WEBVTT

00:00:09.580 --> 00:00:18.040
Okay, so let's start moving into our acquisition methodologies and let's

00:00:18.040 --> 00:00:22.900
start thinking about the types of acquisitions we're going to do.

00:00:22.900 --> 00:00:26.680
So there's basically two ways to tango on this.

00:00:26.680 --> 00:00:31.320
We got two different types of styles for data acquisition and that's going

00:00:31.320 --> 00:00:42.040
to be a dynamic or live disk acquisition or a static slash dead disk acquisition.

00:00:42.040 --> 00:00:46.980
So dynamic acquisition refers to any type of forensic imaging we do when

00:00:46.980 --> 00:00:49.660
the source device is powered on.

00:00:49.660 --> 00:00:53.460
For computers that means we're going to utilize internal storage such

00:00:53.460 --> 00:00:58.520
as hard drives that are of damage or corruption.

00:00:58.520 --> 00:01:02.240
And what we're seeing more and more are these integrated laptops

00:01:02.240 --> 00:01:06.800
with NAND devices, or we see these things with maybe even a MacBook.

00:01:06.800 --> 00:01:12.940
What we're finding is that you can only disassemble a MacBook so far and

00:01:12.940 --> 00:01:16.300
you're not going to be able to get to the hard disk connections or even

00:01:16.300 --> 00:01:19.480
be able to pull the hard disk out very much anymore without actually doing

00:01:19.480 --> 00:01:24.560
something that's destructive to the MacBook's future functionality itself.

00:01:24.560 --> 00:01:28.260
So that means you could be doing a dynamic acquisition.

00:01:28.260 --> 00:01:32.820
Dynamic acquisitions also cover our volatile data such as network connections,

00:01:32.820 --> 00:01:37.740
memory, cache, and we're keeping that stuff intact.

00:01:37.740 --> 00:01:40.880
If our volatile data is likely to be relevant to the case, the dynamic

00:01:40.880 --> 00:01:44.560
acquisition could and should be performed.
00:01:44.560 --> 00:01:47.960
It may not always be the right path forward though.

00:01:47.960 --> 00:01:52.800
A dynamic acquisition can cause damage to the data on the device.

00:01:52.800 --> 00:01:57.000
So the choice should always be carefully considered and you need to document

00:01:57.000 --> 00:02:01.920
every step of the way if you choose to proceed with a dynamic acquisition.

00:02:01.920 --> 00:02:05.020
So let's move over to the other side and talk about static acquisitions

00:02:05.020 --> 00:02:07.160
or dead disk acquisitions.

00:02:07.160 --> 00:02:10.820
Those are going to occur when the power is off.

00:02:10.820 --> 00:02:15.420
For a computer that means it's going to be internal storage again

00:02:15.420 --> 00:02:20.120
such as a hard disk that could be removed without damaging anything.

00:02:20.120 --> 00:02:26.540
This is going to ensure that the data doesn't change and it's not going

00:02:26.540 --> 00:02:29.340
to impact the creation of an image.

00:02:29.340 --> 00:02:35.180
A static or a dead disk acquisition is going to ensure that data is not

00:02:35.180 --> 00:02:38.880
going to change from that disk because it's off, right?

00:02:38.880 --> 00:02:42.240
A dynamic or a live disk acquisition is going to make some assumptions.

00:02:42.240 --> 00:02:46.260
A dynamic or a live disk acquisition is going to make

00:02:46.260 --> 00:02:52.920
some assumptions that the data itself will change as you're taking the

00:02:52.920 --> 00:02:54.700
image sometimes.

00:02:54.700 --> 00:02:58.460
So you have to make a very careful consideration about that.

00:02:58.460 --> 00:03:04.740
Something that I like to consider here is: do you do a dynamic acquisition,

00:03:04.740 --> 00:03:08.960
or do you do a static acquisition, or do you do both?
00:03:08.960 --> 00:03:14.860
In the world of incident response, in the world of trying to see what

00:03:14.860 --> 00:03:19.380
was the user doing, the moment you turn a computer off, a lot of important

00:03:19.380 --> 00:03:21.100
information goes away.

00:03:21.100 --> 00:03:22.640
What was in the memory?

00:03:22.640 --> 00:03:24.380
What applications were open?

00:03:24.380 --> 00:03:30.040
What processes were running and what network connections were in place?

00:03:30.040 --> 00:03:32.760
If you look at the memory, there's so many different things you can see

00:03:32.760 --> 00:03:39.180
from that, like current user logins; you can actually carve out TCP/IP

00:03:39.180 --> 00:03:44.760
packets from the memory itself and you can see everything going on.

00:03:44.760 --> 00:03:49.480
So in a lot of cases, I will always make the decision that I'm going to

00:03:49.480 --> 00:03:54.460
do a dynamic or a static acquisition if the computer is on already and

00:03:54.460 --> 00:03:55.960
if it's logged in.

00:03:55.960 --> 00:04:00.440
Another good case for doing a dynamic acquisition is if you think that

00:04:00.440 --> 00:04:05.440
there's encryption going on, because when it's logged in, you will be able

00:04:05.440 --> 00:04:11.740
to do a certain type of disk image of the and you'll get a copy of all

00:04:11.740 --> 00:04:12.760
that decrypted data.

00:04:12.760 --> 00:04:17.400
Once you log that user off or once you turn off the system, that data

00:04:17.400 --> 00:04:21.300
may be encrypted and you'll never get to see it again.

00:04:21.300 --> 00:04:23.360
It's a huge possibility.

00:04:23.360 --> 00:04:28.980
Regardless, after you acquire the relevant volatile data, go ahead and

00:04:28.980 --> 00:04:31.620
do a graceful shutdown or a pull-the-plug shutdown.
00:04:31.620 --> 00:04:34.760
It's going to be your choice on that one and you should just follow your

00:04:34.760 --> 00:04:36.340
known best practices.

00:04:36.340 --> 00:04:43.460
Okay, so remember when I said that you might be able to only get one chance

00:04:43.460 --> 00:04:48.820
at imaging the encrypted data, what you're going to be performing there

00:04:48.820 --> 00:04:52.140
is a logical acquisition.

00:04:52.140 --> 00:04:56.600
So let's talk about the differences between physical acquisitions and

00:04:56.600 --> 00:04:58.680
logical acquisitions.

00:04:58.680 --> 00:05:03.260
A physical acquisition is going to create an image of the entire source

00:05:03.260 --> 00:05:09.580
device, such as it doesn't care about the C drive or the D drive or an

00:05:09.580 --> 00:05:13.740
E drive. It doesn't care about what files have been deleted and what files

00:05:13.740 --> 00:05:15.540
are allocated or unallocated.

00:05:15.540 --> 00:05:18.880
It's essentially going to take a copy of all the ones and zeros on that

00:05:18.880 --> 00:05:22.980
hard disk from the very first sector to the very last sector.

00:05:22.980 --> 00:05:28.160
And then it's going to put that in an image file for your analysis software

00:05:28.160 --> 00:05:36.540
to have a look at.

00:05:36.540 --> 00:05:41.220
The way the operating system sees your hard disk.

00:05:41.220 --> 00:05:47.500
So everything you can see on a C drive or a D drive or an E drive or even

00:05:47.500 --> 00:05:51.780
on a thumb drive that's mounted as an image, that's all that you're going

00:05:51.780 --> 00:05:56.820
to acquire. So if you browse through Windows Explorer or do an ls in Linux,

00:05:56.820 --> 00:06:00.500
when you do a logical acquisition, those are the things that you're going

00:06:00.500 --> 00:06:04.260
to see. What you're not going to see are files that have been deleted.
00:06:04.260 --> 00:06:08.820
You may not see files that are protected or are reprotected.

00:06:08.820 --> 00:06:14.200
You may not see files that you don't have permission to access or files

00:06:14.200 --> 00:06:18.600
that have been unallocated and are waiting for a garbage cleanup process.

00:06:18.600 --> 00:06:22.340
So a logical is not going to see those, but a physical will.

00:06:22.340 --> 00:06:30.060
Keep in mind that with some devices, the only rational decision could

00:06:30.060 --> 00:06:34.540
be to perform a logical acquisition with the modern tools.

00:06:34.540 --> 00:06:39.780
Even though physical is preferred, sometimes we just have to do a logical.

00:06:39.780 --> 00:06:44.300
And remember that you're trying to make the best decision possible given

00:06:44.300 --> 00:06:45.560
the circumstance.

00:06:45.560 --> 00:06:51.180
So there is no overarching "you should always do a physical" or "you should

00:06:51.180 --> 00:06:52.760
always do a logical."

00:06:52.760 --> 00:06:57.340
Just like dynamic versus static, sometimes if the system's logged in and

00:06:57.340 --> 00:07:00.500
you're right there, the best answer is: why not both?