Recovering Graphics Files Lab Part 2
Video Activity

Video Transcription
00:00
>> Hey everybody. Welcome back to the course.
00:00
In the last video,
00:00
we downloaded and extracted
00:00
our USB folder and
00:00
file that we're going to be
00:00
using for the rest of the lab.
00:00
In this video, we're going to
00:00
go ahead and continue on with
00:00
the lab and analyze the information in that folder.
00:00
Let's go back to our lab document here.
00:00
On the desktop, what we're
00:00
going to do is we're going to double-click
00:00
on the ProDiscover shortcut icon.
00:00
Then, we're going to get a little pop-up
00:00
box as soon as it opens up,
00:00
regarding the launch dialogue,
00:00
we're just going to say Cancel to that pop-up box.
00:00
Let's go ahead and do that now.
00:00
It's going to be this ProDiscover Basic 64 icon here.
00:00
It looks like a guy with
00:00
a little magnifying glass and a hat.
00:00
Just go ahead and double-click on that.
00:00
It's going to take a moment or so to launch for you.
00:00
Then you're going to see this launch dialog box here.
00:00
Just go ahead and click on
00:00
the Cancel button at the bottom.
00:00
Let's go back to our lab document.
00:00
Now what we're going to do, we're going to
00:00
select the New Project button
00:00
that's at the top left of this window.
00:00
It's going to be this little piece
00:00
of blank paper looking icon.
00:00
You'll see if I hover my mouse
00:00
over it, it says new project.
00:00
Go ahead and click on that. It's going
00:00
to give us a new project pop-up box here.
00:00
Here in step 4, the pop-up box is
00:00
opened and now we're just going to in step 5 and
00:00
step 6 under the project number and
00:00
also the project file name in those boxes,
00:00
we're going to type the same thing.
00:00
We're going to type C08InCHp.
00:00
Let's go ahead and do that now.
00:00
C08InChp.
00:00
We'll do the same thing for this one here as well.
00:00
Let's go back to our lab documents.
00:00
We've typed those in now in steps 5 and 6.
00:00
In step 7, we're just going to
00:00
select Okay and then we're
00:00
going to be back at the tool
00:00
where we'll choose some other options here.
00:00
We're just going to say Okay to that.
00:00
Now, we're going to go to
00:00
the top and we're going to select Action.
00:00
From the very top menu there,
00:00
we're going to select Add and then we're going
00:00
to select Image file.
00:00
Then what we'll see is a pop-up box will open for us.
00:00
Let's go ahead and do that now.
00:00
We're going to select Action,
00:00
we're going to select Add,
00:00
and then we're going to select Image File.
00:00
You'll see we have a pop-up box here.
00:00
Now what we're going to do,
00:00
we're going to navigate to this location.
00:00
If you notice, it's going to be where we saved
00:00
that USB file, so the C:\Work\Data files\Ch08,
00:00
and then all the way to our USB folder.
00:00
Let's go ahead and do that now.
00:00
We're going to scroll down, we're going to
00:00
select our C Drive,
00:00
we're going to select Work by double-clicking on it.
00:00
Same with data files, we'll double-click to open that.
00:00
We're going to double-click on Chapter 8,
00:00
and then double-click on our USB folder.
00:00
In there, you see several files.
00:00
Let's go back to our lab document.
00:00
We see in step 11 here we want to select a file
00:00
that's labeled as jo-favorites-usb-2009-12-11.E01.
00:00
Let's go ahead and look for that one.
00:00
We're looking for jo-favorites,
00:00
and you'll see there's only one that's labeled like that.
00:00
jo-favorites-usb-2009-12-11.E01.
00:00
We're going to select that and then just say Open.
00:00
Now, we're at step 12 of our lab document.
00:00
Now we're going to go back to the top
00:00
of our screen there in step
00:00
13 and select Action and then select Search.
00:00
Let's go ahead and do that now.
00:00
We're going to select Action at
00:00
the top and then
00:00
we're going to select the Search option,
00:00
just about a quarter of the way down here.
00:00
It's going to give us this pop-up box here.
00:00
Let's go back to our lab document.
00:00
In step 14, we want to make sure we select
00:00
the Cluster Search tab
00:00
and then we're going to mark the case sensitive checkbox.
00:00
Let's go ahead and do that.
00:00
Here we want to make sure we click on
00:00
the Cluster Search tab and then down here at the left,
00:00
we want to select the case sensitive checkbox.
00:00
Just go ahead and click in there and it'll
00:00
check the checkbox for us.
00:00
Let's go back to our lab document.
00:00
Now, in the search for patterns checkbox,
00:00
we want to type FIF. Let's go ahead and do that.
00:00
In the search for patterns,
00:00
we're going to type FIF.
00:00
Let's move on to the lab document again.
00:00
Here in step 17, under the select the disk images,
00:00
you want to search in box.
00:00
We're going to select this option.
00:00
It's going to be this one
00:00
that ends in jo-favorites-USB-2009
00:00
, etc., E01.
00:00
You'll see it's going to be this top one here.
00:00
Now, we don't want to select this one,
00:00
you'll see it ends in the C drive,
00:00
we just want to select that top one there.
00:00
Then our next step here is just
00:00
click on the Okay button.
00:00
What that's going to do is a search is just going to start
00:00
for us and it's going to take a minute or two,
00:00
probably about 30 seconds is
00:00
probably what it will take.
00:00
We'll take a look here. Just go ahead and say,
00:00
Okay here, you will see at the bottom
00:00
it starts initiating that search for us.
00:00
You'll see the little taskbar go in there.
00:00
We're just going to let that run.
00:00
You'll see it didn't take too
00:00
long to pull up the results for us.
00:00
The first thing we're going to do here in step 20,
00:00
once we're done with the search,
00:00
again, it might take 30 minutes or
00:00
maybe even a couple of minutes depending on your system,
00:00
we're going to click on
00:00
the very first search result
00:00
and then what we're going to see is
00:00
we're going to see the hex of
00:00
that particular file or item in the bottom window.
00:00
We're just going to select this top
00:00
one here. Let's go ahead and click on that.
00:00
You'll see all the hex here.
00:00
Now, what we want to do is we
00:00
want to scroll down and look for the FIF.
00:00
Remember, we search for FIF,
00:00
so we want to scroll down and look
00:00
where we see that highlighted.
00:00
Here in step 22,
00:00
we're going to use a scroll bar on
00:00
the right side to scroll down until we
00:00
see the FIF and see where it's highlighted in blue.
00:00
Let's go ahead and do that now.
00:00
We'll just use the scroll bar on the right side here.
00:00
I'm going to scroll down a little bit here.
00:00
We're just looking for FIF in blue.
00:00
You'll see right there,
00:00
we see the blue highlighting,
00:00
and we see here that we have the FIF.
00:00
Let's go back to our lab document.
00:00
Now, what we want to do in step
00:00
23 on the left side of the page,
00:00
we're going to expand the images options.
00:00
We'll click the little Plus sign.
00:00
Under the cluster view,
00:00
we're going to do that again by clicking
00:00
the Plus sign to the left of it.
00:00
Let's go ahead and do that now.
00:00
On the left side here under cluster view,
00:00
we're going to expand the images.
00:00
This little plus sign right
00:00
here, go ahead and click on that.
00:00
Let's go back to our lab document here.
00:00
Now we're going to expand the C:\Work\Data
00:00
files\Ch08 by also clicking
00:00
the small Plus sign to the left of it.
00:00
Let's go ahead and do that.
00:00
This one right here,
00:00
just click the little Plus sign to
00:00
the left and then you'll see we have the C drive.
00:00
Go ahead and just click on the C.
00:00
You'll see all sorts of pretty colors there.
00:00
Let's go back to our lab document.
00:00
Now, what we're going to do is we will see a text box,
00:00
it's going to be on the right side.
00:00
Then we're going to type in AC4.
00:00
So A, C,
00:00
and then the number 4 here in step 26.
00:00
Then we're going to select the Go option.
00:00
Let's go ahead and do that now.
00:00
We're going to want to scroll
00:00
over to the right side here,
00:00
this little text box right here,
00:00
we're just going to type in AC4
00:00
and then just click on Go.
00:00
What that's going to do is search for
00:00
the AC4 box in all of this,
00:00
you'll see we've got the number 4 right
00:00
here and we've got the AC there as well.
00:00
Let's go back to our lab document.
00:00
We see in step 28,
00:00
we see that the AC4 is highlighted in red for us.
00:00
Now, we're going to right-click on
00:00
that red square and select Find File.
00:00
Let's go ahead and do that.
00:00
Just right-click on this little square right
00:00
here and just select the Find File option.
00:00
It might take a moment or
00:00
so and you'll see a pop-up box opens up for us.
00:00
We should see that AC4
00:00
2756 should be selected. Do we see that?
00:00
Yes, we do. It's already selected for us.
00:00
We also see that the indicated file path
00:00
shows a name DSC00018.
00:00
If you notice here on the top right, DSC00018.
00:00
Let's go back to our lab document here.
00:00
In step 32, we're going to click the Show File button.
00:00
Let's go ahead and do that. Now,
00:00
you notice that the view in the background
00:00
there changed for us.
00:00
It's showing us under the content view now.
00:00
Let's look back at our lab document.
00:00
In step 33, it's just another location that hey,
00:00
the view has changed to the content view folder.
00:00
Now we're going to click Close on the pop-up box there.
00:00
Then, we see that we have all these files that start
00:00
in DSC00012, 13,
00:00
14, 00008, 00009, etc.
00:00
Step 35, yes,
00:00
we do see that we have files starting in all that.
00:00
In step 36, we're going to look
00:00
for the file that's labeled as
00:00
DSC00018 and then we're
00:00
going to right-click on it and select Copy.
00:00
This one right here, this DSC00018.
00:00
Go ahead and click on that.
00:00
Right-click and say Copy File.
00:00
A little pop-up box comes up for us.
00:00
We get the Save As pop-up box.
00:00
We're going to change this name to
00:00
Recovery1 and then we'll click
00:00
the Save button. Let's go ahead and do that.
00:00
Now, we're just going to type in
00:00
Recovery1 and then just click on the Save button there.
00:00
Let's go back to our lab document.
00:00
We've already saved it here,
00:00
we've clicked the Save button and renamed it.
00:00
Next, we're going to go ahead and just close
00:00
the ProDiscover tool for
00:00
this portion of the lab and we're going to select
00:00
exit at the top menu.
00:00
It's going to ask us, do you want to save this?
00:00
We're just going to say yes when we're prompted.
00:00
Then we'll click the Save button and
00:00
then it should close off the tool for us.
00:00
Then in the next video,
00:00
we'll go ahead and continue on with the lab.
00:00
Let's go ahead and do that now.
00:00
We're going to come to the very top here,
00:00
select File, then Exit.
00:00
It's going to ask this, do you want to
00:00
save the project before quitting?
00:00
We'll say yes to that.
00:00
It's going to give us the default path and everything.
00:00
Just click on the Save button here.
00:00
Then it'll take a moment or so, but you'll see that
00:00
ProDiscover goes ahead and closes this for us.
00:00
In this lab, we just went ahead through analyzing
00:00
that USB file that we had downloaded and extracted.
00:00
In the next video, we're going to go ahead and
00:00
continue on with our analysis of that file.