WEBVTT

00:00:09.120 --> 00:00:51.720
So let's talk about the digital forensic process. And we're going to start that off by talking about the digital forensic lifecycle, or the process of conducting a digital forensic investigation. We can break this down into five steps. The first is identification, or figuring out what potential sources of relevant data are out there. Then preservation: how are we going to acquire the relevant data, and what process do we need to follow, so that we acquire it in a way that preserves its integrity?

00:00:51.720 --> 00:01:39.800
Then we're going to perform an analysis, where we correlate and study all of the data that we have collected. Then we're going to document our analysis, recording our relevant findings in terms of forensic notes and then reports and presentations. And then finally, and most importantly, we're going to present that in a full-fledged digital forensics report and probably a walkthrough or testimony.

00:01:39.800 --> 00:01:54.280
There are multiple different ways that we're going to present data to our relevant parties. Okay. For now, just a general understanding of the investigative process is going to work for you.

00:02:31.800 --> 00:03:11.020
So, let's explore some of the possible types and sources of digital evidence, as they will determine the tools you'll need to analyze that evidence. For example, analyzing Mac OS or Linux operating system artifacts could require completely different tools than those that are used on the Windows operating system. Also, note that tools can sometimes be divided into tools that analyze memory well and tools that analyze hard disks or other types of disk information really well. Very seldom do you find a forensic tool that does it all.

00:03:11.020 --> 00:04:31.080
So, as you're moving through your investigation, it can involve multiple types of devices that are capable of storing digital data. This list includes any type of computer, and that's going to be a laptop or a desktop and whatever internal storage is in there. External storage devices, such as thumb drives and external hard drives like the book-style ones. Removable media such as flash drives, CD-ROMs and DVDs. Mobile devices such as cell phones and tablets; note that I do separate mobile devices into a different category from computers. Even though they are all computers, the difference is that you might have to take some special and extreme steps with mobile devices to get the data off of them. Peripheral devices such as printers and scanners: they do have internal memory, and there can be ways to get into that memory and see what's going on. And then network devices such as routers, switches and wireless access points.

00:04:31.080 --> 00:04:46.200
So there's one term you're going to hear a lot in the acquisition process, and that's volatility. Let's talk about volatility for a minute. We can categorize data into volatile and non-volatile types.

00:04:46.200 --> 00:05:25.300
Volatile data is going to be any type of data that's stored in random access memory. That data is generally unrecoverable once a device is turned off, and it can be tricky to acquire and analyze. But there are processes, procedures and steps you can take to ensure that you capture as much of it as you physically can. Non-volatile data is going to be the data that sticks around once you turn a system off. That's going to be your hard disks, and maybe data that is in the NVRAM, or non-volatile RAM. A lot of that's going to be your tablets and stuff like that.

00:05:25.300 --> 00:06:02.780
So let's look at the order of volatility. Here's a quick list. We're going to start with registers and cache. Those are going to be your processors and the other electronic components on a motherboard, or the controller boards on a hard disk; the very moment you take power away from those, they lose all the information in there. And that includes everything up to RAM, which we're going to come to in a second. Once you turn the system off, that data is gone, so you have to take steps to preserve that data in any way that you can.

00:06:05.860 --> 00:06:26.020
A lot of times that's going to be capturing the information from running processes, network connections, packets and all that kind of stuff, using scripts and tools to dump that into a text file.

00:06:26.020 --> 00:07:15.700
Then we look at memory. That's going to be our routing tables, our ARP caches, process tables, kernel statistics and then your actual RAM. Then temporary file systems. Then our physical disks, so that's going to be the data on the disk. Relevant remote logging and other types of monitoring data; that's going to stick around for a little while too. Then our physical configurations and our network topology; that's going to be things that are plugged in. And then, last but not least, our archival media. Archival media is going to be our least volatile type of data, because that data is kept on backup tapes or other types of archival mediums that are just not going to change unless they get physically erased.

00:07:15.700 --> 00:07:26.660
So if we talk about our non-volatile data classifications, they are going to be categorized into three basic types, which are going to be active data, archival and backup data, and then hidden data.

00:07:26.660 --> 00:08:13.420
Hidden data can then be further divided into three basic types: metadata, residual data and then replicant data. So let's talk about active data first. Active data includes files, applications, settings, just about anything you can think of when you're using a computer. Archival and backup data can be an identical copy of an entire disk, a selected subset of that disk, or a differential subset of stored data, and it's going to utilize storage solutions like flash drives, external hard drives, SANs or storage area networks, and then CDs and DVDs. Those can all be considered archival media.

00:08:13.420 --> 00:08:56.720
Hidden data. This is data that is not easily readable, or not readily accessible to a user, and it can require certain tools to access; that leaves a really broad category. During your analysis, hidden data will be essential to examine, especially if there is a chance that the device owners could have attempted to conceal their activities. The next type of hidden data is going to be metadata. Metadata we can define as data about data. Metadata will provide context and additional information about files and also about the data itself.

00:08:56.720 --> 00:09:40.300
Metadata can be considered one of the most valuable pieces of evidence, as it can include a lot of information about a file, such as the username of the file creator and the time that it was last accessed or modified. Metadata, particularly our timestamp data, can be essential for building an accurate timeline of events on the device that you are analyzing. So here is an abbreviated list of the types of metadata worth looking at: file attributes, file locations, file accesses, and then timestamps.

00:09:40.300 --> 00:10:19.340
Residual data is going to be considered the data that has been deleted but is still on the disk. We can also call that unallocated data. Many users don't realize that file deletion can be a multi-step process, and as a result, files may be easily recovered from the recycle bin or the trash. When a user empties the trash, the operating system marks the file location as available to be overwritten, but this data might still be recoverable even once it is no longer available or visible to the user.

00:10:19.340 --> 00:11:00.360
So the data doesn't actually go away until it has been physically overwritten. Recovery of the deleted data relies on the physical file location not being overwritten by new data or purged by the garbage collection process, which can be controlled by the operating system or by the hard disk itself. If the data has not been overwritten, then it is not that hard to retrieve, and most forensic tools are capable of detecting and retrieving deleted data.

00:11:00.360 --> 00:11:51.140
So, we can do one quick case study about residual data and metadata, and that is going to be the case of the BTK killer, otherwise known as Dennis Rader. Dennis Rader murdered 10 people within a span of 17 years. Regular investigations led police and other investigators nowhere. However, Rader sent the police a copy of a disk, and that disk had a deleted file on it that was able to be recovered. The analysis of that file revealed metadata in a document that gave us the name of Rader's church, along with Dennis as the last modifier. So if you don't know about that case, read up on it, but that little bit of metadata solved the case and led to Dennis Rader being arrested.

00:11:51.140 --> 00:12:00.960
Replicant data. This type of data is generated when a program creates a temporary copy of an opened or accessed file.

00:12:00.960 --> 00:12:26.640
This is used as a backup to avoid data loss in case an error occurs and the file is forced to close without saving the changes. Replicant data can support the construction of an event timeline or potentially provide insight into former states of modified or deleted files. Additionally, these files may be retrievable even if the original file was deleted.

00:12:26.640 --> 00:13:14.900
One great example of replicant data is when you print a document in Windows. Whenever you print a document in Windows, it actually renders out that document and places that rendered document into a folder. When Windows sees a file get dropped in that folder, it then knows to send that file to the printer. You can recover that file in most cases if you need to, and not only does that provide proof that the file was printed, it can also help you build a timeline as to who the logged-in user was and what time that file was printed.

00:13:14.900 --> 00:14:21.300
So one thing to think about is that the presence of information on a computer is not necessarily proof or hard evidence that a person, a human being, was the one who was physically present when the crime occurred. A good little case on that is from about 2007, when a person was convicted of possession of child pornography, a very, very serious crime. This went through multiple hearings, and then on appeal the person convicted insisted that he had accessed the source website accidentally and closed it as soon as he realized what it had contained. The image files used to prove possession were stored in the temporary internet files folder on the computer. Expert witness testimony explained that files in that folder particularly get generated automatically by the web browser, and so that aligned with the suspect's claim; without any other evidence of possession, his conviction was overturned.