Okay, so let's dig right in and let's talk a little bit about the definition of digital forensics and kind of the history behind some digital forensics cases and how digital forensics came to be.

So the very first thing to think about is that digital forensics is definitely a forensic science, and most people don't realize how much information they leave behind when they use their computers. In the world of digital forensics we call this information evidence or artifacts, and all of this contributes to an investigation.

Digital forensics is one of the branches of forensic sciences, and it encompasses the recovery, the investigation, the examination and analysis of data found on digital devices. This practice is often conducted as part of an investigation into criminal activity. Included within a common digital forensic investigation are going to be four primary phases, and those phases are preservation, investigation, analysis and reporting.

So as you can think of in most investigations, technology is everywhere and it's all throughout our life. Just like any other type of report, or even like a college paper or a science paper, we're really trying to answer the five W's regarding any type of event. In the end, in our digital forensic report, we want to define the what, where, when, who and how. And you're going to have to detail those in your reports, especially in the how section of your report. You're really going to talk a lot about the methodologies you took to determine how this person conducted this activity on a digital device.

We want to spend a little bit of time talking about the differences between digital forensics and incident response. Now, on many occasions they are grouped together, but for this course we're going to focus definitely on digital forensics. The fields are quite unique, and the skills have diverged a little bit over time and technology, especially when you consider disk space. There is more disk space that we have to investigate out there in the world today than we actually have the amount of time to conduct a deep, in-depth forensic investigation, especially when it comes to an incident response. What I would say is that you are going to use digital forensics as one subset of techniques in an overall greater response to an incident.

So here are some quick differences between digital forensics and incident response. I'm going to actually go to the right side first, and I'm going to say that in an incident we're going to focus on utilizing triage tools, logs, and rapid analysis. In order to accomplish that, we're going to utilize a lot of scripts that pull data out of a live system or a forensic image. And then we're also going to do a lot of live log analysis, thinking that the goal is to provide as much information as rapidly as possible to solve the current incident.

Then when we flip to digital forensics, we may do a more thorough, in-depth investigation or a full analysis, and it's going to take considerably longer. Typically, you'll find that you will spend about 20 hours or more per device doing a forensic investigation. And that's not going to count your reporting and your communication about what you did. Remember those five W's we mentioned previously.

So when we conduct an incident, we're typically looking to answer a specific question, which could be: who was the threat actor? Where is the threat actor? Do we still have threat actors in our network? When we do digital forensics, we're actually trying to answer and prove that specific question. And we're going to be using that in criminal and non-criminal matters.

And one of the things we always have to be aware of when we are performing an investigation is that it always, always, always has the potential to become a criminal matter. So we always have to follow proper protocols in the investigation. And a lot of these protocols are developed on the Federal Rules of Evidence, so that we can always ensure that our actions and our activities are admissible in court. And what I'm trying to say about the differences between incident response and digital forensics is that the skills are similar, but sometimes our objectives are different, such as we may be focused on a manner that's going to be suitable and provable in court. Sometimes it's a higher priority to get that threat actor out of the network.

Okay, so let's talk about a couple of case studies here. I want to look at Marty Theer. Marty Theer was murdered by his wife. And as part of the big investigation in 2000, 77,000 emails that contained incriminating evidence were pulled from digital devices, specifically emails between his wife and John Diamond, who was another suspect. And one of the key things when you're trying to prove a first degree capital murder is you have to really prove premeditation and planning. So what these emails showed was detailed planning in their murder of Marty. And remember that this digital evidence corroborated other evidence. So as in most cases, digital evidence isn't always primary evidence, but it's going to be used to support the bigger picture.

A case study involving social media: again, a conventional crime, digital evidence. We can use social media and device usage to track locations, and the providers typically retain data. Not only that, this data is always retained in databases on digital devices. And it's been a great way for forensic examiners to track and recreate a criminal's whereabouts during, prior to, or after the commission of a crime. If you think about it in the specific case of a robbery, maybe this person is an Uber driver, or uses Uber or another app; applications like that constantly ping locations and save them in their database. So what you can actually do is perform a forensic analysis on a mobile device, and you can actually see every five to 10 minutes where this person was. So you can show evidence of whether or not a burglar or a robber was casing a scene in the weeks leading up to it. And then you can actually see where else they've gone, and maybe you can identify or tie this person, using digital forensics, to other crimes.

Okay. In another example, a person named William McGuire was murdered in 2004, and police actually found some evidence on his wife's computer. The evidence again corroborated the murder, and it helped establish pre-planning, because what they were able to find were Google searches relating to untraceable poisons, how to commit a murder, and where to buy a gun in Pennsylvania.

More examples of committing conventional crimes involve digital evidence all the time, and those examples are fraud, child exploitation, terrorism, drug trafficking, and homicide.