WEBVTT

0:00:10.060000 --> 0:00:13.980000
Okay, so on this lab, we are still looking at this image of a thumb drive

0:00:13.980000 --> 0:00:16.060000
that's under investigation.

0:00:16.060000 --> 0:00:17.640000
And now we're going to have a look at it.

0:00:17.640000 --> 0:00:18.520000
We're going to analyze it.

0:00:18.520000 --> 0:00:21.640000
We're going to try and find some suspicious evidence that might be in

0:00:21.640000 --> 0:00:23.280000
some document files.

0:00:23.280000 --> 0:00:27.220000
We're going to be given the evidence.img file that's located in our default

0:00:27.220000 --> 0:00:30.080000
directory when we start up the lab.

0:00:30.080000 --> 0:00:32.020000
So let's have a look here.

0:00:32.020000 --> 0:00:35.120000
There it is. Evidence.img.

0:00:35.120000 --> 0:00:39.640000
So what we're going to do here is we are going to do some disk forensic

0:00:39.640000 --> 0:00:44.180000
techniques to recover deleted or unallocated files.

0:00:44.180000 --> 0:00:47.720000
And we're going to use the scalpel tool for this.

0:00:47.720000 --> 0:00:51.980000
Okay, so what is the first thing that we should always, always do when

0:00:51.980000 --> 0:00:55.000000
we're working with forensic evidence?

0:00:55.000000 --> 0:00:59.580000
I hope you thought this, but it is we need to do our hashes.

0:00:59.580000 --> 0:01:01.200000
We need to check our notes.

0:01:01.200000 --> 0:01:02.740000
We need to compare hashes.

0:01:02.740000 --> 0:01:05.280000
We need to compare them against our chain of custody.

0:01:05.280000 --> 0:01:09.900000
And we got to start a chain of custody if we don't already have one.

0:01:09.900000 --> 0:01:19.500000
So let's get that hash.

0:01:19.500000 --> 0:01:24.780000
There's our MD5 sum and when this is complete, I'm going to either hand

0:01:24.780000 --> 0:01:29.900000
copy or copy and paste this over into my forensic notes.
0:01:29.900000 --> 0:01:36.640000
Now while this is running after this, we are going to go looking for our

0:01:36.640000 --> 0:01:44.800000
document files. So the tool we're going to use is scalpel.

0:01:44.800000 --> 0:01:48.400000
Let's just, let's see what happens if we type in scalpel.

0:01:48.400000 --> 0:01:54.060000
Oh, we got lots of usage instructions.

0:01:54.060000 --> 0:02:04.720000
Basic usage though is going to be scalpel and then our image file and

0:02:04.720000 --> 0:02:10.100000
then we can do -o and an output directory.

0:02:10.100000 --> 0:02:12.040000
So let's give that a shot real quick.

0:02:12.040000 --> 0:02:23.700000
So let's see what that does for us.

0:02:23.700000 --> 0:02:29.560000
So it threw an error.

0:02:29.560000 --> 0:02:31.780000
Carved zero files.

0:02:31.780000 --> 0:02:36.080000
It looks like it opened up the evidence file.

0:02:36.080000 --> 0:02:44.200000
Okay. But it tells me the configuration file didn't specify any file types

0:02:44.200000 --> 0:02:49.100000
to carve. So what that tells me is that there's something I got to do

0:02:49.100000 --> 0:02:50.520000
to make this work.

0:02:50.520000 --> 0:02:52.020000
And the last line is the key.

0:02:52.020000 --> 0:02:56.020000
It says /etc/scalpel/scalpel.conf.

0:02:56.020000 --> 0:03:02.220000
So it's telling me I'm going to have to uncomment some of the file types.

0:03:02.220000 --> 0:03:05.060000
So let's go check that out.

0:03:05.060000 --> 0:03:10.000000
You can always use the text editor of your choice.

0:03:10.000000 --> 0:03:12.700000
I'm going to use vi.

0:03:12.700000 --> 0:03:18.120000
So do that. And then because we like to be efficient, I'm just going to

0:03:18.120000 --> 0:03:23.680000
copy and paste that right down there.

0:03:23.680000 --> 0:03:32.400000
Okay. Okay. We have our configuration file.

0:03:32.400000 --> 0:03:37.060000
So we know we have to uncomment it.
0:03:37.060000 --> 0:03:39.960000
So when I look through here, I see all these pound signs.

0:03:39.960000 --> 0:03:42.840000
I think all these pound signs are my comments.

0:03:42.840000 --> 0:03:45.600000
See some extensions.

0:03:45.600000 --> 0:03:49.460000
AOL files, GIF files, PNGs.

0:03:49.460000 --> 0:03:51.060000
And then I see how they're commented out here.

0:03:51.060000 --> 0:03:54.180000
So I want to find PDFs and then uncomment that.

0:03:54.180000 --> 0:03:57.200000
Let's get down to a CPDF.

0:03:57.200000 --> 0:04:00.440000
A WPDF. There we go.

0:04:00.440000 --> 0:04:08.300000
So I'm going to delete the comment file, delete the comment, delete the

0:04:08.300000 --> 0:04:15.320000
comment. And then over here, what I have are the file signatures that

0:04:15.320000 --> 0:04:18.680000
identify the headers and footers of a PDF file.

0:04:18.680000 --> 0:04:24.880000
So if I input these parameters into scalpel, it can look through a disk

0:04:24.880000 --> 0:04:32.440000
and it can parse for those identifiers and then it can pull and even reassemble

0:04:32.440000 --> 0:04:37.040000
a file back. This could be a quick formatted hard disk.

0:04:37.040000 --> 0:04:40.520000
It could be where a file is deleted or it could be from a corrupt file

0:04:40.520000 --> 0:04:42.940000
system or it could be a regular file system.

0:04:42.940000 --> 0:04:46.560000
It's going to parse through the bits and bytes for those file signatures

0:04:46.560000 --> 0:04:50.420000
and then it's going to pull that out of the image.

0:04:50.420000 --> 0:04:54.140000
So let's go ahead and save this.

0:04:54.140000 --> 0:05:13.780000
So let's go ahead and save this and quit and see what we can do.

0:05:13.780000 --> 0:05:19.340000
So one thing that we notice is that we created that output folder, even

0:05:19.340000 --> 0:05:23.000000
though scalpel didn't run, it created that folder.

0:05:23.000000 --> 0:05:24.620000
So we want to remove that folder.
0:05:24.620000 --> 0:05:30.720000
So just a simple Linux command.

0:05:30.720000 --> 0:05:35.480000
rm -r for recursive, -f for force, and then output.

0:05:35.480000 --> 0:05:41.020000
Okay. And it's going to remove the output directory and any subdirectories

0:05:41.020000 --> 0:05:43.060000
and files created in there.

0:05:43.060000 --> 0:05:49.460000
So that's done. Let's try and run scalpel again, just how we did before.

0:05:49.460000 --> 0:05:51.160000
Let's see what happens.

0:05:51.160000 --> 0:05:54.860000
Oh, I see good progress.

0:05:54.860000 --> 0:06:02.640000
So from here, I can tell that we carved out one file with the right, with

0:06:02.640000 --> 0:06:07.820000
the PDF header. And no errors.

0:06:07.820000 --> 0:06:08.700000
Everything looks good.

0:06:08.700000 --> 0:06:10.160000
It only took three seconds.

0:06:10.160000 --> 0:06:13.260000
But again, this is a small file.

0:06:13.260000 --> 0:06:20.420000
Okay. So let's retrieve the flag.

0:06:20.420000 --> 0:06:28.100000
Let's have a look at what we got.

0:06:28.100000 --> 0:06:37.700000
So we see audit.txt is a folder and we see the pdf-1-0 is a folder.

0:06:37.700000 --> 0:06:40.680000
So let's just have a look at audit.txt.

0:06:40.680000 --> 0:06:42.720000
Let's do what it says.

0:06:42.720000 --> 0:06:44.440000
So there's the file we carved out.

0:06:44.440000 --> 0:06:48.760000
So I know that I'm looking for what is that?

0:06:48.760000 --> 0:06:53.340000
8 zeros.pdf. And it looks like it was successfully carved out.

0:06:53.340000 --> 0:06:56.220000
We've got the file size and the image that it was extracted from.

0:06:56.220000 --> 0:07:00.200000
This is great stuff to put in your notes and it's great stuff to include

0:07:00.200000 --> 0:07:03.040000
in your forensic reporting later on.

0:07:03.040000 --> 0:07:06.340000
Okay. So we know that we need to go check out this PDF.

0:07:06.340000 --> 0:07:08.160000
So cd space pdf.
0:07:08.160000 --> 0:07:14.000000
Let's have a look one more time in there.

0:07:14.000000 --> 0:07:16.300000
There's our PDF file.

0:07:16.300000 --> 0:07:19.280000
Okay. So what do we do from here?

0:07:19.280000 --> 0:07:25.640000
We are in a CLI environment, not really in the appropriate place to open

0:07:25.640000 --> 0:07:29.760000
up Acrobat Reader or another tool and open up a PDF file.

0:07:29.760000 --> 0:07:41.600000
So what we can do for these purposes is we can convert this to a txt file.

0:07:41.600000 --> 0:07:45.640000
And before we do that though, let's take a hash of this just to make sure

0:07:45.640000 --> 0:07:52.900000
that we have this evidence file that we've extracted, hashed out and part

0:07:52.900000 --> 0:07:54.140000
of our chain of custody.

0:07:54.140000 --> 0:07:55.440000
So there's our hash.

0:07:55.440000 --> 0:07:58.020000
Okay. So now let's do that pdftotext.

0:07:58.020000 --> 0:08:01.820000
We're going to type in pdftotext.

0:08:01.820000 --> 0:08:05.800000
What I really love about Linux is there seems like there's a tool for

0:08:05.800000 --> 0:08:11.800000
everything. So 1 0, there's our PDF file done.

0:08:11.800000 --> 0:08:14.160000
We're going to specify output.

0:08:14.160000 --> 0:08:15.820000
I know our direction type in output.

0:08:15.820000 --> 0:08:23.160000
I'm going to say output.txt just so I know and that's a personal preference.

0:08:23.160000 --> 0:08:27.560000
So I know and then anybody else would know that this is a text file.

0:08:27.560000 --> 0:08:30.340000
Hit enter. All right.

0:08:30.340000 --> 0:08:31.880000
So we'll see if this works.

0:08:31.880000 --> 0:08:38.260000
I should just be able to display the contents and get a flag.

0:08:38.260000 --> 0:08:39.360000
There's our flag.