WEBVTT

00:07.280 --> 00:13.040
Oftentimes, you may be called upon as a cybersecurity expert to perform forensic investigations.

00:13.040 --> 00:18.470
These are the required standardized processes and procedures to ensure integrity within the rule of law.

00:18.500 --> 00:26.120
The rule of law dictates how we seize, acquire, analyze, and report any digital evidence within our

00:26.120 --> 00:26.840
confines.

00:26.840 --> 00:32.030
That means that you may be called to go to a crime scene and investigate different problems associated

00:32.030 --> 00:33.170
with digital evidence.

00:33.170 --> 00:37.790
The primary aim of seizure is to maintain the integrity of evidence by preventing any alterations from

00:37.790 --> 00:40.520
both the perpetrator and the investigator.

00:40.520 --> 00:42.590
We're not there to prove guilt or innocence.

00:42.590 --> 00:47.570
We're there to identify specific digital evidence and analyze the evidence accordingly.

00:47.570 --> 00:51.050
To do that, we need to seal off the investigative area.

00:51.050 --> 00:53.210
We're going to put up crime tape if need be.

00:53.240 --> 00:55.040
We're going to document everything.

00:55.040 --> 01:00.140
We're going to take pictures of the screens on the computers and the electronic devices, and how the cables

01:00.140 --> 01:04.460
are connected to the laptop or desktop computer or any other electronic device.

01:04.460 --> 01:05.990
Where are they getting power from?

01:05.990 --> 01:08.540
Does it make sense that they're getting power from a USB?

01:08.570 --> 01:10.460
Or maybe the wall outlet itself?

01:10.460 --> 01:16.970
We're going to take pictures of digital media that may be external USB devices, CDs, Blu-rays, or external hard

01:16.970 --> 01:17.540
drives.

01:17.570 --> 01:22.250
We're going to document everything, and we're not going to let anybody turn off the computer screen.

01:22.250 --> 01:27.260
We're going to go through and thoroughly document the manufacturers, the model numbers, the serial

01:27.260 --> 01:27.890
numbers.

01:27.890 --> 01:31.940
All of that needs to be properly documented, photographed and sealed.

01:31.940 --> 01:36.170
Before we go through with the process, we need to identify volatile memory.

01:36.200 --> 01:40.820
We're going to use specialized equipment to hook into that computer and grab that volatile memory.

01:40.820 --> 01:42.740
And then the non-volatile memory.

01:42.770 --> 01:45.230
We're going to tag and label everything.

01:45.230 --> 01:48.830
We're going to inventory it, and then we're going to bag it up and seal it.

01:48.830 --> 01:54.350
When we go through the seizure process, we really need to be very, very OCD about everything that

01:54.350 --> 01:58.490
we grab so that we can properly investigate it within the rule of law.

01:58.490 --> 02:03.960
We're going to maintain the aspect of that digital evidence and make sure that it's not left in a car

02:03.960 --> 02:05.610
in the middle of a Phoenix summer.

02:05.610 --> 02:07.830
We need to avoid extreme temperatures.

02:07.830 --> 02:09.600
We need to avoid rainfall.

02:09.600 --> 02:14.220
We need to make sure that the digital devices don't get too cold or too hot.

02:14.250 --> 02:18.300
We need to make sure that everything is as we had it when we first arrived.

02:18.300 --> 02:25.080
That means a very temperature-neutral environment in which it is sealed, documented, and ready to be

02:25.110 --> 02:25.950
analyzed.

02:26.070 --> 02:31.860
Preserving the integrity of the original evidence is critical throughout the entire process of the analysis

02:31.860 --> 02:33.450
of our digital media.

02:33.450 --> 02:39.450
That means that we need to prepare a destination drive to take all the data from the original.

02:39.450 --> 02:45.810
We're not going to investigate the original data drives or the original digital format that we grabbed

02:45.810 --> 02:46.590
or seized.

02:46.590 --> 02:48.240
That would be irresponsible.

02:48.240 --> 02:54.480
Instead, we're going to do a bit for bit copy with fixed pattern over to the new medium, which we're

02:54.480 --> 02:56.910
going to then utilize for investigation.

02:56.910 --> 03:02.420
We're going to do a hash and make sure that it matches bit for bit between the existing media and the

03:02.420 --> 03:04.070
new media that we put it on.

03:04.070 --> 03:07.640
We're going to prevent changes to the original using a write blocker.

03:07.640 --> 03:12.650
We're going to make sure that even though we're logging in to the old hard drive, we're not providing

03:12.650 --> 03:18.170
any information over to that real original drive to change the format in any way, shape or form. We're

03:18.170 --> 03:22.430
going to hash the original evidence, and then we're going to match that hash to the new evidence.

03:22.430 --> 03:26.180
When we copy over the evidence, it's going to be on a bit for bit format.

03:26.180 --> 03:31.790
Every little zero and one going from that original drive is going to go over to our new drive, and

03:31.790 --> 03:37.340
we're going to verify the acquisition of that evidence by matching those two hashes to ensure that everything

03:37.340 --> 03:43.220
is identical to the original, which allows for analysis of the original drive with confidence.

03:43.250 --> 03:48.590
The analysis is the interpretation of the extracted data to determine its relevance to the case.

03:48.590 --> 03:54.020
While the tools and commands for analysis may vary based on the operating or the file systems involved,

03:54.020 --> 03:57.110
the core issues remain the same.

03:57.110 --> 04:02.800
We need to identify the date and time of every documented log or evidence on that original drive.

04:02.830 --> 04:09.250
Many times, crimes are perpetrated in a specific time frame. By identifying the exact date and time

04:09.280 --> 04:14.110
stamps of all the evidence that was called into question, we can accurately define whether or not

04:14.110 --> 04:18.850
that data was relevant and on the drive at the time of the crime committed.

04:18.850 --> 04:20.770
We're going to verify the time zone.

04:20.770 --> 04:26.410
If I'm on the East Coast, and the time zone of my evidence is in Western time or Pacific time, there

04:26.440 --> 04:27.040
is a problem.

04:27.040 --> 04:30.130
We need to be able to extrapolate and identify that.

04:30.130 --> 04:33.820
11 a.m. Pacific time is 2 p.m. Eastern time.

04:33.820 --> 04:36.430
Where did the source of the data come from?

04:36.430 --> 04:37.960
Did it come from a thumb drive?

04:37.990 --> 04:40.660
Did the thumb drive get accurately documented?

04:40.660 --> 04:44.410
Are we talking about a thumb drive number one or thumb drive number ten?

04:44.410 --> 04:46.570
What's the serial number of the thumb drive?

04:46.570 --> 04:51.430
All that source information needs to be documented within the context of our investigation.

04:51.430 --> 04:53.380
We need to name all the items.

04:53.380 --> 04:57.520
If you have ten different thumb drives, a nomenclature model might be the best.

04:57.520 --> 05:02.210
But if we're going to number it one through ten, we also need to document the serial number, the

05:02.240 --> 05:07.460
make and model of the thumb drive, and any identifying factors that that thumb drive may have, both

05:07.460 --> 05:09.260
physically and digitally.

05:09.290 --> 05:11.690
We need to identify the item location.

05:11.690 --> 05:14.600
Where did we find the thumb drive when we picked it up?

05:14.600 --> 05:19.100
Was it inside the computer logged in already or was it in a desk drawer off to the side?

05:19.100 --> 05:21.110
Was it sitting inside of a bookcase?

05:21.140 --> 05:26.390
Item location can be important when it comes to the actual evidence in question.

05:26.390 --> 05:31.070
If the evidence was acquired on a person, we need to document that it was on the person at the time

05:31.070 --> 05:33.110
and not at the original crime scene.

05:33.140 --> 05:39.680
Finally, we need a description, an accurate, detailed description of where the evidence is located.

05:39.680 --> 05:44.570
Now that means both the logging evidence, which file it was in, and the physical location, as in the

05:44.570 --> 05:45.710
person's being.

05:45.710 --> 05:47.570
Where did that evidence come from?

05:47.570 --> 05:52.190
The description of the evidence is important when it comes to the digital investigation.

05:52.220 --> 05:58.280
A chain of custody is a meticulous document recording and detailing the handling, collection, transportation,

05:58.280 --> 06:02.620
and preservation of evidence throughout each stage of the analysis process.

06:02.650 --> 06:08.080
We need to document every little nuance of the investigation when it comes to that specific evidence.

06:08.080 --> 06:12.760
If it left somebody's custody and went into an evidence bag, that needs to be documented.

06:12.790 --> 06:17.890
That evidence bag is then moved over to a central collection point. That needs to be documented: who it

06:17.890 --> 06:23.560
went from, who it's going to, who put it away, what the date was, what the time was, and whether it was checked

06:23.560 --> 06:23.920
out.

06:23.920 --> 06:25.420
That needs to be documented.

06:25.420 --> 06:31.300
Every step of that evidence and its pathway from the moment that it leaves the person or the moment

06:31.300 --> 06:38.680
it's picked up off the desk or the crime scene, needs to be documented in detail every step

06:38.680 --> 06:44.470
of the way, from the point of acquisition to the point of investigation, to the point of storage.

06:44.470 --> 06:50.500
When it's put into place, we need to permanently identify every aspect of that documentation.

06:50.500 --> 06:52.000
You can see here in the figure

06:52.000 --> 06:54.460
an example of a chain of custody documentation form.

06:54.490 --> 06:59.620
A legal hold is an administrative procedure frequently employed by organizations during a digital forensics

06:59.670 --> 07:00.660
investigation.

07:00.660 --> 07:06.120
If you work for an enterprise environment, you have no right to stop a legal hold from taking place.

07:06.150 --> 07:11.010
Your only concern is that the legal hold is in place, and that you need to safeguard that information

07:11.010 --> 07:15.750
to the best of your ability, whether that's storing it on a device or preventing its use.

07:15.750 --> 07:19.740
We need to make sure that that legal hold maintains its validity.

07:19.770 --> 07:25.980
The only people that can pull back a legal hold are your legal department or the opposing counsel,

07:25.980 --> 07:29.790
meaning the law enforcement agency that requested legal hold in the first place.

07:29.790 --> 07:35.550
Your manager or director has no right or bearing to tell you that, hey, this legal hold has been lifted.

07:35.550 --> 07:37.530
You can now destroy that information.

07:37.530 --> 07:43.440
As a cybersecurity professional, you need to know that legal holds must be lifted by lawyers and legal personnel or the legal

07:43.470 --> 07:44.160
office.

07:44.190 --> 07:50.070
It's implemented as a precaution in case an external investigation or agency requires the evidence,

07:50.100 --> 07:52.830
particularly if a legal violation has occurred.

07:52.830 --> 07:57.420
As a cybersecurity professional, you need to understand that legal holds are something that we need

07:57.420 --> 08:00.720
to hold sacred and secure within our enterprise environment.
