Welcome back everyone. Today I'm going to talk about how to extract data from an E01 disk image and feed that data directly into hfind, or a hash database, without saving the file. So without doing file extraction per se, or rather without saving the file data, I'm going to just extract the file's data, send that to md5sum in this case, and then send the hash value we get into hfind and check if it's actually in the database.

I already have my test disk image, test.E01. I've already copied everything, and it basically has a copy of the files that you see on my desktop here. I just copied them onto a USB stick and made a disk image. I also already have coreutils installed. Coreutils, as you might know from a previous video, gives me the basic utilities that you would find in Linux, the GNU utilities. For example, md5sum is not usually in Windows, but now I can use md5sum. So let's check that we have it. Okay, we get the help menu, so I can see that I do have md5sum installed. I've also installed the newest version of The Sleuth Kit, which in this case I think is 4.6.0. If I run hfind, which is the Sleuth Kit utility we want to use, with hfind -V, we can see the version number: Sleuth Kit version 4.6.0. So we have hfind, or The Sleuth Kit, installed in Windows, and we have coreutils also installed in Windows, and those make it very easy to do different tasks. On my desktop, if I run dir, I can see that I have my test.E01 file. This is an Expert Witness Format file, and we have access to it.
So let's start to analyze this file. The first thing I need to do is find out what partitions are available in this test.E01 file. I can use the Sleuth Kit command mmls, then test.E01, and that should tell me the partition table:

mmls test.E01

When I run that we see a couple of different things, but I can already tell the most interesting is probably going to be this Win95 FAT32 partition. I can see the start of the partition is offset 128 and the end is 4130943 (mmls reports these in sectors, and the -o offset the other tools take is in the same unit). This is the biggest partition I see, and it looks like it's the only one with a file system, so I'm probably interested in this partition if I want to access all of the data that was in the file system. There is some unallocated space before and after the partition, but it doesn't look very big. I might want to check it for hidden data or something like that, but in this case I'm mostly interested in the partition with the file system on it. What I need to get is the actual starting offset, so 128. That's the important number I need to remember.

Next I want to see whether there are files in that partition and what the files are, so I can use the Sleuth Kit command fls and give it the offset, which is -o. I'll bring up the help menu here just to give a reference: -o is the image offset I want to look at, in this case where the partition I'm going to be analyzing starts, so -o offset and then the image file itself. If I do that I should at least see some file system data. So let's try:

fls -o 128 test.E01

My offset was 128; your offset might be different, and my image is test.E01. If I run that I can see we have a couple of different things here, but basically r/r is a regular file and d/d is a directory.
So we have the System Volume Information directory, which is pretty standard for Windows, and then I have these regular files. Most of them, like I said, are from the desktop: they are links and PDFs and one executable. Most of these are link files. Okay, so now we're able to get some information from fls: first the file name, and this number is the inode address that fls is showing us, basically the address of the file's metadata entry, which in turn points to where the data actually is.

We can extract data in two ways. The first way is using a tool called fcat, which is also part of The Sleuth Kit. I can run fcat, and I'll bring up the help menu. fcat basically lets you extract the data for a file from the disk image; remember, this is all about the disk image. So I run fcat, and I still need to give it the offset just like before, which was 128 for our partition, and then, skipping ahead a bit, I have the file path and the image. Our file path is relative to the root of the file system, and there is no special path here, so our file path is just the name of the file. For example, I'll try this WinHex.lnk file. Was that a capital H? WinHex.lnk, and then the name of our disk image. So I have fcat, -o 128 is the offset to the partition we're interested in, WinHex.lnk is the file name we're interested in, and then test.E01:

fcat -o 128 WinHex.lnk test.E01

Basically I'm saying find this file and get all of that file's data, and if we just hit Enter it will print that data to the screen. We're not actually doing anything with it. Okay, so after Enter I can see the file's original data. Now we actually want to do something with that data.
Actually, while I'm here I'll mention something very quickly. fcat has this -s switch, and the -s switch displays slack space at the end of the file. Slack space is not displayed by default; we're only getting the file data, but we could display slack space, and sometimes that's very interesting. I'll show you why that's important in a second. So just remember, slack space is not being shown right now, and we'll come back to that.

What I really want to do is hash all of this raw data for the WinHex.lnk file. Since I'm already extracting the data directly with fcat -o 128 (my offset) WinHex.lnk test.E01, I can just pipe that. On my keyboard the pipe is Shift plus the key right above the Enter key; it looks like a vertical bar. It's not a one. Sometimes you find it to the left of the one on the keyboard, sometimes above the Enter key, but it's a very specific character called a pipe, so I hope you can find it on your keyboard. So I have fcat getting all of the file's data, and I'm piping that into one of the core utilities I've installed, md5sum:

fcat -o 128 WinHex.lnk test.E01 | md5sum

If I run this command I get the hash value, and this star-dash (*-) means it was piped in, so this is data that was piped into md5sum. So what this is doing is taking the file's data, piping it into md5sum, and producing the hash output. Notice our hash value, 07409...; that's something we need to remember. What I want to do now is show you a slightly different way. So far we were using fcat with the file name.
I'm going to use icat, which is basically cat for inodes, to get the file data using the inode. icat and fcat work very similarly, just a little bit differently, and I tend to use icat more than fcat. What I need to do first is go back to my fls command and show all of the files. Now what I want to do is get the inode address, and you can see the inode address right after the type. Then I can start to build my icat command. icat works pretty much the same way; if I bring up the help, I'm going to get the data for this MD red file, inode number 10. icat is asking for the image offset, so we have to give it the offset again, which is 128, then the image, test.E01, and then the inode number; the inode number goes after the image in this case, so 10:

icat -o 128 test.E01 10

If I run this, the data is going to come directly to the command prompt, so let's run that, and there's all of my data coming through the command prompt. Let's close that. What I actually want to do, just like with fcat, is pipe this data into md5sum. This was a PDF file, so I'm extracting all the data for the PDF file and piping it directly into md5sum, and we get obviously a different hash because it's different data. Let me go back to fls: we had this WinHex.lnk and it is inode 21. So instead of inode 10, let's do inode 21:

icat -o 128 test.E01 21 | md5sum

Then we get this 0749409... hash value, which looks about the same. Just to confirm, let's go back to fcat with md5sum. Okay, so we're at least extracting the data from the same place, right?
So we're actually getting the data from the disk image correctly whether we use icat or fcat. But is this the same as the original file? Well, I have WinHex.lnk, the original file, on my desktop; it's this link file right here. So I can just run md5sum WinHex.lnk. This is coming from my desktop, not from the image file, and we get 0749... So I'm actually extracting the correct data from the disk image whether I'm using icat or fcat.

That's basically what I wanted to show: you can use icat with the offset, the disk image and the inode to extract the data directly and feed that data directly into md5sum. Notice I haven't saved the data anywhere; I'm just extracting it directly in memory and hashing it. And the same for fcat, which does basically the same thing, except that instead of the inode I'm using the file name or file path, and piping that all into md5sum. I get the same hash value as if I was just hashing the original file, except it's coming from the suspect disk image.

The next thing I want to talk about is that -s switch. Let's go back to fcat. If I add -s, then I am including slack space for the file:

fcat -s -o 128 WinHex.lnk test.E01 | md5sum

If I'm including slack space for the file then I should get a little bit more data, which means my hash value should be different. If I hit Enter, yep, we get this aecc... instead of 07409..., so I get a different hash value when I include slack space. That's because the slack space in the file system was actually preserved when I made the copy, and there was some slack available.
So just be aware that if you're reading an inode, let's say if you're reading all of the data manually, then you might include slack space and not know it, and if you do then you'll get a different hash value. You have to get only the data that belongs directly to the file, not slack space. Each tool will do this a little bit differently, so be aware whether the tool is including slack space or not when it hashes files.

The next thing: we have the hash value, right? But I actually want to check this against my database. Let's say that I have a hash database; actually, let's go ahead and create a hash database. I have some files on my desktop, so let's say I want to use MD red. I'm going to run md5sum on the MD red guide, and that will give me a hash value, but what I actually want is to save this into hash.db, so I redirect the md5sum output with > into hash.db. So now I have this hash.db file, and this is going to be my database. I have hfind installed and I need to use hfind to create an index for the hash database, so I need -i for index, then the type of index, md5sum, and then the hash file, or hash database, itself, which is called hash.db:

hfind -i md5sum hash.db

That should create an index for the hash database I just created: "index created", and here we go. So now we have our index files, this one too. Now I can try to check whether my hash value is actually in that hash database. Here we have our fcat -s; let me remove the -s. Actually, let me do the icat: icat -o 128 test.E01 21. So we're extracting the WinHex.lnk data and feeding it into md5sum. Now this isn't very good because I get not only the hash.
I also get this extra little text here, so I need to cut this. cut is another core utility, so I can use cut -d, which is the delimiter; I need to use double quotes with a space, and -f1. -d is the delimiter where we cut; here I'm saying a space, so cut at the space, which would be this space here, and then -f is the field we want, the first field. So basically cut at the space and give me the first field:

icat -o 128 test.E01 21 | md5sum | cut -d " " -f1

If I run this I should just get the hash value. So now I've removed the extra field. From here, what we can do is feed this, or pipe this, directly into hfind with the database name, hash.db:

icat -o 128 test.E01 21 | md5sum | cut -d " " -f1 | hfind hash.db

If I run this: hash not found. Well, why is the hash not found? Because we just fed in 21, which was WinHex.lnk. So let's find, using fls, the MD red or MD next, I don't remember which; let's do both of them. It was either the MD red or the MD next guide, so it's either 10 or 14. Let's check. Again we have icat -o 128 (the offset is 128), and I want to check inode 10, get that data, feed it into md5sum, get only the first part, the hash value, and feed that into hfind with hash.db. If I run that, hash not found, so I guess it was 14. Aha, okay. So the actual file was MD next, at inode 14. We extracted the data directly from the test.E01 file, fed it into md5sum, made sure we only got the hash value, and ran hfind hash.db directly.

So if you wanted to run a script, and I'll probably show this later, the script would just loop over all of the inodes, extract the data and run that again through hfind. Remember, we haven't actually extracted, or rather we haven't saved, any of the file data. This is all happening in memory. We're not writing anything to the disk; we're just reading from the disk.
Right now I'm just using fls -o 128, but I can also run fls recursively and list all of the files. What I would do is go through all of the regular files, get the inode number of each file, hash it and feed that into the hash database, and that could be a pretty quick and easy script to write. So that's a little bit today about extracting data directly from a disk image using The Sleuth Kit and checking that data against a hash database without saving the file. That's it for today. Thank you very much.
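The loop sketched above, written out as an added example; it is not code from the video. It assumes the same names the video uses (test.E01, partition offset 128, hash.db), overridable through environment variables, and that fls, icat, md5sum, cut and hfind are on the PATH. It goes slightly beyond the single-directory listing shown: fls is run with -r (recurse) and -p (full paths) so nested files are covered, entries fls marks as deleted with * are skipped because their data blocks may already be reused, and only file data, not slack, is hashed (icat -s would add the slack and change the hash, as shown with fcat -s).

```bash
#!/usr/bin/env bash
# Added example, not from the video: hash every allocated regular file inside
# one partition of an E01 straight out of the image and look each hash up in an
# hfind database, without ever saving the file contents to disk.
# Assumed names (override via the environment): test.E01, offset 128, hash.db.
set -euo pipefail

IMAGE="${IMAGE:-test.E01}"     # assumed image name, as in the video
OFFSET="${OFFSET:-128}"        # partition start in sectors, taken from mmls
HASHDB="${HASHDB:-hash.db}"    # md5sum-format hash list, indexed with hfind -i

# Build the hash database from known-good/known-bad files and index it.
# Usage: build_hashdb file1 [file2 ...]
build_hashdb() {
  md5sum "$@" > "$HASHDB"
  hfind -i md5sum "$HASHDB"
}

# Reduce md5sum's "<hash>  -" (or "<hash> *-" on Windows) to the bare hash.
hash_stream() {
  md5sum | cut -d ' ' -f1
}

# Keep only allocated regular files from `fls -r -p` output and print
# "<inode><TAB><path>" per file. Lines look like:
#   r/r 21:<TAB>WinHex.lnk                 (allocated file: kept)
#   + r/r 37-128-3:<TAB>dir/file.pdf       (nested, NTFS-style address: kept)
#   r/r * 22:<TAB>deleted.txt              (deleted, '*' before address: skipped)
#   d/d 5:<TAB>System Volume Information   (directory: skipped)
fls_regular_entries() {
  awk -F '\t' '
    {
      n = split($1, f, " ")          # f[n] is "<inode>:", f[n-1] is the type or "*"
      if (n < 2 || f[n-1] != "r/r") next
      sub(/:$/, "", f[n])
      print f[n] "\t" $2
    }'
}

# Hash one inode's file data (no slack; only add -s to icat if you want slack).
hash_inode() {
  icat -o "$OFFSET" "$IMAGE" "$1" | hash_stream
}

# Look one hash up; prints hfind's own answer line ("<hash> Hash Not Found"
# or "<hash> <name from the database>").
lookup_hash() {
  hfind "$HASHDB" "$1"
}

# Walk the partition: for every allocated regular file print inode, path and
# the hfind verdict. Nothing is written to disk; icat output is piped straight
# into md5sum.
scan_image() {
  fls -o "$OFFSET" -r -p "$IMAGE" | fls_regular_entries |
  while IFS=$'\t' read -r inode path; do
    h=$(hash_inode "$inode")
    printf '%s\t%s\t%s\n' "$inode" "$path" "$(lookup_hash "$h")"
  done
}

# Run as: ./hashscan.sh scan    (after build_hashdb has produced hash.db)
if [ "${1:-}" = "scan" ]; then
  scan_image
fi
```

The parser keys on the r/r type field rather than on a fixed column so it works for both FAT-style addresses (21) and NTFS-style ones (37-128-3); if you also want deleted files hashed, drop the f[n-1] check and pass the inode through, but treat those hashes as hints only.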