WEBVTT

00:00:02.920 --> 00:00:06.860
In this video, we will go over features of various file carving tools

00:00:06.860 --> 00:00:10.920
that are helpful to digital investigators, especially when analyzing,

00:00:10.920 --> 00:00:14.460
recovering, and retrieving files from a corrupted disk.

00:00:14.460 --> 00:00:18.560
Sometimes when we acquire evidence it may have a corrupted file system

00:00:18.560 --> 00:00:20.980
or a corrupted USB drive.

00:00:20.980 --> 00:00:24.780
In some cases, carving can be useful if the drive is formatted.

00:00:24.780 --> 00:00:27.180
We will see this in this video.

00:00:27.180 --> 00:00:30.480
Utilizing file carving techniques can help when finding or extracting

00:00:30.480 --> 00:00:33.960
files from forensic images that you have acquired.

00:00:33.960 --> 00:00:38.000
In this video, we will be working with a forensic image of a disk that

00:00:38.000 --> 00:00:40.900
unfortunately for us is formatted.

00:00:40.900 --> 00:00:43.980
Let's go ahead and mount the drive to a loopback device.

00:00:43.980 --> 00:00:48.600
Let's use loop 2.

00:00:48.600 --> 00:00:53.200
This is our evidence.

00:00:53.200 --> 00:00:57.800
So now we are attaching our evidence to loop 2, which is a loopback device.

00:00:57.800 --> 00:01:03.340
We can now analyze this disk, just like we did with FTK Imager, which

00:01:03.340 --> 00:01:05.860
we used to mount the disk and analyze it.

00:01:05.860 --> 00:01:09.500
We will be doing the same with Linux.

00:01:09.500 --> 00:01:14.460
Now, if we use the fls tool from The Sleuth Kit, it will try to list what

00:01:14.460 --> 00:01:17.820
files are on this drive.

00:01:17.820 --> 00:01:28.980
As we can see, it only found the volume label, MBR, file drive, FAT1,

00:01:28.980 --> 00:01:33.860
FAT2, and the orphan files, but it didn't actually find any other files.

00:01:33.860 --> 00:01:36.420
Let's try this script out.
00:01:36.420 --> 00:01:41.360
It also didn't find any evidence.

00:01:41.360 --> 00:01:47.680
Let's now look at the options for Sleuth Kit fls by typing in fls -h.

00:01:47.680 --> 00:01:51.340
There are several options that we can use.

00:01:51.340 --> 00:01:55.740
For instance, like -d, which displays deleted entries only, or -F, which

00:01:55.740 --> 00:02:00.000
displays only files, or -l, which displays the long version.

00:02:00.000 --> 00:02:05.800
For example, with the long version, we can enter this.

00:02:05.800 --> 00:02:09.740
We will use this later when we do a file timeline analysis and make

00:02:09.740 --> 00:02:12.360
a body file for file timeline analysis.

00:02:12.360 --> 00:02:17.020
Currently, there are no files on this drive.

00:02:17.020 --> 00:02:21.620
So, it's clear that this drive could be formatted.

00:02:21.620 --> 00:02:23.540
Our evidence is here.

00:02:23.540 --> 00:02:26.440
Evidence 001.dd.

00:02:26.440 --> 00:02:29.980
We will analyze it using a couple of different tools.

00:02:29.980 --> 00:02:33.760
The first tool we use is Foremost, which is an extremely easy tool to

00:02:33.760 --> 00:02:38.160
use. To open it, simply type in the tool name and the forensic image.

00:02:38.160 --> 00:02:42.240
Let's see what's available to us.

00:02:42.240 --> 00:02:45.420
Here we see several options that we can use.

00:02:45.420 --> 00:02:50.520
For instance, we can specify the type of files we want, like JPG or PDF.

00:02:50.520 --> 00:02:53.840
We can also specify what file we want to use.

00:02:53.840 --> 00:02:57.100
By default, it will use the file we are providing it.

00:02:57.100 --> 00:02:59.840
Also, we can use the output directory.

00:02:59.840 --> 00:03:04.720
Let's do that by entering foremost, -o, and foremost again, so we

00:03:04.720 --> 00:03:07.620
can differentiate between the results from different tools.
00:03:07.620 --> 00:03:17.060
We can see that Foremost is processing the forensic evidence and it is

00:03:17.060 --> 00:03:20.760
trying to extract any useful evidence it can find on the drive.

00:03:20.760 --> 00:03:25.460
It does this based on signatures that it searches for on the drive.

00:03:25.460 --> 00:03:28.980
This shouldn't take very long as the forensic image is not very large.

00:03:28.980 --> 00:03:35.160
Let's wait for it to finish.

00:03:35.160 --> 00:03:40.460
The process is now complete, and we can see that we have a directory.

00:03:40.460 --> 00:03:52.620
It also generates a report called audit report.

00:03:52.620 --> 00:03:56.760
The report tells us what files were found, the sizes of the files, and

00:03:56.760 --> 00:03:59.000
the offset of where the file was found.

00:03:59.000 --> 00:04:07.320
It also provides a summary of the extracted files.

00:04:07.320 --> 00:04:13.680
We can see that it managed to extract 16 JPEG files.

00:04:13.680 --> 00:04:33.080
Now, we can check this by using Microsoft Office to open the file.

00:04:33.080 --> 00:04:43.820
Now, let's open the directory where the results are stored using Nautilus.

00:04:43.820 --> 00:04:47.140
Here we can see it made a couple of directories, and it categorized them

00:04:47.140 --> 00:04:48.860
based on their type.

00:04:48.860 --> 00:04:56.860
If we click on the JPEG folder, we can see all of those types of images

00:04:56.860 --> 00:05:01.460
here. In the PDF folder, we see the PDF files.

00:05:01.460 --> 00:05:06.220
We can also see the DLL files, EXE files, and GIF files.

00:05:06.220 --> 00:05:09.900
Let's now go to the results directory and to the zip files.

00:05:09.900 --> 00:05:12.980
Here we are going to apply the same techniques that we used in previous

00:05:12.980 --> 00:05:16.640
labs to determine if they are really zip files or not.
00:05:16.640 --> 00:05:21.500
Unfortunately, it didn't give us a lot of results.

00:05:21.500 --> 00:05:27.160
Perhaps they really are zip files.

00:05:27.160 --> 00:05:31.880
Let's check. This zip couldn't be opened, and this file here we were able

00:05:31.880 --> 00:05:34.560
to open, and it is a zip file.

00:05:34.560 --> 00:05:41.100
Again, Foremost was able to extract most of these files and provided us

00:05:41.100 --> 00:05:45.360
with a report of its results to show what we did and what we didn't.

00:05:45.360 --> 00:05:48.900
When checking these files, we may find that some of them are corrupted

00:05:48.900 --> 00:05:52.200
and may need some manual editing.

00:05:52.200 --> 00:05:55.860
Let's move on to the next tool called Scalpel, which was developed by

00:05:55.860 --> 00:06:04.180
Dr. Richard Gordon.

00:06:04.180 --> 00:06:12.860
Scalpel is based on Foremost, but can be faster as we specify what we

00:06:12.860 --> 00:06:17.060
want to do, and it will then carve it out.

00:06:17.060 --> 00:06:22.660
Now, let's go to the Scalpel configuration file.

00:06:22.660 --> 00:06:29.980
By default, everything comes commented out.

00:06:29.980 --> 00:06:34.800
For example, if you want to extract a PNG, you have to uncomment this.

00:06:34.800 --> 00:06:41.260
This here denotes that it is a PNG, and within this value we will find

00:06:41.260 --> 00:06:46.480
this magic number, which is related to the PNG.

00:06:46.480 --> 00:06:48.360
Let's scroll up a bit.

00:06:48.360 --> 00:06:52.160
Here we can see what each column represents, which is the case, size,

00:06:52.160 --> 00:06:54.640
header, and footer.

00:06:54.640 --> 00:06:56.640
So the case is PNG.

00:06:56.640 --> 00:06:59.020
The value is the size.

00:06:59.020 --> 00:07:03.740
Next, we see the header, and here we have the footer.

00:07:03.740 --> 00:07:09.360
I've selected PNG here.
00:07:09.360 --> 00:07:12.060
I've also selected this one for the doc.

00:07:12.060 --> 00:07:15.700
And as we see here, this is the header and footer for the doc.

00:07:15.700 --> 00:07:19.120
Just a bit below, here's another for doc.

00:07:19.120 --> 00:07:29.300
Let's also specify these two for PDF, and then save it.

00:07:29.300 --> 00:07:31.740
Scalpel is an easy tool to use.

00:07:31.740 --> 00:07:35.600
We can even add our own signature to start file carving, especially if

00:07:35.600 --> 00:07:35.900
you have a signature

00:07:35.900 --> 00:07:39.400
or have a specific file you're searching for.

00:07:39.400 --> 00:07:44.140
We'll have an opportunity to do that in a lab.

00:07:44.140 --> 00:07:48.380
So now that we've done our uncommenting, let's go back.

00:07:48.380 --> 00:07:52.200
Now, let's bring up Scalpel's options.

00:07:52.200 --> 00:07:57.900
The output uses -o.

00:07:57.900 --> 00:08:05.900
Now let's type scalpel, -o for the output directory, and then put in the evidence.

00:08:05.900 --> 00:08:09.220
We can see that it is searching the evidence, and the search is not taking

00:08:09.220 --> 00:08:20.480
very long, which is good, but it also depends on your system too.

00:08:20.480 --> 00:08:26.220
Scalpel is done, and we can see that it has carved two files, and elapsed

00:08:26.220 --> 00:08:28.200
equals 18 seconds.

00:08:28.200 --> 00:08:34.780
So, Scalpel took 18 seconds to carve out two files for us.

00:08:34.780 --> 00:08:38.360
If we go to the Scalpel directory, we can find our audit file, which tells

00:08:38.360 --> 00:08:39.680
us what happened.

00:08:39.680 --> 00:08:42.920
It also gives us the following information for the carved files, like the

00:08:42.920 --> 00:08:48.580
file names, where they start, the length, as well as the extraction location.
00:08:48.580 --> 00:08:54.800
Now if we click this folder, we can see the two PDF files it carved out.

00:08:54.800 --> 00:09:02.280
If we click on them, we see they are working.

00:09:02.280 --> 00:09:05.660
Let's now explore another tool called PhotoRec.

00:09:05.660 --> 00:09:10.000
PhotoRec can be used on mounted evidence, or we can use it directly.

00:09:10.000 --> 00:09:13.080
So, let's go ahead and use it directly on this machine.

00:09:13.080 --> 00:09:15.820
Let's just type in photorec.

00:09:15.820 --> 00:09:21.420
Now, let's specify a log, but first let's check the options.

00:09:21.420 --> 00:09:29.800
Now, let's type in /log, /d, and photorec.

00:09:29.800 --> 00:09:35.040
This is simply to differentiate which tool was used to extract the evidence.

00:09:35.040 --> 00:09:38.480
PhotoRec also comes with the TestDisk toolkit.

00:09:38.480 --> 00:09:42.620
All we need to do is press this, and a simple DOS mode application will

00:09:42.620 --> 00:09:48.260
appear. Along the bottom, we see a warning stating that some disks won't

00:09:48.260 --> 00:09:50.060
appear unless you're the root user.

00:09:50.060 --> 00:09:54.660
Since we're using this image directly, we don't really need this, but

00:09:54.660 --> 00:09:57.800
if you're dealing with a forensic image and it's mounted, then you may

00:09:57.800 --> 00:10:01.560
need to go ahead and select root.

00:10:01.560 --> 00:10:07.280
Here we have the sudo command, which we can use to restart as root.

00:10:07.280 --> 00:10:09.920
We also have quit to simply quit.

00:10:09.920 --> 00:10:13.380
However, we'll use the proceed option, and if we look towards the top

00:10:13.380 --> 00:10:17.320
of the screen, we can see the evidence PhotoRec will be working on.
00:10:17.320 --> 00:10:22.940
Here we are presented with two options, the whole partition, which we

00:10:22.940 --> 00:10:24.980
can tell from the whole disk text at the end.

00:10:24.980 --> 00:10:28.420
The other option is to go with the single partition, which is a FAT32

00:10:28.420 --> 00:10:33.060
partition. The nice thing about this particular case is that both the

00:10:33.060 --> 00:10:36.500
whole disk and the partition are identical in sector size, which could

00:10:36.500 --> 00:10:39.640
mean that we only have this single partition on this disk.

00:10:39.640 --> 00:10:43.940
If we only select the partition, then we will be searching the entire

00:10:43.940 --> 00:10:47.280
disk, so let's go ahead and leave it like that.

00:10:47.280 --> 00:10:51.040
If we look at the bottom of the screen, we see a few options we can select.

00:10:51.040 --> 00:10:53.040
We see search, which will start the search.

00:10:53.040 --> 00:10:55.980
Options allows us to select the options we want.

00:10:55.980 --> 00:10:59.640
The first option listed here is paranoid, which is set to yes and brute

00:10:59.640 --> 00:11:01.160
force is disabled.

00:11:01.160 --> 00:11:03.660
It will search the whole disk in paranoid mode.

00:11:03.660 --> 00:11:08.460
Paranoid mode will verify the files that it has found, and whether they are

00:11:08.460 --> 00:11:13.600
working or not. The next option is keep corrupted files, which is set

00:11:13.600 --> 00:11:17.980
to no. If it finds corrupted files, we can delete them, or we can set

00:11:17.980 --> 00:11:20.620
it to yes to keep the corrupted files.

00:11:20.620 --> 00:11:24.140
Sometimes we actually need the corrupted files, because we may need to

00:11:24.140 --> 00:11:25.880
be able to fix them manually.

00:11:25.880 --> 00:11:30.300
So for this option, we are going to say yes to keep the corrupted files.
00:11:30.300 --> 00:11:35.600
Here, we have the expert mode option, which allows us to specify the sector

00:11:35.600 --> 00:11:40.780
size and the cluster size, but if the file system is not intact itself,

00:11:40.780 --> 00:11:42.860
only the data is deleted.

00:11:42.860 --> 00:11:46.100
Then PhotoRec can automatically detect all these details from the volume

00:11:46.100 --> 00:11:48.140
boot record for the disk.

00:11:48.140 --> 00:11:51.420
Now to the last option, low memory.

00:11:51.420 --> 00:11:54.220
If you are running PhotoRec on low memory and you don't want the system

00:11:54.220 --> 00:11:58.180
to crash during the recovery process, you can select this, so it takes

00:11:58.180 --> 00:12:00.300
that into consideration.

00:12:00.300 --> 00:12:02.880
Now, let's go back to the main menu.

00:12:02.880 --> 00:12:06.640
If we look at file options, it shows us what files it will search for.

00:12:06.640 --> 00:12:09.460
We can see a lot of files that PhotoRec searches for.

00:12:09.460 --> 00:12:12.720
The nice thing about this option is that you can search for other files

00:12:12.720 --> 00:12:17.140
that you can specify.

00:12:17.140 --> 00:12:21.580
We will do this in the lab, so let's just go with the basics here.

00:12:21.580 --> 00:12:26.080
Let's go back to the menu, and the last option we have here is quit.

00:12:26.080 --> 00:12:28.820
Now, let's do a search.

00:12:28.820 --> 00:12:34.480
Here, it is asking us what file system it's using.

00:12:34.480 --> 00:12:39.240
As we saw earlier, the file system is FAT32, and as we can see above,

00:12:39.240 --> 00:12:43.540
PhotoRec also managed to identify it as FAT32.

00:12:43.540 --> 00:12:46.820
Let's select the second option, which is other, so we can recover the

00:12:46.820 --> 00:12:49.200
files from these types of file systems.
00:12:49.200 --> 00:12:55.620
So let's select other, and now we can choose which space needs to be analyzed.

00:12:55.620 --> 00:12:59.820
We can select the free space of the FAT32, which is the unallocated space,

00:12:59.820 --> 00:13:03.060
or we have the option to extract from the whole partition.

00:13:03.060 --> 00:13:04.880
Let's select whole.

00:13:04.880 --> 00:13:08.040
Now, let's go ahead and press the enter key.

00:13:08.040 --> 00:13:11.540
It has started extracting files, and it is also providing us a summary

00:13:11.540 --> 00:13:13.620
of what was done.

00:13:13.620 --> 00:13:16.860
It is now finished.

00:13:16.860 --> 00:13:19.740
It managed to recover 115 files.

00:13:19.740 --> 00:13:23.220
Let's go ahead and quit this here, and on the next screen too.

00:13:23.220 --> 00:13:38.260
Let's exit PhotoRec and see what we have.

00:13:38.260 --> 00:13:40.460
This is what we got from PhotoRec.

00:13:40.460 --> 00:13:44.020
Let's also open the report, which is the PhotoRec log.

00:13:44.020 --> 00:13:56.340
Here we can see the log, which logged all of the actions done by PhotoRec.

00:13:56.340 --> 00:13:59.980
PhotoRec managed to find the block size, which is 512.

00:13:59.980 --> 00:14:06.860
It recovered all these files.

00:14:06.860 --> 00:14:10.220
If we look at this entry here, it was recovered from this block to this

00:14:10.220 --> 00:14:14.520
block. This file here is actually just one block.

00:14:14.520 --> 00:14:20.420
The file above is 8 blocks.

00:14:20.420 --> 00:14:25.520
As we scroll through, we see JPEG files, EXEs, and zip files.

00:14:25.520 --> 00:14:36.860
Here we can see that it recovered 97 text files, 9 JPEGs, 4 EXE files,

00:14:36.860 --> 00:14:41.240
2 PDF files, 2 zip files, and 1 GIF.

00:14:41.240 --> 00:14:48.640
Let's go ahead and open some of these files.
00:14:48.640 --> 00:14:52.960
The first thing we see is a tool that is an XF tool.exe.

00:14:52.960 --> 00:14:58.700
We also see Java files, text files, and a couple of images.

00:14:58.700 --> 00:15:01.860
Let's open this JPEG file.

00:15:01.860 --> 00:15:04.160
It seems it was deleted from the disk.

00:15:04.160 --> 00:15:12.300
Let's open another image file.

00:15:12.300 --> 00:15:18.080
And here we have a PDF that Scalpel did manage to carve.

00:15:18.080 --> 00:15:24.640
So, we used three different file-carving tools to carve out and extract

00:15:24.640 --> 00:15:27.700
some files from a formatted disk.

00:15:27.700 --> 00:15:31.160
I highly recommend you investigate the differences between all of them.

00:15:31.160 --> 00:15:34.720
I also recommend that when you are working on a case, you verify

00:15:34.720 --> 00:15:36.720
your work using two different tools.

00:15:36.720 --> 00:15:40.080
It does not necessarily have to be these three tools, as you may have

00:15:40.080 --> 00:15:44.000
a forensic toolkit that already comes with file-carving capabilities.

00:15:44.000 --> 00:15:48.800
By the way, PhotoRec is also integrated into Autopsy, so Autopsy will

00:15:48.800 --> 00:15:53.060
already be running PhotoRec for you, if you select a plugin for it.

00:15:53.060 --> 00:15:56.060
I hope this video gave you an idea of how to extract files automatically

00:15:56.060 --> 00:16:01.700
and carve them out from corrupted forensic images or disks.

00:16:01.700 --> 00:16:04.980
And this concludes our video lesson on automatic file carving.

00:16:04.980 --> 00:16:06.280
Thank you for joining us.