WEBVTT

00:00:09.620 --> 00:00:14.400
In this forensics basics lab, we're going to look at a simple scenario

00:00:14.400 --> 00:00:17.320
where a user's thumb drive is under investigation.

00:00:17.320 --> 00:00:23.060
We are tasked to do a preliminary assessment and identify the data on

00:00:23.060 --> 00:00:24.100
the thumb drive.

00:00:24.100 --> 00:00:30.100
The evidence we're going to be given is an evidence.img file and it's

00:00:30.100 --> 00:00:34.720
located in the default directory when you log into this lab.

00:00:34.720 --> 00:00:38.200
Our goals are to analyze the contents of the disk image using the Sleuth Kit

00:00:38.200 --> 00:00:44.120
toolset. Determine the image format used for the system.

00:00:44.120 --> 00:00:47.620
Determine which file system type is used in the image.

00:00:47.620 --> 00:00:53.320
See which directory was mounted most recently from the disk whose image

00:00:53.320 --> 00:00:55.920
was provided to us.

00:00:55.920 --> 00:00:59.020
Then we're going to obtain a listing of all the contents of the image.

00:00:59.020 --> 00:01:02.360
Identify all the files and directories in evidence.img.

00:01:02.360 --> 00:01:08.640
Then we determine if any files are deleted and then we're going to extract

00:01:08.640 --> 00:01:11.020
a file from the image.

00:01:11.020 --> 00:01:16.600
For all of these we're going to be using the Sleuth Kit and then also Linux

00:01:16.600 --> 00:01:20.080
native tools. So let's go ahead and get started.

00:01:20.080 --> 00:01:24.640
The first thing we always, always, always do when we're doing forensics

00:01:24.640 --> 00:01:26.780
is we have to hash things.

00:01:26.780 --> 00:01:31.660
That's going to be like an integrity seal for our evidence.

00:01:31.660 --> 00:01:35.860
Using any of these hashing algorithms, if we were to change one byte or

00:01:35.860 --> 00:01:41.720
one bit of data, the hash would not just change, but it would look significantly

00:01:41.720 --> 00:01:45.800
different. It would look visually different.

00:01:45.800 --> 00:01:48.720
So what we're going to do is we're going to do the md5sum and the

00:01:48.720 --> 00:01:55.440
sha1sum. Now the MD5 sum has about what we would call a 1 in 32 million

00:01:55.440 --> 00:01:57.580
chance of a hash collision.

00:01:57.580 --> 00:02:02.520
What that means is that for any given file, there's that 1 in 32 million

00:02:02.520 --> 00:02:09.360
chance that another file out there exists with the same hash when we run

00:02:09.360 --> 00:02:11.260
an MD5 hash sum on it.

00:02:11.260 --> 00:02:16.320
So we don't love that there's a 1 in 32 million chance.

00:02:16.320 --> 00:02:18.500
We're going to call that a rare chance.

00:02:18.500 --> 00:02:23.280
So there's a rare chance out there that a file exists with the same MD5

00:02:23.280 --> 00:02:29.400
hash. Now what we're going to do is we're going to run a SHA1 hash of

00:02:29.400 --> 00:02:30.840
the evidence file as well.

00:02:30.840 --> 00:02:36.120
What that SHA1 hash is going to do is it's going to add another layer

00:02:36.120 --> 00:02:37.780
of hashing on to there.

00:02:37.780 --> 00:02:43.420
And so now we're going to have two unique hashes using two different types

00:02:43.420 --> 00:02:46.460
of hashing algorithms on the evidence.

00:02:46.460 --> 00:02:52.700
So we're going to reduce those chances to astronomically rare that there

00:02:52.700 --> 00:02:57.060
is going to be a hash collision of that file.

00:02:57.060 --> 00:02:58.920
Okay, so let's get started.

00:02:58.920 --> 00:03:00.040
Let's have a look.

00:03:00.040 --> 00:03:03.820
How are we going to obtain an MD5 hash of this file?

00:03:03.820 --> 00:03:06.440
Well, the great thing is that we have Linux native tools.

00:03:06.440 --> 00:03:09.700
We have a tool out there called md5sum.

00:03:09.700 --> 00:03:16.140
I can't do that because it runs an output.

00:03:16.140 --> 00:03:21.560
What md5sum is going to do is it's just going to get that MD5 hash

00:03:21.560 --> 00:03:22.260
of the evidence.

00:03:22.260 --> 00:03:26.280
So we can do md5sum evidence.

00:03:26.280 --> 00:03:33.940
There's our hash output, BA4 ending in 00A.

00:03:33.940 --> 00:03:36.140
So what I'm going to have to do with that is I'm going to have to write

00:03:36.140 --> 00:03:41.800
all that down or I'm going to copy and paste it into Notepad or OneNote

00:03:41.800 --> 00:03:45.700
or whatever you're using digitally, whatever you're approved and authorized

00:03:45.700 --> 00:03:46.900
to use for note taking.

00:03:46.900 --> 00:03:50.060
At a lot of old school forensics places that means you're going to have to

00:03:50.060 --> 00:03:55.780
copy each one of these characters down by hand into a notebook.

00:03:55.780 --> 00:03:57.940
That's just the way it's got to be.

00:03:57.940 --> 00:04:00.080
All right, so there's our md5sum.

00:04:00.080 --> 00:04:04.040
But like we said, MD5 could be considered a little weak by the cryptologic

00:04:04.040 --> 00:04:08.480
people. Not really for forensics, but that's okay.

00:04:08.480 --> 00:04:13.160
So we add in the SHA-1 just to make, again, that chance of a hash collision

00:04:13.160 --> 00:04:18.140
astronomically rare.

00:04:18.140 --> 00:04:24.520
So we run this hash real quick.

00:04:24.520 --> 00:04:27.380
All right, so see how we have two different hashes.

00:04:27.380 --> 00:04:28.660
SHA-1 is a little more complex.

00:04:28.660 --> 00:04:31.440
So again, we're going to notate that one down.

00:04:31.440 --> 00:04:35.440
Now between those two, we're good.

00:04:35.440 --> 00:04:38.280
We don't really need to do any more hashing.

00:04:38.280 --> 00:04:41.460
However, the hashing community and the forensic community is responding

00:04:41.460 --> 00:04:47.040
to the cyber community and their criticism of both md5sum and sha1sum.

00:04:47.040 --> 00:04:51.740
So what we're going to do is we have an option to increase the complexity

00:04:51.740 --> 00:04:56.080
of the algorithm a little bit more by running a sha256sum.

00:04:56.080 --> 00:04:59.100
Okay, so we can do that one as well.

00:04:59.100 --> 00:05:03.240
If you want. Now this one takes a little bit longer to run.

00:05:03.240 --> 00:05:13.900
Keep in mind that we are looking at hashing a 1 gigabyte file.

00:05:13.900 --> 00:05:20.420
So that's how fast it took to return this SHA-256 of a 1 gigabyte file.

00:05:20.420 --> 00:05:25.040
Now think about the fact that in modern day forensics, we're dealing with

00:05:25.040 --> 00:05:29.640
drives that are a minimum size of, I would say, 800 gigabytes to a 10

00:05:29.640 --> 00:05:31.000
gigabyte file. So we're going to do a 10 gigabyte and now we're going

00:05:31.000 --> 00:05:36.040
to do a 10 gigabyte and as large as 8 to 10 terabytes.

00:05:36.040 --> 00:05:40.080
Think about how long it's going to take to run these hashes.

00:05:40.080 --> 00:05:43.040
So you need to think about the necessity of whether or not you need to

00:05:43.040 --> 00:05:45.800
run this hash. Nevertheless, we have our hashes.

00:05:45.800 --> 00:05:50.380
We're good. I want you to think though.

00:05:50.380 --> 00:05:54.280
Just with the MD5 hash, what's the problem with this?

00:05:54.280 --> 00:05:58.740
What's happened to this hash?

00:05:58.740 --> 00:06:04.440
Where is it? If I didn't copy and paste it or write it down somewhere,

00:06:04.440 --> 00:06:08.120
what happens to it when I do this?

00:06:08.120 --> 00:06:11.760
It's gone forever.

00:06:11.760 --> 00:06:15.760
So how can we make this better?

00:06:15.760 --> 00:06:20.740
Well, one thing we can do is we can output the result into a file.

00:06:20.740 --> 00:06:32.400
Right? Okay. I've output the results of my md5sum to a file.

00:06:32.400 --> 00:06:35.720
We can cat and look at our hashes.txt file.

00:06:35.720 --> 00:06:39.660
There it is. All right.

00:06:39.660 --> 00:06:47.280
So now I want to do a sha1sum.

00:06:47.280 --> 00:06:49.260
So we run that one.

00:06:49.260 --> 00:06:54.000
Let's do a cat and see what hashes.txt looks like.

00:06:54.000 --> 00:06:58.680
What happened? Where did my md5sum go?

00:06:58.680 --> 00:07:02.480
Right? So those of you that know Linux know that we basically overwrote

00:07:02.480 --> 00:07:03.940
it with this one out arrow.

00:07:03.940 --> 00:07:12.780
It basically overwrote it.

00:07:12.780 --> 00:07:15.880
And instead of overwriting it,

00:07:15.880 --> 00:07:17.600
we could tell it to append.

00:07:17.600 --> 00:07:27.300
Now if we have a look at the contents of the file, we've got two hashes.

00:07:27.300 --> 00:07:28.940
How do I know which one's the SHA1?

00:07:28.940 --> 00:07:31.160
How do I know which one's the MD5?

00:07:31.160 --> 00:07:35.540
I mean, obviously they're fixed string lengths so I could take a guess,

00:07:35.540 --> 00:07:37.040
but I don't really know.

00:07:37.040 --> 00:07:38.500
And we don't do that in forensics.

00:07:38.500 --> 00:07:41.320
So what can I do?

00:07:41.320 --> 00:07:48.160
What can I do to allow this and build this command in a way that can document

00:07:48.160 --> 00:08:09.520
things? What about a command that will repeat our input that we type?

00:08:09.520 --> 00:08:15.600
Right? But then we can also take that and repeat some customized input

00:08:15.600 --> 00:08:19.840
into a text file.

00:08:19.840 --> 00:08:23.180
I'm sorry about that.

00:08:23.180 --> 00:08:27.520
I'm fat fingering.

00:08:27.520 --> 00:08:35.500
All right. So how can we modify this to forensics and what we're doing?

00:08:35.500 --> 00:08:37.840
Let's go ahead and give this a clear.

00:08:37.840 --> 00:08:47.340
So what I want to do is maybe echo MD5.

00:08:47.340 --> 00:08:54.940
Okay. We want to tab it.

00:08:54.940 --> 00:09:00.340
So we're going to give it the backslash escape t.

00:09:00.340 --> 00:09:04.140
$ says we're going to call a command.

00:09:04.140 --> 00:09:05.440
And we're going to command.

00:09:05.440 --> 00:09:16.220
We're going to output the results of md5sum here.

00:09:16.220 --> 00:09:24.480
And we're going to go ahead and output that to a new hash file.

00:09:24.480 --> 00:09:26.600
We'll call it hashes2.

00:09:26.600 --> 00:09:35.420
I'm going to go ahead and use this append here and you'll see why soon.

00:09:35.420 --> 00:09:38.140
So let's go ahead and output that and see what it does.

00:09:38.140 --> 00:09:39.840
It looks like it's going to work.

00:09:39.840 --> 00:09:41.560
No news is good news.

00:09:41.560 --> 00:09:42.880
It's going to do something.

00:09:42.880 --> 00:09:45.260
Okay. So let's see if we got a file.

00:09:45.260 --> 00:09:45.720
There's our hash.

00:09:45.720 --> 00:09:48.420
Let's have a look at it.

00:09:48.420 --> 00:09:55.020
Look at that. There's our... now we know that this is going to be an MD5

00:09:55.020 --> 00:09:56.460
sum right here.

00:09:56.460 --> 00:09:59.320
So how do we keep this going?

00:09:59.320 --> 00:10:00.940
All it is, is up arrow.

00:10:00.940 --> 00:10:07.380
I can change md5sum to sha1sum.

00:10:07.380 --> 00:10:18.740
And it's just going to append that.

00:10:18.740 --> 00:10:21.840
I can do a sha256sum.

00:10:21.840 --> 00:10:32.740
While we're doing the SHA256, one thing I do want to mention is that when

00:10:32.740 --> 00:10:36.500
you're dealing with malware, it is actually very common to see SHA256

00:10:36.500 --> 00:10:40.720
hashes being taken and submitted to your malware review sites.

00:10:40.720 --> 00:10:45.060
So that is one useful purpose of running a SHA256 on our files.

00:10:45.060 --> 00:10:50.580
Now that that's run, let's go ahead and have a look at our hashes file.

00:10:50.580 --> 00:10:53.800
Now look at that.

00:10:53.800 --> 00:10:58.660
I've got an MD5 sum that I can identify easily.

00:10:58.660 --> 00:11:02.220
I've got a SHA1 hash and a SHA256 hash.

00:11:02.220 --> 00:11:06.260
The only change I might think that I might like to make on this would

00:11:06.260 --> 00:11:12.060
be maybe to tab these two right here out to meet the SHA256 so it looks

00:11:12.060 --> 00:11:15.300
clean and neat. But that's it.

00:11:15.300 --> 00:11:20.420
So I'd like you to challenge yourself by adding a date and time

00:11:20.420 --> 00:11:22.920
and turning this into a bash or a Python script.

00:11:22.920 --> 00:11:24.980
Do that outside of the lab.

00:11:24.980 --> 00:11:25.920
We won't do that in this lab.

00:11:25.920 --> 00:11:27.600
There's no instructions to do it.

00:11:27.600 --> 00:11:30.860
Do some independent research and see if you can figure it out.

00:11:30.860 --> 00:11:36.140
Okay. One thing I'd also like you to consider is that these types of Linux

00:11:36.140 --> 00:11:41.880
native tools only really work on images that are mounted or in /dev

00:11:41.880 --> 00:11:45.700
or a raw image like what we're working with here.

00:11:45.700 --> 00:11:51.380
It's not really going to work with an Expert Witness file in E01 or an

00:11:51.380 --> 00:11:56.080
AFF, Advanced Forensic File Format, image.

00:11:56.080 --> 00:11:59.760
Those are containerized images with metadata and their own little integrity

00:11:59.760 --> 00:12:05.940
seals in them. So we have to run through a separate process to hash those.

00:12:05.940 --> 00:12:10.420
However, it's good to take a hash on an unknown file you have in evidence.

00:12:10.420 --> 00:12:18.860
So now that we have hashed our file, we've started a chain of custody.

00:12:18.860 --> 00:12:23.480
If we need one, we are ready to move on into task two and determining

00:12:23.480 --> 00:12:27.300
the image format of the evidence item.

00:12:27.300 --> 00:12:33.760
So what we're going to do here is we're going to look at the img_stat

00:12:33.760 --> 00:12:40.680
command. See what it does.

00:12:40.680 --> 00:12:41.960
Got some output here.

00:12:41.960 --> 00:12:45.840
We see that the dash I is image type.

00:12:45.840 --> 00:12:48.420
Okay. We have some options for that, dash I list.

00:12:48.420 --> 00:12:50.300
So let's give that a shot.

00:12:50.300 --> 00:12:53.980
img_stat dash I list.

00:12:53.980 --> 00:12:59.400
There, there are our list of supported image format types.

00:12:59.400 --> 00:13:05.320
We've got raw, AFF, AFD, AFM, AFFLIB and EWF.

00:13:05.320 --> 00:13:11.080
And really the relevant part of that is that this tool supports the raw

00:13:11.080 --> 00:13:13.260
image file format or dd.

00:13:13.260 --> 00:13:17.320
It supports the Advanced Forensic Format, or it supports the Expert Witness

00:13:17.320 --> 00:13:24.240
Format. So that's going to cover probably darn near 100% of the types

00:13:24.240 --> 00:13:27.340
of imaging we're going to do. Specifically we're going to see images that

00:13:27.340 --> 00:13:32.720
are raw and then images that are in the EWF format, not a whole lot of

00:13:32.720 --> 00:13:35.540
AFF out there. Okay.

00:13:35.540 --> 00:13:40.760
So now that we know how to use the tool, we are going to see what type

00:13:40.760 --> 00:13:42.760
of evidence we're looking at here.

00:13:42.760 --> 00:13:47.360
So we want to change that dash I to a T.

00:13:47.360 --> 00:13:52.360
And give it our image.

00:13:52.360 --> 00:13:55.180
It comes back right away with a raw image file.

00:13:55.180 --> 00:13:58.600
So we know that we're dealing with a file that was probably acquired using

00:13:58.600 --> 00:14:02.900
the dd tool and then it's in the raw image format.

00:14:02.900 --> 00:14:13.460
So that moves us on to task three.

00:14:13.460 --> 00:14:17.300
We're going to figure out what type of file system is used on the image

00:14:17.300 --> 00:14:25.900
now. So we use a tool called fsstat.

00:14:25.900 --> 00:14:30.760
And it's going to work almost like the other tools.

00:14:30.760 --> 00:14:33.280
And you're going to see that with these Sleuth Kit tools.

00:14:33.280 --> 00:14:37.580
We have different command line names, but they build on each other and

00:14:37.580 --> 00:14:39.820
they kind of work the same way.

00:14:39.820 --> 00:14:43.080
So fsstat, let's go ahead and tell it that we're going to work with

00:14:43.080 --> 00:14:49.140
a raw image, dash I raw.

00:14:49.140 --> 00:14:54.500
And let's see the different types of file systems.

00:14:54.500 --> 00:14:59.420
So dash F list, very similar to img_stat.

00:14:59.420 --> 00:15:07.340
So there are the supported file system types.

00:15:07.340 --> 00:15:13.480
What I see here is every major file system in use right now and a lot

00:15:13.480 --> 00:15:17.380
of minor ones. So this takes care of us really, really well.

00:15:17.380 --> 00:15:26.080
So now we want to figure out and identify this file system.

00:15:26.080 --> 00:15:31.440
So let's just give the fsstat command.

00:15:31.440 --> 00:15:43.220
And what we get are some options.

00:15:43.220 --> 00:15:45.680
Because again, we're staying consistent.

00:15:45.680 --> 00:15:49.580
So I know we need to do a dash I and a raw.

00:15:49.580 --> 00:15:54.120
And I know we want to do a dash T to display the evidence type.

00:15:54.120 --> 00:15:56.220
So let's give it a shot.

00:15:56.220 --> 00:16:05.280
Dash I raw. And then dash T evidence

00:16:05.280 --> 00:16:08.460
dot img. What do we think it's going to be?

00:16:08.460 --> 00:16:10.240
Let's give it a go.

00:16:10.240 --> 00:16:12.220
ext4 file system.

00:16:12.220 --> 00:16:15.580
So that's good. Now I know what we're working with here.

00:16:15.580 --> 00:16:24.760
Let's go ahead and move on now to figure out, in task four, which directory this

00:16:24.760 --> 00:16:29.780
image was mounted to most recently from the disk whose image was provided

00:16:29.780 --> 00:16:35.480
to us. Essentially what we're saying is where was this disk mounted to?

00:16:35.480 --> 00:16:39.780
If we're working within Linux, it's going to be something like disk one

00:16:39.780 --> 00:16:42.220
or disk zero, disk two.

00:16:42.220 --> 00:16:46.040
And typically you're going to see that in the /dev folder.

00:16:46.040 --> 00:16:49.300
And that's going to be where all of our devices end up by default.

00:16:49.300 --> 00:16:51.660
Those are all unmounted devices.

00:16:51.660 --> 00:16:55.620
We don't really interact directly with those folders in there, but we

00:16:55.620 --> 00:16:59.420
could. So what we're typically going to do is if we see like a /dev

00:16:59.420 --> 00:17:05.440
/disk1, we are going to mount it in /mnt

00:17:05.440 --> 00:17:08.960
/disk1, or we could mount it really anywhere else in the file

00:17:08.960 --> 00:17:10.280
system because that's Linux.

00:17:10.280 --> 00:17:11.740
We kind of do what we want.

00:17:11.740 --> 00:17:17.920
This is going to definitively tell us where that device was logically

00:17:17.920 --> 00:17:35.780
mounted to. So we're still using the fsstat tool.

00:17:35.780 --> 00:17:41.520
fsstat. Okay, still a raw image.

00:17:41.520 --> 00:17:44.240
But now we know something more.

00:17:44.240 --> 00:17:53.020
We know that it's an ext4 file system.

00:17:53.020 --> 00:17:55.900
So we've given it a little more information.

00:17:55.900 --> 00:17:58.560
Let's see if it tells us a little more information.

00:17:58.560 --> 00:18:02.000
Told us a whole lot more information.

00:18:02.000 --> 00:18:07.060
We now can read anything we want to read about this disk.

00:18:07.060 --> 00:18:12.840
But what we're specifically looking for is where was it mounted.

00:18:12.840 --> 00:18:16.000
So let's go up here to the base information up here.

00:18:16.000 --> 00:18:19.540
We know that we got an ext4 file system.

00:18:19.540 --> 00:18:23.920
We can see our last write dates, last mounted date.

00:18:23.920 --> 00:18:28.760
And here we go, /mnt/disk0.

00:18:28.760 --> 00:18:30.520
That's what we want.

00:18:30.520 --> 00:18:34.540
So I can go into my notes and I can say this.

00:18:34.540 --> 00:18:41.620
This dd image was last mounted to /mnt/disk0.

00:18:41.620 --> 00:18:51.840
So we want to obtain a listing of the contents of the image as our next

00:18:51.840 --> 00:18:55.900
step. So we're going to switch up commands.

00:18:55.900 --> 00:19:01.660
But again, everything is similar.

00:19:01.660 --> 00:19:04.980
So the new command we're going to use is called fls.

00:19:04.980 --> 00:19:08.800
So fls. See what it does.

00:19:08.800 --> 00:19:11.940
Lots of stuff here, right?

00:19:11.940 --> 00:19:15.180
But notice I still have my dash I for image type.

00:19:15.180 --> 00:19:21.420
Notice I still have my dash F for file system type.

00:19:21.420 --> 00:19:25.180
The usage format is going to be very similar.

00:19:25.180 --> 00:19:32.400
And we're using that Linux input first and then output sequence that you

00:19:32.400 --> 00:19:36.100
should be so very familiar with when we're with Linux operating systems.

00:19:36.100 --> 00:19:37.980
That's why I love these tools.

00:19:37.980 --> 00:19:44.800
Okay. So I want the fls tool to output a directory listing of the evidence

00:19:44.800 --> 00:19:53.000
in the image. So we know we're going to use fls.

00:19:53.000 --> 00:19:56.540
We know that we have a raw partition.

00:19:56.540 --> 00:20:02.520
We're working with an ext4 file system.

00:20:02.520 --> 00:20:08.960
And we're going to use evidence.img.

00:20:08.960 --> 00:20:15.520
So there is the root level directory output.

00:20:15.520 --> 00:20:19.420
So what directories do we see there?

00:20:19.420 --> 00:20:22.640
We're going to use a directory listing, not a full file listing here.

00:20:22.640 --> 00:20:26.340
So we've got two directories, three directories, right?

00:20:26.340 --> 00:20:30.520
We have notes, photos and videos.

00:20:30.520 --> 00:20:38.740
So let's just have a quick look and see if we can determine if any files

00:20:38.740 --> 00:20:42.140
have been deleted on this one.

00:20:42.140 --> 00:20:45.220
We're going to use the same command.

00:20:45.220 --> 00:20:48.220
We're going to modify things a little bit here.

00:20:48.220 --> 00:20:49.780
So we're going to get rid of the dash I.

00:20:49.780 --> 00:20:52.900
I'm going to give it a dash R D.

00:20:52.900 --> 00:20:57.740
If we look above, the dash R D, lowercase R, that's going to recurse on

00:20:57.740 --> 00:20:59.700
directory entries.

00:20:59.700 --> 00:21:08.040
And then the lowercase D is going to display only deleted directory entries.

00:21:08.040 --> 00:21:11.860
So if I hit this, let's see what happens.

00:21:11.860 --> 00:21:13.740
Now we got an error.

00:21:13.740 --> 00:21:14.580
Sometimes that happens.

00:21:14.580 --> 00:21:16.760
There's my fat finger.

00:21:16.760 --> 00:21:19.060
So let's fix this dash I.

00:21:19.060 --> 00:21:20.520
Let's put that back in.

00:21:20.520 --> 00:21:22.540
That was my mistake.

00:21:22.540 --> 00:21:26.100
Okay. Now let's hit enter.

00:21:26.100 --> 00:21:28.280
No news is good news.

00:21:28.280 --> 00:21:41.660
What that tells me is that there are no deleted files on this file system.

00:21:41.660 --> 00:21:50.500
Okay. So the next thing we need to do is we want to search through the

00:21:50.500 --> 00:21:56.220
directories using that fls and we want to see if anything is actually

00:21:56.220 --> 00:22:00.240
there. We're looking for a flag.

00:22:00.240 --> 00:22:03.980
Okay. So let's start with our notes directory.

00:22:03.980 --> 00:22:09.400
Same command. Same exact command.

00:22:09.400 --> 00:22:13.520
Except do you see these reference, these numbers here?

00:22:13.520 --> 00:22:17.060
Those are reference numbers.

00:22:17.060 --> 00:22:23.500
So I want to do a directory listing of the notes directory.

00:22:23.500 --> 00:22:26.300
So I'm going to specify 12.

00:22:26.300 --> 00:22:28.260
I want to hit that.

00:22:28.260 --> 00:22:32.740
I fat fingered it again, look at that.

00:22:32.740 --> 00:22:35.800
Let's go over here.

00:22:35.800 --> 00:22:39.560
We want to get rid of dash R D because there's no deleted files.

00:22:39.560 --> 00:22:41.640
Now we're just doing the dash I.

00:22:41.640 --> 00:22:44.480
Now let's try it.

00:22:44.480 --> 00:22:48.240
One file and it's called flag.txt.

00:22:48.240 --> 00:22:50.860
I think that's what we're looking for.

00:22:50.860 --> 00:22:59.500
However, we can always have a look at the photos folder.

00:22:59.500 --> 00:23:03.420
Or we can have a look at the videos folder.

00:23:03.420 --> 00:23:13.760
And we can dig down deeper into the college directory.

00:23:13.760 --> 00:23:19.020
Or the school directory.

00:23:19.020 --> 00:23:22.640
But we're not really getting anything else.

00:23:22.640 --> 00:23:27.280
So we can pretty much definitely say that we are looking for this record

00:23:27.280 --> 00:23:29.720
16, flag.txt.

00:23:29.720 --> 00:23:35.520
So now that we found our flag, we need to export it.

00:23:35.520 --> 00:23:38.320
All right. And we're going to do this command a little bit quicker because

00:23:38.320 --> 00:23:40.640
we're familiar with these formats.

00:23:40.640 --> 00:23:43.680
Let's just give it a clear so we're back at the top first.

00:23:43.680 --> 00:23:47.580
Okay. The tool we're going to use to extract the file is icat.

00:23:47.580 --> 00:23:55.540
So icat. Some familiar switches.

00:23:55.540 --> 00:24:06.040
Okay. If we remember, we're looking for record 16.

00:24:06.040 --> 00:24:09.760
So now we're going to specify record 16 there.

00:24:09.760 --> 00:24:11.020
And now we've got to send it somewhere.

00:24:11.020 --> 00:24:17.420
So we're going to send it to flag.txt.

00:24:17.420 --> 00:24:24.480
So what this should do is, again in our typical Linux output formats, it's

00:24:24.480 --> 00:24:28.000
going to look through evidence.img.

00:24:28.000 --> 00:24:31.780
It's going to take whatever's on record 16 and it's going to output it

00:24:31.780 --> 00:24:35.920
to a file called flag.txt.

00:24:35.920 --> 00:24:37.740
Let's hit enter.

00:24:37.740 --> 00:24:46.180
And I got an error.

00:24:46.180 --> 00:24:48.860
And sometimes we make mistakes.

00:24:48.860 --> 00:24:51.020
That should fix it.

00:24:51.020 --> 00:24:53.680
There he goes. Let's see what we got.

00:24:53.680 --> 00:24:58.320
ls. Okay. I got flag.txt exported out of there.

00:24:58.320 --> 00:25:05.380
Now your first instinct is going to be, let's have a look at it.

00:25:05.380 --> 00:25:08.600
But for me, that's not my first instinct.

00:25:08.600 --> 00:25:10.280
I want to hash it.

00:25:10.280 --> 00:25:15.660
So let's go ahead and do an md5sum.

00:25:15.660 --> 00:25:22.920
flag.txt. And let's export that.

00:25:22.920 --> 00:25:25.120
Let's export that out to flag.hash.

00:25:25.120 --> 00:25:26.680
This isn't given in your lab instructions.

00:25:26.680 --> 00:25:32.460
This is just good forensic process since we have generated an evidence

00:25:32.460 --> 00:25:36.380
file. We need to go ahead and generate that hash and keep our chain of

00:25:36.380 --> 00:25:42.280
custody and our integrity seals just above reproach.

00:25:42.280 --> 00:25:47.600
So now we have our hash.

00:25:47.600 --> 00:25:49.560
Let's give it a check.

00:25:49.560 --> 00:25:56.360
Okay. We got a good hash.

00:25:56.360 --> 00:26:04.740
Now let's have a look at the flag.

00:26:04.740 --> 00:26:07.420
Okay. And we have another hash in there.

00:26:07.420 --> 00:26:16.720
So we have successfully extracted and viewed and hashed our flag.

00:26:16.720 --> 00:26:22.020
Okay. Well, let's see what you can do from this lab.

00:26:22.020 --> 00:26:25.460
My recommendation is you go back and do this lab two or three times.

00:26:25.460 --> 00:26:29.380
You do that challenge I talked about with Python or bash and automating

00:26:29.380 --> 00:26:30.740
some of the hashing.

00:26:30.740 --> 00:26:33.840
And I think you're going to be well on your way to your forensics basics

00:26:33.840 --> 00:26:35.200
using the Sleuth Kit tools.
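One way to take up the instructor's challenge (labelled md5/sha1/sha256 lines with a date and time, appended rather than overwritten, plus a re-check that shows a one-byte change breaking every digest). This is an added example in bash, not the lab's or the Sleuth Kit's own script; the tab-separated record layout, the verify_record helper and the sample file it hashes are my assumptions.

```shell
#!/bin/bash
# Added example (not the lab's script): labelled, timestamped hash record for an
# evidence file, plus a verification pass that re-hashes and compares.
# Assumes GNU coreutils md5sum/sha1sum/sha256sum and a POSIX `date`.

# hash_record FILE RECORD
# Appends one line per algorithm to RECORD (created if missing), so a second
# run adds to the record instead of clobbering it the way `>` would:
#   <UTC timestamp>\t<algorithm>\t<digest>\t<file>
hash_record() {
    local file="$1" record="$2" stamp algo digest
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    for algo in md5 sha1 sha256; do
        # "${algo}sum" expands to md5sum / sha1sum / sha256sum; keep the digest field only
        digest=$("${algo}sum" "$file" | cut -d' ' -f1) || return 1
        printf '%s\t%s\t%s\t%s\n' "$stamp" "$algo" "$digest" "$file" >> "$record"
    done
}

# digest_from_record RECORD ALGO
# Prints the most recently recorded digest for ALGO (the label answers the
# "which one is the SHA1?" question without guessing from string length).
digest_from_record() {
    awk -F'\t' -v a="$2" '$2 == a { d = $3 } END { print d }' "$1"
}

# verify_record FILE RECORD
# Returns 0 if FILE still matches every recorded digest, 1 on the first mismatch.
verify_record() {
    local file="$1" record="$2" algo expected actual
    for algo in md5 sha1 sha256; do
        expected=$(digest_from_record "$record" "$algo")
        actual=$("${algo}sum" "$file" | cut -d' ' -f1)
        if [ "$expected" != "$actual" ]; then
            echo "MISMATCH $algo: recorded $expected, now $actual" >&2
            return 1
        fi
    done
    echo "OK: $file matches all recorded digests"
}

# Stand-alone demo on a constructed sample file (not the lab's evidence.img).
demo() {
    local dir sample record
    dir=$(mktemp -d)
    sample="$dir/sample.img"; record="$dir/hashes.txt"
    printf 'hello\n' > "$sample"          # constructed sample evidence
    hash_record "$sample" "$record"
    cat "$record"
    verify_record "$sample" "$record"
    printf 'hellO\n' > "$sample"          # flip one byte: every digest now differs
    verify_record "$sample" "$record" || echo "tampering detected as expected"
    rm -rf "$dir"
}

demo
```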