Image Forensics Capstone Lab: Examining the Image

00:00

hi and welcome to everyday digital forensics. I'm your host, your son, he said In today's episode, we're gonna be going over the image Forensics Capstone Lab.

00:10

In today's video, we're gonna go over

00:12

the image Forensics capsule. Mom,

00:14

talk about the initial set up and then

00:17

performing demo of analysis of the file.

00:20

So this video uses the

00:23

image. Forensics comes on lab in order to create an image with FBK Imager. You may have seen us in the previous module where we actually perform that image

00:31

of another system.

00:32

Now we're gonna take a step further and examine the image

00:36

that was created.

00:38

So if you recall the initial lab set up is

00:43

using Windows seven

00:44

well used to this management created partition ISI and call that Dr E will extract image your light and move that over. T Dr will open after Kate imager in the drive and create the image using FCK.

00:58

And this is the point in which we had stopped in her previous module.

01:00

If you recall module three, we went through the process of creating the image using

01:06

the access data. After can amateur. We're at the point in which the image is complete, and we received the drive Image verification results. Look in the report. We can see that it's broken down into different sections. Your MD five hash, your Charlotte hash and your bad sector lists. You will use this information in this report for investigation documentation.

01:26

You will want to identify what your hash values were before the images copied

01:30

for your notices process.

01:33

Before we move forward with the analysis, let's check the image. Summary details

01:37

The summary did tells, gives us in addition information about our image such as physical, this size, details, case information

01:44

and any of those

01:46

inputs during the initial start of using abdicate

01:49

When you scroll down, you also get information

01:53

about the image such as segment list. How many segments that I create in order to create the image when the accusation started finished and when the verification results on the image and their time stamps, As you can see on the screen,

02:08

these details should be copied and pasted over to your report,

02:13

not moving over to autopsy.

02:16

We'll use the image to perform some analysis.

02:21

We're gonna create a new case Neymar case, select Arby's Directory, and in this case, it's gonna be E image investigation directory

02:38

moving on to the next free.

02:42

We're gonna go ahead and fill in whatever information is needed.

02:53

We'll add a new data source

02:54

and this would be a e image investigation. See, underscored, dr dot Easier one.

03:01

Then on the next grain, you'll be given in just monitor options. This is a future from the autopsy tool to automatically extract these types of data for examiner upon mountain. Everybody in the image file.

03:14

So, like any options will give you more details and additional configurations that will pee on the right.

03:22

I'm gonna send just quite a few of them

03:23

and then move on to the next piece.

03:40

Okay, here we are. I've enlarged autopsy screen and said, like business MD five

03:46

Deep

03:46

Dash four point for Ling file.

03:50

Looking at the hex family tab, you can see

03:53

something we talked about previously. You have your offset or your left you're Hexi decimal values. And then the conversion of those hex values to asking

04:01

some of them is magic on some of it's not.

04:04

If you look at the highlight in peace, you can see that I am highlighting the full path off this file.

04:12

All the source file is a thing. File is just a link to a certain particular item. In this case, it's adopted file. If I was broken into typically attributes or headers

04:23

and a body or data similar to HTM Oh, you have your metadata, which is put into, or your headers your body. Which is kind of the information that user sees. Each file system structure will have a different structure to how it's displayed within the files attribute you confined both the short and long name file.

04:41

We can see what the highlighted section, the Hexi decimal values in the middle of transitions

04:46

or covered to the values of the absolute fall path

04:48

from our founding weaken. See the link foul points is about.

04:56

Now we move over to a different section off to the same MD five t file. The section that's highlighted is Windows 81 dot shoes. Er,

05:04

this as an examiner tells me, either this is the user name or this is a conduction of the operative system and the user name. In this case, the operating system would be Windows 8.1 on the user

05:16

name is actually user.

05:18

This could be associated with the user that either created the file or only

05:24

so now let's take a look at this extreme rack. March 2 2095.

05:30

This was discovered under the encryption detected

05:32

section off autopsy. Looking at the results, it gives us the name, which is the type that it's considering. So this is a file

05:42

fire level encryption.

05:44

Our source, Paff will tells us the absolute coming from the image that we created

05:48

and then just an artifact number that's more for the system.

05:53

We move over to the file metadata. As I mentioned earlier. This is kind of

05:57

the top portion off a file if I was broken into different sections and the first section is typically where you'll find meta data or attributes, just as name access dates.

06:08

This kind of information is what's displayed on the first offsets of a file

06:15

moving over to the strength. This is typically what you would find in the body of your or in the data attributes of your file.

06:21

As you can see this just by the name of the foul as an examiner

06:28

coming across this encrypted file

06:30

named Extreme Right just tells me that the suspect had potentially malicious activities.

06:38

A rat is a remote access Children, so this is something that they have potentially have distributed to others in order to pedantry

06:45

or access or systems.

06:47

Looking at the body of the information,

06:50

you can either find code settings for any dump of data that's found on the file.

06:57

So if I was meditator is what you'll find in the header of a structure.

07:00

Autopsy has a feature for not only converting the hex to decimal toe asking, but separating these known values and its own top. For an examiner,

07:09

you'll find information such as created change, modified and access date

07:14

as well as empty five hash values file type in size and more within these types.

07:23

So I'm just gonna explore a little bit to see what's in the Web. Browse

07:27

through a bookmarks and not let's stop this cookie.

07:31

So I was selected this I 6019 end to end dot text file.

07:39

This is a cookie from Internet for

07:41

in relation to the euro 19 to 1681 11 on 10

07:46

that was access on that particular date. Cookies are useful in multiple attacks to user. Whether you're attacking her, what brother are finding out different sessions that they had Let your own

07:58

Okay, Cookie would unknown until time stands the access. Who access that? Your Web browser application

08:07

when it was created when it was modified.

08:13

As you can see, these attributes are also available Money for took cookies but

08:18

different found objects within a system.

08:48

Most of the files found within this image were encrypted, Ziff allows. The point of this video isn't different from an investigation, but rather get comfortable with the information you see on the screen.

08:56

If you like more details or guidance on the examination of file, go ahead and head over to this particular lab and perform yourself and kind of examine the follow

09:07

a little bit more.

09:15

Here we have another sit down called Windows 32. Thought would that Fab 2016 and like I said, this is just gonna get comfortable with the different files. How the different file extensions and file types look within the hex values

09:30

what an examiner sees as your, uh, analyzing an image. As you could tell in the left. The encryption detected since the start of this video has kept in commenting,

09:41

and it's not gonna stop into the analysis complete.

09:43

So, as an examiner, do you wait for everything to finish voting? Or do you just continue exploring? Let's say you covered everything in a Web browser and then moved over to user folder. But as your coins with user folder,

09:56

new items in

10:00

the first folder, you're in

10:03

changed. So now there's new items,

10:05

so there might be a point of missing it. So we're gonna go ahead and now and perform an action an autopsy where we can actually extract data murder and extract data from our user folder.

10:18

We're going to save it into our examination export location.

10:28

So with the autopsy, you can extract files from the image onto your local disk.

10:33

This is helpful in case you

10:35

this is helpful. In the case of encrypted files, malicious files are items that you wish to just pass along to either a new workflow, a new process for the examination or even someone else without giving them the full image you're able to extract portion and hand it off. On the top left, there is a generate report option. That type

10:54

autopsy provides

10:56

this report helps in a an analyst kind of timeline the different sections,

11:03

areas that they looked at, areas that they didn't look out

11:05

for them to generate. The report

11:07

You're also able to do keyword list. Those are actual stored in your report.

11:13

Remember how I mentioned one of the things to document are things that you did search and things that you did it. If you have a list of things that you wanted to search, you start performing. The search was using the keyword list in the keyword search

11:24

it saves, and at the end you can cross out and verify which searches were and then which ones were not performs.

11:33

You also get hash values. Timeline of the in house work, An audit of the actions performs or examined on the disc from both the system and analysts level.

11:43

So I hope you enjoyed today's video. We went over the image forensics Capsule lab From the analysis portion. We had completed the acquisition portion in Module Threat, and now Monjo five. We've performed the analysis and just reviewed the items Module three. We perform the accusation process, and now, in module five,

12:01

we reviewed the image that was created back in module three,

12:05

not at any in depth analysis portion to kind of figure out what this person did, just kind of review to get you comfortable with

12:13

what you would see as an examiner.