Basic Forensic Procedures

Description
In this session, we look at the practice of forensics and why it is important to use best practices and take care in how we capture evidence. You'll learn what the "order of volatility" means, and what the impact of your work as a forensics professional is when you don't adhere to professional standards and best practices while conducting your work.

[toggle_content title="Transcript"]

In this time, we have to consider that a lot of crimes are being committed across the Internet. We have to collect evidence, and when we collect evidence we are having to collect electronic evidence. The practice of forensics involves that we have to be careful in how we collect evidence; we have to be strategic in how we collect our evidence. We have to follow best practice in collecting our evidence, and there are certain measures by which we must collect the evidence. Otherwise it couldn't be presented in a court of law.

One of the first things we look at is that you want to capture your evidence in its order of volatility. When collecting evidence you want to capture it in its order of volatility, meaning evidence that can easily be lost, which we refer to as volatile evidence, is what you want to capture first. In regards to order of volatility, you want to follow this sequence: most volatile are registers and the information in cache or RAM; next your network cache and virtual memory; then your hard drives and flash drives; and finally your CD-ROMs, DVDs and printouts. This is a basic consideration for order of volatility. If you ignore the order of volatility, by the time you understand or realize that you still need some evidence, it is probably lost.

When we do computer forensics, we want to work on the original evidence as little as possible. We want to preserve the evidence in the exact form we collected it, so the best thing we do is to capture the system image. We capture the image of the device or the media on which we have the evidence. Best practice: you connect it through a write blocker, a device that prevents you from accidentally writing to the media, so that you are only able to collect information from the media without contaminating the evidence. We want to capture the system image, and we want to do it following best practices to ensure we have an exact copy of the evidence. We do a bit-by-bit copy of the evidence so that we have a replica of the evidence. We don't want to tear down the original. We might have to return the original to the owners. We might have to present the original in a court of law. We want to capture the system image, and you do all your analysis on the image that you've captured.

You also want to take hashes. When you capture the image, you take a hash of the original media. Using cryptographic software you measure the content of the original media. You take a hash of the original media, then you capture the system image. Next you take a hash of the image, so we have an image hash. This way the hash values you obtain can be used to verify that you have an exact replica of the original media. You take the hash of the image and compare it to the hash of the original, so that you can tell you have an exact replica of the original in the image.

We would also need to look at network logs. We want to review our network logs to see the traffic that transpired on the network: what traffic transpired on the network, on what day, at what time, from what system to what system. We need to review the network logs. The logs will capture all incidents that took place on the network. Everything is in the logs. We have to review these logs to see what transpired.

We also need to record the time offset. This has to do with properly documenting the timestamp on the media that is used, so that we can tell what exact date, time and sequence we're referring to. Usually we reference a known time standard such as GMT or Central European Time. If the equipment has to move from one zone to another zone, we are not confused as to what time is being referenced while processing the evidence.

We also need to capture screenshots. You need to capture screenshots of the procedures you followed in processing the evidence. Should somebody else need to review, they can then go through these pictures to see what steps you followed. You have to follow best practice. You have to follow known steps that are approved and could be approved in a court of law.

We also want to collect witnesses. Usually in a court of law it is preferred that you have an expert witness, an expert forensic analyst who could review the processes by which the evidence is being analyzed to see that best practice was followed. These forensic experts would review the collection process. They would review the analysis process to ensure and verify to the court of law that best practice was followed in processing the evidence.

While doing forensic procedures we also want to capture video. When we capture video we are able to piece together activities; we are able to piece together possible movement of people, movement of gadgets and movement of equipment. Activities that transpired in any given incident we are able to piece together by connecting video from numerous sources, so that we can tell what happened, when it happened, and what happened after what. By collecting captured video from multiple sources you are then able to piece together everything that transpired for the investigation you are carrying out.

We also track man-hours and expenses. We have to capture all expenses incurred, all purchases made, all travel, how long it took to carry out the investigation, how many people worked on the case, and how much each was paid per hour. This allows us to do an overall damage assessment. We want to do an overall damage assessment so that we can say whoever caused this activity, or whatever transpired, resulted in a certain amount of loss. So you have to track man-hours and expenses to capture an overall damage assessment.

Very important for this section is our chain of custody. The chain of custody is the documentation we keep about the evidence from the time we collect it, throughout storage and analysis, until we present it in a court of law. So the chain of custody has to be in a bound book. We don't like spiral binding, because pages can go missing and we can't tell. With a very good chain of custody, you have a nice case in court. Without a solid chain of custody, the case could be thrown out of court. You must have a chain of custody that details: who had access to the evidence? For what purpose did they have access to the evidence? Where was the evidence stored? Who had access to the keys? How long was it stored there? Who had access to the evidence, and how long did they have it? Et cetera. So this is all captured in the chain of custody.

Finally we look at big data analysis. Big data analysis in the forensics arena is a challenge for forensics experts, because big data is actually a collection of data sets that are so large and complex that they cannot be managed using traditional database management tools. This presents challenges for forensic analysts in how we process and how we investigate big data.

[/toggle_content]
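The imaging-and-hashing procedure the transcript describes (hash the original, take a bit-by-bit image, hash the image, compare the two, and log the acquisition against a UTC clock), as an added shell example. This script is not part of the Cybrary lesson; it assumes a POSIX shell with `dd` and `sha256sum` (or `shasum`), and in a real acquisition the source would be a block device such as `/dev/sdb` connected through a hardware write blocker. The demo at the bottom stands in a constructed temp file for the seized medium and then deliberately overwrites one byte of the image to show the hash comparison catching contamination.

```shell
#!/bin/sh
# Added example, not from the Cybrary lesson: image a medium bit-for-bit, hash
# the original before imaging and the image afterwards, and compare the hashes.
# Assumes: POSIX sh, dd, and sha256sum or shasum. The source path would be a
# block device behind a write blocker in practice; here it is a sample file.
set -eu

# Print the SHA-256 digest of a file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Bit-by-bit copy of SOURCE into IMAGE. conv=noerror,sync keeps reading past
# unreadable blocks and pads them with zeros, so a bad sector shows up as a hash
# mismatch rather than a short image. bs=512 matches the medium's sector size:
# with conv=sync a larger bs would zero-pad the final partial block and the
# image hash would no longer equal the original's.
image_media() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash the original first, then image it, then hash the image. Append both
# digests with a UTC timestamp to LOG so the record is not tied to local time.
acquire() {
    src="$1"; img="$2"; log="$3"
    src_hash=$(hash_file "$src")
    image_media "$src" "$img"
    img_hash=$(hash_file "$img")
    printf '%s UTC  acquired %s -> %s\n  sha256(original)=%s\n  sha256(image)=%s\n' \
        "$(date -u '+%Y-%m-%d %H:%M:%S')" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
}

# Re-hash original and image and compare. Prints VERIFIED and returns 0 on a
# match; prints MISMATCH and returns 1 if the image was altered or truncated.
verify_image() {
    if [ "$(hash_file "$1")" = "$(hash_file "$2")" ]; then
        echo VERIFIED
        return 0
    fi
    echo MISMATCH
    return 1
}

# Demo on constructed sample data: run as `sh acquire.sh demo`.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    yes evidence | head -c 65536 > "$work/source.raw"   # stands in for the seized medium
    acquire "$work/source.raw" "$work/source.dd" "$work/acquisition.log"
    verify_image "$work/source.raw" "$work/source.dd"
    # Simulate contamination: overwrite one byte of the image, then re-verify.
    printf 'X' | dd of="$work/source.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$work/source.raw" "$work/source.dd" || echo "image no longer matches the original"
    cat "$work/acquisition.log"
fi
```

Two details matter in practice: the original is hashed before the image is taken, so the digest in the log describes the medium as it was received, and the block size passed to `dd` must equal the medium's sector size, otherwise `conv=sync` pads the last block and the two hashes disagree even though nothing was tampered with.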