Analyze Photos Lab Part 3

Video Transcription
00:00
>> Hi, welcome back to the course.
00:00
In the last video, we went ahead and
00:00
set up our photos to use.
00:00
In this part of the lab,
00:00
we're going to actually analyze the two photos.
00:00
Now again, since we set them up,
00:00
we obviously know what we typed,
00:00
we know the differences between the two files.
00:00
However, again, this is a good lab to
00:00
do to show off to your family and friends.
00:00
Step number 1, if you're not already launched into
00:00
your Windows machine, make sure you log in.
00:00
Then we're going to open wherever you
00:00
saved the two files at.
00:00
What you're basically going to do
00:00
is open both of the photos
00:00
and then we're going to open
00:00
our tools. Let's go ahead and do that now.
00:00
Mine I've got it saved in this folder here,
00:00
so go ahead and open both photographs.
00:00
Then we're basically just going
00:00
to compare them side-by-side.
00:00
You might have to do a little modification on
00:00
the sizing of each one.
00:00
You might have to close certain windows, etc.
00:00
Bear with me a second here while I get mine set up,
00:00
it might take a moment or so
00:00
especially if we're working inside of a virtual machine.
00:00
Then again, we're just going
00:00
to compare these side-by-side.
00:00
We're also going to use our two tools,
00:00
our hash calculator as well as our hex editor,
00:00
so the HxD Hex Editor.
00:00
Bear with me just another moment while I
00:00
modify our sizing here just so everybody can see it.
00:00
By the way, if you have a cat that can actually do this,
00:00
if you have a cat that can actually plunge
00:00
a toilet and clean toilets and stuff,
00:00
please feel free to send them over to my place
00:00
and I'll pay him to clean my bathroom.
00:00
That will be super cool
00:00
if we can actually train cats to do
00:00
stuff. The next step here.
00:00
If we go back to our lab document,
00:00
we're going to go ahead and actually open
00:00
our hash calculator application as
00:00
well as the hex editor,
00:00
so that HxD Hex Editor.
00:00
All we do is just double-click on each one.
00:00
Double-click on HashCalc just to open
00:00
that up and then same thing with HxD.
00:00
Just go ahead and double-click on that.
00:00
Again, we'll use those in just a moment here.
00:00
I just want to get those
00:00
opened and then we're going to actually
00:00
compare the files on our own here.
00:00
If you look at these two photos,
00:00
let's just look at them visually for a moment.
00:00
Let's just see, do we notice any differences at all?
00:00
Look at the photos that you have
00:00
if you're using different photos,
00:00
feel free to look at those and just look at differences.
00:00
Now obviously, we know they're
00:00
both the same photo and we
00:00
just used one and we've made
00:00
some changes to it in the Hex,
00:00
but just go ahead and look at them to
00:00
get to practice on it.
00:00
We see a cat here,
00:00
we see a cat here.
00:00
It looks like the cat is plunging the toilet.
00:00
I see that in both of them.
00:00
I see a bathroom floor.
00:00
I see that here. Something black here.
00:00
It could be a towel, could be like
00:00
a little rug that they put on the toilet.
00:00
I see that there. I see the wall back here.
00:00
I see the cat's got two ears.
00:00
It's got an eye there, I see the eye.
00:00
Basically visually, these two files
00:00
look pretty much the same.
00:00
Let's go back to our lab documents.
00:00
Question number 1 here, are there
00:00
any visual differences in
00:00
those actual photos? The answer is no.
00:00
We knew that again from our setup of this lab,
00:00
but there are no visual differences that we can tell.
00:00
We're going to go ahead and close
00:00
our photos now and then we're
00:00
going to right-click on each one,
00:00
and then we're just going to check the file size.
00:00
Again, as I mentioned in the last video,
00:00
we want to make sure that we typed a shorter word or
00:00
a shorter phrase in there so
00:00
we didn't alter the file size.
00:00
Because as you see here,
00:00
that's one of the areas that we do check.
00:00
I'm just going to go ahead and close these photos here.
00:00
I'm going to go back to my folder where I have them.
00:00
Just go ahead and right-click on each one
00:00
and see if you notice a difference in file size.
00:00
Just right-click on it,
00:00
go to Properties and
00:00
it might take a moment or so to pull up,
00:00
but it will eventually pull up and tell you the size,
00:00
which I see here is 85 kilobytes.
00:00
Once we see that, just go ahead and exit out of that one,
00:00
do the same thing here.
00:00
Just right-click on it, go to Properties,
00:00
and then 85 kilobytes we see right there.
00:00
So we know that, hey, they're both the same file size.
00:00
They look the same, they're both the same file size.
00:00
What else do we need to look at?
00:00
Well, let's go back to our lab document and find out.
00:00
Question number 2, are the files the same size?
00:00
Yes, they are. We noticed that
00:00
they were both the same size.
00:00
Next, we're going to check the hashes of the file.
00:00
We're going to do the hash and just like we did with
00:00
the downloadable file to see if it had been
00:00
altered at all when we took the hash,
00:00
we're doing the same thing here.
00:00
We're just going to check
00:00
the hash of the file and
00:00
see if there's a difference at all.
00:00
Let's go ahead and do that now.
00:00
We're going to go
00:00
first for our hash calculator.
00:00
Let me just move this window out of the way,
00:00
and then also this one as well and we have
00:00
our hash calculator that just
00:00
decided to close on me. There we go.
00:00
Let's go back to our lab document now.
00:00
The first thing we're going to do,
00:00
once we've got the hash calculator pulled up,
00:00
Step 7 here we're going to
00:00
click the three little dots that are
00:00
on the corner near the top right of the tool,
00:00
and then I'm going to select File.
00:00
Let's go ahead and do that now.
00:00
Click those three little dots.
00:00
It's going to open up for us the search box here,
00:00
and then we're just going to find our initial file there.
00:00
If we look at our lab document,
00:00
it's going to be that very first photo
00:00
that we saved from the Internet,
00:00
or if you're using a family photo, something like that.
00:00
I'm going to go ahead and pull mine up and
00:00
it doesn't look like it's pulling up
00:00
that folder for some reason.
00:00
Oh, well, that's why.
00:00
I'm looking in the downloads when
00:00
it's on the desktop. There we are.
00:00
Once we find out where it's at and we pull it up,
00:00
we're just going to open that very first one that
00:00
we did not type anything in,
00:00
that we did not alter and then just say Open there.
00:00
Let's go back to our lab document.
00:00
Now we're going to unselect
00:00
all the different hash options except for the MD5.
00:00
Again, we could do a lot of different hashes
00:00
inside of the hash calculator.
00:00
We're just going to choose the MD5 one.
00:00
Let's go ahead and select that and select only that one,
00:00
and then click Calculate
00:00
and then just basically make a notation of the hash.
00:00
We're just going to uncheck
00:00
these other couple of ones here.
00:00
Then make sure we just leave
00:00
the MD5 and then just say Calculate.
00:00
We see our long hash here.
00:00
Let's go back to our lab document.
00:00
Now what we're going to do, we're going to
00:00
select those three little dots
00:00
again and now we're going to select
00:00
the file that we actually did alter.
00:00
We want to check and see for Question 3 here,
00:00
are the file hashes the same?
00:00
Let's go ahead and check that now.
00:00
Click those three little dots again,
00:00
now choose the file that you altered, in this case mine is
00:00
cat3.jpeg. Just say Open there.
00:00
Same thing here, just go ahead and calculate the hash.
00:00
You're going to notice that the hash
00:00
is different here than it was in the other one.
00:00
The photos looked visually the same.
00:00
Then we check the file size, that was the same.
00:00
But we do a hash on it and they're different.
00:00
Well, I think we need to take a closer look
00:00
at those couple of photos.
00:00
Let's go ahead and do that now. We see that no,
00:00
the file hashes were not the same for those photos.
00:00
Again, we altered one of those.
00:00
We knew what the issue was.
00:00
Now we're going to switch over to the hex editor.
00:00
We're going to select File and Open
00:00
and then still we're going to look
00:00
at both photos and see if we notice anything wrong.
00:00
Let's go ahead and do that now.
00:00
We're going to switch back to our hex editor or HxD.
00:00
We're just going to select File and then Open.
00:00
Let's go back to our lab document here.
00:00
Once we select File and Open,
00:00
we're going to go back to our, again,
00:00
our original photo that we had saved and select
00:00
Open and we're going to
00:00
see if we notice any information in there.
00:00
Let me navigate to that spot,
00:00
we'll grab the photo.
00:00
Again, that original one,
00:00
we're just going to say Open to
00:00
that, might take a moment or so.
00:00
If you get this box on the right side of where it says
00:00
Special editors, Data inspector,
00:00
then just click that little X,
00:00
that'll close up the box for you.
00:00
Let's scroll to the very bottom here and just take
00:00
a look at the last little bit of character strings there.
00:00
Do we notice anything readable?
00:00
And if yes, what is it?
00:00
The answer is no. This is basically our original file.
00:00
We didn't alter this in any way,
00:00
so there shouldn't be anything at the very end there.
00:00
Let's go ahead and
00:00
next thing we're going to do is actually open the
00:00
other file inside of this hex editor. Let's do that now.
00:00
Do we notice any secret information in the first file?
00:00
The answer is no, we didn't notice anything in there.
00:00
Next we're going to select File,
00:00
Open and then we navigate to that,
00:00
quote-unquote, "Corrupt file".
00:00
Then we're going to open it up.
00:00
We're just going to look for
00:00
any secret information that might be typed in there.
00:00
Let's go ahead and do that now.
00:00
Go to File and then Open.
00:00
Now we're going to check the Cat 3,
00:00
at least in my example, the cat3.jpeg.
00:00
I'm going to say Open there,
00:00
could take a moment or so.
00:00
But that's going to open the hex editor for us.
00:00
So you might have to scroll down a bit.
00:00
Let's go back to our lab document now.
00:00
Question 5, is there
00:00
any already secret information hidden in there?
00:00
You might find different information possibly,
00:00
but is there any secret information inside of the Hex?
00:00
Let's go ahead and take a look. Oh, yeah.
00:00
Looks like the word password.
00:00
Technically, this is probably something simple.
00:00
Generally, this is not something that
00:00
a malicious actor might
00:00
hide a long amount of information in,
00:00
especially if they're trying to
00:00
keep the file size the same.
00:00
However, keeping that in mind,
00:00
there are ways around that,
00:00
but for our purposes,
00:00
we typed something very short in here.
00:00
You'll see that was pretty easy to find.
00:00
We were able to see the password at
00:00
the very end there or whatever word
00:00
you had chosen to use.
00:00
But that's what we're looking for in this particular lab.
00:00
If we image your suspect machine,
00:00
and we noticed a couple of photos that
00:00
are the same thing there,
00:00
then we generally are going to want to open them in
00:00
a hex editor to see what content is actually in there.
00:00
Because it might be something where this
00:00
might be the password to get in their actual laptop.
00:00
Then we can use that to get in the laptop and
00:00
actually get a stronger conviction on the bad person.
00:00
In this video, we just
00:00
wrapped up our analysis of the photos.
00:00
In the next video,
00:00
we're going to start off Module 2 for
00:00
the computer forensics investigation process and
00:00
we'll talk about things like the
00:00
pre-investigation phase,
00:00
investigation phase,
00:00
as well as the post-investigation phase.