Time
3 hours 47 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

In this session, we look at the practice of forensics and why it's important to use best practices and take care in how we capture evidence. You'll learn what the "order of volatility" means, and what the impact of your work as a forensics professional is when you don't adhere to professional standards and best practices when conducting your work.

[toggle_content title="Transcript"]
In this time, we have to consider that a lot of crimes are being committed across the Internet. We have to collect evidence, and when we collect evidence we're having to collect electronic evidence. The practice of forensics involves that we have to be careful how we collect our evidence; we have to be strategic in how we collect our evidence. We have to follow best practice in collecting our evidence, and we have certain measures by which we must collect the evidence. Otherwise it couldn't be presented in a court of law.

One of the first things we look at is that you want to capture your evidence in its order of volatility. When collecting evidence you want to capture it in its order of volatility, meaning evidence that can easily be lost, which we refer to as volatile evidence. Those are the ones you want to capture first. In regards to order of volatility, you want to follow this sequence: most volatile are the registers and information in the cache or RAM; next your network cache and the virtual memory; then your hard drives and flash drives; finally your CD-ROMs, DVDs and printouts. This is a basic consideration for order of volatility. If you ignore the order of volatility, by the time you understand or realize that you still need some evidence, it is probably lost.

When we do computer forensics, we want to work on the original evidence as little as possible. We want to preserve the evidence in the exact form we collected it, so the best thing we do is capture the system image. We capture the image of the device or the media on which we have the evidence. Best practice: you connect this to a write-block device that prevents you from accidentally writing to the media; that way you're only able to collect information from the media without contaminating the evidence. We want to capture the system image, and we want to do it following best practices to ensure we have an exact copy of the evidence. We do a bit-by-bit copy of the evidence so that we have a replica of the evidence. We don't want to tear down the original. We might have to return the original to the owners. We might have to return the original in a court of law. We want to capture the system image, and you do all your analyses on the image that you've captured.

You also want to take hashes. When you capture the image, you take a hash of the original media. Using cryptographic software you can measure the content of the original media. When you take a hash of the original media, then you capture the system image. Next you take a hash of the image, so we have hash, image, hash. This way the hash values you obtain here can be used to verify that you have the exact replica of the original media. You take the hash of the image and compare that to the hash of the original, so that you can tell you have an exact replica of the original in the image.

We would also be needing to look at network logs. We want to visit the logs; we want to review our network logs to see traffic that transpired on the network. We want to see what traffic transpired on the network, what day, what time, from what system to what system. We need to review the network logs. The logs will capture all incidents that took place on the network. Everything is in the logs. We have to review these logs to see what transpired.

We also need to record the time offset. This has to do with properly documenting the timestamp on media that is used so that we can tell what exact date, time and sequence we're referring to. Usually we reference a known time standard such as GMT or Central European Time. If the equipment has to move from one zone to another zone, we are not confused as to what time is being referenced while processing the evidence.

We also need to capture screenshots. You need to capture screenshots of the procedures you followed in processing the evidence. Should somebody else need to review, they can then go through these pictures to see what steps you followed. You have to follow best practice. You have to follow known steps that are approved and could be approved in a court of law.

We also want to collect review witnesses. Usually in a court of law it is preferred that you have expert witnesses, expert forensic analysts that could review the processes by which the evidence is being analyzed to see that best practice was followed. These forensic experts would review the collection process. They would review the analysis process to ensure and verify to the court of law that best practice was followed in processing the evidence.

While doing forensic procedures we also want to capture video. When we capture video we're able to piece together activities; we're able to piece together possible movement of people, movement of gadgets and movement of equipment. Activities that transpired in any given incident we're able to piece together by collecting video from numerous sources, so that we can tell what happened, when it happened and what happened after each other. If we capture video from multiple sources, you are then able to piece together everything that transpired for the investigation you are carrying out.

If we track man-hours and expenses, we have to capture all expenses incurred, all purchases made, all travel, how long it took to carry out the investigation, how many people worked on the case, how much they are paid per hour. This allows us to do an overall damage assessment. We want to do an overall damage assessment so that we can say whoever caused this activity, or whatever transpired, resulted in a certain amount of loss. So you have to track man-hours and expenses to capture an overall damage assessment.

Very important for this section is our chain of custody. The chain of custody is documentation we keep about the evidence from the time we collect the evidence, throughout the storage and analysis, until we present it in a court of law. The chain of custody has to be in a bound book. We don't like spiral binding because pages can go missing and we can't tell. With a very good chain of custody, you have a nice case in court. Without a solid chain of custody, the case could be thrown out of court. You must have a chain of custody that details: who had access to the evidence? For what purpose did they have access to the evidence? Where was the evidence stored? Who had access to the keys? How long was it stored there for? Who had access to the evidence? How long did they have it? Etcetera. This is all captured in the chain of custody.

Finally we look at big data analysis. Big data analysis in the forensics arena is a challenge to forensics experts because big data is actually a collection of data so large and complex that it cannot be managed using traditional database management tools. This presents challenges for forensic analysts in how we process, how we investigate, big data.
[/toggle_content]
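The acquisition procedure the transcript describes (hash the original, make a bit-for-bit copy, hash the image, compare the two, and record who did what and when in a custody log stamped against a known time standard), as an added example that is not part of the course material. A small constructed file stands in for the evidence media; in practice the source would be a block device sitting behind a hardware write blocker. The file names, the handler name and the log line format are assumptions made for the example. It also shows the failure mode the transcript warns about: a single byte accidentally written to the image is caught when the image is re-verified against the original.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large media never sits in memory


def sha256_of(path):
    """Stream a file through SHA-256 without loading all of it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Bit-for-bit copy of `source` into `image`.

    Hash the original first, hash the bytes as they are written, then
    re-read the finished image from disk so the check covers what
    actually landed on the target, not what was in memory.
    Returns (original_hash, written_hash, image_hash).
    """
    original_hash = sha256_of(source)
    written = hashlib.sha256()
    # The source is opened read-only; a hardware write blocker is the real
    # control against accidental writes, this is only the software side.
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            written.update(block)
        dst.flush()
        os.fsync(dst.fileno())
    return original_hash, written.hexdigest(), sha256_of(image)


def image_verified(source, image):
    """True only if the on-disk image hashes identically to the original."""
    return sha256_of(source) == sha256_of(image)


def custody_entry(action, item, digest, handler, note=""):
    """One chain-of-custody line, timestamped in UTC (GMT) so entries
    made in different time zones stay comparable. Format is assumed."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} | {action} | {item} | sha256={digest} | handler={handler} | {note}"


def demo():
    """Acquire a constructed sample, verify it, then show that one
    changed byte in the image fails re-verification."""
    with tempfile.TemporaryDirectory() as workdir:
        media = os.path.join(workdir, "evidence_media.bin")  # constructed stand-in
        image = os.path.join(workdir, "evidence_media.dd")
        with open(media, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096 + 7))  # deterministic pattern, ~3 MiB

        original, written, imaged = acquire_image(media, image)
        log = [
            custody_entry("hash-original", media, original, "examiner-1"),
            custody_entry("acquire-image", image, imaged, "examiner-1",
                          "bit-for-bit copy, source behind write blocker"),
        ]
        clean = original == written == imaged and image_verified(media, image)

        # Simulate an accidental write to the image: flip one bit at offset 100.
        with open(image, "r+b") as f:
            f.seek(100)
            b = f.read(1)
            f.seek(100)
            f.write(bytes([b[0] ^ 0x01]))
        still_verified = image_verified(media, image)
        return clean, still_verified, log


if __name__ == "__main__":
    clean, still_verified, log = demo()
    print("\n".join(log))
    print("image verified after acquisition:", clean)
    print("image verified after one-byte change:", still_verified)
```

Hashing twice on the acquisition side (the stream as written and the image re-read from disk) is what separates "the copy command finished" from "the copy on disk is the original"; the custody log records the digests so a later examiner, or an expert witness reviewing the process, can repeat the check.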

Video Transcription

00:04
In this time,
00:05
we have to consider that a lot of crimes are being committed across the Internet.
00:11
So we have to collect evidence. When we collect evidence, we're having to collect electronic evidence.
00:17
The practice of forensics involves that
00:20
we have to be careful how we collect our evidence. We have to be strategic in how we collect our evidence. We have to follow best practice in collecting our evidence, and we have certain measures by which we must collect the evidence. Otherwise, they couldn't be presented in a court of law.
00:36
One of the first things we look at is you want to capture your evidence in their order of volatility.
00:44
When collecting evidence, you want to capture them in their order of volatility, meaning
00:50
everything that can easily be lost. We refer to them as volatile evidence, so those are the ones you want to capture first.
00:58
So in regards to order of volatility, you want to follow this sequence.
01:04
Most volatile, your registers, information in the cache or RAM. Next, your network cache, the virtual memory,
01:12
then your hard drives and flash drives.
01:15
Finally, your CD-ROMs, DVDs and printouts. So this is a basic consideration for order of volatility.
01:22
If you ignore order of volatility, by the time you understand or realize that you still need some evidence, they're probably lost. When we do computer forensics, we want to work on the original evidence as little as possible. We want to preserve the evidence in the exact form we collected it.
01:41
So the best thing we do is we need to capture the system image.
01:45
We capture the image of the device or the media on which we have the evidence. Best practice: you connect this to a write-block device that prevents you accidentally writing to the media. That way, you're only able to collect
02:01
information on the media without contaminating the evidence.
02:06
So we want to capture the system image. We want to do this following best practices to ensure we have an exact copy of the evidence. We do a bit-by-bit copy of the evidence so that we have a
02:19
replica of the evidence. We don't want to tear down the original. We might have to return the original to the owners.
02:27
We might have to return the original in a court of law. So you want to capture the system image, and you do all your analyses on the image that you've captured. You also want to do,
02:39
you want to take hashes.
02:42
So when you capture the image,
02:44
you take a hash of the original media. So using cryptographic software, you can
02:50
measure the content of the original media. When you take a hash of the original media, then you
03:00
capture the system image. Next,
03:04
you take a hash of the image, so we have hash, image, hash. This way, the hash values you obtain here can be used to verify that you have the exact replica as the original media.
03:20
You take a hash of the
03:21
image, compare that to the hash of the original, so that you can tell you have an exact replica of the original in the image. We would also be needing to look at network logs. We want to visit the logs. We want to review our network logs
03:40
to see traffic
03:43
that transpired on the network.
03:46
We want to see what traffic transpired on the network. What day? What time? From what system to what system? We need to review the network logs. The logs will capture all incidents that took place on the network.
03:59
Everything is in the logs, so we have to review these logs to see what transpired.
04:05
We also need to capture, we need to record a time offset.
04:10
This has to do with
04:12
properly documenting the time stamp
04:17
on media that is used so that we can tell what exact date, time, sequence we're referring to. Usually we reference a known time standard such as GMT or Central European Time. So in case equipment has to move from one zone to another zone,
04:38
we are not confused as to what time is being referenced
04:43
while processing the evidence. We also need to capture screenshots. You need to capture screenshots of procedures followed in processing the evidence, should somebody else need to review. They can then go through these pictures to see what steps you followed. You have to follow
05:01
best practice. You have to follow known steps
05:05
that are approved and could be approved in a court of law.
05:10
We also want to
05:13
collect
05:14
review witnesses,
05:21
usually in a court of law. It is preferred that you have expert witnesses,
05:28
expert forensic analysts that will review or that could,
05:34
that will review the processes by which the
05:39
evidence is being analyzed to see that best practice was followed. So these forensic experts would review the collection process. They would review the analysis process to ensure and verify to the court of law that best practice was followed in processing the evidence
05:59
while doing forensic procedures. We also want to capture video
06:03
when we capture video we're able to piece together
06:09
activities, we're able to piece together
06:13
possible movement of people, movement of gadgets, movement of equipment,
06:17
activities that transpired in any given
06:21
incident we're able to piece together by collecting video from numerous sources so that we can tell what happened, when it happened, what happened after each other. So by collecting, we capture video. If you capture video from multiple sources, you're then able to piece together everything that transpired
06:40
for the investigation you are carrying out.
06:42
If we track man-hours and expenses, it allows us, we have to capture all expenses incurred, all purchases made, all travels, how long it took to carry out the investigation, how many people worked on the case, how much they paid per hour. This allows us to do an overall damage assessment.
07:02
We want to do overall damage assessment so that we can say whoever caused this activity, or whatever transpired, resulted in a certain amount of loss. So you have to track man-hours and expenses
07:16
to capture an overall damage assessment.
07:20
Very important for this section is our chain of custody.
07:30
The chain of custody is documentation we keep about the evidence from the time we collect the evidence, throughout the storage, analyses, until we present it in a court of law. So the chain of custody has to be in a bound book. We don't like spiral binding because pages can go missing.
07:48
We can't tell.
07:49
So, with a very good chain of custody, you have a nice case in court. Without a solid chain of custody, the case will be thrown out of court.
08:00
So you must have a chain of custody that details who had access to the evidence. For what purpose did they have access to the evidence? Where was the evidence stored? Who had access to the keys?
08:11
How long was it stored there for? Who had access to the evidence? How long did they have it? Etcetera, etcetera. So this is all captured in the chain of custody.
08:22
Finally, we look at big data analyses.
08:24
Big data analyses in the forensics arena is a challenge to forensics experts because big data is actually a collection of data that are so large and complex that they cannot be managed using traditional database management tools. This presents
08:43
challenges for forensic analysts
08:46
in how we process, how we investigate big data.

Instructed By

Kelly Handerhan
Senior Instructor