frankwxu / digital-forensics-lab Goto Github PK

Free hands-on digital forensics labs for students and faculty

Home Page: https://github.com/frankwxu/digital-forensics-lab

License: Other

Shell 1.02% Batchfile 0.05% HTML 16.78% Java 0.99% Rich Text Format 2.35% Python 2.81% Dockerfile 1.00% Jupyter Notebook 37.65% ColdFusion 2.24% Roff 32.90% DIGITAL Command Language 2.21%

cybersecurity digital education forensics free cyber cybercrime cybersecurity-education investigation hands-on

digital-forensics-lab's People

Contributors

Stargazers

Watchers

Forkers

victorwealtha ltvthang munjurhasan444 vanyell xtiankisutsa bolisettynihith materaj2 h4iryw0nd3r userimack crackercat fork-and-test jgru chaulagaisachin cybersecops rnyambugi pranay7700 gabb4r ekmixon wagga40 anasm84 stefanaustin hackergod00001 pr3l14t0r morpheusc johto89 polashneog jkose002 godsakani rvramesh20 esdnwoozyv1 andresrt kolabszar youngjun-chang whobin watch-dog-man ana7z adversaryemulator itsmenaga zorg08 taiihu nejibnbm killvxk dumpofmemory saidhfm y0d4a isiaon johnjohnsp1 arunkuttiyani starson1 yarafan dkr1818 ishita4416 onesorzer0es marciopocebon pir8g33k thego0n puzzithinker nx6110a5100 adberte 4ss3mbl3rv cybernewbies 0xcyberpj niall23236 cmeninwa kyl3song ttaegit hadryan githubismyresume ch4rli3kop o3t1w exzettabyte aileenmedina ruacon35 rosodam rohit-kaundal benwaldner ninasree jayantisingh scriptkkiddie anshvaid4 skmtr1 delphinfo stanhardy alexandermedici rurbin3 mongdev nitin-mane xmkxabc bhargavvishwanadua dio-plutus vu3zhy mkdirlove 0x3fang edenramoneda developer191 hamidmdh amadzirak ayaz-z rahulgitsit zigmud

digital-forensics-lab's Issues

strongly recommend to stop using analyzeMFT

analyzeMFT is no longer maintained https://github.com/dkovar/analyzeMFT/blob/master/README.txt
and has several known short comings rowingdude/analyzeMFT#56

I strongly recommend to stop using it

Digital-forensics-lab

P2P_Leakage- Can't download the Disk_Image_ID-20210327

We can't download Disk_Image_ID-20210327, it reaches 8 GB from 30 GB and the download terminates.
Help to download disk image for lab work P2P_Leakage
https://github.com/frankwxu/digital-forensics-lab/tree/main?tab=readme-ov-file#investigating-p2p-data-leakage

fls command is partly hidden below image on slide #29 in NIST_Data_Leakage_Case/NIST_Data_Leakage_00*.pptx.

I don't know if Libreoffice for Linux has problems displaying the PPT files correctly...

The command

 fls -F -d -r -o 206848 cfreds_2015_data_leakage_pc.dd|grep -P '\.pf' --color

is hidden below an image.

Wrong inode number used for muicache from usrclass.dat on slide NIST_Data...01_...pptx

Hi,

I've observed, that the muicache sample on slide NIST_Data_Leakage_01_Registry_Correction.pptx uses the wrong inode number. (Slide 52, last page).

Would it be correct like the following?

`┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# fls -rF -o 206848 cfreds_2015_data_leakage_pc.dd|grep -i usrclass.dat$
r/r 63765-128-3: Users/admin11/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r 13929-128-3: Users/informant/AppData/Local/Microsoft/Windows/UsrClass.dat
r/r 70107-128-3: Users/temporary/AppData/Local/Microsoft/Windows/UsrClass.dat

┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# icat -o 206848 cfreds_2015_data_leakage_pc.dd 13929 > usrclass_informant.dat

┌──(root㉿forensiclinux)-[/FORENSIC/lab_data_leaks_Win]
└─# rip.pl -r usrclass_informant.dat -p muicache
Launching muicache v.20200525
muicache v.20200525
(NTUSER.DAT,USRCLASS.DAT) Gets EXEs from user's MUICache key

Software\Microsoft\Windows\ShellNoRoam\MUICache not found.

Local Settings\Software\Microsoft\Windows\Shell\MUICache
LastWrite Time 2015-03-25 15:29:12Z

C:\Windows\system32\WFS.exe (Microsoft Windows Fax and Scan)
C:\Program Files\Internet Explorer\iexplore.exe (Internet Explorer)
C:\Users\informant\Desktop\Download\IE11-Windows6.1-x64-en-us.exe (Internet Explorer 11 Setup utility)
C:\Windows\System32\xpsrchvw.exe (XPS Viewer)
`

Unable to Download Disk_Image_ID-20210327.001

I am able to access the webpage but I cannot download via firefox or wget. Please help.

Digital Forensics

Andriod

Im wondering if this is mispelt on purpose just to annoy me.

Thanks

Dropbox-DD-Images of data_leakage_cases of "Lab 0" PPT are broken.

The links within the PPT slide of "Lab 0" don't provide valid 7z images. The link to the original data files of the NIST are hidden below an image with the link to some dropbox files. The original case study files should be used instead:

Please update your PPT files. Thank you.

Here is the image creation failure of your files:
`
└─$ ls -l
insgesamt 6291480
-rw-r--r-- 1 kali kali 2147483648 23. Feb 15:32 cfreds_2015_data_leakage_pc.7z.001
-rw-r--r-- 1 kali kali 2147483648 23. Feb 15:58 cfreds_2015_data_leakage_pc.7z.002
-rw-r--r-- 1 kali kali 2147483648 23. Feb 16:28 cfreds_2015_data_leakage_pc.7z.003

└─$ 7z e cfreds_2015_data_leakage_pc.7z.001

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=de_DE.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz (306A9),ASM,AES-NI)

Scanning the drive for archives:
1 file, 2147483648 bytes (2048 MiB)

Extracting archive: cfreds_2015_data_leakage_pc.7z.001
ERROR: cfreds_2015_data_leakage_pc.7z.001
cfreds_2015_data_leakage_pc.7z
Open ERROR: Can not open the file as [7z] archive

ERRORS:
Headers Error
WARNINGS:
There are data after the end of archive

Can't open as archive: 1
Files: 0
Size: 0
Compressed: 0
`

Correction: Github link for RegRipper tool in NIST_Data_Leakage_00_Env_Setting.pptx, p. 40

Slide p. 40: RegRipper binary can be downloaded from Kali's Git repository: https://gitlab.com/kalilinux/packages/regripper with git.

The advantage is that more plugins are available.

This is how I did it:

# Create folder for Kali tools in ~/lab
mkdir ~/lab/kali-tools

# Change directory
cd ~/lab/kali-tools

# Clone RegRipper
git clone https://gitlab.com/kalilinux/packages/regripper.git

# Make perl scripts executable
sudo chmod u+r regripper/rip.pl regripper/plugins/*.pl

# Create alias for 'rip.pl'
# temporarely
alias rip.pl='perl ~/lab/kali-tools/regripper/rip.pl'

# If you want to change the alias permanently add the command to your .bashrc file and source it.

# Test the command by entering 'rip.pl'

Regards,
ela

Please fix your README

Also see: https://github.com/libyal/libpff/releases