WEBVTT

0:00:08.820000 --> 0:00:14.640000
So let's now move on to Phase 2, or Preservation.

0:00:14.640000 --> 0:00:19.920000
When we look at the Preservation process, we're talking about protecting

0:00:19.920000 --> 0:00:24.400000
relevant data sources against changes, and then we're going to acquire

0:00:24.400000 --> 0:00:29.720000
those forensic images of the data sources, and then we're going to document

0:00:29.720000 --> 0:00:34.820000
whatever relevant information about the data source, and then how that

0:00:34.820000 --> 0:00:38.680000
was acquired. And in this document, we're given all the details.

0:00:38.680000 --> 0:00:42.960000
And if you want to think back, what do you think that document is?

0:00:42.960000 --> 0:00:44.680000
That's right, I hope you've said it.

0:00:44.680000 --> 0:00:46.600000
It's going to be your chain of custody form.

0:00:46.600000 --> 0:00:49.120000
It's an all-in-one document.

0:00:49.120000 --> 0:00:54.220000
Okay, so when you think about where you're going to store this evidence,

0:00:54.220000 --> 0:00:57.620000
you need to really, really think about how you're going to use it in the

0:00:57.620000 --> 0:01:02.220000
future, how somebody is going to analyze those images.

0:01:02.220000 --> 0:01:04.960000
What you need to think about is, are you going to put them on external

0:01:04.960000 --> 0:01:09.880000
hard drives? That's really the most common way that digital forensic images

0:01:09.880000 --> 0:01:14.260000
are stored. And then you might think about putting them up on a storage

0:01:14.260000 --> 0:01:18.000000
area network, or you could even put them up in cloud storage.

0:01:18.000000 --> 0:01:21.820000
That's very, very common in incident response, or it could even be really

0:01:21.820000 --> 0:01:24.560000
common when we do what we call a self-collection.

0:01:24.560000 --> 0:01:28.940000
That's when we would guide somebody doing a forensic collection remotely.
0:01:28.940000 --> 0:01:32.320000
And then instead of them FedExing or UPSing it to you, they just shoot

0:01:32.320000 --> 0:01:36.180000
it up into a cloud location that you've already secured for them, and

0:01:36.180000 --> 0:01:38.320000
then you can pull it down from there.

0:01:38.320000 --> 0:01:44.340000
Another thing that you're going to need to think about when you pull, another

0:01:44.340000 --> 0:01:47.500000
thing that you're going to have to think about when you are preserving

0:01:47.500000 --> 0:01:49.200000
this device, is: can it communicate?

0:01:49.200000 --> 0:01:53.180000
So you need to take special care with that device because it might have

0:01:53.180000 --> 0:01:55.740000
some wireless connectivity when powered on.

0:01:55.740000 --> 0:01:59.080000
And as a wireless connection that could allow changes to the device, it

0:01:59.080000 --> 0:02:03.760000
could even allow somebody to remotely access that device and do something

0:02:03.760000 --> 0:02:05.600000
that you don't want to happen.

0:02:05.600000 --> 0:02:10.200000
This could include devices with SIM cards and cellular plans as well as

0:02:10.200000 --> 0:02:12.560000
devices with wireless capabilities.

0:02:12.560000 --> 0:02:16.920000
And always, always keep in mind that most of our devices these days are

0:02:16.920000 --> 0:02:24.020000
designed and configured to automatically connect with a wireless network.

0:02:24.020000 --> 0:02:28.720000
So, not talking about acquisition for a second.

0:02:28.720000 --> 0:02:30.920000
Let's talk about documentation.

0:02:30.920000 --> 0:02:35.900000
I want you to take about five to ten seconds and think about all the things

0:02:35.900000 --> 0:02:49.540000
you think should be included in your documentation about a digital device.

0:02:49.540000 --> 0:02:52.940000
Okay, so I hope you thought about it for a little bit, and we're going

0:02:52.940000 --> 0:02:54.840000
to go over some real detailed ones.
0:02:54.840000 --> 0:02:59.740000
Here is a list, a non-exhaustive and non-exclusive list, of the things

0:02:59.740000 --> 0:03:05.480000
you should document when you're doing your chain of custody.

0:03:05.480000 --> 0:03:11.620000
Manufacturers, makes, models, all serial numbers, all the dates and

0:03:11.620000 --> 0:03:14.780000
times that you're aware of that you see on that device.

0:03:14.780000 --> 0:03:18.500000
What is the storage capacity of the device?

0:03:18.500000 --> 0:03:22.800000
Document the hash values from your verifications.

0:03:22.800000 --> 0:03:27.940000
What software and hardware did you use to perform an acquisition, or is

0:03:27.940000 --> 0:03:33.800000
it running? And then the custodian's or owner's or user's name.

0:03:33.800000 --> 0:03:36.280000
And then what is the contact information?

0:03:36.280000 --> 0:03:40.960000
Any type of physical descriptions or content descriptions, up and down

0:03:40.960000 --> 0:03:46.560000
to, even if you see like a unique ID number that the custodian has put

0:03:46.560000 --> 0:03:50.320000
on there or written on there in Sharpie, anything that uniquely identifies

0:03:50.320000 --> 0:03:54.460000
that device or that you can use to correlate it to something else, make

0:03:54.460000 --> 0:03:57.740000
sure you document that in the chain of custody.

0:03:57.740000 --> 0:04:02.940000
And then any type of relevant case numbers or other types of case-identifying

0:04:02.940000 --> 0:04:05.460000
or evidence-identifying tags.

0:04:05.460000 --> 0:04:08.940000
And remember, your documentation is always going to be the single most

0:04:08.940000 --> 0:04:13.760000
important part of any investigation, from the very first moment your investigation

0:04:13.760000 --> 0:04:19.520000
starts. So it is very important to carefully document everything you see

0:04:19.520000 --> 0:04:22.420000
about the data sources that you're acquiring.

0:04:22.420000 --> 0:04:28.500000
Alright, what is forensic acquisition?
0:04:28.500000 --> 0:04:30.740000
Take a second, think about that one too.

0:04:30.740000 --> 0:04:36.760000
What do you think forensic acquisition is?

0:04:36.760000 --> 0:04:43.340000
Okay, forensic acquisition is going to be the process of creating an exact

0:04:43.340000 --> 0:04:46.900000
copy of that evidence.

0:04:46.900000 --> 0:04:51.400000
Think about it as if you're running it through a digital copy machine.

0:04:51.400000 --> 0:04:55.080000
You want to preserve everything, including the deleted data.

0:04:55.080000 --> 0:05:02.600000
Think of it like running.

0:05:02.600000 --> 0:05:06.080000
Think of it like running the device through a copy machine.

0:05:06.080000 --> 0:05:08.980000
You want to get all the text, all the pictures, all the errors and mistakes

0:05:08.980000 --> 0:05:10.540000
you see on that piece of paper.

0:05:10.540000 --> 0:05:15.680000
Same thing with forensic acquisitions.

0:05:15.680000 --> 0:05:19.240000
So why do we always acquire?

0:05:19.240000 --> 0:05:25.240000
It's because we almost never perform analysis on the evidentiary device.

0:05:25.240000 --> 0:05:26.140000
And when we do do that, we do have a lot of information about the evidence.

0:05:26.140000 --> 0:05:30.360000
If we do that, it's usually, typically, in an incident response situation,

0:05:30.360000 --> 0:05:34.960000
and we are still collecting evidence; we're just using live scripts and

0:05:34.960000 --> 0:05:38.500000
we're grabbing memory and stuff like that, using the operating system to

0:05:38.500000 --> 0:05:44.240000
do that for us. And we still may take an actual forensic image of the

0:05:44.240000 --> 0:05:46.000000
device after that.

0:05:46.000000 --> 0:05:52.800000
So ideally, and again, remember your job here is to protect the evidence

0:05:52.800000 --> 0:05:57.980000
at all times, and your job is to protect that original evidence that you

0:05:57.980000 --> 0:06:02.600000
took. So ideally, you will never be performing forensic analysis against

0:06:02.600000 --> 0:06:04.420000
the initial image.

0:06:04.420000 --> 0:06:10.960000
That image is your verified evidence against the source.

0:06:10.960000 --> 0:06:14.960000
And from there, you want to make copies of that verified image.

0:06:14.960000 --> 0:06:18.680000
And then you want to keep that original image on that original disk

0:06:18.680000 --> 0:06:23.480000
you acquired it to, in a safe or in a secure evidence storage.

0:06:23.480000 --> 0:06:27.240000
And then again, you're keeping up with your chain of custody every time

0:06:27.240000 --> 0:06:30.680000
that's accessed or taken out or put back in.

0:06:30.680000 --> 0:06:34.400000
And if you do get some data corruption on your analysis or your working

0:06:34.400000 --> 0:06:38.780000
copy, you can always go back to the original copy and then copy it again.

0:06:38.780000 --> 0:06:44.860000
Remember, always take the time to copy that original evidence over to

0:06:44.860000 --> 0:06:47.200000
another working evidence device.

0:06:47.200000 --> 0:06:51.840000
It's worth the time in digital forensics to slow down and do everything