Windows Forensics Kdirstat Lab

Welcome to the new world of visual hard drive analysis. Kdirstat is a disk-usage analysis tool that, unlike conventional hard drive utilities which present static listings, gives you a visual perspective of what is on a hard drive and where the space is going. This Kdirstat lab demonstrates the visual analytics as well as the cleanup and other functions, for an entirely different perspective on conducting storage resource analysis.

Transcript

Hey, Leo Dregier here. I want to talk to you about, by far, one of the – my favorite tools on the planet. Um, there's so many cool things that I could say about this toy. I don't even know where to start. First of all, the 50,000 level high overview here is that sometimes we want to analyze hard drives. And we're only given basically one tool or maybe two tools – Windows Explorer or the command line, or graphical user interface and a terminal, however you want to look at that. So we get used to evaluating files and folders in that format. And these people have – the WinDirStat people or the dirstat people, they have taken a whole new approach to analyzing a hard drive. So what we get here is basically visual analysis of the whole hard drive in itself. And so it's really, really unconventional to visually see what's in a hard drive. Now you'll notice here if I'm just kind of like poke around and yeah, if I wanted to know, you know, what the biggest directory on my computer was, on this default, uh, Minixfil that I have here. I could just, uh, click this right here 'cause obviously it's quite large, and see that actually I have a Metasploit log directory that's huge, okay? It's, uh, very, very, very large in comparison to something. If I just pick on something like this, which is, uh, looks like a language file. Uh, if I kind of pop around here – just going to give you a little tutorial. That's a Maltego information. I got some Fishtank big, uh, big, large, uh, Fishtank, uh, XML file there.
I've got, uh, another test log over here. Um, also you can look at whole directories, too. I like, I like that component. So if I wanted to kind of work through a whole directory and literally just go to file, to file, to file, to file and see the largest files in that directory, um, we certainly could do that. Now I've used this program for quite some time in the capacity of, you know, I have a lot of hard drives. I need to clean up space. You know, I got video directories, uh, got recording directories. I've got curriculums, and I just want to know where stuff is. And it's real easy for me to kind of look inside of any particular directory and see okay, well, here's the largest set of files in that directory. Now from a forensics point of view, we can kind of guess what files are going to be larger than others. Like, what would you expect to be larger, an MPG or a PNG? Exactly. So if I was looking for a whole bunch of video files, I could easily just open up a tool like this, evaluate the hard drive or the directory, and then boom, I can see exactly where those files are just simply because of the, the size that I'm, I'm dialed into down here in this, in this window display, okay? Um, very, very easy program to use. Basically you just open, grab your directory. It'll take a second for it to kind of work up and build the picture. Uh, not too long; you know, nothing really more than a minute, usually, even for a large drive. You can open in Konqueror. You can open in specific locations at a terminal. You can delete to the trash bin right from here. Um, and it's pretty non-forgiving. In other words, if I delete this file and – oops, if I delete this file and delete to the trash bin, um, it goes bye-bye. Now I'm not going to do that here just because I'm working on other things, but if, uh, if you want to, you, you absolutely can. So a little caution there.
Um, you can do reports; you can send that to an owner or somebody else if you want to right within the, the program. You can open it in Konqueror, alright? You can view things in terms of the tree map, which is the – I think the most creative piece of this application. So the tree map, always start there. The status bar, that's this place down here. Um, and then the toolbar, uh, at the top, alright? So keep all of that open, alright? So that's Kdirstat. Now a couple of you may be asking well, how did you get there, okay? So from a terminal, it's just apt, a-p-t – oops. Alright? Well, let's start with where is it on the menu. Uh, on the menu, if you go under Accessories, it's K4dirstat. If you're looking for it in any of the other menus, you're not going to find it. They actually put it – install it in the, in the directory, so it's, uh, K4 directory statistics. I'm going to close out of that. I believe that was the problem. And move out of some other things here. Let's clean this up. Okay, so if you wanted to install this, it's apt, dash, get, install Kdirstat, and that will go ahead and if you just run – I already have it installed. That's why you're seeing the [05:46]. Or you can go, um, with a dash-y at the end of that, and that will – won't prompt you hey, would you like to install this? It'll just automatically do it, okay? So just a little trick there. But apt, dash, get install Kdirstat. That's how you get it, uh, from the Kali operating system. Now let's flip over and look at this from one other way here. Here's the Windows version of this, very, very similar, uh, but right away, you can see, you know, some large programs. I got SolarWinds, I got Metasploit Framework, I've got Hacking Webservers, just these different labs, and installers, and things like that. So clearly, this directory is, uh, an important directory, uh, currently that I'm working on. You got, you know, Windows applications looks like down here. If you compare that to the, the tree.
So it's the visual size down here and then where – what does that realistically mean in terms of where is it on the file system in hierarchy, right? So looks like my pagefile.sys right now, uh, is going pretty crazy. It's, you know, over a gigabyte in size. And then if you go down to something like this, you can see a whole bunch of small DLLs. Uh, but I don't know. It's got a nice lot – lot of nice colors. You can get the – uh, if you want to sort by colors or turn a color on or turn a color off, you certainly can do that, and it'll highlight different sections of this, as you can see. So really, really, really interesting to kind of see this get highlighted and, and used. Same thing in the, in the Kali program. You know, tree maps, status bars. Uh, you can actually have a clean-up button in the Windows version, uh, and you can open files. So try this. I think you'll love it in terms of forensics analysis, and, and giving you a whole new way of looking at evaluating file systems. So go ahead, get all your old hard drives off the shelf, uh, plug this in, analyze them, uh, and as long as you don't go delete anything, you should be okay. My name's Leo Dregier. Thank you for watching, and don't forget to check us out on Facebook, LinkedIn, YouTube, and Twitter.
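The transcript's core idea is that a treemap is just cumulative size per directory, and that for triage you want the largest files, the largest subtrees, and totals by file type (MPG versus PNG) without touching anything on the drive. The script below is an added example written for this page, not Kdirstat or WinDirStat code, and it recreates that read-only summary in Python: it walks a tree with `lstat` (no symlink following, no deletion), charges each file to every ancestor directory the way a treemap cell does, and reports the top files, top directories and per-extension totals. The sample tree it builds in a temporary directory (Metasploit-style log, a video, an XML language file, an icon) is constructed for the demo; the paths and sizes are invented.

```python
"""Read-only disk-usage triage in the spirit of a treemap viewer (added example)."""
import os
import shutil
import stat
import sys
import tempfile
from collections import defaultdict


def scan_tree(root):
    """Walk `root` without modifying it.

    Returns (files, dir_sizes): `files` is a list of (size_bytes, relative_path)
    for regular files; `dir_sizes` maps each directory (relative to root, '.' for
    the root itself) to the cumulative size of everything beneath it, which is
    the number a treemap cell represents.
    """
    root = os.path.abspath(root)
    files = []
    dir_sizes = defaultdict(int)
    for dirpath, _dirnames, filenames in os.walk(root):  # symlinked dirs not followed
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        dir_sizes[rel_dir] += 0  # register empty directories too
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: never follow symlinks on evidence media
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
            if not stat.S_ISREG(st.st_mode):
                continue  # sockets, fifos, symlinks carry no meaningful size here
            files.append((st.st_size, os.path.relpath(full, root).replace(os.sep, "/")))
            # Charge the file to every ancestor directory up to the root.
            d = rel_dir
            while True:
                dir_sizes[d] += st.st_size
                if d == ".":
                    break
                d = os.path.dirname(d) or "."
    return files, dict(dir_sizes)


def largest_files(files, n=10):
    """Largest regular files first; ties broken by path for stable output."""
    return sorted(files, key=lambda f: (-f[0], f[1]))[:n]


def largest_dirs(dir_sizes, n=10):
    """Largest subdirectories first, excluding the root itself."""
    items = [(size, d) for d, size in dir_sizes.items() if d != "."]
    return sorted(items, key=lambda f: (-f[0], f[1]))[:n]


def size_by_extension(files):
    """Total bytes per file extension (lower-cased; '(none)' when absent)."""
    totals = defaultdict(int)
    for size, path in files:
        ext = os.path.splitext(path)[1].lower() or "(none)"
        totals[ext] += size
    return dict(totals)


def human(n):
    """Render a byte count the way a status bar would (1 KiB = 1024 bytes)."""
    if n < 1024:
        return f"{n} B"
    for unit in ("KiB", "MiB", "GiB", "TiB"):
        n /= 1024
        if n < 1024 or unit == "TiB":
            return f"{n:.1f} {unit}"


# Constructed fixture: these paths and sizes are invented for this example only.
SAMPLE_FILES = {
    "videos/capture.mpg": 2 * 1024 * 1024,
    "logs/metasploit.log": 300 * 1024,
    "logs/test.log": 120 * 1024,
    "lang/strings.xml": 50 * 1024,
    "images/icon.png": 4 * 1024,
}


def build_sample_tree(base):
    """Materialise SAMPLE_FILES under `base` (zero-filled files of the given sizes)."""
    for rel, size in SAMPLE_FILES.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, remove the temp dir,
    and return the summary so the results can be checked programmatically."""
    base = tempfile.mkdtemp(prefix="kdirstat_demo_")
    try:
        build_sample_tree(base)
        files, dir_sizes = scan_tree(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)  # only ever deletes our own fixture
    return {
        "total": dir_sizes["."],
        "top_files": largest_files(files, 3),
        "top_dirs": largest_dirs(dir_sizes, 3),
        "by_ext": size_by_extension(files),
    }


if __name__ == "__main__":
    # Usage: python dutriage.py [directory]  (no argument runs the constructed demo)
    if len(sys.argv) > 1:
        fs, ds = scan_tree(sys.argv[1])
        summary = {"total": ds["."], "top_files": largest_files(fs),
                   "top_dirs": largest_dirs(ds), "by_ext": size_by_extension(fs)}
    else:
        summary = demo()
    print("total:", human(summary["total"]))
    for size, p in summary["top_files"]:
        print(f"file {human(size):>10}  {p}")
    for size, d in summary["top_dirs"]:
        print(f"dir  {human(size):>10}  {d}")
    for ext, size in sorted(summary["by_ext"].items(), key=lambda kv: -kv[1]):
        print(f"ext  {human(size):>10}  {ext}")
```

Run it against a mounted image or an old drive (`python dutriage.py /mnt/evidence`) and it answers the transcript's questions (which directory is huge, where the video files are) in a few lines of output, while never offering a delete action; that omission is the design choice, since the tool's own "delete to trash" is, as the speaker notes, unforgiving.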