Time
4 minutes
Difficulty
Intermediate

Video Transcription

00:05
Hello. Welcome back to Breaking Stuff with Joe, here on Cybrary On Demand. Today we're going to be talking about the tool binwalk. Binwalk is a great forensic utility for examining firmware images and extracting executables, images, file types, different file types, just anything you might be able to pull from a firmware image
00:24
this is capable of doing.
00:26
It's a really simple tool to use, very, very effective, and it's a great way to do that sort of first-pass scan of any target of forensic activity if you have a firmware image. So we're going to see how easy it is to use, we're going to see how useful it is, and we're going to actually show it in use here on Breaking Stuff with Joe.
00:45
As usual, here we are back in our Kali VM. Now, you may note that this text on the screen is a little bit smaller than usual, a little bit tougher to read. There's a good reason for that; you'll see in just a second. So, as I said before in the intro, we're looking at the tool called binwalk today,
01:00
and it's a quick look because it's a pretty easy tool to use at its most basic level. All binwalk is really doing is searching through
01:06
a given binary image. Generally speaking, firmware images are what you're looking for, and it's just
01:12
hunting for any file signatures, any images, any files that it can find
01:17
inside of that firmware.
01:19
So we're gonna go ahead. We're going to just do a quick example
01:23
to see how you could use this tool. Now, I downloaded a firmware file off of the Intel website pretty much at random,
01:30
and we're going to go ahead and just run it against that.
01:33
So first, just to get a look at all the different options you have within binwalk, because it is a pretty hefty tool, you can see that it will attempt to extract known file types if you give it that opportunity. It will attempt to calculate file entropy. You can find all sorts of different signatures, which is what we're going to be looking for in this case. So we're going to be using this -B option here in just a second
01:53
to find common file signatures.
01:55
You also have disassembly scan options, binary diffing options. This is a very robust tool that can perform very in-depth forensic analysis on this binary that we have access to. In this case, we really just want to take a quick look and see what we can pull out at an initial scan, and see what information we can gather with basically no work.
02:14
We're going to go ahead and run binwalk
02:15
capital -B, and then we'll just auto-complete with this file. Again, this is just a firmware image that I pulled down from Intel,
02:23
and you can see this is why we didn't zoom in. So if you zoom in, the, uh, yeah, it becomes very, very difficult to read.
02:34
So here you can see we've got a few different pieces of information. We have
02:38
the decimal location, the hexadecimal location, and we have a description of what was found there. So this is again just looking for common file signatures, and as soon as it finds one, it reports the location both in decimal and hexadecimal, and then it gives you a description. So it's got ARJ archive data. So these are archives;
02:55
you can see most of the files it found were archives, with some exceptions.
02:59
We have two copyright strings here, both saying copyright from Intel,
03:04
and you can see that we've got sort of an initial look at all the different
03:07
pieces of file information already in here. You can see over here we've got the original names of these different files that have been turned into archives. You can see that the OS is MS-DOS, it's for a Windows system, the compressed file size, versions. You can do some in-depth, some digging into these ARJs.
03:24
And of course, because we know where they are, and we know that binwalk is able to identify them very easily, we could extract those actual archives and start digging through them.
03:32
Now, that would be the subject of a much more focused and, of course, much longer course. But that's the sort of work that you could start doing and start playing around with this tool on your own time, and then, you know, in some of the labs that we have available here on Cybrary. So that's all there is for this tool, binwalk. Again, it is a tool for forensic examination
03:49
of firmware images, or really any binary, but most specifically and most generally
03:53
firmware images. Thank you all for watching. This has been Breaking Stuff with Joe on Cybrary On Demand.

How to Use binwalk (BSWJ)

In this course, you will learn the fundamentals of binwalk, a popular analysis tool for finding executable code and embedded files inside binary files such as firmware images. The files it identifies and extracts are the starting point for examining and attacking IoT devices, or any device that relies on code embedded in hardware.
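As an added example (not binwalk's own code, and not from the video), here is the basic signature scan the instructor demonstrates with `binwalk -B`, reduced to a handful of hard-coded magic sequences in Python: it walks a binary, reports each hit's decimal offset, hexadecimal offset and a description, and parses a few header fields so that ARJ entries show the original name, host OS and compressed size the way the video's output does. binwalk itself uses a far larger signature database and its own description format; the ARJ, gzip and ELF header layouts below follow the public format specifications, and the sample "firmware" blob, its file names and its copyright string are constructed here, not taken from the Intel image.

```python
"""Minimal file-signature scanner in the spirit of binwalk's -B scan (added example)."""
import re
import struct
from dataclasses import dataclass

# Host-OS codes from the ARJ header specification.
ARJ_HOST_OS = {0: "MS-DOS", 1: "PRIMOS", 2: "Unix", 3: "Amiga", 4: "Mac OS", 5: "OS/2",
               6: "Apple GS", 7: "Atari ST", 8: "NeXT", 9: "VAX VMS", 10: "Win95", 11: "Win32"}


@dataclass
class Hit:
    offset: int
    description: str


def describe_arj(data: bytes, off: int):
    """Validate and describe an ARJ local file header at `off`; None if it is a false positive."""
    if len(data) < off + 34:
        return None
    basic_size = struct.unpack_from("<H", data, off + 2)[0]
    (first_hdr_size, version, min_version, host_os, _flags, method, file_type, _reserved,
     _mtime, csize, osize, _crc, _entry_pos, _mode, _host_data) = struct.unpack_from("<8B4I3H", data, off + 4)
    # A bare 2-byte magic (0x60 0xEA) fires constantly in a large image; header sanity checks
    # reject most of those hits, which is the same idea behind binwalk's signature constraints.
    if first_hdr_size < 30 or basic_size < first_hdr_size or basic_size > 2600:
        return None
    if version == 0 or host_os not in ARJ_HOST_OS or file_type > 5:
        return None
    name_start = off + 4 + first_hdr_size                 # filename follows the fixed part
    name_end = data.find(b"\x00", name_start, off + 4 + basic_size)
    if name_end < 0:
        return None
    name = data[name_start:name_end].decode("ascii", "replace")
    return (f"ARJ archive data, v{version}, minimum version to extract {min_version}, "
            f"original name: {name}, os: {ARJ_HOST_OS[host_os]}, method {method}, "
            f"compressed size: {csize}, original size: {osize}")


def describe_gzip(data: bytes, off: int):
    """gzip member: ID1 ID2 CM FLG MTIME(4) XFL OS, then optional fields selected by FLG."""
    if len(data) < off + 10 or data[off + 2] != 0x08:     # CM must be deflate
        return None
    flags = data[off + 3]
    desc = "gzip compressed data"
    if flags & 0x08 and not flags & 0x04:                  # FNAME set and no FEXTRA before it
        end = data.find(b"\x00", off + 10)
        if end > 0:
            desc += f", original name: {data[off + 10:end].decode('latin-1')}"
    return desc


def describe_elf(data: bytes, off: int):
    if len(data) < off + 16:
        return None
    ei_class, ei_data = data[off + 4], data[off + 5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    return f"ELF, {32 if ei_class == 1 else 64}-bit {'LSB' if ei_data == 1 else 'MSB'} executable"


# (magic bytes, describer). A real signature database has hundreds of entries.
SIGNATURES = [
    (b"\x60\xea", describe_arj),
    (b"\x1f\x8b", describe_gzip),
    (b"\x7fELF", describe_elf),
    (b"\x89PNG\r\n\x1a\n", lambda d, o: "PNG image"),
    (b"PK\x03\x04", lambda d, o: "Zip archive data"),
]
COPYRIGHT_RE = re.compile(rb"Copyright[\x20-\x7e]{0,64}")  # printable run after the keyword


def scan(data: bytes):
    """Return all signature hits in `data`, sorted by offset."""
    hits = []
    for magic, describe in SIGNATURES:
        pos = data.find(magic)
        while pos >= 0:
            desc = describe(data, pos)
            if desc:
                hits.append(Hit(pos, desc))
            pos = data.find(magic, pos + 1)
    for m in COPYRIGHT_RE.finditer(data):
        hits.append(Hit(m.start(), f'Copyright string: "{m.group().decode("ascii", "replace")}"'))
    return sorted(hits, key=lambda h: h.offset)


def report(hits):
    lines = [f"{'DECIMAL':<14}{'HEXADECIMAL':<16}DESCRIPTION", "-" * 80]
    lines += [f"{h.offset:<14}{'0x%X' % h.offset:<16}{h.description}" for h in hits]
    return "\n".join(lines)


def build_arj_header(name, host_os=0, csize=0, osize=0, version=11, min_version=1):
    """Constructed ARJ file header (no payload) for the sample image."""
    fixed = struct.pack("<8B4I3H", 30, version, min_version, host_os, 0, 1, 0, 0, 0, csize, osize, 0, 0, 0, 0)
    basic = fixed + name.encode("ascii") + b"\x00" + b"\x00"   # filename + empty comment
    return b"\x60\xea" + struct.pack("<H", len(basic)) + basic + b"\x00" * 4 + b"\x00\x00"  # CRC, ext size


def sample_firmware() -> bytes:
    """Constructed blob standing in for a firmware image (not a real Intel file)."""
    pad = lambda n: b"\xff" * n
    blob = pad(64)
    blob += b"Copyright (c) 2019 Example Corp.\x00" + pad(31)                      # offset 64
    blob += build_arj_header("BIOS.ROM", host_os=0, csize=1024, osize=4096) + pad(40)  # 128
    blob += b"\x1f\x8b\x08\x08" + b"\x00" * 6 + b"kernel.bin\x00" + pad(32)        # 218
    blob += b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + pad(32)                     # 271
    blob += build_arj_header("FLASH.EXE", host_os=11, csize=2048, osize=8192)       # 319
    blob += b"\x60\xea\x00\x00" + pad(40)   # stray magic with basic size 0: must be rejected
    return blob


if __name__ == "__main__":
    print(report(scan(sample_firmware())))
```

The stray `0x60 0xEA` at the end of the sample is why the header checks matter: on a multi-megabyte image a two-byte magic alone produces pages of false ARJ hits, and the same validation idea is what lets a signature scan stay readable before you move on to extraction (`binwalk -e`) of the archives it found.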

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor