WEBVTT

0:00:09.380000 --> 0:00:14.080000
Okay, let's talk about forensic fundamentals and how they play in.

0:00:14.080000 --> 0:00:17.420000
In this section, we're going to go over what is digital evidence.

0:00:17.420000 --> 0:00:21.320000
We're going to talk a little bit about digital forensic tools, and then

0:00:21.320000 --> 0:00:25.560000
we're also going to introduce you to the Daubert standard, and we're going

0:00:25.560000 --> 0:00:28.940000
to briefly review the scientific method.

0:00:28.940000 --> 0:00:34.000000
So, within digital forensics, just like any other type of investigation,

0:00:34.000000 --> 0:00:36.800000
our evidence is everything.

0:00:36.800000 --> 0:00:41.060000
Just like our evidence found in a crime investigation and the physical

0:00:41.060000 --> 0:00:46.900000
evidence, I mean, DNA in a homicide case, fingerprints, tire treads, shoe

0:00:46.900000 --> 0:00:52.200000
prints, really anything physical you can think of, that's evidence.

0:00:52.200000 --> 0:00:56.880000
So in our digital world, evidence can be defined as any type of digital

0:00:56.880000 --> 0:01:02.280000
information that's going to be stored, transmitted, or produced from electronic

0:01:02.280000 --> 0:01:04.720000
devices and software.

0:01:04.720000 --> 0:01:09.460000
What that really means is that anything that's on a hard disk, flash drive,

0:01:09.460000 --> 0:01:12.440000
RAM, anything, that is evidence.

0:01:12.440000 --> 0:01:15.520000
Now, whether or not it's in scope is a different thing, but we're going

0:01:15.520000 --> 0:01:17.920000
to talk about that a little later.

0:01:17.920000 --> 0:01:25.860000
Let's talk about some examples of what our digital evidence is.

0:01:25.860000 --> 0:01:30.360000
We're going to have web browsing history, downloaded or temporary internet

0:01:30.360000 --> 0:01:33.600000
files, event logs and system logs.

0:01:33.600000 --> 0:01:36.440000
Those are two different types of evidence.
0:01:36.440000 --> 0:01:42.620000
Pictures produced by digital cameras, print logs saved on printers, email

0:01:42.620000 --> 0:01:48.780000
messages, deleted or hidden files, applications and their associated data.

0:01:48.780000 --> 0:01:53.020000
That kind of goes back to a previous example I gave about Uber drivers

0:01:53.020000 --> 0:01:58.180000
and their Uber software having their location recorded at

0:01:58.180000 --> 0:01:59.780000
regular intervals.

0:01:59.780000 --> 0:02:02.800000
Evidence preservation.

0:02:02.800000 --> 0:02:08.360000
So when we talk about preserving evidence, it's really important in digital

0:02:08.360000 --> 0:02:14.260000
forensics to introduce the least amount of changes to a system.

0:02:14.260000 --> 0:02:18.300000
And that's going to apply to our digital devices, operating systems and

0:02:18.300000 --> 0:02:23.220000
applications. And in order to do that, we have to understand how those

0:02:23.220000 --> 0:02:27.520000
applications and operating systems and devices function.

0:02:27.520000 --> 0:02:32.460000
So do not forget about your underlying IT skills.

0:02:32.460000 --> 0:02:37.180000
And if the data is not acquired correctly for the given situation, the

0:02:37.180000 --> 0:02:42.260000
evidence could be lost or altered in your forensics process or even in

0:02:42.260000 --> 0:02:43.800000
the court testimony process.

0:02:43.800000 --> 0:02:47.140000
It could get suppressed by counsel.

0:02:47.140000 --> 0:02:52.200000
And once it's deemed inadmissible to be used in court proceedings, then

0:02:52.200000 --> 0:02:57.360000
it's unlikely that a jury will ever see that evidence.

0:02:57.360000 --> 0:03:07.480000
So when we talk about forensics and using forensic tools, I want you to

0:03:07.480000 --> 0:03:11.520000
understand that the analyst tools, they do play a very important role

0:03:11.520000 --> 0:03:14.220000
in the digital forensic process.
0:03:14.220000 --> 0:03:19.620000
However, being a forensic processor isn't just about using the correct

0:03:19.620000 --> 0:03:22.160000
tools in the correct ways.

0:03:22.160000 --> 0:03:25.320000
What we call that is the kind of button-clicking forensics, and it's really

0:03:25.320000 --> 0:03:29.500000
not forensics. It's just pushing buttons and then printing out results

0:03:29.500000 --> 0:03:31.440000
in that expected manner.

0:03:31.440000 --> 0:03:36.340000
So what we strive for you to do and what I want you to do is for you to

0:03:36.340000 --> 0:03:41.840000
develop a deep and thorough understanding of all of the underlying technologies

0:03:41.840000 --> 0:03:43.400000
that you're handling.

0:03:43.400000 --> 0:03:48.460000
That includes Windows operating systems, PC hardware, Linux operating

0:03:48.460000 --> 0:03:52.420000
systems, all of your network devices, routers and switches: understand

0:03:52.420000 --> 0:03:57.320000
how they work, what types of logs they generate, and how they

0:03:57.320000 --> 0:03:59.280000
can be preserved.

0:03:59.280000 --> 0:04:05.580000
So understanding these fundamental and advanced IT skills will make you

0:04:05.580000 --> 0:04:07.960000
a better forensic practitioner.

0:04:07.960000 --> 0:04:10.680000
I'm not saying that you can't be a digital forensic practitioner without

0:04:10.680000 --> 0:04:16.180000
knowing those IT skills, but it should be something on your list to develop

0:04:16.180000 --> 0:04:21.660000
into. When you're a practitioner, and I mentioned this up in the earlier

0:04:21.660000 --> 0:04:25.880000
slide, being able to point and click in the right order is just not enough.

0:04:25.880000 --> 0:04:31.900000
We have to understand what our tools are doing as they acquire, process,

0:04:31.900000 --> 0:04:35.320000
interpret and display the data.
0:04:35.320000 --> 0:04:42.180000
Even more importantly, we may have to describe that process in a court

0:04:42.180000 --> 0:04:46.700000
of law or in a deposition or even just to an attorney or even better.

0:04:46.700000 --> 0:04:47.960000
We might be on the conference call.

0:04:47.960000 --> 0:04:51.820000
We might have to educate a customer or client on what we're going to do

0:04:51.820000 --> 0:04:54.080000
and how we're going to do it.

0:04:54.080000 --> 0:05:00.180000
So talking about the different types of forensic tools out there, we're

0:05:00.180000 --> 0:05:05.700000
going to have proprietary or closed source tools such as EnCase, FTK

0:05:05.700000 --> 0:05:09.940000
and Axiom. We're going to have open source tools out there and usually

0:05:09.940000 --> 0:05:13.100000
those are going to be found on Linux, but they do exist on Windows also.

0:05:13.100000 --> 0:05:18.900000
And some examples are Plaso, RegRipper, fls as a single command

0:05:18.900000 --> 0:05:24.200000
tool and then even a tool such as Volatility for analyzing RAM.

0:05:24.200000 --> 0:05:26.940000
And then we're going to have custom built tools and these are going to

0:05:26.940000 --> 0:05:30.300000
be typically tools that you and your team build or tools that you might

0:05:30.300000 --> 0:05:35.340000
find on GitHub. A lot of these tools are scripts that assist in an incident

0:05:35.340000 --> 0:05:39.520000
response scenario or even a rapid triage scenario.

0:05:39.520000 --> 0:05:44.060000
So you could run a script that could dump all the relevant log files and

0:05:44.060000 --> 0:05:47.500000
RAM and maybe some file artifacts that you're looking for.

0:05:47.500000 --> 0:05:49.000000
You can collect that quickly.
0:05:49.000000 --> 0:05:53.020000
You can start analyzing the system while the bigger acquisition or bigger

0:05:53.020000 --> 0:05:59.640000
analysis takes place, because doing a full case process in your forensic tools

0:05:59.640000 --> 0:06:05.160000
can take multiple hours or even days.

0:06:05.160000 --> 0:06:10.260000
I want to talk quickly and briefly about the Daubert standard.

0:06:10.260000 --> 0:06:16.440000
So the Daubert standard is going to be the standard that we look at when

0:06:16.440000 --> 0:06:20.760000
we are seeing if evidence is admissible into court.

0:06:20.760000 --> 0:06:26.820000
And that's primarily going to be in the fact that evidence has to be kind

0:06:26.820000 --> 0:06:29.000000
of scientific in its nature.

0:06:29.000000 --> 0:06:33.700000
And so Daubert gives us a scientific procedure used to prepare or uncover

0:06:33.700000 --> 0:06:37.720000
evidence using the following factors.

0:06:37.720000 --> 0:06:44.100000
Okay, has the standard and.

0:06:44.100000 --> 0:06:48.700000
Has the procedure been tested?

0:06:48.700000 --> 0:06:55.160000
And that's: have you tested this against some sample data or a sample

0:06:55.160000 --> 0:07:01.020000
hard drive? Do you know that when you do that forensic acquisition or

0:07:01.020000 --> 0:07:05.920000
when you interpret a result in your forensic software, do you know that

0:07:05.920000 --> 0:07:09.160000
that data is going to give you the expected result?

0:07:09.160000 --> 0:07:13.600000
Because if it doesn't give you the expected result, then you might have

0:07:13.600000 --> 0:07:16.320000
a problem with this.

0:07:16.320000 --> 0:07:21.360000
Is there a known error rate when you're utilizing this forensic technique,

0:07:21.360000 --> 0:07:25.280000
and is it low enough that it's okay?
0:07:25.280000 --> 0:07:27.760000
And that's going to be something that you're going to have to determine

0:07:27.760000 --> 0:07:32.800000
for yourself, but we're going to help you out in the next one here in

0:07:32.800000 --> 0:07:36.340000
a second and we're going to show you that there's a little more to that.

0:07:36.340000 --> 0:07:40.420000
But do you know how often this procedure fails and how often it gives

0:07:40.420000 --> 0:07:43.260000
you the expected or intended result?

0:07:43.260000 --> 0:07:46.800000
Okay, so the next one we have here is accepted.

0:07:46.800000 --> 0:07:54.900000
Is the forensic procedure or application or tool accepted not only by

0:07:54.900000 --> 0:08:00.740000
you, but by your peers and by the larger overarching community?

0:08:00.740000 --> 0:08:04.480000
So it's one thing for you to accept it, but if most of the digital forensic

0:08:04.480000 --> 0:08:09.360000
community accepts this, then it's going to have an easier time being accepted

0:08:09.360000 --> 0:08:14.460000
in court or it's going to be more likely that you're not going to be questioned

0:08:14.460000 --> 0:08:17.380000
about what you did.

0:08:17.380000 --> 0:08:20.940000
And then has it been reviewed?

0:08:20.940000 --> 0:08:26.180000
That's really the crux here and it throws in testing, error rate and acceptance

0:08:26.180000 --> 0:08:29.420000
all into reviewed.

0:08:29.420000 --> 0:08:34.400000
Does the community accept what you've done? Have they peer reviewed

0:08:34.400000 --> 0:08:35.100000
what you've done?

0:08:35.100000 --> 0:08:42.000000
Has somebody else taken a look at it and said, yep, that works?

0:08:42.000000 --> 0:08:49.280000
So when you conduct your investigation, you're going to be expected to

0:08:49.280000 --> 0:08:53.300000
apply the scientific method to your investigation.
0:08:53.300000 --> 0:08:58.640000
You're going to be, you're going to have to analyze data and draw accurate

0:08:58.640000 --> 0:09:02.580000
conclusions and then you're going to have to detect when data appears

0:09:02.580000 --> 0:09:07.380000
to be missing, deleted or corrupted.

0:09:07.380000 --> 0:09:10.900000
And that can help you out with your intentions for your threat actor or

0:09:10.900000 --> 0:09:19.340000
your suspect. So let's talk a little bit about the scientific method.

0:09:19.340000 --> 0:09:22.740000
The scientific method of problem solving is something that we all at least

0:09:22.740000 --> 0:09:27.880000
basically learned in middle school or high school, and it is a body of

0:09:27.880000 --> 0:09:33.460000
techniques for investigating phenomena, acquiring new knowledge, or correcting

0:09:33.460000 --> 0:09:36.180000
and integrating previous knowledge.

0:09:36.180000 --> 0:09:41.140000
The scientific method is going to be our most powerful and useful ally when

0:09:41.140000 --> 0:09:44.020000
we're looking at presenting this reliable evidence.

0:09:44.020000 --> 0:09:47.820000
So let's just do a quick review of the scientific method and how it applies

0:09:47.820000 --> 0:09:55.340000
to forensics. We're going to do a real simple methodology and we're going

0:09:55.340000 --> 0:10:02.360000
to ask a question, and this question could be something like: what user

0:10:02.360000 --> 0:10:10.820000
printed this document at 1:30 pm on December 1st, 2021?

0:10:10.820000 --> 0:10:13.140000
So I've asked a question.

0:10:13.140000 --> 0:10:18.880000
So what observations do I need to make to determine what user printed

0:10:18.880000 --> 0:10:21.600000
that document? What can I observe about the system?

0:10:21.600000 --> 0:10:23.660000
What artifacts can I observe?

0:10:23.660000 --> 0:10:28.980000
Where on a computer system am I going to see records of a document being

0:10:28.980000 --> 0:10:34.000000
printed? Then I can move on and I can build a hypothesis.

0:10:34.000000 --> 0:10:39.840000
I can say by looking at these artifacts, I can determine that the user

0:10:39.840000 --> 0:10:41.880000
printed a document.

0:10:41.880000 --> 0:10:45.820000
Or not. I can perform that analysis then.

0:10:45.820000 --> 0:10:49.680000
I can go to those locations and event logs and system logs and I can see

0:10:49.680000 --> 0:10:52.160000
that a document has been printed.

0:10:52.160000 --> 0:10:55.540000
And from there I can make a conclusion on whether a document was printed

0:10:55.540000 --> 0:10:57.660000
or not on this date and time.

0:10:57.660000 --> 0:11:01.640000
And then utilizing my operating system knowledge and operating system

0:11:01.640000 --> 0:11:06.260000
artifacts, I can most likely make a determination as to what user was

0:11:06.260000 --> 0:11:11.080000
logged in at the time of that print job occurring.

0:11:11.080000 --> 0:11:12.600000
Note what I said.

0:11:12.600000 --> 0:11:18.500000
I could determine what user was logged in when that print job occurred.

0:11:18.500000 --> 0:11:22.720000
What I cannot determine is whether or not that user was the person that

0:11:22.720000 --> 0:11:27.520000
was physically present at that console or logged in to a terminal when

0:11:27.520000 --> 0:11:31.380000
that occurred. So this is correlating evidence, but it's not always going

0:11:31.380000 --> 0:11:34.320000
to be primary evidence.

0:11:34.320000 --> 0:11:36.160000
So you formed your hypothesis.

0:11:36.160000 --> 0:11:36.960000
What are you going to do next?

0:11:36.960000 --> 0:11:41.800000
You're going to make predictions based on that hypothesis.

0:11:41.800000 --> 0:11:45.620000
Those predictions have to be testable and provable.

0:11:45.620000 --> 0:11:48.240000
Otherwise they're just not going to work for you.
0:11:48.240000 --> 0:11:53.060000
And to minimize chances of error, you're going to have to consider alternative

0:11:53.060000 --> 0:12:01.880000
hypotheses. So the example being: what if there was a different user physically

0:12:01.880000 --> 0:12:05.760000
present at the console when that print job was made?

0:12:05.760000 --> 0:12:11.640000
What if that user's credentials were compromised and somebody else printed

0:12:11.640000 --> 0:12:14.280000
that document under the user's name?

0:12:14.280000 --> 0:12:15.040000
Can I prove that?

0:12:15.040000 --> 0:12:15.800000
Can I figure that out?

0:12:15.800000 --> 0:12:19.180000
Does that lead me to another question and another hypothesis I have to

0:12:19.180000 --> 0:12:23.880000
form? So you should always be thinking in terms of proving or disproving

0:12:23.880000 --> 0:12:25.380000
your prediction.

0:12:25.380000 --> 0:12:28.800000
And know that just because you disprove something, that's not the end of

0:12:28.800000 --> 0:12:30.340000
the world; it's not the end of the investigation.

0:12:30.340000 --> 0:12:35.780000
It can actually help you and lead you to that correct conclusion.

0:12:35.780000 --> 0:12:41.460000
But you have to present all the data that will support or contradict it.

0:12:41.460000 --> 0:12:52.680000
There are incredibly few, possibly zero, cases where an investigator can

0:12:52.680000 --> 0:12:57.340000
use digital evidence to conclusively attribute digital activity to an

0:12:57.340000 --> 0:13:01.400000
individual. It's essential that you remember that digital evidence is

0:13:01.400000 --> 0:13:06.380000
almost always circumstantial, with photographic or videographic evidence

0:13:06.380000 --> 0:13:10.720000
coming closest to qualifying as direct evidence.

0:13:10.720000 --> 0:13:15.380000
No matter how much digital evidence you have, it is unlikely that you

0:13:15.380000 --> 0:13:23.640000
can prove whose fingers were on that keyboard when the data was generated.
0:13:23.640000 --> 0:13:28.320000
Keep in mind that the reason why we do these procedures is because they're

0:13:28.320000 --> 0:13:30.480000
backed by science.

0:13:30.480000 --> 0:13:34.740000
We follow these same scientific procedures when we extract artifacts and

0:13:34.740000 --> 0:13:39.760000
build a hypothesis so that you have a scientific base to validate and

0:13:39.760000 --> 0:13:43.220000
explain your conclusions and how you've reached them.

0:13:43.220000 --> 0:13:47.760000
If there is no scientific reason to support your procedure or findings,

0:13:47.760000 --> 0:13:51.800000
then the credibility of

0:13:51.800000 --> 0:13:57.020000
your forensic analysis and the resulting evidence will be undermined and

0:13:57.020000 --> 0:14:00.460000
it may be deemed inadmissible in court proceedings.

0:14:00.460000 --> 0:14:05.980000
So make sure that everything you do meets that Daubert standard and that

0:14:05.980000 --> 0:14:08.720000
everything you do has been tested.

0:14:08.720000 --> 0:14:18.140000
You tested it on evidence where you can get the expected result, and then you

0:14:18.140000 --> 0:14:21.920000
test actual evidence and you get that same expected result.

0:14:21.920000 --> 0:14:27.600000
Make sure that that process is documented and that it's accepted.

0:14:27.600000 --> 0:14:32.200000
Make sure that that method is documented and that it's accepted by your

0:14:32.200000 --> 0:14:36.460000
peers and they've looked at it and they've confirmed it too, and make sure

0:14:36.460000 --> 0:14:39.380000
all of that is reflected in your notes.