Evidence Collection and Forensics


Time: 7 hours 15 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
>> Hi there and welcome to our next lesson, Evidence Collection and Forensics. In this lesson, we'll be talking about computer forensics, the importance of the chain of custody as it relates to computer forensics, the different stages of forensics, and some of the key procedure stages that, as an auditor, you should be looking to review.

Let's begin. Computer forensics, basically, is the process of identifying, preserving, analyzing, and presenting evidence from a computer that is acceptable in a legal context. It essentially includes all activities involved in the gathering, processing, and interpreting of the digital evidence. Obviously a key important factor with computer forensics, given the fact that it is going to head to a legal proceeding, is that it needs to follow the regulations and laws of your particular jurisdiction. This will vary from state to state and country to country, of course.

Chain of custody is quite critical in dealing with forensic data. Basically, forensic data, or any digital data collected in a forensic manner, is incredibly volatile. There needs to be a record of who had access to the evidence, and that needs to be maintained with the actual evidence itself. There need to be a number of procedures developed to follow for working with the evidence. There needs to be a very strong understanding of anyone who is handling or touching the evidence, and how they actually deal with the evidence itself. Basically, this comes down to proving that the analysis has been conducted on identical copies of the evidence. Often, because the analysis of the evidence will potentially destroy it, the original evidence collected at a particular crime scene or a particular incident is usually immediately duplicated, and the original copy is kept stored away from any analysis activities.

Now, there are a couple of stages of forensics. Basically, it's the identification of the evidence. Next is the preservation, so, as I indicated, often digital evidence will be collected and a copy immediately made, on which all the analysis will be conducted. Then there is the analysis of the evidence itself, which could vary depending upon the nature of what's been collected, and then some form of presentation, usually in the form of a report which follows any of the legal requirements for the given jurisdiction.

Now, as an auditor, there are a couple of key procedures that you need to look for. First and foremost is data protection: how are you going to protect the evidence in a forensically sound manner? Is the data acquisition procedure correct, in terms of: is the data being collected in a forensically sound manner? Is there a procedure for imaging, so that any data that's imaged, that's been collected, is done in exactly the same way? Then we also have extraction and interrogation procedures so that the data can be analyzed; ingestion and normalization, which is another analysis component; and reporting and evidence protection. These are all key procedures that you'll need to look for.

That is computer forensics. We've talked about computer forensics, issues regarding the chain of custody, some of the stages of forensics, and the key procedures that you need to look for as an auditor. That's the end of our lesson. I hope you enjoyed it and I will see you at the next one.
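The chain-of-custody point above (analysis only on a copy proven identical to the original, with a record of every hand-off kept alongside the evidence) as an added Python model, not code from the lesson or the course. It assumes SHA-256 stands in for whatever verification the imaging tool performs, and the evidence bytes, item id and handler names are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample evidence: stand-in bytes for a disk image acquired at the scene.
ORIGINAL_IMAGE = bytes(range(256)) * 16

@dataclass
class CustodyEntry:
    handler: str   # who handled the item, or "from->to" for a hand-off
    action: str    # what was done with it
    sha256: str    # hash of the bytes at that moment

@dataclass
class EvidenceRecord:
    item_id: str
    acquisition_hash: str                  # hash taken when the original was collected
    log: list = field(default_factory=list)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(item_id: str, original: bytes, handler: str) -> EvidenceRecord:
    """Hash the original once at collection; it is then stored away untouched."""
    h = sha256_hex(original)
    rec = EvidenceRecord(item_id, h)
    rec.log.append(CustodyEntry(handler, "acquired original", h))
    return rec

def verify_working_copy(rec: EvidenceRecord, copy: bytes, handler: str) -> bool:
    """Analysis may only proceed on a copy whose hash matches the acquisition hash."""
    h = sha256_hex(copy)
    ok = h == rec.acquisition_hash
    rec.log.append(CustodyEntry(handler, "working copy " + ("verified" if ok else "HASH MISMATCH"), h))
    return ok

def transfer(rec: EvidenceRecord, data: bytes, from_handler: str, to_handler: str) -> bool:
    """Every hand-off re-hashes the item so the record shows who had it and in what state."""
    h = sha256_hex(data)
    ok = h == rec.acquisition_hash
    rec.log.append(CustodyEntry(f"{from_handler}->{to_handler}", "transfer " + ("verified" if ok else "HASH MISMATCH"), h))
    return ok

def audit_chain(rec: EvidenceRecord) -> bool:
    """Auditor's check: the chain is unbroken only if every logged hash equals the acquisition hash."""
    return bool(rec.log) and all(e.sha256 == rec.acquisition_hash for e in rec.log)

if __name__ == "__main__":
    rec = acquire("EXHIBIT-01", ORIGINAL_IMAGE, "collector")
    copy = bytes(ORIGINAL_IMAGE)
    verify_working_copy(rec, copy, "examiner")
    transfer(rec, copy, "examiner", "lab")
    print("chain intact:", audit_chain(rec))
```

A single altered byte in the working copy shows up as a HASH MISMATCH entry, and the auditor's check then fails for the whole record.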