Welcome back to the computer forensics path, Course 12, Hashing. In this module, Module 3, we're going to talk about hashing files and which tools we can use to do that: tools to hash files, tools to hash files and drives, and which are open source and which are commercial tools.

These are some of the tools we can use to hash files and folders. There's the Zimmerman Hasher, which is open source. The web address is on the screen. There's also Karen's Hasher. The web address is also in the PowerPoint. Now, these are only two examples. There are many tools out there that will hash files.

Now, to hash drives and files, almost all of your commercial tools will hash an entire drive, or individual files, or folders. Open source tools that will hash drives and files are Autopsy and FTK Imager from AccessData. FTK Imager will also allow us to export a hash list, which is a very nice feature. For hashing drives and images, another open source tool would be HDX, or FTK Imager.

We're going to do a walk-through where we're going to need to use the Zimmerman Hasher, which we will download as a group. We're going to use Autopsy. If you did not download Autopsy, the download walk-through for Autopsy is in Course 1, Module 4. We're also going to use FTK Imager. Again, that download walk-through is also in Course 1, Module 4. We're going to use our Windows 10 VMDK. We're going to need a web browser, because we're going to go out and download the NIST software reference library.

Hello, and welcome back to the computer forensics path. In this course, Course 12, we've been talking about hashing and hash values. In this walk-through, we're going to go ahead and use FTK Imager to extract a file. Once we extract that file, we're going to hash it using the Zimmerman Hasher. Then we're going to go to the NIST website, and we're going to download the National Software Reference Library, the NSRL.
We're going to go ahead and open Autopsy, and we're going to create a known good hash database from the NSRL. We're also going to create a known bad, using the file that we're going to extract. With FTK Imager we're going to export it, and then we're going to hash it with the Zimmerman Hasher, and that hash value is going to be our known bad hash value. Let's get started.

If you haven't already done so, please go ahead and launch FTK Imager. Once FTK Imager launches, go to File, and then we're going to add an evidence item. Once you've done that, once you've added your evidence item, we're going to add the Windows 10 VMDK. It's an image file. Next, we're going to browse out to it, and we're going to pick the Windows 10 VMDK. I just click "Open" and it will launch.

Once you've done that, we're going to go to partition 2, we're going to expand the root, we're going to expand Users, we're going to expand Ivan, we're going to expand Downloads, we're going to expand New folder, and we're going to highlight this upx394w. The file we're looking for here is this upx.exe. We're going to go ahead and highlight that and right-click. We're going to click "Export files." Now, you can save this anywhere you'd like. I'm going to go ahead and save it in my Documents. Click "Okay." We can see it exported zero folders and one file, and it tells us how many bytes. Once we've done that, we're all set with FTK Imager. We can go ahead and close FTK Imager.

Now I want to go ahead and open the Zimmerman Hasher. Once we've opened the Zimmerman Hasher, we're going to go to File, and we're going to select our file. We're going to navigate back out to where we saved our file. I know it was in Documents, and I selected the upx.exe. I'm going to click "Open." You can see we're immediately presented with the SHA-1 Base32 and the MD5 hash value of this file. Now we can go ahead and, under Tools, Options, you see you can select different types of hash values.
We could do the SHA-16, the MD4, SHA-256, SHA-512. But we're going to go ahead and copy these values. We're going to copy the MD5 and the SHA-1 hash values out to a Notepad document. We're going to go to File, Save results, To text. Then it's going to ask you where you want to save them. You can go ahead and save them wherever you like. I am going to go ahead and put mine in Documents again. I'm going to click "Okay." Results have been saved successfully, and it names them with the date, and it just names them HashResults.txt. I'm going to go ahead and navigate out to that file, HashResults.txt. We can see it right here with the date. Double-click on it to open it. You can see it gives you the path, and it's giving you your SHA-1 and MD5 hashes. It saves it out in a file for us. This is the SHA-1 hash value right here, and this is the MD5 hash value. We can go ahead and close Hasher at this point.

Now, let's navigate out to the NIST software library. Once we're here, you can see it explains what NIST is and what it does. We want to go to the NSRL downloads. We want the current hash sets. We want the modern RDS minimal. We can go ahead and save that. I'm going to save that in my Downloads. It's going to download. Once it downloads, I'm going to use 7-Zip to extract it.

There are several different hash sets here. The full download comes in an ISO file. It's going to be between 500 megabytes and almost four gigabytes in size. It will take a long time to download. You don't really need that. But if you want to download that on your own, you can do that. For the sake of this course, we are going to just use the minimal. There is also the RDS. Then there's unique. They also have ones for Android, iOS, and legacy computers, older computers, 1999 and earlier. This is all the standard type of software that you would find on a computer: part of the operating system files, regular program files, known Microsoft Office products.
These are all known files. It's a National Software Reference Library. Once you've done that, go ahead and extract it. Again, all I did was right-click, "7-Zip," "Extract files," choose wherever you want to extract them to, and then go ahead and click "Okay." They're extracting. It'll take a couple of minutes because it is a large file.

While that's running, go ahead and launch Autopsy. Once you've launched Autopsy, if you haven't done so, create a new case. How we would do that is we would go to Case, New Case. You can name the case anything you want. I think we may already have a case in here named hacking. But I'll walk you through this. I'm going to call this, and I know I already have one of these, so I'm just going to call it _12. But you can name it whatever you'd like. I have it in single user. Then you'd click "Next." You give the case a number. Any number you want is fine. You could put, usually, the year, and then the number that the case is. You can fill out your name, your phone number, email, and it takes some notes if you'd like. Once you fill that out the way you like it, hit "Finish." It will go ahead and create the case.

Now we're going to add our disk image or VM file. I'm going to add the Windows 10 VM. You navigate to where you have the Windows 10 VM saved, and click "Open." You can set the time zone. This is the time zone I am in. I will find out what time zone the suspect computer's in. Or you could set it to use UTC if you'd like. You can see all the different times that we have here. I'm going to leave mine at America/Chicago. The sector size, I'm going to leave that as auto detect. If you knew the hash values, if you had hashed the image beforehand, you could enter those also. Now, next, you hit the "Next" button. Then Hash Lookup will run on mine. We have not installed Hash Lookup yet, so it will not run on yours. Just check the Recent Activity box. Go ahead and uncheck everything else. Let's just do "Deselect All."
We're just going to go with Recent Activity; that should do it. We'll just leave it at Recent Activity. Go ahead and check Embedded File Extractor too, and Extension Mismatch Detector, and File Type Identification. Just these three and Recent Activity, then click "Next." It will run.

Once it's completed running, we're going to go ahead now and install our hash database. We're going to go to Tools, we're going to go to Options. Here we're going to select Hash Sets. You can see I already have some installed, but I'm going to go ahead and create a new Hash Set, local. I'm going to call the hash set known good. It should take you right to your hash databases, and you're going to save the known good. I'm going to say known, and we're going to click "Okay." Now here I'm going to import a hash set. Now I'm going to navigate out to where I downloaded the NSRL. I'm going to select the NSRL File.txt. I'm going to click "Open." You can see it automatically changes to known NSRL or other. I'm going to click "Okay." It's telling me I already have it loaded in there, so I can't load it again, but you should be able to load that.

Now, I'm going to create a known bad. What I'm going to do is go New Hash Set. I'm going to name it packers2. You can name it whatever you like. You can just name it packers. [inaudible]. I'm just going to give it the default here, save it there. It automatically goes to notable. Say "Okay." Now what I want to do is add hashes to this hash set. I'm going to click that button. I'll show you that again. With the packers2 highlighted, I'm going to add hashes to this hash set. Now what I'm going to do is use my text document that we had before, and I'm going to go ahead and take the hash value, the MD5 hash value, copy that, and paste it here. I'm going to say "Okay." It said one hash successfully added. Now we just click "Apply," "Okay." We're all set. Now, what we're going to do is run an ingest module.
Again, Tools, Run Ingest Module. We're running it on this image file. Now, I am just going to uncheck everything else. I'll go and deselect all. I'm going to check Hash Lookup. It's going to check all of these hash sets that I have loaded in here. You should just have the two, the known good and the packers. I'm going to click "Finish." As it's running, you can see it's running down here, and it's going to give you all kinds of messages as it's going. It will take a little while to run.

Once it's finished running, I'm going to go ahead and take a look at my Results tab. I'm going to take a look at Hash Hits. I can see I have hash hits for packers2. Let's take a better look here. Packers2, the one I just created, shows me these two hash hits. Again, it's that upx.exe that's hitting. We can see the file. That is actually a known bad file; that's a packer. That is how we would use the hash value to find a bad file. You could also go through and hash all the files in the case, and exclude the known good files. End of walk-through.
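The whole walk-through above, hashing a file the way Hasher does it, building a known-good set and a notable set, and running a lookup over every file, can be reproduced in a few lines. This is an added example, not code from the course, Autopsy or Hasher; the file contents, the hash-set text format (one hex digest per line) and the verdict names are assumptions chosen to mirror what Autopsy's Hash Lookup reports.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample files: a stand-in for a stock Windows binary (what an NSRL
# entry would cover), a stand-in for the exported upx.exe, and an unknown document.
SAMPLES = {
    "notepad.exe": b"pretend this is a stock Windows binary",
    "upx.exe": b"pretend this is the packer exported with FTK Imager",
    "report.docx": b"an unknown user document",
}

def hash_file(path):
    """Return MD5 and SHA-1 hex digests, streamed so a whole image fits in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def load_hash_set(path):
    """Assumed set format: one hex digest per line, any case, '#' lines ignored."""
    with open(path) as fh:
        return {ln.strip().lower() for ln in fh if ln.strip() and not ln.startswith("#")}

def classify(path, known_good, known_bad):
    """Mirror the lookup verdicts: notable wins over known; anything else is unknown."""
    h = hash_file(path)
    if h["md5"] in known_bad or h["sha1"] in known_bad:
        return "notable"
    if h["md5"] in known_good or h["sha1"] in known_good:
        return "known"
    return "unknown"

def demo():
    """Write the sample folder and both hash sets, then run the lookup over every file."""
    root = Path(tempfile.mkdtemp())
    for name, data in SAMPLES.items():
        (root / name).write_bytes(data)
    # Known good: SHA-1 of the stock binary, as a reference set would list it.
    (root / "known_good.txt").write_text(hash_file(root / "notepad.exe")["sha1"] + "\n")
    # Known bad: the MD5 copied out of HashResults.txt, pasted in upper case as Hasher shows it.
    (root / "packers.txt").write_text("# notable\n" + hash_file(root / "upx.exe")["md5"].upper() + "\n")
    good, bad = load_hash_set(root / "known_good.txt"), load_hash_set(root / "packers.txt")
    return {name: classify(root / name, good, bad) for name in SAMPLES}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

Only upx.exe comes back notable, notepad.exe is known, and report.docx stays unknown, which is the same split the Hash Hits view shows after the ingest module finishes.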