3.14 Forensic Apps

Time
6 hours 28 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00
>> Welcome back to the Cybrary course
00:00
in building your InfoSec lab.
00:00
I'm your host and Instructor, Kevin Hernandez.
00:00
Our last lesson we installed Nexpose within
00:00
our Windows Server 2016 operating system.
00:00
Nexpose is a validity assessment tool which will help
00:00
us keep the integrity and security of our network.
00:00
In today's lesson, we'll actually go over
00:00
two more forensic applications.
00:00
Unlike our previous installation,
00:00
these are non-operating system,
00:00
but applications you can run within Windows
00:00
itself. Now let's get started.
00:00
When searching for Autopsy make sure
00:00
your Sleuth Kit has part of the search,
00:00
otherwise, it'll come over
00:00
more biological like autopsies.
00:00
[LAUGHTER] Now, one of the good things about
00:00
Google is that it'll also
00:00
show you right here to right corner.
00:00
People also search for it.
00:00
You can see that FTK is one of those options.
00:00
We're actually going to take a look
00:00
into that tool as well in this lesson.
00:00
Let's go ahead first and go to Autopsy.
00:00
Here you have a little screen of how it looks.
00:00
Let's click ''Download Now''.
00:00
Let's download the 64-bit version.
00:00
Let's wait for it to finish.
00:00
While it's doing that let's go ahead and go back.
00:00
Let's download FTK Imager.
00:00
As you can see it's right here.
00:00
Let's go to FTK Imager.
00:00
Here we go.
00:00
FTK Imager, 2017
00:00
is the release date for this particular version.
00:00
Let's go ahead and download it as well.
00:00
Now so you can see FTK Imager
00:00
does require you to sign up.
00:00
Let's go ahead and fill this up.
00:00
I'm going to pause the video while I complete this.
00:00
You can see, once you finally complete it,
00:00
it will provide you 15 minutes to
00:00
download FTK Imager to the e-mail input in the form.
00:00
This here is give or take what you'll see for FTK.
00:00
Now, let's go ahead and click on that link.
00:00
Let's click, you'll see that it will start downloading.
00:00
Now, we have actually downloaded
00:00
both of the tools we'll be looking over in this lesson.
00:00
Let's start with Autopsy.
00:00
Let's click it and wait for it to open. Setup wizard.
00:00
Next, default, install, pretty basic.
00:00
Let's give it a minute or two for it to complete
00:00
the installation. Seems pretty easy.
00:00
No additional prompts have been required from us.
00:00
Now these tools are slightly different than SIFT.
00:00
Imager itself it's more towards creating images.
00:00
It's very efficient and it puts
00:00
a write block when you're doing them right,
00:00
It's a software level, but it's still pretty good.
00:00
Now that that's installed, let's go ahead
00:00
and also take care of
00:00
FTK Imager and install it as
00:00
well so that we wouldn't have to go back and forward.
00:00
You can see it's starting to extract the data.
00:00
It's pretty much very similar installation.
00:00
Let's give it a minute and you can
00:00
see it actually completed.
00:00
Now, since we're here,
00:00
let's go ahead with FTK Imager.
00:00
Let me shrink this for a second.
00:00
Here you have FTK Imager.
00:00
Looks pretty simple and it is.
00:00
You have add evidence, image mounting,
00:00
create disk image,
00:00
capture memory, obtain protected files.
00:00
The way this works is if you, for example,
00:00
add evidence item,
00:00
here you will, for example,
00:00
copy of physical drive.
00:00
You can add a logical drive, for example,
00:00
image already drawn or like a virtual disk.
00:00
We have logical drives as well,
00:00
image files, and content of a folder.
00:00
Let's do content of a folder real quick.
00:00
Let's go ahead and click, click ''Next''.
00:00
Let's browse from the folder.
00:00
This case, I'm going to go to my desktop
00:00
and Cybrary forensics and I'll click ''Finish''.
00:00
You can see now here in the left side,
00:00
we actually see the folder.
00:00
Let me go ahead and turn on
00:00
my mouse pointer for this lesson.
00:00
Now you can probably see my mouse so let's expand.
00:00
You can see that there's a test folder in it.
00:00
Once you click on it,
00:00
you can actually see the test file.
00:00
Here it's a content of the file.
00:00
Very basic tool.
00:00
With it you can actually capture RAM and other things.
00:00
You can click here, capture the whole RAM.
00:00
You click on Autopsy,
00:00
it's loading right now.
00:00
This is a little bit slower loading
00:00
than after chaos you can see
00:00
but they do have a cool logo.
00:00
[LAUGHTER] For some reason it reminds me of John Wick,
00:00
I don't know why, but it does.
00:00
Here we go, it's fully loaded
00:00
so let's create a new case.
00:00
Actually this looks like
00:00
an EnCase competitor type approach so far.
00:00
Let's go test case.
00:00
Let's put the base directory as Cybrary cases.
00:00
This is going to be a single user.
00:00
Let's click ''Next''. You're going
00:00
to see you can add more information.
00:00
Let's do the date.
00:00
Type of case number.
00:00
[NOISE] In case you have more than one case per day,
00:00
we'll add three numbers and access my information;
00:00
Kevin, let's see 555-5555,
00:00
like in the movies, myemail@email.com.
00:00
Notes; this is a test. Now, let's hit ''Finish''.
00:00
Now it's creating our case.
00:00
That's taken care of. Let me actually shrink
00:00
the screen so it can fit the recording window.
00:00
There we go. Now you
00:00
can see you can actually
00:00
do it this image like previously,
00:00
local disk, and unallocated space image file.
00:00
Let's click on this one. We can
00:00
do a similar type of approach.
00:00
Let's click ''Next''. Let's search a 40 file.
00:00
This case I actually added the file itself.
00:00
You can see it can break into three gigabytes chunks.
00:00
In this case,
00:00
it's a very small file, so we don't need to do that.
00:00
Next, you can see it's
00:00
already pulled the file in the background.
00:00
Like FTK, you do have a lot of
00:00
tools in here like hashes,
00:00
file type identification,
00:00
all those different parameters,
00:00
I say Next,
00:00
so we process the data.
00:00
In the bottom right corner,
00:00
you should see a processing progress bar.
00:00
Sadly, I didn't have
00:00
enough time to shrink this by the time it was done.
00:00
Here you can see the sector size,
00:00
type of image, device ID.
00:00
Here you can see the values.
00:00
Here you see the text content that we saw earlier.
00:00
The basic difference between these and FTK Imager,
00:00
FTK itself is more who
00:00
guarding the capturing or creating images.
00:00
While this, for example,
00:00
is more of a full blown forensic tool,
00:00
it is really good.
00:00
If you're into forensics or
00:00
like to discover more towards forensics,
00:00
I will highly recommend it.
00:00
It's a very interesting field,
00:00
especially if you have that detective or
00:00
investigation type of feeling in
00:00
your career. I highly recommend it.
00:00
In this lesson we actually
00:00
installed an Autopsy on auto sign and FTK Imager,
00:00
which are free to use for personal usage.
00:00
These are great alternatives.
00:00
If you want to do very light forensics
00:00
or at least capture content,
00:00
without the requirements of
00:00
having a fully deployed operating system,
00:00
I say it was with a previous option.
00:00
In our next lesson, we'll actually go over
00:00
Module 4 connecting and configuring our labs.
00:00
Hope to see you soon, have a great day.