2290 views · Published 3 months ago · Fresh Forensics by Douglas Habian

Police Uncover Hacker Secrets | Sleuth Kit on Kali Linux

👀 Enjoying this video? Watch the full Forensics playlist here! 👇

🔍 In this video, we continue exploring digital forensics using Kali Linux to analyze an NTFS image, the file system commonly used by Windows systems. We begin by downloading an image file from and verifying its integrity using SHA-256 hashing. After extracting the image, we dive into the concept of Alternate Data Streams (ADS) in NTFS, which allows a file to contain multiple streams of data. We mount the image and search through the file system for files, focusing on one interesting file, , which turns out to be a video with a hidden text file in its alternate data stream. Using tools from The Sleuth Kit, we analyze the image without mounting it, uncovering the hidden text file containing hacker-related information. This video highlights the power of forensic tools in Kali Linux and the importance of understanding NTFS's hidden capabilities for real-world investigations.

🌐 Github ▸
𓃥 Sleuth Kit ▸
👮 Linux LEO ▸
📂 NTFS Disk Image ▸

📝 Commands
mount -o ro,loop,offset=$((2048*512)) /mnt/ewf/ewf1 /mnt/evidence
find /mnt/evidence -type f
find /mnt/evidence -type f | grep "AlbertE/Pictures"
fls -o 2048 -Fr | grep
fls -o 2048 -Fr 39-128-3 | file -
fls -o 2048 -Fr 39-128-3 | less
sudo apt install ewf-tools
sudo apt install mplayer

👉 YouTube Membership:
🏬 Fresh Forensics Store:

📜 Affiliate Links
Some links are affiliate links, which means I may earn a small commission at no extra cost to you. Thank you for your support!

🎶 Music Credits
🔹 Music is provided by Chosic under the Creative Commons CC BY-SA 3.0 License

📢 Disclaimer
This video is for educational purposes only.
🔑 Timestamps:
00:00 - Introduction
00:10 - Recap Previous Video
01:00 - Overview of Video & NTFS
01:35 - Referencing LinuxLeo & PDF
02:32 - Downloading NTFS Image
03:34 - Hashing Image (256sum)
04:17 - Alternate Data Streams (ADS)
05:17 - List & Extract Archive
06:46 - Expert Witness Format
08:32 - Install ewf-tools
09:12 - Identify Partition Layout of Image
10:43 - Switch To Root User
10:53 - Create Mountpoint
11:06 - Mount Image
12:13 - List Files In Image
12:43 - Use Find Command to List Files
13:18 - Filtering For Specific File With Grep
15:15 - Install & Use Mplayer to View Video
16:28 - Unmount Mountpoints
18:14 - Using fls to List Directory & File Names
18:43 - Using mmls to display Partition Layout
19:00 - Examining ADS of File of Interest (fls)
20:45 - Examining Alternate Data Stream (icat)
23:13 - Recap of Video
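The steps above (mmls for the partition layout, the 2048*512 byte offset for mount, fls -Fr to spot the ADS, icat on the 39-128-3 stream) as an added shell example that is not from the video or The Sleuth Kit project. The mmls and fls outputs below are constructed samples in TSK's format; /mnt/ewf/ewf1 is the ewfmount path used in the description, and the exact fls/icat invocations assume the image is passed as that raw file.

```shell
#!/bin/sh
# Added example: parse The Sleuth Kit's mmls/fls output to locate the NTFS
# partition offset and any NTFS alternate data streams (ADS).
# On a real image you would pipe `mmls /mnt/ewf/ewf1` and
# `fls -o <start> -Fr /mnt/ewf/ewf1` into these functions instead of samples.

# Print the start sector of the first NTFS partition listed by mmls.
ntfs_start_sector() {
  awk '/NTFS/ { print $3 + 0; exit }'
}

# Byte offset for mount -o loop,offset=... (mmls reports 512-byte sectors).
sector_to_bytes() {
  echo $(( $1 * 512 ))
}

# From fls -Fr output, print "<inode-type-id> <path:stream>" for each entry
# whose name contains ':' (TSK names an NTFS ADS as file:stream, and the
# metadata address ends in the $DATA attribute id, e.g. 39-128-3).
ads_entries() {
  awk '
    NF < 3 { next }
    {
      i = 2
      if ($i == "*") i++                 # deleted entries carry an extra "*" column
      meta = $i; sub(/:$/, "", meta)
      name = ""
      for (j = i + 1; j <= NF; j++) name = name (j > i + 1 ? " " : "") $j
      if (name ~ /:/) print meta " " name
    }'
}

# Constructed sample outputs (mirroring TSK formatting, not real evidence).
MMLS_SAMPLE='DOS Partition Table
Units are in 512-byte sectors
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   NTFS / exFAT (0x07)'
FLS_SAMPLE='r/r 39-128-1: AlbertE/Pictures/video.mp4
r/r 39-128-3: AlbertE/Pictures/video.mp4:hidden.txt
r/r 40-128-1: AlbertE/Pictures/notes.txt'

start=$(printf '%s\n' "$MMLS_SAMPLE" | ntfs_start_sector)
echo "NTFS starts at sector $start (mount byte offset $(sector_to_bytes "$start"))"
printf '%s\n' "$FLS_SAMPLE" | ads_entries | while read -r meta name; do
  echo "ADS found: $name -> icat -o $start /mnt/ewf/ewf1 $meta | file -"
done
```

The printed icat line is the command to carve the hidden stream without mounting; piping it to `file -` identifies the stream's content type before you open it.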