WEBVTT

00:00.120 --> 00:09.180
Digital forensics is the art, the science, of collecting, storing, and quantifying digital evidence to be

00:09.180 --> 00:14.970
used as the result of some action that takes place now in our world.

00:14.970 --> 00:18.390
Most forensics are going to take place for one of two reasons.

00:18.390 --> 00:22.210
Number one, there's going to be some incident that takes place in-house.

00:22.230 --> 00:28.560
Somebody has broken an important policy and we need to be able to document that they've done this and

00:28.560 --> 00:30.840
we have to go through a process of forensics.

00:30.870 --> 00:38.370
The other place this can happen is from a legal hold. Legal holds are documents that are sent to an organization

00:38.370 --> 00:45.930
from another organization to let them know that they are going to be doing some exploratory information

00:46.230 --> 00:52.260
and that we have to provide that information for them in such a way that they can do whatever legal

00:52.260 --> 00:55.290
discovery they need to do to take care of that.

00:55.290 --> 01:02.790
Now before I get into a lot of detail here, for the exam digital forensics is pretty basic, and the whole

01:02.790 --> 01:08.430
concept of digital forensics is huge. You can get a doctorate in digital forensics these days.

01:08.430 --> 01:14.790
But as far as the exam is concerned, if you really think in terms of one computer where one person has

01:14.790 --> 01:18.110
done something naughty you'll usually be in better shape.

01:18.210 --> 01:27.800
So probably the first thing I want to talk about is the idea of chain of custody.

01:27.930 --> 01:34.710
The whole idea behind chain of custody is the fact that you or someone underneath your purview is going

01:34.710 --> 01:42.150
to be gathering evidence against somebody or something and that somebody or something has a chance of

01:42.360 --> 01:50.950
losing their job or losing money or losing freedom or even losing honor or whatever it might be.

01:51.240 --> 01:58.290
If we are going to be presenting evidence we have to show that the data that we've collected is of high

01:58.290 --> 01:59.230
integrity.

01:59.250 --> 02:04.620
We don't want somebody going, "Oh, well he changed that name," or "Oh, that didn't come from here," or "Now that

02:04.620 --> 02:06.350
was gathered days later."

02:06.360 --> 02:13.260
So the whole idea of chain of custody is to show good integrity of the evidence itself.

02:13.260 --> 02:18.430
So the best way to do this is let's march through the chain of custody process.

02:18.660 --> 02:22.920
The cornerstone of chain of custody is a chain of custody form.

02:22.950 --> 02:28.730
And here's an example that I got from NIST to give you an idea of how this looks.

02:28.740 --> 02:32.790
Basically we're looking for very specific types of information.

02:32.790 --> 02:35.400
Number one, we define the evidence.

02:35.400 --> 02:38.050
What are we actually collecting here?

02:38.100 --> 02:39.960
And what does it look like?

02:39.970 --> 02:41.260
Well, what form does it take?

02:41.370 --> 02:43.790
That could be an image of a hard drive.

02:43.800 --> 02:46.650
It could be an image from a thumb drive.

02:46.650 --> 02:50.100
It could be a video, whatever it might be. We define it.

02:50.100 --> 02:52.840
Number two, we document the collection method.

02:53.100 --> 02:58.020
One of the big things that we have to worry about is that people will challenge us that we may have

02:58.020 --> 02:59.220
changed data.

02:59.250 --> 03:05.730
So there are a number of collection methods that allow us to grab data from mass storage without affecting

03:05.730 --> 03:06.370
it.

03:06.450 --> 03:07.250
Number three.

03:07.380 --> 03:08.550
Date and time collected.

03:08.640 --> 03:13.880
It can be very important that we determine exactly when this particular evidence was collected.

03:14.740 --> 03:20.890
Number four, the people handling the evidence. We need to know the names; that includes contact information,

03:20.980 --> 03:23.210
e-mail, that type of information.

03:23.410 --> 03:28.030
Exactly telling who's handled the evidence, and we're not just talking about the people who collected

03:28.030 --> 03:28.470
it.

03:28.480 --> 03:30.630
Anybody down the chain as well.

03:31.490 --> 03:34.990
Number five, the function of the person handling the evidence.

03:35.120 --> 03:39.720
That actually means: is this person an in-house I.T. person, whatever it might be.

03:39.740 --> 03:45.290
In particular, we do this to show that these people are qualified to do whatever part of the chain of

03:45.290 --> 03:47.630
custody they're involved in.

03:47.630 --> 03:55.340
And last is locations of the evidence. Evidence will move over time from the initial collection to being

03:55.340 --> 04:00.020
stored in a storage room to potentially be moved to law enforcement.

04:00.020 --> 04:02.850
We need to be able to document all of those steps.

04:03.050 --> 04:06.160
When you approach a computer to begin gathering data,

04:06.230 --> 04:10.320
one big concern is the order of volatility.

04:10.370 --> 04:14.420
A computer has got all kinds of ones and zeroes stored all over it.

04:14.420 --> 04:18.050
And our job is to try to grab as much of this data as we can.

04:18.110 --> 04:23.570
So the order of volatility is basically a checklist that says what do you go to first, then what do you go

04:23.570 --> 04:25.450
to, and then what do you do after that.

04:25.610 --> 04:27.710
So number one is going to be memory.

04:27.710 --> 04:32.030
Now when we're talking about memory, certainly all the processes and services that are running on the

04:32.030 --> 04:36.500
computer are important, but there's a lot of other stuff in there too as well.

04:36.500 --> 04:40.920
For example caches, even CPU caches, can be absolutely critical.

04:40.970 --> 04:45.540
We could have routing tables which can change back and forth on a system.

04:45.620 --> 04:50.150
You could have an ARP table. Wouldn't it be great to know the MAC addresses of everybody that that particular

04:50.150 --> 04:51.520
system has been talking to

04:51.620 --> 04:53.420
just this very given moment?

04:53.660 --> 04:56.690
So dealing with memory is very, very important.

04:56.720 --> 05:01.670
Now luckily for us, there are tons of great programs out there that are great at grabbing and dumping

05:01.670 --> 05:07.900
memory, and they have very clever names like DumpIt or Volatility, and it's volatile, volatility.

05:07.920 --> 05:09.110
OK, funny joke.

05:09.170 --> 05:13.820
These are well-known programs, and basically you just take a thumb drive, you run the program, they have

05:13.820 --> 05:19.430
a tiny, tiny memory footprint, and their job is just to grab everything in memory and dump it to a file.

05:20.830 --> 05:23.980
After memory is data on the disk itself.

05:23.980 --> 05:26.370
Now certainly when we talk about data on disk,

05:26.410 --> 05:31.630
and by the way this could be equally true for, for example, optical media or flash drive, whatever it might

05:31.630 --> 05:32.490
be.

05:32.770 --> 05:38.050
When a system is up and running, there's a lot of data on that disk that will probably disappear when

05:38.050 --> 05:39.670
the system shuts down.

05:39.670 --> 05:44.710
For example, things like cache files, you've got a big swap file on there, you might want to grab that

05:44.710 --> 05:45.970
data as well.

05:45.970 --> 05:50.920
There could be temp files that are very, very important to whatever you're going to be doing with this.

05:50.980 --> 05:57.550
Now in this type of situation there are literally hundreds of programs that are out there and designed to

05:57.550 --> 05:59.080
grab the data.

05:59.080 --> 06:04.870
All of these programs are designed to work in some form of what we call write block, something where

06:04.870 --> 06:10.090
you could say in a court of law it's impossible for me to write on the system, because this piece of

06:10.090 --> 06:15.650
hardware, for example, will only grab data; it's not capable of actually writing back to it.

06:15.910 --> 06:21.490
If you're looking for simple software, even a program like Linux's wonderful dd program does a great

06:21.490 --> 06:26.960
job of doing a detailed grab of the entire image.

06:27.320 --> 06:31.540
Now once we're done with the system, you're not really done yet.

06:31.570 --> 06:36.870
The other thing you need to consider is remotely logged data.

06:36.970 --> 06:43.940
If something is going wrong here, a lot of times there are two connections that are taking place.

06:43.960 --> 06:48.250
So if you're worried that someone's doing something on a website, there might be logs on that remote

06:48.250 --> 06:48.940
website.

06:49.090 --> 06:52.330
If you're worried that somebody is doing something on a file server, there might be something on the

06:52.330 --> 06:57.790
file server in terms of when did they access that, or something like that, that can be very, very important

06:58.030 --> 06:59.170
for you to grab.

06:59.440 --> 07:06.320
Logs tend to last a fairly good amount of time, but it's important for you to grab them as quickly as possible.

07:06.340 --> 07:10.010
The last part of order of volatility are backups.

07:10.210 --> 07:14.220
Backups are going to be terrible in telling you what happened right now.

07:14.290 --> 07:17.590
But they can be a wonderful tool for looking for trends.

07:17.590 --> 07:20.470
"Oh, this person has done this multiple times in the past."

07:20.710 --> 07:25.790
"We've had this exact situation take place five times in the last year."

07:25.900 --> 07:31.930
However, backups, even though they have very low volatility, it can often take a while to grab all of that

07:31.930 --> 07:32.370
data.

07:32.380 --> 07:35.810
So be comfortable with the order of volatility.

07:35.810 --> 07:36.240
All right.

07:37.560 --> 07:45.150
I guess the last thing we need to do is actually take a look at the process of gathering this data.

07:45.150 --> 07:50.790
So what I'm going to be doing here, and this is not a particular order, but basically a checklist of issues

07:51.030 --> 07:56.160
you should be thinking about when you're performing digital forensics.

07:56.160 --> 08:02.130
Number one, capture the system image. You would be hard pressed to come up with a scenario where you're

08:02.130 --> 08:08.190
not grabbing the system image from whatever system is in question. What tool you use is up to you.

08:08.220 --> 08:14.130
But keep in mind write blocking tools are often very common for this type of situation.

08:14.130 --> 08:17.170
Number two, grab network traffic and logs.

08:17.190 --> 08:23.280
Not only will there be some logs on the system itself, but here's the opportunity to go over to the domain

08:23.280 --> 08:30.030
controller, to go over to whatever other servers the system might be accessing, and get an idea of where

08:30.030 --> 08:33.090
this person has been and what they're doing.

08:33.090 --> 08:36.860
Number three is capture video. Now that has two different meanings to me.

08:36.870 --> 08:43.950
Number one, if I'm in a forensic situation and I'm approaching the system, I will videotape physically

08:44.220 --> 08:50.170
the workstation, everything laid around it, so that it's well-documented what I approached.

08:50.370 --> 08:55.250
Secondly, though, capturing video can mean if you're finding media.

08:55.410 --> 09:01.800
And when I say video, this could even include audio on a system; you would go ahead and want to capture

09:01.800 --> 09:07.680
all that too, which would normally be part of the system image itself. Last, you might want to look around

09:07.680 --> 09:15.180
for security cameras. Are there any other cameras that are part of a broader physical security system

09:15.390 --> 09:18.600
that might be appropriate to this particular situation?

09:18.600 --> 09:22.250
Anytime you're dealing with video, always record a time offset.

09:22.320 --> 09:26.270
Make sure people know what they're seeing and when it happened.

09:27.970 --> 09:35.360
Next, take hashes. Take hashes of everything: hash every file, hash every image, just keep on hashing.

09:35.380 --> 09:42.070
Most good forensics tools actually have built-in auto-hashing functions for you, but the hash is your

09:42.070 --> 09:47.630
ultimate proof to show the integrity of any single piece of data that you've handled.

09:48.650 --> 09:50.500
Next, take screenshots.

09:50.570 --> 09:55.790
When you walk up, grab a screen capture, take a look at what's happening, and be sure to capture all these,

09:55.880 --> 10:02.360
and again be sure to record date and time. Next, interview witnesses.

10:02.400 --> 10:09.240
Anybody who's been nearby, anybody with whom a communication was taking place. Get these interviews done quickly,

10:09.480 --> 10:16.080
get the documentation, contact information, and their job function within that organization, so that if

10:16.080 --> 10:19.610
necessary law enforcement can speak to them.

10:19.740 --> 10:26.850
And the last one, this is interesting, is track the man hours. You are costing people money by doing these

10:26.850 --> 10:33.000
forensics. For example, you might have budget issues in terms of how hard your organization is going to

10:33.000 --> 10:37.890
be defending a particular issue, or you might have an insurance issue where your organization is going

10:37.890 --> 10:39.810
to be paid back for your hard work.

10:39.810 --> 10:44.250
The bottom line is every moment you're working, you're tracking those man hours.

10:44.490 --> 10:48.630
The whole world of digital forensics is absolutely fascinating.

10:48.630 --> 10:55.330
I have spent decades working both in the public and private sector dealing with digital forensics.

10:55.470 --> 11:00.940
And I can tell you not only is it interesting, it's also a very, very good career.

11:00.990 --> 11:04.400
So for the exam, we're only doing the lightest of touches.

11:04.440 --> 11:09.630
You're not going to be seeing much on there other than definitions of what is chain of custody, what is

11:09.660 --> 11:11.040
order of volatility.

11:11.160 --> 11:13.950
But if you really want to get into it, I can't recommend it enough.

11:14.040 --> 11:15.070
It's actually a lot of fun.
