Incident Response and Forensics Part 6

Video Transcription
So in order to help people understand this, we should maybe take just a second to explain exactly what hashes actually are.
I want to make everyone an expert instantly, Joe, so to kind of bring along anybody who may not be familiar, or who may know what an MD5 is but not really understand what hashing is: hashing is a one-way algorithm in which you feed all of the bits, the ones and zeros of a file,
into an algorithm, which is just a really fancy word for a set of rules.
That processes those bits and turns it into a single string. I don't remember how many characters it is, 32, 64, something like that. The point is that it turns it into a string that is
theoretically only going to match that one set of bits. Now MD5 in particular does have... there are collisions that people have worked on. You know, people use that to crack passwords; they find hash collisions. But the idea is that, generally speaking, it is vanishingly unlikely that if you alter a document you will be able to get that same hash back,
so it's sort of an integrity check to make sure that the data is the same.
So, as Ken pointed out here, this hash is different from the previous one, which means that...
well, you want to tell them, Ken?
Yeah, it means, essentially, there's something going on with
all right, so our second picture there. Something might be in there; it could be malicious code. It could just be that somebody's typed something in there, like a secret message, for example, using steganography. But it could be a lot of things. Just this indicates to us that there's something different about it now. Kind of piggybacking off what Joe was mentioning with integrity of the file:
When you go to different websites and you're downloading, like, a file from the website, if you see that they're offering you a hash, then real quickly just download a hash calculator or something like that, hash the file that they're providing you for download, and compare it to the hash that they're saying it should be. If it matches up, then you should be good to go to install that file. If it's different,
you want to hold off and contact whatever company that is and say, "Hey, look, the hash is different when I downloaded it.
You know, can you just double check this or whatever on your side?" Because a lot of times they might have been attacked and not know it, and then some attacker might have uploaded a malicious file in there.
So be safe, be safe and hash.
It's also worth noting you can, without doing an additional download of HashCalc or something like that, on Mac, and I believe Linux, you could run a command, the md5 command, which will provide you with the MD5 sum of a given file. It's not as verbose, it's not as robust, and obviously you can see the HashCalc that Ken uses has a lot of other options, and it's more effective.
But if you just want to do a very quick MD5 check, that is an option.
And I like HashCalc because I find it pretty.
It is pretty, that's true. All right, we're gonna actually crack open these files, so we're gonna use a hex editor. I just like to use HxD; you can use essentially any one that you want to.
Like I still mention, there's a lot of different options to do these things.
So, HxD. What I'm gonna do is just go to File, Open, and open my actual photo, so we'll start off with the cat one.
Excuse me, the dog one.
We're gonna open it up. So you see here, this is all the hex. Now, just one thing I'll touch on here: since this is a JPEG file, you'll notice it starts FF D8 FF. If you ever decide to get into forensics and you ever decide to go for the exam,
just know that, just know how each image starts in the hex. So I'll give that tidbit if anyone out there is planning to study for the exam.
All right, so all we're gonna do is just basically scroll down to the bottom. We're not gonna actually talk about hex or anything like that today; that's a little more advanced, and that's something that you can learn as you're going through these different career paths. But we're just gonna scroll down to the very bottom and look past all these random characters to see if we notice any text that we can read at the end of it.
I'm just gonna go down. And Joe, I'm gonna pin you for the question here.
So do you see any text, Joe, at the end here that really makes sense to you at all?
It makes sense to... well, let me say, if you didn't know forensics or hex or anything like that, is there anything that would make sense to you from, like, an English language standpoint?
What I would say: probably not.
Okay, and that is the right answer. So good job.
All right, so let's open our other photo now. So we don't notice anything in there, and again, that's the original photo. Let's take a look at our other one to see if we find anything in there.
I'm hoping we find some kind of super secret message.
Here's hoping.
All right, so let's open this one,
and same thing here. You'll notice we have the exact same thing. It's also a JPEG file; we see the FF D8 FF. But we're going to scroll down again to the very bottom here and see if we notice any secret words or messages in here.
All right, so do you notice anything on this one, Joe, that's readable at all?
Give me just one second for my video to catch up to you talking. Absolutely. And then we will see.
I'm very excited to find out.
Well, that looks like a secret message. Oh man, that looks like some company. Or, they think that's a cool company, isn't it? I am a big fan of theirs; I like them quite a bit. All right, so you see, we've got the message there. Now, one thing I just want to mention is that
your average user, or even your forensic investigator, if you don't have the original file, which we do in this case... but if we don't have the original file, when earlier we looked at the file size, we may not know that the file's been altered based off of that thing. You know, the same thing with the actual image itself: if we're looking at it, we may not know. So
a lot of times we just have to open it up in a hex editor and look for
information that might be hidden in there.
So that wraps up that lab. Joe, did you have anything else in the labs that you wanted to comment on, or thoughts? I think that one of the things that I want to address there, so Ken's example was one that you can kind of understand pretty quickly. Something that is often done with pictures like that is that people will embed messages in the
color depths. Essentially, it's called steganography, and essentially
it is possible to hide data in photographs like that. It's incredibly difficult to recover that data; however, if you have the original photo, what Ken just demonstrated is actually the easiest way to identify steganography, to identify data that's hidden, even encrypted data that is hidden inside of a photo like that.
So that's one of the most common, or not most common, but one of the better ways that people use to hide data,
and that technique is actually the best way to identify it. Yes, yes, absolutely, and you'll see, you know, if you decide to go into forensics investigation. You and I kind of touched on this when we were doing the very first course in this series, you know, we mentioned the federal law enforcement and the things you might see.
So just keep that in mind as well. If you decide to move into forensics, definitely
consider it, you know, and definitely think through it, and definitely talk to people that are actually doing it to make sure it's something that would match with your goals. Absolutely.