1.3 Forensic Investigation Methodology

00:00

Hi. Welcome back to the curse. So in the last video, we talk about some concepts, basic information. We define what digital forensics is. How is sometimes called computer forensics. We also analyzed the Windows operating system on disk use. Some common means that people tend to think about the system.

00:17

Now in this video, we're going to study the forensic investigation methodology. Different steps on the importance

00:24

following a standard methodology is crucial to successful and effective computer forensics. Just as professional programmer, you separate mental apology. Computer forensics professional should use an investigative methodology. A standard metal villa. He will provide full protection of evidence on some common steps that should be followed in the investigation process.

00:44

The Sun's Institute, which is a private US for profit company founded in 1989 that specializes in information security on cybersecurity training, developed at a steps mythology that will help the investigator to stay on track on a sure bro representation off computer evidence for criminal or civil case into Kurt.

01:03

Legal proceedings on Internet disability actually,

01:04

as well as 100 off my word incident on your new cell operational problems. The purpose off this a steps is to respond systematically to forensic investigations on determine what happened.

01:15

A similar process insists on was created by the National Institute Off the Standards and Technology known as least. This special publication is consistent with Sands Methodology on reflects the same basic principles different on the ground, literally off each face or terms used. All their similar mythologies are described

01:34

in the S 0 27,041

01:40

Okay, here's a quick question for you. How many steps are there in the forensic investigation mythology developed by sons? Do you think it's a three steps, or maybe five steps, or to see eight steps or the 10 steps?

01:56

If you say, see a steps, you're correct.

02:00

Now let's analyze the eight steps in a forensic investigation.

02:04

Normally, the computer forensic investigation will be known a spark off on insulin response scenario. I search. The first step should be to verify the incident, has taken place,

02:14

determined the scope of the sea and assess the case. No wife situation, the nation off the case and the specifics. This preliminary step is important because we help determining the characteristic of dancing on defining the best approach to identify, preserve and collect the evidence.

02:30

He may also help justify business owners to take a system off line.

02:37

Then he follows the system. This creature or the step where you start gathering data about the specific incident is starting by taking notes are describing the system you're going to analyse. Where's the system being acquire? Where is the system role in the organization and the network

02:52

on land operating system and general configuration, such as disc format? Amount off Ron

02:57

on the location of the ***

03:00

gave this acquisition. You should identify possible socials off data at quite volatile and non volatile data verified. Intel very off the data and ensure chain of custody

03:10

during these steps. Is house important that you prioritize your evidence

03:15

on engaged the business owners to determine execution on business impact off shows and strategies Because belittle data changes over time, the order in which data is collected is important.

03:28

Please note that all this data should be collected using trusted wineries. I know the ones for impact the system.

03:35

After collecting this volatile data, you're going to the next step off collecting normality. Data such as the heart rife together data from the hard drive, depending on the case there. Normally, three strategies to do obits really much using a hard drive device like a right broker in case you can take the system offline. Or remove the heart right

03:54

or using an easy a response on foreign 62 kids

03:59

or using a life system acquisition that might be used when dealing with a critic system or systems that cannot be taken off line or only accessible remotely

04:09

after acquiring data. Ensure I'm verifying isn't authority. You should also be able to clearly describe how the evidence was found, how it was 100 on everything that happened to it.

04:20

No dispersed investigation and analysis. The folding steps. Working a look where you can jump from one into another in order to fight footprints on tracks. Left

04:30

after devious accusation, you start doing your investigation on dialysis in your foreign signal up to start by doing a timeline analysis. This is crucial step. I'm very useful because it includes information such as when fires were mollified, access changed and created in a human readable four month is no a Semak time evidence.

04:50

The data is gathered using a variety of tools,

04:54

and it's instructive from the metal area the year of the fire system and then parts on sorted in order to be analysed. Timelines off memory artifacts can also be very useful in reconstructed. What happened? The goal is to generalise. Captured off the activity down in the systems is date. The artifact in bull actions are first

05:15

in the media and artifact analysis. The investigation should be able to answer questions such as What programs? Where. Security? Which files were downloaded? Which files were clicked on which directors were open. Which file was deleted? How many others?

05:29

When analyzing the Windows system, it can be created a super time like that. Super Time will incorporate multiple times sources into a single fire. Investigator must have no less off fire systems. When those artifacts on race three artifacts take advantage off, this technique will reduce the amount of data to be analysed.

05:47

Memory analysis is another key analysis step in order to examine grow processes that were connections on many others, be worse off anti forensic techniques such as stolen or a C or that alteration on the structure. The women talk to investigation analysis, Uncle closure

06:04

the string or by search will consist into using tools that will search the low level really much is if we know what we're looking, then we can use this medal to find it.

06:15

Is this step that we usedto until leaks that we look for by signatures off known files known as magic cookies. It's also in this step that you do string searches. You see goddess pressures

06:28

in the data recovery will be looking on your cover date. A friend If I system, some tools can be used to analyze the fire system.

06:34

The teller. You're a metal later liar Analyzing the slack space on a located space and in that file system analysis is part of this step in order to find files off interest carving files from the raw images based on finds. Heather's using tools is another technique. No foreigner gather evidence.

06:55

Reporting the results is a key part off an investigation. Consider writing in a way that reflects the usage off scientific methods on facts that you can prove a lot. The reporting style, the printing off the audience on be prepared for the report to be used as evidence for legal or administrative purposes.

07:15

All right, just one simple question in which of the steppe investigator should analyze the select space on the locator space on file system.

07:23

Is it a data recovery or be reporting results? Or maybe see Stina by search or debriefing cation?

07:30

You said a the recovery. You're correct.

07:34

So in this meeting, we cover the A step foreign SEC investigation mythology on analyze each of them. In the next model, we're going to study about Windows imaging, some principles, the logical structure of our witness operating system