WEBVTT

0:00:03.140000 --> 0:00:07.020000 In the previous video, we saw how to do file carving using three different
0:00:07.020000 --> 0:00:11.920000 tools, Scalpel, Foremost, and PhotoRec.
0:00:11.920000 --> 0:00:15.620000 In this video, we will go through manual file carving techniques, as there
0:00:15.620000 --> 0:00:19.020000 may be times when your tools aren't working, or you have to carve the
0:00:19.020000 --> 0:00:23.420000 files manually. So, let's say that we have a forensic image.
0:00:23.420000 --> 0:00:31.140000 Let's open it using WinHex.
0:00:31.140000 --> 0:00:35.460000 Along the top, let's click on Specialist and select Interpret Image File
0:00:35.460000 --> 0:00:39.480000 as Disk and click OK.
0:00:39.480000 --> 0:00:43.200000 As you can see from the image, we don't have any files within this image,
0:00:43.200000 --> 0:00:47.680000 so we either have a clean disk, which has no files created on it, or this
0:00:47.680000 --> 0:00:49.520000 disk may have been formatted.
0:00:49.520000 --> 0:00:53.380000 Since we're going to investigate a case where a user formatted their disk,
0:00:53.380000 --> 0:00:56.180000 we suspect that there were some files and the user formatted the disk
0:00:56.180000 --> 0:00:58.100000 to hide those files.
0:00:58.100000 --> 0:01:01.220000 There are a lot of different approaches to solve this case, but I will
0:01:01.220000 --> 0:01:04.260000 only be showing you two ways.
0:01:04.260000 --> 0:01:09.240000 First, we'll use bstrings, which is a tool from Eric Zimmerman.
0:01:09.240000 --> 0:01:12.820000 Eric has programmed several tools, which can be used for digital forensics,
0:01:12.820000 --> 0:01:16.020000 and we will have a chance to use them in this course.
0:01:16.020000 --> 0:01:21.780000 So, we have our tool that we will use, bstrings, minus F, carve me 002
0:01:21.780000 --> 0:01:25.740000 .001, which specifies the image.
0:01:25.740000 --> 0:01:28.480000 List searches for a keyword or text.
0:01:28.480000 --> 0:01:32.800000 Here we have PDF, and lastly, we have Results, which is where we want
0:01:32.800000 --> 0:01:34.400000 to store the results.
0:01:34.400000 --> 0:01:38.140000 Let's go ahead and create and name a folder as Results.
0:01:38.140000 --> 0:01:44.980000 Now, let's press Enter.
0:01:44.980000 --> 0:01:48.520000 It didn't find the path, but no problem, we can live with that.
0:01:48.520000 --> 0:01:51.740000 It seems we need to specify the full path.
0:01:51.740000 --> 0:01:56.280000 So now it's searching for PDF, which was the keyword specified.
0:01:56.280000 --> 0:02:00.340000 I simply chose the word PDF, as there may be some PDFs hidden.
0:02:00.340000 --> 0:02:03.280000 I also chose PDF to demonstrate the search.
0:02:03.280000 --> 0:02:07.020000 When you use the tool in your investigations, your search words will be
0:02:07.020000 --> 0:02:09.920000 dependent on what you're wanting to look for.
0:02:09.920000 --> 0:02:13.860000 As you can see, the search results show us that there is truly a PDF file
0:02:13.860000 --> 0:02:18.380000 within the image, which we can see here.
0:02:18.380000 --> 0:02:22.440000 We could have even passed these images to specify the offset and go ahead
0:02:22.440000 --> 0:02:27.900000 and search. Let's use another technique.
0:02:27.900000 --> 0:02:33.760000 Go to the top navigation and click on Specialist and select Gather Text.
0:02:33.760000 --> 0:02:36.900000 Here we will specify what text we are looking for.
0:02:36.900000 --> 0:02:44.180000 Let's save it here and specify the file size of the results.
0:02:44.180000 --> 0:02:47.740000 Now the tool is searching the disk for all the text that it can find and
0:02:47.740000 --> 0:02:49.800000 storing it in this file on disk.
0:02:49.800000 --> 0:02:54.000000 This file will be extremely helpful to us, as we will be able to clearly
0:02:54.000000 --> 0:02:57.340000 see what types of files and text are on the disk.
0:02:57.340000 --> 0:03:03.420000 It's now finished.
0:03:03.420000 --> 0:03:05.260000 Go ahead and click the OK button.
0:03:05.260000 --> 0:03:09.740000 Let's navigate to where it's saved and open the file.
0:03:09.740000 --> 0:03:13.680000 Here we can see the results.
0:03:13.680000 --> 0:03:25.660000 We see different text results and here we can see we have a PDF file.
0:03:25.660000 --> 0:03:28.180000 Let's continue looking through the results and see what other type of
0:03:28.180000 --> 0:03:34.760000 files we can find.
0:03:34.760000 --> 0:03:37.720000 When looking through this, it actually takes a little bit of experience
0:03:37.720000 --> 0:03:53.820000 to know what you are looking at.
0:03:53.820000 --> 0:03:57.220000 As you can see here, these are all the strings that have been found within
0:03:57.220000 --> 0:04:10.600000 the disk. Clearly, there are other things here, not only just a PDF file.
0:04:10.600000 --> 0:04:20.300000 Maybe we have an EXE.
0:04:20.300000 --> 0:04:23.760000 We can search for it by using the Find feature and typing in MZ.
0:04:23.760000 --> 0:04:28.080000 We use MZ because EXEs start with the word MZ.
0:04:28.080000 --> 0:04:35.560000 Let's actually try that search from the beginning of the file.
0:04:35.560000 --> 0:04:39.360000 Nope, nothing here.
0:04:39.360000 --> 0:04:42.400000 Or here. Nothing here either.
0:04:42.400000 --> 0:04:46.740000 Let's go back. Here's MZ.
0:04:46.740000 --> 0:04:49.360000 So, there might be an EXE.
0:04:49.360000 --> 0:04:53.660000 This was simply an example to give you an idea of what could be here.
0:04:53.660000 --> 0:04:56.520000 Let me show you another technique.
0:04:56.520000 --> 0:04:58.020000 It's quite simple.
0:04:58.020000 --> 0:05:03.620000 Let's close this first.
0:05:03.620000 --> 0:05:09.580000 Now, let's go to Specialist and then to Gather Free Space.
0:05:09.580000 --> 0:05:13.040000 Let's go ahead and gather the free space that's on the disk.
0:05:13.040000 --> 0:05:17.180000 Click OK and we'll name it Free Space.
0:05:17.180000 --> 0:05:21.740000 Alright, it's been gathered for us and it has even been opened for us.
0:05:21.740000 --> 0:05:25.540000 Let's go ahead and do an example search for the word PDF.
0:05:25.540000 --> 0:05:32.600000 As we can see here, the PDF starts at this location.
0:05:32.600000 --> 0:05:39.280000 So, we can see that we want to go from here and just keep scrolling through,
0:05:39.280000 --> 0:05:48.980000 but we don't actually know where exactly it ends.
0:05:48.980000 --> 0:05:52.820000 One of the techniques we can use to help simplify this process is go to
0:05:52.820000 --> 0:05:58.300000 the Signature Table here, which is by Gary Kessler, and search for PDF.
0:05:58.300000 --> 0:06:02.960000 Here, we can see what is in the header.
0:06:02.960000 --> 0:06:09.840000 25, 50, 44, 46. And when we go back to WinHex, we see the same.
0:06:09.840000 --> 0:06:19.080000 25, 50, 44, 46. But, we can see in the trailers that these are what is
0:06:19.080000 --> 0:06:23.600000 found. Let's copy and paste this value and go back to WinHex.
0:06:23.600000 --> 0:06:28.320000 Now, from here, we can search for the value that we copied.
0:06:28.320000 --> 0:06:34.060000 We need to search for a hex value for this.
0:06:34.060000 --> 0:06:38.860000 We actually need to remove the spaces.
0:06:38.860000 --> 0:06:47.080000 Let's do that now.
0:06:47.080000 --> 0:06:55.260000 Here, we can see that it found our trailer, 0A2525454F46.
0:06:55.260000 --> 0:07:04.160000 And here it is in WinHex, 0A2525454F46.
0:07:04.160000 --> 0:07:07.360000 But, it seems that this is not the end.
0:07:07.360000 --> 0:07:10.760000 So, let's do another search because, as you can see, it seems that it
0:07:10.760000 --> 0:07:14.960000 ends here. What we can do is select from here and scroll our selection
0:07:14.960000 --> 0:07:18.400000 back up to the beginning of our PDF file.
0:07:18.400000 --> 0:07:20.660000 This is a big file.
0:07:20.660000 --> 0:07:24.140000 I'll pause the video here and continue to grab the selection.
0:07:24.140000 --> 0:07:28.100000 If an offset was put, we might not have to scroll like this, but we'll
0:07:28.100000 --> 0:07:31.500000 resume the video once we are back to the beginning of the PDF.
0:07:31.500000 --> 0:07:38.960000 Here we are. Now we can edit, copy, block, select text values, and edit
0:07:38.960000 --> 0:07:45.080000 again. Select clipboard data and then paste into new file.
0:07:45.080000 --> 0:07:47.480000 Let's now save the file.
0:07:47.480000 --> 0:07:55.960000 Now, let's see if it actually truly managed to carve this file out.
0:07:55.960000 --> 0:08:05.100000 We managed to carve this file out from the disk.
0:08:05.100000 --> 0:08:08.400000 Let's now see if we have other files on this disk, because, as we see
0:08:08.400000 --> 0:08:10.320000 here, we have an image.
0:08:10.320000 --> 0:08:14.120000 Let's go back to the beginning.
0:08:14.120000 --> 0:08:27.500000 Let's go back to the website and check the JPEG values and see what it
0:08:27.500000 --> 0:08:30.380000 would look like.
0:08:30.380000 --> 0:08:37.000000 A JPEG would have these values here in the trailer.
0:08:37.000000 --> 0:08:42.600000 We also see different formats.
0:08:42.600000 --> 0:08:49.220000 We might have these values at the beginning or these values here at the
0:08:49.220000 --> 0:08:59.020000 beginning. I'm going to search for these values here.
0:08:59.020000 --> 0:09:02.620000 Let's clear out the values here and paste the new ones and take out the
0:09:02.620000 --> 0:09:07.160000 spaces. So we didn't find this one.
0:09:07.160000 --> 0:09:09.820000 Let's try it a different way.
0:09:09.820000 --> 0:09:12.760000 Let's take this bit as it is using the unique part.
0:09:12.760000 --> 0:09:25.840000 Let's just remove this bit and search again.
0:09:25.840000 --> 0:09:31.660000 As you can see, it's trial and error.
0:09:31.660000 --> 0:09:44.620000 Let's try the trailer.
0:09:44.620000 --> 0:10:02.480000 It seems we did not have any JPEG files.
0:10:02.480000 --> 0:10:06.860000 Let's do this another way.
0:10:06.860000 --> 0:10:10.160000 So this search is not searching as hex.
0:10:10.160000 --> 0:10:22.480000 This may be why we're not able to initially find it.
0:10:22.480000 --> 0:10:25.640000 Here we have an image, but this is not the end of it.
0:10:25.640000 --> 0:10:29.380000 Even if you see zeros in between bytes, that's okay, as some files have
0:10:29.380000 --> 0:10:36.880000 zeros. Let's go back to the website and use the part we used before because
0:10:36.880000 --> 0:10:39.520000 we were not searching in hex.
0:10:39.520000 --> 0:10:49.300000 Let's do this again.
0:10:49.300000 --> 0:10:54.360000 Let's mark this one and you can see that is 9000.
0:10:54.360000 --> 0:10:58.340000 Let's select this line.
0:10:58.340000 --> 0:11:03.400000 Right-click and select beginning of block.
0:11:03.400000 --> 0:11:06.480000 Let's also add a position as well.
0:11:06.480000 --> 0:11:15.580000 Entering JPEG into the description and then select a color.
0:11:15.580000 --> 0:11:20.000000 Now, let's find the trailer, which is FFD9.
0:11:20.000000 --> 0:11:28.260000 Let's open find hex values and enter it.
0:11:28.260000 --> 0:11:35.020000 This is one, but as you can see, it's not the end.
0:11:35.020000 --> 0:11:38.680000 Let's press F3 to search for another.
0:11:38.680000 --> 0:11:43.500000 Now here, I think this is the end of the file.
0:11:43.500000 --> 0:11:47.480000 We could select it from here or we can define a block.
0:11:47.480000 --> 0:11:53.060000 The beginning starts at 9000.
0:11:53.060000 --> 0:11:56.360000 It ends at this location.
0:11:56.360000 --> 0:12:02.440000 Now we have managed to select it.
0:12:02.440000 --> 0:12:07.420000 Let's edit, select copy block and then hex value.
0:12:07.420000 --> 0:12:12.720000 Let's now go back to edit, clipboard data and paste into new file.
0:12:12.720000 --> 0:12:15.940000 Let's save this file as a JPEG.
0:12:15.940000 --> 0:12:20.820000 Now we can go and open it.
0:12:20.820000 --> 0:12:25.340000 And here's our image.
0:12:25.340000 --> 0:12:28.780000 The file was an image that was extracted as evidence from the disk.
0:12:28.780000 --> 0:12:33.980000 As you can see, it is trial and error.
0:12:33.980000 --> 0:12:36.180000 You should do a couple of tests.
0:12:36.180000 --> 0:12:39.940000 You can use Gary Kessler's site to reference the headers of files.
0:12:39.940000 --> 0:12:44.020000 If you have a trailer, it will be much easier to search for applications.
0:12:44.020000 --> 0:12:47.040000 If you don't have a trailer, it can be a bit tricky as it requires research
0:12:47.040000 --> 0:12:50.380000 regarding file carving techniques, because it doesn't always work like
0:12:50.380000 --> 0:12:55.140000 this. Sometimes you need to apply different and more complicated approaches
0:12:55.140000 --> 0:13:01.320000 to file carve. This is great for data that is continuous and has no fragmentation.
0:13:01.320000 --> 0:13:05.240000 If there's fragmentation, you have to carve the two parts out and figure
0:13:05.240000 --> 0:13:09.520000 out what part matches with what part, and, if you glue them together,
0:13:09.520000 --> 0:13:11.480000 will you get the file back.
0:13:11.480000 --> 0:13:14.180000 Sometimes you'll get a couple of the files back.
0:13:14.180000 --> 0:13:17.500000 It actually depends on how complex the disk you're dealing with is and
0:13:17.500000 --> 0:13:20.880000 if there's any fragmentation.
0:13:20.880000 --> 0:13:24.960000 And this concludes our video lesson on how to carve files manually from
0:13:24.960000 --> 0:13:26.660000 our forensic image.
0:13:26.660000 --> 0:13:27.540000 Thanks for joining us.