WEBVTT

00:00.000 --> 00:02.820
>> Forensics concepts.

00:02.820 --> 00:05.880
The learning objectives
for this lesson are to

00:05.880 --> 00:09.135
explore the legal issues
surrounding data forensics,

00:09.135 --> 00:11.354
to define the forensics process,

00:11.354 --> 00:14.235
and to describe data
integrity and preservation.

00:14.235 --> 00:17.190
Let's get started. First, we're

00:17.190 --> 00:19.379
going to go over the
forensics process.

00:19.379 --> 00:21.420
The first step is
identification.

00:21.420 --> 00:23.640
We're going to ensure
that our crime scene is

00:23.640 --> 00:27.120
secure so that we can prevent
evidence contamination.

00:27.120 --> 00:28.410
Then we're going to identify

00:28.410 --> 00:30.255
the scope of evidence
to be collected.

00:30.255 --> 00:33.360
In an example, we've been
asked to come over to

00:33.360 --> 00:35.415
a workstation in an office

00:35.415 --> 00:37.995
that has been suspected
to be used in a crime.

00:37.995 --> 00:39.630
The first thing we're
going to make sure is

00:39.630 --> 00:41.100
that no one can get access to

00:41.100 --> 00:44.390
that workstation so that
it's not turned off,

00:44.390 --> 00:46.805
changes aren't being
made, that type of thing.

00:46.805 --> 00:50.150
Also, we want to see: are
any devices connected to

00:50.150 --> 00:51.450
the computer, or are

00:51.450 --> 00:53.970
flash drives plugged
in, mobile devices?

00:53.970 --> 00:56.450
All of this would be
within our scope so that

00:56.450 --> 00:59.080
we're sure that we're
collecting everything.

00:59.080 --> 01:01.210
Then the next step
is collection.

01:01.210 --> 01:03.980
We will make sure that the
evidence is collected using

01:03.980 --> 01:07.040
tools and methods that will
survive legal scrutiny.

01:07.040 --> 01:08.840
If this part isn't
done correctly,

01:08.840 --> 01:10.910
then everything else
doesn't matter.

01:10.910 --> 01:13.430
Because if it will not
survive legal scrutiny,

01:13.430 --> 01:15.960
then your case is going
to get thrown out.

01:16.070 --> 01:18.390
We move to analysis.

01:18.390 --> 01:20.044
This is where we are creating

01:20.044 --> 01:23.135
a forensics copy for us
to do our analysis on.

01:23.135 --> 01:25.830
We never do our analysis
on the direct data.

01:25.830 --> 01:28.570
We want to make sure we're
using a copy for that.

01:28.570 --> 01:31.700
Then we're going to use
repeatable methods and tools.

01:31.700 --> 01:35.810
This will also help us to
survive legal scrutiny.

01:35.810 --> 01:39.095
Then we will go to the reporting
and presentations phase.

01:39.095 --> 01:41.120
This is where we
create a report of

01:41.120 --> 01:43.280
all the methods and tools
that we used and then we

01:43.280 --> 01:44.690
present all the findings and

01:44.690 --> 01:49.640
our conclusions.
Chain of custody.

01:49.640 --> 01:53.195
This is a critical part of
any forensics analysis,

01:53.195 --> 01:55.760
not just for computer
or IT related.

01:55.760 --> 01:57.530
This is a record of evidence

01:57.530 --> 01:59.300
handling from the collection,

01:59.300 --> 02:01.865
all the way through its
presentation in court,

02:01.865 --> 02:04.625
who touched it, who
did anything with it.

02:04.625 --> 02:06.690
Every detail is recorded.

02:06.690 --> 02:09.560
Who interacted with the
evidence and what they did,

02:09.560 --> 02:11.720
it's a detailed report and

02:11.720 --> 02:14.180
labeling of all
evidence collected.

02:14.180 --> 02:16.340
Strong physical controls should

02:16.340 --> 02:18.470
be in place where
evidence is stored.

02:18.470 --> 02:21.680
You've heard stories of
police evidence lockers

02:21.680 --> 02:25.220
being not necessarily
secured, and because of that,

02:25.220 --> 02:26.390
the evidence in there became

02:26.390 --> 02:28.145
contaminated and cases
were thrown out.

02:28.145 --> 02:29.465
Same type of thing here.

02:29.465 --> 02:30.800
We want to make sure that all of

02:30.800 --> 02:32.720
our evidence is collected
and then stored

02:32.720 --> 02:34.190
in a safe way so that we

02:34.190 --> 02:36.900
can maintain the
chain of custody.

02:37.340 --> 02:41.704
Data acquisition. This is
the process of collecting

02:41.704 --> 02:43.940
forensically clean copies of

02:43.940 --> 02:46.565
all data so that we can
use it as evidence.

02:46.565 --> 02:48.290
We're going to
work from the most

02:48.290 --> 02:50.420
volatile to the least volatile.

02:50.420 --> 02:52.820
The ISOC best practices say

02:52.820 --> 02:55.565
to start with the CPU registers
and the cache memory,

02:55.565 --> 02:57.350
this being the most volatile.

02:57.350 --> 03:01.025
Then we go down to the
contents of the system memory.

03:01.025 --> 03:02.840
After that, we go
to the data that's

03:02.840 --> 03:05.335
our mass storage devices
such as hard drives.

03:05.335 --> 03:09.095
Then we will look at remote
logging and monitoring data.

03:09.095 --> 03:10.910
After that, we will move down to

03:10.910 --> 03:13.985
the physical configuration
and the network topology.

03:13.985 --> 03:17.000
Then finally, we will move to
the archival media because

03:17.000 --> 03:20.670
this is the least volatile
of all the evidence.

03:21.530 --> 03:24.775
Cryptanalysis and steganalysis.

03:24.775 --> 03:28.385
Cryptanalysis is the art
of breaking encryption.

03:28.385 --> 03:30.830
In certain situations,
this may be

03:30.830 --> 03:33.710
a requirement if collected
data is encrypted.

03:33.710 --> 03:37.130
Now, typically, this
is going to be beyond

03:37.130 --> 03:41.075
the scope of most companies'
evidence response teams.

03:41.075 --> 03:42.800
Even at the state level,

03:42.800 --> 03:45.515
this is going to become a
difficulty for law enforcement.

03:45.515 --> 03:47.090
You've seen in the news, where

03:47.090 --> 03:49.460
the FBI often has issues getting

03:49.460 --> 03:54.320
into Apple iOS devices
because of the encryption.

03:54.320 --> 03:56.825
I cannot imagine very many times

03:56.825 --> 03:59.870
for a corporation
or a company issue

03:59.870 --> 04:01.675
where this is going to become

04:01.675 --> 04:05.490
something that you're
expected to do.

04:05.490 --> 04:07.580
Then steganalysis
is concerned with

04:07.580 --> 04:11.150
locating data that may be
hidden within other files.

04:11.150 --> 04:13.430
We can often hide documents

04:13.430 --> 04:16.075
inside of picture files
using steganography.

04:16.075 --> 04:20.030
We're going to use different
tools to help us see if

04:20.030 --> 04:21.590
the files that we've collected

04:21.590 --> 04:24.360
contain any
other types of data.

04:24.360 --> 04:27.259
This is something I can see
that would be necessary

04:27.259 --> 04:30.155
in almost anyone's
investigation.

04:30.155 --> 04:31.760
You would want to
use tools that will

04:31.760 --> 04:33.290
scan through the files to find

04:33.290 --> 04:37.230
out if they're hiding any
other pieces of information.

04:37.970 --> 04:41.750
Forensics image versus
forensics clone.

04:41.750 --> 04:44.000
Both of these represent
duplicates of

04:44.000 --> 04:47.045
electronic media and
they're done bit by bit.

04:47.045 --> 04:49.580
An image can be
used for analysis.

04:49.580 --> 04:53.215
A clone is a working copy
that is not preserved.

04:53.215 --> 04:56.970
These terms are often
used interchangeably,

04:56.970 --> 05:00.320
but one thing to keep in
mind is that the clone is

05:00.320 --> 05:01.940
the one we're doing our work on

05:01.940 --> 05:03.815
and it's not going
to be preserved.

05:03.815 --> 05:05.500
We will be making
changes to that,

05:05.500 --> 05:08.450
but we can figure out what
we're looking for and

05:08.450 --> 05:09.950
we always have the original

05:09.950 --> 05:12.450
forensics image to go back to.

05:13.130 --> 05:15.775
Evidence preservation.

05:15.775 --> 05:18.820
Everything collected
has to be labeled and

05:18.820 --> 05:22.850
bagged and then sealed in
tamper resistant bags.

05:24.890 --> 05:27.755
If there is a possibility that

05:27.755 --> 05:31.105
electrostatic discharge will
damage different devices,

05:31.105 --> 05:33.400
then those pieces of evidence

05:33.400 --> 05:35.830
should be placed in
anti-static shielded bags.

05:35.830 --> 05:42.295
This would be especially
important for sensitive drives,

05:42.295 --> 05:43.975
sensitive devices,

05:43.975 --> 05:46.060
sometimes even flash drives if

05:46.060 --> 05:48.715
you're really concerned
with what's on there.

05:48.715 --> 05:50.140
Evidence should be stored in

05:50.140 --> 05:52.240
secure facilities that
are access controlled.

05:52.240 --> 05:53.965
This is what I was
referring to earlier,

05:53.965 --> 05:57.080
that you need to have the
evidence locked away.

05:58.040 --> 06:00.950
Let's summarize. We went over

06:00.950 --> 06:03.875
the forensics process and
then the chain of evidence.

06:03.875 --> 06:05.780
We also discussed the
difference between

06:05.780 --> 06:08.015
a forensics image and
a forensic clone.

06:08.015 --> 06:09.740
We discussed cryptanalysis and

06:09.740 --> 06:12.295
steganalysis and
evidence preservation.

06:12.295 --> 06:15.030
Let's do some example questions.

06:15.030 --> 06:17.750
Question 1, this describes

06:17.750 --> 06:20.180
the process of
maintaining evidence from

06:20.180 --> 06:26.490
collection to presenting it
in court. Chain of custody.

06:26.490 --> 06:28.915
Question 2, true or false.

06:28.915 --> 06:33.120
Hard drive data should be
collected before system memory.

06:33.400 --> 06:36.110
False. System memory is

06:36.110 --> 06:39.030
more volatile and should
be collected first.

06:40.570 --> 06:43.445
Question 3, true or false.

06:43.445 --> 06:44.960
A forensics image isn't

06:44.960 --> 06:47.910
preserved and is
used for working.

06:48.080 --> 06:50.750
False. A forensics clone

06:50.750 --> 06:53.240
is a working copy
that isn't preserved.

06:53.240 --> 06:55.160
Finally, question 4,

06:55.160 --> 06:56.510
this describes looking for

06:56.510 --> 06:59.700
hidden data inside
of other files.

06:59.870 --> 07:03.800
Steganalysis. I hope
this lesson was very

07:03.800 --> 07:05.060
helpful for you and gave you

07:05.060 --> 07:06.995
a good idea of the
forensics process.

07:06.995 --> 07:09.150
I'll see you in the next lesson.

