Computer Forensics Investigation Process Part 1
Hey, everybody, welcome back to the course. So in the last video, we wrapped up our Module 1 lab. So we looked at a couple of different image files.
Now, again, that's a fun little lab to show your family and friends.
So in this video, we're gonna talk about the different phases of investigations.
So just a quick pre-assessment question. Securing the forensic scene would be in the post-investigation phase. Is that true or false?
All right, so the answer is false there. Right? So obviously, if we're starting off and securing the scene, we're not gonna be already in the post-investigation phase, right? We haven't even conducted our investigation yet.
So speaking of phases, we've got the pre-investigation, the investigation, and then, as we mentioned, the post-investigation stage.
So the pre-investigation phase. So this is where we, you know, do that initial work, right? We're planning our budget for investigations, we're setting up our forensic lab, or, you know, if we work for a large organization or large government body, we may set up the lab to be able to take on cases from other organizations.
We also plan out our data destruction. Right? So after we're done with the, for example, the criminal case, what do we do with the evidence, right? Or a civil case? What? What do we do with the evidence? How can we verify that It's actually been destroyed where nobody can go in our dumpster and just grab that stuff?
We also plan out, like, evidence lockers. Right. So how secure are they gonna be, where are they gonna be? You know, how many do we need, that sort of stuff, based on how much volume we plan to do.
Also our workstations. So we plan out, okay, you know, we only see, you know, most of our investigations are on Windows computers, so it may not make sense to, you know, create a Mac workstation. Right? So it may not make sense to create a workstation that's for analyzing Mac devices if we only get, like, one a year, right,
because in that case, we might be able to partner with another lab, right, that specializes in Mac.
Also consideration of certifications, right? So not only for lab, you know, workers, but also the lab itself. Right? There's different certification bodies out there that say, okay, well, this lab, you know, meets X criteria, and they're qualified to investigate these types of cases.
Our QA. Right. So how are we maintaining quality assurance through the entire process? I mean, so keep in mind there as well, like, the chain of custody, right? So, you know, and we'll talk about that a lot throughout the entire course. But, you know, essentially make sure we know where the evidence came from, who's touched it, and why they've touched it,
and all the way through the entire process. So think of it kind of like a little treasure map of your
Also auditing, you know, so planning our audits as well as understanding laws and regulations that we have to be accountable for.
So the forensic lab itself, you probably won't see this heavily tested in the material too much for the CHFI exam, but just kind of know, at a high level, what a forensic lab entails. So number one, we want to plan our budget, you know, and then figure out our team. Right? So how many, you know, investigators do we need?
Do we need lab managers? You know, how many do we need? We'd like other people in the lab. How many of those do we need? We need janitorial staff, you know. What kind of criteria are we using to investigate all those people to make sure they're not criminals, you know? And then ISO/IEC 17025.
That covers some standards for the lab setup and forensics in general.
And some of the common things that you'll want to know. We want floor-to-ceiling walls. We don't want, like, bushes, you know, right outside, like, the window. We don't want, like, externally facing windows in the lab. So, as you see pictured here, it's just some walls. You see, they're floor-to-ceiling walls, not like the little fake walls that you just pull out and push back again. Um,
and so this is, like, a good example of what, um, you know, your lab could look like. We also want to consider, you know, locks, secure containers for the evidence, as well as making sure we have appropriate locks on doors, you know, whether that's electronic or physical, and then also making sure workstations are adequate size. So
roughly around 50 to 63 square feet is kind of the gold standard according to EC-Council. So just kind of keep that in mind for the exam.
So then our investigation phase, right? So, you know, obviously we want to have either consent from somebody in a position of authority, you know? So, for example, you know, if you're a kid and you do a crime and then your parents say, Yeah, you can search his room. Well, that's given the consent, right? So that's a person of authority. We'll talk about that a little more when we get into the warrants module.
And then also, of course, having a warrant, right? So we either have consent or have an actual warrant that allows us to search the particular item or items that we're looking for.
And so then we have our first responders, right? So the first responder shows up and they secure the evidence. So you want to keep in mind, the first responder is securing stuff in the investigation phase, so they show up, they secure stuff, and then from there they're photographing or documenting the scene how it is. The investigator arrives, and sometimes the first responder is the investigator, right?
The investigator arrives on the scene, and they, you know, they work through collecting evidence, you know, of course, maintaining the chain of custody, preserving it in evidence, and then moving into the analyzing of the evidence.
So, as I mentioned, warrants: we've got a couple different types, the electronic storage device and service provider. So you want to know both of those for your exam, and we'll talk about those in just a moment. The search warrant, if you're not familiar with what it is, basically a judge writes that out or signs off on it, and that directs law enforcement to search for particular evidence, right?
Um, yeah, and that's kind of where the Fourth Amendment comes in, that we, uh, talked about earlier in Module 1. Whereas for the most part, the judge or, you know, the investigative team would have to specify, like, okay, you know, this warrant covers, you know, the laptop and the desktop, you know, or, you know, it covers the house, and so anything inside the house is covered by this warrant. So there's gonna be some specifications. You can't just sign off, like, a warrant and then,
you know, then go search through the woods in back of the house, in back of the neighbor's house, or, you know, or even search the neighbor's house. You kind of have to have something specified.
So, I'll back up a second. So electronic storage device. So basically, that's the hardware components, you know? So our hardware and software. So, for example, if they come seize your computer, that's where that's gonna be covered. And the service provider would be like your account information, like your cable company or something, you know, and that way they can see, like, billing.
They can get more in-depth information about, like, your browsing history.
They can also subpoena all the records from, so the warrant, for example, could cover all the records that are related to your account, so they can get information from the actual servers. So they could get permission to image parts of the servers from this actual service provider. So that way, if you think that you're gonna delete stuff, that you've cleaned up your desktop,
the reality is there's still information out there that can be gathered to prosecute you, or, if it's like a civil case, to find against you.
So warrants not needed, you know, a warrantless seizure. Basically, if the destruction of evidence is imminent and the belief is that the item that's gonna be seized, or that could potentially be seized, is evidence of criminal activity. So, for example, using, like, child *** for an example.
You know, there was a case a while back, I think it's been, like, three or four years now.
But basically the FBI was investigating this person. They knew that the person had their laptop set up to where, you know, of course, they had full disk encryption, and they also had it set up to where if there were, like, so many wrong attempts or something like that, it would wipe the hard drive, right? So it
would wipe everything out. So they set up a distraction. And you might know, you may be familiar with this case. I could be telling it partially wrong,
but I'm just trying to remember the article, but basically
they set up a distraction and they were able to get the laptop. Now they had a warrant in that case, right? They were able to get the user to be logged in, and then they were able to fake a fight, essentially, inside of, I think, the library, and get access to the laptop. But using that as a scenario, we could potentially, like, if we see that the criminal is, you know, on the laptop,
you know, we look over their shoulder, for example.
You know, let's say, let's say you're a police officer. You look over their shoulder in a Starbucks and you see they're watching child ***, right? You can, you can seize that device at that time. Well, I'm not giving legal advice, obviously; understand the laws in your jurisdiction. But under this definition here, you could, you could potentially seize that device, umm,
without a warrant, you know, and then get something retroactive, but
again, not giving legal advice there. But just so you can understand what we're talking about here with a warrantless seizure.
And then the other option here is the person with authority consent. So I mentioned, you know, something like, you're a kid, you have computers, you do whatever criminal activity, and your parents say, Yeah, you can, you know, you can search Joey's room. You can take his computer, whatever you want to do.
So just keep that in mind. So there are options around to using warrants, you know, kind of like the no-knock warrants, if your state or where you live has that stuff. So basically, those are like, you know, the police could know that somebody is a drug dealer, and so they could do a no-knock warrant if there's, if there's a feeling that knocking and saying "Police with a warrant"
might lead to some type of endangerment to either the individual
or the police. So generally people that, you know, have a history of violence against the police, or at least a documented history, whether or not it's true, because, as we've seen in different media articles, but anyways, digressing there a bit, but basically the same concept, right? You know, they can go in and get the evidence without shouting out, Hey, police with a warrant.
So first responders, as I mentioned, you know, they're securing the scene. It's generally not gonna be your investigator. Sometimes it is, but generally it's gonna be somebody else, right? So this might be like your IT personnel, so your system admin, network admin, you know. So, for example, they noticed there's been an incident, some kind of breach.
And so, you know, they come in and they take a look at stuff for you.
Post-investigation phase
here. We're, you know, we're gonna assess evidence and everything. So we're also kind of tapping into, like, social media behavior of the investigator here, right? So we want to act appropriately. We don't want to be like, Oh, I just found this evidence on so-and-so, you know, I found evidence on Donald Trump, for example. You know, check it out.
You know, obviously, number one, you're gonna go to jail because you're an investigator, and, you know, I'm sure there are statutes
that are applicable. And then also collecting social media evidence falls into this phase as well. So we're collecting it on the criminals as well here.
So some of the tools you can use for the social media collection are gonna be things like, uh, there's a couple of them listed here, but there's many, many more out there. So, like, Facebook forensic software, you know, Social Discovery is a pretty popular tool. That's a news net... excuse me,
Navigator. Like, like I said, there's a whole bunch of different ones for social media.
Um, and as the social media platforms block stuff, you're able to find new ones out there as well.
So in this video, we talked about the different phases of investigation, and in the next video, we're gonna talk about some best practices as well as exhibit numbering.