WEBVTT

0:00:09.560000 --> 0:00:13.240000
So in this scenario, we're still going to be investigating this thumb

0:00:13.240000 --> 0:00:17.480000
drive. However, our analysis has changed a little bit.

0:00:17.480000 --> 0:00:22.760000
And so now we're being asked to search for any activity related to a user

0:00:22.760000 --> 0:00:30.520000
called evil. And we're also going to need to search for the user's email,

0:00:30.520000 --> 0:00:34.720000
which is evil@attacker.co.uk.

0:00:34.720000 --> 0:00:38.140000
And we want to find any attached or associated evidence, such as a telephone

0:00:38.140000 --> 0:00:39.580000
number in there.

0:00:39.580000 --> 0:00:43.540000
We're still going to be working with the evidence.img, and it's going

0:00:43.540000 --> 0:00:47.040000
to be located in the default login directory.

0:00:47.040000 --> 0:00:53.600000
Let's talk about this for a minute, because the carving tools we've been

0:00:53.600000 --> 0:00:57.780000
using don't necessarily cover that particular situation.

0:00:57.780000 --> 0:01:02.840000
What we're trying to do now is, instead of pulling files out or carving

0:01:02.840000 --> 0:01:07.040000
them, we're actually trying to carve for information.

0:01:07.040000 --> 0:01:12.500000
There is a really, really excellent tool called Bulk Extractor out there.

0:01:12.500000 --> 0:01:19.840000
And what that tool will do is not only will it look for files and directories,

0:01:19.840000 --> 0:01:24.440000
it will also look for strings and information.

0:01:24.440000 --> 0:01:29.140000
And it does what we call a very rapid triage for this.

0:01:29.140000 --> 0:01:33.400000
So it doesn't take the amount of time that it would take to fully process

0:01:33.400000 --> 0:01:39.160000
an image. So let's go ahead and get started.

0:01:39.160000 --> 0:01:44.120000
So as usual, we always, always, always are going to do that

0:01:44.120000 --> 0:01:45.820000
hash check, right?

0:01:45.820000 --> 0:01:48.140000
So ls, we're going to see our evidence.

0:01:48.140000 --> 0:01:50.040000
We have evidence.img there.

0:01:50.040000 --> 0:01:53.940000
We want to go ahead and hash that.

0:01:53.940000 --> 0:01:56.740000
We're just going to do it in md5sum, but you can do the other ones

0:01:56.740000 --> 0:02:01.720000
too, if you like. md5sum evidence.img.

0:02:01.720000 --> 0:02:07.160000
And for this one, I'm actually going to redirect it to a hash.txt file.

0:02:07.160000 --> 0:02:12.820000
And you'll see why a little bit later on.

0:02:12.820000 --> 0:02:20.240000
Just see what we got here.

0:02:20.240000 --> 0:02:24.060000
Okay, there's my hash.

0:02:24.060000 --> 0:02:27.880000
We'll go ahead and clear this up so we can see the screen.

0:02:27.880000 --> 0:02:30.100000
So now we want to run Bulk Extractor.

0:02:30.100000 --> 0:02:35.520000
This is a very simple command to run.

0:02:35.520000 --> 0:02:41.840000
We're basically going to run Bulk Extractor and type in bulk and tab through

0:02:41.840000 --> 0:02:43.920000
there and you get the rest of it.

0:02:43.920000 --> 0:02:48.480000
We want to run it against evidence.img.

0:02:48.480000 --> 0:02:54.460000
And then we want to say -o, which is going to output it to whatever directory

0:02:54.460000 --> 0:02:58.940000
we tell it to. In this case, we're going to use a folder called output.

0:02:58.940000 --> 0:03:03.200000
Give it an enter.

0:03:03.200000 --> 0:03:08.980000
This is going to take a little bit to do.

0:03:08.980000 --> 0:03:12.340000
Notice that we're using 48 threads.

0:03:12.340000 --> 0:03:17.960000
So it will take advantage of all of the CPU threads you throw at it.

0:03:17.960000 --> 0:03:20.800000
This is really great to run in Amazon Web Services.

0:03:20.800000 --> 0:03:22.000000
You can spin something up.

0:03:22.000000 --> 0:03:23.080000
You can run this on it.

0:03:23.080000 --> 0:03:25.880000
You can get your output out and you can spin it back down.

0:03:25.880000 --> 0:03:28.920000
So we can do a very rapid analysis with this tool.

0:03:28.920000 --> 0:03:33.600000
One of the benefits of it is that it is multi-threaded.

0:03:33.600000 --> 0:03:37.320000
Not a lot of forensic tools are actually multi-threaded.

0:03:37.320000 --> 0:03:38.740000
So we're done reading.

0:03:38.740000 --> 0:03:41.660000
Now we have to process the results here.

0:03:41.660000 --> 0:03:45.080000
So that was about 13 seconds to process about a gigabyte.

0:03:45.080000 --> 0:03:46.980000
So keep that in mind.

0:03:46.980000 --> 0:03:51.800000
While it's very fast, it still can take 30 to 45 minutes to process something

0:03:51.800000 --> 0:03:57.900000
in the 100 to 1 terabyte sizes.

0:03:57.900000 --> 0:03:59.380000
So we're all done.

0:03:59.380000 --> 0:04:02.600000
Okay. So we have the reading.

0:04:02.600000 --> 0:04:04.560000
We have the processing further down.

0:04:04.560000 --> 0:04:09.700000
We see that we finished everything with no errors.

0:04:09.700000 --> 0:04:14.960000
It gives us some recommendations saying that if we ran this on, say, an

0:04:14.960000 --> 0:04:21.940000
IOP-optimized Amazon instance or an IOP-optimized physical system,

0:04:21.940000 --> 0:04:23.740000
we would get better performance.

0:04:23.740000 --> 0:04:27.380000
So we have to think about that when we do our digital forensics analysis.

0:04:27.380000 --> 0:04:29.400000
Okay. And look right under that.

0:04:29.400000 --> 0:04:35.120000
This tool automatically took an MD5 sum of the image and it displayed

0:04:35.120000 --> 0:04:40.100000
it back to us. So when I see that, I can now just have a look at what

0:04:40.100000 --> 0:04:43.780000
my image is. And I see this is the same.

0:04:43.780000 --> 0:04:44.940000
It hash checked.

0:04:44.940000 --> 0:04:51.420000
So we can go ahead and notate all of that in our logs, our notes.

0:04:51.420000 --> 0:04:54.820000
I mean, so we can have a look at overall performance too.

0:04:54.820000 --> 0:05:00.160000
We processed it at about 22 megabytes per second.

0:05:00.160000 --> 0:05:03.540000
So that can give you a good estimate of how long it would take to run

0:05:03.540000 --> 0:05:09.240000
a larger case. So what's next?

0:05:09.240000 --> 0:05:12.280000
We need to move up into the output folder.

0:05:12.280000 --> 0:05:21.700000
All right. Let's see what we got.

0:05:21.700000 --> 0:05:23.680000
Let's see what our output is in here.

0:05:23.680000 --> 0:05:26.020000
What does it look like?

0:05:26.020000 --> 0:05:29.300000
Oh, that's a lot of stuff.

0:05:29.300000 --> 0:05:32.640000
There you go. You can see it all that way.

0:05:32.640000 --> 0:05:34.120000
That is a lot of stuff.

0:05:34.120000 --> 0:05:42.180000
So our goal is to search for a user and an email address and a phone number

0:05:42.180000 --> 0:05:43.500000
and all of this.

0:05:43.500000 --> 0:05:47.960000
I can cat each one of these files on their own.

0:05:47.960000 --> 0:05:53.020000
I can load them up in a spreadsheet and search through each one of them.

0:05:53.020000 --> 0:05:57.820000
As you can see, there's one, two, three, four text files that deal with

0:05:57.820000 --> 0:06:02.420000
email. And there's several that deal with phone numbers too.

0:06:02.420000 --> 0:06:06.720000
But what I could do, since, again, I'm rapidly triaging.

0:06:06.720000 --> 0:06:12.260000
The point of Bulk Extractor is really to see if the evidence is worth

0:06:12.260000 --> 0:06:14.180000
fully processing.

0:06:14.180000 --> 0:06:18.660000
Is there any type of evidence that I need on this image?

0:06:18.660000 --> 0:06:22.980000
I don't know. This is going to take me a lot of time to go through.

0:06:22.980000 --> 0:06:29.080000
One really fun trick to do is to just grep all of this.

0:06:29.080000 --> 0:06:33.180000
That's a regular expression search and string matching.

0:06:33.180000 --> 0:06:35.780000
We're not going to do any regular expressions, but we are going to give

0:06:35.780000 --> 0:06:41.840000
it a string. So we know that one of the key requirements is to find the

0:06:41.840000 --> 0:06:44.740000
evil@attacker.co.uk.

0:06:44.740000 --> 0:06:47.540000
So let's just grep for that and see what we get.

0:06:47.540000 --> 0:07:02.600000
Here's my string.

0:07:02.600000 --> 0:07:08.520000
Just verify what I typed in there, because it is quite normal for myself

0:07:08.520000 --> 0:07:11.480000
and all of us to mistype stuff.

0:07:11.480000 --> 0:07:15.800000
And we just want to make sure that we get it right.

0:07:15.800000 --> 0:07:19.360000
evil at a-t-t-a-c-k-e-r dot co dot uk.

0:07:19.360000 --> 0:07:24.780000
Looks good. The dot here says search this entire directory.

0:07:24.780000 --> 0:07:28.740000
And I'm going to add in a little bit of extra flavor here.

0:07:28.740000 --> 0:07:31.740000
--color.

0:07:31.740000 --> 0:07:39.820000
And what that should do is highlight in red any entries that match my search

0:07:39.820000 --> 0:07:44.720000
string. So let's see what we get.

0:07:44.720000 --> 0:07:46.740000
Pretty fast, huh?

0:07:46.740000 --> 0:07:50.900000
Okay. So what we have is we have three files that have evil@attacker

0:07:50.900000 --> 0:07:55.340000
.co.uk in there. We've got that highlighted in red.

0:07:55.340000 --> 0:08:00.600000
We have email.txt, domain.txt, and email_histogram.txt.

0:08:00.600000 --> 0:08:08.620000
So we definitely have email traffic from evil@attacker.co.uk.

0:08:08.620000 --> 0:08:12.600000
And we have at the end what looks to me like a telephone number.

0:08:12.600000 --> 0:08:18.560000
And we have exactly the same thing in domain.txt and the same thing

0:08:18.560000 --> 0:08:21.880000
in the email histogram.

0:08:21.880000 --> 0:08:27.040000
So what I'm reading about this is that we have evidence that one email

0:08:27.040000 --> 0:08:38.880000
is in this image from the left.

0:08:38.880000 --> 0:08:43.880000
So we have met our requirements, our scope for this lab.