Forensic Investigations

00:01

Hey, guys, watch another episode of the S S C P Exam Prep. I'm your host, Peter Simple in

00:08

This is going to be the second lesson in the fourth domain

00:12

so far in the fourth domain, we took a look at incident handling, which is the way an organization in response to a security incident

00:20

and now in this domain in this lesson specifically, we're gonna look at forensic investigations, which is a post assessment activity off any security incident in order to find out how the incident was started. It's very important to dig through all of the

00:38

digital evidence left behind from this incident

00:41

to piece together exactly what happened.

00:43

Let's get started

00:46

before person can start to identify evidence after an incident that happens to an organization, the crime scene must be established. So just like normal murderers, kidnappings, car accidents, right computer incidents and security incidents have prime scenes too.

01:03

On these crime scenes need to be

01:07

documented and defined. In order to collect all the evidence associated with that crime scene

01:14

principles of criminalistics, you will see that a lot of these are the same, whether it's a cyber crime or a real crime right. You want to identify the crime scene? You want to protect the environment so it can't be disrupted or any evidence. Disturb?

01:32

You want to identify any evidence within the crime scene?

01:34

You want to collect all of this evidence and you wanna minimize contamination

01:42

evidence.

01:42

One of most important aspects of evidence is live evidence, right. This is data that isn't a very dynamic location and can disappear or change in a moment's notice. Specifically, I'm talking about Ram. Um,

01:57

this is me. You want to make sure this evidence is gathered first simply because it does not hang around for a very long time.

02:06

Low cards principle of exchange. When a crime is committed, the perpetrators leaves something behind and take something with them,

02:14

right? Always this always happens, right? There is no such thing as, you know, clean, clean getaway, especially in cybercrime. Something always gets left behind. And this is great because this allows us to identify aspects of the person responsible and eventually figure out who the perpetrator is.

02:34

Guidelines for handling of it is these air general guidelines, but they could definitely be applied in a regular crime scene as well as in a cyber crime scene.

02:43

Guidelines are make sure the person who's handling the evidence is properly trained.

02:47

Make sure they take full responsibility for the evidence. If they decide to possess it or work with it on, the evidence cannot be changed. It's very important to maintain the integrity of the evidence at all times, and the evidence must be fully documented.

03:04

Anyone who has evidence is responsible for following all these forensic and procedural principles. When it comes to evidence,

03:15

Ranger procedures gather the evidence is the critical part off forensic analysis. It's very important to gather all the announces, and it's even more important that things or document

03:28

everything must be documents. So you know what kind of evidence you're dealing with the state. It's in where it was found just so you can kind of piece together and go back to, and we'll look at evidence and figure out how the incident took place. The data must not be altered at all

03:46

to ensure the integrity of the data.

03:50

You can take this kid image of the data or use a hashing out our rhythm, which will get into a little bit later, which maintains the integrity of the Davis, so you'll know if it was actually altered. Not You also want to establish a chain of custody as soon as you can. So basically, you want to document

04:09

everyone

04:10

that has touched her, looked at the data and what they did with it. Just so in case something does get corrupted or something that does happen to the data, you know exactly who is responsible.

04:23

Five rules of evidence. This is kind of like a like a blueprint for establishing evidence and bring it to the courtroom.

04:33

Five rules of evidence are the authentic. Be accurate,

04:38

be complete, be convincing and be admissible.

04:42

You know, Legal System's obviously and legal cases very across across the board, depending on where ever you live. But more or less the five rules of evidence apply everywhere.

04:55

Analysis there several different types off analysis off when trying to collect evidence. There's media analysis, which is the recovery of information from informational media. So this is things such as hard drives, USB CDs, that kind of thing. You have network analysis, which is the examination of

05:15

network logs at any

05:15

pipe off activities. Any kind of information generated from like an intrusion device or intrusion prevention system, or even CME would be, Ah, very applicant. Here

05:30

you're slow for analysis, which is the analysis and examination program cud. And there's hardware war embedded device analysis, which is the analysis off Mobile Voices hardware And from where?

05:45

In today's lecture, we discussed computer forensics

05:50

Please. Time

05:51

when a crime has been committed, the perpetrators leave something behind and take something with them. This is known as a

06:00

live evidence.

06:00

Be low cards principle

06:02

D forensic analysis or D evidence swapping.

06:10

If you said be low cards principle than you are correct, remember, there's no such thing as a clean getaway. Perpetrators always leave something behind. And this could help the S S c P practitioner and any incident response team's figure out who did the crime.