Digital Evidence Logs
Video Transcription
>> Hi, and welcome to Everyday Digital Forensics. I'm your host Yesenia Yser. In today's module of Digital Discovery, we're going to go over digital evidence.

What is digital evidence? Digital evidence includes information on computers, audio files, video recordings, and digital images. This is evidence that's essential in computer and Internet crimes, but it's also valuable for facial recognition, crime scene photos, and surveillance tapes. Digital evidence can be anything in between audio evidence, image evidence, computer Internet crimes, image analysis, videos. Digital evidence is anything that's actually digital. You have your files, you have a web browser history, social media, anything that is actually digital in this world.

What is a common format for a digital image? We have raw image, your .IMG, your .DD; you have Advanced Forensics Format, AFF; you have VMware image, so you can actually perform analysis on your VMware or your VirtualBox images; EnCase EW, which has the extension .E01.

In today's video, you're going to have a clear understanding of digital evidence within Windows Event logs, Windows Registry, and our web browser data files.

In the event that you're performing analysis on a Windows operating machine, it's best to know that Windows holds event logs. Event logs are detailed records of our system, security, and application notifications that are stored within Windows OS. From anything of a user signing into the machine, to any protocols that were executed, to any programs that were run, any files that were downloaded, things of that nature are stored within our Windows Event logs. Based on the operating system, you can see that your event logs are actually stored in different locations. Windows also offers a good way for you to search and review your event logs. Some of the logs contain the date and time the event occurred, your user, your computer, your event's ID, your source, and your different type. Your type can range from information, a warning, an error, a security audit, or a security failure.

Next, we have Windows Registry. The registry is a database of stored configurations about the users, the hardware, and the software on a Windows system. These are any configuration settings, from the way your screen is displayed, to the connection to a printer, to the connection to your network. Any of the configurations for a software are stored within the registry. Even though the registry was designed to configure the system, it tracks a number of information about the user's activities, from devices it connects to, such as your USBs. Anything you pretty much connect to a device is stored within the registry, to software that's used, including when it was used. There's so much more information that the registry consumes, stores, and can do.

Information in the registry with some forensic value includes users and the times that they last used the system, some of the most recent software that they used, devices that were mounted on that system, and when the system connected to a specific wireless access point. Let's say in the event that you log into Starbucks, you log into McDonald's. For some reason or some way or another, you are able to mask that you connected there. On your Windows Registry, it still holds that information. If an examiner is able to pull that from your machine and see the connectivity date and time at the McDonald's or at the Starbucks, they can connect those two independent sources and identify their hypothesis that you were at McDonald's or Starbucks doing that malicious activity. You also have what and when files are accessed and any of the searches that were done on the system.

A Windows registry has five separate hives. These are your root folders in your Windows Registry. You have your Users, which just contains the information on user profiles; your Current User, which is the current user that's logged in. Number 2 is just nested within number 1, although it's one of the main folders. You can find the same information in registry Hive 1. You have Classes Root, which contains configuration information on applications used to open files. This is some of the configurations that you may have for PDF files, your Microsoft Office files. If you've ever opened up Chrome and then Firefox and Internet Explorer or Internet Edge, you'll get that pop-up and it says, "Your Chrome browser is not your default. Would you like to make it your default?" This is the registry hive that it's tracking this setting in. This is the root of that configuration to let the system know that this is not your default web browser. We also have Current Configuration, which is your hardware profile, the system at point of startup, and then your Local Machine. This is configuration information including hardware and software settings.

One of the most commonly used applications in digital forensics is your web browser. Your web browser holds so many data files, from your cookies, your different sessions, your bookmarks, your web browser history, that can tell so much of a user's activity. This is where a lot of a user's activity is actually performed. You use a web browser to perform searches. You use Google all the time, and that is through your web browser. You use your web browser to sign into your email. You use your web browser for blog posting, social media, news, shopping, weather conditions, gaming, videos, music, banking, research, anything, and everything is typically done through a web browser. This is your connection to the outside world. A web browser's data files are one of the most commonly used and most detailed sources of information about a user during an investigation process. If you're ever performing an investigation, web browser data is one of the areas that you do want to focus your attention on.

In today's video, we talked about the types of digital forensics image. We went over Windows Event logs, talked about Windows Registry and its five hives, and then went into web browser data files and the importance of it within an investigation. I hope you enjoyed today's video and I'll catch you in the next one.
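The event-log fields the video lists (date and time, user, computer, event ID, source, and type) can be pulled out of the XML that Event Viewer's "Save As XML" export produces. This Python example is added here and is not part of the course; the two records are constructed samples in that export's shape, and the level numbers and audit keywords are the values Windows itself uses.

```python
import xml.etree.ElementTree as ET

# Namespace of Event Viewer's "Save As XML" export.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# <Level> values as Windows records them.
LEVELS = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning",
          4: "Information", 5: "Verbose"}
# Security log records carry success/failure in <Keywords>, not <Level>.
AUDIT_SUCCESS = 0x8020000000000000
AUDIT_FAILURE = 0x8010000000000000


def parse_event(xml_text):
    """Reduce one exported <Event> to time, computer, user, event ID, source, type."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    text = lambda tag: system.findtext(f"e:{tag}", default="", namespaces=NS)
    keywords = int(text("Keywords") or "0", 16)
    if (keywords & AUDIT_SUCCESS) == AUDIT_SUCCESS:
        ev_type = "Audit Success"
    elif (keywords & AUDIT_FAILURE) == AUDIT_FAILURE:
        ev_type = "Audit Failure"
    else:
        ev_type = LEVELS.get(int(text("Level") or "0"), "Unknown")
    security = system.find("e:Security", NS)   # UserID is absent on many audit records
    return {
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": text("Computer"),
        "user": security.get("UserID", "") if security is not None else "",
        "event_id": int(text("EventID")),
        "source": system.find("e:Provider", NS).get("Name"),
        "type": ev_type,
    }


def count_by_type(xml_records):
    """Triage helper: how many records of each type are in an export."""
    counts = {}
    for rec in xml_records:
        t = parse_event(rec)["type"]
        counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed sample records (not real logs) in the export's shape.
LOGON_OK = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><Level>0</Level>
<Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2024-01-15T09:12:44.000Z"/>
<Computer>WS-EXAMPLE</Computer><Security/></System></Event>"""
APP_ERROR = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Application Error"/><EventID>1000</EventID><Level>2</Level>
<Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2024-01-15T09:13:02.000Z"/>
<Computer>WS-EXAMPLE</Computer><Security UserID="S-1-5-21-1111-2222-3333-1001"/></System></Event>"""
```

Run `parse_event` over each `<Event>` element of a real export to get the same six-field view the video describes; `count_by_type` gives a quick first look at how many audit failures versus errors an export holds.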