Forensic Investigation Process: Part 2

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
Let's pick up talking about Part 2 of the forensic investigation process. Here we're going to cover the remaining steps, and those remaining steps are going to be the collection of the evidence. Then we're going to submit it through an examination process which will lead to analysis. We'll present the data in a court of law, and then we'll get a decision based on the quality of the evidence. We're really going to just focus here on the collection, examination, and analysis piece, because once the data is presented in a court of law, the decision is out of our hands.

Let's look at collection first. When we talk about collection of evidence, this is where we have to be particularly careful, because if we don't properly collect our evidence, we can find that it's corrupted or modified, or might even just have the appearance of being corrupted or modified. Remember, many times in criminal court we are looking for evidence that is convincing, and we want it to be convincing beyond a reasonable doubt. If there appears to be a possibility that the evidence has been contaminated or perhaps modified, maliciously or not, then the evidence is not going to be of that same quality.

Just some general rules of thumb: document, document, document. You can never document too much. You also want to make sure that we minimize the handling of the evidence itself when possible; if you can work with a copy of the evidence as opposed to the original, that's best. We make sure that we follow policy that's in place. I'm not going to read all these off to you, but make sure that we're having good processes in place, that we're following those processes in order, and also, from a collection perspective, we want to make sure that we're following the principle of volatility.

The principle of volatility means we're going to collect evidence from most volatile to least volatile. Just to show you the order of volatility, we're going to pull those things that have the shortest lifespan. Anything stored in the CPU registers: it's a very high-speed memory, and contents are stored in the registers for very short periods of time. What's in the registers is information that it's anticipated the CPU will need. Contents aren't there long. From there, we'll collect what's in cache memory, assuming that's still available, then we move to system memory or RAM. Then we have virtual memory, which is an area of hard drive space that's set aside to act like physical RAM. Then we remove information from the hard drive itself, and then at that point in time we would look to those very least volatile locations for evidence, like paper records or records that have been stored off site. But it's important that we collect our evidence in these steps because we want to make sure that we're able to obtain or to retrieve as much evidence as possible.

Now, we also want to make sure that in collection, the rights of the suspect have been honored. We want to make sure that we follow the proper processes for seizing evidence and turning it over to law enforcement. The Fourth Amendment protects US citizens from illegal search and seizure by law enforcement. We want to make sure that the evidence isn't improperly seized. There are some exceptions to the Fourth Amendment. Evidence can be seized if it is the result of, or if it is referenced in, a subpoena, that is, that information has been subpoenaed, wherever the evidence is. Also anything that's obtained as a result of a search warrant, anything turned over as voluntary consent, and then also exigent circumstances. Exigent circumstances mean that the evidence is in direct harm of being destroyed.

One of the city council members, city managers, in one of the counties near where I live was arrested for embezzlement. Basically, when the police showed up at his door, his wife was in the bathroom flushing hundreds of dollar bills, thousands of dollar bills I'm sure, down the toilet. That would definitely be an exigent circumstance, and then the evidence was able to be seized. What cracked me up also is that when they did arrest her, she had $20,000 shoved in her bra. I don't care what figure you have, $20,000 is going to show up. Sometimes criminals are not the smartest folks in the world, but that was definitely exigent circumstances, and the evidence, even though it wasn't turned over voluntarily, was admissible in court.

Next step: we've collected the evidence. Now we want to examine it. When we talk about examination, examination yields data, while analysis yields information. Examination gives us data, analysis gives us information. When we talk about examination, what we're doing is simply documenting the facts. File was accessed at 08:00 PM. Was that good? Was it bad? Don't know. We're just documenting our finding. But once we take those findings and look at them in context as part of the bigger picture, now we're doing analysis, and now we're gathering information that's meaningful, that's in context, and we can make actionable decisions once we have our analysis done. We're really trying to figure out what the root cause is.

Now, one thing I want to stress is, before we examine or analyze something in the original, we would prefer to make a copy of that original rather than analyzing the original. Specifically, thinking about ideas like hard drives: before we would put a hard drive through an examination or analysis process, what we would do is we would go through all the steps in the order of volatility that we talked about just a minute ago, and then, when we're finally ready to look at the hard drive, we remove the hard drive and immediately put it into a write-protected system so that nothing we do could modify the hard drive. Then we take a hash; we hash that system and we write down, we record, the hash so that we have the hash of the hard drive before any examination or analysis. Next thing we do is we take a bit-level copy of that hard drive, then we hash the copy. For those of you that remember what we talked about in Chapter 3, cryptography, what should be true of the hashes if the hard drive has not been modified? Anybody remember? The hashes should be the same. If one is different from the other, the hashes will be different. What we've done is we've taken the hard drive before any investigation and hashed it. Then we've copied it and hashed the copy. Now, we're going to analyze the copy in a write-protected system, and after we're done investigating, we're going to hash the copy again and prove that at no step in the process have we modified the information on that drive. We're actually going to take three forensic hashes as part of the examination and analysis process so that, again, we can guarantee the integrity of our evidence.

Now, once we're done with examination and analysis, now we're going to present this information in court, and hopefully we've collected the information in a forensically sound manner, and I'll tell you, all the way up to where we transport the evidence to the court of law and turn it over with sign-off, up until that point, the evidence is our responsibility. Now again, ideally the decision would be in our favor. The evidence may be returned. It may not be returned, depending on possibility of appeal and other criteria. But ideally, throughout the stages of the forensic process, we've done our job. We've collected evidence in a sound manner so that we can get a ruling in our favor.

We looked at the final five stages. We looked at the first two in the previous section. Now we're looking at collection, examination, then analysis, presenting the evidence in court, and waiting on our decision.
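The three-hash procedure the lecture describes (hash the write-protected original, hash the bit-level copy, hash the copy again after examination), as an added Python example that is not part of the course video or its transcript. The in-memory image, the marker string and the two examination functions are constructed for illustration and stand in for a real drive, write blocker and imaging tool; the second examination shows what a missing write block lets happen.

```python
import hashlib
import io
import shutil

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image is never loaded whole


def hash_stream(stream, algo="sha256"):
    """Stream a hash over a file-like object from its start; used for all three hashes."""
    stream.seek(0)
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def bit_level_copy(source):
    """Return a byte-for-byte copy of the source as a new in-memory image."""
    source.seek(0)
    dest = io.BytesIO()
    shutil.copyfileobj(source, dest, CHUNK)
    return dest


def verify_three_hashes(original, examine):
    """Apply the three-hash procedure and report whether all three digests agree.
    1. hash the (write-protected) original before anything else is done to it
    2. take a bit-level copy and hash it; it must equal hash 1
    3. run the examination on the copy only, hash the copy again; it must equal hash 1
    """
    h_original = hash_stream(original)
    copy = bit_level_copy(original)
    h_copy = hash_stream(copy)
    examine(copy)                      # examination happens on the copy, never the original
    h_after = hash_stream(copy)
    intact = h_original == h_copy == h_after
    return h_original, h_copy, h_after, intact


def read_only_examination(image):
    """Examination that only reads: record whether a constructed marker string is present."""
    image.seek(0)
    return image.read().find(b"INVOICE") != -1


def careless_examination(image):
    """Examination that writes to the copy; the third hash will expose it."""
    image.seek(0)
    image.write(b"X")


# Constructed sample "drive image" (not a real disk) and a helper that opens a fresh handle to it
SAMPLE_IMAGE = b"\x00" * 512 + b"INVOICE-2023 ledger" + b"\xff" * 512


def sample_image():
    return io.BytesIO(SAMPLE_IMAGE)
```

When hash 1 and hash 2 agree, the copy is a faithful image; when hash 3 still agrees after the work is done, nothing in the examination altered the evidence, which is the chain the examiner documents.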