Welcome to Cyber Aires. Video Siris on company is security plus 5 +01 Certification and exam.
I'm your instructor round Warner,
please visit Cyber Dad I t. For more information on the security plus on a vacation as well as many others.
This next video for Security Plus domain five on risk management will help you prepare for Section five. Died five, which is summarized basic concepts of forensics.
This session is about more of the technical aspects of incident response covered in session 54
I understand the definition of digital forensics, which is the practice of gathering retaining an analyzing computer related data for investigative purposes in a manner that maintains the integrity of the data.
We'll cover this in detail in the next few minutes.
Mist provides another good definition you should be aware of.
They defined digital friends access the application of computer science and investigative procedures involving the examination of digital evidence
following proper search authority, Chain of custody validation with mathematics were hashing
use of validation tools,
repeatability reporting and possible expert testimony.
Seeing numerous concepts you should be aware of as you're preparing for your security plus exam,
we'll cover each of these in detail
The first concept you should be aware of associating with forensics. It's strategic intelligence and counterintelligence.
This is the gathering of information or data regarding an incident Knowing who, what, when, Where. How?
Collecting evidence on the threat, Actor, threat, source and threat. Vector member of those terms from an earlier video
Pulling your data from multiple sources. This could be internally and externally or internally, maybe from your logging systems. Your S I E. M.
Or from other sources, such as on the machine that might have been breached.
Also could be external sources say the Internet, Social media to understand at threat, source and threat vector
A critical concept you should understand regarding digital forensics. His Order of volatility.
This is how you collect evidence. The order. You collect evidence full. The tile data is that data that's easily or quickly lost, such as computer memories. When you turn off the computer, you may lose that random access memory
caches and temporary storage so temporary Internet files,
potentially even us bees. If you're thinking that evidence may be stolen on a USB that could quickly and easily be pocketed by somebody
you want to capture that data,
which will be quickly and easily lost. Capture that data first. You want to have this plan as part of your incident response procedure as to what do you capture in which order? This is all part of the preparation phase.
Understand the order of volatilities. That way you're not gonna accidentally lose any data.
Another important digital forensics concept is chain of custody.
This provides a clear record of the path the evidence takes from acquisition to disposal.
You want to track it to maintain its integrity, knowing who may have touched it.
You want someone to come back and be able to say they're under investigation? That will someone else touched. It wasn't me who did it. Chain of custody
provides that integrity.
Any items that are taken sure they are secured. You can use something known as a Faraday Cage or Faraday bag, which removes all electronic signals.
By the way, microwave were even an empty Peyton can't the great uses of a Faraday
bag or cage that you might have readily available.
You also want to use a documentation and tracking form showing who touched the evidence. At what point in time If someone is taking evidence to do forensics investigation. Create an image that needs to be tracked as well.
Evidence must be admissible,
authentic, complete, reliable and believable.
Understand these five concepts. Associate it with digital evidence
as part of an investigation. There may be a legal hold associated with this. Prevents data or information from being destroyed, either accidentally or maliciously.
It's the preservation on all forms of relevant information.
When litigation is reasonably anticipated,
check with your legal team and they can tell you a lot more about a legal hold.
Usually will be a lawyer who will tell you
this evidence has to be preserved,
associated with a request not destroy what might be relevant in a legal matter. Often the opposing party may ask for a legal ho hold through a judge.
Another good term to know associated with forensics.
Data acquisition. This is how you actually gather the information from the systems.
You could capture a system image, basically making a copy of the computer operating system. All and all of its data
Well, it's it's configurations.
Data acquisition could include network traffic and lock safe from your router firewalls, which is
You want to make sure you're recording the time as well.
You'll use system hatches screenshots
and you want to interview witnesses.
Take two data acquisition
data acquisition is where you're actually pulling the evidence. It's the process you are following to make sure the evidence is what you need and the integrity is preserved.
We'll talk about each of the items, such as capturing a system image
using network and system logs as part of the evidence chain.
Recording the time associated with evidence
using system hash is to
Screenshots Great way to show what has happened on a system so using tools to capture
images from computer screens
and then, lastly, interviewing witnesses. Let me talk about these different method it methods of data acquisition.
Capturing system images may be the most familiar to you,
basically making a pristine copy of what's happening on that computer or system or workstation.
It's a snapshot in time of what exists. You want to preserve that snapshots, and no one can touch it when you're doing your investigation. Don't ever investigate on a live system, you're always reviewing a snapshot of it that way. The original system's integrity is
so capturing an image of the operating system in its exploited state, both for legal reasons.
And it's hopeful from when for investigating the issue after the fact can learn more about what happened.
How do you perform system image? Capture what you knew it distant dist. This disc Making an exact copy
of the disk, you have to find a disc that
mirrors the one you're copying.
You can do disc to image file,
so this is creating an image off the disc using different forensics applications such as encase forensics Tool Kit or Lennox Native D D Command
may also be making a copy to an actual disk. So you want might want to put an image onto some type of removable media to send it off site or to preserve it. Another method
when you're taking a system image yousa right blocker. Another important term to know for security. Plus example, a right blocker prevents
anything for to be written on that image.
It could be both hardware or software.
Understand the concepts associated with capturing system images.
Another source of information when conducting digital forensics are network traffic and locks,
user from static network systems,
maybe from your virtual machines. Server logs, application logs,
potentially even work station logs,
access control. So who gained access to the system under forensics investigation
Using a security incident, an event management system or s I E. M. Which is a centralized type of logging system. Do you want to pull evidence from many places as you can
a forensics investigation? You can also do active network scanning on your network.
Using the tools, such as wire shark
or a shark is a file and network capture tool and recommend you review it. Eh? It's free.
Be it's very useful is part of
being a good system in security administrator and see you may need it as part of a forensics investigation
recording time. It's also important, as part of a forensics investigation would make sure it's synchronized across all of your log systems. So if someone can't come back and repudiate the evidence,
time is often synchronized. Using a protocol known as NTP. Network time protocol. Very easy to implement. Often it's the fact of standard across all of the systems.
Also, be aware of any time zone differences. I've seen that cost challenges part of its investigation as well.
Any evidence you collect, you want to make sure its integrity is intact. You do that by taking a hatch. A hash is unique fingerprint of any file.
If the file changes, the fingerprint changes MD five Shaw Common hash techniques.
It tracks the integrity of, say, any system files
any images that you take. Take a hash of it.
That way you can ensure that it hasn't been altered because of it is altered. The hash will change.
The National Software Reference Library
collects known traceable software applications through their hash values and stores them in the reference data set
at the website shown on the screen.
So if you're wondering about system files, have they've been altered or changed,
you can go to the N S R L
and compare their hash value with the hash value you have
and to see if anything has changed on the system.
You're working through your forensics investigation and you see images on a screen.
I recommend you use screenshot tools.
Such a snipping tool within Windows were all print screen
snag. It is a commercial product that is also commonly used, might want to keep these available in your jump kit for your forensics.
This way you have it readily available for when you're conducting an investigation.
You can then use thes screenshots as part of your collection of evidence.
Great simple way to capture what's happening on systems.
Another step is part of a forensics investigation will be talking to people involved interviewing witnesses, understanding who may have come in contact
with the affected systems.
That should be the ones familiar with the incident.
When conducting an interview of this nature, make sure you include it. Legal and human resource is
because they have experience. In doing this.
They will help make sure the interview is conducted in the right manner.
You need to document who was interviewed
names, any contact information, what they may have seen or experienced.
Practice your interviews in a safe environment.
Be aware that this is a critical step
part of the digital forensics process.
As a part of any incident response, you need to document document document
anything you capture, you see take. You do should be written down. Capture Who did it when it happened? What happened? Keep a log and make sure your log is kept safe and secure.
It also could be a written narrative of what you're experiencing and other people experience.
pictures of what you're seeing as well.
I'll do that. I'll bring out my cell phone and take pictures off what the scene looks like. That way, we can also use that as part of the forensics investigation.
You also want to be able to calculate the number of man hours that has
digital forensics has taken as well as any related expenses.
This is all part of that critical documentation trail.
In this session, we've covered a lot of basic concepts associated with digital forensics.
Let's practice on some test exam questions.
Which of the following is the process used during data acquisition for the preservation of all forms of relevant information?
When litigation is reasonably anticipated,
look for key words in this case, litigation, meaning legal.
So the answer is a legal hold
What hardware or software tools should be used Whenever you are capturing a system image to preserve the integrity of the original media,
you want to make sure the original cannot be corrupted.
That is done by using
That's the best answer. Keep in mind when you're answering these questions. Some of them may also be right.
We're looking for the best to answer.
To learn more about digital forensics and gain some practical hands on experience. See the security plus lap in the lab. You'll learn how to acquire an image of evidence media.
Don't be ableto analyze that digital evidence.
You go through an analysis example as well as the report example
and then see how to use keyword searches. These labs are invaluable to give you that practical hands on experience.
This concludes section 5.5 summarizing basic concepts of forensics.
Please refer to your study material for more information.