Incident Response and Forensics Part 5

Video Transcription
So today we're gonna talk about some different tools, so I'm just gonna give a quick demo. Now, we'll start off with Binwalk, which can be used for reversing. Now, we're not gonna reverse malware, as I mentioned. What it's gonna do is basically open up a file. I think the script I have opened up is one I wrote for just changing a MAC address or something.
I forget what it's for, but we're gonna open it up and just see.
Well, not necessarily open it up. What it's gonna do is run a command against it and see if there's anything potentially nefarious inside.
The other thing we're gonna jump into is also more of the forensic side, with hashes and the HxD hex editor. So we'll do a hash of the files, and we'll talk about what that is while we're doing it. And then also, with the hex editor, we'll go through a couple of photos and see, from a forensic standpoint, if we notice any differences in those photos.
Are you excited, Joe? I'm excited. I'm very excited. It's gonna be great. All right. So let me hop out of this PowerPoint here, and I will jump to my VMs.
So we're gonna start off in Kali Linux here. So this is where I'm gonna do the Binwalk part. So it actually comes with Kali Linux. It's pre-installed for you, which makes things a lot easier. So all you have to do, if you're running Kali right now, is just pop open Applications,
come down to your forensics tools, and then you'll see here that we have Binwalk.
It takes a moment, so it's gonna pop open the command line for us.
What you're gonna notice once it opens up, and I'm just gonna use my mouse and maximize that so you can see it,
you're gonna notice that it shows you the different...
I'm trying
to think of a word here. Basically, the keys, for lack of a better word, that we can use to run the command and look for certain things. Now, what I'm just gonna do is a very simple command today to keep things simplistic, but it's gonna basically be, you know, using this -B switch to take a look at the particular file that I want,
and then from there just kind of seeing if we get any output.
So the first thing I'm gonna do, since I'm at root here, is look for the files that I actually have in this particular directory. So the way I do that, if you're not a Linux person, is just type in ls and press Enter. You'll see it's going to show me my different files there. Um, and there's actually nothing in that. If you guys are seeing the totally-not-hacking-your-stuff.txt, there's actually nothing in that file. So just FYI,
I should put something in there, Joe, you know, something funny. So anyways, I'm gonna actually pick on the sunshine.py, which is a Python script. So I'm gonna do this by typing in binwalk, and then again, I'll put a space and then my switch, so I'll put a dash capital B, -B. You'll notice I'm actually doing my two-finger thing right now
with the typing, and that's okay.
And then I'll type in the sunshine.py file.
So again, what we're looking for here is we're just gonna do a quick scan for some common signatures, you know, that might be in this particular file, or some basic common indicators that might show us that this file may have something, maybe, you know, malicious. Right? So that's kind of what we're looking for here, to see, like, maybe there's something going on with this file,
the code inside of it, that might show us or indicate that this file is a bad file.
We're just gonna run that real quick. Let's see if we get any hexadecimal output at all. Okay, so you'll see here that we get some output. So it shows us that, based off the hexadecimal that it's finding in the file, so in the binary, that's the bin in Binwalk. It's for binary, the bin in that. So it's looking at the binary. It's looking at the hex there, and it's seeing that, okay,
well, this particular hex string is indicative of
the shebang, you know, which, when you're writing a script in... and we're not gonna dive into that. When you're writing a script, that's how we would start it out for a Python script. So we start off with what's called a shebang. So
that's what this is doing. It's seeing the hex somewhere,
it's got a shebang in there, and that may be, you know, indicative of an actually executable script.
Okay, cool. You know, and then also it's pulling the hex on the particular file path, saying, hey, wait a minute, you see this? This is kind of showing us that this is a Python script, so that might be something else that you want to look at. Now, this was a very simplistic example. I think, actually, I've only got a couple lines of code in this particular script. But this is a tool that you can use as a forensic investigator to open different files
in your sandbox and take a look at them and see
if there's anything nefarious in those files. Now, obviously, you can always, you know, open the file and run it and, you know, potentially mess up your system. But we always want to try to take a look with static analysis first. That's what we're doing here, looking at the file, the code of the file, and seeing if there's anything going on with it that might indicate that that's a bad file.
So the next thing we're gonna do is actually the photos that I mentioned. We'll do that in a Windows VM, and hopefully it didn't clock out on me. There we go. Cool. Having some issues, as I mentioned, Joe, before we jumped on the session today, with the Windows VM. So, as you can tell, I'm a Linux fan. Joe's a Windows fan. We go back and forth on that, but that's okay.
All right, so I've got several photos here. We're gonna look at a couple. Um, Joe, do you want dogs or cats today? Which one do you want to do? Let's do cats. Okay, let's do a cat. Now, this is not my cat. As we've spoken about in the different sessions, it's a random cat from the internet. So first things first, we're gonna go ahead and open... I'm gonna open up both photos. We're gonna look at them
and just see if we notice any visual differences. So
let's open our first one here.
It might take a moment, so this VM is sometimes a little slow on, you know... My main thing is, I hope it doesn't clock out on me.
All right. Cool.
And eventually, it's gonna pull up.
All right, cool. It should be pulling up. All right, so we see a cat plunging the toilet. By the way, if you've trained your cat to do this, let me know and tell me how you did it. I'm willing to pay you. My cat will not do that kind of stuff. But basically, we have a cat with a plunger in a toilet. We've got the floor. You know, we see it's an orange cat, et cetera, et cetera. So
we don't really see any differences there at all. And I will share that this is the original photo. So this one has not been altered in any way. So we don't notice anything different there. So we can go ahead and close this one out.
So let's take a look at our second photo here.
It's gonna open this one up as well.
Same thing here. Do we notice anything different? You know, so I still see a cat with a plunger. You know, I still see it's an orange cat. You know, the ears and eyes look the same. We still see the toilet, the floor, et cetera. You know, the cat's in the same position. So, Joe, do you think it's a different photo? It looks like the same one. Visually, I think it looks exactly the same.
Okay, okay. And you would be right, Joe. So congratulations, 100% on the exam. All right, the next thing we're gonna do is look at the file sizes. Now, the one thing we're gonna notice is that these have different dates on these particular photos. So it actually may be better if we do the dog. So I'm gonna do the dog. Let me jump to that real quick. So same thing here.
Visually, we don't actually see a difference. I'll answer the question there. We don't actually see a difference in them.
And so now we're gonna look at the file sizes themselves. We want to see, I guess, is there any difference in the file sizes? So we're just gonna right-click and go to Properties.
Eventually. Here we go.
All right. So we see that this one is 359 kilobytes, so keep that in mind. Again, that's the original photo. So the number one on any of these is the original.
Let's take a look at our second photo here to see if we notice any differences.
All right. So does that look like the same number, Joe?
I don't know. I don't think it does.
Let's take a look again.
I was gonna make sure. So we remember that one was 359 kilobytes.
So it looks like it is the same size.
Disclosure: I'm watching a video that I have of your screen that is about four seconds later than you talking. So I confused myself, which is all good. Which is all good, happens to me all the time.
All right, so we've kind of established that, okay, these visually look the same, and also the file size is the same. Didn't really notice a difference there. So what I'm gonna do is, I'm just gonna go ahead and X out of that.
Now we're gonna actually do a hash of each file. We're just gonna see if we notice a difference there. So I'm using a tool called HashCalc. You could use any type of hash calculator that you want to use, whatever, you know, excites you. I just like to use this one. It seems a little easier for the most part.
All right, so now I'm not gonna mess, you know... You see, you could do different types of hashes. I'm just gonna stick with MD5 for our purposes to make things a little easier. So all I have to do is just click the three little dots at the top and then go actually find the files that I want to look at. So I have to do each one individually.
So I'm just gonna start with that first one there, and we'll just calculate the hash.
You'll see we get a string there of random characters. I'm not gonna try to memorize all those. I'm just gonna focus on this 464 at the end. And what I should see with the other photo is either it's the same or it's different. So let's find out.
Click those three little dots again. We'll click on the second photo there, and we're just gonna open it and then calculate it again.
So you see here that we don't have that 464 again. We've got different numbers there, Joe. So it looks like there's probably something different about them.
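Editor's note. The three checks the demo performs by hand, a Binwalk-style signature scan, a hash of each file, and a byte-by-byte look in a hex editor, done as code. This is an added example, not course material and not Binwalk's or HashCalc's code: the signature table, the stand-in script and the JPEG-shaped byte strings are all constructed here. It goes one step past the video in two ways: it also covers the case where the second copy has a payload appended (so the size does change), and it reports the exact offset of the first differing byte, which is what you would then scroll to in HxD. One caveat the demo does not raise: MD5 is fine for the "are these two files identical" question, but an attacker can deliberately build two different files with the same MD5, so record SHA-256 when the hash is going into a report.

```python
import hashlib

# Signature table modelled on the kind of rules a `binwalk -B` scan applies.
# The table and its names are this example's own, not binwalk's database.
SIGNATURES = [
    (b"#!", "script (shebang)"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x7fELF", "ELF executable"),
]


def scan_signatures(data: bytes):
    """Return sorted (offset, description) pairs for every signature found.
    Every offset is searched, not only offset 0, because payloads are
    commonly appended to or embedded inside an otherwise benign file."""
    hits = []
    for magic, desc in SIGNATURES:
        idx = data.find(magic)
        while idx >= 0:
            detail = desc
            if magic == b"#!":  # report the interpreter line, as binwalk does
                end = data.find(b"\n", idx)
                line = data[idx:end] if end >= 0 else data[idx:]
                detail = f"{desc}: {line.decode('ascii', 'replace')}"
            hits.append((idx, detail))
            idx = data.find(magic, idx + 1)
    return sorted(hits)


def file_hashes(data: bytes):
    """MD5 (what the demo uses) alongside SHA-256 (what to put in the report)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def diff_offsets(a: bytes, b: bytes):
    """Byte-by-byte comparison, the hex-editor step done by eye in the video.
    Returns [(offset, byte_in_a, byte_in_b)]; None marks a byte one side lacks."""
    diffs = []
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if x != y:
            diffs.append((i, x, y))
    return diffs


def hexdump_line(data: bytes, offset: int, width: int = 16) -> str:
    """One hex-editor style row covering `offset`."""
    start = offset - offset % width
    chunk = data[start:start + width]
    hexpart = " ".join(f"{c:02x}" for c in chunk)
    asc = "".join(chr(c) if 32 <= c < 127 else "." for c in chunk)
    return f"{start:08x}  {hexpart:<{width * 3}} |{asc}|"


def compare(a: bytes, b: bytes):
    """The demo's three checks (size, hash, bytes) in one summary."""
    diffs = diff_offsets(a, b)
    return {
        "same_size": len(a) == len(b),
        "same_md5": file_hashes(a)["md5"] == file_hashes(b)["md5"],
        "differing_bytes": len(diffs),
        "first_diff_offset": diffs[0][0] if diffs else None,
    }


# --- constructed sample inputs (not the course's files) ---------------------
# A tiny script standing in for sunshine.py.
SCRIPT = b"#!/usr/bin/env python3\nimport random\nprint(random.randbytes(6).hex(':'))\n"


def build_jpeg(comment: bytes) -> bytes:
    """JPEG-shaped blob: SOI, a JFIF APP0 segment, a COM segment, filler, EOI.
    Enough structure to carry a signature and a metadata field; not a picture."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    filler = bytes(range(256)) * 4
    return b"\xff\xd8" + app0 + com + filler + b"\xff\xd9"


ORIGINAL = build_jpeg(b"Shot 2019-05-01 by owner")
ALTERED = build_jpeg(b"Shot 2019-05-02 by owner")  # same length, one metadata byte changed
APPENDED = ORIGINAL + SCRIPT                        # same picture, script hidden after EOI

if __name__ == "__main__":
    print("signatures in script:", scan_signatures(SCRIPT))
    print("signatures in appended image:", scan_signatures(APPENDED))
    for name, other in (("altered", ALTERED), ("appended", APPENDED)):
        summary = compare(ORIGINAL, other)
        print(name, summary)
        if summary["first_diff_offset"] is not None:
            off = summary["first_diff_offset"]
            print("  original:", hexdump_line(ORIGINAL, off))
            print("  " + name + ":", hexdump_line(other, off))
```

Run it and the "altered" copy reproduces the dog photo's situation: same size, different hash, and `first_diff_offset` points at the one changed byte in the comment segment, which is where you would jump in HxD. The "appended" copy shows why the signature scan is worth running on images too: the blob is still a valid JPEG at offset 0, but the scan also reports a shebang past the end-of-image marker.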