WEBVTT

00:00:09.220 --> 00:00:14.080
So let's talk about the first phase in a digital forensics investigation

00:00:14.080 --> 00:00:17.880
and that is going to be the identification phase.

00:00:17.880 --> 00:00:25.460
This phase is going to focus on defining the different components that

00:00:25.460 --> 00:00:27.860
are going to be inside of the investigation.

00:00:27.860 --> 00:00:33.380
That's going to include establishing the authority that we need to conduct

00:00:33.380 --> 00:00:37.380
this investigation based on the type of case that it is.

00:00:37.380 --> 00:00:41.140
We're going to define the scope and who all that impacts.

00:00:41.140 --> 00:00:48.000
We're going to identify potential sources of relevant evidence and we're

00:00:48.000 --> 00:00:52.180
going to coordinate access with all the different custodians of evidence

00:00:52.180 --> 00:00:56.680
sources. Now don't get too confused with the word that I used, custodian.

00:00:56.680 --> 00:01:01.680
We're going to use custodian sometimes interchangeably with the word suspect

00:01:01.680 --> 00:01:04.280
or even the word user.

00:01:04.280 --> 00:01:08.500
I can define the word custodian for you as the person that is currently

00:01:08.500 --> 00:01:14.820
in possession of or is responsible for maintaining that data or that device.

00:01:14.820 --> 00:01:16.500
That's all a custodian is.

00:01:16.500 --> 00:01:21.720
What you're going to see is the word custodian is used in the large majority

00:01:21.720 --> 00:01:25.700
of civil matters.

00:01:25.700 --> 00:01:27.660
The first thing you're going to have to do is you're going to have to

00:01:27.660 --> 00:01:30.260
establish the authority for the case.

00:01:30.260 --> 00:01:34.040
We don't just get to say, hey, we're ready to go and ready to collect

00:01:34.040 --> 00:01:36.560
devices and we're going to start collecting devices.

00:01:36.560 --> 00:01:40.520
We have to get permission and you're going to have to think about who

00:01:40.520 --> 00:01:43.140
and how that permission comes to you.

00:01:43.140 --> 00:01:46.700
Typically that permission is going to come to you through a general counsel

00:01:46.700 --> 00:01:58.440
or somebody by policies and procedures that your customer or your company

00:01:58.440 --> 00:02:04.780
has in place. What that's going to do is it's going to talk about governance

00:02:04.780 --> 00:02:09.900
and ownership. Ownership would be the individuals or companies that can

00:02:09.900 --> 00:02:16.020
provide the authority to analyze devices they own.

00:02:16.020 --> 00:02:21.620
Governance is defined as judiciaries that can provide the authority to

00:02:21.620 --> 00:02:27.160
analyze devices owned by resident individuals or companies.

00:02:27.160 --> 00:02:31.100
One thing in here, we mentioned the United States jurisdiction.

00:02:31.100 --> 00:02:35.260
If you're outside of the United States jurisdiction, you need to make

00:02:35.260 --> 00:02:40.120
sure that these definitions and these people providing the authority to

00:02:40.120 --> 00:02:45.120
conduct an investigation are the same because they do differ greatly based

00:02:45.120 --> 00:02:48.380
on the country that you're in.

00:02:48.380 --> 00:02:55.240
You'll also need to define the scope of the investigation and you're going

00:02:55.240 --> 00:02:58.660
to collaborate with this authorizing party to do that.

00:02:58.660 --> 00:03:03.500
What you're going to be looking at are particularly individual devices,

00:03:03.500 --> 00:03:10.860
maybe some users across every device or all devices in a location or then

00:03:10.860 --> 00:03:15.960
only a subset or particular devices in that location or devices that maybe

00:03:15.960 --> 00:03:20.480
match some type of activity on the network.

00:03:20.480 --> 00:03:25.200
Once all that is done and all that is identified, you're going to get

00:03:25.200 --> 00:03:31.340
that in writing and it's going to be approved by all of the parties.

00:03:31.340 --> 00:03:35.720
And then one thing to consider is once it's in writing, breach of scope

00:03:35.720 --> 00:03:39.120
is definitely not an ideal way to close the case.

00:03:39.120 --> 00:03:44.040
So you want to stick, breach of scope is not an ideal way to close the

00:03:44.040 --> 00:03:48.640
case. So you want to make sure that you stick to that scope of work that

00:03:48.640 --> 00:03:50.060
you've agreed upon.

00:03:50.060 --> 00:03:54.420
And you also, if you breach that scope, you may conduct some type of serious

00:03:54.420 --> 00:03:58.640
ethical breach or you just might not get compensated for that work that

00:03:58.640 --> 00:04:00.740
you did that was not approved.

00:04:00.740 --> 00:04:04.500
So it's really incredibly important to make sure that everybody understands

00:04:04.500 --> 00:04:07.500
and agrees to the scope.

00:04:07.500 --> 00:04:12.100
So once all that is done, you're under contract.

00:04:12.100 --> 00:04:17.140
So once you're under contract, you're ready to begin your investigation.

00:04:17.140 --> 00:04:22.280
What you really need to think about as you're getting started is where

00:04:22.280 --> 00:04:26.940
is the physical location that these devices are and where are they going

00:04:26.940 --> 00:04:32.020
to be acquired? Are you going to take custody of them and take them back

00:04:32.020 --> 00:04:34.260
to a lab and acquire them?

00:04:34.260 --> 00:04:37.740
Or are you going to be going around to individual users' desks or cubicles

00:04:37.740 --> 00:04:41.040
and running tools to do the acquisition?

00:04:41.040 --> 00:04:45.180
Either way, you also have to make sure that everyone is aware of your

00:04:45.180 --> 00:04:48.380
timelines to do these acquisitions.

00:04:48.380 --> 00:04:53.440
And then, of course, you need to clearly identify confidentiality and

00:04:53.440 --> 00:04:55.340
communication restrictions.

00:04:55.340 --> 00:04:58.860
One really, really important thing that you do under the collection phase,

00:04:58.860 --> 00:05:02.820
especially if you're running around a company that's full of people, is

00:05:02.820 --> 00:05:04.200
you don't talk to them.

00:05:04.200 --> 00:05:09.700
You only talk to the people that you have been authorized to talk to relevant

00:05:09.700 --> 00:05:14.940
to the case. Now, it is okay to be cordial and nice and tell them, hey,

00:05:14.940 --> 00:05:19.280
Mr. User, I have to do something on your computer right now.

00:05:19.280 --> 00:05:22.660
You won't be able to access it for about the next four or five hours.

00:05:22.660 --> 00:05:26.060
And typically, unless it's some type of criminal case, that is going to

00:05:26.060 --> 00:05:27.920
be communicated ahead of time.

00:05:27.920 --> 00:05:30.100
So you're going to show up and they're just going to get up and walk away

00:05:30.100 --> 00:05:30.980
from their desk.

00:05:30.980 --> 00:05:32.600
And then you can do your collection.

00:05:32.600 --> 00:05:34.900
And then it all just works out.

00:05:34.900 --> 00:05:39.740
Okay. So we're now under contract.

00:05:39.740 --> 00:05:42.060
We've got our agreements in place.

00:05:42.060 --> 00:05:44.500
We know what we're going to acquire.

00:05:44.500 --> 00:05:48.940
Now we've got to start with our scavenger hunt.

00:05:48.940 --> 00:05:52.580
And what that means is it's time to start taking inventory of the relevant

00:05:52.580 --> 00:05:58.040
devices. And when you're acquiring these devices and taking them into possession,

00:05:58.040 --> 00:06:03.400
you're going to want to start using a basic chain of custody form.

00:06:03.400 --> 00:06:08.160
And while a chain of custody is really only relevant for cases that go

00:06:08.160 --> 00:06:11.840
to court, applying the same process to all these cases, starting with

00:06:11.840 --> 00:06:16.860
chain of custody, is going to help you with your device organization and

00:06:16.860 --> 00:06:18.300
your case integrity.

00:06:18.300 --> 00:06:23.220
What I'm saying by that is every device you collect and analyze gets a

00:06:23.220 --> 00:06:24.500
chain of custody.

00:06:24.500 --> 00:06:28.520
Every tablet, every phone, every computer, every laptop, every network

00:06:28.520 --> 00:06:34.380
device, every single device should have this form or something like this

00:06:34.380 --> 00:06:41.700
form filled out completely.

00:06:41.700 --> 00:06:46.960
Okay. So now let's start thinking about when we go behind locked doors.

00:06:46.960 --> 00:06:50.800
We need to talk about the access that we're going to have.

00:06:50.800 --> 00:06:55.540
Are the in-scope devices secured in areas I can't reach?

00:06:55.540 --> 00:06:58.220
Who am I going to have to coordinate with?

00:06:58.220 --> 00:07:03.880
And are we clear on the authorization that I have and that they have to

00:07:03.880 --> 00:07:08.780
allow me access to that device? And you're going to do that by working

00:07:08.780 --> 00:07:10.660
with a legal team.

00:07:10.660 --> 00:07:14.540
And if this investigation is court-sanctioned, the lawyers are

00:07:14.540 --> 00:07:20.340
typically always going to arrange this for you and they're going to get

00:07:20.340 --> 00:07:23.840
you access or they're going to help you work with law enforcement if needed

00:07:23.840 --> 00:07:27.680
when the device needs to be seized for that type of a case.

00:07:27.680 --> 00:07:33.080
But otherwise, always schedule and be conscientious of production and

00:07:33.080 --> 00:07:38.000
people's work schedules, especially if it's a private or internal investigation.

00:07:38.000 --> 00:07:40.280
You're going to have to work with people.

00:07:40.280 --> 00:07:43.940
And again, that's really more of a concept of working with the managers,

00:07:43.940 --> 00:07:49.540
working with the authorizing persons, and then they will communicate expectations

00:07:49.540 --> 00:07:57.780
down to that person acting.

00:07:57.780 --> 00:08:00.880
And then of course, clearly communicate.

00:08:00.880 --> 00:08:05.320
Whenever you're performing acquisitions on site, clear communication on

00:08:05.320 --> 00:08:08.160
how long they will take.

00:08:08.160 --> 00:08:12.220
So no one is surprised, and let them know if there's going to be any delays.