Forensic Investigation Process: Part 1
Video Activity

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:00
>> Now, let's discuss the forensic investigation process. Now, our first two steps in the forensic investigation are identification and preservation. Our first step, we want to identify that something's evidence, and then we have to make sure that we've preserved it.

With identification, there's something called Locard's principle of exchange, that essentially says when something is taken, something is left behind, and that really is true. Many times, we see criminals leave evidence behind at the scene. They may leave DNA, they may leave a digital thumbprint or footprint. There's always something left behind. At the very least, what is taken leaves behind some degree of knowledge. For instance, if we see a politically motivated attack, the evidence left behind, or what's left behind, is the fact that the attacker took some benefit from targeting this particular politician. At the very least, we gain knowledge. But usually, there's something much more tangible that can be used as evidence left behind. Our job is to find out what it is, to properly identify it as evidence, and then move through the remaining steps.

The next step, which is preservation, is the most important step for a first responder. As soon as something is determined to be evidence, we should move right into the preservation stage, where we start our chain of custody, which means we're going to document who collected it, when, where, and how it was stored. Again, we really want to provide a history of the lifespan of that data, and we don't want holes in accountability for the data. We need to show that it was in a controlled environment each step along the way. We also need to be able to prove the evidence wasn't manipulated, that it's been properly preserved, so we're going to do a lot of documentation here. We're going to use hashing so that we can guarantee there's been no modification. Identification and preservation are the first two steps of the forensic process.
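The preservation step described in the transcript, as an added Python example that is not part of the lesson: a reference SHA-256 digest is taken at acquisition, every handling step is logged with who, when, where and how the item was stored, later copies are re-hashed against the reference, and the log is checked for holes (missing collection entry, out-of-order timestamps, a digest that drifted). The evidence bytes, names, locations and timestamps are constructed for illustration.

```python
"""Chain-of-custody record with hash-based integrity verification.

Added example for the lesson above, not the course's own code. All names,
evidence IDs, locations and the sample bytes below are constructed.
"""
import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed stand-in for an acquired disk image or exported artifact.
SAMPLE_EVIDENCE = b"constructed sample: pretend this is a disk image\n" * 256


def sha256_hex(data: bytes) -> str:
    """Digest of an in-memory item (small artifacts such as an exported log)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Digest of a file, streamed so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class CustodyEntry:
    action: str      # collected / transferred / verified
    handler: str     # who
    when: str        # UTC ISO 8601, so entries compare chronologically as strings
    where: str       # where
    storage: str     # how it was stored
    sha256: str      # digest observed at this step
    note: str = ""


@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    reference_sha256: str                       # digest taken at acquisition
    entries: List[CustodyEntry] = field(default_factory=list)

    def add(self, action: str, handler: str, where: str, storage: str,
            sha256: str, note: str = "", when: Optional[str] = None) -> None:
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append(CustodyEntry(action, handler, when, where, storage, sha256, note))

    def verify(self, data: bytes, handler: str, where: str, storage: str,
               when: Optional[str] = None) -> bool:
        """Re-hash a copy against the acquisition digest; log the outcome either way."""
        observed = sha256_hex(data)
        ok = observed == self.reference_sha256
        self.add("verified", handler, where, storage, observed,
                 "match" if ok else "MISMATCH: item differs from acquisition", when)
        return ok

    def problems(self) -> List[str]:
        """Holes in accountability a reviewer would reject the record for."""
        issues = []
        if not self.entries or self.entries[0].action != "collected":
            issues.append("record does not begin with a collection entry")
        for i, e in enumerate(self.entries):
            if e.sha256 != self.reference_sha256:
                issues.append(f"entry {i} ({e.action} by {e.handler}): digest differs from reference")
            if i and e.when < self.entries[i - 1].when:
                issues.append(f"entry {i} ({e.action} by {e.handler}): timestamp precedes previous entry")
        return issues

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def collect(evidence_id: str, description: str, data: bytes, handler: str,
            where: str, storage: str, when: Optional[str] = None) -> EvidenceRecord:
    """Identification done; start preservation by taking the reference digest."""
    digest = sha256_hex(data)
    rec = EvidenceRecord(evidence_id, description, digest)
    rec.add("collected", handler, where, storage, digest, "reference digest at acquisition", when)
    return rec


if __name__ == "__main__":
    rec = collect("EV-0001", "constructed sample image", SAMPLE_EVIDENCE, "A. Responder",
                  "server room, rack 3", "write-blocked USB drive, evidence bag 17",
                  "2024-01-05T10:00:00+00:00")
    rec.add("transferred", "B. Examiner", "forensics lab", "evidence locker 2",
            sha256_hex(SAMPLE_EVIDENCE), "received from A. Responder", "2024-01-05T14:30:00+00:00")
    print("copy verifies:", rec.verify(SAMPLE_EVIDENCE, "B. Examiner", "forensics lab",
                                       "evidence locker 2", "2024-01-06T09:00:00+00:00"))
    tampered = SAMPLE_EVIDENCE[:-1] + b"?"
    print("tampered copy verifies:", rec.verify(tampered, "B. Examiner", "forensics lab",
                                                "evidence locker 2", "2024-01-06T09:05:00+00:00"))
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_EVIDENCE)
    print("streamed file digest matches:", sha256_file(tmp.name) == rec.reference_sha256)
    print("problems:", rec.problems())
    print(rec.to_json())
```

The record deliberately logs a failed verification instead of discarding it: the mismatch itself is part of the item's history, and `problems()` then flags that entry so the break in accountability is visible to whoever reviews the record later.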