Discovery Recap

00:00

hi and welcome to everyday digital forensics. I'm your host just saying, he said. And in today's module of digital discovery, we're gonna do ah discovery recap.

00:09

So in today's video, we're gonna go over some information that was discussed in previous videos such as your digital forensics, the investigation process, the data accusation and digital evidence,

00:20

and then

00:21

talk a bit more about Windows browser for our locations,

00:25

some of the windows, artifacts and temporary files.

00:30

So do you recall what digital forensics is?

00:35

Did your forensics is the process and where we develop and test the hypothesis that answer questions about a digital event.

00:42

We use thes scientific method where we developed a hypothesis using the evidence that we have found on then test that hypothesis. Looking for additional evidence that will show that are her about this is is impossible.

00:57

Do you recall with the five steps of a digital forensics processes,

01:03

we have our identification in which we identify evidence that's valuable for our investigation.

01:08

We have preservation, which we preserve the state at which

01:12

the digital crime occurred. We'll go ahead and collect our data on after recollect your data will perform a analysis part where we kind of correlate and link independent sources to one another to prove or disprove or hypothesis in the investigation process. And this is part of the whole process. We do our reporting

01:32

in reporting. We log information

01:34

on searches that we've conducted timeline off efforts chain of custody on searches that we did not perform

01:42

going into their general accusation process. This typically foods copy one bite from the original storage device to a destination storage. Then we repeat for the next bit. We perform steps one and two until we have copied the full source. Copying typically occurs in

02:00

bites of 1 52 which are the size of this sectors, and these are the sizes that are typically transferred each time

02:07

some tools may counter errors were performing accusations. So just be aware that if you see nothing but zeros, there could be the possibility that there was an error that occurred during the process of writing to the destination drive.

02:21

Do you recall with the five hives of a Windows registry is

02:27

our first hive is our user.

02:29

This is typically a list of all the users that have logged into the machine.

02:32

The 2nd 1 is its own brute registry haIf, but could be a necid of the first. The same information that you see on the second could be seen in the first,

02:43

but the current user is the users X logged in. So this is the information on the current user.

02:47

We have a local machine, which is the settings that are used during boot up classroom and current configurations, which is our configurations for a different hardware and software settings.

03:00

Can you recall what a common format for a digital image is?

03:07

Some of the common formats are a raw image or dot I am G or Don T D.

03:10

Our advanced forensics format image a f f ah VM Ware image, which is R V M d K and N Case E W, which is our dot easier one. There's other, different images that could be used, and each image type may be performed by different acquisition tool, so you only get the Don t D. If you're performing

03:30

an accusation using a D D command,

03:32

however, you could get a dot easier one or dot I am G using FCK.

03:38

So the penny on the software that you use in the accusation is dependent on the format that you will get.

03:46

So we had mentioned previously that Web browser information is very important in the investigation process. So depending on your operating system on the Web browser you have, there's different locations for files.

03:59

So, as you can see, Internet explored based on the operating systems of Windows, has different locations for temporary files, cookies and its history

04:09

really dependent on the operating system version.

04:12

Then moving over to Firefox,

04:15

you can see that there's a difference between a Lennox, A Mac, a Windows XP and other Windows versions. So this is just kind of an idea of different locations for where

04:25

for where. Browser data is stored

04:28

based on your operating system and your Web browser.

04:30

Now we also have Google Chrome and Safari, and the same thing is you have different locations for your cashing. Your cooking's you're setting your browser history based on your operating system and your Web browser.

04:45

So Windows has a thing called window artifacts, and this is typically used in the analysis of files that help demonstrate evidence of information so your Windows artifacts could essentially tell you if a file was downloaded which programs were executed. Which files were open or created?

05:02

A delusional file, or maybe a link to a file,

05:05

your physical location of the file. Or maybe the device

05:10

any USB or drive usage some of your account uses and even your browser usage. Temporary files is also a good location to search for information and evidence, so the purpose of temporary files is to temporarily store files. There could be a random set of files that can be found in your temporary folder.

05:28

Programs typically generate copies of open documents, this directory

05:31

and our left behind by the program that executes them

05:34

when you download a file off of your browser. Sometimes a copy of that file is in your temporary folder.

05:41

So why does this happen

05:42

In the event of your machine being shut down, an air had occurred as you're writing a document or downloading a file. The machines or copies off these files interred a temporary folder kind of as a cashing system in the event that the machine shuts down as you're writing, let's say, a Microsoft Office document.

06:01

Have you ever noticed that once you reboot the system or restart the application you may have.

06:05

You may have not saved it, but you have part of what you had written.

06:10

The temporary files is storing part of that. So that's the last stored state of the file,

06:15

the same thing that happened in a download. But let's say you only Donald 1/4 of it.

06:19

So when you go to restart the download, it's not going to start from scratch. It's going to start from what it found in the temporary vows. To continue Donald in the issue of temporary files is the applications may not go back to remove the temporary files, so you may open this directory and just see a bunch of data that's in there

06:39

from files that have just left behind.

06:42

They're copies in Windows Vista and above. This folder is typically located in the path of all.

06:47

So in today's lecture, we want over digital forensics, the investigation process, data accusation did your evidence and then dive a little deeper in our Windows browser. Far Locations talked about Windows, artifacts and the importance of temporary fats.