1.3 Forensic Investigation Methodology

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

Video Transcription
Hi. Welcome back to the curse. So in the last video, we talk about some concepts, basic information. We define what digital forensics is. How is sometimes called computer forensics. We also analyzed the Windows operating system on disk use. Some common means that people tend to think about the system.
Now in this video, we're going to study the forensic investigation methodology. Different steps on the importance
following a standard methodology is crucial to successful and effective computer forensics. Just as professional programmer, you separate mental apology. Computer forensics professional should use an investigative methodology. A standard metal villa. He will provide full protection of evidence on some common steps that should be followed in the investigation process.
The Sun's Institute, which is a private US for profit company founded in 1989 that specializes in information security on cybersecurity training, developed at a steps mythology that will help the investigator to stay on track on a sure bro representation off computer evidence for criminal or civil case into Kurt.
Legal proceedings on Internet disability actually,
as well as 100 off my word incident on your new cell operational problems. The purpose off this a steps is to respond systematically to forensic investigations on determine what happened.
A similar process insists on was created by the National Institute Off the Standards and Technology known as least. This special publication is consistent with Sands Methodology on reflects the same basic principles different on the ground, literally off each face or terms used. All their similar mythologies are described
in the S 0 27,041
Okay, here's a quick question for you. How many steps are there in the forensic investigation mythology developed by sons? Do you think it's a three steps, or maybe five steps, or to see eight steps or the 10 steps?
If you say, see a steps, you're correct.
Now let's analyze the eight steps in a forensic investigation.
Normally, the computer forensic investigation will be known a spark off on insulin response scenario. I search. The first step should be to verify the incident, has taken place,
determined the scope of the sea and assess the case. No wife situation, the nation off the case and the specifics. This preliminary step is important because we help determining the characteristic of dancing on defining the best approach to identify, preserve and collect the evidence.
He may also help justify business owners to take a system off line.
Then he follows the system. This creature or the step where you start gathering data about the specific incident is starting by taking notes are describing the system you're going to analyse. Where's the system being acquire? Where is the system role in the organization and the network
on land operating system and general configuration, such as disc format? Amount off Ron
on the location of the ***
gave this acquisition. You should identify possible socials off data at quite volatile and non volatile data verified. Intel very off the data and ensure chain of custody
during these steps. Is house important that you prioritize your evidence
on engaged the business owners to determine execution on business impact off shows and strategies Because belittle data changes over time, the order in which data is collected is important.
Please note that all this data should be collected using trusted wineries. I know the ones for impact the system.
After collecting this volatile data, you're going to the next step off collecting normality. Data such as the heart rife together data from the hard drive, depending on the case there. Normally, three strategies to do obits really much using a hard drive device like a right broker in case you can take the system offline. Or remove the heart right
or using an easy a response on foreign 62 kids
or using a life system acquisition that might be used when dealing with a critic system or systems that cannot be taken off line or only accessible remotely
after acquiring data. Ensure I'm verifying isn't authority. You should also be able to clearly describe how the evidence was found, how it was 100 on everything that happened to it.
No dispersed investigation and analysis. The folding steps. Working a look where you can jump from one into another in order to fight footprints on tracks. Left
after devious accusation, you start doing your investigation on dialysis in your foreign signal up to start by doing a timeline analysis. This is crucial step. I'm very useful because it includes information such as when fires were mollified, access changed and created in a human readable four month is no a Semak time evidence.
The data is gathered using a variety of tools,
and it's instructive from the metal area the year of the fire system and then parts on sorted in order to be analysed. Timelines off memory artifacts can also be very useful in reconstructed. What happened? The goal is to generalise. Captured off the activity down in the systems is date. The artifact in bull actions are first
in the media and artifact analysis. The investigation should be able to answer questions such as What programs? Where. Security? Which files were downloaded? Which files were clicked on which directors were open. Which file was deleted? How many others?
When analyzing the Windows system, it can be created a super time like that. Super Time will incorporate multiple times sources into a single fire. Investigator must have no less off fire systems. When those artifacts on race three artifacts take advantage off, this technique will reduce the amount of data to be analysed.
Memory analysis is another key analysis step in order to examine grow processes that were connections on many others, be worse off anti forensic techniques such as stolen or a C or that alteration on the structure. The women talk to investigation analysis, Uncle closure
the string or by search will consist into using tools that will search the low level really much is if we know what we're looking, then we can use this medal to find it.
Is this step that we usedto until leaks that we look for by signatures off known files known as magic cookies. It's also in this step that you do string searches. You see goddess pressures
in the data recovery will be looking on your cover date. A friend If I system, some tools can be used to analyze the fire system.
The teller. You're a metal later liar Analyzing the slack space on a located space and in that file system analysis is part of this step in order to find files off interest carving files from the raw images based on finds. Heather's using tools is another technique. No foreigner gather evidence.
Reporting the results is a key part off an investigation. Consider writing in a way that reflects the usage off scientific methods on facts that you can prove a lot. The reporting style, the printing off the audience on be prepared for the report to be used as evidence for legal or administrative purposes.
All right, just one simple question in which of the steppe investigator should analyze the select space on the locator space on file system.
Is it a data recovery or be reporting results? Or maybe see Stina by search or debriefing cation?
You said a the recovery. You're correct.
So in this meeting, we cover the A step foreign SEC investigation mythology on analyze each of them. In the next model, we're going to study about Windows imaging, some principles, the logical structure of our witness operating system
on the physical right, no mental.
Up Next
2.1 Physical Drive Nomenclature in Windows
2.2 Logical Drive Nomenclature in Windows
2.3 Summary of Windows Device Names
3.1 Basic dd.exe Operation
3.2 dd.exe Logical Drive Example