Image Forensics Capstone Lab: Examining the Image
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
hi and welcome to everyday digital forensics. I'm your host, your son, he said In today's episode, we're gonna be going over the image Forensics Capstone Lab.
In today's video, we're gonna go over
the image Forensics capsule. Mom,
talk about the initial set up and then
performing demo of analysis of the file.
So this video uses the
image. Forensics comes on lab in order to create an image with FBK Imager. You may have seen us in the previous module where we actually perform that image
of another system.
Now we're gonna take a step further and examine the image
that was created.
So if you recall the initial lab set up is
using Windows seven
well used to this management created partition ISI and call that Dr E will extract image your light and move that over. T Dr will open after Kate imager in the drive and create the image using FCK.
And this is the point in which we had stopped in her previous module.
If you recall module three, we went through the process of creating the image using
the access data. After can amateur. We're at the point in which the image is complete, and we received the drive Image verification results. Look in the report. We can see that it's broken down into different sections. Your MD five hash, your Charlotte hash and your bad sector lists. You will use this information in this report for investigation documentation.
You will want to identify what your hash values were before the images copied
for your notices process.
Before we move forward with the analysis, let's check the image. Summary details
The summary did tells, gives us in addition information about our image such as physical, this size, details, case information
and any of those
inputs during the initial start of using abdicate
When you scroll down, you also get information
about the image such as segment list. How many segments that I create in order to create the image when the accusation started finished and when the verification results on the image and their time stamps, As you can see on the screen,
these details should be copied and pasted over to your report,
not moving over to autopsy.
We'll use the image to perform some analysis.
We're gonna create a new case Neymar case, select Arby's Directory, and in this case, it's gonna be E image investigation directory
moving on to the next free.
We're gonna go ahead and fill in whatever information is needed.
We'll add a new data source
and this would be a e image investigation. See, underscored, dr dot Easier one.
Then on the next grain, you'll be given in just monitor options. This is a future from the autopsy tool to automatically extract these types of data for examiner upon mountain. Everybody in the image file.
So, like any options will give you more details and additional configurations that will pee on the right.
I'm gonna send just quite a few of them
and then move on to the next piece.
Okay, here we are. I've enlarged autopsy screen and said, like business MD five
Dash four point for Ling file.
Looking at the hex family tab, you can see
something we talked about previously. You have your offset or your left you're Hexi decimal values. And then the conversion of those hex values to asking
some of them is magic on some of it's not.
If you look at the highlight in peace, you can see that I am highlighting the full path off this file.
All the source file is a thing. File is just a link to a certain particular item. In this case, it's adopted file. If I was broken into typically attributes or headers
and a body or data similar to HTM Oh, you have your metadata, which is put into, or your headers your body. Which is kind of the information that user sees. Each file system structure will have a different structure to how it's displayed within the files attribute you confined both the short and long name file.
We can see what the highlighted section, the Hexi decimal values in the middle of transitions
or covered to the values of the absolute fall path
from our founding weaken. See the link foul points is about.
Now we move over to a different section off to the same MD five t file. The section that's highlighted is Windows 81 dot shoes. Er,
this as an examiner tells me, either this is the user name or this is a conduction of the operative system and the user name. In this case, the operating system would be Windows 8.1 on the user
name is actually user.
This could be associated with the user that either created the file or only
so now let's take a look at this extreme rack. March 2 2095.
This was discovered under the encryption detected
section off autopsy. Looking at the results, it gives us the name, which is the type that it's considering. So this is a file
fire level encryption.
Our source, Paff will tells us the absolute coming from the image that we created
and then just an artifact number that's more for the system.
We move over to the file metadata. As I mentioned earlier. This is kind of
the top portion off a file if I was broken into different sections and the first section is typically where you'll find meta data or attributes, just as name access dates.
This kind of information is what's displayed on the first offsets of a file
moving over to the strength. This is typically what you would find in the body of your or in the data attributes of your file.
As you can see this just by the name of the foul as an examiner
coming across this encrypted file
named Extreme Right just tells me that the suspect had potentially malicious activities.
A rat is a remote access Children, so this is something that they have potentially have distributed to others in order to pedantry
or access or systems.
Looking at the body of the information,
you can either find code settings for any dump of data that's found on the file.
So if I was meditator is what you'll find in the header of a structure.
Autopsy has a feature for not only converting the hex to decimal toe asking, but separating these known values and its own top. For an examiner,
you'll find information such as created change, modified and access date
as well as empty five hash values file type in size and more within these types.
So I'm just gonna explore a little bit to see what's in the Web. Browse
through a bookmarks and not let's stop this cookie.
So I was selected this I 6019 end to end dot text file.
This is a cookie from Internet for
in relation to the euro 19 to 1681 11 on 10
that was access on that particular date. Cookies are useful in multiple attacks to user. Whether you're attacking her, what brother are finding out different sessions that they had Let your own
Okay, Cookie would unknown until time stands the access. Who access that? Your Web browser application
when it was created when it was modified.
As you can see, these attributes are also available Money for took cookies but
different found objects within a system.
Most of the files found within this image were encrypted, Ziff allows. The point of this video isn't different from an investigation, but rather get comfortable with the information you see on the screen.
If you like more details or guidance on the examination of file, go ahead and head over to this particular lab and perform yourself and kind of examine the follow
a little bit more.
Here we have another sit down called Windows 32. Thought would that Fab 2016 and like I said, this is just gonna get comfortable with the different files. How the different file extensions and file types look within the hex values
what an examiner sees as your, uh, analyzing an image. As you could tell in the left. The encryption detected since the start of this video has kept in commenting,
and it's not gonna stop into the analysis complete.
So, as an examiner, do you wait for everything to finish voting? Or do you just continue exploring? Let's say you covered everything in a Web browser and then moved over to user folder. But as your coins with user folder,
new items in
the first folder, you're in
changed. So now there's new items,
so there might be a point of missing it. So we're gonna go ahead and now and perform an action an autopsy where we can actually extract data murder and extract data from our user folder.
We're going to save it into our examination export location.
So with the autopsy, you can extract files from the image onto your local disk.
This is helpful in case you
this is helpful. In the case of encrypted files, malicious files are items that you wish to just pass along to either a new workflow, a new process for the examination or even someone else without giving them the full image you're able to extract portion and hand it off. On the top left, there is a generate report option. That type
this report helps in a an analyst kind of timeline the different sections,
areas that they looked at, areas that they didn't look out
for them to generate. The report
You're also able to do keyword list. Those are actual stored in your report.
Remember how I mentioned one of the things to document are things that you did search and things that you did it. If you have a list of things that you wanted to search, you start performing. The search was using the keyword list in the keyword search
it saves, and at the end you can cross out and verify which searches were and then which ones were not performs.
You also get hash values. Timeline of the in house work, An audit of the actions performs or examined on the disc from both the system and analysts level.
So I hope you enjoyed today's video. We went over the image forensics Capsule lab From the analysis portion. We had completed the acquisition portion in Module Threat, and now Monjo five. We've performed the analysis and just reviewed the items Module three. We perform the accusation process, and now, in module five,
we reviewed the image that was created back in module three,
not at any in depth analysis portion to kind of figure out what this person did, just kind of review to get you comfortable with
what you would see as an examiner.
So I hope you enjoyed today's video and I'll catch the next one.