All right. So moving beyond e discovery. Let's take a look at forensics. Can wanna stress you will not be a forensics expert after this. As a matter of fact, for those of you that already have background and forensics, you'll go. Oh, but that's so high level. Yes. Yes, it is.
We will discuss it to the depth that we need to for the C. C S P exam,
of course, understanding there many other courses you could take and need to take before you're really qualified. Incompetent with forensics. All right, so we get our guidelines here from various standards. As always, we appreciate the input of the international organization of standards
because they are Inder International.
Ah, standards based organization.
Hence the name, but I So 27,000 and 50 revision one, it looks like, does address forensics in the cloud. So I would simply know that I would simply No, that's what that standard does and provides us with the Siri's of,
uh, information or a set of information in relation to service providers and their degree of involvement hints.
You know, it's important with the cloud communications standards in relation to forensics. We also have different ice. Oh, documents that give us best practices. Honestly, I would associate is so 27,000 and 50 with cloud forensics specifically.
Now they're just some sort of generally accepted forensic standards that you wanna have down, you know, just is far as traditional forensic requirements those applied to digital forensics in the digital forensic requirements apply to the cloud as well.
So, you know, we're just kind of building upon.
So when we talk about, you know, the issues right off the bat really hard to get physical access to evidence in the public cloud. I can't just show up and say, Let me have that hard drive. I'm gonna analyze it for a little bit.
So we may, you know, in infrastructure is a service. We can get access to the V EMS, so that would be the next best thing. But we better have a lot of proved to be able to authenticate those v ems.
Uh, you know, again, they're just files. So we have thio guarantee that there hasn't been
modification and integrity, and we're gonna have to work hand in hand with the cloud service provider for software as a service. The CSP is going to really kind of take the lead there.
They should have the log files and documentation on secure access to the application.
But ultimately, when it comes down to it, whether you're infrastructure, software or platform, you should be documented in the service level agreement. We want to make sure that we have snapshots and we take back UPS regularly. We have regular backups,
never know when we're gonna need to compare and contrast images.
Make sure that audit ings configured within your virtual environment. We talked about SIM Systems being the centralized logs and pull those together hashing is what gives us integrity so that we can guarantee that file A hasn't been modified.
And then we also have to make sure we have data retention policies in place,
and they will be different based on the needs of the organization. Usually, that's driven by legal requirements are really important to have those policies in place,
you know, whether you're stormed out on the cloud or not, you have to have each of these elements for good forensics. Now the process of digital forensics and again a different course may teach you something different. you know, there are more steps in here, right? But just at a high level, identify
once you identify something is evidence.
Your first priority now becomes preservation of that evidence. So you might say that the first responders job is to ensure preservation of evidence. That's the most important piece. So, from the very beginning, acting in a forensically sound manner to collection of the evidence.
So collecting the forensically sound manner,
labeling the information acquiring are the evidence acquiring the evidence, making sure it doesn't get modified or damaged in any way. Then we go through examination and analysis, examination yields, data analysis, yields information.
Okay, data, just the facts. That's what I get when I do examination. This file was opened at 10. 23 at 7 a.m. The D. N s service stopped. You know, that's not good, More bad or, you know, it's just it's just data right in and of itself. It's meaningless
when we take that dama
and we put it into context. We're analyzing. Okay. Well, Deanna started at 7 a.m. No one should have had access to the d n. A server at 7 a.m.
Right. That's against policy. Well, now that's information that will help us in the big picture.
Ultimately, we're gonna collect our information, organize it and present it in a way that's meaningful through reporting. And then we document what we've learned throughout the process. We always learn good or bad, right? We have great lessons to take away or we have mistakes we've made. We've got a document.