Time
4 hours
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
hi and welcome to everyday digital forensics. I'm your host, your son, he said In today's episode, we're gonna be going over the image Forensics Capstone Lab.
00:10
In today's video, we're gonna go over
00:12
the image Forensics capsule. Mom,
00:14
talk about the initial set up and then
00:17
performing demo of analysis of the file.
00:20
So this video uses the
00:23
image. Forensics comes on lab in order to create an image with FBK Imager. You may have seen us in the previous module where we actually perform that image
00:31
of another system.
00:32
Now we're gonna take a step further and examine the image
00:36
that was created.
00:38
So if you recall the initial lab set up is
00:43
using Windows seven
00:44
well used to this management created partition ISI and call that Dr E will extract image your light and move that over. T Dr will open after Kate imager in the drive and create the image using FCK.
00:58
And this is the point in which we had stopped in her previous module.
01:00
If you recall module three, we went through the process of creating the image using
01:06
the access data. After can amateur. We're at the point in which the image is complete, and we received the drive Image verification results. Look in the report. We can see that it's broken down into different sections. Your MD five hash, your Charlotte hash and your bad sector lists. You will use this information in this report for investigation documentation.
01:26
You will want to identify what your hash values were before the images copied
01:30
for your notices process.
01:33
Before we move forward with the analysis, let's check the image. Summary details
01:37
The summary did tells, gives us in addition information about our image such as physical, this size, details, case information
01:44
and any of those
01:46
inputs during the initial start of using abdicate
01:49
When you scroll down, you also get information
01:53
about the image such as segment list. How many segments that I create in order to create the image when the accusation started finished and when the verification results on the image and their time stamps, As you can see on the screen,
02:08
these details should be copied and pasted over to your report,
02:13
not moving over to autopsy.
02:16
We'll use the image to perform some analysis.
02:21
We're gonna create a new case Neymar case, select Arby's Directory, and in this case, it's gonna be E image investigation directory
02:38
moving on to the next free.
02:42
We're gonna go ahead and fill in whatever information is needed.
02:53
We'll add a new data source
02:54
and this would be a e image investigation. See, underscored, dr dot Easier one.
03:01
Then on the next grain, you'll be given in just monitor options. This is a future from the autopsy tool to automatically extract these types of data for examiner upon mountain. Everybody in the image file.
03:14
So, like any options will give you more details and additional configurations that will pee on the right.
03:22
I'm gonna send just quite a few of them
03:23
and then move on to the next piece.
03:40
Okay, here we are. I've enlarged autopsy screen and said, like business MD five
03:46
Deep
03:46
Dash four point for Ling file.
03:50
Looking at the hex family tab, you can see
03:53
something we talked about previously. You have your offset or your left you're Hexi decimal values. And then the conversion of those hex values to asking
04:01
some of them is magic on some of it's not.
04:04
If you look at the highlight in peace, you can see that I am highlighting the full path off this file.
04:12
All the source file is a thing. File is just a link to a certain particular item. In this case, it's adopted file. If I was broken into typically attributes or headers
04:23
and a body or data similar to HTM Oh, you have your metadata, which is put into, or your headers your body. Which is kind of the information that user sees. Each file system structure will have a different structure to how it's displayed within the files attribute you confined both the short and long name file.
04:41
We can see what the highlighted section, the Hexi decimal values in the middle of transitions
04:46
or covered to the values of the absolute fall path
04:48
from our founding weaken. See the link foul points is about.
04:56
Now we move over to a different section off to the same MD five t file. The section that's highlighted is Windows 81 dot shoes. Er,
05:04
this as an examiner tells me, either this is the user name or this is a conduction of the operative system and the user name. In this case, the operating system would be Windows 8.1 on the user
05:16
name is actually user.
05:18
This could be associated with the user that either created the file or only
05:24
so now let's take a look at this extreme rack. March 2 2095.
05:30
This was discovered under the encryption detected
05:32
section off autopsy. Looking at the results, it gives us the name, which is the type that it's considering. So this is a file
05:42
fire level encryption.
05:44
Our source, Paff will tells us the absolute coming from the image that we created
05:48
and then just an artifact number that's more for the system.
05:53
We move over to the file metadata. As I mentioned earlier. This is kind of
05:57
the top portion off a file if I was broken into different sections and the first section is typically where you'll find meta data or attributes, just as name access dates.
06:08
This kind of information is what's displayed on the first offsets of a file
06:15
moving over to the strength. This is typically what you would find in the body of your or in the data attributes of your file.
06:21
As you can see this just by the name of the foul as an examiner
06:28
coming across this encrypted file
06:30
named Extreme Right just tells me that the suspect had potentially malicious activities.
06:38
A rat is a remote access Children, so this is something that they have potentially have distributed to others in order to pedantry
06:45
or access or systems.
06:47
Looking at the body of the information,
06:50
you can either find code settings for any dump of data that's found on the file.
06:57
So if I was meditator is what you'll find in the header of a structure.
07:00
Autopsy has a feature for not only converting the hex to decimal toe asking, but separating these known values and its own top. For an examiner,
07:09
you'll find information such as created change, modified and access date
07:14
as well as empty five hash values file type in size and more within these types.
07:23
So I'm just gonna explore a little bit to see what's in the Web. Browse
07:27
through a bookmarks and not let's stop this cookie.
07:31
So I was selected this I 6019 end to end dot text file.
07:39
This is a cookie from Internet for
07:41
in relation to the euro 19 to 1681 11 on 10
07:46
that was access on that particular date. Cookies are useful in multiple attacks to user. Whether you're attacking her, what brother are finding out different sessions that they had Let your own
07:58
Okay, Cookie would unknown until time stands the access. Who access that? Your Web browser application
08:07
when it was created when it was modified.
08:13
As you can see, these attributes are also available Money for took cookies but
08:18
different found objects within a system.
08:48
Most of the files found within this image were encrypted, Ziff allows. The point of this video isn't different from an investigation, but rather get comfortable with the information you see on the screen.
08:56
If you like more details or guidance on the examination of file, go ahead and head over to this particular lab and perform yourself and kind of examine the follow
09:07
a little bit more.
09:15
Here we have another sit down called Windows 32. Thought would that Fab 2016 and like I said, this is just gonna get comfortable with the different files. How the different file extensions and file types look within the hex values
09:30
what an examiner sees as your, uh, analyzing an image. As you could tell in the left. The encryption detected since the start of this video has kept in commenting,
09:41
and it's not gonna stop into the analysis complete.
09:43
So, as an examiner, do you wait for everything to finish voting? Or do you just continue exploring? Let's say you covered everything in a Web browser and then moved over to user folder. But as your coins with user folder,
09:56
new items in
10:00
the first folder, you're in
10:03
changed. So now there's new items,
10:05
so there might be a point of missing it. So we're gonna go ahead and now and perform an action an autopsy where we can actually extract data murder and extract data from our user folder.
10:18
We're going to save it into our examination export location.
10:28
So with the autopsy, you can extract files from the image onto your local disk.
10:33
This is helpful in case you
10:35
this is helpful. In the case of encrypted files, malicious files are items that you wish to just pass along to either a new workflow, a new process for the examination or even someone else without giving them the full image you're able to extract portion and hand it off. On the top left, there is a generate report option. That type
10:54
autopsy provides
10:56
this report helps in a an analyst kind of timeline the different sections,
11:03
areas that they looked at, areas that they didn't look out
11:05
for them to generate. The report
11:07
You're also able to do keyword list. Those are actual stored in your report.
11:13
Remember how I mentioned one of the things to document are things that you did search and things that you did it. If you have a list of things that you wanted to search, you start performing. The search was using the keyword list in the keyword search
11:24
it saves, and at the end you can cross out and verify which searches were and then which ones were not performs.
11:33
You also get hash values. Timeline of the in house work, An audit of the actions performs or examined on the disc from both the system and analysts level.
11:43
So I hope you enjoyed today's video. We went over the image forensics Capsule lab From the analysis portion. We had completed the acquisition portion in Module Threat, and now Monjo five. We've performed the analysis and just reviewed the items Module three. We perform the accusation process, and now, in module five,
12:01
we reviewed the image that was created back in module three,
12:05
not at any in depth analysis portion to kind of figure out what this person did, just kind of review to get you comfortable with
12:13
what you would see as an examiner.
12:15
So I hope you enjoyed today's video and I'll catch the next one.

Up Next

Everyday Digital Forensics

In this course, you will be presented with an overview of the principles and techniques for digital forensics investigation in the spectrum of file system analysis.

Instructed By

Instructor Profile Image
Yesenia Yser
Engineering Manager, Security Research & Development at SoFL, Women in Tech Committee Member, University Outreach and STEM Instructor
Instructor