Digital Forensics with FTK Imager (TryHackMe Advent of Cyber Day 8)

Captions
Let's do some detective work and some digital forensics to try and uncover how one hacker wanted to pull off a malware attack just by plugging in a USB drive. This is today's task from the TryHackMe Advent of Cyber challenge on day 8, December 8th. We're going to dive into some AccessData FTK Imager. So I'll go ahead and scroll down to this challenge in disk forensics, and there's a little bit of the storyline here. I have gone ahead and spun up the virtual machine; I have that connected with the VPN, with the credentials, username and password combination, I can use here. The objectives are to just analyze these digital artifacts and evidence; we'll recover recently deleted digital artifacts and verify the integrity of a drive image, just like this USB drive in part of the action here. This is pretty awesome. They go through a little bit of the storyline, the lore, where our adversary leaves USB drives in the parking lot and the poor innocent victim plugs it in and could very well have been attacked. For the sake of our learning environment we do have this USB drive mounted and accessible for us, but it is in read-only mode. It's trying to replicate that real-world scenario where a physical drive is connected to a write blocker, as you would do for real digital forensics. Now there is a whole lot of text and explanation on how to use AccessData FTK Imager, but personally I want to get our hands dirty, I want to just dive in. So let's go ahead, fire it up and see what tasks we have to complete. At the very bottom here we have our practical exercise: we want to look for the malware command and control server, we want to look for some files inside a deleted zip archive, deleted PNG files, and validate the integrity by determining the SHA-1 hash. So I have started the machine and let's dive in.

Here we are inside of the virtual machine associated with today's task. I am connected via RDP, or that Remote Desktop Protocol, over the VPN, and I've spun up that FTK Imager icon on the desktop. This will take just a moment to start, but then we can dig in. Here we go, User Account Control kicking in; we can select yes and it'll fire it up. I'll go ahead and full screen this and we can move over to that File item in the menu navigation, and let's add an evidence item, which is a physical drive. I'll go ahead and click next, and we want to make sure that we select from the drop-down physical drive number two, as that was what was suggested inside the text article for TryHackMe here. Now we can load this up, and in our evidence tree on that top left we can expand these out, and now we can see all of the files present on the drive. Looks like there's a DO NOT OPEN folder, a password cracking tool, 7-Zip archive. Now unfortunately I can't make the text size any bigger here; connecting over RDP doesn't really allow me to toggle the display settings, but we can see the listing of files present on this USB drive. Looks like there are a couple deleted files; they're marked with this X here. You can see some folders as well as other PNG images, all with an X, that are deleted, but hey, thanks to this forensics toolkit we could try to recover them. Inside this DO NOT OPEN directory, though, I'm a little bit curious about what that is. Oh, and I see some crypto miner prototype Python scripts; we can see the text down below, maybe some hashlib, requests, all some methods and functionality here. But I am a little bit curious about that secret chat text file. Ooh, oh, it looks like this is a chat message back and forth between these actors. They say: hey, you there? Yeah, what's up? Just finalizing the malware C2 setup. The server is good to go at mcgreedy secret c2m. Oh, so there is the answer to the first question: what is the malware command and control server? I will go ahead and copy that domain and we'll go bring that back to TryHackMe to submit it. What is the malware C2 server? Let's just paste that, go ahead and submit, and perfect, that answer is correct.

Now we need to know what file is inside the deleted zip archive. Ooh, we thought we saw one of those earlier. Back inside FTK Imager, I do see that JuicyTomaToy.zip, and I don't think we even need to extract this out, because it gives us the file name here as it's displaying that little preview. We could, if we wanted to, right-click and export that file; that'll allow us to create a copy of it and actually interact with it on our file system, but this might be enough for us: JuicyTomaToy.exe. Let's see, can I try and submit that? JuicyTomaToy.exe, go and click submit. Yes, that's the correct answer. Okay, easy enough.

Next question is a little bit interesting: hey, what flag is hidden in one of the deleted PNG files? Now bear in mind a PNG file is an image, right? It's a picture, so all the contents of the file, the bytes, the hex, whatever data representation you end up looking at that file in, it's all non-printable characters. It's not just plain text like English words and letters that we can read; it's computer speak. So here TryHackMe is really great about this, because you can click on the hints and it'll show you: you know what, if you want to search through the hex or the bytes of the file, you could actually use that Ctrl+F hotkey and then try to look for the flag prefix, or the actual token string that you're looking for, just capital THM for TryHackMe and then that opening curly brace. Let's go see if we can find it. Looking back in AccessData, there is nothing in this DO NOT OPEN directory that is a PNG file, so I'm going to move back up to the root of the USB drive file system, and there were a couple others that we saw. There were some deleted PNG files; here's one, portrait.png. That's going to be displaying it kind of automatically down below. We also see a wallpaper.png; both of those would be worth digging into. Was there anything else? No, I think that's it. So let's go swap this, kind of switch it over to that hex view, and I'm going to click into that area down below where it shows the preview, and let me hit Ctrl+F on my keyboard and let's search for that THM, all caps, and an opening curly brace. I'll go ahead and hit find, and okay, not present in that, apparently. Let's go look in the portrait; we can try that one. I'll click in again and do the exact same steps. Fingers crossed we have a hit. There it is, okay: THM, byte level analysis. Okay, that's a lot of leet speak. Can I copy that out? Kind of, not really. Let me see if I can right-click. Okay, cool, we can copy just the text with Ctrl+C. With that we can go ahead, submit our flag; we'll paste that in here, submit, and correct, another correct answer.

Now the last one, this is super duper simple: hey, we need to verify the integrity of our image. All that really means is like calculating the hash of the file, or checking out the digital fingerprint or the checksum; hey, doing some mathematical calculations and functions to boil down this entire file and all of its bytes and data there into one small little string of hexadecimal values. I'm sure you know all about hashes and checksums, but this is absolutely crucial when you're doing like real-world digital forensics, because say you have literally a piece of evidence, like something under a judicial system that requires going into court and being submitted as evidence. It is absolutely paramount, important that you are working with the correct evidence file, so you always, absolutely, undoubtedly need to check that hash. Thankfully this is super duper easy to do with FTK Imager. All we need to do is go to our physical drive in the evidence tree, right-click and Verify Drive/Image, and it will take a little bit of time, because it's got to crunch the numbers for everything in this file, but it will eventually give us the actual hash, fingerprint and checksum that we need to submit for TryHackMe. All right, it's been about a minute and a half; we were about 90% of the way there, almost done, just about there, at the very end. Look at that, okay, so we have our MD5 hash that's computed and evaluated along with the SHA-1 hash. Now they were asking for the SHA-1 hash, so again we can right-click, copy, paste. I think I might need to Ctrl+C, because I can't seem to right-click here, but that's okay, that should still give us the value. And let's go paste it into TryHackMe: what is the SHA-1 hash of the physical drive and forensic image? Let's paste that in and submit. There we go, that is the correct answer, and we're done.

That's everything that we needed to tactically answer for this challenge, but they note, hey, if you like today's tasks, you have the digital forensic case B4DM755 (bad mess, maybe, that room, or bad miss, I don't know). That room is an excellent overview of the entire digital forensics and incident response process, so worth checking out if you're interested; that is a totally free room. We can go ahead and mark that as complete, and we are done with today's task. I don't know about you, but I am loving the TryHackMe Advent of Cyber thus far. It's always got some, hey, beginner-friendly sort of small stuff to get you crawl, walk, run, and really digging into a lot of these security tasks, and slowly ramping up the difficulty and trajectory, but still showcasing awesome and incredible things in our cybersecurity industry. Thanks so much for watching, hope you enjoyed this video, hope you enjoyed today's task, and I'll see you in the next one for TryHackMe Advent of Cyber. Link in the video description, you should jump into the action. Thanks so much for watching, like, comment, subscribe, see you in the next one.
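The two checks the walkthrough does by hand in FTK Imager, the Ctrl+F search of a deleted PNG's raw bytes for the `THM{` prefix and the MD5/SHA-1 verification of the drive image, as an added Python example that is not part of the video or the TryHackMe room. The sample PNG and its flag are constructed here and stand in for the room's deleted portrait.png; the function names are this example's own.

```python
import hashlib
import io
import struct
import zlib

FLAG_PREFIX = b"THM{"  # the prefix the room's hint tells you to search for

def hash_stream(stream, chunk_size=1024 * 1024):
    """Stream an image through MD5 and SHA-1, the two digests FTK Imager's
    Verify Drive/Image reports, without loading it all into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def hash_bytes(data):
    return hash_stream(io.BytesIO(data))

def verify_image(data, expected_sha1):
    """True if the image's SHA-1 matches the hash recorded at acquisition."""
    stream = io.BytesIO(data) if isinstance(data, bytes) else data
    return hash_stream(stream)["sha1"] == expected_sha1.strip().lower()

def find_flags(data, prefix=FLAG_PREFIX):
    """Every prefix...} token in raw bytes: the hex-view Ctrl+F search, all hits."""
    flags, pos = [], 0
    while (start := data.find(prefix, pos)) != -1:
        end = data.find(b"}", start)
        if end == -1:
            break
        flags.append(data[start:end + 1].decode("ascii", "replace"))
        pos = end + 1
    return flags

def _png_chunk(kind, body):
    """length + type + body + CRC32(type + body), as the PNG format lays out."""
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)

# Constructed sample: a valid 1x1 greyscale PNG with a flag in a tEXt chunk,
# standing in for the deleted portrait.png (this is not the room's file).
SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _png_chunk(b"tEXt", b"Comment\x00THM{constructed_example_flag}")
    + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    + _png_chunk(b"IEND", b"")
)
```

Pass an opened image file to `hash_stream` for a real drive image; `find_flags` can be run over any recovered file's bytes, which also surfaces a flag that sits outside the image data, such as in a text chunk or after IEND.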
Info
Channel: John Hammond
Views: 53,340
Keywords: cybersecurity for beginners, cybersecurity, hacking, ethical hacking, dark web, john hammond, malware, malware analysis, programming, tutorial, python programming, beginners, how-to, education, learn, learn cybersecurity, become a hacker, penetration testing, career, start a career in cybersecurity, how to hack, capture the flag, ctf, zero to hero, cybersecurity for noobs, ethical hacking for noobs, networkchuck, learn to hack, how to do cybersecurity, cybersecurity careers, AoC, christmas
Id: 7wB0HNf1qh4
Length: 9min 3sec (543 seconds)
Published: Fri Dec 08 2023