6 Pixel 3 Rooting 5M

Investigating iPhone iOS 13.4.1

The image is created by Joshua Hickman and hosted by digitalcorpora.

=========

Labs Topics Covered Size of PPTs
Lab 0 Intro Intro iPhone iOS 13 5M
Lab 1 iOS 13.4.1 Image 5M
Lab 2 iPhone Device investigation 3M
Lab 3 iOS System Settings 3M
Lab 4 Overview of App Life Cycle 2M
Lab 5 Messages Investigations 3M
Lab 6 Contacts Investigations 3M
Lab 7 Calender Investigations 2M
Lab 8 Safari Investigations 3M
Lab 9 Photo Investigations 7M
Lab 10 KnowledgeC Investigations 5M
Lab 11 Health_ Investigations 5M
Lab 12 Location Investigations 8M
Lab 13 Cellebrite Investigations 12M
Lab 14 Magnet Axiom Investigations 13M
Lab 14 Jailbreak Investigations 6M

Investigating Drone DJI

The dataset includes logical files extracted from a DJI controller (mobile device) and a SD card image used by the device. The Drone dataset is created by VTO Labs. The lab covers GPS investigation and cached image retrieval. Note that it is a draft. We will improve the lab later.

=========

Labs Topics Covered Size of PPTs
Lab 0 DJI Mavic Air Mobile 13M
Lab 1 DJI Mavic Air MicroSD Raw 2M
Lab 2 DJI Mavic Air MicroSD Encase Format 2M

Tools

  • Commands tested
Name Command Repository Installation Method
Wine wine --version https://source.winehq.org/git/wine.git/ Custom
Vinetto vinetto -h https://github.com/AtesComp/Vinetto Custom
imgclip imgclip -h https://github.com/Arthelon/imgclip apt install
RegRipper rip.pl -h https://github.com/keydet89/RegRipper3.0 Customized scirpt
Windows-Prefetch-Parser prefetch.py -h https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git Custom
python-evtx evtx_dump.py -h https://github.com/williballenthin/python-evtx apt install
libesedb-utils esedbexport -h https://github.com/libyal/libesedb apt install
libpff pffexport -h https://github.com/libyal/libpff apt install
USN-Record-Carver usncarve.py -h https://github.com/PoorBillionaire/USN-Record-Carver apt install
USN-Journal-Parser usn.py -h https://github.com/PoorBillionaire/USN-Journal-Parser apt install
time_decode time_decode.py -h https://github.com/digitalsleuth/time_decode Git clone
analyzeMFT analyzeMFT.py -h https://github.com/dkovar/analyzeMFT Customized scirpt
libvshadow vshadowinfo -h https://github.com/libyal/libvshadow Customized scirpt
INDXParse INDXParse.py - Customized scirpt
carving sqlite .db undark -h https://github.com/inflex/undark.git Customized scirpt
stegdetect stegdetect -V Customized scirpt
stegbreak stegbreak -V Customized scirpt
stego-toolkit jphide Customized scirpt
jpsestego-toolkitek jpseek Customized scirpt
volatility-2 vol.py -h https://github.com/volatilityfoundation/volatility.git Customized scirpt
liblnk-utils lnkinfo -h apt install
JLECmd https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip Git clone
recentfilecache-parser https://github.com/prolsen/recentfilecache-parser
LogFileParser https://github.com/jschicht/LogFileParser.git Git clone
UsnJrnl2Csv ttps://github.com/jschicht/UsnJrnl2Csv.git Git clone
  • Other tools installed via apt install python3-pip, leafpad, terminator, sqlite3, tree, xmlstarlet, libhivex-bin, pasco, libhivex-bin, npm, binwalk, foremost, hashdeep, ewf-tools, nautilus

Contribution

=============

  • PI of the project
    • Dr. Frank Xu (Email: fxu at ubalt dot edu)
  • Students:
    • Danny Ferreira (iPhone)
    • Harleen Kaur (Partial of Android)
    • Malcolm Hayward (P2P Leakage)
    • Richard (Max) Wheeless (Hacking case)
    • Chimezie Onwuegbuchulem (Docker for Digital Forensics)
    • Etinosa Osawe (AI for Forensics - Identifying IPs with a Fine-tuned Language Model)
<script async src="//static.getclicky.com/101329461.js"></script>

trackgit-views