Forensic Investigation of a Victim PC Using Autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what exactly happened on a computer. You can even use it to recover photos from your camera's memory card for case investigation.

Autopsy features:

· Timeline Analysis: Displays system events in a graphical interface to help identify activity.
· Keyword Search: Text extraction and indexed search modules enable you to find files that mention specific terms and find regular expression patterns.
· Web Artifacts: Extracts web activity from common browsers to help identify user activity.
· Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
· LNK File Analysis: Identifies shortcuts and accessed documents.
· Email Analysis: Parses MBOX format messages, such as Thunderbird.
· EXIF: Extracts geolocation and camera information from JPEG files.
· File Type Sorting: Groups files by their type to find all images or documents.
· Media Playback: View videos and images in the application without requiring an external viewer.
· Thumbnail Viewer: Displays thumbnails of images for a quick view of pictures.
· Robust File System Analysis: Support for common file systems, including NTFS, FAT12, FAT16, FAT32, HFS+, ISO9660 (CD-ROM), Ext2, Ext3, and UFS from The Sleuth Kit.
· Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
· Tags: Tag files with arbitrary tag names, such as 'bookmark' or 'suspicious', and add comments.
· Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
· File Type Detection: Detection based on signatures, plus extension mismatch detection.
· Interesting Files Module: Flags files and folders based on name and path.
· Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.

First, download Autopsy and install it on your PC.

Click New Case. The ‘Create a New Case’ page will open.

You can also use a device clone that was created earlier.

Fill in the ‘Case Name’ and ‘Base Directory’ fields, choosing the location where the report will be saved, e.g. c\users\raj\desktop\autopsy report
Then click Next to proceed to the next step.

In the next step, enter the case number and the examiner details, then click Finish to proceed.

Now, in Add Data Source, you have to complete three steps.
In the first step, Enter Data Source Information, select the source type as local disk, the location of the local disk and the time zone for your location, then click Next to proceed to step 2.

In step 2, Configure Ingest Modules, I have chosen all the modules because I want complete information about the evidence device, disk or computer. Click Next for step 3.

In Add Data Source, just click Finish to generate the report of the device. You can then perform a complete investigation of the victim device, PC or disk.

Here you can see the local disk of the user. It can be analyzed completely from here without accessing the actual data on the local disk. You can see Data Sources, Views, Results, Email Messages, Interesting Items, etc.

Finally, when you choose Data Sources and select the drive that was added, all the files and folders available on the local disk are listed, along with their Modified Time, Change Time, Access Time, etc.

With this you can investigate the user's details on the local disk and find out which files were deleted from the disk, together with the time, date and other information.
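Autopsy presents these times in its GUI; the same data can be exported on the command line with The Sleuth Kit's `fls -m`, which writes a "body file" that `mactime` sorts into a timeline. The following added example (not part of the original article) parses that body-file format and builds a timeline that also flags deleted entries; the sample lines, paths and timestamps are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in the TSK 3.x body-file layout:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (times in epoch seconds)
SAMPLE_BODY = """\
0|/Users/raj/Desktop/report.docx|4102-128-1|r/rrwxrwxrwx|0|0|18432|1700003600|1700000000|1700000000|1699990000
0|/Users/raj/Desktop/notes.txt (deleted)|4110-128-1|r/rrwxrwxrwx|0|0|512|1700007200|1700005000|1700007300|1700001000
0|/Users/raj/Downloads/tool.exe|4120-128-3|r/rrwxrwxrwx|0|0|90112|0|1700002000|1700002000|1700002000
"""

def parse_body_line(line):
    """Split one body-file line; the name may itself contain '|'."""
    _md5, rest = line.split("|", 1)
    name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = rest.rsplit("|", 9)
    deleted = False
    for tag in (" (deleted)", " (deleted-realloc)"):  # suffixes fls adds to unallocated names
        if name.endswith(tag):
            name, deleted = name[: -len(tag)], True
    times = {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)}
    return {"name": name, "inode": inode, "size": int(size), "deleted": deleted, "times": times}

def build_timeline(body_text):
    """Return sorted (epoch, macb_flags, name, deleted) rows, one per distinct time."""
    rows = []
    for line in body_text.splitlines():
        if not line.strip():
            continue
        entry = parse_body_line(line)
        by_ts = {}
        for letter, ts in entry["times"].items():
            if ts:  # 0 means the time was not recorded
                by_ts.setdefault(ts, set()).add(letter)
        for ts, letters in by_ts.items():
            flags = "".join(c if c in letters else "." for c in "macb")
            rows.append((ts, flags, entry["name"], entry["deleted"]))
    return sorted(rows)

def deleted_files(body_text):
    """Names of entries that fls marked as deleted."""
    return sorted({name for _, _, name, deleted in build_timeline(body_text) if deleted})

if __name__ == "__main__":
    for ts, flags, name, deleted in build_timeline(SAMPLE_BODY):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        print(when, flags, name, "(deleted)" if deleted else "")
```

The flags column uses mactime's notation: m = modified, a = accessed, c = changed (metadata), b = created.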

How to Perform Cell Referencing in Excel

Cell referencing is a very important term used in Excel formulas. Cell referencing means that one cell's address is referenced in another cell to do calculations.
There are three types of referencing:

· Relative Referencing
· Absolute Referencing
· Mixed Referencing

Relative Referencing

By default, relative referencing is used in Excel. Now see the example of relative referencing. Look at the formula in cell G2, which references cells C2, D2, E2 and F2. When we copy this formula by dragging the lower right corner of cell G1 to other cell locations, such as G2 to G11, relative referencing takes place, because G3 references cells C3, D3, E3 and F3 relatively.

Absolute Referencing

Absolute referencing is used when we want to make a cell address fixed. See the formula in cell G2, which computes Gross Salary and in which TA is fixed for each employee. To make cell F2 fixed, put a $ sign before the column name as well as the row number. Then drag the lower right corner of cell G2 down to cell G11.

Let us see another example of absolute referencing.

In this example, we are calculating the simple interest by multiplying principal, rate and time. When we drag the formula from F5 to F9, it shows the result as 0, because cell D7 containing the principal and cell E5 containing the rate are absolute.

So, to make cells D7 and E7 absolute, put a $ sign before the column name and row number of cells D7 and E7 in the formula in cell G7. Now drag the lower right corner of cell G7 down to cell G11. The result now shows the correct values.

Mixed Referencing

A combination of relative referencing and absolute referencing is referred to as mixed referencing.
In this example, we are calculating the simple interest in cell G9 by multiplying F8, G8 and G9.
When we drag from G9 to K9 and then to K13, it shows wrong values.

To rectify this, use mixed referencing. Put a $ sign before the column name and row number of cell F8, and put a $ sign before the row number of cell G8, which is common to all cells of the rate value. Similarly, put a $ sign before the column name of cell F8, which is common to all cells of the time value. Now it shows correct values.
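The three reference types can be checked without a spreadsheet. The following added example (not part of the original article) rewrites a formula the way a copy or fill does, shifting only the parts of each reference that carry no $ sign. The simple-interest layout used in the demo calls is an assumption: principal in F8, rates across row 8, times down column F.

```python
import re

# A1-style reference with optional $ anchors on column and row, e.g. $F$8, G$8, $F9.
# Plain cell references only: function names such as LOG10 and sheet names are out of scope.
REF = re.compile(r"(\$?)([A-Z]{1,3})(\$?)(\d+)")

def col_to_num(col):
    """Column letters to a 1-based number (A=1, Z=26, AA=27)."""
    n = 0
    for ch in col:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n

def num_to_col(n):
    """1-based column number back to letters."""
    s = ""
    while n:
        n, r = divmod(n - 1, 26)
        s = chr(ord("A") + r) + s
    return s

def copy_formula(formula, src, dst):
    """Rewrite `formula` the way a copy or fill from cell `src` to cell `dst` does."""
    s, d = REF.fullmatch(src), REF.fullmatch(dst)
    d_col = col_to_num(d[2]) - col_to_num(s[2])
    d_row = int(d[4]) - int(s[4])

    def shift(m):
        col_abs, col, row_abs, row = m.groups()
        c = col_to_num(col) + (0 if col_abs else d_col)  # $ before the column pins it
        r = int(row) + (0 if row_abs else d_row)         # $ before the row pins it
        if c < 1 or r < 1:
            return "#REF!"  # reference moved off the sheet
        return f"{col_abs}{num_to_col(c)}{row_abs}{r}"

    return REF.sub(shift, formula)

if __name__ == "__main__":
    # Assumed layout: principal in F8, rates in G8..K8, times in F9..F13
    print(copy_formula("=F8*G8*F9", "G9", "K13"))      # relative: drifts to =J12*K12*J13
    print(copy_formula("=$F$8*G$8*$F9", "G9", "K13"))  # mixed: =$F$8*K$8*$F13
```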

Forensic Investigation of Any Twitter Account

Twitter Forensic Toolkit is a forensic tool with which you can investigate a criminal's or prime suspect’s Twitter account and get information such as the user profile, number of tweets, tweets by user and date, total followers, total following, etc.

Download Twitter Forensic Toolkit and install it on your PC.
Now fill in the required fields, such as Investigator Name, Operation Name, Case Number and Case Description.

Also give a file location in which to save the report of the Twitter user account,
e.g. C\Users\RAJ\Desktop. Click Save to proceed to the next step.

In the next step you have to choose one of the search options: tweets By a User, To a User, To and From a User, or Referencing a User. Choose according to your requirement. I have chosen By User and given the account URL to get all the information from the user's Twitter account. The results value can be any number; I have given 25. Now click the Search button to proceed to the next step.

Here you can see the consumer key, the consumer secret and Get Pin.
Click Get Pin to get the code.

To get the PIN, it will first ask for your own Twitter account login (not the suspect account's login details), and then a PIN will be generated. Copy it.

Paste the PIN and click Authorize to start processing the required Twitter account.

After the process completes, you can see the complete report of the desired Twitter account, such as the count of tweets, followers, following and likes, as well as all the tweets, including date and time.

Now, on the toolbar, select TOOLS and then Configuration. A window will open with options such as enabling real-time monitoring to keep the user's tweets up to date. You can also configure your email to have the report sent to your email address.
The rest of the report will be saved in the folder location that was given in the first step.

How to Perform Forensic Investigation on YouTube

Intro: YouTube Forensic Toolkit is a great tool that can gather information such as user videos, channel videos and videos by category. With it you can do a lot more than you can in YouTube itself, as described below.
First, download the YouTube forensic tool and install it on your system.
After installation, open the YouTube forensic tool.
Fill in the required fields, such as Investigator Name, Operation Name, Case Number, Case File Location and Case Description, and give the location in which to save the report of the investigation.

Click Save to proceed to the next step.

In the next step you can see several options, such as Most Popular, Keyword Search, URL Search and User Search. I chose Keyword Search, as I am not targeting any user or channel. If you want to target a channel or user, choose URL Search or User Search and type the username or paste the URL from YouTube.
My keyword is hacking articles and I chose Tech as the category. The results value can be any number; I chose 25.
Click Search to start searching with the chosen option.

After the search is complete, you can see the results for the option you have chosen. As I chose hacking articles as the keyword, my results relate to hacking articles. Here you can see the following: video title, video comment, video likes, username, last updated, keywords and category.

Here you can also do the following: download video, view comments, request suspense, etc.
To do so, right-click the video and select the task to perform.
You can also check the full report in the folder location you gave in the first step.