Computer Forensics Investigation Process Part 2

Video Transcription
Hey, everybody, welcome back to the course. So in the last video we talked about some of the investigative phases, as well as warrants and some of the actions that a first responder might take. In this video, we're gonna talk about things like best practices as well as exhibit numbering.
So some best practices for investigation, for a forensic investigation. So number one, we want to have authorization from the decision maker. So that could be a judge. That could be your manager. Something like that, basically saying, OK, it's cool to go, you know, open up this investigation.
And then, of course, our first response. So we mentioned the first responders. So generally those are not investigators. They're generally gonna be someone like, you know, your IT personnel. So, like your system admin, your network admin. It could even be, like, you know, an accountant, for example, or like the janitor, right? So it could technically be anybody. But generally it's gonna be someone in an IT capacity for a digital forensic investigation.
Also, searching and seizing the evidence. So we want to make sure we have warrants, or, where you don't have a warrant, we want to make sure that we fall under the applicability of warrantless seizures.
Also, evidence collection. We want to make sure we maintain the standards. So, for example, standards set by our particular organization or our lab, or standards that we need to follow for a regulatory body. For example, if we were working in a federal government capacity, we might have to meet certain standards that the private sector maybe doesn't have to meet.
We want to secure that evidence. We also want to make a copy, so preferably a bit-by-bit copy of the evidence. We also want to make sure we don't, uh, excuse me, corrupt it. Also, you know, we don't change the evidence, or at least minimal changes. So, again, make sure you have some type of write blocker in place when you're collecting the evidence.
Also, as we copy and then acquire the evidence, we're gonna analyze it. So we're gonna take a look at it, look for information, generate a report on that, and then ultimately, you know, if it's a criminal case, we'll end up testifying, more than likely, in some capacity.
So one key point for your examination, for the CHFI exam, if you decide to take it: if the computer's powered off, leave it off. So you'll see different, possibly conflicting, things in industry. But for EC-Council purposes, if you see any type of question that's asking about, hey, the computer's off, what should, you know, Timmy do next? Timmy should leave that thing off, right? So that's a good thing to remember for your exam.
We also want to photograph the current state of the computer. So if it's off, we just want to photograph everything and everything around it.
That makes sure that we're, you know, not adjusting anything, making sure that nothing is being disturbed. All that comes into play when you're actually in the courtroom and they're saying, well, you know, it looks like this monitor should have been over here. You say, no, no, no, no, here's the original photograph from the scene.
Also, you know, if the computer might be off, we could move the mouse slightly and see what happens, right? So it may trigger the monitor to turn on if the computer's actually on and we just don't notice it. Um, but at that point, we don't do anything else, right? So we kind of move the mouse, and if we don't see anything else happening, we leave it alone, and we continue on with the process.
Networked computers. One key thing here that you'll see in the official EC-Council material, but that may or may not be applicable to the real world, is unplugging the network cable from the router or modem. Um, you may not be able to do that, right? That's kind of common sense. You know, if I've got two devices attached to my network in there and they're compromised, I'm not gonna go, like, unplug the router itself, right? I'm gonna unplug those devices, more than likely. So just keep that in mind for the examination. But the kind of concept there is that you're stopping the further attack on the machines. So if you feel that there's imminent danger of a continued attack, that might be something you want to remember for the exam, um, that the purpose of unplugging the network cable is to basically stop the attack.
You also want to collect all cords and peripherals. That's kind of common sense, like grab everything that you can, and document in the chain of custody through the entire process.
Speaking of chain of custody, so that's a legal document, and you'll see different formatting of it, but basically it should list all the people that are touching the evidence, that are involved in the process, and then walk through dates, times, et cetera, somebody signing off that they received the new evidence. As I mentioned, it's kind of that treasure map of your evidence.
Exhibit numbering. So this is the formatting from EC-Council that you want to memorize for the exam. However, you'll see different formatting out there. So the triple A is the investigator initials, then the date of the seizure, then the sequential number of exhibits, so, like, you know, 001, 002, 003, and then the sequential number for parts of the same exhibit is the two lowercase z's.
So, for example, you know, this computer screen is 001 a, and then I put the desktop, the CPU unit itself, as 001 b, et cetera, et cetera. So just kind of FYI on that. You'll just want to memorize those for the actual examination.
Different data recovery tools that we can use. This is not an all-inclusive list. These are some common ones that you might see mentioned throughout the EC-Council official material, so these ones you'll probably want to know for the examination: Recuva, Advanced Disk Recovery, Undelete Plus, The Sleuth Kit (TSK), and then, on top of that, Autopsy, which actually runs on that toolkit, and then EnCase and FTK.
So EnCase you may not actually see on the exam; that's kind of the older version of the exam. But just in case you do, we're gonna just kind of touch on it just a little bit. Really, we're just gonna look at some screenshots.
So Recuva, that's kind of what it looks like there. Again, a lot of these are just for file recovery, right, recovering data. So keep that in mind that there's many tools tested on the CHFI exam. Um, and in the official material, I think most of us stopped counting after, like, two or three hundred that are mentioned throughout the EC-Council official material. So just kind of FYI on that: there's a ton of tools.
But if you understand each aspect of what you're trying to do, then you can generally figure out, like, from the name of the tool what it's doing, right? So, for example, like Recuva, um, we can kind of figure, common sense wise, that's for file recovery, right, that we can recover things with that. So whatever, you know, type of file, something we can recover with it.
Advanced Disk Recovery, similar type of thing here. This is for Windows, so we can use that to recover information.
Undelete Plus. So if we delete a file and then delete it from the recycle bin, we can go in and grab it.
TSK and Autopsy. So here's the Autopsy interface here, and you'll see that's what you'll find in most forensic courses. You'll find mention of Autopsy. So it's a common tool in use out there.
EnCase is probably the most popular commercial one out there. Very, very expensive. That's one of the rationales why we don't actually use that in the labs in the course, because it's not pragmatic for anyone to actually go out and spend a few thousand dollars or so to get a license to then just do this for, like, a course, to pass one exam. So we don't use that. And most smaller companies don't use EnCase. These are kind of your bigger labs that are gonna use EnCase, and especially, like, your federal government.
And then we also have FTK Imager as well. This is another popular one from AccessData that a lot of people are using.
So just a quick post-assessment question. So this is the sequence number for parts of the same exhibit. So, for example, 001 a, 001 b, et cetera, et cetera. So which one of these is applicable to that?
All right, so if you said answer A, you are correct. So just as I mentioned, just make sure you memorize that for the actual examination itself. Just remember the different parts of the exhibits according to EC-Council.
So in this video, we wrapped up our discussion for module two. So we talked about exhibit numbering as well as some best practices.
And in the next module we're gonna talk, kind of at a high level, about a lot of different components of hard disks and file systems. So, for example, we'll talk about, like, the master boot record. We'll talk about HDD and SSD. We'll also talk about things like FAT and NTFS, as well as we'll go over the RAID levels, which is something you definitely want to know for your examination, as well as some information about hex, so basically reading image files, the first part of the hex on image files. So we'll kind of talk about those. Again, all that's kind of at that 10,000-foot level, but it's valuable information that you definitely need to know for the CHFI examination.
So I'll see you guys in the next video.
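As an added example (not from the video, the course labs, or EC-Council's material), here is a small Python model of the two record-keeping points the video covers: the exhibit-numbering template (investigator initials, seizure date, sequential exhibit number, lower-case suffix for parts of one exhibit) and a chain-of-custody log that refuses a hand-off unless the person releasing the item is the one the log says currently holds it, and refuses timestamps that go backwards. The `/` separator, the ddmmyy date form, the two-letter suffix limit, and names such as `JDS` and `EVIDENCE-LOCKER` are assumptions made for this example; the log entries in `demo()` are constructed, not real case data.

```python
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional

# Exhibit number layout as described in the video: three investigator initials,
# the seizure date, a three-digit sequential exhibit number (001, 002, ...) and
# a lower-case suffix (a, b, ... up to two letters) for parts of one exhibit.
# ASSUMPTIONS for this example: "/" as the field separator, the date written
# ddmmyy, and at most two suffix letters. Adjust to your own lab's template.
EXHIBIT_RE = re.compile(
    r"^(?P<initials>[A-Z]{3})/(?P<date>\d{6})/(?P<seq>\d{3})/(?P<part>[a-z]{1,2})$"
)


def part_suffix(n: int) -> str:
    """Map a 1-based part index to a suffix: 1 -> 'a', 26 -> 'z', 27 -> 'aa'."""
    if not 1 <= n <= 26 + 26 * 26:
        raise ValueError("part index out of range for a two-letter suffix")
    n -= 1
    if n < 26:
        return chr(ord("a") + n)
    n -= 26
    return chr(ord("a") + n // 26) + chr(ord("a") + n % 26)


def exhibit_number(initials: str, seized_on: str, seq: int, part: int = 1) -> str:
    """Build an exhibit number; seized_on is an ISO date string such as '2024-03-05'."""
    if not re.fullmatch(r"[A-Z]{3}", initials):
        raise ValueError("initials must be exactly three upper-case letters")
    if not 1 <= seq <= 999:
        raise ValueError("exhibit sequence number must be between 1 and 999")
    d = date.fromisoformat(seized_on)
    return f"{initials}/{d:%d%m%y}/{seq:03d}/{part_suffix(part)}"


def parse_exhibit_number(number: str) -> dict:
    """Split a well-formed exhibit number into its fields, or raise ValueError."""
    m = EXHIBIT_RE.match(number)
    if m is None:
        raise ValueError(f"malformed exhibit number: {number!r}")
    return m.groupdict()


@dataclass
class CustodyEntry:
    exhibit: str
    released_by: str
    received_by: str
    when: datetime
    purpose: str


@dataclass
class ChainOfCustody:
    """Ordered hand-off log for every exhibit, one entry per transfer."""
    entries: List[CustodyEntry] = field(default_factory=list)

    def last_entry(self, exhibit: str) -> Optional[CustodyEntry]:
        for e in reversed(self.entries):
            if e.exhibit == exhibit:
                return e
        return None

    def holder(self, exhibit: str) -> Optional[str]:
        e = self.last_entry(exhibit)
        return None if e is None else e.received_by

    def transfer(self, exhibit: str, released_by: str, received_by: str,
                 when: str, purpose: str) -> CustodyEntry:
        """Record a hand-off; `when` is an ISO 8601 timestamp string."""
        parse_exhibit_number(exhibit)          # reject malformed identifiers
        ts = datetime.fromisoformat(when)
        prev = self.last_entry(exhibit)
        if prev is not None:
            # The chain is only unbroken if the person releasing the item is
            # the person the log says currently holds it.
            if prev.received_by != released_by:
                raise ValueError(
                    f"custody gap for {exhibit}: held by {prev.received_by}, "
                    f"but {released_by} is releasing it")
            if ts < prev.when:
                raise ValueError(f"hand-off for {exhibit} is dated before the previous one")
        entry = CustodyEntry(exhibit, released_by, received_by, ts, purpose)
        self.entries.append(entry)
        return entry


def demo() -> ChainOfCustody:
    """Constructed walk-through: a monitor and its tower tagged as parts of one exhibit."""
    coc = ChainOfCustody()
    screen = exhibit_number("JDS", "2024-03-05", 1, part=1)   # JDS/050324/001/a
    tower = exhibit_number("JDS", "2024-03-05", 1, part=2)    # JDS/050324/001/b
    for item in (screen, tower):
        coc.transfer(item, "JDS", "EVIDENCE-LOCKER", "2024-03-05T14:30:00", "seized at scene")
    coc.transfer(tower, "EVIDENCE-LOCKER", "LAB-EXAMINER", "2024-03-06T09:00:00", "imaging")
    return coc


if __name__ == "__main__":
    for e in demo().entries:
        print(f"{e.exhibit}  {e.released_by} -> {e.received_by}  "
              f"{e.when:%Y-%m-%d %H:%M}  {e.purpose}")
```

The custody check is the part worth keeping even if your exhibit template differs: a log that accepts "JDS handed it to the examiner" while its own last line says the evidence locker holds the item is exactly the gap opposing counsel will ask about.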