Digital Forensics Lab

Digital Forensics

Free hands-on digital forensics labs for students and faculty


Digital Forensics Lab & Shared Cyber Forensic Intelligence Repository

df

Features of Repository

===================

  • Hands-on Digital Forensics Labs: designed for Students and Faculty
  • Linux-based lab: All labs are purely based on Kali Linux
  • Lab screenshots: Each lab has PPTs with instruction screenshots
  • Comprehensive: Cover many topics in digital forensics
  • Free: All tools are open source
  • Updated: The project is funded by DOJ and will keep updating
  • Two formalized forensic intelligence in JSON files based-on case studies

Table of Contents (updating)

# The following commands will install all tools needed for Data Leakage Case. We will upgrade the script to add more tools for other labs soon.

wget  https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
chmod +x tool-install-zsh.sh
./tool-install-zsh.sh

Investigating P2P Data Leakage

==============

The P2P data leakage case study is to help students to apply various forensic techniques to investigate intellectual property theft involving P2P. The study include

  • A large and complex case involving a uTorrent client. The case is similar to NIST data leakage lab. However, it provides a clearer and more detailed timeline.
  • Solid evidence with explanations. Each evidence that is associated with each activity is explained along with the timeline. We suggest using this before study NIST data leakage case study.
  • 10 hands-on labs/topics in digital forensics

Topics Covered

LabsTopics CoveredSize of PPTs
Lab 0Lab Environment Setting Up4M
Lab 1Disk Image and Partitions5M
Lab 2Windows Registry and File Directory15M
Lab 3MFT Timeline6M
Lab 4USN Journal Timeline3M
Lab 5uTorrent Log File9M
Lab 6File Signature8M
Lab 7Emails9M
Lab 8Web History11M
Lab 9Website Analysis2M
Lab 10Timeline (Summary)13K

Investigating NIST Data Leakage

==============

The case study is to investigate an image involving intellectual property theft. The study include

  • A large and complex case study created by NIST. You can access the Senario, DD/Encase images. You can also find the solutions on their website.
  • 13 hands-on labs/topics in digital forensics

Topics Covered

LabsTopics CoveredSize of PPTs
Lab 0Environment Setting Up2M
Lab 1Windows Registry3M
Lab 2Windows Event and XML3M
Lab 3Web History and SQL3M
Lab 4Email Investigation3M
Lab 5File Change History and USN Journal2M
Lab 6Network Evidence and shellbag2M
Lab 7Network Drive and Windows shellbag5M
Lab 8Master File Table ($MFT) Analysis4M
Lab 9Windows Search History4M
Lab 10Windows Volume Shadow Copy Analysis6M
Lab 11Data Carving3M
Lab 12Crack Windows Passwords2M

Investigating Illegal Possession of Images

=====================

The case study is to investigate the illegal possession of Rhino images. This image was contributed by Dr. Golden G. Richard III, and was originally used in the DFRWS 2005 RODEO CHALLENGE. NIST hosts the USB DD image. A copy of the image is also available in the repository.

Topics Covered

LabsTopics CoveredSize of PPTs
Lab 0HTTP Analysis using Wireshark (text)3M
Lab 1HTTP Analysis using Wireshark (image)6M
Lab 2Rhion Possession Investigation 1: File recovering9M
Lab 3Rhion Possession Investigation 2: Steganography4M
Lab 4Rhion Possession Investigation 3: Extract Evidence from FTP Traffic3M
Lab 5Rhion Possession Investigation 4: Extract Evidence from HTTP Traffic5M

Investigating Email Harassment

=========

The case study is to investigate the harassment email sent by a student to a faculty member. The case is hosted by digitalcorpora.org. You can access the senario description and network traffic from their website. The repository only provides lab instructions.

Topics Covered

LabsTopics CoveredSize of PPTs
Lab 0Investigating Harassment Email using Wireshark3M
Lab 1t-shark Forensic Introduction2M
Lab 2Investigating Harassment Email using t-shark2M

Investigating Illegal File Transferring

=========

The case study is to investigate computer memory for reconstructing a timeline of illegal data transferring. The case includes a scenario of transfer sensitive files from a server to a USB.

Topics Covered

LabsTopics CoveredSize of PPTs
Lab 0Memory Forensics11M
part 1Understand the Suspect and Accounts
part 2Understand the Suspect’s PC
part 3Network Forensics
part 4Investigate Command History
part 5Investigate Suspect’s USB
part 6Investigate Internet Explorer History
part 7Investigate File Explorer History
part 8Timeline Analysis

Investigating Hacking Case

=========

The case study, including a disk image provided by NIST is to investigate a hacker who intercepts internet traffic within range of Wireless Access Points. Note that the PPT is encrypted with a password as one of the major assignments. Email fxu at ubalt dot edu to ask the password if you are a faculty member.

Topics Covered

LabsTopics CoveredSize of PPTs
Lab 0Memory Forensics8M

Tools Used

========

Nameversionvendor
Wine6.0https://source.winehq.org/git/wine.git/
Vinetto0.98https://github.com/AtesComp/Vinetto
imgclip05.12.2017https://github.com/Arthelon/imgclip
Tree06.01.2020https://github.com/kddeisz/tree
RegRipper3.0https://github.com/keydet89/RegRipper3.0
Windows-Prefetch-Parser05.01.2016https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git
python-evtx05.21.2020https://github.com/williballenthin/python-evtx
xmlstarlet1.6.1https://github.com/fishjam/xmlstarlet
hivex09.15.2020https://github.com/libguestfs/hivex
libesedb01.01.2021https://github.com/libyal/libesedb
pasco-project02.09.2017https://annsli.github.io/pasco-project/
libpff01.17.2021https://github.com/libyal/libpff
USN-Record-Carver05.21.2017https://github.com/PoorBillionaire/USN-Record-Carver
USN-Journal-Parser1212.2018https://github.com/PoorBillionaire/USN-Journal-Parser
JLECmd1.4.0.0https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip
libnl-utils3.2.27https://packages.ubuntu.com/xenial/libs/libnl-utils
time_decode12.13.2020https://github.com/digitalsleuth/time_decode
analyzeMFT2.0.4https://github.com/dkovar/analyzeMFT
libvshadow12.20.2020https://github.com/libyal/libvshadow
recentfilecache-parser02.13.2018https://github.com/prolsen/recentfilecache-parser

Contribution

=============

  • Frank Xu
  • Malcolm Hayward
  • Richard (Max) Wheeless