CCS343 - Digital and Mobile Forensics

Laboratory Experiments

S. Faculty
Date Experiment Marks
No. Sign.

Installation of Sleuth Kit on Linux. List

all data blocks. Analyze allocated as
well as unallocated blocks of a disk
image.

Data extraction from call logs using

Sleuth Kit.

Data extraction from SMS and contacts

using Sleuth Kit.

Install Mobile Verification Toolkit or

MVT and decrypt encrypted iOS
backups.

Process and parse records from the iOS

system.

Extract installed applications from

Android devices.

Extract diagnostic information from

Android devices through the adb
protocol.

Generate a unified chronological

timeline of extracted records
Ex. No. : 1 Installation of Sleuth Kit on Linux. List all data blocks. Analyze
Date : allocated as well as unallocated blocks of a disk image.

Aim:

To Install the Sleuth Kit on Linux. List all data blocks. Analyze allocated as well as
unallocated blocks of a disk image.

Procedure & Commands:

Pre - Requisites:
1.1 Sleuthkit
1.2 Disk Image File (Raw file (.dd) format recommended) We need a disk image file
on which we are going to perform our experiment, i.e. we are going to use the disk image to analyse
the disk and the contents inside to gather information about it.
• Use a Pendrive (Physical disk) to create a disk image so that we have an image of a physical
disk.
• Using the image of a partition of the disk in the computer itself may result in creation of a
logical disk image which may not help us with the experiment.
(Commands like mmls may not produce proper output for us to understand.)

So, we are going to investigate a pen drive (a physical disk) using it’s disk image.

Create a disk image:

• Insert pen drive. (Pen drive of 4GB/8GB is preferred as the disk image creation time
depends on the size of the pen drive)

• Use the command lsblk to list all the disk blocks and to know block name of the pendrive.

Here, sdb is the block of my pendrive

a) Now run the command:
$sudo dd if=/dev/sdb of=diskimage.dd bs=4M
(- Replace /dev/sdb with your pendrive’s block name (It could be the same in
most of the cases.
-diskimage.dd is the image file that will be created.)

This will create the disk image for the pendrive. (This may take a while)

Now, we are ready to proceed with the experiment.

1. Get image information -img_stat

2. List all data blocks (Allocated and Unallocated) -mmls

Here, Start and End denote the offsets.

For example, the The Empty partition starts from the offset 64 and ends at
7660227.

The next partition starts from 7660228.

3. Analyzing an allocated partition -fsstat and -fls
We are going to analyze the partition named “Empty”. You can choose any partition.
● File system information of the partition

● Looking into the file system (Files and directories inside it)

Here, 64 denotes the starting of the partition “Empty”.

● Looking into a directory inside the partition.
Iam going to look inside the directory named “manjaro”. We have to mention the inode of the directory for
that, which is 6.

Here, x86_64 is a directory which is present inside the “manjaro” folder.

● Expand all the directories inside the partition.

All the directories and their subdirectories and files inside the partition are shown.
4. Analyzing an unallocated partition
Perform the same operations for an unallocated partition.

Here, I have used the offset starting point 7668420 which is of an unallocated partition. (Refer
the output of mmls command above)

5. Recover the files in the image file.

This will recover all the files in the disk image to your computer.

Here, test_recover is just the name of the folder in which the recovered files will be stored. You can
give any name.

Check for the recovered files using ls command.

Thus, we have all the files in the disk recovered.

Result :

Thus, the examination via The Sleuth Kit unveiled both allocated and unallocated data
blocks, shedding light on active content and potential forensic evidence. This enhances
comprehension of the disk image and facilitates forensic investigations or data recovery.
Ex. No. : 2
Data extraction from call logs using Sleuth Kit.
Date :

Aim
To utilize the Sleuth Kit for extracting call log data from a disk image, facilitating forensic
analysis of communication activities.

Procedure

To extract data from call logs using The Sleuth Kit, you can follow these steps:

1. Prepare Environment: Ensure The Sleuth Kit is installed on your system and the call log file
is accessible.
2. Identify Call Log File: Locate the call log file within the disk image or the target device.
3. Run Sleuth Kit Commands: Utilize Sleuth Kit commands such as fls to list allocated and
deleted file names, and icat to extract specific file content.
4. Extract Call Log Data: Use the icat command to extract data from the identified call log file.
Specify the inode number or file path to extract the content.
5. Analyze Extracted Data: Examine the extracted call log data for relevant information such as
caller/callee numbers, call durations, timestamps, etc.

Command :

fls <disk_image> | grep "call_log_file"

icat <disk_image> <inode_number> > extracted_call_log.txt

Bash script to automate the extraction process:

#!/bin/bash

# Path to the disk image

disk_image="path/to/disk/image.dd"

# Call log file name or pattern

call_log_pattern="call_log"

# Identify the call log file using fls

call_log_inode=$(fls "$disk_image" | grep "$call_log_pattern" | awk '{print $1}')

# Check if call log file is found

if [ -z "$call_log_inode" ]; then
echo "Call log file not found."
exit
fi
[

# Extract call log data using icat

icat "$disk_image" "$call_log_inode" > extracted_call_log.txt

# Check if extraction was successful

if [ $? -eq 0 ]; then
echo "Call log data extracted successfully."
else
echo "Failed to extract call log data."
fi

This script performs the following actions:

• Sets the path to the disk image and defines the pattern for the call log file.

• Uses fls to list files within the disk image and grep to filter out the call log file.
• Retrieves the inode number of the call log file.

• Uses icat to extract the content of the call log file.

• Outputs the extracted data to a text file named "extracted_call_log.txt".

• Provides feedback on the success or failure of the extraction process.

Save this script to a file (e.g., extract_call_logs.sh), make it executable ( chmod +x

extract_call_logs.sh), and then run it ( ./extract_call_logs.sh) to extract call log data from the

disk image using The Sleuth Kit.

Execution :
./extract_call_logs.sh evidence.dd "calls.txt"

Output
Call log data extracted successfully

Result:

Thus the extraction process using the provided script yielded successful results, with call
log data successfully retrieved from the specified disk image.
Ex. No. : 3
Data extraction from SMS and contacts using Sleuth Kit
Date :

Aim:
To extract SMS messages and contacts from a disk image using The Sleuth Kit for forensic

analysis.
Procedure:

1. Prepare Environment : Ensure The Sleuth Kit is installed and accessible on the system, and
obtain the disk image containing the SMS messages and contacts.

2. Identify SMS and Contacts Files : Use Sleuth Kit commands such as `fls` to list allocated and

deleted file names within the disk image. Identify the specific files related to SMS messages and
contacts.

3. Extract Data : Utilize commands like `icat` to extract the content of the SMS and contacts

files from the disk image.

4. Analyze Data : Examine the extracted SMS messages and contacts data for relevant
information such as message content, sender/receiver numbers, timestamps, contact names,

and other relevant details crucial for forensic analysis.

Commands:
fls <disk_image> | grep "sms_file"

icat <disk_image> <sms_inode_number> > extracted_sms.txt

fls <disk_image> | grep "contacts_file"

icat <disk_image> <contacts_inode_number> > extracted_contacts.txt

Bash script demonstrating how to use The Sleuth Kit to extract SMS messages and
contacts from a disk image:

#!/bin/bash
# Function to display error messages

display_error() {
echo "Error: $1"

exit 1
}

# Check if the required commands are installed

command -v fls >/dev/null 2>&1 || display_error "The Sleuth Kit commands are not installed."

command -v icat >/dev/null 2>&1 || display_error "The Sleuth Kit commands are not installed."
# Check if the correct number of arguments are provided

if [ "$#" -ne 2 ]; then

display_error "Usage: $0 <disk_image> <file_pattern>"

fi
# Assign arguments to variables

disk_image="$1"
file_pattern="$2"

# Check if the disk image exists

if [ ! -f "$disk_image" ]; then

display_error "Disk image '$disk_image' not found."

fi

# Identify the file using fls

file_inode=$(fls "$disk_image" | grep "$file_pattern" | awk '{print $1}')

# Check if file is found

if [ -z "$file_inode" ]; then

display_error "File matching pattern '$file_pattern' not found."

Fi

# Extract data using icat

icat "$disk_image" "$file_inode" > extracted_data.txt

# Check if extraction was successful

if [ $? -eq 0 ]; then
echo "Data extraction successful. Extracted data saved as 'extracted_data.txt'."

else
display_error "Failed to extract data."

fi

You can save this script to a file (e.g., extract_data.sh), make it executable (`chmod +x

extract_data.sh`), and then run it (`./extract_data.sh disk_image.dd "file_pattern"`) to extract SMS

messages or contacts from the disk image. Adjust the variables (disk_image and file_pattern)

according to your specific scenario.

Execution:

./extract_data.sh mobile_image.dd "sms"

-- the script is named "extract_data.sh" and the disk image is named "mobile_image.dd"
containing SMS messages and contacts

Output:

Data extraction successful. Extracted data saved as 'extracted_data.txt'.

Result:

Thus the extraction process using Sleuth Kit successfully retrieved SMS messages and contacts
from the disk image.
Ex. No. : 4
Install Mobile Verification Toolkit (MVT) and utilize it to decrypt encrypted
Date :
iOS backups

Aim:
To install Mobile Verification Toolkit (MVT) and utilize it to decrypt encrypted iOS backups
for forensic analysis

Procedure:

1. Installation of Mobile Verification Toolkit (MVT):

• Download the MVT from its official repository or source.

• Follow the installation instructions provided in the documentation or README file.

• Typically, this involves cloning the repository and running an installation script.

2. Preparation of iOS Backup:

• Obtain the encrypted iOS backup file (.mddata) that you intend to decrypt.

• This backup file is usually created by iTunes or Finder when you back up your iOS
device to your computer.

3. Decryption of Backup:

• Use the MVT's command-line tool, typically named mvt-ios, to decrypt the iOS
backup file.
• Provide the path to the encrypted backup file ( --input) and specify the directory
where you want the decrypted backup to be saved ( --output).

• Depending on the encryption used and any additional security measures, you
might need to provide authentication credentials such as a password or encryption

key.

4. Extraction of Data:

• After decryption, you can use various forensic analysis tools to extract relevant

data from the decrypted backup.

• This may include extracting messages, contacts, call logs, photos, videos, app data,

and more.
Commands:

• Install MVT: Follow the installation instructions provided by MVT documentation or

GitHub repository.
• Decrypt iOS Backup: Use MVT command-line tools such as mvt-ios with appropriate
options to decrypt the encrypted backup file.

# Installation
git clone https://github.com/protectedmobility/mvt.git
cd mvt
./install.sh

# Decrypt encrypted iOS backup

mvt-ios decrypt --input <encrypted_backup.mddata> --output
<decrypted_backup_directory>

Output for decrypting an iOS backup using Mobile Verification Toolkit:

Decryption in progress...

Decryption completed successfully.

Decrypted backup saved in: /path/to/decrypted_backup_directory

Result:

Thus the successful installation of MVT enables decryption of iOS backups, revealing
accessible data for forensic analysis and investigative purposes.
Ex. No. : 5 Process and parse records from the iOS system
Date :

Aim:

To process and parse records from the iOS system for forensic analysis and investigative
purposes.

Procedure:

1. Acquire Data : Obtain the iOS system image or device backup containing the records you
want to analyze.

2. Extraction : Use forensic tools or utilities to extract relevant records from the iOS system
image or backup.

3. Parsing : Develop or utilize parsers to parse the extracted records into a readable format or
database structure.

4. Analysis : Analyze the parsed records for relevant information such as messages, call logs,
contacts, app data, and more.

Coding:

# Python script for parsing iOS records

import plistlib

def parse_ios_records(plist_file):

with open(plist_file, 'rb') as f:

plist_data = plistlib.load(f)

# Parse the plist data here according to your requirements

# Example: Extract messages, call logs, contacts, etc.

messages = plist_data.get('Messages', [])

call_logs = plist_data.get('CallLogs', [])

contacts = plist_data.get('Contacts', [])

# Perform further processing as needed

 return messages, call_logs, contacts

# usage

messages, call_logs, contacts = parse_ios_records('ios_records.plist')

print("Messages:", messages)

print("Call Logs:", call_logs)

print("Contacts:", contacts)

Commands:

- Acquire Data: Use tools like iTunes or third-party forensic tools to create a backup of the iOS
device.

- Extraction: Use tools like Magnet AXIOM, Cellebrite UFED, or Autopsy to extract data from
the iOS system image or backup.

- Parsing: Write custom parsing scripts in Python, or utilize existing parsers to parse the
extracted records.

- Analysis: Analyze the parsed records using tools like SQLite, Microsoft Excel, or specialized
forensic analysis software.

Output:

Messages: [{'sender': 'John', 'content': 'Hello, how are you?', 'timestamp': '2024-05-10 09:30:00'}, ...]

Call Logs: [{'caller': 'Alice', 'callee': 'Bob', 'duration': '00:15:23', 'timestamp': '2024-05-10 10:00:00'}, ...]

Contacts: [{'name': 'Alice', 'phone': '1234567890'}, {'name': 'Bob', 'phone': '9876543210'}, ...]

Result:

Thus the process successfully extracts and parses records from the iOS system image or
backup, providing valuable information for forensic analysis and investigative purposes.
Ex. No. : 6 Extract installed applications from Android devices

Date :

Aim:

To extract installed applications from Android devices for analysis or investigation

purposes.

Procedure:

1. Acquire Data : Obtain a forensic image of the Android device using tools like ADB
(Android Debug Bridge), commercial forensic tools like Cellebrite UFED, or open-source
solutions like Oxygen Forensic Detective.

2. Extract Applications : Utilize forensic tools or scripts to extract information about

installed applications from the acquired image. This information may include package names,
version numbers, installation dates, and file paths.

3. Parsing : Develop or use parsers to parse the extracted information into a readable
format or database structure.

4. Analysis : Analyze the parsed data to identify installed applications, their versions,
and any other relevant information.

Coding:

# Python script for extracting installed applications from Android device image

import os

def extract_installed_apps(device_image):

installed_apps = []

# Example command to extract installed applications using ADB

os.system(f"adb shell pm list packages -f > {device_image}_installed_apps.txt")

# Parse the extracted data and add it to the installed_apps list

with open(f"{device_image}_installed_apps.txt", 'r') as f:

for line in f:

# Extract package name and file path

package_name = line.split(":")[1].strip()
 app_path = line.split("=")[1].strip()

installed_apps.append({'package_name': package_name, 'app_path': app_path})

return installed_apps

# usage

device_image = 'path_to_device_image'

installed_apps = extract_installed_apps(device_image)

for app in installed_apps:

print(app)

Commands:

- Acquire Data: Use ADB or forensic tools to create a forensic image of the Android
device.

- Extract Applications: Use ADB or forensic tools to extract information about installed
applications from the device image.

- Parsing: Write custom parsing scripts in Python, or utilize existing parsers to parse the
extracted information.

- Analysis: Analyze the extracted data to identify installed applications, their versions,
and other relevant information.

Output:

Installed Applications:

- Package Name: com.example.app1

Location: /system/app/app1.apk

- Package Name: com.example.app2

Location: /data/app/app2.apk

Result

Thus the process successfully extracts information about installed applications from the
Android device image, providing valuable insights for analysis and investigation purposes.
Ex. No. 7 Extract diagnostic information from Android devices

Date: through the adb protocol

Aim:
To extract diagnostic information from Android devices through the adb protocol

Procedure :
Device Information : To get basic information about connected devices:
adb devices

Output:

To get detailed device information:

adb shell getprop

Logcat: To view the device logs in real-[[[[time:

adb logcat

To save logcat output to a file:

adb logcat > logcat.txt

 Output:

Dumpsys: : To get information from system services:

adb shell dumpsys
Bugreport:
To generate a full bug report for diagnostic purposes: It can Working Only android
7.0 and Above.

adb bugreport > bugreport.txt

To capture a screenshot of the device:

adb shell screencap -p /sdcard/screenshot.png

Battery Information: To get battery information
adb shell dumpsys battery

Network Information: To get information about the network status:

adb shell ip addr show

Memory Information: To get memory usage information:

adb shell dumpsys meminfo

Result:
Thus the Extraction of diagnostic information from Android devices through the adb
protocol successfully executed.
Ex. No. : 8
Generate a unified chronological timeline of extracted records
Date :

Aim:
To generate a unified chronological timeline of extracted records from various
sources for comprehensive analysis and investigation.

Procedure:

1. Acquire Data : Collect records from different sources such as call logs, messages,
application usage logs, and system logs.

2. Standardize Timestamps : Ensure that all timestamps in the extracted records

are converted to a standardized format, preferably UTC, for consistency.

3. Merge Records : Merge the extracted records into a single dataset, ensuring that
each record includes a timestamp indicating when the event occurred.

4. Sort Records : Arrange the merged records in chronological order based on their
timestamps.

5. Generate Timeline : Create a visual representation of the chronological timeline

using tools like Microsoft Excel, Google Sheets, or specialized forensic analysis
software.

Coding:

# Python script to generate a unified chronological timeline

import pandas as pd

# Load extracted records into pandas DataFrame

call_logs = pd.read_csv('call_logs.csv')
messages = pd.read_csv('messages.csv')
app_usage = pd.read_csv('app_usage.csv')
system_logs = pd.read_csv('system_logs.csv')

# Concatenate all dataframes into a single dataframe

merged_records = pd.concat([call_logs, messages, app_usage, system_logs],
ignore_index=True)

# Convert timestamps to datetime objects

merged_records['timestamp'] = pd.to_datetime(merged_records['timestamp'])
# Sort records by timestamp
merged_records.sort_values(by='timestamp', inplace=True)

# Export sorted records to a CSV file

merged_records.to_csv('unified_timeline.csv', index=False)

Output:

timestamp,source,event
2024-05-01 08:00:00,call_logs,Incoming call from Alice
2024-05-01 08:05:00,messages,Received message from Bob: "Good morning!"
2024-05-01 08:10:00,app_usage,Opened WhatsApp
2024-05-01 08:15:00,system_logs,Device unlocked
2024-05-01 08:20:00,messages,Sent message to Alice: "Good morning!"
2024-05-01 08:25:00,call_logs,Outgoing call to Bob
2024-05-01 08:30:00,app_usage,Opened Maps

Result:
Thus the generated unified chronological timeline provides a consolidated view of
events across different sources, facilitating comprehensive analysis and investigation.