Hard Disks and File Systems Part 6

00:01

Hey, welcome back to the course. So in the last video, we talked about H f s H infest plus and then also the different raid levels.

00:09

In this video, we're gonna go over file carving as well as different image files was going to talk about the Sleuth kit and some different commands we can use.

00:19

So file carving. So as the name implies, we're basically kind, kind of, ah, carving out information. So essentially, we're just reconstructing information from different file fragments. We can use many, many different tools, and now some people like to use, you know, command line tools. But generally, most people use gooey interfaces.

00:39

So some different tools you can use it again.

00:42

Not an all inclusive list here, but OS Forensics Data lifter and a simple carver Sweet

00:48

again. Many of the forensics tools out there that you'll use, like in a day to day job, are gonna have some component built in that allow you to do file carving.

00:59

We have different types of image files on many of these were probably all of these you've seen before. So J. Paige bit map gift and then PNG.

01:07

So for J. Paige, just So, you know, for the exam, make sure you understand Joint Photographic Experts Group is what it stands for. Also, the J. Paige uses lossy compression and then at boasts 90%. They were up to 90% compression rates.

01:23

Another key thing to remember for your examination is that the hex value of J Peg file starts with F f D eight f f so very important for the exam that you understand image files and understand the hex value that they start with.

01:38

Next up, we have bit map. So this one's for Windows on. Then a hex value here starts off with 4 to 4 D. So again, just another thing you just want to keep in mind. So as I mentioned just a moment ago, make sure you understand the hex values of these image files. What they start with,

01:59

we have gift or graphics interchange format. Now this one has a bits per pixel 256 color per frame. It supports lossless data compression, and then the hex value. Here is 474946 So, again, starting off with that hex value, make sure remember I said

02:17

PNG or portable network graphic. So this one uses a lossless image format and it was intended are brought about to, ah, replace gift and tiff. If you're not familiar with tiff tact, image file format.

02:30

Hex value here is 89 54 e is an echo, so just keep that in mind as well.

02:37

And so we kind of talked about here like lossy compression, lossless, compression. So, like, what is that stuff? Right, So lossless compression is mostly seen with Giffen PNG eventually that reduces the file size without removing data. Right? So if we if we un compress that file, there's really nothing lost

02:54

Whereas lost Lee it personally discards bits of information, right? So we may not notice necessarily, like in a J Peg photo that, as we know, unzipped it that bits of information are gone. However, if we blow it up right, well, see the different issues with picks, elation. So that's where we see kind of the main difference there

03:14

and the different tools we can use for a lossless. Our winds up peek a zip,

03:17

stuff it and freeze it. And again, not an all inclusive list.

03:23

So this loosely it we talked about this a little earlier in module to but here we're just gonna talk about the different command. So you'll just wanna kinda memorize these for the examination.

03:35

The first stat.

03:37

Istat f l s an image that s o again. F s status displays that general information about a file system. The metadata data details are Istat directory names or file names are F l s. And then details of an image file, which the name on kind of

03:55

leads you to believe it is

03:58

is I am G underscore staff.

04:01

So just one quick post assessment question S o this t s k command displays general details about the file system. So which one is that

04:13

***? If you guessed answer. See, You are correct. That's actually the only T s K command on this list. The other one's air image files.

04:20

So this video we talked about image files, file carving as well as the sleuth kit commands