WEBVTT

00:00.139 --> 00:03.075
>> Forensics tools.

00:03.075 --> 00:05.700
The learning objectives
for this lesson are

00:05.700 --> 00:08.355
to demonstrate forensics
collection tools,

00:08.355 --> 00:11.070
describe forensics
analysis tools,

00:11.070 --> 00:13.425
and utilize other
forensics tools.

00:13.425 --> 00:16.290
Let's get started.
The first thing

00:16.290 --> 00:17.385
you're going to
want to consider as

00:17.385 --> 00:18.825
is a forensics workstation.

00:18.825 --> 00:22.020
You can think of this as a
hub that will be used to

00:22.020 --> 00:23.955
perform all of the
forensics work

00:23.955 --> 00:26.370
on any data or devices
you've collected.

00:26.370 --> 00:27.960
This workstation needs to

00:27.960 --> 00:29.340
have the capabilities
to read from

00:29.340 --> 00:32.820
many different common
media types such as EIDE,

00:32.820 --> 00:34.755
SATA, SCSI,

00:34.755 --> 00:37.785
SAS, USB, FireWire,
and Thunderbolt.

00:37.785 --> 00:39.645
You also want to
ensure that you have

00:39.645 --> 00:42.170
ample storage space to
store all the images.

00:42.170 --> 00:43.970
These images can get
very large since you're

00:43.970 --> 00:45.990
taking images of
entire hard drives.

00:45.990 --> 00:46.985
So you want to make sure that

00:46.985 --> 00:48.320
your forensics workstation has

00:48.320 --> 00:51.820
enough storage space to
store multiple images.

00:51.820 --> 00:54.500
Then lastly, you want to
consider your software suite.

00:54.500 --> 00:56.120
These are the programs
that you'll use

00:56.120 --> 00:57.560
to perform the analysis.

00:57.560 --> 00:59.315
Some examples would be EnCase,

00:59.315 --> 01:02.370
the Forensic Toolkit,
and The Sleuth Kit.

01:02.720 --> 01:04.970
File carving tools.

01:04.970 --> 01:06.470
Now, most of the
tools we're going to

01:06.470 --> 01:08.375
discuss in this lesson
are Linux-based.

01:08.375 --> 01:10.495
Not all of them, but
most of them are.

01:10.495 --> 01:13.670
Foremost is a Linux
utility that can be used

01:13.670 --> 01:17.465
to extract deleted or corrupted
data from a partition.

01:17.465 --> 01:19.700
The key to remember
about Foremost is,

01:19.700 --> 01:20.975
it will be able to do this

01:20.975 --> 01:23.335
even if there's no
file system in place.

01:23.335 --> 01:26.900
Strings will recover text
strings and then you can

01:26.900 --> 01:28.580
discover the
attributes regarding

01:28.580 --> 01:31.410
the internal structure
of a program.

01:32.320 --> 01:35.045
Binary analysis tools.

01:35.045 --> 01:38.870
Hexdump is used to extract
data from binary files,

01:38.870 --> 01:41.330
and then it will present
it in either hex,

01:41.330 --> 01:44.005
decimal, octal or ASCII.

01:44.005 --> 01:47.120
Ghidra, this is a tool
that was developed by

01:47.120 --> 01:50.180
the National Security Agency
and it's written in Java.

01:50.180 --> 01:53.225
The purpose is for doing
reverse engineering.

01:53.225 --> 01:55.925
Next, we have the GNU
Project Debugger.

01:55.925 --> 01:57.800
This is used to identify what is

01:57.800 --> 02:00.530
occurring in an application
while it's running.

02:00.530 --> 02:02.660
Then we also have OllyDbg,

02:02.660 --> 02:04.670
which is a debugger
that is focused on

02:04.670 --> 02:07.500
Microsoft Windows and
it also has a GUI.

02:08.720 --> 02:11.240
Next we have Readelf.

02:11.240 --> 02:14.515
This is able to read the
executable and linkable format

02:14.515 --> 02:17.060
or ELF within an object file.

02:17.060 --> 02:19.955
Objdump is similar to Readelf.

02:19.955 --> 02:21.355
It's used to analyze

02:21.355 --> 02:24.940
object files and also
includes the disassembly.

02:24.940 --> 02:27.355
Strace is used to identify

02:27.355 --> 02:30.605
interactions between processes
and the Linux kernel.

02:30.605 --> 02:34.630
Ldd will display a
program's dependencies.

02:35.270 --> 02:37.660
This will display the type of

02:37.660 --> 02:39.535
file by inspecting its content.

02:39.535 --> 02:41.710
It uses the magic
byte of a file,

02:41.710 --> 02:43.150
and then it compares
it to a list of

02:43.150 --> 02:45.940
known magic bits to
identify the file type.

02:45.940 --> 02:47.230
If you've got a file without

02:47.230 --> 02:49.320
an extension and you
have no idea what it is,

02:49.320 --> 02:51.170
file will look in there
and see if it can

02:51.170 --> 02:53.390
find the magic bit and
then compare it to

02:53.390 --> 02:55.085
the database of
others that are known

02:55.085 --> 02:57.500
to help you match
that file type,

02:57.500 --> 03:00.840
so that you can start
working on it from there.

03:01.180 --> 03:03.620
Firmware inspection.

03:03.620 --> 03:06.725
Now, firmware is an upgrade,

03:06.725 --> 03:09.680
or consider it the operating system

03:09.680 --> 03:11.660
for lots of different devices.

03:11.660 --> 03:13.820
For example, firewalls
and switches

03:13.820 --> 03:16.175
and routers all will
get firmware updates.

03:16.175 --> 03:18.140
Sometimes we need to look inside

03:18.140 --> 03:20.350
those firmware to find
out what's going on.

03:20.350 --> 03:22.070
Binwalk can be used to

03:22.070 --> 03:24.390
inspect the binary
firmware image files.

03:24.390 --> 03:26.015
That way we can
better understand

03:26.015 --> 03:28.010
what is inside the file itself.

03:28.010 --> 03:29.900
It can also determine
if an image file is

03:29.900 --> 03:32.360
compressed, obfuscated,
or encrypted.

03:32.360 --> 03:34.160
It does this by calculating

03:34.160 --> 03:37.710
the entropy in the file contents.

03:38.590 --> 03:41.165
Live collection tools.

03:41.165 --> 03:43.550
The first is dd, and this
is a really good one.

03:43.550 --> 03:45.725
This is a command
line tool for making

03:45.725 --> 03:48.620
forensics copies of
block level storage.

03:48.620 --> 03:50.210
It copies everything at

03:50.210 --> 03:52.760
the block level rather
than the file level.

03:52.760 --> 03:54.185
By doing this, you're getting

03:54.185 --> 03:57.890
an exact copy of
the entire drive.

03:57.890 --> 03:59.570
Netstat will display

03:59.570 --> 04:02.240
the current network
connections and their state.

04:02.240 --> 04:04.970
Ps or process status is used to

04:04.970 --> 04:07.530
display the running
processes on a Linux system.

04:07.530 --> 04:09.395
It will also include the PID

04:09.395 --> 04:12.100
and the user that is
running those processes.

04:12.100 --> 04:14.300
Vmstat is a command line tool to

04:14.300 --> 04:17.015
display real-time information
on system memory,

04:17.015 --> 04:21.540
running processes, interrupts,
paging and I/O stats.

04:23.090 --> 04:26.930
Lsof, or a list of
open files will

04:26.930 --> 04:28.880
display files that are currently

04:28.880 --> 04:31.715
open and their
associated processes.

04:31.715 --> 04:34.280
Netcat is a tool for
reading and writing from

04:34.280 --> 04:37.480
network connections
using either TCP or UDP.

04:37.480 --> 04:39.080
Now this is a bland description

04:39.080 --> 04:40.630
for what Netcat actually is.

04:40.630 --> 04:44.900
It's considered the Swiss army
knife of tools for Linux.

04:44.900 --> 04:46.160
It can do so many things.

04:46.160 --> 04:47.540
In fact, for
penetration testing,

04:47.540 --> 04:49.445
you can set up a Netcat listener

04:49.445 --> 04:51.560
that will respond
to connections.

04:51.560 --> 04:53.119
It has so many capabilities,

04:53.119 --> 04:54.560
but for forensic purposes,

04:54.560 --> 04:56.210
we're only going over
a very small bit,

04:56.210 --> 04:57.815
but you might want
to look it up and

04:57.815 --> 04:59.570
find out some more
information about it because

04:59.570 --> 05:01.520
Netcat is one of those
things that can be used

05:01.520 --> 05:04.645
in so many areas of your
cybersecurity career.

05:04.645 --> 05:07.010
Next, we have
conntrack. This allows

05:07.010 --> 05:08.270
for the interactions with

05:08.270 --> 05:10.010
connection tracking systems and

05:10.010 --> 05:12.175
they can read data
from iptables.

05:12.175 --> 05:15.890
Tcpdump, we've gone over this
before in other lessons,

05:15.890 --> 05:18.290
but this is a command line
packet analysis tool.

05:18.290 --> 05:20.285
It will capture the
network traffic data

05:20.285 --> 05:21.800
and then it will
save it as a pcap.

05:21.800 --> 05:23.975
Then we can load that
up for analysis.

05:23.975 --> 05:28.170
Wireshark is a GUI based
packet analysis tool.

05:29.260 --> 05:33.150
Hashing utilities, sha256sum.

05:33.150 --> 05:35.930
This is a Linux command
line utility and it will

05:35.930 --> 05:38.630
generate a SHA-2
hash for a file,

05:38.630 --> 05:41.780
and it will produce a
digest length of 256 bits.

05:41.780 --> 05:43.340
This is good for
us to be able to

05:43.340 --> 05:45.755
ensure that we have
a hash of a file.

05:45.755 --> 05:47.240
We know what the hash value is

05:47.240 --> 05:49.210
before we do any analysis on it.

05:49.210 --> 05:50.570
Then after we've done analysis,

05:50.570 --> 05:52.730
we can hash it again to
make sure we didn't do

05:52.730 --> 05:54.500
any changes to the file

05:54.500 --> 05:57.204
in the course of our
analysis process.

05:57.204 --> 06:01.190
Ssdeep is commonly used
by antivirus programs.

06:01.190 --> 06:04.370
It is used to compare
files to identify matches.

06:04.370 --> 06:10.050
It utilizes context triggered
piecewise hashing, or CTPH.

06:11.150 --> 06:14.870
Let's go over some other
forensics analysis tools.

06:14.870 --> 06:17.585
ExifTool, this is used
to read and write

06:17.585 --> 06:20.705
file metadata from
many file formats.

06:20.705 --> 06:23.225
A way to help make
this a little clearer

06:23.225 --> 06:26.515
is photographs all
contain EXIF data.

06:26.515 --> 06:28.955
This data would contain
information such as

06:28.955 --> 06:31.820
the GPS location of where
the photo was taken,

06:31.820 --> 06:34.520
the type of device that
was taking the photo,

06:34.520 --> 06:37.040
the exposure, and you'd

06:37.040 --> 06:39.185
be surprised at some of the
information that's there.

06:39.185 --> 06:42.530
ExifTool will allow
us to go in there and

06:42.530 --> 06:43.940
view all that
information because

06:43.940 --> 06:45.845
sometimes in the course
of the investigation,

06:45.845 --> 06:47.540
we need to know a lot of

06:47.540 --> 06:49.340
information about
this specific photo.

06:49.340 --> 06:50.930
The photo itself is important.

06:50.930 --> 06:52.400
All of the EXIF information it

06:52.400 --> 06:53.810
contains could even be more

06:53.810 --> 06:55.280
important because
it can help us to

06:55.280 --> 06:57.745
identify the device
that took the picture.

06:57.745 --> 06:59.540
Nmap is an open source

06:59.540 --> 07:02.030
IP scanner for hosts
and network discovery.

07:02.030 --> 07:04.160
We've discussed
Nmap in other lessons.

07:04.160 --> 07:07.115
Like Netcat, this is
a bland description.

07:07.115 --> 07:08.930
This tool is one of
those tools that

07:08.930 --> 07:11.410
can be used for so many things.

07:11.410 --> 07:13.805
Even for the penetration
testing side,

07:13.805 --> 07:15.230
it has the capability of running

07:15.230 --> 07:17.960
scripts to help us with
penetration testing.

07:17.960 --> 07:19.970
But for forensic purposes,

07:19.970 --> 07:21.080
we can use it to scan,

07:21.080 --> 07:22.760
to get IP addresses to find out

07:22.760 --> 07:25.130
what's active and what's
not at a given moment.

07:25.130 --> 07:27.290
The same would be
true for aircrack-ng.

07:27.290 --> 07:29.690
This is more of a
penetration testing tool,

07:29.690 --> 07:32.240
but we can use it for other
purposes for forensics.

07:32.240 --> 07:35.165
This is a suite of tools that is

07:35.165 --> 07:38.615
used for assessing and
analyzing Wi-Fi networks.

07:38.615 --> 07:39.965
We can use it to monitor.

07:39.965 --> 07:41.435
We can attack, test,

07:41.435 --> 07:43.555
or crack Wi-Fi networks.

07:43.555 --> 07:46.385
Volatility. This is
a command line tool

07:46.385 --> 07:48.395
used to perform memory analysis.

07:48.395 --> 07:51.990
It can be used to view the
contents of a memory dump.

07:53.450 --> 07:57.440
Let's summarize. We discussed
file carving tools.

07:57.440 --> 07:59.390
We also went over
binary analysis tools

07:59.390 --> 08:01.115
and firmware inspection tools.

08:01.115 --> 08:03.320
Then we discussed
file hashing tools

08:03.320 --> 08:05.570
and other popular
forensics tools.

08:05.570 --> 08:08.050
Let's do some sample questions.

08:08.050 --> 08:10.880
Question 1, a blank is

08:10.880 --> 08:13.895
a device where forensics
analysis is performed.

08:13.895 --> 08:16.370
This should have all the
common interfaces and

08:16.370 --> 08:19.830
sufficient storage space
for forensics analysis.

08:20.600 --> 08:24.865
Forensics workstation.
Question 2,

08:24.865 --> 08:27.470
this command makes
block level copies

08:27.470 --> 08:30.540
of data rather than
file level copies.

08:31.220 --> 08:35.900
dd. Question 3, this tool

08:35.900 --> 08:39.330
is a graphical
protocol analyzer.

08:39.550 --> 08:44.320
Wireshark. Question 4.

08:44.320 --> 08:46.130
This is a suite of tools for

08:46.130 --> 08:49.860
Wi-Fi assessments,
analysis, and attacks.

08:50.490 --> 08:53.630
Aircrack-ng. I hope this lesson

08:53.630 --> 08:56.460
was useful for you, and I'll
see you in the next one.

