Computer Forensics Today Part 3

Video Transcription
Hey, everyone, welcome back to the course. So in the last video, we talked about the differences between criminal, civil and administrative investigations.
We also talked about ETI, or the enterprise theory of investigation, and why that's being used.
So in this video, we're gonna wrap up our discussion in module one. We're gonna talk about the Federal Rules of Evidence. We'll also talk about different laws that are pertinent
to forensic investigation, and finally figure out, if you didn't know already, what SWGDE stands for.
So, the Federal Rules of Evidence. Now, this is not an all-inclusive list. These are some of the most common ones I think you're probably gonna see in some capacity on the exam itself. However, you want to study all the Federal Rules of Evidence just to make sure you're familiar with them.
So some of the key ones from this list that I think you should memorize are going to be Rule 103, rulings on evidence, as well as Rule 105, limited admissibility,
and then also Rule 502, attorney-client privilege. So again, it's not an all-inclusive list, and I obviously can't tell you what's on the exam because I may not know myself. Again, you just want to make sure you study the Federal Rules of Evidence, all of them.
So, different laws that are pertinent for a digital or computer forensic investigator. The main one here is gonna be Title 18 United States Code subsection 1030, which is the Computer Fraud and Abuse Act. Again, we talked about it a little bit earlier. As far as that goes, it's kind of that umbrella
law that federal law enforcement agencies might grab you on if you start hacking
systems that you don't have permission to access.
We also have Title 18 United States Code subsection 2252A, which covers child ***, and as well subsection 2252B, which covers misleading domains. Now, if on the exam you happen to see something about, like, 2252 and it just has one of these two listed, it doesn't
differentiate between A or B,
that's probably your answer, right? If you see one of those and it says 2252, that's probably your answer. Again, I don't know if you're going to see that on the exam, but just know that if it's broken down like that, you might just see it listed in the EC-Council exam as the actual subsection 2252, or, like,
5862 or whatever the case might be.
Some other laws are FISMA, GLBA, HIPAA, SOX, and PCI DSS, which is actually a standard.
So FISMA, that's the Federal Information Security Management Act. So basically, this one covers federal agencies and requires them to have an information security plan in place for their systems. And this act just kind of requires them to annually review it and make sure that it's still relevant.
GLBA, or the Gramm-Leach-Bliley Act. So that requires financial institutions to protect customer information. So think of this one as, like, the banking one. So if you see this on the exam, if you see something maybe asking you which one covers, like, banking institutions, focus on this one being the correct answer there.
HIPAA, which we cover in the CEH material, the Certified Ethical Hacker material. But basically, that's just the health care one, so HIPAA is designed to help protect patient data. So not just your Social Security number or your date of birth, but also your actual medical record, right? So the surgeries you've had, or
the surgeries that your grandmother had, that sort of stuff.
SOX, or the Sarbanes-Oxley Act. So this one, if anyone remembers the Enron and, like, WorldCom scandals from the early two thousands, this act was passed to help protect investors against fraudulent accounting practices. So
with those scandals, the investors didn't know, and neither did regular people
like you or I; they didn't know that companies like Enron were essentially cooking the books, right? So SOX was put in place to make sure there are certain controls. So basically, nowadays, executives have to sign off on the financial reports, and they could be held criminally liable as well as civilly liable if there's some issue with those reports.
PCI DSS, as I mentioned, is a standard. It's very beneficial for, like, smaller companies that aren't in the payment card industry but are looking for just kind of, what kind of security stuff should I put in place? Because it has a lot of good information. Now, Payment Card Industry Data Security Standard is what it stands for, and obviously, with that name,
it's for the payment card industry. So people or companies that are
processing payment card information: it sets certain standards that they have to follow to secure that data.
The Fourth Amendment. So basically, anyone acting under the color of government authority, like your federal law enforcement or your local law enforcement agents. Basically, it specifies that they can't search or seize things without a warrant
from areas where somebody has a reasonable expectation of privacy. Right? So,
one thing that people mess up on a lot is they think that because of the Fourth Amendment, their employer can't come search your stuff. However, of course, it depends on your state. But the Fourth Amendment only covers people acting under the color of government authority. Right. So, like, if law enforcement came to your job
and they want to search your bag, they would need a warrant, right? Or they would need your permission,
whereas, and again, this is not legal advice, so I'm not an attorney, I'm not giving legal advice, I'll throw that disclaimer in there real quick, but they would need a warrant to search your bag in most cases,
whereas, like, your boss: if you sign a piece of paper and you consent for your boss to search it, your boss could look through your bag
without a warrant.
Now we're gonna cover warrants in module two and kind of talk about the different ones. But just know that the Fourth Amendment is tied into that aspect of it.
Best evidence rule. So basically, here the goal is to prevent alteration of the digital evidence. So the best evidence is, like, it's not altered. So we want to use that original evidence in the actual court of law. Now, a duplicate of the evidence is admissible
if it meets one of these criteria. Right? So: the original evidence is destroyed in a fire, flood, or other act of nature.
The original evidence is destroyed in the normal course of business. Right? So we as investigators, as we're analyzing evidence, we may actually destroy some of it just because it's volatile evidence.
And then the original evidence is in possession of a third party. Right? So, you know, that child *** criminal has their laptop, has the information on there. We can't necessarily get to their laptop, right? But they uploaded it to their website, so we can access their website. We can get warrants for that and get the duplicate,
basically the same data, right? But we can't get actual access to their physical machine.
SWGDE, as we talked about in the pre-assessment question for all these videos, is the Scientific Working Group on Digital Evidence. So there are several standards involved there that they have. So they kind of make organizations, well, companies conducting forensic examinations, follow these.
So you have to maintain an SOP document and review it annually.
It has to be accepted by kind of the general forensic community. Written copies of technical procedures, we need those as well. And then we also would have to use appropriate hardware and software, right? So we couldn't just, like, make up software; it needs to be stuff that's generally accepted or approved by the forensic industry.
And then, of course, recording all activities for review or testimony, if you need to present in a court of law.
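As an added illustration (not part of the course video) of the best evidence rule above and of the SWGDE point about recording every activity for testimony: the script below hashes an original item, makes a working duplicate, verifies the duplicate matches, and appends each step to a chain-of-custody record so the examiner can later show the copy was never altered. Hashing is the usual way to demonstrate this, though the lecture does not walk through it; the evidence bytes, examiner name and item identifier are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "original evidence" standing in for an acquired image (not from the page).
ORIGINAL_EVIDENCE = b"constructed sample: web server access log, 2024-01-01\n" * 4

def sha256_hex(data: bytes) -> str:
    """Digest used to show a working copy is bit-for-bit identical to the original."""
    return hashlib.sha256(data).hexdigest()

def make_duplicate(original: bytes) -> bytes:
    """Produce the working copy; the examiner analyses the copy, not the original."""
    return bytes(original)

def verify_duplicate(original: bytes, duplicate: bytes) -> bool:
    """A duplicate only stands in for the original if its digest matches."""
    return sha256_hex(original) == sha256_hex(duplicate)

class ChainOfCustody:
    """Append-only record of every action on an evidence item: who, when, what, digest."""

    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries = []

    def record(self, examiner: str, action: str, data: bytes) -> dict:
        entry = {
            "item": self.item_id,
            "examiner": examiner,
            "action": action,
            "sha256": sha256_hex(data),
            "timestamp": datetime.now(timezone.utc).isoformat(),
        }
        self.entries.append(entry)
        return entry

    def hashes_consistent(self) -> bool:
        """True when every recorded action saw the same digest, i.e. nothing was altered."""
        return len({e["sha256"] for e in self.entries}) <= 1

def acquire_and_verify(original: bytes, examiner: str = "EXAMINER_PLACEHOLDER"):
    """Hash the original, image it, hash the image, and log both steps for later testimony."""
    log = ChainOfCustody("ITEM-PLACEHOLDER-001")  # placeholder item identifier
    log.record(examiner, "hash original before imaging", original)
    duplicate = make_duplicate(original)
    log.record(examiner, "hash duplicate after imaging", duplicate)
    return duplicate, log
```

A copy altered after imaging fails `verify_duplicate`, and recording its digest makes `hashes_consistent()` return False, which is exactly the discrepancy the custody record exists to surface.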
So forensic readiness is kind of along the lines of, if you have a business background, kind of along the lines of, like, lean startup, right? So we want to make optimal use of our resources. So in this case, optimal use of the digital evidence in a potentially limited time frame with limited investigation costs, so again, cost being a factor there,
and kind of tying that in with, like, lean startup methodology of
we want to keep costs low and kind of be innovative in our approach.
And then incident response. So forensics and incident response kind of tie together. So incident response, right? You figured out something happened, and now you want to actually take a deep dive and figure out everything that happened, right, to how they got in, all that sort of stuff. So that's where the forensics would tie into it, where we're going, like, a deep dive in malware analysis.
We're taking a deep dive in that data breach, just to figure out, like, in the logs
where exactly they got in, what vulnerabilities we have, how can we patch those, et cetera, et cetera.
So again, we're not really creating this course on incident response. This one's more so along the lines of forensics. However, just understand that if you work in incident response, you're gonna be handling forensics in some capacity.
And speaking of forensics, forensic investigator, right? So kind of, what do they do? So they evaluate any damage, right? They also identify and recover data. So we kind of plan out, like, okay, what's the evidence we're looking for? Let's go get it. Extracting the evidence in a sound manner, so following best practices, and along with that, proper handling of the data.
Creating reports of our findings,
and then, if applicable, testifying in court, and then also staying abreast of current technologies and current best practices. Right? So as new forensic tools come out, then we want to be on those, learning those, so we can use them on investigations.
So, ethics. This is kind of common-sense stuff. We want to maintain fairness and integrity at all times. And if we have a conflict of interest, we want to make sure we address that and take ourselves off the case. So, for example, if your grandmother committed a crime, you would not be the one investigating that crime, necessarily. Of course, we know, like, federal law enforcement says, "Hey,
are you willing to arrest your grandmother?" as part of the interview process,
but keep in mind that they wouldn't be putting you on the case of your grandmother because there's a conflict of interest.
So just a couple of quick post-assessment questions. So which of these laws or standards protect patient data?
All right, so if you guessed answer C, HIPAA, you are correct. Again, answer A, the Gramm-Leach-Bliley Act, is regarding banking institutions, financial institutions, to protect their customer data. Answer B, SOX or the Sarbanes-Oxley Act, is to protect investors against fraudulent corporate accounting,
and then answer D is the PCI DSS standard, or Payment Card Industry
Data Security Standard, and that covers protecting cardholder data.
So question number two: digital forensic investigators should never document. So is that true or false?
Well, obviously we know that's false, right? We want to document. And, as we mentioned throughout the entire course, the chain of custody document.
All right, so in this video, we talked about quite a bit of stuff. We talked about the Federal Rules of Evidence. We talked about different laws and standards, as well as, like, the Fourth Amendment. We also talked about things like the best evidence rule and the Scientific Working Group on Digital Evidence.
So in the next module, we're gonna jump into module two, the computer investigation process, where we're gonna talk about the pre-investigation, the investigation phase, as well as the post-investigation phase.