Analyze Photos Lab Part 3

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

17 hours 41 minutes
Video Transcription
welcome back to the course. So in the last video, we went ahead and set up our photos to use in this part of the lab where we're actually analyzed. The two photos
now again. Since we set him up, we obviously know what we typed. We know the differences between the two files. However, again, this is a good lab to do kind of show off to your family and friends.
So step number one. If you're not already launched into your Windows machine, make sure you log in on and then we're gonna open wherever you saved the two files that so we're basically going to do is open both of the photos, and then we're gonna open our tools. Let's go and do that now.
So mine I've got saved in this folder here. So go ahead and open both photographs,
and then we're basically just gonna compare them side by side, so you might have to do a little modification on the sizing of each one. You might also have to d'oh!
You might have thio close her windows, et cetera, et cetera. So bear with me a second here while I get mind set up might take a moment or so, especially for working inside of a virtual machine.
And then again, we're just gonna compare these side by side. We're also gonna use our tool tool. So our hash calculator is, well, our it's our hex editor. So the HX d hex editor.
All right, so bear with me just another moment, while I kind of modifier sizing here just so everybody can see it.
And by the way, if you have a cat that can actually do this if you have a Catholic and actually plunge the toilet and clean toilets and stuff, please feel free to send him over to my place. And, you know, I'll pay him to clean my bathroom.
That would be super cool if we could actually trained cast to do stuff, right? All right, the next step here. So if we go back to our lab document, we're gonna go ahead and actually open our hash applications. Wells are hex editor. So that hx d hex editor. So all we do is just double click on each one, So double click on hash coke. Just open that up.
And then same thing with HX t Just go ahead. Double click on that.
So, again, we'll use those in just a moment here. I just want to get those open, and then we're gonna actually compare the files on our own here.
All right, So if you look at these two funnels, let's just look at him visually for a moment, right? So let's just see, Do we notice any difference? It's all so, Andi, look at the photos that you have a few using different photos. Feel free to look at those and then just look at differences. Now, obviously, we know they're both the same photo on and we just used one, and we made some changes to it in the hex.
But you go ahead and look at him to get to practice on it. So we see a cat here. Was he a cat here?
Looks like the cat's plunge in the toilet. I see that in both of them. I see a bathroom floor. I see that here. Something black here could be a towel. I could be like a little rug that they put around the toilet. I see that there. I see the wall back here. I see the cats got two ears.
It's got an eye there. I see the eye. So basically, visually, these two files look the same, right? They look pretty much the same.
All right, let's go back her lab documents. So question number one here other. Any visual differences in those actual photos?
All right, so the answer is No. I mean, we kind of knew that again from our setup of this lab, but there are no visual differences that we can tell.
All right, So we're gonna go ahead and close our photos now and then we're going to right click on each one, and we're just gonna check the file size. So again, as I mentioned in the last video we just wanted we wanted to make sure that we talked a shorter word or a shorter phrase in there. So we didn't alter the file size because, as you see here, that's one of the areas that we do. Check.
All right. So I'm just gonna go ahead and close these photos here.
All right? So I'm gonna go back to my folder where I have, um so just go ahead and right. Click on each one and see if you notice a difference in file side. So just right. Click on it, go to properties. And it might take a moment or so to pull up, but it will eventually pull up and tell you this size, which I see here is 85 kilobytes.
Once we see that, just go ahead next time on that one. Do the same thing here, so just right. Click on it,
go to properties and then 85 kilobytes. We see right there. So we know that they're Hey, they're both the same file size, huh? All right, so they look the same. They're both the same file size. So what else do we need to look at?
All right, well, let's go back to our lab document to find out.
So, Question number two are the files of same size. Yes, they are. Right. We noticed that they were both the same size.
All right, Next we're gonna check the hashes of the file. So we're gonna do that hash and just kind of like we did with the downloadable file to see if it had been altered ill when we took the hash.
We're doing the same thing here, right? We're just gonna check the hash of the files and see if there's a difference at all.
So let's go ahead and do that now. So we're gonna go first for the hash. Coke are hash calculator. So let me just kind of move this window out the way and then also this one as well. And we have our hatch calculator that just decided to close on me. There we go. All right,
so let's go back to our lab document now. So the first thing we're going to do once we've got the hash, calculate her pulled up a step seven here word and click the three little dots that are on the counter near the top, right of the tool. And there were a select file.
Let's go and do that. Now
click those three little dots
going open up for us. It opens up the search box here, and then we're just gonna find our initial file there. Right? So if we look at our lab document, it's gonna be that very, very first photo that we saved, like from the Internet, More for using, like, a family photo, something like that.
All right, I'm gonna go ahead and pull mine up.
He doesn't look like it's pulling up that folder for some reason. Oh, well, that's why I'm looking at the downloads when it's on the desktop. There we are. All right,
So once we find out where it's at and we pull it up,
we're just gonna open that very 1st 1 that we did not type anything in right, so that we did not alter and then just say, open there.
Let's go back to our lab document.
So now we're gonna unsolicited all the different hash options it set for the MD five. So again we could do a lot of different hash is inside of the hash calculator. We're just gonna choose the MD 51 So let's go ahead and select at and select only that one on. Then click calculate and then especially, make a notation of the hash.
All right, so we're just gonna unchecked these other couple of one's here,
and then make sure we just leave them to five and then just say, calculate
very soon we see our long hash years. Let's go back to our lab document.
All right, so now we're gonna do where to select those three little dots again and that were to select the file we actually did alter. Right. So we wanna check and see for question three. Here are the file. Hash is the same. So let's go and check that now.
So those three little dots again
Now choose a file that you altered in this case, minds cat three Dodge a peg.
Just say open there.
Same thing here. Just go ahead and calculate the hash.
All right, you're gonna notice at the hash is different here than it was in the other one. So Okay, so the photos looked visually the same,
and then we checked the file size that was a saint.
But we do a hash out, and they're different, huh? Okay, well, I think we need to take a closer look at those couple of photos.
Let's go ahead and do that now.
All right, so we see that. Know the file hashes. We're not the same for those photos again. We altered one of those. We kind of knew what the issue was.
So now we're gonna switch over to the hex editor were It's like filing open, and the rescuers are gonna look at both photos and see if we notice anything wrong.
Let's go ahead and do that now.
So we're to switch back to our A hex editor or a checks D.
I was gonna select file and then open.
All right, let's go back to our lab document here. So once we select file on open, we're gonna go back to our again our original photo that we had save and select Open.
And we're gonna see if we notice any information in there.
All right, So let me navigate to that spot. We'll grab the photo. So again, that original one was going to say open to that, I take a moment. So and you can if you get this box on the right side of where it says special editors, Data Inspector. Excuse me, inspector. Then just click that little extra that'll close that box for you.
All right. The score to scroll to the very bottom here and just take a look at the last little bit of character strings there. Do we notice anything readable?
And if yes, what it is, it's gonna be What is it?
All right. So the answer is no This is basically our original file, right? So we didn't alter this in any way, so it shouldn't be anything at the very end there. All right, so let's go ahead, and we're next thing we're gonna do is actually open the other file inside of this hex editor. So let's do that now.
All right. So do we notice any secret information in the first file? The answer is no. We didn't notice anything in there. So next we're just, like, file open, and they were to navigate to that next quote unquote corrupt file.
Then we're gonna open it up. We're just gonna look for any secret information that might be typed in there.
So let's go ahead and do that. No.
All right. So go to file and then open.
All right, Now we're gonna check the cat three. At least in my example. The cat three Dodge a pig.
Just say open there
could take a moment. So whether that's gonna open the hex editor for us, so you might to scroll down a bit.
All right, so let's go back to our lab document now.
So the question question five. Is this already secret information hidden in there, right? So you might find different information, Possibly. But is there any secret information inside of the hex? So let's go ahead and take a look.
Oh, yeah.
Looks like the word password. Right. So, technically, this is probably, you know, something simple.
You know, general, this is not something that a malicious actor might hide
Amount of information, and especially if they're trying to keep the file size of same. However, keeping that in mind, there are ways around that. But for our purposes, we tied something very short in here. You'll see. That was pretty easy to find, right? We were able to see that The password at the very end there, whatever word you have chosen to use.
But that's what we're looking for in this particular lab, right? We wantto if we images suspects machine. We noticed a couple photos that are the same thing there.
Then we generally are gonna want to open them and in a hex editor to see what content is actually in there. Because, you know, if I might be something where this might be the password to get in their actual laptop, right? So then we can use that to get in the laptop and actually get a stronger conviction on the bad person
are. So in this video, we just wrapped up our analysis of the photos and the next video. Where to start off model, too, for the computer forensics investigation process. So we'll talk about things like the pre investigation phase investigation phase as well as the post investigation phase.
Up Next