Computer Forensics Today Part 2

00:01

Hey, everyone, welcome back to the course. So in the last video, we talked about some of the different types of computer crimes. We might see

00:08

some different challenges for investigators eso things like encryption or anti forensics and then also the investigative process.

00:16

So in this video, we're gonna talk about criminal, civil and administrative investigations.

00:23

So criminal investigations, As the name implies, everyone probably already figured that this is talking about a violation of some law. So give me like a local law. Could be a state law. Federal law, your province law, depending on where you live. Also like international law, if you've been really, really bad.

00:40

So generally this is gonna lead to, um for the most part, jail time, but also could lead to finds and possibly both.

00:47

So with criminal investigations, you basically need follow some kind of standard forensic process. So something basically approved by your particular jurisdiction or the jurisdiction that you want to, um, you know, prosecute in. You need to make sure that they signed off on some type of, you know, digital forensic computer forensic

01:06

investigation process.

01:08

One key point is a formal investigation report it is required for a criminal investigation, So you'll definitely want to keep that portion in mind. If you decide to take the ch EF eye exam, that is gonna be something that you, you may see tested in some capacity,

01:27

the for criminal investigations, the standard of proof has to be very high, right? So basically, that beyond a reasonable doubt is what we prove and the burden of proof there is on the prosecution, right? So they have to prove beyond a reasonable doubt that, you know, Joey committed that crime, right? So keep that in mind.

01:46

We also have several investigations s Oh, this is just a dispute between two parties. Eso kind of difference from criminal in the aspect of it's just monetary damages. So somebody, you know, Sue somebody and then, you know, they get X amount of dollars in return from the judge.

02:01

Now, something else to point out here is it's not beyond a reasonable doubt. So he only t to basically prove the preponderance of truth. Right? So just a greater than 50% showing that, like, Yes, I am telling the truth, Your honor, that way the judge rules in your favor, favor judge or jury, you could have either one

02:22

in a civil case,

02:23

and then we have administrative investigation. So basically, these year, internal investigations by the company or organization. You see, I have a little logo from Customs and Border Patrol, but, you know, again, it may or may not be law enforcement related,

02:40

but generally, it's just gonna be an internal investigation. So,

02:45

um, a lot of times these, these actually turned into a criminal investigation, right? So, for example, you know, we we want to see what documents you know Joey is sending out. So we start a administrative investigation,

02:58

and then we realized that Joey's been stealing our intellectual property. Eso Then we make it criminal, right? We refer to law enforcement, and we might even pursue a civil one. At that point to, right, we could go ahead and assume for stealing that stuff.

03:10

So these, as I mentioned these, we're gonna kind of cover things like policy violations, threatening behavior. So, you know, like your sexual harassment type of stuff.

03:20

It also like corruption and bribery. You know, things like somebody getting a promotion when they shouldn't have right. Just because of whatever with the boss s so, you know, just just kind of that generalized, you know, company related sort of stuff that occurs and again a lot of times, these turn into criminal investigations.

03:40

So what are some of the rules of forensic investigation? So, you know, not in any particular order here and not a full list by any means. But basically what we want to limit access to the original evidence. So by that, you know, of course, we want to make a duplicate copies and then look at those right. We also want to make sure the chain of custody, right.

03:59

So that goes back to the

04:01

limiting access to the original evidence because not everyone needs to touch this stuff. Right? Because at at the end of the day, when we get into court, we're gonna have to prove, like, Okay, you know who touched it and why. Right? What was their legitimate reason for interacting with the evidence?

04:16

We'll also record any changes to the evidence. Right. So, you know, and actually, some of the things we do in forensics might alter certain data. So we have to make sure that we have a solid process in place to record that type of stuff and be able to, you know, again in a court of law. Say, Well, we had to change it, because this is how this works, right?

04:38

Also, you know, setting standards, you know, for the investigation. So saying, Hey, you know, don't you know, don't run in there and turn the, you know, pull the plug on the computer once on, you know, we wanna wait so we can acquire the evidence

04:49

also knowing, you know, your limitations of skills. Right. So an earlier example I mentioned, you know Hey, um, access? No. Maybe I don't know about it. Call somebody else. So know your limitations, right? Don't say I got this, because then you're gonna mess up the actual case,

05:03

so, you know, fine, Fine. Appropriate people or agencies that have the resource is that you're lacking

05:11

secure storage. Right? So we actually get the evidence we want obviously stored securely so nobody can come in and mess with it.

05:17

Wes, all I have to understand, you know the legalities, right? So, you know, as part of the rules of a forensic investigation, we have to understand what's happening in the particular jurisdiction that we're working in, you know? So, you know, can we actually even prosecute this thing, right? Where can we even investigate? Yeah. Is it a crime

05:35

for us to do certain aspects of the investigation? Right. So

05:39

just keep that type of stuff in mind

05:42

and of course, you know, you know, industry tools. So staying abreast of what's changing in the industry, where the latest tools, how they function, how the beneficial depending on what we're trying to do. So just keep all that in mind.

05:56

So e t I is another thing. You know, you'll you'll definitely see in the official material. So it just stands for enterprise theory of investigation. So essentially, what this does it takes a holistic approach to criminal investigations.

06:09

So, for example, where you cripple a criminal or civil, for example, you know, let's just say it's ah, you know, drug ring, right? So, um, you know, as an investigator, I see that. Okay, well, you know, this guy over here, you know, pushes a little bit of, you know of narcotics, but not too much. Right? So then,

06:29

um you know, rather than just saying Okay,

06:30

well, this is just a one time thing, right? It's just one drug dealer. Whatever. You know, we actually, instead kind of develop a pattern. Right? So we noticed. Well, you know, Yeah, that guy's dealing drugs. But he knows this guy over here, you know, and that guy's dealing drugs, too.

06:45

And so we start to piece together kind of the

06:47

the organization, right? So that criminal organization and that's what this is all about, right? This this is helping dismantle, like, you know, street gangs were, you know, higher level crime gangs.

06:59

You know, this is one of the tools that law enforcement uses to try to dismantle that.

07:02

So basically, it's not focusing on like the one person is focusing on the whole picture.

07:10

So different types of evidence. We've got volatile evidence. We always want to collect this before we shut off the machine. So keep that in mind for your examination. Do not like, pull a plug on a machine. And don't do any of that stuff until you've been able to try to at least acquire the volatile evidence. So things like the system time files that are open

07:29

process information,

07:30

server driver information, the command history, et cetera,

07:35

and the non volatile evidence. Right? So, you know things that will stick around after we cut the power, at least for a bit,

07:43

you know. So so slack space, hidden space. What files? Register settings, You know, unused partitions, et cetera. Center.

07:50

So in this video, we talked about several different things. Rights. We talked about criminal civil administrative investigations. We also went over E T I. What? That is so again, enterprise theory of investigation. And that's that holistic approach to doing investigations to try take to try to take down the entire criminal organization.