Time: 10 hours 32 minutes
Difficulty: Beginner
CEU/CPE: 11

Video Transcription

00:01
Welcome to Cybrary's video series on the CompTIA Security+ SY0-501 certification and exam.
00:08
I'm your instructor, Ron Woerner.
00:10
Please visit cybrary.it for more information on the Security+ certification as well as many others.
00:18
This next video for Security+ Domain 5 on risk management will help you prepare for Section 5.5, which is "summarize basic concepts of forensics."
00:29
This session is about more of the technical aspects of incident response covered in session 5.4.
00:37
Understand the definition of digital forensics, which is the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
00:50
We'll cover this in detail in the next few minutes.
00:54
NIST provides another good definition you should be aware of.
00:57
They define digital forensics as the application of computer science and investigative procedures involving the examination of digital evidence,
01:07
following proper search authority, chain of custody, validation with mathematics (hashing),
01:12
use of validation tools,
01:15
repeatability, reporting, and possible expert testimony.
01:19
There are numerous concepts you should be aware of as you're preparing for your Security+ exam;
01:26
we'll cover each of these in detail.
01:30
The first concept you should be aware of, associated with forensics, is strategic intelligence and counterintelligence.
01:37
This is the gathering of information or data regarding an incident: knowing who, what, when, where, and how.
01:45
Collecting evidence on the threat actor, threat source, and threat vector. Remember those terms from an earlier video.
01:53
Pulling your data from multiple sources. This could be internal or external. Internally, maybe from your logging systems, your SIEM,
02:02
or from other sources, such as the machine that might have been breached.
02:08
It could also be external sources, say the Internet or social media, to understand the threat source and threat vector.
02:17
A critical concept you should understand regarding digital forensics is order of volatility.
02:23
This is how you collect evidence: the order in which you collect evidence. Volatile data is data that's easily or quickly lost, such as computer memory. When you turn off the computer, you may lose that random access memory,
02:39
caches and temporary storage, so temporary Internet files,
02:44
potentially even USBs, if you're thinking that evidence may be stolen on a USB that could quickly and easily be pocketed by somebody.
02:53
You want to capture that data
02:55
which will be quickly and easily lost. Capture that data first. You want to have this planned as part of your incident response procedure: what do you capture, and in which order? This is all part of the preparation phase.
03:09
Understand the order of volatility. That way you're not going to accidentally lose any data.
03:16
Another important digital forensics concept is chain of custody.
03:22
This provides a clear record of the path the evidence takes from acquisition to disposal.
03:30
You want to track it to maintain its integrity, knowing who may have touched it.
03:36
You don't want someone under investigation to be able to come back and say, "Well, someone else touched it; it wasn't me who did it." Chain of custody
03:44
provides that integrity.
03:46
Any items that are taken, make sure they are secured. You can use something known as a Faraday cage or Faraday bag, which removes all electronic signals.
03:57
By the way, a microwave or even an empty paint can are great substitutes for a Faraday
04:03
bag or cage that you might have readily available.
04:06
You also want to use a documentation and tracking form showing who touched the evidence and at what point in time. If someone is taking evidence to do a forensics investigation and creates an image, that needs to be tracked as well.
04:23
Evidence must be admissible,
04:25
authentic, complete, reliable, and believable.
04:30
Understand these five concepts associated with digital evidence.
04:38
As part of an investigation, there may be a legal hold associated with this. It prevents data or information from being destroyed, either accidentally or maliciously.
04:48
It's the preservation of all forms of relevant information
04:54
When litigation is reasonably anticipated,
04:57
check with your legal team and they can tell you a lot more about a legal hold.
05:01
Usually it will be a lawyer who will tell you
05:03
this evidence has to be preserved,
05:06
associated with a request not to destroy what might be relevant in a legal matter. Often the opposing party may ask for a legal hold through a judge.
05:18
Another good term to know associated with forensics:
05:24
Data acquisition. This is how you actually gather the information from the systems.
05:30
You could capture a system image, basically making a copy of the computer operating system and all of its data,
05:39
as well as its configurations.
05:41
Data acquisition could include network traffic and log files from your routers and firewalls, or
05:48
UTM devices.
05:50
You want to make sure you're recording the time as well.
05:55
You'll use system hashes, screenshots,
05:59
and you want to interview witnesses.
06:02
Back to data acquisition:
06:06
data acquisition is where you're actually pulling the evidence. It's the process you are following to make sure the evidence is what you need and the integrity is preserved.
06:17
We'll talk about each of the items, such as capturing a system image
06:21
using network and system logs as part of the evidence chain.
06:27
Recording the time associated with evidence
06:30
using system hashes to
06:33
prove integrity.
06:36
Screenshots are a great way to show what has happened on a system, so use tools to capture
06:44
images from computer screens,
06:46
and then, lastly, interviewing witnesses. Let me talk about these different methods of data acquisition.
06:54
Capturing system images may be the most familiar to you,
06:58
basically making a pristine copy of what's happening on that computer or system or workstation.
07:05
It's a snapshot in time of what exists. You want to preserve that snapshot so that no one can touch it when you're doing your investigation. Don't ever investigate on a live system; you're always reviewing a snapshot of it. That way the original system's integrity is
07:26
always preserved.
07:28
So capture an image of the operating system in its exploited state, both for legal reasons
07:33
and because it's helpful when investigating the issue after the fact; you can learn more about what happened.
07:42
How do you perform system image capture? One way is disk to disk: making an exact copy
07:49
of the disk. You have to find a disk that
07:53
mirrors the one you're copying.
07:56
You can do disk to image file,
07:59
so this is creating an image of the disk using different forensics applications such as EnCase, Forensic Toolkit (FTK), or the Linux native dd command.
08:11
You may also be making a copy to an actual disk, so you might want to put an image onto some type of removable media to send it off site or to preserve it. Another method:
08:22
when you're taking a system image, use a write blocker. Another important term to know for the Security+ exam: a write blocker prevents
08:33
anything from being written to that image.
08:35
It could be both hardware or software.
08:39
Understand the concepts associated with capturing system images.
08:45
Another source of information when conducting digital forensics is network traffic and logs,
08:50
whether from static network systems,
08:54
maybe from your virtual machines, server logs, application logs,
09:01
potentially even workstation logs,
09:03
access control, so who gained access to the system under forensics investigation.
09:09
Using a security incident and event management system, or SIEM, which is a centralized type of logging system. You want to pull evidence from as many places as you can
09:20
in order to conduct
09:22
a forensics investigation. You can also do active network scanning on your network
09:30
using tools such as Wireshark.
09:31
Wireshark is a file and network capture tool, and I recommend you review it. A, it's free.
09:39
B, it's very useful as part of
09:41
being a good system and security administrator. And C, you may need it as part of a forensics investigation.
09:50
Recording time is also important as part of a forensics investigation. Make sure it's synchronized across all of your log systems, so that someone can't come back and repudiate the evidence.
10:01
Time is often synchronized using a protocol known as NTP, Network Time Protocol. Very easy to implement. Often it's the de facto standard across all of the systems.
10:13
Also, be aware of any time zone differences. I've seen that cause challenges as part of an investigation as well.
10:22
Any evidence you collect, you want to make sure its integrity is intact. You do that by taking a hash. A hash is a unique fingerprint of any file.
10:33
If the file changes, the fingerprint changes. MD5 and SHA are common hash techniques.
10:41
It tracks the integrity of, say, any system files.
10:45
Any images that you take, take a hash of them.
10:48
That way you can ensure that it hasn't been altered, because if it is altered, the hash will change.
10:56
The National Software Reference Library
10:58
collects known, traceable software applications through their hash values and stores them in the Reference Data Set
11:07
at the website shown on the screen.
11:09
So if you're wondering about system files, whether they've been altered or changed,
11:13
you can go to the NSRL
11:16
and compare their hash value with the hash value you have
11:20
to ensure
11:22
and to see if anything has changed on the system.
11:26
You're working through your forensics investigation and you see images on a screen.
11:31
I recommend you use screenshot tools.
11:35
such as the Snipping Tool within Windows or Alt+Print Screen.
11:39
Snagit is a commercial product that is also commonly used. You might want to keep these available in your jump kit for your forensics.
11:48
This way you have it readily available for when you're conducting an investigation.
11:52
You can then use these screenshots as part of your collection of evidence.
11:58
A great, simple way to capture what's happening on systems.
12:03
Another step as part of a forensics investigation will be talking to people involved, interviewing witnesses, understanding who may have come in contact
12:13
with the affected systems.
12:15
Those should be the ones familiar with the incident.
12:18
When conducting an interview of this nature, make sure you include Legal and Human Resources
12:24
because they have experience in doing this.
12:26
They will help make sure the interview is conducted in the right manner.
12:31
You need to document who was interviewed:
12:35
names, any contact information, what they may have seen or experienced.
12:41
Practice your interviews in a safe environment.
12:46
Be aware that this is a critical step
12:48
as part of the digital forensics process.
12:52
As a part of any incident response, you need to document, document, document.
12:58
Anything you capture, see, take, or do should be written down. Capture who did it, when it happened, and what happened. Keep a log and make sure your log is kept safe and secure.
13:11
It also could be a written narrative of what you're experiencing and what other people experienced.
13:20
Take images,
13:20
pictures of what you're seeing as well.
13:24
I'll do that: I'll bring out my cell phone and take pictures of what the scene looks like. That way we can also use that as part of the forensics investigation.
13:35
You also want to be able to calculate the number of man-hours that
13:39
digital forensics has taken, as well as any related expenses.
13:43
This is all part of that critical documentation trail.
13:48
In this session, we've covered a lot of basic concepts associated with digital forensics.
13:54
Let's practice on some test exam questions.
13:56
Question one.
13:58
Which of the following is the process used during data acquisition for the preservation of all forms of relevant information
14:05
when litigation is reasonably anticipated?
14:09
Look for key words; in this case, litigation, meaning legal.
14:15
So the answer is a legal hold.
14:20
Question two.
14:20
What hardware or software tool should be used whenever you are capturing a system image to preserve the integrity of the original media?
14:30
you want to make sure the original cannot be corrupted.
14:33
That is done by using
14:35
a write blocker.
14:39
That's the best answer. Keep in mind when you're answering these questions. Some of them may also be right.
14:46
We're looking for the best answer.
14:48
To learn more about digital forensics and gain some practical hands-on experience, see the Security+ lab. In the lab, you'll learn how to acquire an image of evidence media,
15:01
then be able to analyze that digital evidence.
15:03
You'll go through an analysis example as well as a report example,
15:07
and then see how to use keyword searches. These labs are invaluable to give you that practical hands-on experience.
15:18
This concludes Section 5.5, summarizing basic concepts of forensics.
15:24
Please refer to your study material for more information.

Instructed By

Ron Woerner
CEO, President, Chief Consultant at RWX Security Solutions LLC