Time
4 hours 15 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
Hi, welcome back to the course. So in the last module you learned what an image is and its importance in a forensic investigation, and how you can check the integrity of an image file. We also went over some of the physical and logical structure of the Windows operating system.
00:14
In this module, we're going to keep studying imaging, but from a different perspective. Do you know what dd is? How can we use it in a forensic investigation? We will see what it really can do and how you can take advantage of it.
00:29
So before starting, a quick pre-assessment question for you:
00:34
What's the main purpose of dd?
00:36
Do you think it is A) convert and copy files, or B) analyze the evidence in court, or maybe C) create books and viruses,
00:45
or D) test the integrity of a file?
00:49
If you said A, convert and copy files, you're correct. It is true that dd can also be used for creating images, as we will analyze later in this video.
01:00
Okay, but what is dd?
01:02
dd is a utility that copies files from the standard input to the standard output by default,
01:07
with a user-selectable block size, while optionally performing conversions on it.
01:14
It reads the input one block at a time,
01:18
using the specified input block size.
01:19
It then processes the block of data actually returned,
01:23
which could be smaller than the requested block size.
01:27
It shall apply any conversions that have been specified and write the resulting data to the output in blocks of the specified output block size.
01:36
You can use this command for copying partial files.
01:40
You can specify the block size, the skip count,
01:42
and the number of blocks to copy.
01:46
Sizes are in bytes by default. You can append a letter w, b or k to a number to indicate words, which are two-byte blocks,
01:57
b, which is 512-byte blocks, or k,
02:00
which is 1024 bytes.
02:04
When dd finishes, it reports the number of full and partial blocks read and written.
02:08
Although dd is a command-line utility originally for UNIX-like operating systems, there is a version which allows the flexible copying of data under a Windows environment.
02:21
This is the structure of a dd command.
02:23
bs is the block size.
02:27
The block size can be specified in bytes.
02:30
If the block size operand is specified and no conversion is requested, the data returned from each input block shall be written as a separate output block.
02:40
If the read returns less than a full block, the resulting output block shall be the same size as the input block.
02:50
If the bs expression operand is not specified or a conversion is requested, the input shall be processed and collected into full-sized output blocks until the end of the input is reached.
03:01
The default block size is 512, which will work for most files and devices, but the copy will be a lot faster if you use a larger block size. For example, a floppy disk read with bs=1k and count=1440
03:22
takes almost twice as long as if you use bs=1440k and count=1.
03:30
Don't make the block size too large, because Windows will run out of memory. 1M is probably a good size and upper limit. Most CDs or DVDs have a 2k sector size and probably will not work with a block size which is not a multiple of that.
03:47
count is the number of blocks to copy. If it is not specified, then dd will continue until the end of the file or device is reached.
03:59
On many USB devices this is not reliable, so you should use --size to guess the size of the device.
04:05
You can also use a suffix here, so count=1k will copy 1024 blocks.
04:15
if, which means input file: specify the input pathname. The default is the standard input.
04:23
of,
04:25
which means output file: specify the output pathname. The default is the standard output.
04:30
skip is the distance to skip over in the input file before reading is commenced.
04:36
It is in blocks, so the distance will be skip multiplied by the block size.
04:42
You can also use the suffix here, so skip=1k will skip 1024 blocks. You can remember that skip relates to the input file by thinking of a skipping rope.
04:54
seek is the distance to seek over in the output file before writing is commenced. It is also in blocks, so the distance will be seek multiplied by the block size. You can also use a suffix here, so seek=1k will seek 1024 blocks. You just have to remember that skip
05:14
is for in, then seek is for out.
05:17
Traditionally, when using dd, if you want to copy an entire device, you don't specify a count and dd will read until the end of the device. If you try to read past the end of the device, the data up to the end of the device will be returned, and if you keep reading, you would get an error message.
05:36
Windows, however, does not always do this,
05:40
so --size will tell dd to figure out the size of the device and make sure it does not read past that point. This is important for USB sticks, which stop working if you read past the end.
05:54
This is not on by default because getting the correct size of the device is not always possible. Some devices also keep returning fake data past the end of the device without returning a suitable error code.
06:08
Windows provides a number of ways to name a device. The --list command will output the preferred names and their links. The Device\Harddisk\Partition naming method is available, Partition0 being the entire disk.
06:24
Under Windows XP, some partitions may not have a volume device. In this case, you can still use the Harddisk and Partition name.
06:33
Windows 2000 and later have volume devices, which are unique and identify a disk or partition.
06:42
These are listed along with any mount point that they may be mounted on. Most of the time this is a drive letter, but it might be a path on another file system. If you want to read from the volume device, do not include the trailing backslash character. If the volume is not mounted, there is no easy way to identify it, so be careful.
07:00
On XP SP2 and later,
07:02
many partitions cannot be read directly even if they are not mounted.
07:10
--progress is a non-standard enhancement to dd which will show you the progress as each block is copied.
07:16
The processing order in dd shall be as follows. First, an input block is read. Second, if the input block is shorter than the specified input block size, null bytes shall be appended to the input data up to the specified size. The remaining conversions and output shall include the pad characters
07:34
as if they had been read from the input.
07:39
If the block size operand is specified and no conversion is requested, the resulting data shall be written to the output as a single block and the remaining steps are omitted.
07:50
Any remaining conversions shall be performed. These conversions shall operate on the input data independently of the input blocking. The data resulting from input or conversion, or both, shall be aggregated into output blocks of the specified size. After the end of the input is reached,
08:07
any remaining output shall be written as a block without padding.
08:11
Thus, the final output block may be shorter than the output block size.
08:16
Here's a quick question for you.
08:20
What can be done using dd? A) make an image of a floppy disk, or B) rip an ISO from a CD,
08:28
or maybe C) read a partition from a USB memory device, or D) all of the above?
08:33
If you said D, all of the above, you are right. Let's see some examples of how to perform these activities.
08:41
Here you can see some examples.
08:43
For making an image of a floppy disk, you can specify A: as the input file, as this is the letter used in Windows for floppy disks. The same goes for writing the image back; in this case, the letter A: needs to be in the output file.
09:00
The example for ripping an ISO from a CD: the common device cdrom0 as the input file will tell dd that the input is a CD.
09:11
For reading a partition from a USB memory device, in the following example you should specify the unique volume identifier as the input.
09:20
But if you read the entire USB memory device, just specify the device Harddisk1 and Partition0 for the input.
09:28
You can write to any file or block device which Windows will allow you to write to.
09:35
You can use the standard \\.\ notation for Windows-supported devices, or the media-specific \\?\ notation to access Windows native devices.
09:46
You cannot write to a CD with this program. You should get Microsoft's cdburn from the Windows XP Resource Kit.
09:52
Note that floppy disks are extremely unreliable. If you get errors, try another floppy disk or reformatting the disk.
10:01
Please don't forget to check out the references and the supplementary material. In the next video, we're going to do some exercises to practice the dd commands which we have analyzed.
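The block below is an added example, not part of the instructor's transcript or the course material. It exercises the bs, count, skip and seek operands the module describes, and the integrity check of an image, with a POSIX dd against a constructed 4096-byte sample file that stands in for a device (the operand semantics are the same as in the Windows port, only the device names differ). The helper names (make_sample_disk, image_device, read_sector, copy_sectors, verify_image) and the sample layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the course's own code). Demonstrates dd block arithmetic
# and image verification on a constructed sample file instead of a real device.
# Needs only POSIX tools: dd, printf, tr, cut, wc, cksum, mktemp.

SECTOR=512          # dd's default block size, as described in the module
SECTORS=8           # constructed sample "disk": 8 * 512 = 4096 bytes

# Build the sample "disk": sector n is filled with the digit n, so any sector
# can be recognised from its first byte. (Constructed data, not a real image.)
make_sample_disk() {
    : > "$1"
    n=0
    while [ "$n" -lt "$SECTORS" ]; do
        printf '%512s' '' | tr ' ' "$n" >> "$1"
        n=$((n + 1))
    done
}

# Image the whole source into the output file block by block (no count, so dd
# reads to the end of the input) and print the size of the resulting image.
image_device() {
    dd if="$1" of="$2" bs="$SECTOR" 2>/dev/null
    wc -c < "$2" | tr -d ' '
}

# Print the first byte of sector $2 of file $1. skip= is counted in input
# blocks, so skip=N with bs=512 starts at byte N*512; count=1 reads one block.
read_sector() {
    dd if="$1" bs="$SECTOR" skip="$2" count=1 2>/dev/null | cut -c1
}

# Copy $4 sectors starting at sector $3 of $1 into $2, placing them at sector
# $5 of the output: skip= applies to the input, seek= to the output.
copy_sectors() {
    dd if="$1" of="$2" bs="$SECTOR" skip="$3" count="$4" seek="$5" conv=notrunc 2>/dev/null
}

# Integrity check of an image: compare CRC and length from cksum.
# Prints "match" when the image is byte-identical to its source.
verify_image() {
    a=$(cksum < "$1")
    b=$(cksum < "$2")
    if [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

# Demonstration run on the constructed sample.
WORK=$(mktemp -d)
make_sample_disk "$WORK/disk.bin"
echo "image bytes:   $(image_device "$WORK/disk.bin" "$WORK/disk.img")"
echo "integrity:     $(verify_image "$WORK/disk.bin" "$WORK/disk.img")"
echo "sector 5:      $(read_sector "$WORK/disk.img" 5)"
copy_sectors "$WORK/disk.bin" "$WORK/partial.img" 2 3 0
echo "partial bytes: $(wc -c < "$WORK/partial.img" | tr -d ' ')"
rm -rf "$WORK"
```

The partial copy illustrates the point the module makes about skip and count: three sectors starting at sector 2 give a 1536-byte file whose first sector is the source's sector 2, and its checksum no longer matches the source, which is exactly why a full image is verified against the original before analysis.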

Up Next

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor