👀 Enjoying this video? Watch the full Forensics playlist here! 👇
https://www.youtube.com/playlist?list=PLbLfGhJtu3KmxcYiqGXTlgXOQC949wCDb

🔍 In this video, we continue exploring digital forensics using Kali Linux to analyze an NTFS image, the file system commonly used by Windows. We begin by downloading an image file from Linuxleo.com and verifying its integrity with a SHA-256 hash. After extracting the archive, we look at Alternate Data Streams (ADS) in NTFS, which let a single file carry multiple named streams of data. We mount the image and search the file system, focusing on one interesting file, Jet.MPG, which turns out to be a video with a hidden text file in its alternate data stream. Using tools from The Sleuth Kit, we analyze the image without mounting it and recover the hidden text file containing hacker-related information. This video highlights the power of forensic tools in Kali Linux and the importance of understanding NTFS's hidden capabilities for real-world investigations.
🌐 Github ▸ https://github.com/DouglasFreshHabian
𓃥 Sleuth Kit ▸ https://sleuthkit.org
👮 Linux LEO ▸ https://linuxleo.com
📂 NTFS Disk Image ▸ https://linuxleo.com/Files/NTFS_Pract_2017_E01.tar.gz

📝 Commands
sudo apt install ewf-tools
sudo apt install mplayer
ewfmount NTFS_Pract_2017.E01 /mnt/ewf    # exposes the E01 as a raw image at /mnt/ewf/ewf1
mmls NTFS_Pract_2017.E01                 # partition layout; the NTFS volume starts at sector 2048
mount -o ro,loop,offset=$((2048*512)) /mnt/ewf/ewf1 /mnt/evidence
find /mnt/evidence -type f
find /mnt/evidence -type f | grep "AlbertE/Pictures"
fls -o 2048 -Fr NTFS_Pract_2017.E01 | grep -i jet.mpg
icat -o 2048 NTFS_Pract_2017.E01 39-128-3 | file -    # 39-128-3 = MFT entry 39, $DATA attribute (128), id 3: the ADS
icat -o 2048 NTFS_Pract_2017.E01 39-128-3 | less
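To show what fls and icat are reading when they name a stream 39-128-3, here is an added example (not code from the video or from Linux LEO) that constructs a minimal NTFS MFT record in memory with two $DATA attributes and walks its attribute list the way a forensic parser does, producing TSK-style entry-128-id identifiers. The entry number 39, the stream name hidden.txt and the stream contents are assumed sample values, and update-sequence fixups are omitted because the record never touches a disk.

```python
import struct

ATTR_DATA = 0x80          # $DATA attribute type: the "128" in a TSK id such as 39-128-3
ATTR_END = 0xFFFFFFFF     # end-of-attribute-list marker

def build_resident_attr(attr_type, attr_id, name, content):
    """Construct a resident NTFS attribute record (constructed sample data, not a real disk)."""
    name_bytes = name.encode("utf-16-le")
    name_off = 0x18                                   # resident attribute header is 24 bytes
    content_off = (name_off + len(name_bytes) + 7) & ~7
    total = (content_off + len(content) + 7) & ~7
    rec = bytearray(total)
    struct.pack_into("<IIBBHHH", rec, 0, attr_type, total, 0, len(name), name_off, 0, attr_id)
    struct.pack_into("<IH", rec, 0x10, len(content), content_off)
    rec[name_off:name_off + len(name_bytes)] = name_bytes
    rec[content_off:content_off + len(content)] = content
    return bytes(rec)

def build_mft_record(attrs):
    """Construct a minimal 1024-byte MFT FILE record; update-sequence fixups are omitted."""
    first_attr_off = 0x38
    body = b"".join(attrs) + struct.pack("<I", ATTR_END) + b"\x00" * 4
    hdr = bytearray(b"FILE").ljust(first_attr_off, b"\x00")
    struct.pack_into("<H", hdr, 0x14, first_attr_off)                    # first attribute offset
    struct.pack_into("<II", hdr, 0x18, first_attr_off + len(body), 1024)  # used / allocated size
    return (bytes(hdr) + body).ljust(1024, b"\x00")

def list_data_streams(record, entry):
    """Return (tsk_id, name, content) per $DATA attribute; content is None if non-resident."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]
    streams = []
    while off + 16 <= len(record):
        attr_type, length = struct.unpack_from("<II", record, off)
        if attr_type == ATTR_END or length == 0:
            break
        non_res, name_len, name_off, _flags, attr_id = struct.unpack_from("<BBHHH", record, off + 8)
        if attr_type == ATTR_DATA:
            name = record[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
            clen, coff = struct.unpack_from("<IH", record, off + 0x10) if non_res == 0 else (0, 0)
            content = record[off + coff:off + coff + clen] if non_res == 0 else None
            streams.append((f"{entry}-{ATTR_DATA}-{attr_id}", name or "(unnamed)", content))
        off += length
    return streams
# Constructed sample: MFT entry 39 with its primary (unnamed) stream and one ADS, hidden.txt
SAMPLE_RECORD = build_mft_record([
    build_resident_attr(ATTR_DATA, 2, "", b"\x00\x00\x01\xba"),          # MPEG pack start code
    build_resident_attr(ATTR_DATA, 3, "hidden.txt", b"constructed ADS text"),
])
```

Calling list_data_streams(SAMPLE_RECORD, 39) returns the unnamed stream as 39-128-2 and the ADS as 39-128-3, the same entry-128-id form that fls prints and icat accepts on the real image.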
👉 YouTube Membership: https://www.youtube.com/channel/UC17VZx3ERdQsNvAvXQYjKKw/join
🏬 Fresh Forensics Store: https://t10fpe-zh.myshopify.com

📜 Affiliate Links
Some links are affiliate links, which means I may earn a small commission at no extra cost to you. Thank you for your support!
🎶 Music Credits
🔹 Music is provided by Chosic under the Creative Commons CC BY-SA 3.0 License
📢 Disclaimer
This video is for educational purposes only.
🔑 Timestamps:
00:00 - Introduction
00:10 - Recap Previous Video
01:00 - Overview of Video & NTFS
01:35 - Referencing LinuxLeo & PDF
02:32 - Downloading NTFS Image
03:34 - Hashing Image (sha256sum)
04:17 - Alternate Data Streams (ADS)
05:17 - List & Extract Archive
06:46 - Expert Witness Format
08:32 - Install ewf-tools
09:12 - Identify Partition Layout of Image
10:43 - Switch To Root User
10:53 - Create Mountpoint
11:06 - Mount Image
12:13 - List Files In Image
12:43 - Use Find Command to List Files
13:18 - Filtering For Specific File With Grep
15:15 - Install & Use Mplayer to View Video
16:28 - Unmount Mountpoints
18:14 - Using fls to List Directory & File Names
18:43 - Using mmls to display Partition Layout
19:00 - Examining ADS of File of Interest (fls)
20:45 - Examining Alternate Data Stream (icat)
23:13 - Recap of Video