WEBVTT

0:00:09.480000 --> 0:00:16.080000
Okay, in this lab, we are going to continue investigating a thumb drive.

0:00:16.080000 --> 0:00:20.440000
And for the purposes of this one, we're going to retrieve information

0:00:20.440000 --> 0:00:25.820000
from a JPEG file that exists on the disk image.

0:00:25.820000 --> 0:00:30.500000
We're going to have the same evidence.img file in other example labs that

0:00:30.500000 --> 0:00:36.620000
we've done. And the goal of this is going to be to extract that JPEG file

0:00:36.620000 --> 0:00:42.900000
from the evidence image and then retrieve whatever information, however

0:00:42.900000 --> 0:00:47.240000
it is, from there.

0:00:47.240000 --> 0:00:50.360000
What we're going to learn on this is we're going to learn a disk forensic

0:00:50.360000 --> 0:00:52.880000
technique called file carving.

0:00:52.880000 --> 0:00:58.120000
And that's going to allow us to recover deleted or unallocated files,

0:00:58.120000 --> 0:01:04.480000
specifically a file that, for some reason or other, the file system may have

0:01:04.480000 --> 0:01:07.160000
stopped tracking.

0:01:07.160000 --> 0:01:09.240000
Okay, we're going to use two Linux tools.

0:01:09.240000 --> 0:01:12.640000
We're going to use Linux.

0:01:12.640000 --> 0:01:13.480000
We're going to use Foremost.

0:01:13.480000 --> 0:01:22.040000
And then we're going to later on use a tool that's called VI image viewer.

0:01:22.040000 --> 0:01:27.220000
And what that does is it actually renders a JPEG image to a CLI console.

0:01:27.220000 --> 0:01:28.540000
So that's very useful.

0:01:28.540000 --> 0:01:32.260000
So you don't have to get into a GUI environment to do that.

0:01:32.260000 --> 0:01:37.460000
A few things we're going to do.

0:01:37.460000 --> 0:01:42.080000
Let's just do an ls here and we're going to see that you see it in that

0:01:42.080000 --> 0:01:46.980000
evidence root. Now we're not going to go through the full hashing routines

0:01:46.980000 --> 0:01:51.800000
for this, but just keep remembering your good forensic processes

0:01:51.800000 --> 0:01:56.900000
and procedures, chain of custody, hashing things the first time and then

0:01:56.900000 --> 0:01:59.820000
running hashes against them to verify their integrity.

0:01:59.820000 --> 0:02:05.140000
So we can just do a quick md5sum on this to show that we are keeping

0:02:05.140000 --> 0:02:12.580000
that in mind. All right.

0:02:12.580000 --> 0:02:16.980000
If this hash matches the hash that I have in my notes, then I'm good to

0:02:16.980000 --> 0:02:24.580000
go. Okay. So this next task, we are actually going to use Foremost to

0:02:24.580000 --> 0:02:27.360000
identify and retrieve a target file.

0:02:27.360000 --> 0:02:29.740000
Let's talk about Foremost for a second.

0:02:29.740000 --> 0:02:36.180000
Foremost is a file and forensic data recovery program that we use in Linux.

0:02:36.180000 --> 0:02:41.760000
And it can recover files using their headers, their footers and other

0:02:41.760000 --> 0:02:45.400000
known data structures that a file can possess.

0:02:45.400000 --> 0:02:48.760000
And that process is called file carving.

0:02:48.760000 --> 0:02:55.680000
So Foremost can really carve out any file as long as we know the file

0:02:55.680000 --> 0:02:59.160000
signature of it, which is the header and the footer and those data structures

0:02:59.160000 --> 0:03:00.820000
we talked about.

0:03:00.820000 --> 0:03:05.480000
By default, Foremost is set up to recover JPEG files.

0:03:05.480000 --> 0:03:10.760000
So as luck would have it, we are searching for a JPEG file.

0:03:10.760000 --> 0:03:14.340000
Really simple tool to use here.

0:03:14.340000 --> 0:03:21.120000
What we're just going to type in is foremost, give it a -v, give it a

0:03:21.120000 --> 0:03:27.480000
-i evidence.img.

0:03:27.480000 --> 0:03:30.840000
And see, with Linux tools, we're still kind of following that

0:03:30.840000 --> 0:03:36.460000
Linux format. I've specified my input file as evidence.img, and then

0:03:36.460000 --> 0:03:38.600000
I'm telling it where to output it.

0:03:38.600000 --> 0:03:42.480000
So it's our input and our output.

0:03:42.480000 --> 0:03:49.600000
And it kind of takes itself away from here.

0:03:49.600000 --> 0:03:56.260000
So it found this JPEG file inside the image and it's processing the image

0:03:56.260000 --> 0:04:02.600000
for more files right now.

0:04:02.600000 --> 0:04:09.120000
And then as soon as it's done, we should find the JPEG file within a structure

0:04:09.120000 --> 0:04:11.800000
in the output folder.

0:04:11.800000 --> 0:04:13.920000
There we are. We're all done.

0:04:13.920000 --> 0:04:17.640000
So let's have a look.

0:04:17.640000 --> 0:04:22.420000
We'll do ls and notice that the output directory is there.

0:04:22.420000 --> 0:04:24.000000
It was not there before.

0:04:24.000000 --> 0:04:27.140000
Move up to that.

0:04:27.140000 --> 0:04:33.200000
One thing that Foremost does is it organizes the files recovered

0:04:33.200000 --> 0:04:38.800000
by extension. So we see that we have the JPEG directory there.

0:04:38.800000 --> 0:04:41.280000
So we know that there's something in there.

0:04:41.280000 --> 0:04:44.640000
Let's have a look at this audit.txt file real quick though.

0:04:44.640000 --> 0:04:52.260000
So we have a record of everything that it has retrieved.

0:04:52.260000 --> 0:04:57.200000
Okay. Let's pop up into the JPEG directory.

0:04:57.200000 --> 0:04:59.980000
Have a look and see what's in there.

0:04:59.980000 --> 0:05:04.320000
Well, there's a file there.

0:05:04.320000 --> 0:05:10.360000
So we know that we're trying to recover some type of information about

0:05:10.360000 --> 0:05:18.820000
this file. And so with JPGs, I'm assuming steganography.

0:05:18.820000 --> 0:05:21.460000
All right. Some type of steg is going on here.

0:05:21.460000 --> 0:05:23.820000
So I'm not going to go for the obvious.

0:05:23.820000 --> 0:05:26.120000
I know, I know, sometimes somebody's going to want to go for the obvious.

0:05:26.120000 --> 0:05:31.200000
It's going to be the file name 0026314.jpg.

0:05:31.200000 --> 0:05:34.700000
But if somebody's hiding something, I don't think that that flag is going

0:05:34.700000 --> 0:05:37.980000
to necessarily be a file name.

0:05:37.980000 --> 0:05:45.000000
So let's use that VI image viewer that I mentioned earlier.

0:05:45.000000 --> 0:05:50.920000
And let's see what this file looks like.

0:05:50.920000 --> 0:05:55.880000
Okay. Hit enter.

0:05:55.880000 --> 0:05:58.360000
To me, that looks like a flag.

0:05:58.360000 --> 0:05:58.940000
What do you think?
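Added example, not part of the lab transcript and not Foremost's own source: a small Python carver that does what the lab describes Foremost doing, finding JPEGs in a raw byte blob by their header signature and footer without any help from the file system. It also shows the check a practitioner wants before trusting a carve: a plain header-to-first-footer search is cut short by the FF D9 footer inside an EXIF thumbnail and can glue a false signature onto the next real file, so the carver walks the JPEG marker segments instead and only accepts an end-of-image marker in the scan data. The "disk image", the two JPEGs and the decoy inside it are constructed in memory for the demonstration; the sector-based file naming (offset / 512, zero-padded) and the per-type size cap are assumptions modelled on Foremost's behaviour, not taken from its code.

```python
"""Minimal marker-aware JPEG carver (added example, not foremost's code)."""
import hashlib
import struct

SOI = b"\xff\xd8\xff"        # start-of-image signature, third byte opens the first marker
SOS = 0xDA                   # start of scan: entropy-coded data follows its header
MAX_FILE = 20 * 1024 * 1024  # per-type size cap, like a carver's config limit (assumption)
SECTOR = 512                 # carved files are named by starting sector (assumption)


def carve_one_jpeg(buf, start, max_file=MAX_FILE):
    """Return the exclusive end offset of the JPEG starting at buf[start], or None."""
    limit = min(len(buf), start + max_file)
    pos = start + 2                                  # skip FF D8
    while pos + 4 <= limit:                          # walk length-prefixed segments to SOS
        if buf[pos] != 0xFF:
            return None                              # expected a marker: not a JPEG
        marker = buf[pos + 1]
        if marker == 0xFF:                           # fill byte
            pos += 1
            continue
        if marker == 0xD9:                           # EOI before any scan: tiny but complete
            return pos + 2
        if marker == 0xD8:                           # a second SOI here means corruption
            return None
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn / TEM carry no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == SOS:
            break
    else:
        return None                                  # ran off the end without a scan
    while pos + 1 < limit:                           # entropy-coded data until a real EOI
        if buf[pos] != 0xFF:
            pos += 1
            continue
        nxt = buf[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:       # stuffed byte or restart marker
            pos += 2
        elif nxt == 0xD9:                            # end of image: this is the footer we want
            return pos + 2
        elif pos + 4 <= limit:                       # table/SOS between progressive scans: skip it
            pos += 2 + max(struct.unpack(">H", buf[pos + 2:pos + 4])[0], 2)
        else:
            return None
    return None


def carve_naive(buf, start, max_file=MAX_FILE):
    """Header-to-first-footer carve: what a signature-only rule does. Kept for comparison."""
    end = buf.find(b"\xff\xd9", start + 2, start + max_file)
    return None if end < 0 else end + 2


def carve_jpegs(buf, carve=carve_one_jpeg):
    """Return [(offset, bytes)] for each JPEG; a signature that fails to parse is skipped."""
    found, pos = [], 0
    while (start := buf.find(SOI, pos)) >= 0:
        end = carve(buf, start)
        if end is None:
            pos = start + 1
            continue
        found.append((start, buf[start:end]))
        pos = end
    return found


def carve_image(buf):
    """Carve and describe each hit the way an audit record would: name, offset, size, hash."""
    return [{"name": f"{start // SECTOR:08d}.jpg", "offset": start, "size": len(data),
             "md5": hashlib.md5(data).hexdigest()}      # md5 matches the lab; prefer sha256 today
            for start, data in carve_jpegs(buf)]


def build_test_jpeg(thumbnail_with_eoi):
    """Constructed test data: a structurally valid JPEG with fake scan bytes, not a real photo."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    parts = [b"\xff\xd8", seg(0xE0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")]
    if thumbnail_with_eoi:   # EXIF APP1 whose embedded thumbnail ends in FF D9
        parts.append(seg(0xE1, b"Exif\x00\x00\xff\xd8\xff\xdb" + b"\x00" * 8 + b"\xff\xd9"))
    parts += [seg(0xDB, b"\x00" + bytes(range(64))),                  # DQT
              seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"),     # SOF0, 8x8 grey
              seg(0xDA, b"\x01\x01\x00\x00\x3f\x00"),                 # SOS header
              b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a",                # scan: FF00 stuffing + RST0
              b"\xff\xd9"]
    return b"".join(parts)


def build_test_image():
    """Constructed 'disk image': filler without 0xFF bytes, two JPEGs and one false signature."""
    def filler(n):
        return bytes((i * 37 + 11) % 255 for i in range(n))            # never 0xFF, no fake SOI
    jpeg_a, jpeg_b = build_test_jpeg(True), build_test_jpeg(False)
    img = filler(1024) + jpeg_a                                        # sector 2
    img += filler(4096 - len(img)) + b"\xff\xd8\xff\x00not a jpeg"    # decoy signature
    img += filler(8192 - len(img)) + jpeg_b + filler(512)              # sector 16
    return img, jpeg_a, jpeg_b


if __name__ == "__main__":
    image, _, _ = build_test_image()
    print("image md5:", hashlib.md5(image).hexdigest())               # record before carving
    for rec in carve_image(image):
        print(rec)
    print("naive carve sizes:", [len(d) for _, d in carve_jpegs(image, carve=carve_naive)])
```

Against the constructed image the marker-aware carver returns exactly the two embedded files and skips the decoy, while the naive rule truncates the first file at the thumbnail's footer and then carves the decoy together with the second file as one blob. Whatever tool does the carving, hash the image before and after, and compare each carved file's hash against the run's audit record before drawing conclusions from it.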