Time
4 hours
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
hi and welcome to everyday digital forensics. I'm your host, Justin, he said, Not be guiding you through today. Digital discovery
00:07
on today's answer will go through a digital investigation scenario
00:12
for fun today work. We will use all the information we learned in the previous videos to find your coworker. For this video, I recommends having a digital physical copy off the current seen throughout as we go through the crime scene, as I will not always be able to display the image that will be using so you before sensitive picture
00:30
and you're gonna see which devices
00:32
contain forensics information that is useful steps taken for each item identified. Tills methodologies used to acquire forensics images, hardware tools and software programs. This is Ed's desk do coworker heads and working undercover for a Russian hacker. You spoke to Ed no more than half a hour ago.
00:50
You seem very anxious. Paranoid
00:53
Security reached out to you, reporting that he was connect after seeing two men enter with masks and carry him out unconsciously. He thought that a movie camera and showed you the image. You, his coworker, are the digital forensics investigator for the same PlayStation. What do you do? What do you look for? Once again, this is a scenario.
01:11
It's it's desk. He's undercover for a Russian hacker.
01:14
You spoke to help by half an hour ago. Security reached out to you to report that he was kidnapped after seeing the two month. So what do you do? And what do you look for? Let's take a look at that crime scene again and see what we can quickly examine for the purpose of his exercise. Once again, I recommend having additional physical coffee off the crime scene. Throughout.
01:32
They're about 13 items that I found that can be used for choosed
01:34
on used towards our investigation. What are they?
01:40
Take out a piece paper, Right. Some town take a minute to know. Take a screenshot
01:45
on just kind of identify
01:47
about 10 items or more that can be used to find clues based on the information that have given that can be used to find clues about where is that?
01:59
So this is what I identified. There may be other items that you have identified, and I definitely welcome suggestions so you can leave a comment or suggestions with your reasoning on the image.
02:09
Oh, This is just a quick points out of each objects. One of the items every identified was the desktop computer.
02:16
So what do we do with this appear?
02:17
Why don't we see that it's on? So we'll go ahead and perform live accusation.
02:23
We'll use the hardware where Gawker set up to prevent any files from running any malicious exodus. Any malicious scripts or anything that might run. We use the right box, forgot it. Taken account of open and accessible programs. Maybe add left recent eating house
02:39
a photo
02:42
in this image as a fingerprint. It could have been a identification of someone who was tracking capture volatile data. We don't know what he's saved in his brand memory. My memory can actually store information from your clipboard. So took board. We have a collection of cash and I'll data such as print jobs.
03:00
And, of course, the computer can identify what browser history overall user files, documentation, images.
03:07
I am email or social media data, but and communications that might make us a source
03:14
on anything that is connected to the device, like the U. S. Feet.
03:16
So this is the reason why we would choose the
03:20
the death.
03:21
Well, you saw for, like, abdicate imager on a case to run the
03:25
accusation
03:27
and make sure that we create duplicates all the original copy. We perform only actions on the duplicate copies. As part of the investigation process, we want to ensure that the original image we want to make sure that the original images not tampered with during the accusation
03:45
is.
03:46
And make sure you document the documentation has see reproducible this way. If it set up in the court and all they can follow your steps and come with same sources and data always include information on, sir see searches that you wanted to perform,
04:00
which once you did perform their results and which ones you did not perform.
04:03
And for what reason?
04:05
That is an overview of what can be accomplished on me computer itself.
04:11
The Peter was my first choice because there's so much to it. This is a digital friends ex course, and most of it is tended around
04:18
biosystems and data that you can pull from a computer laptop that stop sort of thing. Our next is a cell phone. We have image accusation of it. There might be a second way to authenticate, but maybe even try and figure out his pen
04:34
were We have a copy of this rare something we can do to get into his phone and figure out if are actually able to access. He did mobile device. We can pull things like recent calls, text message.
04:46
If location it saves, we can go to Google Maps history.
04:50
Find where they've been.
04:51
We have what browser history and data within the phone And, of course, more apt data such as email, banking and social media. Once again, you would handle cell phone saying where you would handle the test. You will make sure it if it's live,
05:05
you connect as much data as you can.
05:08
Cell phone. Tough box. If the computer signs out,
05:11
it's gonna be more difficult for you to access. The information 100 is more open. Source. Toe Under is more accessible with the information side. Iowa's has more layers of protection. The original image enabled it as a watch, but I'm they were gonna ask Smartwatch just because when it's an aged at foreign watches to exist,
05:30
so smart watches can help
05:32
use a determined ownership. It may not be ads,
05:35
watch and maybe someone else's. Let's see if we can actually pull
05:40
some kind of forensic. Some biological forensics evidence off of a legitimate who? It iss uh, if it's a smartwatch to determine ownership is the case with any watch. With the Smartwatch, you may be able to access location,
05:53
some phones and some watches. Have a two by two connection to figure out where it is like looking my phone looking. My watch. We have Communication channel. Some people keep text messages media on their watches, and investigators may have
06:09
use your time accessing a smartwatch that it will try accessing a cell phone with a pin. If the device is Andrew, you can always enable a ZB for debugging
06:19
on the show. You able to see data cache system an SD card if one is applicable.
06:26
This is information that you receive from the site. Watch itself
06:30
up. Next is the voice over I p telephone. This you can just saying recent calls, contact information. Maybe you see a number that's repeated itself over and over. God, you could also say there's voicemails left over if you're able to access it or know his 10 contact. Last known numbers from this is just a small little
06:48
information as they go into other items.
06:51
The reasoning may be smaller, smaller, so you want to make sure that you prioritize your time and focused on the items that will produce more data. Possible
07:00
USB stick A USB stick is interesting. If it's connected to the laptop, you would run it as a live acquisition. You would verify that there's nothing running, and they used to be that may be communicating with a not set. So where's
07:14
you would isolate itself as well as make a copy of within the You escape
07:19
and work on only the copy, so use B will contain recent documents. It could be clues to find recent months or years within Windows, you could look into the registry and see recent devices that were connected. You can also find additional media files,
07:36
the guesthouse registering may sure that, you see it was Russi mount, depending on the information within the use fees, depending on whether or not you would categorize it as evidence.
07:46
We have his I. D card and his task board.
07:49
These two were kind of combined together as they're just a form of identification
07:54
the passport in seeing recent troubles.
07:57
Um,
07:59
photos, some kind of thing to identify the person in question. Both idea and password. Haven't image. So you can use that for identification,
08:09
body height and the photo,
08:11
The gun and the bullet is another portion of France six. We're not getting into this in this class,
08:16
but fingerprints, serial numbers.
08:20
Gunnar industry
08:20
was the gun recently shot was Was that weapon belonged to end? Does that working belonged to Heavy is that weapon belonged to any recent cases that at work you can use these kind of questions to relate whether that object
08:33
isn't evidence for your case.
08:35
Next object is his board. His board has sticking out. It has joined a connection, Sean, information that he's gathered
08:43
his research.
08:46
So within the board itself, you can find Cruz investigation.
08:50
Some of the documents may have been printed with the printed nearby. So within the test stop, you could find temporary. If I was an instrumental data document metadata that might correlate to when it was printed.
09:03
This one, I won't die too much into it. It's confidential documentation. Make sure you have a clearance, but it could contain case information suspects may be linked to these cases. It's kind of a point for you to review up next. So simply bag it could be from a recent gather
09:20
linked to one of the confidential documentations or something that you find within one of the other objects that you're searching for. Evidence.
09:28
These are recent notes would be pictures, maybe quotes, something that may give you a clue or even linked to some kind of document.
09:37
In today's reflection, we took crime scene investigation Photo identified, evidence on their types, discussed process and steps for accusation,
09:48
coronated independent evidence to look for additional evidence.
09:52
This is the notebook, the USB, the documents on the board,
09:56
the confidential information.
09:58
They're independent evidence. However, they could all relate to one case. So something on the board, something within the UC and something written in his notebook could be not too much. But we touched upon some tools and methodologies to be used within the vest IG ation process of this scenario. That's it for module one.
10:18
Yes, I want to thank you for watching this video
10:20
and future good usable
10:22
go into how to perform live and sad accusations. What happens when you delete a file performing data carving and this Senna graphic
10:33
techniques of extracting and importing hidden information within an image out of property. Check and execute malicious files
10:41
if foreign professional tools at both of beginner and in defense up.
10:46
So once again, thank you for watching and I'll catch the next one.

Up Next

Everyday Digital Forensics

In this course, you will be presented with an overview of the principles and techniques for digital forensics investigation in the spectrum of file system analysis.

Instructed By

Instructor Profile Image
Yesenia Yser
Engineering Manager, Security Research & Development at SoFL, Women in Tech Committee Member, University Outreach and STEM Instructor
Instructor