WEBVTT

00:00.139 --> 00:04.170
>> Welcome back. There
are times when we look at

00:04.170 --> 00:05.610
an incident and we realize that

00:05.610 --> 00:07.755
there was potentially
a crime involved.

00:07.755 --> 00:09.960
At that point, we have to shift

00:09.960 --> 00:12.045
over to forensic investigations.

00:12.045 --> 00:14.640
That is going to involve
collecting and preserving

00:14.640 --> 00:16.065
evidence in such a manner

00:16.065 --> 00:18.475
that would be admissible
in a court of law.

00:18.475 --> 00:23.225
Now, not all incidents require
forensics, but some do.

00:23.225 --> 00:25.985
As part of our incident
response plan and policy,

00:25.985 --> 00:28.990
we have to know when to
escalate an incident.

00:28.990 --> 00:31.190
Now, there are seven steps in

00:31.190 --> 00:33.545
the forensics
investigation process,

00:33.545 --> 00:34.730
and you need to make sure you

00:34.730 --> 00:35.810
know the flow of these steps

00:35.810 --> 00:38.555
for the test and what
happens with each one.

00:38.555 --> 00:43.800
One, identification; two,
preservation; three,

00:43.800 --> 00:46.725
collection; four, examination;

00:46.725 --> 00:49.170
five, analysis; six,

00:49.170 --> 00:52.150
presentation; and seven, decision.

00:52.150 --> 00:55.400
Let's talk about these
steps a bit more.

00:55.400 --> 00:57.740
The first stage is identifying

00:57.740 --> 00:59.180
that something is evidence.

00:59.180 --> 01:01.160
Now, Locard's principle of

01:01.160 --> 01:03.455
exchange says that when
a crime is committed,

01:03.455 --> 01:04.910
the attacker takes something

01:04.910 --> 01:06.499
and leaves something behind.

01:06.499 --> 01:08.105
What they leave
behind can help

01:08.105 --> 01:10.280
us identify aspects of them.

01:10.280 --> 01:13.280
It could be fingerprints,
digital signatures,

01:13.280 --> 01:15.920
or it could be knowledge of
information that suggests

01:15.920 --> 01:19.055
who the attacker is or what
their motivations were.

01:19.055 --> 01:21.875
The next step is to
preserve the evidence.

01:21.875 --> 01:23.270
The most important job of

01:23.270 --> 01:25.655
a first responder is to
preserve evidence.

01:25.655 --> 01:27.500
We have to make sure
it's collected in

01:27.500 --> 01:29.750
a forensically sound
manner and that there has

01:29.750 --> 01:32.675
been no modification as
part of the collection.

01:32.675 --> 01:35.525
As soon as we identify that
something is evidence,

01:35.525 --> 01:37.490
we go right into preservation.

01:37.490 --> 01:39.425
This is where we
create the document

01:39.425 --> 01:41.060
of the chain of custody.

01:41.060 --> 01:43.370
This particular
document is really

01:43.370 --> 01:46.210
important and definitely
could be on the test.

01:46.210 --> 01:48.530
The chain of custody documents

01:48.530 --> 01:50.480
how evidence was collected,

01:50.480 --> 01:52.115
how it was analyzed,

01:52.115 --> 01:55.145
how it's transported, and
how it was preserved.

01:55.145 --> 01:57.890
We don't want anyone to be
able to call into question

01:57.890 --> 02:00.845
the preservation or
integrity of the evidence.

02:00.845 --> 02:04.550
Digital evidence can be
manipulated so easily.

02:04.550 --> 02:06.650
We want to make sure that
the evidence is accounted

02:06.650 --> 02:09.190
for and that there
are no gaps in time.

02:09.190 --> 02:11.450
Any documentation should always

02:11.450 --> 02:13.805
include time offsets
because it can

02:13.805 --> 02:16.040
simply be a matter of
minutes or seconds that

02:16.040 --> 02:19.205
make the difference in the
evidence being admissible.

02:19.205 --> 02:22.670
Hashing algorithms are used
to show the integrity of

02:22.670 --> 02:24.860
the evidence and that the
evidence has not been

02:24.860 --> 02:28.140
modified during the
investigation process.

02:30.790 --> 02:33.785
Now the next phase
is collection.

02:33.785 --> 02:35.510
You want to minimize handling

02:35.510 --> 02:36.980
and touching of the evidence.

02:36.980 --> 02:39.860
Make sure you're not
working on original drives.

02:39.860 --> 02:41.855
When it comes to
collecting the evidence

02:41.855 --> 02:43.430
and then analyzing the evidence,

02:43.430 --> 02:45.985
you want to make sure that
you take a system image.

02:45.985 --> 02:47.480
You don't ever want to work on

02:47.480 --> 02:49.205
an original document or file,

02:49.205 --> 02:51.200
you always want to copy.

02:51.200 --> 02:53.200
You'll hash the
original and hash

02:53.200 --> 02:55.835
the copy that you're doing
the investigation on.

02:55.835 --> 02:58.400
We also have to
work fast because

02:58.400 --> 03:01.400
a lot of digital evidence
is very volatile.

03:01.400 --> 03:03.695
Something you need to
know for the exam,

03:03.695 --> 03:04.880
is that you need to collect from

03:04.880 --> 03:06.200
the most volatile items

03:06.200 --> 03:08.470
first and then the
least volatile.

03:08.470 --> 03:10.695
This means to work
in this order.

03:10.695 --> 03:13.335
CPU registers, cache,

03:13.335 --> 03:16.155
routing table, ARP cache,

03:16.155 --> 03:20.065
process tables, RAM,

03:20.065 --> 03:23.405
paging file and other
temporary file systems.

03:23.405 --> 03:25.640
The paging file could
also be called the swap

03:25.640 --> 03:27.500
file and is set aside
on a hard drive

03:27.500 --> 03:29.210
to act like RAM
in the event that

03:29.210 --> 03:31.865
the system needs more
RAM than is available.

03:31.865 --> 03:34.600
Hard drive, remote logs and

03:34.600 --> 03:37.710
monitoring data,
and archive media.

03:37.820 --> 03:40.130
Be prepared for a question that

03:40.130 --> 03:41.780
might involve a
drag and drop of

03:41.780 --> 03:43.370
the above list, putting it in

03:43.370 --> 03:46.530
the correct order of
most volatile first.

03:47.920 --> 03:50.540
Examination gives you data,

03:50.540 --> 03:52.780
analysis gives you information.

03:52.780 --> 03:55.040
When I examine a
disk for instance,

03:55.040 --> 03:57.020
and remember, I would be working

03:57.020 --> 03:59.725
from a copy of the
disk, not the original.

03:59.725 --> 04:02.030
I'm looking for data, I'm

04:02.030 --> 04:04.745
recording what I see and
documenting the facts.

04:04.745 --> 04:07.370
But when I get to the
analysis I take the data that

04:07.370 --> 04:10.355
I've recorded and I look
to get a larger picture.

04:10.355 --> 04:12.925
I'm going to put the
facts in context.

04:12.925 --> 04:16.340
So I'd put data through
analysis and get information.

04:16.340 --> 04:19.805
Once you've done your analysis

04:19.805 --> 04:21.170
and you have your information,

04:21.170 --> 04:22.250
you would then take it and

04:22.250 --> 04:24.154
present the
evidence in court.

04:24.154 --> 04:26.540
You want to make sure that
all these steps have been

04:26.540 --> 04:28.535
performed in a
forensically sound manner,

04:28.535 --> 04:30.740
so when you present
the evidence in court,

04:30.740 --> 04:33.690
a judge will rule it
to be admissible.

04:33.980 --> 04:36.065
As a quick review,

04:36.065 --> 04:38.750
when an event has a negative
impact on the system,

04:38.750 --> 04:40.670
then that event
becomes an incident,

04:40.670 --> 04:42.410
and how we respond to that event

04:42.410 --> 04:44.815
is going to make or break us.

04:44.815 --> 04:48.095
Just to review the
incident response process.

04:48.095 --> 04:50.660
It is preparation,
identification,

04:50.660 --> 04:52.655
containment, eradication,

04:52.655 --> 04:55.310
and recovery, and
then lessons learned.

04:55.310 --> 04:57.860
Now, once an incident appears to

04:57.860 --> 05:00.020
have criminal intent
or criminal elements,

05:00.020 --> 05:01.685
we then move into forensics,

05:01.685 --> 05:03.680
where we follow the
seven-step process of

05:03.680 --> 05:06.830
forensic investigation:
identification,

05:06.830 --> 05:09.965
preservation,
collection, examination,

05:09.965 --> 05:13.235
analysis, presentation,
and decision.

05:13.235 --> 05:15.380
I want to stress
that this is a very

05:15.380 --> 05:17.360
high-level overview
of this topic.

05:17.360 --> 05:19.040
You can get more
in-depth coverage

05:19.040 --> 05:21.510
of forensics in another course.

